DRAFT
www.pwc.com
IA’s practical approach to driving success for strategic and transformational initiatives
ISACA Geek Week 2014
Agenda
Module
A. Welcome and Introduction
B. Transformational Change
C. Strategic initiatives – the risks
D. Internal Audit’s role
E. Keys to successful transformation assurance
F. Recap & Questions
G. Contact details
PwC
Welcome and Team Introduction
Welcome & Team Introduction
Antwon Hardwick
• Director - US East Region Project Assurance Leader
• Located in Atlanta, GA
• Project, Program and Portfolio assurance and management for transformational projects
• 13+ years consulting experience with clients in insurance, energy, software, IT services, construction, and entertainment and media
• Led on-going program management office (PMO) oversight activities for global multi-year $140M ticketing platform transformation for Fortune 500 leading company. Performed a number of risk management and assessment activities to include focused project risk assessments, deep dives, health checks, and periodic status reporting to the client's Audit Committee and senior executives.
Transformational Change
Transformational change
Market trends
• Accelerating investments in significant projects to enable business transformation initiatives.
• IT spending has been cut over the last few years resulting in a backlog of IT projects.
• Multiple and uncoordinated assurance requirements; IA, external audit, SOX, Compliance, Risk Management.
• Organizations are resource-constrained – not adequately staffed to advance projects and maintain existing operations.
• Regulatory requirements are expanding, adding to compliance efforts.
• Complex dependencies across projects.
What are your experiences with project success rates?
Our 2012 survey indicates that 200 global companies were spending over $4.5B on projects to deliver changes required to implement their strategy.
• 20% of ERP implementation projects are not completed.
• 51% of ERP implementation viewed as a failure
(Gartner)
(Robbins-Gioia Survey)
• 71% of ERP projects do not meet the expectations of senior management
• 84% of projects do not meet all criteria for success
(Standish Group)
(CSC Index/AMA Survey)
• 2%: Companies that had 100% of their projects on time, within budget, to scope and delivering the right business benefits. (PwC Global Survey on State of Project Management)
• 35%: Number of companies where system projects deliver expected business benefits (PwC Global Survey on State of Project Management)
As a result…
Boards, Audit Committees, and other senior business executives are increasingly recognizing the level of risk posed by large programs and are seeking greater transparency into strategic initiatives to understand if projects will deliver the business outcomes…
• Are we going to have a positive return on investment?
• Are our people engaged and the business ready to change?
• Is the solution the best we can deliver for the costs we can afford?
• Have we got the skills we need looking at the really important things we need to do?
• Are we on-time, on-budget and on-scope?
• Are we getting the best out of our third parties?
• Is there appropriate governance to ensure project outcomes?
• Are we maintaining the integrity of our control environment?
…there is increasing demand for project transparency
Reasons for program failures
Poor estimation continues to be the largest contributor to project failures.
Poor estimates, lack of sponsorship and poorly defined scope are 3 primary reasons cited for project underperformance.
Source: PwC’s 3rd Global Survey on State of Project Management (2012)
The state of the Internal Audit profession 2012
92% of CAEs
…consider project risk as either important or very important.
82% of Executives
…think large program risk is considered well managed.
27% of CAEs
37% of Executives
Transformation change: Internal Audit challenges
01 Building a portfolio risk assessment process which considers the current and emerging risks and evolves with project delivery.
02 Enhancing existing project audit methodology to consider current techniques and more dynamic application.
03 Understanding and leveraging the ‘lines of defense’ appropriately.
04 Acquiring the right resources and skill sets to assemble the team.
05 Identifying effective methods for communicating and reporting risks in a timely manner.
Strategic initiatives – the risks
Key areas of project risk
Risks are not isolated to classic project management artifacts, but extend to a broader ‘risk universe’.
Technology
• Infrastructure
• System architecture
• Networking
• Security
• Availability
• Performance
• Disaster recovery
Governance
• Strategic Alignment
• Senior Management Commitment
• Sponsorship / Champions
• Governance and Decision making
• Synergy identification and tracking
Data
• Data Structures
• Mapping
• Cleansing Effort
• Conversion and validation
• Data governance
• Backup and recovery
• BI and reporting strategy
Program Management
• Time schedules
• Budgets
• Resources/staffing
• Vendors
• Knowledge transfer
• Issue and Risk management
• Scope management
Process and Solution
• Requirements
• Business processes
• System Development Life Cycle
• Data
• Controls
• Bolt-ons
• Interfaces/integrations
Organization
• Business impacts
• Training
• Communication
• Organizational alignment
• Change management
• Compliance and controls
• Business continuity
Project risk – Inherent, Delivery, Delivered
Strategy and Governance
• Inherent: No strategic roadmap for IT spend
• Delivery: Project does not align with business strategy
• Delivered: No business owner for realizing project benefits post-implementation
Program Management
• Inherent: Organization lacks a project management methodology
• Delivery: Project reporting is inconsistent and inaccurate
• Delivered: Lessons learned are not captured
Organization
• Inherent: Organization has little experience with large projects
• Delivery: Business SMEs have limited capacity for involvement in delivery
• Delivered: Organization resists adoption of the new solution
Solution and Process
• Inherent: No process maps or metrics impairs ‘case for change’
• Delivery: Interim processes are ad-hoc and labor intensive
• Delivered: Solution does not include robust internal controls (SOX compliance)
Data
• Inherent: Data is not ‘clean’
• Delivery: Data conversion is inaccurate
• Delivered: Backup and archiving not included in solution
Technology
• Inherent: Inconsistent technology platforms, and no vision for rationalization
• Delivery: Insufficient environments to support development, test, and production
• Delivered: No support and maintenance plan for new infrastructure
Note: These are high-level examples only. In most cases, there will be many specific risks corresponding to each box above.
Who plays a part in managing program risk?
Large transformation projects typically have a number of functions supporting risk and quality management. Understanding the respective roles and levels of assurance provides a holistic view of current assurance levels and helps identify the gaps that may need to be addressed.
Work stream monitoring activities
Examples of Level 1 activities:
• Program risk function
• Program PMO
• Vendor PMO & QA
PMO monitoring and assurance activities
Examples of Level 2 activities:
• Operational risk teams
• Compliance teams
• Organizational or independent PMO
• Targeted QA activities (from within the organization but independent of the project)
• Product vendor provided assurance
External vendor and internal audit
Examples of Level 3 activities:
• Internal Audit reviews (part of the annual plan)
• ‘Health checks’ and targeted specialist ‘Deep Dive’ reviews
• External Audit reviews
Internal Audit’s role
In 2013, were stakeholders satisfied with IA’s role?
Source: Examining the issues – 2013 IA Global survey
How can IA add value to a project?
Stay ahead of the curve
Get involved early.
Build a ‘three lines of defense model’.
Develop an embedded assurance plan.
Operate the integrated assurance plan, making responsive changes
based on the shifting risks.
Use Subject Matter Specialists.
Agree how, when and to whom you will report.
Focus on value.
How can IA add value to a project?
Develop forward looking view
1. Navigate the integration risk landscape
2. Understand stakeholder perspectives and provide deeper insights
3. Cut through the clutter
Questions
• How well aligned is internal audit’s plan with the critical risks facing the organization?
• Does internal audit provide a point of view to help the business improve its responses to risk?
• How effectively does internal audit communicate with stakeholders?
How can IA effectively engage in Transformation initiatives
• Think and act strategically to focus on key integration risks: Internal audit understands the organization’s strategy, initiatives, and related risks; project audit activities are derived from a top-down risk assessment and aligned with stakeholder expectations.
• Leverage the second line of defense: Internal audit contributes to and coordinates with organization and program risk management efforts, providing insight to the overall risk management process and focusing audit efforts appropriately.
• Understand the business: Internal audit is in a unique position to objectively assess perspectives of various integration stakeholders – leverage this to foster the desire for internal audit involvement in integration (and all significant) business initiatives.
• Build trust through ongoing dialogue: Significant attention is given to face-to-face communication with stakeholders, including the audit committee. In these meetings, additional perspective is provided around the management of critical risks.
• Leverage specialists: Internal audit uses specialists, both internal and external, to support work in areas where it does not have the breadth and depth of expertise to effectively provide a point of view.
• Simplify reporting, make it consumable: Internal audit reports contain concise messages clearly linked to underlying business risks.
• Deliver advice and best practices: Internal audit provides deep insights in all of its activities, as well as proactively offering advice on the design of future processes.
• Connect the dots: Internal audit identifies common themes and trends across the organization, enabling the business to close gaps.
How can IA add value?
Controls are often overlooked
The design of internal controls (configurable, manual, and access/security) during business process design, rather than identifying and correcting control weaknesses after the process and systems are installed, provides the greatest value in terms of process, system, and data integrity, at the lowest cost.
[Figure: cost of controls (low to high) across the project life cycle (start to finish). Cost of controls increases as project progresses. Labels on the figure: Solution Blueprint, Design, Build, Test Build, UAT, Implement, Go Live, Post imp.; Pre-implementation, During development.]
Developing a Project Assurance Plan
Why is a Project Assurance Plan important?
• Helps to understand the roles and sources of assurance available to a project
• Helps you to develop a risk-driven integrated assurance plan that is aligned to the three lines of defence.
When should the Project Assurance plan be developed?
• Ideally this occurs from the beginning of the integration program, and makes use of the program’s initial risk assessment activities. However, it can be implemented at any point in the lifecycle.
Who should be involved in developing the Project Assurance plan?
• Key project stakeholders (internal to the project team and business)
• Representatives from each line of defense (the PA plan is often a component of an integrated risk or quality management plan)
Managing risk over the program lifecycle
Delivering Change
Assess: Is the ‘case for change’ robust with clear scope, business outcomes and ownership?
Design: Will the organization & technical design deliver the benefits?
Construct: Is the solution being built as designed and robustly tested?
Implement: Is the business ready to go with detailed go live and support plans in place?
Operate & Review: Are the benefits being delivered and what could be improved?
• Project governance and mgt review
• Planning and mobilization
• Business case review
• High level target operating model
• Organization change strategy
• Deployment strategy
• Business process design
• Data and reporting design
• Test and data conversion strategies
• Security & controls
• People and Org Design
• Dedicated vendor management
• Solution testing and remediation
• Training plans and execution
• Data conversion
• Security and control configuration
• Business continuity planning
• Benefits management plan
• Support model design
• Test and training results
• Go-live process
• Data conversion process
• Transition to business as usual (BAU) planning
• Stakeholder engagement
• Go-live readiness assessment
• 30-90 day support
• Business adoption
• Benefits realization
• Compliance and controls certification
Driving Change
Is the Change Management approach appropriate and delivering success?
Is the organization engaging key stakeholders (including existing vendors/partners) throughout the change?
Is the program being effectively governed against guiding principles and managed across all workstreams?
Is delivery of business benefits a key focus throughout the lifecycle?
Keys to successful transformation assurance
Top 10 Keys to success
Key events that may contribute to a successful Project Audit:
1. Stakeholder buy-in & tone at the top, understanding & acceptance of engagement
2. Staffing, proper technical skills, qualifications and capabilities allowing the team to quickly establish credibility
3. Understanding project needs and expectations, as well as the level of comfort desired
4. Scoping appropriately, leveraging a risk based approach and delivering upon the agreed scope
5. Up-front communication regarding scope of review, extent of review, timing of review and level of details to be provided in reporting
6. Execution and completion of work within defined budget and schedule
7. Change agility, being able to change with the project needs (adjust timeline, etc.) but avoiding scope creep
8. Communication to all parties
9. Relevance, providing actionable useful and timely deliverables (reporting) – consider requirements of the audience (i.e. Audit Committee, Sponsor, Project Manager, etc.)
10. Monitoring project progress between checkpoint reviews to minimize ramp-up time required at each checkpoint
Recap and Closing
Recap & Questions
Get involved early.
Build a ‘three lines of defense model’.
Develop an embedded assurance plan.
Operate the integrated assurance plan, making responsive changes
based on the shifting risks.
Use Subject Matter Specialists.
Agree how, when and to whom you will report.
Focus on value.
Contact Details
Thank you
Team contact information
Antwon Hardwick
(678) 419-8618
Team contact information
Kshipra Pitre
(678) 296-6066
© 2014 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States
member firm, and may sometimes refer to the PwC network. Each member firm is a separate
legal entity. Please see www.pwc.com/structure for further details.