Project-accompanying audit – more security and transparency in the project
Corporate IT in constant change
Driven by technological change and entrepreneurial growth, many companies have the need to adapt their IT landscape and application environment to the new circumstances. Such adaptations almost always include changes to the underlying business processes as well as the introduction of new technologies, be it the replacement of legacy systems or the development/introduction of new software and applications (such as an ERP system), the outsourcing of the IT infrastructure to the cloud or the introduction of more complex topics such as blockchain technology or artificial intelligence.
However, the modification of existing or the introduction of new IT systems is always associated with significant challenges. This applies both on a small and large scale and is to some extent independent of the type of project in question, although the risks increase in particular for medium-sized and large projects due to their increased complexity.
Challenges in IT projects
The challenges in the implementation of IT projects consist first and foremost of the typical project risks such as schedule and budget overruns and quality risks. However, there are also other risks such as
- Risk of undesirable developments and non-fulfilment of requirements
- Gaps in information security and missing or inappropriate controls
- Migration risks
Furthermore, when new processes and technologies are introduced, there is almost always uncertainty about the regulatory and legal requirements, which results in corresponding compliance risks.
Possibilities of risk mitigation on the basis of IDW PS 850
A variety of project-related measures are possible to address these risks. Starting with classic project management activities such as the selection of a suitable project methodology, proper project planning and control as well as resource allocation, a clean requirements and quality management, up to appropriate testing and formal project acceptance.
In addition, there is also the possibility of minimising project risks by involving an external, neutral authority that accompanies the project selectively for the acceptance of certain project milestones or for the entire duration of the project up to the final acceptance.
The establishment of such a project-accompanying inspection by an external and neutral body offers the following opportunities:
- Early assurance that all requirements are taken into account in the specifications.
- Compliance requirements
- Compliance with relevant regularity requirements (e.g. balance sheet continuity)
- Security by design
- Adequate IT controls
- Coverage of requirements for future audits
- Neutral and independent assessment of project status (deliverables and milestones)
- Neutral and independent assessment of risks and measures during project implementation
- Additional quality assurance
- Overall acceptance of the project by an independent external body
The procedure for such a project-accompanying audit is based on the auditing standard IDW PS 850 issued by the Institute of Public Auditors in Germany. This standard contains important specifications for auditing throughout the entire project life cycle:
- Project planning and organisation
- System design, development and test phases
- Data migration
- Rollout and go-live
In addition, PS 850 also provides guidelines for the use of third-party examinations or audit results as well as for documentation and reporting.
Conclusion
The early involvement of an external independent expert ensures compliance with the regularity requirements and balance sheet continuity, acts as a neutral authority for quality assurance and risk monitoring and may even serve as an institution for the acceptance of the overall project.
The external auditing body can draw on experience from similar projects, provide valuable advice and recommendations for project implementation and thus significantly support the overall success of the project.