Gerard Gallagher says that programme risk is the internal audit 'blind spot' that keeps board members awake at night.

There's an old saying that what you don't know won't hurt you. Unfortunately, it is just not true, as many global companies have discovered when projects or programmes in countries far from the boardroom go badly wrong. So boards, non-executive directors, audit committees and management are turning to internal audit (IA) for assurance about these risks. But it is a formidable challenge for IA to meet this demand - a challenge that stretches resources and skills in departments that have traditionally focused on day-to-day business-critical issues.

The scale of the issues

Research by Ernst & Young presented to a recent programme director think tank found that 73% of the business leaders interviewed were very worried about global programmes. The respondents agreed that 'assessing both risks and returns on global projects is a major challenge'. They voiced concern, not just about the need to control risks on programmes that were under way, but also about how the targeted benefits were identified and delivered.

Projects and programmes are unique in their expanse across today's global corporations: they can be under way at any time, any place, anywhere. They involve a multitude of partners, contractors, regulators, and governments, and take place under different legal, social, economic and political constraints. They may involve IT, real estate, construction, shared service centres, outsourcing, manufacturing, distribution, or any combination of those. And the organisation's corporate identity, reputation and strategy are at risk to a greater or lesser degree in every single one of those projects.

Evidence of programmes failing also came in a recent DTI survey which covered both public and private sectors: about half ran over budget; more than half were delivered late, and roughly two out of every five failed to deliver the expected benefits.

And these are not small projects. The scale of their impact was revealed in an Ernst & Young survey at the recent Internal Audit Conference 2006 (IACON), held in London, where more than a hundred senior respondents from global organisations were asked about their global exposure to programme risk. The respondents said 90% of their programmes in the previous year were significant or business-critical. Half of the projects involved sums greater than £500m. Some programmes can be bigger than the organisation's annual cash flow, or indeed the organisation itself. Despite this size and criticality, 70% agreed that control over their projects and programmes could be better, or was insufficient. And 80% of our respondents felt it was the role of IA to provide that assurance.

Rising to the challenge

But it is a role that IA is struggling to fill: three quarters of IA departments surveyed said they spent less than 20% of their time on business-critical programmes. IA has historically focused on day-to-day, business-critical finance functions, with processes firmly rooted in the annual cycle. Projects and programmes, on the other hand, tend to stretch across many years, several disciplines and areas of the business, and they tend to involve people who are unfamiliar with the organisation's rules and procedures, and who may have no lasting commitment to the organisation after the programme has ended.

To meet the challenge, IA departments need to develop a clear and consistent approach. Consistency was a key theme emerging from the programme director think tank, especially the difficulty of achieving worldwide standards in programmes of global scale. Companies are asking how they can use controls to maintain standards and protect their brand and reputation anywhere in the world. Boards also need to be convinced that IA can approach the task with confidence, and that it has the capacity to deliver - which may involve extra resources. So IA has to simultaneously manage up, seeking resources and skills, and manage down, while still continuing its normal day-to-day functions.

Internal auditors often feel they are faced with a confusing kaleidoscope of responsibility in areas of the business that they are unfamiliar with. Given the traditional skill base of IA, part of the answer may be to buy in help from professionals who have addressed these issues before and can transfer their skills and knowledge to the in-house team, leaving them better equipped to face the challenge.

A framework to respond

The starting point for addressing programme risks is to look at three perspectives: strategic risk, operational risk and project risk. Understanding that both the type of risks faced and the mechanics for controlling programme risks differ at each level of the business enterprise is the first step to implementing a pragmatic and value-adding assurance function.

The board has a very strong role to play in managing and controlling the strategic risks. It should be testing the strategic logic for programmes and projects - asking the 'why are we doing this?' question. The answer should include issues such as the original business case for the project, the alignment of the vision and direction with the overall organisational strategy, the sponsorship for the project, and whether the benefits have been fully realised for the organisation at the end of the project.

It is the last part of that answer that I do not often hear board members putting to their advisers. It can be summed up as: "How are you going to make sure this project delivers what we want it to, and how are you going to tell us if it doesn't?"

In this key relationship between the board, the IA department and any professional advisers, there should be an ability to work with a high level of trust, and with courage to do the right thing. We have seen from the survey evidence how projects and programmes have a high potential failure rate. Cancelling, stopping or delaying a project or programme is not a decision to be taken lightly, especially if progress is already in train. The potential legal and financial consequences loom large. But, it could, in some circumstances, be the right decision.

Where do you focus the effort?

Resources of people and money are finite. So it is a judgement call to decide which projects to audit, and to what depth. To make the decision more objective, it helps to work through a prioritisation model which uses programme evaluation criteria based on common indicators of risk and performance. This model takes account of the state of development of the project, its cost and complexity, and the strategic importance and risk to the organisation. Consideration should also be given to the project's performance. And by applying the model across global projects, a higher degree of consistency is obtained. The weighted programme evaluation criteria will produce a recommendation to the audit committee of programmes to be audited.

Our experience suggests that IA needs substantial board support to obtain a mandate to select and review business-critical programmes. The selection of programmes should be consistent from year to year, so that the recommendations produced are proven to be soundly based. The outcome of evaluation will be a recommendation to the audit committee with a list of priority projects and programmes to be audited. It is also important to note that the level of controls needed will vary as the project goes through its life cycle. The diagram above gives examples of the criteria and methodology for selection.

Internal auditors need to be aware of the danger of too much data. Our recent survey shows some companies run as many as 600 projects and programmes at once: the effort of gathering, collating, analysing and presenting data on this scale can slow the reporting to an extent that it becomes almost redundant. Bear in mind too, that the average non-executive director (NED) spends about 27 days a year on company business according to research from Ernst & Young's NED network. So when reviewing control reports on projects, real value is delivered by knowing what criteria have been set for each project, and reporting variance against those criteria. The approach outlined above is designed to highlight the differential impact of projects on the organisation, thereby enabling the focusing of assurance resources on those projects which are 'red flagged' as a result. Using this approach has been shown to save up to 40% of IA resources when compared to a uniform broad-brush approach. It thereby allows sparse resources to be husbanded for subsequent, more intensive, follow-up work on the flagged projects.

The information presented to the board should be appropriate and validated, enabling confident key strategic decisions about projects to be made: start it, keep it going, accelerate it, slow it down, suspend it, move it elsewhere, or close it.

The internal audit opportunity

There's an opportunity for IA here. Boards are saying "We're really worried that no one's looking at this situation; how do we keep track of it?" However, the boards are also keen for the right combination of skills and experience to carry out the audits. One programme director told us: "You need people who understand the project and can therefore understand the risk". Boards are looking for knowledge across the broad scope of the business, and for understanding of project management disciplines. And while thinking globally, local knowledge of the legal, social, economic and political environment in the project location, whether it be Buenos Aires or Bangalore, will add depth and credibility. The right blend of skill and experience, on a global scale, is hard to find, and the likelihood of it existing in one single organisation or function is low. At the same time, demands for assurance around other board-level anxieties have to be met.

Finding the right people requires a step change, and few organisations have the global reach to face the challenge. Almost certainly they require professional help to bring in, and subsequently transfer, supplemental skills to support the in-house function in achieving a consistent global approach.

Boards, audit committees and non-executives expect some surprises in business. But they want to see controls that cut down on those surprises. If you recognise that what you don't know about the risks around your programmes is a blind spot, then putting measures in place to report and control those risks is the first step on the road to fixing them.

Gerard Gallagher is partner, risk advisory services, Ernst & Young LLP,


In some organisations, the boundaries of the internal auditor's and risk manager's roles have become somewhat blurred, overlapping rather than complementing each other. So it is worth going back to basics and considering the Institute of Internal Auditors UK and Ireland's definition of the role of the internal auditor.

The IIA says that internal auditors look at how organisations are managing their risks. They provide the audit committee and the board of directors with information about whether risks have been identified, and how well they are being managed. 'They are different to external auditors, because they do not focus only on financial statements or financial risks: much of their work is looking at reputational, operational or strategic risks. They also give an independent opinion on whether internal controls, such as policies and procedures put in place to manage these risks, are actually working as intended.

'The official IIA definition is that internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.'

The IIA points out that the responsibility to manage risk always resides with management. Internal audit's role is to identify potential problem areas and recommend ways of improving risk management and internal control.