Audit Committee, 13 March 2013. Internal Audit Report Project Management. Executive summary and recommendations. Introduction



Similar documents
Internal Audit Report Project Management

Internal Audit Report Disaster Recovery / Business Continuity Planning

Audit Committee, 20 March Internal Audit Report Partners Expenses. Executive summary and recommendations. Introduction

Internal audit report Information Security / Data Protection review

The report rated this area Substantial Assurance and made 2 housekeeping recommendations.

How To Audit Health And Care Professions Council Security Arrangements

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating:

Information Commissioner's Office

Coleg Gwent. Business Continuity Plan Test - Post Implementation Review (PIR) Internal Audit Report (12.09/10)

Dacorum Borough Council Final Internal Audit Report

Cumbria Constabulary. Business Continuity Planning

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010

Information Commissioner's Office

Audit of Business Continuity Planning

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

The Human Resources Department Work Plan for the period 1 April 2015 to 31 March 2016 is attached.

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

Aberdeen City Council

Cheshire Fire Authority

Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary

ARGYLL AND BUTE COUNCIL SUPPORT SERVICES REVIEW 15 DECEMBER 2011 SUMMARY REPORT

PROJECT MANAGEMENT FRAMEWORK

Audit Committee, 28 November. HCPC Project Risk Management. Executive summary and recommendations. Introduction

REVIEW OF THE FIREWALL ARRANGEMENTS

1. Background and business case

Aberdeen City Council IT Governance

Aberdeen City Council IT Asset Management

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

Business Continuity Business Impact Analysis arrangements

Aberdeen City Council IT Security (Network and perimeter)

APPENDIX C. Internal Audit Report South Holland District Council Project Management

1.1 Terms of Reference Y P N Comments/Areas for Improvement

Comhairle nan Eilean Siar Internal Audit Review DISASTER RECOVERY ARRANGEMENTS Information Technology. Final Report 2014/15-06

Essex Fire Authority

The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17

The Learning Zone - Project Management Arrangements

INTERNAL AUDIT FINAL REPORT. Project Management. June 2013

ESSEX FIRE AUTHORITY. Internal Audit Progress Report. Audit Sub-Committee Meeting: April 2012

Appendix C Accountant in Bankruptcy. Annual report on the 2013/14 audit

Information Commissioner's Office

BSI audited HCPC on the 6 May 2014, as the second audit of the new three year audit cycle across the whole organisation.

HUNTINGDONSHIRE DISTRICT COUNCIL. Internal Audit Service: Annual Report. Meeting/Date: Corporate Governance Panel 15 July 2015

Internal Audit at the University of Cambridge.

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June Report 6c Page 1 of 15

Risk Management Policy and Process Guide

Comhairle nan Eilean Siar Internal Audit Review Project Management and Project Delivery Technical Services department. Final Report 2014/15-21

APPENDIX: CHECKLIST COMPLIANCE WITH THE CODE

South Northamptonshire Council Contract Assurance: Leisure Contract

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

Human Resources Department Workplan. Contents. Page. Introduction 2. Resources Staffing Resources 2 Budget Management 3

Cumbria Constabulary. Audit of Budget Management (Payroll)

Business Planning & Budgetary Control 2012/13

Internal Audit - progress report and plan

Essex Fire Authority. Fleet Management. Internal Audit Report (4.12/13) 28 February 2013 FINAL. Overall Opinion

Governance and Audit Committee 23 November 2015

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Aberdeen City Council IT Disaster Recovery

Aberdeen City Council. Fleet Management Final Report

Governance, Risk and Best Value Committee

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

Coleg Gwent Internal Audit Report 2012/13 Payroll and HR. Assurance Rating: Payroll

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee

E2E Project Management Process Governance (Electric Capital)

Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council. Year ended 31 March 2013

The Annual Audit Letter for Torbay Council

Management of Business Support Service Contracts

DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Appendix 1b REVIEW OF CHEQUE HANDLING PROCESS

Auditing data protection a guide to ICO data protection audits

PDNPA Project Management Peak District National Park Authority Internal Audit Report 2014/15

SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011

Australian National Audit Office. Human Resource Management Performance Audit

Programme Governance and Management Plan Version 2

1 PURPOSE AND SUMMARY 1.1 This report seeks approval to consult on the draft 2015/ /20 Revenue Financial Plan.

Audit Manual PART TWO SYSTEM BASED AUDIT

Comhairle nan Eilean Siar Internal Audit Follow Up Review Disaster Recovery. Final Report FU18 14/15

Business Process Improvement Roy Dunn

CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT

Comhairle nan Eilean Siar Internal Audit Review MANAGEMENT OF SICKNESS ABSENCES. Final Report 2013/14-18

Audit Quality Thematic Review

Shared service centres

INTERNAL AUDIT 2008/09 INFORMATION TECHNOLOGY (BUSINESS CONTINUITY)

How To Audit A Windows Active Directory System

National Programme for IT

Performance Detailed Report. May Review of Performance Management. Norwich City Council. Audit 2007/08

DIRECTORATE OF AUDIT, RISK FF AND ASSURANCE. Appendix 2a FOLLOW UP REVIEW OF CORPORATE BUSINESS CONTINUITY

SUBMITTED TO: NORFOLK AND SUFFOLK COLLABORATION PANEL - 3 SEPTEMBER 2014 ERP (ENTERPRISE RESOURCE PLANNING) PROJECT UPDATE

Human Resources Manager 12 month fixed term contract

Fife Council Post Implementation Review of VoIP Project 2007/08

SOUTH NORTHAMPTONSHIRE COUNCIL. 11/31 ICT Capacity Management FINAL REPORT. June 2011

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

Entitlements Management System (EMS) Technology Update Project Health Check Review

Annual Governance Statement 2013/14

Internal Audit Report. Chief Executive s Unit. Review of Contract Management

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.

Change Management Office Benefits and Structure

Internal audit service protocol

Transcription:

Audit Committee, 13 March 2013 Internal Audit Report Project Management Executive summary and recommendations Introduction Mazars has undertaken a review of the arrangements for project management in accordance with the internal audit plan agreed by the Committee in March 2012. The audit considered the following risks: Poor and/or unrealistic project initiation, specification and objectives leading to failure to deliver project objectives and HCPC requirements. Major Project Cost Over-runs. Poor project management and monitoring resulting in delays in delivery of projects. Ineffective post-project review and evaluation resulting potential improvements for future projects not being identified and acted on. The report is attached as an appendix to this paper. Decision The Committee is asked to discuss and approve the report Background information At its meeting in March 2012 the Committee approved the Internal Audit Plan for 2012/13 Resource implications None Financial implications None Appendices Internal Audit Report Project Management Date of paper 1 March 2013

Internal Audit Report Project Management (09.12/13) REPORT

CONTENTS Page 1. Introduction 1 2. Background 1 3. Scope and objectives of the audit 2 4. Audit Findings: One page summary 4 5. Summary of findings 5 6. Action plan agreed with management 7 Appendix 1 Definitions of Assurance Levels and Recommendations AUDIT CONTROL SCHEDULE: Client contacts Greg Ross- Sampson: Director of Operations Rob Silverman: Project Portfolio Manager Internal Audit Team Peter Cudlip: Partner Graeme Clarke: Director James Sherrett: Assistant Manager Matt Brookland: Auditor Finish on Site \ Exit Meeting: Observation of Lessons Learned meeting: 13 December 2012 21 January 2013 Management responses received: 25 Draft report issued: 11 Final report issued: 25 In the event of any questions arising from this report please contact Graeme Clarke, Director, Mazars LLP graeme.clarke@mazars.co.uk Status of our reports This report has been prepared for the sole use of the Health and Care Professions Council. This report must not be disclosed to any third party or reproduced in whole or in part without the prior written consent of Mazars LLP. To the fullest extent permitted by law, no responsibility or liability is accepted by Mazars LLP to any third party who purports to use or rely, for any reason whatsoever, on this report, its contents or conclusions.

1. INTRODUCTION 1.1 As part of the Internal Audit Plan for 2012/13, we have undertaken a review of the Health and Care Professions Council s (HCPC) arrangements for project management. Within our Internal Audit Strategy, we have provided resources for consideration of project management / individual projects on annual basis due to there being a number of risks associated with projects on HCPC s Corporate Risk Register. 1.2 Our review of project management in 2011/12 led us to provide Substantial assurance with eight Priority 3 recommendations made. Progress on the implementation of these recommendations was reviewed as part this audit. 1.3 We are grateful to the Project Portfolio Manager, Project Managers and other members of staff for their assistance during the course of the audit. 1.4 This report is for the use of the Audit Committee and senior management of HCPC. The report summarises the results of the internal audit work and, therefore, does not include all matters that came to our attention during the audit. Such matters have been discussed with the relevant staff. 2. BACKGROUND 2.1 Project management is the way of managing change. It describes the activities that meet specific objectives and can be used to introduce or improve new or existing products and services. 2.2 HCPC, in maintaining its operations, conducts numerous projects to ensure it remains a streamlined and efficient organisation. There are two types of projects within the organisation Major Projects and Departmental Projects. Major projects are managed by the Project Management team and Departmental projects are managed by the owning departments. 2.3 The Project Management team reports to the Operations Director and currently consists of the Project Portfolio Manager and two Project managers. The team use Microsoft Project for the ongoing project management of all projects and have adopted PRINCE2 methodology to define its approach. 2.4 In September of each year the Project Portfolio Manager invites the Directors to produce Business Cases for projects they would like to initiate in the next financial year. All Business Cases for major projects are collated by the Project Portfolio Manager and presented to the Executive Management Team (EMT) at an away day designed to decide which major projects to initiate and to prioritise them. Each Business Case is presented by the relevant Project Sponsor and EMT considers the available budget and resources for the following financial year to inform their decision of which projects should go ahead. After EMT has agreed the projects to be included in the portfolio, the project start dates are reviewed so that a staggered effect is created to avoid over-stretching resources or peaks of activity at a particular point. A Project Portfolio Work-plan is presented to EMT by the Project Portfolio Manager for sign-off. The signed-off Work-plan is then presented for approval by the Finance and Resources Committee. Subject to the approval of the Finance and Resources Committee, the Work-plan is then presented to Council for noting. Page 1

2.5 Progress and budget reports are regularly provided to EMT to help ensure projects are delivered to cost and timescales. A new project finance template has been developed recently which is designed to enable easier monitoring of the financial position of projects. 2.6 A Project Management Update is provided as part of the Operations Report to each Finance and Resources Committee meeting. In addition, reports on individual projects are also presented to the Committee where this is appropriate. 3. SCOPE AND OBJECTIVES OF THE AUDIT 3.1 Our audit considered the following risks relating to the area under review: Poor and / or unrealistic project initiation, specification and objectives leading to failure to deliver project objectives and HCPC requirements; Major Project Cost Over-runs (Risk Ref 15.3, HCPC Risk Register, September 2012); Poor project management and monitoring resulting in delays in delivery of projects; and Ineffective post-project review and evaluation resulting potential improvements for future projects not being identified and acted on. 3.2 In reviewing the above risks, our audit considered the following areas: Project management framework including Project Management Handbook, procedures / templates and guidance covering project management activities; Identification and prioritisation of Major Projects; Business cases; Identification of project sponsor, project lead and project team and other staffing requirements; Assessment of resource requirements and project budgeting; Project initiation and approval / sign-off; Risk identification, mitigation and risk logs; Impact assessments; Project plans and communication; Project change control and management; Monitoring of the operational and financial progress of projects by project team / EMT / Committee / Council; Post-project reviews / evaluations, benefits realisation and lessons learned logs / meetings; and Follow up of recommendations from 2011/12 Project Management audit. Page 2

3.3 The objectives of our audit were to evaluate the adequacy of controls and processes for project management, and the extent to which controls have been applied, with a view to providing an opinion on the extent to which risks in this area are managed. In giving this assessment, it should be noted that assurance cannot be absolute. The most an Internal Audit service can provide is reasonable assurance that there are no major weaknesses in the framework of internal control. 3.4 We are only able to provide an overall assessment on those aspects of the controls and processes for project management that we have tested or reviewed. The responsibility for maintaining internal control rests with management, with internal audit providing a service to management to enable them to achieve this objective. Specifically, we assess the adequacy of the internal control arrangements implemented by management and perform testing on those controls to ensure that they are operating for the period under review. We plan our work in order to ensure that we have a reasonable expectation of detecting significant control weaknesses. However, our procedures alone are not a guarantee that fraud, where existing, will be discovered. Page 3

4. AUDIT FINDINGS: ONE PAGE SUMMARY Assurance on effectiveness of internal controls Substantial Assurance Recommendations summary Priority No. of recommendations 1 (Fundamental) None 2 (Significant) None 3 (Housekeeping) 3 Total 3 Risk management As referred to in 1.1 and 3.1 above, HCPC s Risk Register contains a specific section of risks associated with Project Management. Testing undertaken as part of this audit has confirmed the mitigating actions in respect of these risks are in place and operating effectively. We have, however, made three Priority 3 recommendations which should strengthen further HCPC s risk management framework in respect of its major projects. It should also be noted that risks are also considered as part of the Business Case and Project Initiation Documents for each project. Risk and issues logs are maintained during the life of a project. These logs are used as part of end-of-project reviews and Lessons Learned meetings to try to ensure that, if appropriate mitigating controls are built-in to future projects. Value for money The Project Management team has a well developed project management approach which adopts the widely recognised PRINCE2 methodology and uses Microsoft Project. Project management processes are therefore streamlined whilst being appropriately robust. Page 4

5. SUMMARY OF FINDINGS Overall conclusion on effectiveness and application of internal controls 5.1 Taking account of the issues identified in paragraphs 5.2 to 5.4 below, in our opinion the control framework for project management, as currently laid down and operated at the time of our review, provides substantial assurance that risks material to the achievement of HCPC s objectives are adequately managed and controlled. 5.2 All except one of the recommendations made as part of our review in 2011/12 were considered as implemented. The one exception relates to the creation of an annual end of year overall project summary for all projects. However it is felt that this recommendation has been superseded as there are end of project reports produced for each project and it is felt by management that resources would not currently permit collating all required information into a summary document. Areas where controls are operating effectively 5.3 The following are examples of controls which we have considered are operating effectively at the time of our review: HCPC has a detailed project management framework in place which is supported by a comprehensive project management handbook. Up-to-date templates have been produced and are used for project documentation; The inter-relatedness of projects and the impact on resources is considered as part of the project prioritisation and Project Portfolio planning processes; Detailed business cases are produced for all non-statutory projects; Project Plans are developed for all major projects which are in the form of a Gantt chart. Review of these for a sample of project indicated that key expected areas had been covered; Risk is considered for each of the projects including through the use of risk and issues logs; Progress in the delivery of the major projects is regularly monitored by EMT; Any significant issues which impact on the timeliness of delivery and / or budget for project are reported to EMT through the use of exception reports, with project extensions and / or revised budgets being approved; As part of our audit fieldwork we observed the Lessons Learned meeting for the Education System and Process Review Phase 1 project. The meeting was conducted in an open manner with an appropriate degree of self-reflection with areas for improvement being identified and captured for future projects. The meeting was also attended by the Director of HR as it was felt this would be useful to inform the recently initiated HR and Partners project; A revised budget monitoring tool has been developed to assist improved monitoring of the financial position of projects; and An update on projects, including the risks associated with them, is provided to the Finance and Resources Committee as part of the Operations Report. Additionally, reports on individual projects are also presented to the Committee where this is appropriate. For example, the Project End Report for the On- Page 5

boarding of Social Workers project presented to the January 2013 meeting of the Committee. Areas for further improvement 5.4 We identified certain areas where there is scope for further improvement in the control environment. The matters arising have been discussed with management, to whom we have made a number of recommendations. The recommendations have been, or are being, addressed as detailed in the management action plan (Section 6 below). Page 6

6. ACTION PLAN Observation/Risk Recommendation Priority Management response Timescale/ responsibility 6.1 Observation: In review of a sample of project business cases we noted that they often included estimated costs and / or that project costs where not fully completed. Quotations / costs from potential suppliers where not included. Risk: Project budgeting and financial planning is hindered. Unforeseen costs arise after project approval.. The costs section of business cases should be completed in full and where possible be supported by actual quotations of costs from potential suppliers. 3 The Project Portfolio Manager will communicate this requirement to EMT Additionally, when the next project prioritisation process begins in approx. September 2013, the Project Portfolio Manager will remind EMT that Business Cases should contain quotes. - PPM Poor decision making. 6.2 Observation: Review of the staffing of project boards and project teams indicated that there are often the same key individuals involved in several projects. This reflects the importance of having staff experienced in project management being involved in projects. Risk: Over-reliance on a small number of key staff in several projects jeopardises the business-as-usual operations. Consideration should be given to exposing more staff within HCPC to involvement in projects. This could be through training provided by the project management team and / or those staff not usually involved in projects shadowing members of the project management team. 3 The Project Portfolio Manager will highlight this risk to EMT for their consideration. - PPM Page 7

Observation/Risk Recommendation Priority Management response Timescale/ responsibility 6.3 Observation: The project management team are not involved in Departmental projects and, while Departments are advised to follow the processes set out in the Project Management Guide, there is no requirement to use this formal methodology. Risk: Departmental projects do not achieve the desired objectives in a timely and cost effective manner. Consideration should be given to devising an agreed light version of the project methodology for use in Departmental projects. Alternatively, members of the project management team could be used in an advisory or consultancy-type role on Departmental projects. 3 One purpose of the existing Project Management Handbook is to provide guidance to project managers of departmental projects. This has been communicated to the whole organisation. Departmental projects are of a sufficiently low risk that they do not need to follow a formal HCPC process. Members of the projects department should make themselves available to departmental project managers if any advice is required. This will be communicated to the organisation - PPM Page 8

Appendix 1 Definitions of Assurance Levels and Recommendations We use the following levels of assurance and recommendations in our audit reports: Assurance Level Adequacy of system design Effectiveness of operating controls Substantial Assurance: Adequate Assurance: Limited Assurance: While a basically sound system of control exists, there is some scope for improvement. While a generally sound system of control exists, there are weaknesses which put some of the system objectives at risk. Control is generally weak leaving the system open to significant error or abuse. While controls are generally operating effectively, there is some scope for improvement. While controls are generally operating effectively, there are weaknesses which put some of the system objectives at risk. Control is generally weak leaving the system open to significant error or abuse. Recommendation Grading Definition Priority 1 (Fundamental) Priority 2 (Significant) Priority 3 (Housekeeping) Recommendations represent fundamental control weaknesses, which expose, HCPC to a high degree of unnecessary risk. Recommendations represent significant control weaknesses which expose, HCPC to a moderate degree of unnecessary risk. Recommendations show areas where we have highlighted opportunities to implement a good or better practice, to improve efficiency or further reduce exposure to risk. Page 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information