Internal Audit Report Project Management



Similar documents
Internal Audit Report Disaster Recovery / Business Continuity Planning

Audit Committee, 20 March Internal Audit Report Partners Expenses. Executive summary and recommendations. Introduction

The report rated this area Substantial Assurance and made 2 housekeeping recommendations.

Internal audit report Information Security / Data Protection review

How To Audit Health And Care Professions Council Security Arrangements

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010

Internal Audit - progress report and plan

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating:

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

ARGYLL AND BUTE COUNCIL SUPPORT SERVICES REVIEW 15 DECEMBER 2011 SUMMARY REPORT

Audit Committee, 28 November. HCPC Project Risk Management. Executive summary and recommendations. Introduction

Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Aberdeen City Council IT Governance

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

Cumbria Constabulary. Business Continuity Planning

Information Commissioner's Office

Essex Fire Authority. Fleet Management. Internal Audit Report (4.12/13) 28 February 2013 FINAL. Overall Opinion

Coleg Gwent. Business Continuity Plan Test - Post Implementation Review (PIR) Internal Audit Report (12.09/10)

Dacorum Borough Council Final Internal Audit Report

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

PROJECT MANAGEMENT FRAMEWORK

1. Background and business case

Aberdeen City Council IT Security (Network and perimeter)

The Annual Audit Letter for Torbay Council

Finance Business Partner Job Profile

Note the Chief Internal Auditor s findings to date and gain assurance from Officers that key issues raised are being addressed.

1.1 Terms of Reference Y P N Comments/Areas for Improvement

Audit of Business Continuity Planning

The Learning Zone - Project Management Arrangements

Information Commissioner's Office

APPENDIX C. Internal Audit Report South Holland District Council Project Management

Aberdeen City Council IT Asset Management

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

Governance, Risk and Best Value Committee

The Human Resources Department Work Plan for the period 1 April 2015 to 31 March 2016 is attached.

HOME GROUP JOB DESCRIPTION. Date:

Annual Governance Statement 2013/14

Quality Impact Assessment. Executive summary

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide

Human Resources Officer

Auditing data protection a guide to ICO data protection audits

Business Planning & Budgetary Control 2012/13

INTERNAL AUDIT FINAL REPORT. Project Management. June 2013

Level: 3 Credit value: 5 GLH: 28 Relationship to NOS:

Projects Office Tari Kaupapa. Project Methodology Template Examples

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

JOINT CORE STRATEGY PROGRAMME MANAGEMENT FRAMEWORK GOVERNANCE PROCESSES AND PROCEDURES. Draft

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June Report 6c Page 1 of 15

Appendix C Accountant in Bankruptcy. Annual report on the 2013/14 audit

Internal Audit at the University of Cambridge.

BSI audited HCPC on the 6 May 2014, as the second audit of the new three year audit cycle across the whole organisation.

FRAMEWORK FOR THE PREPARATION OF ACCOUNTS. Best Practice Guidance

Oxford City Council Managing Capital Projects

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

THE COMPLETE GUIDE TO PERFECT PROJECT MANAGEMENT

Human Resources Manager 12 month fixed term contract

Programme Governance and Management Plan Version 2

Council is asked to discuss the work plan and agree the contents.

Audit Committee. Directors Report. Gary Hughes Chairman, Audit Committee. Gary Hughes Chairman, Audit Committee

Project, Programme and Portfolio Management Delivery Plan 6

HUNTINGDONSHIRE DISTRICT COUNCIL. Internal Audit Service: Annual Report. Meeting/Date: Corporate Governance Panel 15 July 2015

Risk Management Policy and Process Guide

WEST LOTHIAN COLLEGE

Aberdeen City Council. Fleet Management Final Report

The Risk Management strategy sets out the framework that the Council has established.

Appendix 1e DIRECTORATE OF AUDIT, RISK AND ASSURANCE INTERNAL AUDIT SERVICE TO THE GLA

Compliance. Group Standard

APPENDIX: CHECKLIST COMPLIANCE WITH THE CODE

Isle of Man Financial Supervision Commission. Business Plan Guidance for Licence Applicants

Position Description

Request for Proposal. Supporting Document 3 of 4. Contract and Relationship Management for the Education Service Payroll

Aberdeen City Council IT Disaster Recovery

Financial Planning Assessment Vale of Glamorgan County Borough Council. Audit year: Issued: January 2015 Document reference: 620A2014

The Annual Audit Letter for West Midlands Fire & Rescue Authority

Human Resources Advisor 12 month fixed term contract

All Portfolios - Actual against Budget

CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT

Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council. Year ended 31 March 2013

Transcription:

Audit Committee, 20 Internal Audit Report Project Management Executive summary and recommendations Introduction As part of the Internal Audit Plan for 2013-14 Mazars have undertaken a review of arrangements for project management. This included review of the management of the major projects. Decision The Committee is asked to discuss the report Resource implications None Financial implications This audit was undertaken as part of the internal audit plan for 2013-14. Mazars annual fee is 27,000. Appendices Internal Audit Report Project Management Date of paper 10 1

Internal Audit Report Project Management (06.13/14) REPORT 2

CONTENTS Page 1. Introduction 2. Background 3. Scope and objectives of the audit 5 4. Audit Findings: One page summary 7 5. Summary of findings 8 6. Action plan agreed with management 9 Appendix 1 Definitions of Assurance Levels and Recommendations AUDIT CONTROL SCHEDULE: Client contacts Greg Ross- Sampson: Director of Operations Claire Reed: Project Portfolio Manager Internal Audit Team Peter Cudlip: Partner Graeme Clarke: Director James Sherrett: Assistant Manager Matt Brookland: Auditor Finish on Site \ Exit Meeting: 12 December 2013 Management responses received: 19 February 2014 Draft report issued: 17 January 2014 Final report issued: 7 In the event of any questions arising from this report please contact James Sherrett, Mazars LLP james.sherrett@mazars.co.uk or Graeme Clarke Mazars LLP graeme.clarke@mazars.co.uk Status of our reports This report has been prepared for the sole use of the Health and Care Professions Council. This report must not be disclosed to any third party or reproduced in whole or in part without the prior written consent of Mazars LLP. To the fullest extent permitted by law, no responsibility or liability is accepted by Mazars LLP to any third party who purports to use or rely, for any reason whatsoever, on this report, its contents or conclusions. 3

1. INTRODUCTION 1.1 As part of the Internal Audit Plan for 2013/14, we have undertaken a review of the Health and Care Professions Council s (HCPC) arrangements for project management. This included review of the management of the major projects for 186 Kennington Park Road new office building and HR and Partners. Within our Internal Audit Strategy, we have provided resources for consideration of project management/individual projects on an annual basis due to there being a number of risks associated with projects on HCPC s Corporate Risk Register. 1.2 Our review of project management in 2012/13 led us to provide Substantial assurance with three Priority 3 recommendations. Progress on the implementation of these recommendations was reviewed as part this audit. 1.3 We are grateful to the Project Portfolio Manager, Project Managers and other members of staff for their assistance during the course of the audit. 1.4 This report is for the use of the Audit Committee and senior management of HCPC. The report summarises the results of the internal audit work and, therefore, does not include all matters that came to our attention during the audit. Such matters have been discussed with the relevant staff. 2. BACKGROUND 2.1 Project management is the way of managing change. It describes the activities that meet specific objectives and can be used to introduce or improve new or existing products and services. 2.2 HCPC, in maintaining its operations, conducts numerous projects to ensure it remains a streamlined and efficient organisation. These projects are overseen by the Project Management team. 2.3 The Project Management team reports to the Operations Director and currently consists of the Project Portfolio Manager and two Project Managers as well as an unfilled Senior Project Manager post. The team use Microsoft Project for the ongoing project management of all projects and use a project management methodology that is based upon PRINCE2, the HCPC methodology is currently under review. 2.4 Each year the Project Portfolio Manager invites the Directors to produce Business Cases for projects they would like to initiate in the next financial year. All Business Cases for major projects are collated by the Project Portfolio Manager and presented to the Executive Management Team (EMT) at an away day designed to decide which major projects to initiate and to prioritise them. These Business cases, which include the relevant Project Sponsor, the budget and resources and timeframes, are considered by the EMT in relation to the following financial year and to determine which projects should go ahead. 2.5 An indicative Major Projects work plan is produced and presented to the Finance and Resources Committee who are asked to discuss the proposed workplan and agree its contents. The Committee in turn recommend the workplan to the Council for approval. As part of the revised governance structure, the work of the Finance and Resource Committee will be subsumed into the work of the Council. 2. 5 Once approved, progress and budget reports are regularly provided to EMT to help ensure projects are delivered to cost and timescales. A new project finance 4

template has been developed which is designed to enable easier monitoring of the financial position of projects. 2.6 A Project Management Update is also provided as part of the Operations Report to each Finance and Resources Committee meeting. In addition, detailed reports on individual projects may also periodically be presented to the Committee. 3. SCOPE AND OBJECTIVES OF THE AUDIT 3.1 Our audit considered the following risks relating to the area under review: Poor and/or unrealistic project initiation, specification and objectives leading to failure to deliver project objectives and HCPC requirements; Poor project management and monitoring resulting in delays in delivery of projects and/or cost over-runs; and Ineffective post-project review and evaluation resulting potential improvements for future projects not being identified and acted on. 3.2 In reviewing the above risks, our audit considered the following areas: Project management framework including Project Management Handbook, procedures/templates and guidance covering project management activities; Review of agreed projects (186 Kennington Park Road new office building, the HR and Partners projects) from the initial stages through to when the project is in progress covering: - Project Initiation Document (PID) - Initial plan - Risk and Issues logs - Budgetary control - Quality log - Stakeholder Analysis and Communications Plan - Resource management - Approval of projects by EMT/Committee/Council - Monitoring of the operational and financial progress of projects by project team/emt/committee/council; Escalation of project risks from individual project risk logs/registers, project management section of the corporate risk register and strategic risks, as appropriate; and Follow up of recommendations from 2012/13 Project Management audit (report reference 09.12/13). 3.3 The objectives of our audit were to evaluate the adequacy of controls and processes for project management, and the extent to which controls have been applied, with a view to providing an opinion on the extent to which risks in this area are managed. In giving this assessment, it should be noted that assurance cannot be absolute. The most an Internal Audit service can provide is reasonable assurance that there are no major weaknesses in the framework of internal control. 3.4 We are only able to provide an overall assessment on those aspects of the controls and processes for project management that we have tested or reviewed. The 5

responsibility for maintaining internal control rests with management, with internal audit providing a service to management to enable them to achieve this objective. Specifically, we assess the adequacy of the internal control arrangements implemented by management and perform testing on those controls to ensure that they are operating for the period under review. We plan our work in order to ensure that we have a reasonable expectation of detecting significant control weaknesses. However, our procedures alone are not a guarantee that fraud, where existing, will be discovered. 6

4. AUDIT FINDINGS: ONE PAGE SUMMARY Assurance on effectiveness of internal controls Substantial Assurance Recommendations summary Priority No. of recommendations 1 (Fundamental) None 2 (Significant) 1 3 (Housekeeping) 1 Total 2 Risk management Project risk logs are in place for individual projects and a standard agenda item at regular project board meetings throughout the life of the project. At the end of a project the risk log is reviewed as part of the lessons learned meeting. The Project risk logs contain risks which are risks to the success of that particular project. These tend to be very operational and it is therefore unlikely that these individual risks will be sufficiently high in terms of likelihood and/or impact to be required to be escalated to the project management section of the HCPC Corporate Risk Register. These are risks to the success of a project not risks to the operation or success of HCPC as a whole. In the event that risks do require escalation there are mechanisms in place to do so. Testing undertaken as part of this audit has confirmed that the controls in place to mitigate risks in this area are operating effectively. Value for money The Project Management team has a well developed project management approach which adopts the widely recognised PRINCE2 methodology and uses Microsoft Project. Project management processes are therefore streamlined whilst being appropriately robust. A potential area which could be streamlined is in respect of financial monitoring. Budget spread sheets are currently maintained for projects by the Project Management team. In addition, the Finance team record project financial transactions in the Sage finance system. Reconciliations between the two sets of records are prepared on a monthly basis. Whilst records are clearly maintained for differing purposes, there could be opportunity for more efficient practice through, for example, budget spread sheets being automatically updated/linked to financial data in the finance system and subject to appropriate in-built controls reducing the need for a monthly reconciliation. 7

5. SUMMARY OF FINDINGS Overall conclusion on effectiveness and application of internal controls 5.1 Taking account of the issues identified in paragraphs 5.2 to 5.4 below, in our opinion the control framework for project management, as currently laid down and operated at the time of our review, provides substantial assurance that risks material to the achievement of HCPC s objectives are adequately managed and controlled. 5.2 All of the recommendations made as part of our review in 2012/13 were considered as implemented. Areas where controls are operating effectively 5.3 The following are examples of controls which we have considered are operating effectively at the time of our review: HCPC has a detailed project management framework in place which is supported by a comprehensive project management handbook. Up-to-date templates have been produced and are used for project documentation; The inter-relatedness of projects and the impact on resources is considered as part of the project prioritisation and Project Portfolio planning processes; Detailed business cases and Project Initiation Documents (PIDs) were produced for the two major projects reviewed; Project Plans which are in the form of a Gantt chart are in place and covered key expected areas; Risk is considered for each of the projects including the use of risk and issues logs; Communication logs and plans are detailed for each of the projects and ensure project staff know what communication is required and to whom; and Testing confirmed progress in the delivery of these major projects is regularly monitored by EMT as well as forming part of the update on projects presented to the Finance and Resources Committee. Areas for further improvement 5.4 We identified certain areas where there is scope for further improvement in the control environment. The matters arising have been discussed with management, to whom we have made a number of recommendations. The recommendations have been, or are being, addressed as detailed in the management action plan (Section 6 below). 8

6. ACTION PLAN Observation/Risk Recommendation Priority Management response Timescale/ responsibility 6.1 Observation: HCPC s Project Management Guide and Procedure requires that exception reports be completed for any significant financial/ budgetary adjustments that takes place. Finance and Resources Committee have delegated responsibility for the management of project portfolio budget to the Executive Management Team (EMT). The treatment of project costs for the HR and Partners Project should be brought to the attention of the EMT. Exception reports should be completed for any significant financial adjustment that takes place. 2 It has now been specifically stated in the project management guidance that any transferrals of budget from opex to capex also require an exception report. The transferral of funds in this project was notified to EMT within the project prioritisation pack discussion at the November monthly EMT meeting. Completed The original budget for the HR and Partners Project was approximately 100k. During the course of the project a reforecast indicated that this was likely to increase to approximately 124k. This budget increase was subject to an exception report and has been approved. However, the original budget was for all expenditure to be OPEX and none to be CAPEX. The split between these types of expenditure has been revised such that approximately 75.5k is CAPEX and 48.5k OPEX although this reallocation was not subject to a formal exception report to EMT. Risk: The EMT is not fully aware of the true levels of operating funds which are available for distribution for projects. 9

Observation/Risk Recommendation Priority Management response Timescale/ responsibility 6.2 Observation: Budget spread sheets are currently maintained for projects by the Project Management team. In addition, the Finance team record project financial transactions in the Sage finance system. Reconciliations between the two sets of records are required on a monthly basis. Whilst records are clearly maintained for differing purposes, there could be opportunity for more efficient practice. Consideration should be given to streamlining the current financial monitoring of projects by the Project Team. For example Budget spread sheets being automatically updated and linked to financial data in the Finance system and subject to appropriate inbuilt controls, reducing the need for a monthly reconciliation. 3 This has been raised with the finance department and will be investigated further in the course of a full review of the Finance systems and processes by the new Director of Finance. However it seems that the levels of detail required by the two departments differ greatly. Completed Risk: Inefficient use of resources. 10

Appendix 1 Definitions of Assurance Levels and Recommendations We use the following levels of assurance and recommendations in our audit reports: Assurance Level Adequacy of system design Effectiveness of operating controls Substantial Assurance: Adequate Assurance: Limited Assurance: While a basically sound system of control exists, there is some scope for improvement. While a generally sound system of control exists, there are weaknesses which put some of the system objectives at risk. Control is generally weak leaving the system open to significant error or abuse. While controls are generally operating effectively, there is some scope for improvement. While controls are generally operating effectively, there are weaknesses which put some of the system objectives at risk. Control is generally weak leaving the system open to significant error or abuse. Recommendation Grading Definition Priority 1 (Fundamental) Priority 2 (Significant) Priority 3 (Housekeeping) Recommendations represent fundamental control weaknesses, which expose, HCPC to a high degree of unnecessary risk. Recommendations represent significant control weaknesses which expose, HCPC to a moderate degree of unnecessary risk. Recommendations show areas where we have highlighted opportunities to implement a good or better practice, to improve efficiency or further reduce exposure to risk. 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information