A project audit checklist serves as a pivotal tool in a project risk management process. It helps senior leadership and project managers appraise internal elements and external factors affecting the completion of the project. An auditor must comply with Generally Accepted Auditing Standards (GAAS) when using a project audit checklist.
An auditor learns about a project's control environment to become familiar with factors affecting the project's progress and completion dates. These factors may be internal or external. External elements that may affect a project completion date are laws and regulations. Internal factors may relate to corporate policies and guidelines, top management's ethical qualities and staff members' skill set.
For example, a certified internal auditor (CIA) or certified public accountant (CPA) reviews a project control environment overseas. She can ensure that project accountants apply International Financial Reporting Standards (IFRS), when summarizing operating data. Alternatively, the CPA or CIA can learn about local laws, regulations and industry practices and how they may affect the completion of the project.
Test Internal Controls
A project auditor tests internal controls and procedures to ensure that such controls are adequate and functional. A control is a set of directives that a project manager puts into place to prevent operating losses resulting from technological breakdowns, error, fraud or theft. An adequate control instructs project staff members on how to perform tasks, highlight problems and make decisions. A functional control provides proper solutions to project breakdowns.
Internal controls and procedures vary by industry, company and location. For instance, a road construction project manager may establish procedures that adhere to Occupational Health and Safety Administration (OSHA) rules. In contrast, a project manager in the financial services industry may emphasize compliance with guidelines the National Association of Securities Dealers Automated Quotations (NASDAQ) promulgates.
Rank Controls and Risks
An auditor ranks controls and related risks based on the loss expectation. She reviews the adequacy and effectiveness of controls and rates them as "high," "medium" and "low." The project auditor also ensures that controls in financial reporting systems conform to GAAP or Generally Accepted Government Accounting Standards (GAGAS). A project's accountant that does not comply with these standards may report inaccurate and incomplete financial statements.
Issue Final Report
The American Institute of Certified Public Accountants (AICPA) requires a project auditor to review "high" and "medium" risks with top management and ensure they provide corrective measures for such risks. The AICPA also recommends that segment managers find mitigating solutions for "low" risks. A project auditor also may review a company's "risk and control self-assessment" (RCSA) report to ensure risk ratings are consistent. In an RCSA, a segment staff member rates controls as "Tier 1," "Tier 2" and "Tier 3," based on expected losses. An auditor issues a final report once management provides mitigation plans for major risks.