HKSM

Audits are structured, evidence-based reviews that assess whether project activities, deliverables, and controls meet defined criteria and are effective. They surface gaps and confirm good practices to enable corrective and preventive actions.

Key Points

• Audits are independent, criteria-based assessments of processes, deliverables, and compliance.
• They apply across quality, risk, procurement, and governance, and may be scheduled or ad hoc.
• Focus is on both conformance to requirements and the effectiveness of controls.
• Evidence is gathered through interviews, document reviews, observations, and sampling.
• Typical outputs include findings, nonconformities, recommendations, and action items.
• Follow-up and verification of corrective actions are essential to realize benefits.

Purpose of Analysis

Audits analyze how well the project adheres to policies, standards, and plans, and whether controls are working. They aim to reduce risk, strengthen predictability, improve processes, and increase stakeholder confidence through objective evidence.

• Verify compliance with organizational, contractual, and regulatory requirements.
• Evaluate the effectiveness of processes and controls, not just their existence.
• Identify root causes and opportunities for continuous improvement.
• Inform decisions on corrective actions, preventive actions, and process updates.

Method Steps

• Plan the audit: define scope, objectives, criteria, timing, and roles in an audit plan.
• Prepare tools: create checklists and a sampling approach; gather background documents; notify stakeholders.
• Collect evidence: review records and systems, interview stakeholders, observe work, and test samples.
• Analyze evidence: compare against criteria, note nonconformities, assess impact, and explore root causes.
• Validate findings: debrief with auditees to confirm facts and context; prioritize by risk and value.
• Report and assign actions: document findings and recommendations with owners, due dates, and measures of success.
• Follow up: track implementation, verify effectiveness, and update lessons learned and process assets.

Inputs Needed

• Project management plans and relevant subsidiary plans (quality, risk, procurement, configuration).
• Organizational policies, standards, procedures, and regulatory or contract requirements.
• Performance data, dashboards, metrics, and process capability baselines.
• Deliverables, test results, configuration records, and change control logs.
• Risk, issue, and assumption registers; previous audit reports and action logs.
• Stakeholder lists and role descriptions to identify interviewees and process owners.

Outputs Produced

• Audit report summarizing scope, criteria, evidence, findings, and conclusions.
• Nonconformity and observation log with severity, impact, and priority.
• Corrective and preventive action requests with assigned owners and due dates.
• Change requests and updates to plans, procedures, templates, or training.
• Updated risk and issue registers, lessons learned entries, and compliance status.
• Supplier performance feedback and procurement audit records when applicable.

Interpretation Tips

• Differentiate nonconformities (must fix) from opportunities for improvement (should consider).
• Assess findings by risk and impact; not all gaps warrant the same urgency.
• Seek system-level root causes instead of focusing on individual errors.
• Confirm sufficiency of evidence and sample size before drawing conclusions.
• Maintain an objective, non-punitive tone to encourage transparency and learning.
• Verify effectiveness of actions; closure is not complete until controls work in practice.

Example

A mid-project quality audit reviews change records, builds, and test evidence. It finds missing peer-review sign-offs and inconsistent configuration entries.

• Actions: reinstate mandatory reviews, update the checklist, retrain contributors, and tighten sampling.
• Follow-up: a spot-check two sprints later shows complete records and reduced defect leakage.

Pitfalls

• Checklist-only audits that ignore effectiveness and outcomes.
• Lack of independence or objectivity, leading to biased results.
• Scope creep that burdens the team and dilutes focus on key risks.
• Poor communication of findings and expectations for corrective actions.
• No follow-up, allowing the same issues to recur.
• Overreliance on tiny samples that do not represent actual performance.

PMP Example Question

A mid-project audit reveals missing approvals in the change log and gaps in configuration records. What should the project manager do next?

1. Escalate to the sponsor and request replacement of team leads.
2. Retroactively re-perform all past changes, regardless of risk or impact.
3. Create and execute a corrective action plan to restore compliance and prevent recurrence.
4. Close the audit because no product defects were found.

Correct Answer: C — Create and execute a corrective action plan to restore compliance and prevent recurrence.

Explanation: After an audit identifies gaps, the proper response is to agree on corrective actions, assign owners and due dates, and verify effectiveness. Punitive actions or ignoring findings do not address root causes.