Audit Point of View

IT Project Risks – Forewarned Is Forearmed

What the Audit Committee Should Know

There are numerous reasons large system projects go off the rails: their objectives are unclear, management is not sufficiently engaged, project scope shifts too often, the technologies are too complex, companies lack appropriate skill sets, teams fail to work together, schedules are unrealistic… the list goes on.


Given the impact system project failures can have on a company, management must obviously take an active role in mitigating these risks. The question for audit committee members is to what extent they should get involved as well.

The Goldilocks Balance

To be sure, audit committees are not looking for additional items to add to their agenda. However, companies heavily dependent on IT or those embarking on major system change can likely benefit from greater audit committee involvement in these issues (see our article on Tackling Technology Risks). The key is to find the right balance. Audit committees need just the right level of information about these projects to ensure they understand the risk factors and can ask the right questions. Too much or too little disclosure can prevent the committee from properly discharging its function.


Achieving this balance may require the audit committee to boost its IT literacy. Some committees address this need by adding members who have relevant IT expertise. For larger projects, the committee may even want a larger team of experts who can educate it about the IT risks the company may be facing and suggest mitigation activities.


Additionally, audit committees should understand the extent to which the company may be relying on system integrators to manage and run their IT projects. While these integrators can deliver significant value, their services can lead to ballooning project costs. To keep these costs in check, some companies hire third-party professionals to conduct independent program assurance to review the performance of the system integrators. This independent review acts almost like an outsourced internal audit function and has been shown to measurably decrease system project risks. As such, audit committees may want to ensure that management hires these independent experts and have them report back to key stakeholders at regular intervals.

Deciding on Next Steps

To determine whether the audit committee should be reviewing a company’s system project risks, the committee should:


  • Have the company’s portfolio of IT projects risk-rated so the committee can be apprised of major risk exposures on a regular basis. This applies both to major projects and in cases where companies engage in dozens—or even hundreds—of smaller projects which, collectively, may pose significant risk. 
  • Fully understand the company’s IT strategy, including the major technology risks being managed. This should include the corporate strategy related to such things as cyber risks, mobility and social media, big data and how the company leverages the cloud.


Given the repercussions of system project risks, audit committee members cannot afford to ignore these issues. The key is to be sufficiently forewarned so that the audit committee can ensure management takes the necessary steps to prevent system project risks from endangering corporate performance.


  • Robert Rowe, Partner, Advisory Services
