Sponsored Content

Auditing What Matters: Patterns from Recent Project Assurance Reviews

What recent project reviews reveal about the top 10 recurring risks, cultural warning signs, and how internal audit can respond with insight and greater impact.

Independent project assurance reviews over the past year have revealed a troubling pattern. Whether reviewing ERP implementations spanning 100+ countries, compliance remediation, platform upgrades, organisational restructures, or multi-billion-dollar infrastructure giga-projects, the same problems keep appearing.

Projects consistently struggle with misaligned outcomes, unmanaged adoption risks, weak governance, and overly optimistic reporting. These aren't one-off issues – they're structural patterns that signal internal audit needs a new approach.

This article examines the most common themes emerging from these reviews, explains why they matter, and shows how audit functions can respond with greater insight and influence.



The Top 10 issues repeatedly found in complex projects

1. Adoption risk and insufficient change management

Change is often treated as peripheral or delegated to delivery teams. Many projects deliver on paper but stall in practice because end-users aren’t ready, able, or supported to change their behaviour. Without structured adoption planning, lasting value is difficult to achieve.

2. Unclear or misaligned programme outcomes

Stakeholders frequently have differing views on what the project is actually trying to achieve. Without a shared definition of success and a single benefits plan, decisions become fragmented, and trade-offs are made in isolation. Critically, many initiatives lack traceability from scope through to target outcomes – meaning the things being delivered do not always align with the things needed to succeed.

As a result, projects often under-deliver in key areas while simultaneously investing time and budget in activities that are not required. Leaders are usually unaware of these misalignments until benefits fail to materialise, by which point course correction is difficult and costly.

3. Weak governance and role clarity

Even where governance forums exist, they often lack teeth. We found high turnover in steering groups, unclear escalation paths, and over-reliance on individual leaders – all leading to slow or inconsistent decisions at critical moments.

4. The risks that matter most are often invisible to leaders

Risk logs are often present but narrow, with limited visibility of systemic or compound risks. In capital projects, interdependency risks are often poorly integrated across disciplines or contractors. For digital projects, integration and data risks are underplayed.

Crucially, most projects focus heavily on delivery risks but overlook strategic risks, e.g. to target outcomes, BAU, customers or reputation. The focus is typically “down and in” rather than “up and out”, meaning the risks that leaders and sponsors care most about are often invisible to them – creating the exact kind of blind spot third line assurance exists to expose.

5. Business readiness and capacity gaps

Projects are frequently given the go-ahead without testing whether business functions have the capacity – or incentive – to absorb change. In several cases, resource or capability gaps or competing priorities undermined delivery momentum or stability. This often stems from organisations trying to do too much change at once.

6. Fragmented architecture

Projects often operate as a set of parallel workstreams without a unified project architecture. Where integration is weak, the result is duplication, sequencing issues, and missed opportunities for synergy or scale.

7. Optimism bias and visibility gaps

Delivery teams often report “green until it’s red” or languish in a permanent state of amber. Overconfidence, reputational pressure or a lack of challenge culture can mask true status. We observed late discovery of issues that had been visible at operational levels but not escalated effectively.

8. Benefits not tracked or traced

Once projects go live, benefits realisation often fades from view. Without actively managed benefits tracking tied to delivery phases, post-implementation reviews become superficial and long-term value is left on the table.

9. Data, integration and process readiness overlooked

System or process transitions often proceed without full visibility of data quality, business process alignment or interface readiness. This creates knock-on risks at cutover, in testing, and throughout early operations.

10. Operating model or culture misaligned with delivery

In several cases, delivery teams were building for a future that the organisation wasn’t yet prepared to adopt. Without agreement on the future state operating model or ways of working, delivery becomes disconnected from business reality.



What internal auditors should do differently

The issues above are not isolated incidents – they are repeat signals from projects under real pressure. As an Internal Auditor, your role is not just to check for delivery progress or control compliance, but to ask: “Are we set up to succeed?” That requires expanding your assurance lens beyond milestones and methodology to include intent, alignment, culture, and adoption.

Here are six ways Internal Audit functions can adapt their approach for greater impact:

1. Shift focus from delivery tracking to outcome assurance

  • Why: Many programmes deliver outputs (tech go-lives, org restructures) but fail to realise intended business outcomes or benefits.
  • Action: Ask “what will be different for the business and how will we know?”. Ensure programmes have a single, owned, actively managed benefits realisation plan.

 

2. Put structured adoption risk on the audit agenda

  • Why: Change management is often treated as peripheral or informal. Yet poor adoption is a root cause in many value leakage issues. In many programmes, consideration of high-level change impacts and behavioural trade-offs comes too late.
  • Action: Insist on evidence of structured, resourced adoption plans from the early direction and design stages of the project. Review the “what good looks like” criteria and whether they are being tracked over the project lifecycle.

 

3. Test alignment around “success” early and often

  • Why: Misaligned views on goals and priorities lead to delivery conflict, unproductive trade-offs, and unmet expectations. This is usually invisible to the people involved in the initiative.
  • Action: Use stakeholder interviews or surveys to test shared understanding of project vision, outcomes, and priorities – especially after resets or leadership changes.

 

4. Probe governance effectiveness, not just design

  • Why: Many programmes show neat RACI charts but suffer from unclear decision-making, SteerCo churn, or siloed accountability.
  • Action: Check whether leaders are being presented with well-crafted, impact-assessed options allowing them to make conscious, well-informed decisions.

 

5. Track integration of lessons learned

  • Why: Many programmes repeat known issues (e.g. poor data, siloed delivery, insufficient readiness), despite prior retrospectives.
  • Action: Validate that lessons are embedded into delivery playbooks, not just documented. Use lessons learned as part of pre-implementation review.

 

6. Observe organisational behaviours that undermine strategy

  • Why: Many critical risks stem from cultural norms such as reluctance to escalate, tolerance of non-adoption, or a focus on tactical survival over strategic outcomes. Internal Audit can assess whether such behaviours are recognised, challenged and controlled – or whether they quietly erode value across projects.
  • Ask: Are the behaviours observed in and around this project aligned with the organisation’s stated intent?

 

When project failures reveal cultural risk

 

While project assurance typically focuses on governance, delivery health and benefits tracking, a consistent pattern has emerged: many visible failures are underpinned by organisational behaviours that quietly undermine strategic intent.

 

These behaviours are rarely captured in risk logs – yet they show up again and again across sectors, including:

 

  • Reluctance to escalate or challenge flawed plans
  • Resistance to adopting new processes despite formal go-live
  • Tactical closure of issues to meet deadlines, deferring root causes
  • Misaligned incentives that reward speed or cost over strategic goals
  • Over-optimism in reporting, creating “green until red” surprises.

 

These are repeated, observable patterns that cut across digital, organisational and capital projects. Reframing them as behavioural control failures offers Internal Audit a more structured and actionable way to address culture.



From controls to confidence: a new mandate for internal audit

Large-scale complex projects demand more from Internal Audit than ever before. The risk is no longer just that budgets overrun or timelines slip – it’s that projects land technically but fail to deliver the outcomes that justified the investment in the first place.

Internal Audit’s greatest contribution is not just confirming control design but challenging whether the programme is set up to realise strategic intent. That means asking different questions, using different data, and working alongside project leadership – not behind it. By focusing on adoption, alignment and strategic readiness, auditors can shift from compliance gatekeepers to enablers of long-term value.