Sponsored Content

Seeing Beyond the Project: Why Internal Audit Must Rethink Assurance to Uncover Hidden Risks in High-Stakes Projects

Richard Snow, Consulting Director at Proteus, shares how Internal Audit can reframe assurance to focus on what really determines project success: the organisational conditions behind delivery.

The boardroom is tense. A £6 million ERP transformation is nearing go live, and the executive team wants assurance. Not a procedural sign-off. Not a compliance checklist. Real assurance - the kind that answers their unspoken questions:

• Are we really ready?
• Will we get the benefits we promised?
• Or are we about to walk into a mess?

It’s a scenario that’s playing out with increasing frequency across organisations. The scale and ambition of change has grown - but so has the risk. And traditional project assurance methods have struggled to keep pace.

This is where Internal Audit has a vital role to play - not just in reviewing projects, but in surfacing the organisational risks that shape their success or failure.

The Evolution of Organisational Change

Large-scale projects and transformation is no longer exceptional - it’s becoming the norm. Research shows that in many organisations:

• 8 in 10 projects are now classed as highly complex.
• Up to 70% of IT transformations and 50% of capital projects fail to deliver their intended benefits.
• Change activity is increasing by up to 50% year-on- year.

That places enormous strain on organisational systems, leadership capacity, and business-as-usual operations. Yet in many risk registers, these programmes are barely acknowledged - often reduced to a single vague risk summary, like “failure to manage and deliver projects”.

We wouldn’t tolerate that approach to financial, compliance, or cyber risks. So why do we accept it when it comes to transformation?

Rethinking What Project Assurance Means

Traditionally, project assurance has meant checking whether milestones were met, budgets controlled, or risk logs maintained. Important? Yes. But increasingly insufficient.

Because in too many failed projects, the problem wasn’t poor delivery - it was poor conditions around the delivery. Misaligned leadership. Strategic ambiguity. Capacity strain. These systemic issues often go unnoticed until it’s too late.

Put simply: you can’t fix a systemic issue with a project-level intervention.

Three Priorities for Internal Audit Today

To stay relevant and effective, Internal Audit must adapt its approach to project assurance. That starts by focusing on three critical areas:

1. The root causes of problems often lie in the organisation, not the project.

Most failures can’t be blamed on individual project teams. They stem from deeper organisational challenges:

• Business capacity is stretched beyond its limits - yet projects aren’t prioritised accordingly.
• Leaders are distracted by operational demands and have limited time for transformation oversight.
• Strategic ambitions outpace actual capability - often with no clear plan to bridge the gap.
• Governance structures focus on “delivery complexity” - milestones, status reports, and issue resolution. But the harder - to - navigate “management complexity” is where the real blockers lie.

Audit needs to bring these realities into view. Effective organisational governance, rather than project governance, is a key part of the assurance model.

2. Understand What Really Drives Project Success (and Failure)

No large-scale project is risk-free. But success becomes more likely when a few key factors are in place from day one:

• Clear outcomes and alignment. Everyone understands what success looks like - and what trade-offs are acceptable.
• Effective shaping phase. Projects are given enough time and attention upfront to set direction and build buy-in, rather than rushing into delivery.
• Business ownership. Change isn’t led by one function or department alone - it engages people, process, systems, and data in equal measure.
• Skilled, dedicated teams. Projects aren’t resourced as “side of desk” efforts.
• Sponsor and steering group effectiveness. Strong, focused leadership reduces rework and speeds up decisions.

Internal Audit can play a role in assessing whether these conditions are in place - especially during the early stages, when the impact is greatest. Not to assess the mechanics of delivery, but to challenge early alignment on outcomes, ownership, and capability

Pro tip: Don’t confuse detail for certainty. A perfect-looking plan can be more dangerous than no plan at all - if it stops people asking the hard questions.

3. Assurance Must Build Confidence in Outcomes, Not Just Process Compliance

Audit and risk committees don’t want a compliance report - they want to know if a programme is likely to deliver. That means helping them make better decisions, sooner.

Audit can provide greater value by:

• Offering forward-looking insight into programme health.
• Using data-led diagnostics to highlight systemic risk early.
• Surfacing the root causes of issues - not just symptoms.
• Providing real-time feedback that enables course correction.
• Assesses thematic and organisational exposure across portfolios. 

A Real-World Case: What Was Missed in the £6M ERP Programme Go Live Review

In one high-profile transformation, the risks weren’t hidden - they were simply overlooked:

• There was no shared understanding of whether the programme would achieve expected benefits.
• The business case shifted from benefit-led to tech-led, with no clear change control or communication to the Programme Board.
• Critical design work was paused without clear approval - impacting downstream readiness.
• The impact of resourcing challenges was not documented, reported or resolved.
• There was no evidence of trade-off decisions being made by the Programme Board.

These issues didn’t appear overnight. They compounded, quietly, through the design and delivery phases - and weren’t visible in traditional assurance reviews.

This wasn’t about poor intentions or negligent planning. It was about a lack of the right lens. Internal Audit could have surfaced these risks far earlier - but only by looking at the conditions, not just the controls.

The Questions That Matter Most

At Proteus, we’ve found that five simple questions can help auditors get a clearer picture of risks to outcomes:

1. Is it delivery reality - or a PowerPoint fantasy?
   If the plan only works in the board pack, it won’t survive contact with reality.
2. Are assumptions visible, tested, and owned?
   Unchecked assumptions are silent saboteurs - they need scrutiny.
3. What happens when things go wrong?
   A resilient plan expects the unexpected.
4. Can the organisation truly deliver this?
   Ambition is good - but only if it aligns with capability and capacity.
5. Will the business be ready to catch what’s being thrown at it?
   Adoption depends on involvement - not just at the end, but throughout.

Pro tip: In some cases, the right course of action may be to pause or even stop a project. That’s not failure. It's a sign of recognising when ambition exceeds capacity and capability – and acting before real damage is done.

Looking Ahead

Internal Audit has a pivotal role to play in helping organisations navigate transformation with greater confidence. But it can’t do that by looking in the rear-view mirror.

Assurance must evolve - to see beyond the project, understand the conditions that drive outcomes, and give stakeholders the insight they need to act early.

This isn’t about abandoning traditional audit practices - it’s about complementing them with a deeper understanding of change. Because when transformation goes wrong, it’s rarely because of a missed milestone. It’s because no one asked the right questions soon enough.

If you’re ready to bring clarity and confidence to project assurance, visit: https://myproteus.com/our-solutions/project-assurance-for-internal-audit/