
SCALABLE & INTEGRATED PROGRAM AUDIT (SIPA) METHOD
12 Jul 17, Vishnu Varthanan Moorthy
Scope and Applicability

Scope: This presentation explains the method of Scalable & Integrated Program Audit and its benefits in performing audits of large and complex programs with multiple references/expectations.

Applicability: The framework and explanation are limited to the software industry; however, the same can be leveraged in other industries with adequate care.
Fitness of Audit Programs for Large Programs/Engagements

Characteristics of large engagements:
- Complex governance
- Long duration
- Multiple services offered
- Many suppliers
- Tools dominance and virtual environments
- Engagement undergoes multiple audits from various teams
- Increased communication channels

Challenges in auditing them:
- Lack of recognition of complexity in planning the audit program
- Inadequate coverage to give confidence in the report
- Not involving all roles in the program
- Audit teams are not composed with the right capabilities
- Legal needs/data protection
- Unclear objectives and ineffective results
- Auditors lost in the vastness of information and jargon
Scalable & Integrated Program Audits
Scalable: Audit planning can be ramped up or down based on the engagement/practice needs.
Integrated: Multifunctional and multi-objective audit performed in a coordinated manner with shared values and clear responsibilities.
Program: Covering delivery of services, governance and capabilities to achieve successful results.
Audit: Evaluation of the execution of activities against expected norms/references, on a sample basis, to ensure that management/client/social objectives are met.

Scalable & Integrated Program Audit is an auditing framework for handling large, complex programs/practices in an organization, which works on value generation, compliance, capability and risk evaluation principles. It differs from traditional audits in its ability to handle larger teams, matrix communications, mammoth volumes of information and multiple norms in a systematic manner while still yielding results.
SIPA Framework Value Layers
(Roles span from Sponsor/management and Practice/Program Lead at the top layer to Auditor at the execution layer.)

Strategizing & Scaling Up Layer, key focus areas:
- Objective & value generation
- Strategizing the audit program

Integrated Program Layer, key focus areas:
- Shared objectives
- Initial information processing
- Interface & interactive points
- Governance & resources
- Conduct & reporting norms

Audit Execution Layer, key focus areas:
- Tactical planning
- Consolidation and realignment
- Information and evidence processing
- Report development & agreement
SIPA - Framework
[Framework diagram; only the recoverable content is listed]
- Top Management/Sponsor: audit strategy, scope & value, value generation, objective, budget.
- Practice LA/Program LA, practice level for multiple programs: governance, program audit plan, objective mapping.
- Engagement (or) Practice Mgmt and Program LA, program level: schedule, tactical objectives, activities (Prepare, Mgmt Audit, Execute, Report), 3C (Capability, Competency & Communication).
- Functional LAs, stream level (Stream 1 to Stream N): schedule, tactical objectives, activities (Prepare, Stream Audit, Execute, Report).
- Auditor by function & stream: daily standup, query notes, thread log.
- Auditee by role: takes part in the stream activities (Prepare, Stream Audit, Execute, Report).
- Daily report consolidation across streams.
Are Both Conditions the Same?
Engagement with a team of 50 members which has to comply with contractual requirements and the ISO 9001 standard. The team is working on mobile application development.

Engagement with 900 members which is looking forward to submitting to the client a report on compliance to contractual requirements, risks and value addition performed in the engagement, with reference to data security, healthcare and business continuity aspects. The engagement services 4 major types of work (development, maintenance, data center management, migration of code) and works across multiple domains in a virtual environment, with many automation activities in progress. In addition there is a high dependency on an external service provider for maintaining service levels. Also, 50 of the testers are working as subcontractors in the engagement, and around 12 certified project managers are handling various activities in the engagement.

Unfortunately our auditing approach, many a time, does not recognize the difference.
Planning in SIPA

Finalize Objective & Scoping:
- Get objectives from management (and/or) the audit function head
- Collect the reference compliance norms
- Understand client and interested parties' expectations
- Collect information about the engagement/practice (multiple engagements) over people, operations, sites, suppliers, etc.
- Agree on scope and objectives
- Provide initial estimation to agree on budget and availability

Design for Outcome:
- Assess the different competencies needed for the audit
- Involve stakeholders to get nominated auditors
- Conduct expectation setting session
- Design structure of audit teams
- Develop shared vision and norms
- Identify critical components & areas to check and share the responsibilities

Plan Elements:
- Prepare detailed schedule in alignment with the engagement/practice
- Contact members
- Ensure coverage and scope
- Ensure auditee identification at practice/program/stream level
- Identify if any additional auditees are needed (supplier/extended support)
- Plan the logistics of the program
- Communicate schedule and high level method on logistics

Planning Factors by Level

Audit Focus: Regulatory Audit; Process Audit; Financial Audit; Security Audit; Functional Audit; Performance Audit; Business Continuity Audit; Domain Based Audit; Technology/Architecture Audit; Standards Readiness Audit.

References/Norms: Contracts and Annexures; Quality System; Policies and procedures; Org/Practice guidelines; Statutory/Regulatory Requirements; International & national Standards; Best Practices in Industry; Client Mandates/Standards; Company Objectives.

Characteristics (Practice/Engagement): Roles & Reporting; Delivery of Services; Policies and procedures; Size of team & grades of employees; Operation sites; Tools & Technology; No. of support teams; Suppliers and type of Supplier Contracts; Current Activities; Other select information.

Third-party audits are not covered in this method, as they have pre-defined guidance in most cases.
Steps Involved in Planning

Strategize: Initiation with Management -> Objective Study Finalization -> Design Value Addition with Functional Auditors -> Develop an Audit Plan -> Practice/Program Characteristics

Program Plan: Initiate Shared Vision and Ground Rules -> Collect Information on Practice/Program -> Plan Practice Level Schedule (or) Program Level Schedule -> Prepare Auditing Aids -> Plan Logistics

Stream Plan: Plan Stream Level Objectives -> Collect Information on Streams -> Plan Stream Level Schedule -> Collaborate with Auditors -> Finalize Planning

When a practice level audit is required, multiple program level audits can be subsets of the practice level audit. Each program audit can have multiple stream level audits.
Scalability & Integration in Audit

Scalability:
- Practice level -> multiple programs
- Program level -> multiple streams

Integration (focus areas):
- Process: Quality, Regulatory
- Security: Cyber security, Business continuity
- Technical: Architecture, Configuration
- Other additions

Limits:
- Stream: up to 150 members
- Program: up to 900 members or not more than 6 streams; not more than 5 focus areas
- Practice: up to 5000 members or not more than 6 programs
Execution
Opening Meeting -> Audit Execution -> Report Preparation -> Presentation

Practice level (as applicable, with program level connect): Opening Meeting; daily Stand-up Meeting; Program Governance Audit; Stream Level Audits; Daily Report Consolidation; Reporting & Closing Meeting. Thread Log and Query Notes link the streams.

Program level: Opening Meeting; daily Stand-up Meeting; Program Governance Audit; Stream Level Audits running from Day 1 to Day N-a; Daily Report Consolidation; Reporting & Closing Meeting. Thread Log and Query Notes link the streams.

Thread Log: Helps auditors share threads with other auditors in a stream or at governance level, and across programs as required.
Query Notes: Items to be verified which they want to take up with auditors; typically connects to the next day's stand-up meeting.
Typical Areas to Check

Stream Level Planning: Client/Management Expectations; Contract/scope Commitment Mapping in planning; Budget provision for Execution; Management Structure; Roles and Responsibilities; Delivery Methodology Identification; Risk Identification and Management; RACI/Stakeholder Identification; Deliverables and Acceptance criteria; Standards/Regulatory Requirements; Resource Needs; Resource & Service Procurement; Internal/External Service Provider; Security; Business Continuity; Performance Management; Compliance Checks; Manage Teams.

Governance: Resource management; Risk management; Deliverable Management; Traceability of decisions; Capacity and availability; Operational management; Back up and Security; Lifecycle and Validation points; Budget Consumption and Key Performance measures; Client expectations met; Service provider tracking; Regulatory/Standard application/compliance; Resource Onboard/off-board; Trainings; Reporting; Tools/licenses/assets and Infrastructure.

3C (Competency, Capability & Communication): Resource Competency Management; Training and Development; Motivation and People Performance; Dynamic Resource need handling; Assets and Roles alignment with management Commitment; Develop/maintain Systems and Tools; Develop process flows/Processes; Capability measurement; Client Expectation Tracing; Scope/Change Management & Communication; Reporting and Sharing; Decision Sharing; Internal Team Communication; External Communication; Facilities and Infrastructure; Control of data/Records.

Stream Value Chain: Cost Savings; Quality Improvements; On-time performance; Compliance; Efficiency; Improvement & Innovations; Career path of resources; Client Satisfaction Improvement; Additional Value offerings; Technology adherence/utilization; ROI on Key Decisions; Succession Plan.
Reporting
Report Consolidation -> Draft Report Preparation -> Management Presentation -> Final Report Submission

[Reporting flow diagram; only the recoverable content is listed]
- Inputs: audit objective and shared vision; practice, program and stream evidence collected per focus area (Focus Area 1, e.g. Regulatory/Process, through Focus Area N, e.g. Security).
- Findings per focus area: deviations (deviation, weakness), strengths, opportunities for improvement, value chain, results.
- Report recipients: Top Management/Sponsor, Practice LA/Program LA, Engagement (or) Practice Mgmt, Functional LAs.
Conclusion
- SIPA gives better control and focus over audits.
- Flexibility to scale up to the required level and add multifunctional auditors leads to new possibilities.
- Audits are not merely compliance-focused risk assessments; instead they lead to better progress and value addition.
- Organized audits reduce chaos, and better plans enable the auditee to be comfortable doing a reality check.
- Reduces frequent audits on engagements/practices by various functions.
- Increases client/management confidence in audits.
- Improves the effectiveness of audits and gives better reporting.
