Author By: Bassam Samman, PMP, PSP, EVP | CMCS CEO and Founder
Projects are investments that organizations undertake to achieve their strategic objectives, regardless of the industry, size and type of projects. When a project is approved for execution, the investment that had been allocated for the project would take into consideration the revenue that this project will generate when completed as well as the level of risk that the project has. Failing to achieve the estimated return of investment would result in unrecoverable losses to the project owner. Of course, the return of investment is not necessarily that always be measured in monetary figures but also in terms of other tangible and intangible benefits.
Nevertheless, for many organizations not only they do not have a documented process for managing the project life cycle but they also lack having the internal control and audit that will prevent those involved in delivering the project in committing project fraud. Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. The absence of such internal controls and audits encourages those involved in the project delivery to take actions that although could benefit them personally or the organization they represent but on the other hand they would harm the project owner.
To start with, let us first define what we mean by project fraud. Project fraud is the misrepresentation of a project's mission or progress to secure project financing, reporting wrong project progress to hide project delays and/or budget overrun, wrong forecasting for expected project cost at completion to avoid reporting lower project profitability, overestimating the value of anticipated changes to the project scope to increase the project value, misuse of project resources, and/or improper dealings with project vendors for personal enrichment, substituting specified equipments and materials with lower quality alternatives, among many others.
Fraud is very much a part of every business and projects are no different. Actually, there are more chances in project fraud than other type of business frauds especially when it comes to engineering and construction projects. Project fraud often originates because employees don’t want to report bad news or information that can harm them politically or career wise. It also often results from poor planning and supervision that leads to project rework, placing the project further behind.
The most common types of project fraud includes over-reported and unsubstantiated business case or feasibility studies, unsubstantiated project decisions, under-reported initial estimates of project lifecycle costs, under-reported initial estimates of project maintenance costs, setting unrealistic project completion dates, unbalancing the project cost estimate, under-reported costs, over reported schedule progress, over-reported quality progress, project asset misuse, vendor conflict of interest and kickbacks, vendor “overselling” of their capabilities, inappropriate vendor charges.
Those project frauds occur to direct the decision makers to take certain decisions that if they would had the correct information instead of what had been passed, those decisions could have not been taken. For example, over-reported and unsubstantiated business case or feasibility studies would lead the decision maker for selecting the wrong project investments
But what actions an organization can do to reduce the opportunity to commit fraud. The first action would be to raise the visibility of project progress as n one will commit fraud if people are watching. That is why their growing demand among project owners for having single version of the truth on what it comes to projects performance reporting. Another action would be the requirement for developing a detailed and complete Work Breakdown Structure (WBS) where the project scope of work is decomposed to a level that can identify extra, missing and/ or vague work elements.
The segregation and clarity of project duties between the different project team members as well as other stakeholders is another effective action to stop project fraud. A complete and detailed organization chart that will be integrated with the WBS developed earlier will provide the project team with what is known as the accountability matrix. This matrix details the parties involved in each element of the project scope as well as the role they have in performing, approving, reviewing, supporting and others in delivering this scope.
Another action would be to manage the project critical path or paths so the team members can become aware of opportunities to accelerate and/or threats to project success. The critical path provides an objective tool for assessing the impact of today’s decisions on future project results. It also provides an objective tool for setting priorities for taking actions and allocating scarce resources to projects.
Risk identification, assessment and response are other effective fraud control action. Projects are undertaken with many uncertainties and assumptions. Implementing a formal risk management process will ensure that risks are identified, assessed qualitatively and quantitatively, response actions identified and provisions including contingency plans and reserves are allocated for the project. A formal risk management process will also provide management with the support to make rational decisions when needed.
Another important action is standardized projects performance metrics and reporting. Those metrics provide the project stakeholders with objective status of the project budget, schedule and quality performance and the impact it would have on the project completion date and estimated cost at completion. The development in project management software applications has enabled organizations to develop wide variety of metrics that not only provides wide variety of performance metrics but also enable organizations to created effective dashboards to capture the performance of a single or a group of projects in the desired format and level of detail. In addition, metrics will help the organization in setting performance thresholds where alerts will be triggered when a performance metric is over or under desired limits. Those alerts will become issues that will be assigned to project team members to resolve and which will be escalated if there were not closed within specific time period.
The last recommended action is to impose the requirement to prepare a detailed project closeout report. This report will provide an assessment of the project successes and failures, document lessons learned, confirming to which extent project objectives were achieved and ensuring that the different project contractual obligations had been terminated and transferred to the project owner in a complete way.
The above actions plus many others can become the basis for internal controls that an organization can adopt to control project fraud. For internal control to be effective, it must address the following five components: control environment - The tone at the top and operating style, risk assessment -The risks that matter for the organization, their risk appetite and the available response actions to risk, control activities - Specific policies and procedures to minimize risk, information and communication - The flow of information and communication in the company, and monitoring - Periodic assessments of internal control effectiveness.