I came to call it the “Triangle Audit” and my experience with the process dates back almost two decades to when our firm HMS started doing Research and Development Tax Claims. Project Managers are often faced with this process and not just for R&D claims but also for Defense Contract Audit Agency or other government compliance reasons. Let’s take a look at what the Triangle Audit looks like from the project manager’s perspective and how you can think of the systems you’ll need to implement as part of your core project management process to ensure these types of audits can be responded to successfully.
First, the three basic aspects of the triangle audit are:
- Project Management
Sounds simple enough, right? It can be.
But it’s often not.
Phase One – Payroll
If your audit is designed to show the true cost of a project, then it will often start with the payroll. This would be true for an R&D tax claim or a Sarbanes-Oxley audit to determine true project costs for an asset that will now be displayed on the balance sheet.
After all, if the payroll doesn’t add up to what you’re claiming the project is worth, you’ve got troubles before we even start thinking of project management. Validating the human resources costs is not always obvious. Perhaps you’ve used sub-contractors for this project. Can you identify their costs? Perhaps the sub-contractors have worked on a fixed price basis. Perhaps they have worked on multiple projects. Perhaps you’ve had some temporary workers on the project. Perhaps you’ve had unpaid interns on the project. Can you count the value they’ve added without the payroll? All good questions for Finance as they look to report on total labor costs.
Phase Two – Project Plans
Once the total cost of people has been confirmed, the audit moves its attention to the project plans. Is there a plan? When did the project start? What was the original plan? What progress has been made? When we’re talking about audits, it’s almost always important to be able to identify the planned work and progressed work during this fiscal period. Was there a baseline taken at the start of the fiscal year? Can the work for this fiscal year be distinguished from the previous fiscal year?
Auditors look for some obvious red flags:
- Did your project exactly match the baseline plan? That’s not how life works. To an auditor this says that the reports they’re looking were not worked on all year but rather were prepared at the end of the year to satisfy the needs of the auditors. That will cause the auditors to start looking much more closely at all the project data with an eye to whether it has been prepared just to pass the audit or is a real reflection of the project.
- Are there progress reports going forward for the year or just a report prepared at the end of the year? To an auditor, this may indicate that the reports aren’t a reflection of what actually happened but rather are prepared after the fact just to satisfy the audit.
- Are there journal notes or some kind of description of how the project progressed? Auditors will be looking to a) justify through a narrative why the project is worth what it cost and; b) validate whether the narrative reports match the progress reported.
Phase Three – Timesheets
For most projects, timesheet data is the glue where the bulk of the costs from Finance and the progress from Project Management meet. For most projects where a Triangle Audit is important, labor is the main cost or at least the cost which requires the most work to audit.
Timesheet data must be able to distinguish not just the project name but some categorization of what was done. In a project audit like this, the auditors will want to identify tasks or groups of tasks in the timesheet data. It’s not enough to say programming or testing. The report should be able to say testing on what. Timesheets don’t always have to go to every task that was listed on the project management report but they can’t just be for the whole project either. Some level between will be acceptable for most auditors.
Phase Four – reconciled data
Because of the order in which the data is collected, by the time the auditors look at the timesheet data, they already have total costs and project progress for the fiscal year in question. So, the next obvious task is to compare what they were expecting with what they’re seeing and this can be a critical element of the audit when you think of systems. So far we’ve only talked about the type of data being collected not the systems the data resided in. To be fair, in theory, you don’t need a computer at all to pass such an audit. It could theoretically be accomplished using just paper though these days that’s not very common.
The challenge in this phase is that the systems for timesheets, projects and payroll are rarely together. Let’s take a couple of the most likely scenarios that could cause grief for the audit:
Only one timesheet exists which supports only Finance or Project Management
In some cases the only timesheet in existence will be part of the Finance department and will be filled in to support payroll and/or human resources. The timesheet might have capacity for describing what time was spent on but it’s more likely that it is associated to the possible conditions that would change the payroll so the functionality of the timesheet deals with vacations, sick leave, hourly workers, part time workers paid leave and unpaid leave for different purposes, overtime, bonuses and other pay-related matters. On the project management side in this scenario, there wouldn’t be a timesheet. And, when the auditor requests proof of what time was spent on what part of each project, the only answer would be to approximate based on the progress reported. This can lead to a challenge to get through the audit successfully.
In other cases, it will be the Project Management department which has a timesheet which is associated to each project. The Finance department in this case won’t have a timesheet as the payroll and HR functions might not require it. In an all-salaried organization, this can be common. The Project Managers have the timesheet and in each timesheet there is an opportunity to link the time directly to tasks on the projects but all the controls that Finance is so used to are absent. The approvals and validations of the timesheet are almost all about what each project manager says. There is no function in which the totals for the timesheet are required to balance to the total work for that employee. In fact, it may be more common to have to record time only for the projects or even only for some projects. In many cases the timesheets won’t match the number of hours that each employee works each week and this will cause the auditors to take pause. How can they know what the quality of this timesheet data is if they cannot balance it to the other data they have?
There are different timesheets for Payroll, HR and Project Management
Multiple timesheets is, sadly, all too common. Each department has imposed a requirement on employees to fill in timesheets. HR has one for time off such as sick leave and vacation. Payroll has one for attendance so it can calculate each employee’s pay and Project Management has one for tracking project progress hours on key projects. If you ask which of these is the “real” timesheet, all three departments answer “this one”. The chances of three disparate timesheets adding up to the same numbers is 0.0%. They will never balance without specific processes and procedures to ensure that they will each week which can be a daunting challenge. This scenario can even occur when an enterprise-wide ERP system has been deployed. If the timesheet within the ERP is serving only Finance and not tracking labor to the project task level, then you might as well have no project timesheet at all. For auditors, they are again left with questions over how to balance the numbers they have already with timesheet values that don’t match. Of course, we’re just talking about the results of the audit here but how many employees are happy about filling in multiple timesheets at the end of each week? Not many we’d guess.
There is no timesheet at all
Surprisingly uncommon, is the situation where there is no timesheet data at all and the audit has to confront accepting the data on face value. The usual result of this is a failed audit but there are circumstances where that’s not the case. For example, an entire division is working on only one project and nothing else so there are few questions over what project the time was spent on. Progress data from the project management side may be enough to have the auditors accept the calculations from that system associated to the payroll numbers.
Making a system that supports the Triangle Audit
If you are in the position to make a system to support this type of project management audit, then there are a few key criteria to include in your system design.
Use that crazy new technology
I’m referring to talking to each other of course. Get the Project Management department and the Finance department and perhaps the IT department together before the beginning of the next fiscal year and talk about what Finance will be needing at the end of it. At HMS we encounter countless organizations who call us at the end of the year asking if we can fix last year’s data. We can’t of course and once the new Fiscal Year is complete, the urgency of fixing the systems dissipates and people go on hoping it’ll be better next year. If you talk about your existing systems, you have a chance of doing a self-inventory of what you have to see if you have gaps or to make decisions on how to proceed.
Find or configure a timesheet to support both Payroll and Project Management
If your existing timesheet system can support both Finance and Project Management, then configuring it to do so can solve the most likely gap in your auditable system. This will require not only configuring the timesheet to work at the task level for project management but also include all the controls for Finance. There will be resistance from Project Management to include Finance-level controls and from Finance to work at the lowest common denominator of task detail but if you did that first step of talking about this first, a compromise can be reached.
If there is no configuring an existing timesheet then you can look for one that supports both systems. When you do, you’ll need to do more than ask if this new timesheet system can send data back and forth to your project management system and your Finance system (they all can), but you will need also to determine if processes from both departments can be accommodated. Is there an approval mechanism that supports both departments? Are there Finance level controls for validating data? Can rates be supported in the way Finance needs for Payroll and Project Management needs for costing? … and so on. We do this at HMS every day obviously. Our TimeControl system is often looked at as a possible solution to this type of challenge.
Finally, for the long term, document what you’re doing. At some point in the future, perhaps years from now, someone else will be reviewing your systems and trying to figure out why you made the system choices you did. Being able to read the justifications for the decisions you made can save the organization in a major way in the future from failing future audits that have gone so well for so long.