cited. Research Article An Approach to Audit Dynamic Changes within Project Development Life Cycle – A Case of Omani Public Organization Authors

In the field of project management, rapidly changing environments are newly recognized and of increased challenge. Old-fashioned inflexible methods, focused around process control, are considered obsolete. Along with the increasing diffusion of project management worldwide, a comprehensive governance principle does not yet address this objective. Therefore, the driven dynamic changes (DC) into the business environment strongly influence the business processes and the project objectives. Thus, the risk of failure for outsourced information technology projects will increase. Thus, there is a clear need of an approach which will handle dynamic changes (DC) into project development life cycle (PDLC). This research focus on how the adoption of control principle in project development life cycle (PDLC) will reduce the effect of dynamic changes on overall project objectives. A qualitative approach has been followed by incorporating project management controls from different industrial standards, secondary data from available scientific literature and case study of Omani public organization were adopted and analyzed. This research will outline the foundation of an approach to how dynamic changes can easily be managed by using control practices during PDLC and can be accommodated within project budget.


Introduction
Information Technology projects are subject to immense influences from a large number of critical factors such as dynamic changes, interdependency among projects and failure to meet the defined stakeholder's requirement.Hence, paying less attention to these factors frequently leads to major delays in projects completion, project performance measurement, exceeds the proposed baselines and sometimes projects being aborted (Greame Thomas & Fermandez, 2008;Wallace, 2007).

Communications of the IBIMA 2
In today's world, most of the IT projects are outsourced.Outsourced projects are usually managed through a third party for a certain organization.In this case, the third party is defined as a seller while the organization is classified as a buyer.Therefore, the concerns of these two entities would split between technical aspects and business aspects.According to Chen (Chen, 2011), the benefit perceived by one party usually come as a cost to other partners.Accordingly, the importance of information technology control increased and has been recognized as a vital technique to provide the required level of the internal control.The provision of this control influence tasks completion competency and project management performance.It assists the optimization of employees behavior in a way that allows the achievement of organizational goals (Bernroider;& Ivanov, 2011).
The internal control is enclosed differently by several IT audit frameworks such as COSO, COBIT, ITIL and ISO27001.These frameworks assist to guide and evaluate the practices of the different areas of IT such as security, application, service management and IT business process.Besides, some of them provide guidelines to evaluate the process of project development life cycle (PDLC).These are developed to follow up the accuracy and completion of the entire PDLC phases.This governance scheme would help to eliminate the challenge of achieving all projects goals, objectives while honoring perceived project constraints, risks and balance the received benefit from the two different perspectives in the outsourced project (Brad Tuttle & D.Vandervelde, 2007).Numerous factors do affect the completion of PDLC which is labeled as dynamic changes.For example, adding new requirement to the project plan, technology changes, interdependency between progressed projects etc.They cause a delay to the project completion in terms of exceeding the approved budget and achieve either if not none; low deliverables.Hence facing any of these issues in project management is a sign of low level of internal audit and control.
Managing these risks entails the efforts of various parties within the organization and demands to implement an effective framework of information technology governance.This becomes a necessity as organizations have developed essential dependencies on IT for their success (Abu-Musa, 2008).
Despite, most of the international frameworks mentioned internal controls; there are no single audit and control framework which study dynamic changes (DC) over the different phases of PDLC; when and where it can be used to as internal controls.As well, it is noticeable that organizations cannot predict the DCs since it is uncertain.Therefore, the need of a comprehensive framework to provide strategies of auditing overall project development life cycle is highly recommended.This research will elaborate more about controlling IT project management and visualize these DC problems through the proposed approach.This approach assists to study the DC from different prospective and eliminate the effects of unpredictable associated risks involved in overall PDLC phases.Besides, it would assist to integrate the compulsory changes and ensures project's completion as originally planned.
This research presents a fundamental understanding on project development life cycle, project management standards followed by issues in regards to the dynamic changes in project management.The paper will also present research methodology, proposed approach and case analysis with conclusion.

Managing the Company Projects
According to eskendahl (Meskendahl, 2010), only 63% of the firms do realizing their strategies potential value and 66% of them report corporate strategy is never implemented (Orla McHugh & Hogan, 2010).However, as Hrebiniak stated, "it is very difficult to make strategy work than to make strategy" (Hrebiniak, 2006).Hence, project portfolio management comes to be as an achievement control for the business strategies (Orla McHugh & Hogan, 2010).
Hellstrom & Wikstrom indicated, "Despite the fact that projects mostly are illustrated as something unique; project management has become a core business process for both private and government organizations."This is because of the perceived increased focus on core competencies where clients have outsourced more and more of their projects scope, and the demand of specialized project contractors and suppliers have augmented (Katalin Pádár, Bela Pataki, & Sebestyén, 2011;Magnus Hellstrom & Wikstrom, 2005).
Mainly, there are two standards used for managing projects process: Project Management Body of Knowledge (PMBOK) which is developed by the project management institution PMI and the Project IN Controlled Environment (PRINCE2) which is developed by the office of government commerce and used extensively by UK Government.These methodologies are flexible in design and can be customized to suit the needs of the adopted organizations (Greame Thomas & Fermandez, 2008;Orla McHugh & Hogan, 2010).Therefore, it was observed that 38.9% of organizations in Germany and Switzerland are following project management standards where only 19.2% of them following PMBOK methodology (Frederik Ahlemann, Frank Teuteberg, & Vogelsang, 2009).
An empirical study found that the use of project management practices in information systems (IS) departments do improve the IT project management process.Such practices improve the effectiveness and efficiency in terms of better project planning, scheduling, monitoring, and controlling.As well, it improves the IS departments productivity, time management and decision making (Louis Raymond & Bergeron, 2008) & Shah, 2007).Rod Farr (Farr-Wharton, 2003) investigated that in certain projects type, it is very difficult for an organization to find an appropriate skilled project manager within project budget and considered as major factor towards the decision of project outsourcing.
According to aforementioned literature, define the semi-outsourced as a situation when buyer and seller share the responsibilities for managing IT projects.This type of project management combination always led to some problems, which arise from the differences between the two entities in their business goals and organizations structure.As well, it raises the feeling of vulnerability to opportunism or shirking of responsibilities by the other with both buyer and seller.Therefore, such feeling, consequently, may make the two entities to pull project management into different directions.Along with the difficulties in obtaining quick feedback, meeting frequencies, and building interpersonal relationships, make the management of semi outsourced IT projects as a tough task to classify successful based on the PMBOK and PRINCE2 (Sabherwal, 2003).
In reference to the importance of project management, some researchers observed that IT projects are often adding little or no organizational value even though the substantial investments are made (Marnwick C., 2010).For example, a KPMG survey of 600 organizations across 22 countries represented that "project complexity, in the IT domain, increased in 88% of organizations and budget baseline was exceeded for around of 79% of organizations."Furthermore, it was found that "86% of project outcomes fell short of planned expectations '' (Karen E. Papke-Shields, Communications of the IBIMA 4 Catherine Beise, & Quan, 2010).These insights the importance to use internal control techniques for outsourced IT projects in order to ensure the accomplishment of projects goals and objectives.

Auditing and Controlling Company's Project
Throughout the development of any project lifecycle, audit practices provide expertise on both the internal control and how to ensure that all information systems, related topics and procedures perform efficiently and fit in to applicable law, regulation and other standards within the management scope.Additionally, practicing audit in project management confirms to proper process of integration, configuration and recording the additional requirement cost for any new accepted changes in the organization financial statement (Champlain, 2003).
IT audit principles are the foundation defined by the information system audit and control association (ISACA, 2010).It formed multiple levels of controls that are categorized as: • Standards: the mandatory requirements for IT audit and assurance.They set the minimum level of acceptable performance required to meet the professional level of performances that are identified in the ISACA Code of Professional Ethics.
• Guidelines: are assistance steps in applying IT Audit and Assurance Standards.
• Tools and Techniques: are examples of procedures and technologies for IT audit and assurance the organization might follow (ISACA, 2010).
Despite, the global agreement on how IT governance best practice governs the implementation of IT related projects; it is not applied universally (Marnwick C., 2010).Therefore, implementing effective IT governance is crucial to ensure that all IT and its related issues are working effectively.
There are some critical factors stands beyond the success of practicing IT audit.The most common ones are senior management support, clear and realistic objectives, personnel knowledge of project management (Karen E. Papke-Shields, et al., 2010).An investigation's results stated that the given training to the project managers is not considering as a high priority in several organizations.Thus, this behavior increases the risk of business project failure.For example, the 2000 Gartner Survey indicated that 60% of organizations did not offer project management training (Champlain, 2003).In 2011, the highest priorities rank IT management as the top ten businesses and technology worldwide which increases enterprise growth, improves business process and the other business successes.(Christy Pettey, 2010;Meskendahl, 2010).Further, the usage of a standardized Information System Project Management Methodology (ISPMM) is very important to ensure that the development is completed accordingly based on original plan.The lack of ISPMM cannot prevent the tendency of adding additional features to the system based on the impacts of DC during the phases of PDLC (Champlain, 2003).
Thus, the use of our proposed framework will assist in controlling the process of project management and eliminate the consequences from the previous mentioned factors.As well as the organizations willingness to adopt control framework to ensure the compatibility between their businesses objectives and the initiated projects (Frederik Ahlemann, et al., 2009;Kristina Zdanytė & Neverauskas, 2011).
This research has performed analysis on five selected frameworks: COBIT, COSO, ITIL, ISO27001 / ISO17799 / B-S7799 and NAS INFOSEC assessment methodology; and studied how they conduct IT project management audit process.These principles were initiated for auditing a specific area from the organizations business process such as information management, services management, project management and information security.It has been found that these frameworks overlap with each other in IT audit governance zones.Therefore, no single framework is comprehensive enough to control all of the different areas in IT division (Sergio Pellegrinelli, et al., 2007).
Table 1 provides a detailed analysis and comparison of how each framework surrounds in project management control areas.

Table 1: General Comparison Analysis for IT Governance Framework
Table 2 shows how the frameworks enclosed controls in auditing the project management process and business and system process (Champlain, 2003;Chris Davis, Mike Schiller, & Wheeler, 2007;Hrebiniak, 2006).It covered seven components in project management and five ones in business and system process.In reference to Davis and Wheeler (Chris Davis, et al., 2007), Table 2 highlights how these frameworks are different in the coverage areas, objectives, responsibility for internal control and who is the target audience.IT audit and control frameworks are diverse since some of them focus on controlling security while others aligning the IT process to organization goals and application.Table 2 compares the selected framework from two main prospective; project management process control and business system process controls which fit to this research scope.
The above analysis clearly identifies that these frameworks are serving specific areas of IT and no one cover them in a whole (Bernroider;& Ivanov, 2011).Thus in order to perform comprehensive IT project management which cover all areas of business, requires the usage of two frameworks.Also it has been found that most commonly used frameworks to control the project management process were COBIT and COSO or a combination of both.Table 2 shows how COBIT and COSO are mapped to which extent and they are important to govern IT project management in COBIT 4.1 (Bernroider;& Ivanov, 2011;Hrebiniak, 2006).
COBIT focuses mainly on IT process controls whereas COSO focuses on the controls of financial processes.Therefore, both frameworks can be used to govern the entire IT projects process.In COBIT 4.1, "COBIT is the generally accepted as an internal control framework for IT and COSO is the generally accepted framework for enterprise" (Koren Brand K & Boonen, 2007).As well, both work as a supplement for each other to ensure an overall control for the success of the organization business process.However, COBIT has been considered as one of the strongest practices available for assisting organization in a way that how IT supports its visions and strategies.This is due to the fact that it is the only control framework which dedicated the project management as one of its components.It is entitled as P010 manage project.The importance of that component is to assist in ensuring the correct prioritization and co-ordination of the existed projects (Marnwick C., 2010).However, the project change control objective of that component requests to establish a control system to review, approve and incorporate the accepted changes to the project plan without affecting the project success.However, it does not mention the process of the change control when changes cannot be accepted while it is important to the project success.Accordingly, it is noticeable how both frameworks indicate the importance of change control in IT process but they do not provide any solution or process how it should be handled.Thus, the next section is underlining the different impacts of dynamic changes on PDLC and the importance to set an approach to control the above mentioned problem.

Managing Dynamic Change
According to Chung-Yang Chen, "In a clientsupplier relationship of project procurement, the client typically views an outsourced project as a black box."(Chen, 2011).It is because the outsourced projects are easily affected and been not successful due to several endlessly changes such as (Wallace, 2007): Changes and dynamic changes are different, the changes happen once at any stage, but the dynamic changes are unpredictable and can be required at any phase of PDLC and would consequently, make other changes as shown in Figure 1.Hence, the lack of control with all of these changes does cause project delay; project exceeds the original proposed baselines and even some situations/cases it led to project cessation.Therefore, this subsequently increases the risks of project failure with semi outsourced project.This is due to the direct or indirect influences between the buyer and seller who use different methodologies of management and control.In order to manage and control outsourced project effectively under these circumstances, the buyer may attempt to monitor and intervene in the seller processes Communications of the IBIMA 8 to proactively identify risks, ensure quality deliverables, obtain timely information or give timely support, and maintain a shared vision of the project with the seller.

Figure 1: Illustrates the Coverage Areas of Dynamic Changes through the PDLC
This research is trying to highlight that the importance of project audits is not seriously taken while it would add value (Hettigei, 2005).Since activating audit process at the later stages will request more time and cost as it was described in the PMBOK (Wallace, 2007).Nevertheless, it is highly recommended to form the available control principles in a way that will assists to overcome the resulted problem from DC during the PDLC and reduce the associated risks of project failure.Thus, a proposed solution is required to eliminate the impacts of DC and streamline the process of accepting and integrating the important changes to the PDLC without changing the estimated baselines.

Research Methodology
In parallel with our research's objectives, a qualitative approach was adopted to optimize the limited timelines and draw a good conclusion for the existing scenario of IT audit practices in project management.The results have been achieved by using incorporation of project management controls in secondary data and models.To test our proposed approach, a case study of one of the Oman's public organizations has been used.Due to the confidentiality reasons, the organization will be named in our case study as "Organization X".This Analysis was based on studying how the project management audits best practices of COBIT 4.1 and COSO is complemented to the existing situation for some organizations in the Omani marketplace.Thus, to find a solution for reducing dynamic changes consequence effects on projects baselines, deliverables and objectives.The following processes were applied to gather the necessary information: Primarily, examine the latest published data based on following questions: 1. How projects are managed in terms of the used methodology?
2. How do organization in public and private sectors manage the dynamic changes during the process of the project development life cycle?
3. How organization monitors each stage within PDLC in consistency with the adopted project management methodology?
4. What audit and control frameworks are followed in order to monitor all the project's inputs and outputs?How does it help to control the risks of DC?
The gathered data showed how the two frameworks are used to govern the IT project management process in Oman.They are mapped together to control the management of the project's process, since COSO is mainly focusing on controls for financial processes, and COBIT focuses on controlling IT process (Leader, 2003).In addition, a suggested control layer was developed based on the collected data from the preliminary step.It assists to govern the DC in all the PDLC domains.The selected DCs in the case analysis section were the most challenged ones in organization X.
Finally, a real case study from the Omani market has been used to apply the proposed control layer and develop the solution.The required information for the case study was collected through interviewing the project supervisor, project leader and auditing group in organization X.Some of the interview questions include: How the organization manages its projects?What are the common problems they face in project management?What are the frequent DCs the organization face?What are the implemented procedures to manage the DCs and what auditing groups are practicing in governing the IT project in this organization?The next section presents our proposed framework which will help to overcome challenges of dynamic changes in IT project management.

Proposed Framework
The proposed framework is designed to cater the management implications involved in auditing the dynamic changes of semi outsourced projects.Organization involved in initializing the project is normally referred as "buyer" and organization involved in implementing and deliver the required project refer as "seller".The seller usually deals with multi-suppliers normally known as sub-contractors.They are used to deliver the demanded service for the buyer indirectly.Therefore, the communication for the development of the outsourced project will be clearly monitored and audited between the seller and buyer, but it would not be noticeable and controllable between the buyer and the sub-contractors.Figure 2 depicts the relationships among buyer and seller in outsourcing the projects.In our framework approach, different components from COBIT 4.1 and COSO that related to change management are selected and consider as a baseline followed with a proper procedure to deal and integrate such dynamic changes in to existing PDLC.A detailed explanation to the proposed dynamic changes control layer process is illustrated in Figure 4.

Table 3: Expected Impacts of DC on Any Phase of PDLC
It is obvious that DC effects differ on every phase of the PDLC.If the DC occurs in the initiation stage; it can be managed easily since the project is in a startup stage.However, it is harder to manage it in the execution phase.In order to test the validity of the above proposed solution we adopted a case study of public organization from Oman.The case is based on three main scenarios where each one describes different cases of DCs and its influences on the project completion.These scenarios are illustrated in the following section.

Case Analysis
To assess our proposed framework, a case study of one of the Oman public organizations is being used.Due to the confidentiality reason, the organization has been named here as "Organization X".This organization considered as a corporate head office of Oman.It has around 26 branches all over Oman including Salalah, Muscat, Sohar and Nizwa and has work force of 15, 857 employees (As of September 2011).The organization X comprises of several departments but for this study will focus on Information & Computer Technology (ICT) department and processes currently followed for any project implementation.The ICT department is further divided into six (6) sub-sections which are: 1. Service Support In ICT department, all projects go through the following nine (9) steps, Step 1: A request, a need, or a problem will be discovered by the sections head and send to ICT General Manager (GM) as a project proposal.
Step 2: If the GM approves the idea (project proposal), the sections head again will provide a formal request for proposal (RFP) to be send to the CEO.
Step 3: When the RFP is approved by the CEO; ICT department will contact the supply department to issue a tender for this project.
Step 4: The tender process will be supervised by the supply department from the start till the end (from announcing the tender until Step 5: Once the vendor is selected, the ICT department will sign a contract with the selected vendor to start the project based on the organization's requirement. Step 6: To handle the project, the job of the Project Manager (PM) will be semi outsourced.The vendor will create and submit a project plan and schedule; ICT department will review, modify and confirm it based on project requirements.
Step 7: Once the project plan and schedule is confirmed, project kickoffs and project status meeting commenced weekly or biweekly based on the project plan.These meetings provide the overall project status, agreed project objectives, manage the new requirement and changes coming from different department and resolve any project issues which will affect the overall project success.
Step 8: ICT department will create monthly project deliverables report and to be submitted to GM.
Step 9: The vendor's maintenance and support contract will start after the successful project implementation In this case study, ICT Department -Network subsection project "Company's Network Upgrade" is being used.The project objective is to upgrade organization complete network including 26 locations in Oman.The project is semi outsourced where the selected vendor (seller) executes the project work under the supervision of ICT Department.
During the project execution phase, several new requirements and changes has been put forward from different department and to accommodate all the requested changes, ICT Department has to continuously extend the project timelines.Our case study, analyze the following three (3) scenarios during the PDLC where requested dynamic changes affect the project timelines: Due to the organization X restructuring, the management would like the extension of current three floors of headquarter building.This change is mandatory for business operation in order to accommodate new staff.And also to facilitate the central meeting hall business operational requirement equipped with cutting edge technology such as communication and video conference real time links.The project management team considers this change as a major constraint because it came during the execution phase and will affect the original network upgrade plan.In order to accommodate this change, the network upgrade plan requires to be changed based on the fact that it requires network infrastructure installation on new building and link needs to be created to connect with central core switches and server.Thus, the project manager has left with no choice to reject this dynamic change (DC) because this will derail the project scope, cost and timelines.
In order to facilitate the above scenarios change request, our proposed framework approach measuring scale as shown in Table 3 which will help project management office to evaluate the change request and come up with the better decision.Based on the budget/cost factor, project management office has to decide either to adopt or reject the change.If the required change request has low cost, no impact on project overall times lines, no other dependency and no other alternatives are available as shown in Table 3 (Alternative 1) than the PMO decision will be to accept the change.However, if the change request falls under alternative 2, 3 or 4; the change request will be rejected.In the case of mandatory dynamic change request which is aligned with organization and project objectives, but will impact the original project timelines; it could be managed as separate mini scope project carried in parallel with the main project.Mini scope project can be executed by the same or new vendor with a distinct baseline and budget

Scenario B -Two Dynamic Changes (DC): Interdependency and Exploit Technology
Organization X management would like to upgrade its headquarter building old network infrastructure to a powerful and scalable network.In order to accommodate this management change request during PDLC, current data center room extension is required with the installation of new cooling system (interdependency change request) before the project development starts.Room extension and cooling system installation do not come under ICT department responsibility.The project cannot be started without the required adjustment because heat generation is the major risk for servers and switches.Due to these interdependencies, PMO left with no choice to start the project execution.If the project was not started on time, it will have massive impact on data center operation to manage network traffic including several IT applications resides on the server.Also data center was already facing network infrastructure challenges with the implementation of RFID application into store department which was taking enormous network resources.Thus, if the PMO use the proposed framework approach, they will easily manage the data center issues as a separate scope and ensure the project completion on time.

Scenario C -Multiple Dynamic Changes (DC): Confusion between Departments
Due to the organization X restructuring, the management would like go ahead with the extension of current three floors of headquarter building which includes upgrade of its entire network infrastructure (Scenario A and B together).In conjunction with these two change requests there was additional change request put forward by ICT department to use CEO office which is part of the headquarter office as a place to keep the additional cabinets of servers and switches to provide network link to the extension building.The ICT department change request was based on the industry standard network performance guidelines which states that do not pull cables distance length more than 90 meters.However, the CEO rejects this change request to provide the required place to ICT department without looking into thorough technical details and jeopardize the project completion and network performance objective.However, with the use of our proposed framework, PMO can manage these dependent change requests as a separate mini scope projects which will have no impact on the original project scope, cost and timelines.
The proposed framework will help project management office to better manage the influx of any number of change requests from business side.It assists PMO to manage any type of change request (dependent or independent).These change requests will be completed parallel with the original PDLC.Applying the proposed framework to above scenarios during PDLC will fulfill all the requirements from business units and achieve project goal in the same timeframe.

Conclusion
The rapid extent of project management to the development of "new" technologies is an important development particularly the application of project management to the area of information technology.This field is generally uptight with a much higher level of complexity (e.g. more stakeholders to be satisfied) and is the result of more brain work.Also, the logical progression of the work is less evident.Changes to projects are almost inevitable.As project work Communications of the IBIMA 14 progresses, discoveries are made, problems are encountered and solved, new requirements are discovered.All of these have the potential to change one or more of the three main constraints that bound any project -Time (the deadline), Resources (the people, materials and money available to do the project), and Output (the required deliverables).Any change that affects one of these constraints can seriously affect the ultimate delivery of the project.Most of the project's failure is caused due to the low or non-control practices during the PDLC.This directly affects project timelines and budget overruns.However, exceeding the time to complete the project is considered as a cost.If proper control practices are followed the same resources can be invested into new projects and business task.Therefore it is evident that low level of controls in project management cannot be implemented without using the best evaluating practices.Most of the organization in PDLC gives less time to project team to evaluate dynamic changes which results in eventually moving away from project baseline objective.
Our proposed approach outlines the foundation of an approach on how dynamic changes can be managed using best practices in PDLC as the current business environments are considered as high risk and unpredictable.In addition, it is very important to exercise governance strategies to ensure the success of outsourced project.As part of future work, IT audit best practices and controls in project management area will be explored.
Organization's structure • Exploit technology improvements • Organization's priorities/objectives • New business partners and channels • New industrial legislation and regulations • Globalization, standards • Dependencies and interdependencies with other project • Chaos among department

Figure
Figure 2: Buyer and Seller Relationship Changes in project requirements specification during project development is considered normal but if changes are dynamic, ad hoc and not expected then it is difficult to satisfy and convinced all parties involved in the project.Our framework

Figure 4 :
Figure 4: DC Control Layer DC control layer operates when a change request is initiated; every change has to be addressed through the audit process in the PMO.The PMO has to make the decision to either accept or deny the request.The