Cost Assurance

Cost assurance and audits on infrastructure projects and contracts Part 6: Cost assurance and audit in practice


Kathleen Hannon MRICS, Cost and Commercial Assurance Team Leader, Senior Commercial Manager, Scottish Water and Cecelia Fadipe FCMA, Director, CFBL (Consulting) 

Continuing output from the Multidisciplinary Steering Group on Cost Assurance and Audits on Infrastructure Projects and Contracts

This key output from the Multidisciplinary Steering Group (MSG) for Cost Assurance and Audits on Infrastructure Projects and Contracts in a frequently asked questions (FAQ) style format contains best practice guidance and a framework for undertaking cost assurance and audits in practice on infrastructure projects and contracts.

Are cost assurance and audits something that is needed?

For most businesses involved in infrastructure projects, the answer is yes – to satisfy accounting requirements, safeguard against fraudulent activities, and report progress or cost capture, there needs to be a level of commercial assurance built into processes, systems, and business ethos. But the degree of assurance required will be dependent on how cost-conscious the business is and how cost-conscious stakeholders and the supply chain are.

The culture within organisations and how they approach cost data and choose to contract will impact how commercially aware the business and its people are or need to be. Transparency and open communication are key to getting the data quality required for sustained improvements. As such, a ‘no-blame’ culture is beneficial.

What are the uses of cost assurance and audits?


Figure 1: Cost assurance and audit – Best practice framework example. 

Audit and commercial cost assurance provide supporting evidence based on data that processes and contracts are being adhered to and identify areas where commercial practices can be improved to reduce inefficiency, assure adherence (to the contract and law), reduce cost and waste, and ensure auditability of accounts and documentation. On cost-based contracts there needs to be a degree of audits of the accounts as set out within the contract.

The accounts should be accessible to the parties. Where lump sum contracts are in use, the sharing of cost information may be limited, however, individual organisations will still need to record, verify, monitor, and forecast cost information and risks. Commercial cost assurance can ensure that the contractual procedures needed to provide these are being followed and propose improvements where required.

Why should the commercial strategy inform the cost assurance and audit objectives?

The commercial strategy of the company should inform the cost assurance and audit objectives for a defined period; such objectives may include assurance that:

Why is an initial risk assessment fundamental?

When identifying objectives, a risk assessment using baseline information should be used at a strategic level to prioritise areas for improvement and to support key project objectives. When selecting which contracts require additional cost assurance, several factors should be considered, including:

The above considerations will influence whether a project requires additional assurance and assist in targeting which areas require verification. For example, an analysis of the spend profile will guide the sampling methodology for cost verification.

What competencies should the cost assurance team have?

A cost assurance team should be independent and have strong technical capabilities, including experience in contracts, project-based issues, cost, and risk reporting. It should be aware of the procedures and processes within the business for cost reporting and risk identification/reporting. They should be independent of internal pressures to allow for fair and reasonable feedback to be given and actioned. In some cases, cost assurance may come from and sit within an existing commercial team using a peer-based assurance structure.

In such instances, it is important that the individual is clear on their objectives and does not feel pressure from senior management. It should also be recognised that there is an inherent risk in auditing yourself. If this route is chosen, there should be an independent, impartial review by an external company to verify the methodologies and audit findings.

Many organisations have an independent team carrying out commercial assurance. The benefits of this are independence, clarity for the wider stakeholders on the assurance parameters to be provided, and standardisation of audit findings. Additionally, the confidentiality of base information and findings is easier to ensure – this is of particular concern in an actual cost contract, but this can be preserved via an independent team.

How can systems and technology help in cost assurance and audits?

The benefits of the increased use of technology and systems can be significant: greater clarity and transparency, reduced resource strain, increased efficiency, improved quality from standardisation of outputs, and increased structure to processes. As organisations become more reliant on technology, cost reporting and contract administration will become more automated.

The likelihood of human error impacting data will be reduced; however, the impact of such errors or technological risks may be much more significant. As such, the use of human judgement and intervention in verification can still be of significant value. There are some challenges created from using different systems throughout the supply chain and from how data is manipulated and interpreted.

Cost assurance can assist in identifying whether such systems record the level of detail required correctly and provide clarity as to how the data is manipulated and recorded. Such systems require additional investigation and adjustments to record and report costs accurately – these can be raised in an audit, discussed, and improvements actioned.

Why is GDPR privacy and confidentiality important?

Of particular concern in assessing the cost to employ, are the sensitivity and privacy legislation concerning personal information, required to verify actual staff costs. This information is required to satisfy contract requirements and therefore must be made available, however, organisations must restrict the use of and the distribution of sensitive personal data. In practice, this can create a conundrum if privacy and confidentiality clauses are not clearly set out and addressed early on. All parties to a contract must comply with the General Data Protection Regulation (GDPR) requirements in executing the contract, and the importance of this should be stressed; an independent auditor may be required to sign a separate confidentiality and non-disclosure agreement.

What key issues are often encountered as part of cost assurance audits?

In part 1 of the MSG outputs, we examined the key issues. For example, most cost-based contracts, NEC options C-E, target cost and alliancing contracts state a requirement for cost audits to agree on actual, defined costs using open-book accounting principles before the final account is agreed. There are, however, no standard guidelines about how these should be undertaken, for example, by establishing an agreed programme of audits linked to major project milestones. Consequently, the intention of cost audits and how they should be effectively undertaken have been left to interpretation – making resource planning, time to deliver cost audits efficiently, or addressing lessons learnt, challenging.

Some businesses may have frameworks for undertaking cost audits, but to what extent do these take into account the business’s cost assurance strategy and existing people, processes, and systems issues?

What should a best practice cost assurance and audit framework look like?

In part 2 of the MSG outputs, the group recommended a three-line defence model as best practice. The first line of defence consists of control functions like cost management, an element of commercial management that ensures that the contract is administered correctly and assesses the accuracy of contractual costs. The second line of defence for cost assurance may involve strategic controls to provide added confidence to key external and internal parties that project risks will be minimised and objectives met transparently and collaboratively.

The third line of defence involves independent cost verification audits to comply with international auditing standards. It is recommended that a robust cost assurance and audit best practice framework be used. The framework, seen in Figure 1, incorporates seven key aspects; risk-based assessment of the control environment, appropriate and agreed sampling methodology, and application of independence and materiality concepts on assurance engagements and in accounting.

What do the contract schedules and legal terms stipulate?

Cost-based contracts NEC options C-E, target cost and alliancing contracts stipulate a requirement for cost audits to agree on actual and defined costs before the final account is agreed or on completion. There are, however, no set standard guidelines about how these should be undertaken, for example, via an agreed programme linked to project milestones.

Consequently, the intention of cost audits and how they should be effectively undertaken have been left to interpretation, making resource planning and time to deliver cost audits efficiently challenging. In practice, cost accuracy on cost-based contracts is governed by cost schedules and legal terms. In part 3 and part 4 of the MSG outputs, the group published best practices for the contract cost component and interpretation of contract legal terms.

What are the best practice behaviours from people undertaking and supporting cost audits?

As set out in part 5 of the MSG outputs, the skills and expertise of the cost assurance team need to extend to an understanding of contractual and legal terms, data analytics/benchmarking, knowledge of cost and financial systems, accounting, and commercial management. The people involved should provide insightful information to influence commercial and cost decisions in real-time. Ideally, this role should be undertaken by an independent team of qualified and experienced personnel comprising qualified accountants, data analysts, auditors, and quantity surveyors.

The importance of organisational culture and a cost assurance strategy for instilling confidence is vital. Training should emphasise how cost assurance audits should not be used punitively for the wrong reasons, for example, to realise efficiencies but to safeguard parties’ interest in a cost-based or open book alliancing contract equitably. Resources should be capable of administering the contract form and specific requirements and controls, so upskilling commercial, finance and project teams can safeguard adherence to these.

Construction projects often involve a high number of factors to be considered, such as defects or variations, which on their own have a small value, making it disproportionate to consider each item on its own. The courts have confirmed that sampling and extrapolation can be used to present claims and that parties should try to agree on the approach. Where parties cannot agree, the court can and will intervene by providing directions for sampling and extrapolation. This has been the subject of several court decisions and in a recent decision in 2021, the court required the defendant to choose variations to include in a sample to ensure that the sample was representative of their work as a whole.

This highlights the benefit of parties agreeing on the process of sampling and extrapolation, and this can of course be done at an early stage and as part of any review which requires assessment of a high number of items. There is not one single or approved approach to sampling and extrapolating (that will depend on the individual case), but parties should consider the following guidance from the courts: A sample should be representative of the overall population. This might involve taking a random sample or demonstrating statistical confidence between the sample and overall population, but there is no general rule that an extrapolation must be statistical in nature. Extrapolation can be inferred from a relatively small sample, where it has been established that the sample is representative. It must be possible to draw credible inferences between the sample size and the overall population.

For example, selecting a sample of variations based on their value may be an acceptable approach where these variations were issued by the same individuals on the same project in the same circumstances, and there is no other feature distinguishing the variations in the sample from the overall population.

Shy Jackson, Partner and Jennifer Varley, Senior Associate, Bryan Cave Leighton Paisner 

What do the typical cost assurance and audit cycles entail?

Communicating an audit programme linked to key milestones is recommended, as are standard protocols setting out expectations for the parties early on. This includes examining the effectiveness of controls and the project risk environment. The practicability of the sampling methodology, including the level of detail, behaviours and competency of staff interpreting the contract and examining records to safeguard compliance, and when these should be done, must be considered.

For instilling confidence in the organisational culture, communicating a cost assurance strategy is critical. Cost assurance audits should not be used punitively for the wrong reasons.

The assurance process entails setting up internal controls and procedures, including aligning cost collection and reporting systems to contract requirements.

This can be complex because standard financial systems and account code architecture that comply with International Financial Reporting Standards (IFRS) or Generally Accepted Accounting Principles (GAAP) are often standardised across multiple projects and contracts. Therefore, manual adjustments and journal entries will be required to comply with specific contract terms. More so, internal and group cost recovery assumptions may be contrary to the contract.

Part 6 of the MSG outputs contains cost reporting and assumptions best practice that involves implementing robust processes and controls for correctly administering the contract, such as timesheets and subcontract cost recovery.

As a result, as intended by cost-based or open-book contracts, the equitable sharing of risk in these contracts will result in unexpected cost risks and disallowed costs for some or all the parties. Therefore, the importance of an escalation process for disallowed costs that will arise and lessons learnt for future improvements cannot be overemphasised. Below are two examples:

Example 1: Project audit

Figure 2: Example 1 - A project audit into people and sub-contractor costs under an actual cost contract may investigate the following.

A project under an actual cost contract has been identified as suitable for audit. The cost profile identifies that 80% of spending is related to people costs and subcontractors. The auditor will evaluate the spend profile to assess which sub-contractors/people costs would be most suitable for cost verification and request records to verify costs. Records will include, but not be limited to, the following:

Example 2: Cost forecasting

Figure 3: Example 2 - An audit or review into cost forecasting under an actual cost or open book contract may investigate the following.

The commercial strategy has identified that forecasting within a department requires improvement. The auditor evaluates the existing process and undertakes an audit to evaluate whether staff are complying with the process.

    1. Lack of knowledge as to the process.
    2. Lack of skills in the use of technology used to forecast costs.
    3. The inefficiency concerning the scale of the process.
    1. Additional training or workshops.
    2. Better communication of processes.
    3. Alterations to the existing processes to increase efficiency.

As the use of cost-based contracts increases globally, so will the need for clients and their suppliers to implement effective cost assurance and cost audit processes. Clients will need assurance that the amounts they are paying their suppliers represent the costs incurred by the supplier and just as importantly value for money with both parties wanting to ensure that the supplier recovers their entitlement to cost as justified by the terms of the contract.

Cost assurance and cost auditing need to be considered as soon as a cost-reimbursable commercial model has been selected for the contract and developed in parallel with, and reflected in, the contract documentation. The client initially needs to consider what they will need as audit records and assurance processes to satisfy their internal requirements and should engage the supply chain as soon as practically possible to develop requirements that will, where possible, work with the suppliers' existing record-keeping practices and avoid the need for additional record-keeping on the part of the supplier.

The cost assurance and cost auditing processes need to align with the contract form selected, and the use of standard forms of contracts, such as the NEC4 suite of contracts should allow the parties to develop a consistent understanding and to create repeatable processes.

Ian Heaphy, Director, IN Construction

How can lessons learnt and technology be best used for future data-driven decision making?

Audit findings and non-conformances should be addressed proactively and closed out to prevent risks, issues, and disallowances from compounding. The cost assurance audit process is iterative and should not be treated as a box-ticking exercise. Technology should be used to analyse huge volumes of data from past projects, and reports/lessons learnt on completed contract audits provided in real-time to influence and inform future financial and commercial outcomes.

This proactiveness is key as no one project environment is the same because objectives, stakeholders and risks will differ, but past lessons learnt should not be repeated time and time again on future projects. Cost assurance audits serve the purpose of highlighting contract grey areas and risks early on.

The early facilitation of discussions ensures that risks and opportunities are identified early to drive contract compliance, efficiency, and value. On contracts, grey areas and unforeseen risks will almost certainly arise; therefore, technology can help improve cost and risk forecasting.

What is the outlook for cost assurance and audits?


Figure 4: Cost assurance and audit - Transformative cost and audit framework. 

Historically infrastructure in the UK has been more expensive with lower-than-average productivity than its European and US counterparts. The UK government has actively communicated future expectations through reports such as ‘Transforming Infrastructure Performance: Roadmap to 2030’, ‘National Infrastructure and Construction Procurement Pipeline 2020/21’ and the ‘Great British Railways: Williams-Shapps plan for rail’.

The recommended best practice builds on the Chartered Institute of Management Accountants’ seven-dimensional cost transformation framework to support a transformative infrastructure sector, which begins with a cost-conscious culture that actively manages risks. Next, profitability is key; therefore, contract fees, project budget and fees for an assurance engagement must be reasonable.

This means balancing cost certainty versus supply chain profitability because projects need to be cost-efficient but profitable and viable, or there is a trade-off that can drive the wrong people behaviours, as highlighted in part 5 of the MSG outputs.

What are the additional emerging issues for cost assurance and audits on infrastructure projects?

Emerging risks, complexities and costs arising from COVID-19, Brexit and carbon will require contract expertise and cost records to support disallowed cost claims. These include risks associated with the increasing cost of resources and raw materials like steel. This is worsened by sustainability and environmental, social, and corporate governance (ESG) KPIs to achieve net-zero (science-based targets).

The infrastructure sector accounts for 80% of carbon emissions, and climate change-related infrastructure risks will increasingly increase contract risks and costs. As a result, cost assurance and audit scope will expand beyond traditional cost verification and value for money audits. There may be an increasing requirement to prevent greenwashing by verifying project-related sustainability claims, carbon cost reporting, and contractual requirements to validate that defined costs are environmentally viable and to disallow costs with heightened ESG risks.

How are cost/alliancing contracts helping in sharing risks and managing cost drivers?

To share risks, the use of joint venture (JV) partnerships and alliancing contracts is on the rise; therefore, how cost assurance audit protocols and processes on JV alliancing contracts should differ versus cost-based contracts should be clear, with sensitivity to the risk-sharing intention of alliancing contracts. For cost drivers, systems, and processes, we recommend that pre-agreed protocols are embedded in the contract work scope.

On mobilising, these should be jointly reviewed to establish the readiness of the parties and alignment of people, processes, systems, and controls to the contract. This is also important for a common interpretation of contract legal terms, understanding the level of scrutiny and detailed records required in an audit or on a claim. As the industry is maturing, businesses are communicating their commercial assurance strategy, developing cost assurance protocols, and disclosing these from the tender stage to clarify objectives and how cost audits should be correctly undertaken.

These processes will require continuous improvements that will need to draw heavily on technology to help address the issues on infrastructure projects highlighted above that have been compounded by increased risks, changing consumer behaviour and new ways of working due to the pandemic. 



The Multidisciplinary Steering Group on Cost Assurance and Audits on Infrastructure Projects and Contracts: Cecelia Fadipe (chair), CFBL Consulting; Imran Akhtar, Turner & Townsend; Michael Bamber, Capita; Gary Bone, Blake Newport; Adrian Charlton, Atkins/SNC Lavalin; Kathleen Hannon, Scottish Water; Mark Harvey, Crossrail-Transport for London; Chris Haworth, Ridge & Partners; Ian Heaphy, IN Construction, NEC Contract Board; David Heath, Atkins/SNC Lavalin; Victoria Hill-Stanford, Network Rail; Charlotte Hughes, Eversheds Sutherland; Tom Leach, Southern Water; Jim McCluskey (CICES representative), Vinci; Lisa O’Toole, Network Rail (HS2); Elliot Patsanza, Ridge & Partners; Paul Railton, The Orange Partnership; Claire Randall-Smith, Eversheds Sutherland; Matt Yates, Buckingham Group; Darren Ward, The Orange Partnership; Michael Strickland, Network Rail; Shy Jackson, Bryan Cave Leighton Paisner