On the Frontlines: When Project Changes Happen

For internal auditors, understanding variation orders (VOs) is essential to assessing construction project risks effectively. Such familiarity supports conformance with Global Internal Audit Standard 13.2 – Engagement Risk Assessment, which requires auditors to understand the activities they review. Understanding the major risks and related controls can help auditors design an effective risk and control matrix covering VOs in construction projects, although the same principles can also be applied in other industries.

Understanding Variation Orders

VOs are common during construction projects and one of the primary causes of cost overruns, delays, and disputes. They arise from factors such as incomplete designs, unclear scopes, design changes, or owner-driven modifications. While some are unavoidable, many stem from weak planning.

It is important to recognize that VOs may not always involve additions. Scope omissions, usually referred to as de-scoping, is a reduction in the scope of work. This can happen because of financial constraints, errors, or changing project needs. While this piece focuses on VOs related to scope additions, VOs related to de-scoping have their own risks, such as lower quality, incomplete systems, or failure to meet end-user requirements.

The impact of VOs varies depending on the contract type, typically one of three forms:

• Lump-sum contracts, where the contractor delivers a clearly defined scope for a fixed price. These are highly susceptible to VO risk, as any deviation from the original scope usually requires formal approval and a price or schedule adjustment.
• Cost-plus contracts, where the owner reimburses actual costs plus a fee. These provide flexibility but shift cost risk to the owner and require strong controls to allow for review of actual expenditures before approval.
• Unit rate contracts, which set fixed prices per unit of work (e.g., per cubic meter of concrete), with total cost depending on quantities executed. This structure balances risk between the owner and contractor.

It is worth noting that each contract type can include mechanisms to limit an organization’s exposure to specific risks. For example, capped cost-plus contracts can help control budget overruns for the owner.

Key Risks and Controls

Here are the four main risk categories involved in VO risk, along with controls to help mitigate them.

Budget

Frequent or uncontrolled VOs can erode project budgets. Each approved change may add costs or deplete contingency reserves, leaving projects exposed to financial shocks. Informal or poorly reviewed changes often lead to scope creep — unauthorized expansion of a project without cost or time adjustments.

To mitigate these risks, projects should have mechanisms to evaluate the cost impact of each VO before approval. Internal auditors should confirm that cost estimates are independently reviewed, that VOs are approved according to a delegation of authority matrix, and that the cumulative VO value is monitored relative to the original contract amount. Contracts should also include procedures for reassessing unit rates and pricing when total VO value exceeds specified thresholds. Integrating approved or potential VOs into cash flow forecasts and the estimate at completion further strengthens financial controls.

Schedule

VOs can alter the critical path of a project, or the sequence of activities that determines the earliest completion date. Delays on this path directly impact delivery timelines. Without a formal time impact analysis, project teams may approve changes without fully understanding their schedule implications. It is worth noting, however, that not all VOs, even those with time implications, necessarily affect the critical path or delay overall completion, as certain activities can be executed concurrently.

Auditors should verify that each VO undergoes proper schedule impact evaluation. Some VOs can result in extension of time claims that include prolongation costs, where contractors seek compensation for indirect expenses such as extended site overheads or equipment rentals. Such claims need to be carefully assessed by the project controls team.

Procurement

Improperly managed VOs can undermine the fairness and transparency of the bidding process. A common manipulation tactic is the “bid low, claim high” strategy, where contractors submit low bids expecting to recover profits through later VOs. This distorts competition and inflates final project costs.

To mitigate this, auditors should review tender evaluation practices, confirming that bids are assessed not only on price but also on scope completeness and underlying assumptions. A pre-tender estimate can serve as a benchmark to detect unusually low bids. Auditors should also examine early VOs issued soon after contract award, especially for work that should have been foreseen, as these may indicate procurement manipulation.

Fraud

As per Standard 13.2 – Engagement Risk Assessment, risks related to fraud must be considered for every engagement. VOs can expose construction projects to significant fraud risks.

One of the most concerning fraud scenarios involves collusion between the owner’s staff and contractors, where unnecessary or inflated VOs are approved in exchange for kickbacks or other benefits. The risk is especially high when the same individuals are responsible for both initiating and approving VOs without sufficient segregation of duties. Fraud may also occur when large VOs are deliberately split into smaller ones to remain below higher approval thresholds or to avoid re-bidding.

Internal auditors should assess whether segregation of duties and clear approval hierarchies are in place to prevent or detect such manipulation.