Project Kickoff Checklist

Pull the executed SOW from the engagement folder and confirm both signatures, the effective date, and any change-order language. If the SOW sits under a Master Services Agreement, verify the MSA is current — expired MSAs are a common reason finance refuses to open the engagement code.

Screen the staffed team and the engagement scope against active and recent client relationships, named board seats, and personal investments. The screen must clear before any consultant is granted client-system access — late COI checks are a top reason engagements unwind painfully. For audit-adjacent advisory, run the independence check against the AICPA / PCAOB criteria as well.

Document the specific conflict, the consultants affected, and the proposed mitigation (re-staffing, ethical wall, declination). The engagement partner signs the COI memo before mobilization continues; do not start the staffing plan until the memo is on file.

Determine whether the engagement inherits regulated-industry obligations from the client. Common triggers: HIPAA (any PHI access), GDPR (EU data subjects), GLBA (financial services), FedRAMP / CMMC (federal contractor), SEC/FINRA (broker-dealer or RIA client). Capture which addendum is required so the right contracts vehicle gets executed before access is granted.

Confirm the regulatory addendum is signed by both parties and filed in the engagement archive before any consultant touches client data. HIPAA engagements need a BAA; EU-data engagements need a DPA with the right standard contractual clauses; cleared work needs the DD-254 or equivalent. No addendum, no access — even if the client says it's fine.

Open the engagement in the time-tracking system (Harvest, BigTime, Replicon) and set the project codes per workstream. Activate codes the day the SOW is signed, not at kickoff — discovery and mobilization hours are billable on T&M and need to land on the right code from day one.

Each consultant on the engagement is on a firm-issued, encrypted device with MFA enrolled in Okta or Entra ID before client-system access is granted. Subcontractors get guest accounts with scoped access — never full firm SSO. A signed NDA does not protect the firm if data ends up on a personal laptop.

Walk the engagement team through the SOW, the client's stated objectives, the politics around the sponsor, and the must-not-do list. Cover the client-data handling protocol explicitly: where data may live (firm laptop, client VDI), how it travels (firm email, encrypted transfer — never personal Gmail or Dropbox), and retention at engagement end.

Identify the executive sponsor, day-to-day client contact, steering committee members, and any change champions or known blockers. Map decision rights (RACI) for each major deliverable so escalation paths are explicit before the first status call.

Seed the Risks / Assumptions / Issues / Dependencies log with what's already known: data-access dependencies, key SME availability, parallel client initiatives that could conflict, scope ambiguities. The RAID log is the artifact you'll point to when scope creep starts; populate it before kickoff so day-one risks are on the record.

Read out what's in scope, what's explicitly excluded, and how change orders work (who signs, what the rate is, what the lead time is). Surfacing the change-order process at kickoff — not the first time scope creep happens — sets the precedent that out-of-scope asks get a written change order, not a quiet 'sure, we'll fit it in.'

Confirm each milestone date, the deliverable that gates it, and the acceptance criteria the client will apply. Vague acceptance criteria ("client is satisfied") are how engagements end with re-work disputes — push for specific, testable criteria for every billable milestone.

Set the standing weekly status (day, time, attendees, format) and the steering committee cadence (typically every 2–4 weeks). Confirm the status report template — RAG status, milestones, RAID log delta, decisions needed — so the first weekly isn't spent debating format.

Name who decides what on the client side: the day-to-day contact, the executive sponsor, and the steering committee. Confirm response-time expectations for each tier so the engagement manager knows when to escalate past the day-to-day contact without breaking trust.

Send the kickoff deck plus a written recap (decisions made, action items with owners and dates, open questions) within 24 hours. Same-day-following is the practical standard; longer lags signal poor engagement hygiene to the client sponsor.

Place the executed SOW, MSA, COI memo, regulatory addendum, and kickoff readout in the engagement folder structure. This becomes the audit trail for billing disputes, scope arguments, and any later closeout reference — populate it now while everything is at hand.

Put the weekly client status, the internal team check-in, the steering committee, and the mid-engagement quality review on calendars now. The mid-engagement QA — a structured pause to review the deliverable trajectory before it's too late to course-correct — is the one most often skipped and most often regretted.