stop fearing audits - oracle primavera collaborate 14

Upload: p6academy

Post on 16-Aug-2015

TRANSCRIPT

REMINDER

Check in on the

COLLABORATE mobile app

Stop Fearing Audits: Best Practices of PCM Security and Administration

Presented by:

Thea Robinson

Consultant

Pro Management Systems, Inc.

Session ID#: 15477

Pro Management Systems, Inc

■ What is Pro Management Systems?

▪ Started in the late 1980s by Steve Kelly

▪ Focused on customer needs

▪ Has not been a reseller for Primavera or Oracle

▪ Provide consulting first, product second

▪ Hundreds of clients and thousands trained in the use of Primavera products

▪ Creators of CMPlus – the add-on utility for PCM

▪ Customers world-wide

Background

■ Not an Oracle employee, never have been

■ Most of professional career has been in some form of the Finance and Accounting Industry

■ Worked in some form of Consulting for the last 20 years:

▪ Successfully passed Agency audits

▪ Consulted on projects with public funds – subject to audit

▪ Developed Audit plans

▪ Conducted Internal Reviews/Audits

▪ Coached clients on Audit preparations

Questions to the audience:

■ Who is here as a PCM User? Consultant?

■ Who has been party to an outside Audit? By an Owner? By a Stakeholder? By an Agency?

■ Who likes Audits?

What is an Audit?

Contract Management has NO great way to maintain a proper Audit Trail

Important to Note:

■ An audit is not designed to provide absolute assurance, rather it is designed to reduce the risk of material misstatement whether caused by fraud or error.

■ A misstatement is defined as an error, omitted disclosure or inappropriate policies.

■ It is based on a sampling and not the testing of all transactions.

Like with Software Updates … Auditor inquiries can multiply if there are “bugs” or abnormal findings…

Questions:

■ Who can Audit an Organization? (Aside from the IRS)

▪ Banks

▪ Internal Auditors as deemed necessary by a Board of Directors or Upper Management

▪ Outside Agencies (in the case of a government funded project)

▪ Regulators

▪ Suppliers

■ What is the purpose of an Audit?

▪ Add credibility to the implied assertion by an organization’s management that its controls fairly represent the organization’s performance.

▪ Add value through reducing information risk.

Questions:

■ Who can be Audited?

▪ Organizations with a direct or indirect government contract, including “us” consultants

▪ Organizations with bank loans that are FDIC insured. Bank Auditors may review information out of PCM, and it can include:

— Invoices

— Payment Requisitions

— Dates approved

— Dates payments recorded

▪ Firms interested in merging or being acquired. Internal auditors or a third party auditing firm may review:

— All Internal Controls, including the use of any PCM module

Creating an Audit Plan

■ Why have one? How is this relevant to PCM?

■ Document:

▪ Work-flows – document the PCM modules used

▪ Document controls – how are documents stored in PCM?

▪ Access rights – how are rights determined?

▪ Internal Checks and QA/QC – who is performing these checks?

▪ Processes and procedures – how are these affected by PCM?

■ An Audit plan includes

▪ Audit and compliance review and purpose

▪ Methods

▪ Special Procedures

▪ Frequency of Reviews – “Testing”

▪ Reporting

Use of Templates

■ Create Templates

▪ Users

▪ Projects

■ Document all requests in writing

■ Tracking of users and projects

■ Questions an Auditor may ask:

▪ Provide the request to add project “Route 66 re-paving”

▪ Provide the request to change John Smith’s access to administrator

▪ When was project “Fab 20 Retrofit” closed? Please provide the request to close this project.

Consistency, consistency, consistency

■ Recommend that documented practices be followed consistently and at ALL LEVELS

■ Submittals

▪ Must have review cycles

▪ Must be “approved” before being incorporated into final design

▪ Adhere to a 14-day review cycle

■ RFIs

▪ In order to be closed, must have an answer

▪ Must have a dollar value

■ Questions an Auditor may ask:

▪ Provide a report that shows that all submittals were reviewed within the timeframe.

▪ Provide a report with the dollar value of each RFI

There’s always an exception to the Rule

■ Be Proactive and Document ALL deviations

▪ Why? Why was a deviation to a procedure needed?

▪ When? When did it occur?

▪ Who? Who approved it? Who was involved in the decision to deviate?

▪ What? What module was involved? What procedure was changed?

▪ Where? In PCM? In a Spreadsheet?

■ Auditors know there are deviations and may want to know how they are managed and documented

When Auditors Come …

■ Scheduled audits

▪ PCM Review

▪ Document reviews

▪ Prepare staff for Interviews

▪ Request feedback

▪ If corrective action is requested, perform it by the given timeframe

■ Unscheduled audits

▪ Remain proactive by maintaining internal controls

▪ Review PCM reports from an auditor’s perspective

Questions?

Please complete the session evaluation

We appreciate your feedback and insight

■ SESSION ID# 15477

■ Thea Robinson, [email protected]

■ You may complete the session evaluation either on paper or online via the mobile app