Stop fearing audits - Oracle Primavera Collaborate 14
Stop Fearing Audits: Best Practices of PCM Security and Administration
Presented by:
Thea Robinson
Consultant
Pro Management Systems, Inc.
Session ID#: 15477
Pro Management Systems, Inc
■ What is Pro Management Systems?
▪ Started in the late 1980s by Steve Kelly
▪ Focused on customer needs
▪ Has not been a reseller for Primavera or Oracle
▪ Provide consulting first, product second
▪ Hundreds of clients and thousands trained in the use of Primavera products
▪ Creators of CMPlus – the add-on utility for PCM
▪ Customers world-wide
Background
■ Not an Oracle employee, never have been
■ Most of professional career has been in some form of the Finance and Accounting Industry
■ Worked in some form of Consulting for the last 20 years:
▪ Successfully passed Agency audits
▪ Consulted on projects with public funds – subject to audit
▪ Developed Audit plans
▪ Conducted Internal Reviews/Audits
▪ Coached clients on Audit preparations
Questions to the audience:
■ Who is here as a PCM User? Consultant?
■ Who has been party to an outside Audit? By an Owner? By a Stakeholder? By an Agency?
■ Who likes Audits?
Important to Note:
■ An audit is not designed to provide absolute assurance, rather it is designed to reduce the risk of material misstatement whether caused by fraud or error.
■ A misstatement is defined as an error, omitted disclosure or inappropriate policies.
■ It is based on a sampling and not the testing of all transactions.
Like with Software Updates … Auditor inquiries can multiply if there are “bugs” or abnormal findings…
Questions:
■ Who can Audit an Organization? (Aside from the IRS)
▪ Banks
▪ Internal Auditors as deemed necessary by a Board of Directors or Upper Management
▪ Outside Agencies (in the case of a government funded project)
▪ Regulators
▪ Suppliers
■ What is the purpose of an Audit?
▪ Add credibility to the implied assertion by an organization’s management that its controls fairly represent the organization’s performance.
▪ Add value through reducing information risk.
Questions:
■ Who can be Audited?
▪ Organizations with a direct or indirect government contract, including “us” consultants
▪ Organizations with bank loans that are FDIC insured. Bank Auditors may review information out of PCM, and it can include:
— Invoices
— Payment Requisitions
— Dates approved
— Dates payments recorded
▪ Firms interested in merging or being acquired. Internal auditors or a third party auditing firm may review:
— All Internal Controls, including the use of any PCM module
Creating an Audit Plan
■ Why have one? How is this relevant to PCM?
■ Document:
▪ Work-flows – document the PCM modules used
▪ Document controls – how are documents stored in PCM?
▪ Access rights – how are rights determined?
▪ Internal Checks and QA/QC – who is performing these checks?
▪ Processes and procedures – how are these affected by PCM?
■ An Audit plan includes
▪ Audit and compliance review and purpose
▪ Methods
▪ Special Procedures
▪ Frequency of Reviews – “Testing”
▪ Reporting
Use of Templates
■ Create Templates
▪ Users
▪ Projects
■ Document all requests in writing
■ Tracking of users and projects
■ Questions an Auditor may ask:
▪ Provide the request to add project “Route 66 re-paving”
▪ Provide the request to change John Smith’s access to administrator
▪ When was project “Fab 20 Retrofit” closed? Please provide the request to close this project.
Consistency, consistency, consistency
■ Recommend that documented practices be followed consistently and at ALL LEVELS
■ Submittals
▪ Must have review cycles
▪ Must be “approved” before being incorporated into final design
▪ Adhere to 14-day review cycle
■ RFIs
▪ In order to be closed, must have an answer
▪ Must have a dollar value
■ Questions an Auditor may ask:
▪ Provide a report that shows that all submittals were reviewed within the timeframe.
▪ Provide a report with the dollar value of each RFI
There’s always an exception to the Rule
■ Be Proactive and Document ALL deviations
▪ Why? Why was a deviation to a procedure needed?
▪ When? When did it occur?
▪ Who? Who approved it? Who was involved in the decision to deviate?
▪ What? What module was involved? What procedure was changed?
▪ Where? In PCM? In a Spreadsheet?
■ Auditors know there are deviations and may want to know how they are managed and documented
When Auditors Come …
■ Scheduled audits
▪ PCM Review
▪ Document reviews
▪ Prepare staff for Interviews
▪ Request feedback
▪ If corrective action is requested, perform it within the given time frame
■ Unscheduled audits
▪ Remain proactive by maintaining internal controls
▪ Review PCM reports from an auditor’s perspective