This document summarizes a presentation about best practices for PCM security and administration to prepare for audits. It discusses what an audit is and who can conduct them. It emphasizes the importance of maintaining proper audit trails in PCM, creating audit plans that document workflows, access rights, and internal checks. The presentation recommends using templates, consistency in practices, and documenting all deviations from procedures to be prepared for auditors' questions. Maintaining strong internal controls and reviewing PCM reports with an auditor's perspective can help organizations remain proactive.

1. REMINDER
Check in on the
COLLABORATE mobile app
Stop Fearing Audits: Best
Practices of PCM Security and
Administration
Presented by:
Thea Robinson
Consultant
Pro Management Systems, Inc.
Session ID#: 15477

2. Pro Management Systems, Inc
■ What is Pro Management Systems?
▪ Started in late 1980’s by Steve Kelly
▪ Focused on customer needs
▪ Not been reseller for Primavera or Oracle
▪ Provide consulting first, product second
▪ 100’s of clients and thousands trained in the use of Primavera
products
▪ Creators of CMPlus – the add on utility for PCM
▪ Customers world-wide

3. Background
■ Not an Oracle employee, never have been
■ Most of professional career has been in some form of the
Finance and Accounting Industry
■ Worked in some form of Consulting for the last 20 years:
▪ Successfully passed Agency audits
▪ Consulted on projects with public funds – subject to audit
▪ Developed Audit plans
▪ Conducted Internal Reviews/Audits
▪ Coached clients on Audit preparations

4. Questions to the audience:
■ Who is here as a PCM User? Consultant?
■ Who has been party to an outside Audit? By an Owner?
By a Stakeholder? By an Agency?
■ Who likes Audits?

5. What is an Audit?

7. Contract Management has
NO great way to maintain a
proper Audit Trail

8. Important to Note:
■ An audit is not designed to provide absolute assurance,
rather it is designed to reduce the risk of material
misstatement whether caused by fraud or error.
■ A misstatement is defined as an error, omitted disclosure or
inappropriate policies.
■ It is based on a sampling and not the testing of all
transactions.

9. Like with Software Updates …
Auditor inquiries can multiply if there are
“bugs” or abnormal findings…

10. Questions:
■ Who can Audit an Organization? (Aside from the IRS)
▪ Banks
▪ Internal Auditors as deemed necessary by a Board of Directors
or Upper Management
▪ Outside Agencies (in the case of a government funded project)
▪ Regulators
▪ Suppliers
■ What is the purpose of an Audit?
▪ Add credibility to the implied assertion by an organization’s
management that it’s controls fairly represent the organization’s
performance.
▪ Add value through reducing information risk.

11. Questions:
■ Who can be Audited?
▪ Organizations with a direct or in-direct government contract,
including “us” consultants
▪ Organizations with bank loans that are FDIC insured. Bank
Auditors may review information out of PCM, and it can include:
— Invoices
— Payment Requisitions
— Dates approved
— Dates payments recorded
▪ Firms interested in merging or being acquired. Internal auditors
or a third party auditing firm may review:
— All Internal Controls, including the use of any PCM module

12. Creating an Audit Plan
■ Why have one? How is this relevant to PCM?
■ Document:
▪ Work-flows – document the PCM modules used
▪ Document controls – how are documents stored in PCM?
▪ Access rights – how are rights determined?
▪ Internal Checks and QA/QC – who is performing these checks?
▪ Processes and procedures – how are these affected by PCM?
■ An Audit plan includes
▪ Audit and compliance review and purpose
▪ Methods
▪ Special Procedures
▪ Frequency of Reviews – “Testing"
▪ Reporting

13. Use of Templates
■ Create Templates
▪ Users
▪ Projects
■ Document all requests in writing
■ Tracking of users and projects
■ Questions an Auditor may ask:
▪ Provide the request to add project “Route 66 re-paving”
▪ Provide the request to change John Smith’s access to
administrator
▪ When was project “Fab 20 Retrofit” closed? Please provide the
request to close this project.

14. Consistency, consistency, consistency
■ Recommend that documented practices be followed
consistently and at ALL LEVELS
■ Submittals
▪ Must have review cycles
▪ Must be “approved” before being incorporated into final design
▪ Adhere to 14 day review cycle
■ RFIs
▪ In order to be closed, must have an answer
▪ Must have a dollar value
■ Questions an Auditor may ask:
▪ Provide a report that shows that all submittals reviewed within
timeframe.
▪ Provide a report with the dollar value of each RFI

15. There’s always an exception to the Rule
■ Be Proactive and Document ALL
deviations
▪ Why? Why was a deviation to a
procedure needed?
▪ When? When did it occur?
▪ Who? Who approved it? Who was
involved in the decision to deviate?
▪ What? What module was involved?
What procedure was changed?
▪ Where? In PCM? In a Spreadsheet?
■ Auditors know there are deviations
and may want to know how they are
managed and documented

16. When Auditors Come …
■ Scheduled audits
▪ PCM Review
▪ Document reviews
▪ Prepare staff for Interviews
▪ Request feedback
▪ If corrective action is requested,
perform by given time-frame
■ Unscheduled audits
▪ Remain proactive by maintaining
internal controls
▪ Review PCM reports with an
auditor perspective

17. Questions?

18. Please complete the session
evaluation
We appreciate your feedback and insight
■ SESSION ID# 15477
■ Thea Robinson, thear@promanagementsystems.com
■ You may complete the session evaluation either on
paper or online via the mobile app