Internal Audit Report. Post-Implementation Review PeopleSoft - Purchasing TxDOT Internal Audit Division

Internal Audit Report Post-Implementation Review PeopleSoft - Purchasing TxDOT Internal Audit Division

Objective To determine if the Oracle PeopleSoft ( PeopleSoft ) Purchasing (Financials and Supply Chain Management) module is providing for effective and efficient business operations. Opinion Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to impacting reporting reliability, operational execution, and compliance. The organization's system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Significant improvements are required to correct control gaps and mitigate residual risk that may result in potentially significant negative impacts to the organization including the achievement of the organization's business/control objectives. Overall Engagement Assessment Needs Improvement Title Findings Control Design Operating Effectiveness Rating Finding 1 PeopleSoft Requisitions x x Unsatisfactory Finding 2 Access Roles x x Needs Improvement Finding 3 Data Reporting x Needs Improvement Management concurs with the above findings and prepared management action plans to address deficiencies. Control Environment When TxDOT implemented the PeopleSoft Purchasing module, customized automations that would have driven more purchasing efficiencies were not implemented. In addition, the division continues to rely on numerous manual inputs to help ensure that they are entering all needed and accurate information into the system. Although steps were taken to ensure the manual inputs were complete and accurate, they did not always work. As a result, the PeopleSoft implementation did not drive the efficiencies the procurement process was looking to achieve and subsequently increased the amount of time to purchase items. The Purchasing module is supported by TxDOT employees, as well as, a third party vendor. The third party vendor supporting the PeopleSoft application software is also responsible for correcting module issues and has been developing query reports for TxDOT users; TxDOT system administrators for the module approve and review changes completed by the third party. June 2016 2

Summary Results Finding Scope Area Evidence Data reliability and defined user roles were evaluated in the Procurement module to assess their effectiveness and impact on the procurement process. Goods and services that required an approval and were purchased from October 2014 to January 2016 were evaluated and the following was noted: Modifications to requisitions after Purchase Order (PO) issuance 991 POs had a requisition approval date after the PO date. There was no inappropriate activity identified. 1 Data Reliability User Roles Self-approved Requisitions 441 requisitions totaling $2.7 million were selfapproved. Although detailed testing was not performed to test specifically for fraud, a cursory review did not indicate any reason to believe inappropriate activity occurred. This information was referred to the Compliance Division for further review. Requisitions processed to POs without approvals 3,086 non-inventory requisitions were processed without requisition approvals in the system. Although detailed testing was not performed to test specifically for fraud, a cursory review did not indicate any reason to believe inappropriate activity occurred. This information was referred to the Compliance Division for further review. Users that had purchasing roles (e.g. request, approve, purchase, receive) from September 24, 2014 to January 4, 2016 were evaluated and the following was noted: 2 User Roles Incompatible Roles 120 of 3,154 (4%) employees were identified with ability to request and approve purchase orders. o 3 of the 120 employees executed both roles on three different requisitions for a total of $46,787 of goods and services being approved. Non-Procurement Employee Purchasers 5 non-procurement employees were granted incorrect system permissions and executed 31 purchase releases. June 2016 3

Unused Roles 12 of 15 (80%) employees sampled with incompatible roles (e.g. user had more than one of the following roles: requester, approver, purchaser) did not use at least one assigned role in over a year. o 9 of the 12 were non-procurement employees Queries (i.e., Performance Dashboard and Purchase Order report) written from the Procurement module had missing and/or inaccurate information and contributed to incorrect output: Structured Query Language (SQL) Logic Query script did not account for requisition approvals that were not required and data tables were joined incorrectly for Purchase Order Audit Report. Query script did not account for data anomalies (e.g., after-fact purchases, blank fields, approvals after PO issuance) when calculating the requisition approval date for Performance Dashboard Report that is used by management to monitor the timeliness of the procurement process. 3 Data Reliability Efficiency of Process As a result of these SQL errors, the following reporting issues occurred: Voucher Amounts Purchase Order Audit Report, which is used to report all purchasing transactions from requisition to receipt, showed 34,865 instances where voucher amounts exceeded PO authorization. Auditors selected 10 largest POs to review in the system and noted all 10 did not exceed voucher information in the system. Approval Information Purchase Order Audit Report contained 15,093 requisitions where the requester was the same as the approver. Auditors sampled 10 items to review in the system and noted the following: 2 showed the requisition approver was someone different than noted in the report. 6 showed the requisition approval not being needed in the PeopleSoft system. 2 showed self-approval of the requisition in PeopleSoft. Audit Scope The scope of the audit work focused on activities in the PeopleSoft system during the Procurement process, including the requisition, approval, purchasing, and receiving of goods June 2016 4

and services since implementation (October 2014) through March 2016. These activities were reviewed to assess the PeopleSoft system functionality, efficiency of the procurement process, and evaluation of reporting and monitoring functions. Payment cards and inventory purchases were not reviewed. Further, purchasing roles (e.g., requester, approver, purchaser, and receiver) in the purchasing module were evaluated for appropriate segregation of duty. The roles were reviewed as of October 2015. The audit was performed by Jessica Esqueda, Monica Washington, Christopher Williams, and Karen Henry (Engagement Lead). The audit was conducted during the period from December 14, 2015 to March 15, 2016. Methodology The methodology used to complete the objectives of this audit included: Reviewed TxDOT internal documents, including procurement policy and procedure manuals, organization charts, process maps, and management reports Reviewed state codes and manuals, including State of Texas Procurement manual, Texas Government Code, and Texas Administrative Code sections for purchase rules Reviewed prior audit reports from TxDOT s Internal Audit Division and Texas State Auditor s Office Evaluated control design and operating effectiveness of the procurement system Sample tested purchase order (PO) data (e.g. dates, amounts, purchase types) converted from the Automated Purchasing System (APS) to PeopleSoft Reviewed the Financials and Supply Chain Management (FSCM) functional roles and responsibilities for purchasing (e.g., requester, approver, purchaser, and receiver), which was used as the criteria for access security policy Reviewed employees assigned FSCM purchasing roles, to validate access was in accordance with security policy and best practice Interviewed key stakeholders, including staff and management, from Information Management Division (IMD) Enterprise Resource Planning Section, Contracts and Purchasing Division (formerly Procurement Division), and contracted third party vendor for PeopleSoft implementation and maintenance support Through data analysis and sampling in production environment: o Tested for instances where requisitions were approved after purchase order issuance o Tested for instances where requisitions had same requester and approver o Tested for instances of missing required information Reviewed Structured Query Language (SQL) logic for two reports utilized by Contracts and Purchasing Division (formerly Procurement Division) Reviewed communication and management philosophy of overall organizational tone Performed risk assessment of requisition and purchasing functions within PeopleSoft These procedures were applied as necessary to perform the audit fieldwork. June 2016 5

Background This report is prepared for the Texas Transportation Commission and for the Administration and Management of TxDOT. The report presents the results of the Post-Implementation Review PeopleSoft - Purchasing audit, which was conducted as part of the Fiscal Year 2016 Audit Plan. TxDOT implemented a new Oracle PeopleSoft system in October 2014. PeopleSoft is an integrated suite of software, which provides a common technology platform across core business areas of human resources, finance, supply chain, and payroll. The TxDOT PeopleSoft system replaced over 20 mainframe and legacy systems in Finance, Human Resources, and General Services. The new PeopleSoft consists of three main applications: Financials and Supply Chain Management (FSCM), Enterprise Learning Management (ELM), and Human Capital Management (HCM). The FSCM application includes procurement, contracts and purchasing, as well as general finance functions (e.g. accounts payable, asset management, billing, general ledger, inventory, and project costing). The purchasing functions in the FSCM module were reviewed for this audit. In the FSCM module, purchase orders are generated to procure goods and services. For a purchase order to be complete, it must include the type of purchase, the cost, quantity, who is requesting it, and who is approving it. This information allows the purchaser to buy the item. Only employees in the Contracts and Purchasing Division are authorized to purchase items on behalf of TxDOT. To implement PeopleSoft, TxDOT had a designated team consisting of TxDOT employees and third party vendors. TxDOT also established an Executive Steering Committee and a separate Enterprise Resource Planning Section dedicated to managing the PeopleSoft implementation. In addition, TxDOT employees from key program areas, also known as subject matter experts (SMEs), were used to help identify gaps in the legacy systems and identify areas of improvement. Third party vendors were used as the PeopleSoft System Integrators and to provide program quality management and oversight. Third party vendors within the designated team were responsible for coding the system, conducting gap analysis, testing the functionality of the code, ensuring the system functions worked properly, and giving proper access levels and roles to employees. Implementation problems or issues are communicated and addressed through TxDOT s information management ticket system, TxDOTNow. These tickets are to be addressed by a third party vendor or the Information Management Division (IMD) ERP Section. The primary vendor used to design and implement PeopleSoft was retained to provide ongoing maintenance support. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. The Internal Audit Division uses the June 2016 6

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version 2013. A defined set of control objectives was utilized to focus on reporting, operational, and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance, particularly in areas not included in the scope of this audit. June 2016 7

Detailed Findings and Management Action Plans (MAP) Finding No. 1: PeopleSoft Requisitions Condition The PeopleSoft Financials and Supply Chain Management (FSCM) module allowed employees to modify requisitions after purchase orders (PO) had been issued. In addition, necessary information related to the item code to identify the good or service was missing from processed requisitions. The FSCM module also allowed non-inventory requisitions to be approved by the same employee submitting the requisition and allowed non-inventory requisitions to be processed without the required approval. Effect/Potential Impact Requisition modifications made after PO issuance or requisitions having missing information may lead to delayed or improper procurement methods or approvals. Improper access controls within the purchasing function can increase the susceptibility to fraudulent or inappropriate actions. Criteria The TxDOT Requirements Traceability Matrix (e.g., PeopleSoft system design and configuration) states that the system should not have the ability to change a requisition once a PO has been issued. The Matrix further discusses that requisitions should not be self-approved if the requester is also an approver. Further, the TxDOT Purchasing Manual Chapter 1 requires separation of duties between employees authorized to request and approve purchases. The National Institute of Government Purchasing (NIGP) Commodity/Services Code is a coding structure for standardizing purchasing that brings order and consistency for efficiency and economy. Agencies use the - item code numbering and descriptions found to properly code products or services on requisitions and purchases so informal and formal invitations for bid will reach vendors that have indicated they are capable of furnishing the required materials, equipment, supplies, and services. It is also important to both agencies and potential bidders that bidder class-item selections are correct. Cause No preventive or detective control exists that requires requisitions to be identified and reviewed independently if same person was the requester and approver prior to PO issuance. Additionally, no monitoring existed to ensure all necessary requisition fields were completed, including the correct item code. An issue exists in the system that allows for some requisitions to be self-approved or not require an approval. June 2016 8

It was also understood that NIGP/Item Identification (ID) Codes were left blank due to requesters selecting inactive or unavailable items from the FSCM module. Evidence Goods and services that required an approval and were purchased from October 2014 to January 2016 were reviewed and the following was noted: System allowed requisitions to be modified after PO issued: 991 POs totaling $10.7 million had requisition approval date after the PO date. Although 99% of these were due to requisition or purchase order line cancellations causing re-routing of the approval workflow, an issue still remains in the system that allows them to occur. There was no inappropriate activity identified. System allowed requisitions to be self-approved by the requester: 441 requisitions were self-approved by 241 employees. These requisitions totaled $2.7 million. Although detailed testing was not performed to test specifically for fraud, a cursory review performed did not indicate any reason to believe inappropriate activity occurred. This information was referred to the Compliance Division for further review. System allowed requisitions without approvals: 3,086 non-inventory items did not have requisition approvals in the system. Although 95% of these were due to requisition cancellations causing re-routing of the approval workflow, an issue still remains in the system that allows them to occur. Although detailed testing was not performed to test specifically for fraud, a cursory review performed did not indicate any reason to believe inappropriate activity occurred. This information was referred to the Compliance Division for further review. National Institute of Government Purchasing (NIGP)/Item Identification (ID) Codes The Purchase Order Audit report provided showed 72 instances where an NIGP/Item ID code was missing. These codes are required for processing purchases. Auditors judgmentally selected 10 of the POs to determine whether a code was entered into the system. All 10 POs reviewed that did not have an NIGP/Item ID Code in the report received also did not have a code assigned in PeopleSoft Management Action Plans (MAP): MAP Owner: Teri Augustine, Project Manager, Information Management Division - Enterprise Resource Planning Section MAP 1.1: Information Management Division will create tickets requesting TxDOT s third party contracted support team to remedy the issue related to the system allowing requisitions to be modified after Purchase Order issuance (Note: as of March 31, 2016, this has been done and the updated process is being tested by the business area). June 2016 9

Information Management Division will create tickets for analysis of all requisitions without approvals and take corrective action. In addition, the Enterprise Resource Planning system will analyze the contract specialist role to ensure the appropriateness of its function and permissions are correct within non-601ct business units. Once a solution is determined for bullets 1 and 2 above, including the level of effort and a completion date, Information Management Division will submit an update to the Internal Audit Division indicating whether the identified, August 15, 2016, management action plan completion date is feasible. Email notification will be provided to support completion of this portion of the management action plan. Information Management Division will implement a new process and reporting cycle to monitor the TxDOT Now system for tickets relating to this issue and will collaborate with Contracts and Purchasing Division to resolve them within 45 days. A process document and example report will be provided to support completion of this portion of the management action plan. August 15, 2016 MAP Owner: Dee Dee Evans, Purchase Order Module Systems Administrator, Contracts and Purchasing Division MAP 1.2: Contracts and Purchasing Division will test the patch that will address the issue related to the system allowing requisition to be modified after Purchase Order issuance in the testing environment prior to being applied to the production environment. Testing documentation will be retained and provided to support completion of all new patch testing performed. August 15, 2016 MAP 1.3: Contracts and Purchasing Division (CPD) will perform 3 monthly reviews after patches are applied to determine that there are no instances of Purchase Orders being issued after requisition lines are modified. In addition, CPD will develop procedures to require data monitoring on an annual basis. December 15, 2016 June 2016 10

MAP 1.4: National Institute of Government Purchasing (NIGP)/Item Identification (ID) codes are blank due to requester selecting inactive/unavailable items. Contracts and Purchasing Division will add the word inactive to the item description in the system to provide a visual for the end users who are requesting the inactive items as well as the purchaser who is processing them. This will help prevent staff selecting inactive codes. Documentation of the testing will be documented. Contracts and Purchasing Division will develop procedures to continue to monitor the Purchase Orders (POs) being created with no Item IDs and create tickets to have a Structured Query Language (SQL) update ran to update the POs with the applicable Item Identification (ID) Codes. The procedures will call for monitoring to be performed by running reports and filtering for blank Item IDs and to be performed annually. December 15, 2016 June 2016 11

Finding No. 2: Access Roles Condition Access controls do not provide proper segregation of duties for requesting, approving, purchasing, and receiving goods and services. In addition, access controls do not ensure that only authorized Contracts and Purchasing Division employees can execute purchases in PeopleSoft s Financials and Supply Chain Management (FSCM) module. There were 12 employees identified with assigned purchasing roles that were determined to be unnecessary as those roles were not used in over a year. Additionally, three system administrator roles (i.e. super user access) were identified where their actions and edits were not monitored as a detective control. Effect/Potential Impact Improper and unnecessary access controls within the purchasing system can lead to increased susceptibility to fraud or inappropriate actions. Criteria TxDOT Functional Roles and Descriptions document does not permit any individual to have both a requester and an approver role. The TxDOT Purchasing Manual Chapter 1 also requires adequate segregation of duties between employees authorized to request, approve a purchase, receive, and initiate payments. The Purchasing Manual further defines that a purchaser can only be an employee from a procurement function. In addition, the National Institute of Standards and Technology (NIST) suggest users should only be granted access for the resources they need to perform their official functions and that audit trails should be reviewed periodically to changes made to the system. Cause Access to the procurement roles and user permissions are provided by the Information Management Division (IMD) through a manual process. Once roles are granted, there is no ongoing review of assigned roles by those in the Contracts and Purchasing Division to determine appropriateness. In addition, there has not been an established timeframe for when users should be removed after a specified period of non-usage. Finally, detective controls have not been established to properly monitor activity by system administrator roles that have far reaching access to procurement transactions. Evidence Auditors obtained user access information for purchasing roles (e.g., requester, approver, purchaser, or receiver) and Procurement module system administrator role and identified the following: Requester and Approval Role 120 of 3,154 (4%) employees had an approval and requester role o 3 of 120 (3%) employees executed requisitions of $46,787 of goods and services that they also approved June 2016 12

3 of 3,154 (1%) had requester, approval, purchaser, and receiver roles. The same employees also had the system administrator role (i.e. super user) that also provides them the ability to access and edit purchasing transactions without any independent review being performed. Further assessment could not be performed due to no system administrator activity logs and reports providing incorrect outputs. Unused Incompatible Roles 12 of 15 (80%) employees sampled with incompatible roles (e.g. user had more than one of the following roles: requester, approver, purchaser) did not use at least one assigned role in over a year o 9 of the 12 were non-procurement employees Non-Procurement Employee Purchasers 5 non-procurement employees, who had purchasing roles from September 24, 2014 to January 4, 2016, were granted incorrect system permissions and executed 31 purchase order releases for goods and services. Management Action Plan (MAP): MAP Owner: Teri Augustine, Project Manager, Information Management Division Enterprise Resource Planning Section MAP 2.1: Roles and permissions due to change in position were removed when the PeopleSoft Employee Transfer Security Process was fully implemented on March 15, 2016. The PeopleSoft Employee Transfer Security Process requires TxDOT s third party contracted support team to create daily reports to be submitted to Information Management Division (IMD) for internally transferred employees. Upon receipt of the daily report, IMD will clear the employees user profiles and re-establish basic new hire permissions. The employee s new manager will be required to submit requests for all required new roles. This new process went into effect in March 2016. July 15, 2016 MAP 2.2: The 120 employees identified with incompatible roles and the 5 employees with incorrect permissions were corrected. Role review by Contracts and Purchasing Division and subsequent removal by Information Management Division PeopleSoft Security began in March 2016 with the implementation of the Oracle PeopleSoft Security Audit Process. July 15, 2016 June 2016 13

MAP 2.3: Information Management Division will work with Contracts and Purchasing Division to update role description and constraint language used by users and the Security Team in determining and provisioning roles for non-procurement employees that obtain Procurement roles. Updated constraints will be used by the security team and will be available on SharePoint. The modified role description and constraint language was fully implemented on March 15, 2016. July 15, 2016 MAP 2.4: Segregation of duties responsibilities are accomplished manually through the Oracle PeopleSoft Annual Manager Access Approval process, for all Enterprise Resource Planning modules. A request for funding for purchase and implementation of an automation software process will be developed in September 2016. September 15, 2016 MAP Owner: Dee Dee Evans, Purchase Order Module Systems Administrator, Contracts and Purchasing Division MAP 2.5: CPD will develop procedures to address the situation when CPD purchasing buyers leave TxDOT or CPD Division. The procedures will call for a PeopleSoft role ticket to be created to request the removal of the no longer applicable PO module roles. CPD will add constraints to the security access criteria for the PO module update roles to be removed if not utilized in the system for over 6 months. CPD will develop procedures to obtain a report from IMD security annually showing any employee with procurement roles not using the roles in over 6 months. The procedures will call for any exceptions (e.g. users not using roles in over 6 months) to be routed to IMD for corrective action. July 15, 2016 MAP 2.6: Contracts and Purchasing Division (CPD) will develop procedures to acquire system activity logs from Information Management Division for CPD staff with system administrator roles and monitor for unusual activity on a semi-annual basis. The review will include looking for transactions/roles performed by the individuals (requester, approver, buyer, vendor changes, payment functions) and documenting exceptions outside the defined user roles for the activities performed. July 15, 2016 June 2016 14

Finding No. 3: Data Reporting Condition The Purchase Order Audit Report and the Purchase Order Mean and Median Average Processing Time Report from the Procurement module had missing and erroneous information which caused validity issues related to internal metrics and monitoring. Examples of missing and erroneous information noted in the report included the following: incorrect voucher amounts, missing Purchase Order (PO) numbers, and incorrect approver information. Effect/Potential Impact Inaccurate reporting can hinder the TxDOT s ability to monitor the procurement process to ensure it is working as intended. Inaccurate reporting can also provide false assurance and/or result in unnecessary activities being performed to address perceived issues. Further, timeliness reports were found to overstate how long it was taking to procure goods and services which could impact the ability to properly identify inefficient processes. Criteria Control Objectives for Information and Related Technology (COBIT) suggests that organizations ensure that reporting is complete, timely, and accurate to provide program owners the necessary information to monitor and review program objectives and goals to assure program success. Cause Structured Query Language (SQL) logic to obtain information from the database did not accurately reflect the current TxDOT Procurement Process (e.g., after-fact purchases, blank fields, approval information). SQL logic presented also allowed for incorrect PO amounts to appear due to the receipt/voucher distribution. Evidence Review of the Purchase Order Audit and the Purchase Order Mean and Median Average Processing Time Reports showed the following: SQL Logic Query script did not account for items that did not require requisition approvals (per TxDOT policy) and data tables were joined incorrectly for Purchase Order Audit Report. The Purchase Order Mean and Median Average Processing Time Report scripts did not account for data anomalies (e.g., after-fact purchases, blank fields, approvals after PO issuance) when calculating the requisition approval date for Performance Dashboard Report that is used by management to monitor the timeliness of the procurement process. Auditors performed further assessment to determine the root cause of missing or incorrect data for the Purchase Order Audit Report and the Performance Dashboard Report and identified the following: June 2016 15

Voucher Amounts The Purchase Order Audit Report, which is used to report all purchasing transactions from requisition to receipt, received by auditors showed 34,865 instances where voucher amounts exceeded PO authorization. Auditors judgmentally selected 10 largest POs issued from October 2014 to September 2016 to review in the system: It was determined the 10 POs sampled did not exceed voucher information in the system. PO Numbering Gaps The Purchase Order Audit Report received by auditors contained 1,623 gaps in the PO numbering convention. Auditors randomly selected 11 PO number gaps to further assess their existence. Auditors were able to locate PO data for 9 of the identified missing PO numbers from the report within the PeopleSoft application. The other 2 POs did not exist in PeopleSoft and therefore were accurately reflected as gaps in sequence. These 2 POS were missing due to reasonable system issues. Approval Information The Purchase Order Audit Report received by auditors contained 15,093 requisitions where the requester was the same as the approver. Auditors randomly selected requisition line items from 10 requisitions to verify the data from the report and noted the following: 2 showed the requisition approver was someone different than noted in the report. This was identified as a SQL issue. 6 showed the requisition approval not being needed in the PeopleSoft system. This erroneous notation was identified as a system issue in Finding No. 1 and also identified as a SQL issue. 2 showed self-approval of the requisition in PeopleSoft. This was identified as a system issue in Finding No. 1. Management Action Plan (MAP): MAP Owner: Dee Dee Evans, Purchase Order Module Systems Administrator, Contracts and Purchasing Division MAP 3.1: Contracts and Purchasing Division (CPD) will create TxDOT Now tickets to request logic changes to be made to the Purchase Order (PO) Audit Report and the PO Mean and Median Average Processing time reports to ensure Structured Query Language (SQL) logic is corrected and anomalies identified in the finding no longer exist. CPD will continue to test and validate reports by reviewing for blank fields, same employee ID within both requester and approver fields, voucher amounts exceeding PO authorization, and approval dates occurring after PO issuance dates. CPD will perform 3 monthly reviews after SQL logic is corrected and the data will also be reviewed on an annual basis to monitor exceptions. December 15, 2016 June 2016 16

MAP 3.2: Contracts and Purchasing Division (CPD) will develop procedures to utilize the Purchase Order Audit Report, once report logic has been updated, to identify and correct the following on a quarterly basis: Any requisitions that needed approval but were not obtained Requisitions being approved by same person as requester, and Purchase Order dates prior to requisition approval dates. The CPD procedure will require a query from Information Management Division (IMD) to show any gaps in requisition ID numbers and if any of those skipped requisition numbers result in a PO being associated with them. December 15, 2016 MAP Owner: Teri Augustine, Project Manager, Information Management Division Enterprise Resource Planning Section MAP 3.3: Information Management Division will provide the Contracts and Purchasing Division with assistance on the Structured Query Language (SQL) for the Purchase Order Audit and Performance Dashboard Reports as needed. IMD will perform the following steps: Hire a SQL writer The SQL writer will review the Purchase Order Audit report and Performance Dashboard for modifications Problem solve the issues and create a solution Perform testing on the solution Implement the solution December 15, 2016 June 2016 17

Summary Results Based on Enterprise Risk Management Framework Closing Comments The results of this audit were discussed with the Director of Contracts and Purchasing Division, Purchasing Section Director, Interim Director of Information Management Division, and Management Action Plan Owners on May 16, 2016. We appreciate the assistance and cooperation received from the Contracts and Purchasing Division, Information Management Division (IMD), Enterprise Resource Planning Section of IMD, Human Resources Division, and Financial Management Division contacted during this audit. June 2016 18