Executive Summary – Testing of delegation of authority and account verification controls in SAP,  June 2015

Executive Summary

On April 1, 2014, Employment and Social Development Canada (the Department) began to use the SAP enterprise management system as the system of record for financial transactions. The Department seized this opportunity to harmonize automated payment transaction processes with the control expectations of the Financial Administration Act (FAA) and the Treasury Board (TB) Directive on Account Verification, which positioned the Department as a leader in automation of the accounts payable process.

This summary presents the results of testing of the automated controls in SAP. It complements and should be read in conjunction with the reports on the audit of the Implementation of Delegation of Authority within SAP and the audit of Account Verification Quality Assurance Processes, presented separately.

What we expected

The first objective of the testing was to assess whether automated controls related to delegated financial authorities within SAP were adequately designed and operating as intended to support the appropriate authorization of financial transactions. Effective controls supporting delegated financial authorities should ensure that incompatible authorities are not exercised on individual transactions and that delegated authorities cannot be exceeded.

The second objective of the testing was to assess whether automated controls related to quality assurance of account verification were adequately designed and operating as intended in support of the Chief Financial Officer Branch (CFOB) risk management strategy, which consists of grouping payments by categories susceptible to various risks and assessing them as either high risk or low risk. The automated controls should ensure that all payment transactions are subject to proper pre-payment or considered for post-payment account verification procedures based on the risk categories and that access to perform key account verification functions is restricted to appropriate individuals based on their job requirements and competencies.

What we observed

The audit team found that payment transactions were appropriately routed for approval by the different automated workflows based on the information on financial signing authorities recorded in the supporting SAP tables. Automated controls supporting account verification operated as intended for most transactions processed during the audit period.

However, the audit found that it was possible to bypass the automated controls in place through the use of specific SAP functions, which allow CFOB users who have been granted access rights to those functions to exercise financial authority without proper delegation. The audit found that access to these functions was not sufficiently restricted to effectively mitigate the risks pertaining to those sensitive roles. In addition, transactions bearing coding attributes that are not typical, or that do not follow a typical workflow, are not subject to the automated account verification process. Furthermore, the exercise of financial authorities for several types of transactions has not been automated.

The audit also found that SAP users involved in the accounts payable process had been granted incompatible access to key functions and that some financial authorities could be exercised on a user’s own expenditures. The audit found that criteria to grant access to those functions had not been formalized and that monitoring of sensitive access rights is not performed.
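The control expectations described under the two objectives above (no incompatible authorities on one transaction, delegated limits not exceeded, risk-based routing to pre- or post-payment verification) and the access findings in this paragraph (incompatible access grants, authority exercised on one's own expenditures) can be modelled as a small set of checks. The code below is an added illustration, not code from the report, the Department or SAP; the delegation table, user names, amounts and risk categories are constructed, and the authority names "certify" and "pay" are placeholders for the financial authorities the summary refers to.

```python
from dataclasses import dataclass, field

# Constructed delegation table (user -> authority -> dollar limit). It stands in
# for the SAP tables of financial signing authorities the summary mentions; the
# users and limits are made up for this example.
DELEGATIONS = {
    "alice": {"certify": 50_000},
    "bob":   {"certify": 10_000, "pay": 100_000},
    "carol": {"pay": 100_000},
}

# Authorities that the same person must not exercise on a single transaction
# (and, at the access level, should not both be granted to one user).
INCOMPATIBLE_PAIRS = [frozenset({"certify", "pay"})]

# Every payment needs both authorities exercised before it can be released.
REQUIRED_AUTHORITIES = {"certify", "pay"}

# Assumed risk categories: the summary only says payments are grouped into
# categories assessed as high or low risk, so these names are placeholders.
HIGH_RISK_CATEGORIES = {"grants", "professional_services"}


@dataclass
class Transaction:
    txn_id: str
    amount: float
    category: str
    payee: str
    # authority -> user who exercised it on this transaction
    approvals: dict = field(default_factory=dict)


def check_delegation(txn, delegations=DELEGATIONS):
    """Return the list of delegation-of-authority violations on one transaction.

    An empty list means the transaction passed every transaction-level control.
    """
    findings = []
    for authority, user in txn.approvals.items():
        limit = delegations.get(user, {}).get(authority)
        if limit is None:
            findings.append(f"{user}: no delegated '{authority}' authority")
        elif txn.amount > limit:
            findings.append(
                f"{user}: '{authority}' limit exceeded ({txn.amount:.2f} > {limit:.2f})"
            )
        if user == txn.payee:
            findings.append(f"{user}: exercised '{authority}' on own expenditure")
    # Incompatible authorities exercised by one person on the same transaction.
    for pair in INCOMPATIBLE_PAIRS:
        users = {txn.approvals.get(a) for a in pair}
        if None not in users and len(users) == 1:
            who = next(iter(users))
            findings.append(
                f"{who}: incompatible authorities {sorted(pair)} on one transaction"
            )
    missing = REQUIRED_AUTHORITIES - txn.approvals.keys()
    if missing:
        findings.append(f"missing authorities: {sorted(missing)}")
    return findings


def check_static_sod(role_grants, incompatible=INCOMPATIBLE_PAIRS):
    """Flag users whose access grants already combine incompatible authorities.

    This is the access-level review the summary says was not being performed:
    it looks at what users *could* do, independent of any transaction.
    """
    return sorted(
        user for user, auths in role_grants.items()
        if any(pair <= set(auths) for pair in incompatible)
    )


def route_for_verification(txn):
    """High-risk categories get pre-payment verification; the rest are
    considered for post-payment sampling."""
    return "pre-payment" if txn.category in HIGH_RISK_CATEGORIES else "post-payment-sample"


if __name__ == "__main__":
    sample = Transaction("T-0002", 60_000, "grants", "alice",
                         {"certify": "alice", "pay": "carol"})
    for line in check_delegation(sample):
        print(sample.txn_id, line)
    print("verification:", route_for_verification(sample))
    print("users with incompatible grants:", check_static_sod(DELEGATIONS))
```

Run as a script it prints the findings for one constructed transaction (limit exceeded and self-approval by "alice"), its verification routing, and the users whose grants combine incompatible authorities. Note that `check_delegation` only sees approvals recorded in the workflow; a transaction that reaches payment through a path outside the workflow, as the summary describes, never passes through it, which is why the static grant review in `check_static_sod` is the complementary control.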

Why it is important

Personnel responsible for certifying payments pursuant to section 33 of the FAA rely primarily on accounts payable controls applied before the payments are made available to them for release. Such controls are presumed to ensure that payments have been approved in accordance with the delegation of authority instruments and subjected to appropriate review based on risk. Therefore, controls that are inadequately designed or not operating as intended limit the extent to which automated controls can be relied on to provide the level of assurance required to exercise payment authority. In a broader perspective, the risks related to the stewardship of payment transactions, in support of the Chief Financial Officer's accountability with respect to the TB Policy on Internal Control, may not be managed adequately through effective internal controls.

Conclusion

In the opinion of the audit team, automated controls have been adequately designed and are operating as intended for most payment transactions. However, limitations were noted, which do not align with the delegation of authority instruments and the CFOB risk management strategy for account verification. Access to key sensitive functions is not sufficiently restricted, reviewed and monitored to ensure such access is granted and used appropriately. Furthermore, control operating effectiveness exceptions were noted, which weaken the system of internal controls over payment transactions.

Recommendations

The Chief Financial Officer should:

  1. Ensure that the automated control design in support of the accounts payable process, including user access management, is adequate and supported by compensating manual controls where limitations were noted.
  2. Ensure that key automated and manual controls, including access controls, in support of the accounts payable process are reviewed and tested periodically to ensure they are operating consistently and as intended.
