ARCHIVED - Management Response and Action Plan – Audit of SAP General Controls

It is recommended that the Assistant Deputy Minister, Chief Financial Officer Branch (CFOB), strengthen control over user accounts related to SAP operation, including the tracing of Special Access privileges, and setting User Account expiration for term/contract staff.

While the form for Special Access requests does not always provide the full details on the purpose of the requests, other documentation and communication outside of the form provide the context and rationale for the requests in the form of emails or verbal communications. The additional information provides the approver with enough information to make an informed decision. Going forward, staff will be reminded to include text describing the purpose and/or objective of Special Access Requests within the form. SAP Security will update their procedures to include the turning on of the "User Trace" feature and to copy the results in the Special Access Request form.

FIRMS will create a Development Request to have the SAP User Access Request Form modified to include "Employee Status" such as Indeterminate, Casual, Term or Contractor, and include the employment or contract end date to input as the expiration date in the user account for temporary staff and contractors.

In the short term, FIRMS will request the Branch SAP Security Officers to use the comment field to provide the status of the user (i.e. employment status or contractor) and the related expiration dates when required.

It is recommended that the Assistant Deputy Minister, CFOB, improve control over batch file processing in SAP by changing SAP batch interface requirements to include implementing batch balancing totals.

As noted in the report, reconciliations have been implemented to ensure the completeness of data between internal Health Canada Feeder Systems and SAP. These reconciliations provide assurance on the completeness of data and mitigate the risk. Given the plans to replace the Department's two Grants and Contribution applications with one system, it would not be cost effective to implement new batch interface requirements at this time.

FIRMS will update their generic batch file interface requirement documents to include batch balancing totals. The new requirements will be implemented for any new interfaces developed or when changes are made to existing interfaces with internal Health Canada feeder systems.

It is recommended that the Assistant Deputy Minister, CFOB, in consultation with the Assistant Deputy Minister, CSB, carry out the formal Threat and Risk Assessment (TRA) for SAP in line with the Health Canada IT Security Policy.

FIRMs and FIRMS-IT will work with CSB to update the TRA for SAP in line with the Health Canada IT Security Policy.

It is recommended that the Assistant Deputy Minister, CFOB, enhance SAP security monitoring to detect and address conflicts in the segregation of duties.

FIRMS will review and address the two specific combinations of transactions the audit highlighted as potential conflicts in the segregation of duties. In addition, FIRMS will share this observation with the IFMS Program Office to assess potential enhancements to the current monitoring tool and to identify other monitoring best practices performed by other SAP departments that could be adopted by Health Canada.