ARCHIVED - Management Response and Action Plan – Audit of SAP General Controls

September 2011

Audit of SAP General Controls

Table columns: Recommendations; Management Response and Planned Actions; Deliverables; Expected Completion Date; Responsibility
Recommendation 1

It is recommended that the Assistant Deputy Minister, Chief Financial Officer Branch (CFOB), strengthen control over user accounts related to SAP operation, including the tracing of Special Access privileges, and setting User Account expiration for term/contract staff.

Management agrees with this recommendation.

While the form for Special Access requests does not always provide the full details on the purpose of the requests, other documentation and communication outside of the form provide the context and rationale for the requests in the form of emails or verbal communications. The additional information provides the approver with enough information to make an informed decision. Going forward, staff will be reminded to include text describing the purpose and/or objective of Special Access Requests within the form. SAP Security will update their procedures to include the turning on of the "User Trace" feature and to copy the results in the Special Access Request form.

FIRMS will create a Development Request to have the SAP User Access Request Form modified to include "Employee Status" such as Indeterminate, Casual, Term or Contractor, and include the employment or contract end date to input as the expiration date in the user account for temporary staff and contractors.

In the short term, FIRMS will request the Branch SAP Security Officers to use the comment field to provide the status of the user (i.e. employment status or contractor) and the related expiration dates when required.

Deliverable: Reminder email to FIRMS and FIRMS-IT employees to include text describing the purpose and/or objective of the access requested on the Special Access Request form. The approver will ensure that appropriate documentation is provided to support the Special Access Requests. Expected completion: September 2011. Responsibility: CFOB-FIRMS
Deliverable: Updated SAP Security procedures for Special Access Requests. Expected completion: September 2011. Responsibility: CFOB-FIRMS / Corporate Services Branch (CSB)-FIRMS-IT
Deliverable: Updated SAP User Access Request Form (Lotus Notes database). Expected completion: March 2012. Responsibility: CFOB-FIRMS, CSB-FIRMS-IT and CSB-Information Management Services Directorate-Solution Centre-Corporate Application and Systems
Deliverable: Updated SAP security instructions to request SAP user access and inform Branch SAP security officers of the change. Expected completion: September 2011. Responsibility: CFOB-FIRMS
Recommendation 2

It is recommended that the Assistant Deputy Minister, CFOB, improve control over batch file processing in SAP by changing SAP batch interface requirements to include implementing batch balancing totals.

Management agrees with this recommendation.

As noted in the report, reconciliations have been implemented to ensure the completeness of data between internal Health Canada Feeder Systems and SAP. These reconciliations provide assurance on the completeness of data and mitigate the risk. Given the plans to replace the Department's two Grants and Contribution applications with one system, it would not be cost effective to implement new batch interface requirements at this time.

FIRMS will update their generic batch file interface requirement documents to include batch balancing totals. The new requirements will be implemented for any new interfaces developed or when changes are made to existing interfaces with internal Health Canada feeder systems.

Deliverable: Updated generic batch file interface requirement documents. Expected completion: December 2011. Responsibility: CFOB-FIRMS, CSB-FIRMS-IT
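The control named in this recommendation, batch balancing totals, is illustrated below with an added example that is not code from Health Canada, FIRMS or SAP. The pipe-delimited file layout, the header fields (record count, amount total and a hash total of vendor numbers) and the sample batches are all constructed for the illustration; a real feeder-system interface would define its own layout. The receiving side recomputes the totals from the detail records it actually received and refuses to post the batch if any total disagrees with the sender's header, which catches truncated transfers, dropped records and substituted records that leave the dollar total unchanged.

```python
"""Batch balancing totals for a feeder-system interface.

Added example, not Health Canada's, FIRMS's or SAP's code. The file
layout below is an assumption made for the illustration:
  H|<record count>|<amount total>|<hash total of vendor numbers>
  D|<vendor number>|<document number>|<signed amount>
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int       # number of detail records
    amount_total: Decimal   # sum of signed amounts
    hash_total: int         # sum of vendor numbers: meaningless as a value,
                            # but it changes when a record is substituted


def parse_batch(text: str):
    """Split a batch into the sender's header totals and the detail records."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("H|"):
        raise ValueError("batch has no control header; reject the file")
    _, count, amount, hash_ = lines[0].split("|")
    header = ControlTotals(int(count), Decimal(amount), int(hash_))
    records = []
    for ln in lines[1:]:
        tag, vendor_no, doc_no, amount = ln.split("|")
        if tag != "D":
            raise ValueError(f"unexpected record type {tag!r}")
        records.append((int(vendor_no), doc_no, Decimal(amount)))
    return header, records


def compute_totals(records) -> ControlTotals:
    """Recompute the control totals from what was actually received."""
    return ControlTotals(
        record_count=len(records),
        amount_total=sum((r[2] for r in records), Decimal("0")),
        hash_total=sum(r[0] for r in records),
    )


def balance_batch(header: ControlTotals, records) -> list:
    """Return a list of discrepancies; an empty list means the batch balances."""
    actual = compute_totals(records)
    problems = []
    if actual.record_count != header.record_count:
        problems.append(f"record count: header {header.record_count}, received {actual.record_count}")
    if actual.amount_total != header.amount_total:
        problems.append(f"amount total: header {header.amount_total}, received {actual.amount_total}")
    if actual.hash_total != header.hash_total:
        problems.append(f"hash total: header {header.hash_total}, received {actual.hash_total}")
    return problems


# Constructed sample batches (not real Health Canada data).
GOOD_BATCH = """H|3|1250.00|300
D|100|INV-0001|500.00
D|100|INV-0002|-50.00
D|100|INV-0003|800.00
"""

# Same header, but the transfer was cut off after two records.
TRUNCATED_BATCH = """H|3|1250.00|300
D|100|INV-0001|500.00
D|100|INV-0002|-50.00
"""

# Same header and same dollar total, but one record now names a different
# vendor; only the hash total exposes the substitution.
SUBSTITUTED_BATCH = """H|3|1250.00|300
D|100|INV-0001|500.00
D|101|INV-0002|-50.00
D|100|INV-0003|800.00
"""


def check(text: str) -> list:
    """Convenience wrapper: parse a batch and return its discrepancies."""
    return balance_batch(*parse_batch(text))


if __name__ == "__main__":
    for name, batch in [("good", GOOD_BATCH), ("truncated", TRUNCATED_BATCH),
                        ("substituted", SUBSTITUTED_BATCH)]:
        problems = check(batch)
        print(name, "-> post" if not problems else f"-> reject: {problems}")
```

In practice the header totals are written by the feeder system at extraction time and the check runs in the SAP-side interface before posting, so a batch that fails to balance is rejected as a whole rather than partially loaded; the same totals can then be logged to support the reconciliations the response already mentions.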
Recommendation 3

It is recommended that the Assistant Deputy Minister, CFOB, in consultation with the Assistant Deputy Minister, CSB, carry out the formal Threat and Risk Assessment (TRA) for SAP in line with the Health Canada IT Security Policy.

Management agrees with this recommendation.

FIRMS and FIRMS-IT will work with CSB to update the TRA for SAP in line with the Health Canada IT Security Policy.

Deliverable: Updated TRA for SAP. Expected completion: March 2012. Responsibility: CFOB-FIRMS / CSB-FIRMS-IT in consultation with CSB-IMSD-IT Security
Recommendation 4

It is recommended that the Assistant Deputy Minister, CFOB, enhance SAP security monitoring to detect and address conflicts in the segregation of duties.

Management agrees with this recommendation.

FIRMS will review and address the two specific combinations of transactions the audit highlighted as potential conflicts in the segregation of duties. In addition, FIRMS will share this observation with the IFMS Program Office to assess potential enhancements to the current monitoring tool and to identify other monitoring best practices performed by other SAP departments that could be adopted by Health Canada.

Deliverable: Review of specific combinations of transactions the audit highlighted as potential conflicts in segregation of duties and follow-up action based upon assessed risk. Expected completion: October 2011. Responsibility: CFOB-FIRMS / CSB-FIRMS-IT
Deliverable: Adoption of enhancements to segregation of duties Control Table in SAP based on assessment with IFMS Program Office and other monitoring best practices used by other SAP departments. Expected completion: June 2012. Responsibility: CFOB-FIRMS / CSB-FIRMS-IT
