2006 Audit Recommendations - Status Tracking
Document 3
Audit: IT Process of Computerized Financial System (Lead: S. Finnamore)

Columns: Audit Recommendation | Management Response | Action Required Based on DCM Implementation Plan | Management Timelines (Q1-Q4) | Budget Implications 2008 or Beyond ($$ if known) | Related Council Motions | Status Update / Comments (status, risks, issues regarding implementation, etc.)
2d) Audit Recommendation: Reconsider providing highly privileged access to SAP to a temporary Information Technology Services Branch student.
Management Response: Management agrees with this recommendation.
Action Required Based on DCM Implementation Plan: It is not standard practice to provide student positions with privileged access. In the instance cited, the temporary student employee was granted the access after gaining four months of experience and being retained for a second work term. ITS will review authorization assignments to determine if more restricted roles can be assigned. This will be initiated in Q2 2007.
Support Centre has reviewed support roles in production. Any additional access is assigned based on a specific task and duration and must be approved by a project manager. Additional assignments are also reviewed by the Program Manager for reasonability during the weekly security reviews.
Management Timelines: Q3 2007
Status Update / Comments:
Jan 2008: In progress: Implemented method for data collection of SAP transaction usage information independent of 4b. Creation of report and subsequent analysis of data collected to begin in late Q1 - early Q2 2008.
Sept 2007 - Review completed with preliminary data collection starting in production Q4 2007. Full implementation scheduled for Q1 2008.
Completed review of support roles in production. Documentation of amended approval process is outstanding and scheduled for completion in Q3 2007.
3c) Audit Recommendation: That Information Technology Services Branch determine the true usage rates of SAP to provide context for any more stringent access controls and possible user account removal.
Management Response: Management agrees with this recommendation.
Action Required Based on DCM Implementation Plan: Recommendation requires the implementation of recommendation 4B. After profile usage logging has been implemented, the branch will generate new usage rates based on log information in Q2 2008.
In Q3-Q4 2007 a process will be developed to analyze the data needed to determine SAP user access usage rates. New usage rates will be determined after the SAP upgrade scheduled for November 13th 2007. See funding note in 4.
Management Timelines: Due Q2 2008
Status Update / Comments:
Jan 2008: In progress: Implemented method for data collection of SAP transaction usage information independent of 4b.
Sept 2007 - Work scheduled for Q1 2008. Upgrade on schedule for completion Q4 2007.
Work to begin following SAP upgrade at end of year. The Support Centre is currently upgrading the SAP system. The upgrade may have an impact on the final solution.
4) Audit Recommendation: That Information Technology Services Branch enable SAP auditing as per generally accepted practice to allow for the auditing of key activities within SAP. In conjunction with the enablement, IT and business management should define the key events they wish to audit and on what frequency, while balancing the need for timeliness of review. Similarly, these events should be regularly assessed for continued applicability.
Management Response: Management agrees with this recommendation.
Action Required Based on DCM Implementation Plan: ITS branch, in partnership with the affected business process owners (e.g. Financial Services, Employee Services, and Surface Operations branch, etc.), will conduct an assessment of the impact of implementing audit logging in Q3 2007.
Implementation will begin in Q1 2008 depending on requirements and resource availability identified in the assessment phase. The assessment will begin in Q3 2007. The initial high-level assessment for the implementation is identified as approximately: 20 days audit consultant $45,000; 10 days BASIS $10,000; and 30 days business staff $10,000.
Preliminary investigations have been done to determine the capabilities and impact of using the SAP global System Security audit function. Initial security settings will be moved to production in Q3 2007. Additional resources will be required to assist with determining how the data collected can be analyzed and managed. Funding will be required to secure additional resources needed to complete 3c and 4.
Management Timelines: Review due Q3 2007 with implementation in Q1 2008
Budget Implications 2008 or Beyond: 20 days audit consultant $45,000; 10 days Basis $10,000; and 30 days business staff $10,000.
Status Update / Comments:
Jan 2008: In progress: Completed identification of critical security events for the purposes of tracking. SAP Security logging of these critical events is scheduled for implementation Q1 2008. Identification of critical business events and associated work effort to be determined with client stakeholders beginning late Q2 2008.
Sept 2007 - Review completed with preliminary data collection starting in production Q4 2007. Full implementation scheduled for Q1 2008.
Review due Q3 2007 with implementation in Q1 2008.
5b) Audit Recommendation: That Information Technology Services Branch consider establishing monitoring controls for when the profiles are actually utilized.
Management Response: Management agrees with this recommendation.
Action Required Based on DCM Implementation Plan: The branch will implement quarterly monitoring controls of profile usage. This recommendation is dependent on the implementation of audit recommendation 4B scheduled for Q2 2008.
Management Timelines: Work has not started. Dependent on 4b implementation.
Status Update / Comments:
Jan 2008: In progress: Implemented method for data collection of SAP transaction usage information independent of 4b. Creation of report and subsequent analysis of data collected to begin in late Q1 - early Q2 2008.
Sept 2007: Not Started - See comments below.
Not started - dependent on implementation of #4.
Payroll Process owner reviewing role assignments. Changes are being made to reduce the number of staff who have access. Support Centre has reduced production access and has now eliminated division of duty conflicts (BASIS exempted).
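Recommendations 3c and 5b call for measuring how often assigned SAP profiles are actually used, reviewing that quarterly, and using the result to drive account or role removal, and the latest 5b update refers to eliminating division of duty conflicts. The following is an added Python example, not part of this document or of the ITS branch's own tooling, that performs those three checks over a constructed transaction-usage extract; every user, role, transaction code and conflict rule in it is a constructed sample value.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the audit): role assignments per SAP user,
# and a transaction-usage extract with one (user, role, transaction, date) row each.
ASSIGNMENTS = {
    "jdoe": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"},
    "asmith": {"Z_AP_INVOICE_ENTRY"},
    "student1": {"Z_BASIS_SUPPORT"},  # hypothetical temporary support assignment
}
USAGE_LOG = [
    ("jdoe", "Z_AP_INVOICE_ENTRY", "FB60", date(2008, 1, 14)),
    ("jdoe", "Z_AP_INVOICE_ENTRY", "FB60", date(2008, 2, 3)),
    ("asmith", "Z_AP_INVOICE_ENTRY", "FB60", date(2008, 3, 21)),
    ("asmith", "Z_AP_INVOICE_ENTRY", "FB60", date(2007, 12, 30)),  # outside Q1 2008
]
# Constructed division-of-duties rule: entering invoices and releasing payments
# must not sit with the same person.
SOD_CONFLICTS = {frozenset({"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"})}
Q1_2008 = (date(2008, 1, 1), date(2008, 3, 31))  # quarterly review window

def usage_counts(log, start, end):
    """Count transactions per (user, role) inside the review window, inclusive."""
    counts = defaultdict(int)
    for user, role, _tcode, when in log:
        if start <= when <= end:
            counts[(user, role)] += 1
    return counts

def unused_assignments(assignments, log, start, end):
    """Assigned roles with zero usage in the window: candidates for removal (3c/5b)."""
    counts = usage_counts(log, start, end)
    return sorted((u, r) for u, roles in assignments.items()
                  for r in roles if counts[(u, r)] == 0)

def usage_rate(assignments, log, start, end):
    """Fraction of assigned (user, role) pairs actually exercised in the window."""
    pairs = sum(len(roles) for roles in assignments.values())
    unused = len(unused_assignments(assignments, log, start, end))
    return (pairs - unused) / pairs if pairs else 0.0

def sod_violations(assignments, conflicts):
    """Users who hold both roles of any conflicting pair."""
    return sorted((u, tuple(sorted(pair))) for u, roles in assignments.items()
                  for pair in conflicts if pair <= roles)

if __name__ == "__main__":
    print("unused:", unused_assignments(ASSIGNMENTS, USAGE_LOG, *Q1_2008))
    print("usage rate:", usage_rate(ASSIGNMENTS, USAGE_LOG, *Q1_2008))
    print("division of duty conflicts:", sod_violations(ASSIGNMENTS, SOD_CONFLICTS))
```

Unused assignments are a review list for the responsible project or program manager, not an automatic removal, since a role may be held for a rare but legitimate task.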