2006 Audit Recommendations - Status Tracking
Document 4
Audit: IT Process of Computerized Financial System (Lead: S. Finnamore)

Tracking columns: Audit Recommendation | Management Response | Action Required Based on DCM Implementation Plan | Management Timelines (Q1-Q4) | Budget Implications 2008 or Beyond ($$ if known) | Related Council Motions | Status Update / Comments (status, risks, issues regarding implementation, etc.)
Audit Recommendation 1c: As it pertains to withdrawn/terminated users, more diligent application of logical access management policies, as well as a more robust communication protocol between Employee Services Branch and Information Technology Services Branch, be enforced to ensure timely reaction to access removal. Furthermore, routine (e.g. quarterly) review of employee lists, last logons, etc. would also greatly reduce the risks associated with having terminated users.

Management Response: Management agrees with this recommendation and it has already been implemented.

On October 30 2005, the City implemented Enterprise Directory Services (EDS). EDS provides the information required to automate the locking of “terminated” employee Network and SAP application accounts. It also automates the adjustment of SAP application privileges when employees move from one position to another. This has significantly improved the administration and timeliness of account administration.

Employee Self Service (ESS) and Manager Self Service (MSS) accounts are automatically locked when staff are terminated. A process is being developed, with an implementation date of Q3 2007, to lock ESS and MSS accounts after 60 days of inactivity. The current process is being reviewed to ensure it can efficiently handle a large number of requests, since staff typically access ESS and MSS in response to a specific event (e.g. pending back pay, or during key stages of the budget cycle).

Action Required (DCM Implementation Plan): Locking of terminated employee accounts implemented October 30 2005. All accounts are reviewed automatically by the EDS interface daily to determine status.

Management Timelines: Review Q3 2007 with implementation in Q1 2008.

Status Update / Comments: Sept 2007: In Progress. Work scheduled for Q1 2008. Upgrade on schedule for completion Q4 2007. ESS and MSS locking outstanding.
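The review that recommendation 1c calls for (terminated owners, stale last logons, a 60-day inactivity limit for self-service accounts) is straightforward to run as a script against a roster export and an account list. The following is an added example written for this page; it is not code from the audit, from EDS or from SAP. The roster and account records are constructed sample data, the field names are assumptions, and it goes slightly beyond the text by also flagging orphaned accounts (no owner in the roster) and by not locking an employee who has given notice but whose end date has not yet passed.

```python
"""Added example (not part of the audit document or the City's EDS): a
quarterly account review of the kind recommendation 1c describes.

It reconciles application accounts against an HR roster and reports
  - accounts of terminated employees that are still unlocked,
  - ESS/MSS accounts with no logon in the last 60 days (the threshold the
    management response gives for self-service accounts), and
  - orphaned accounts whose owner is not in the roster at all.
Roster and account records below are constructed sample data; the field
names are assumptions, not EDS or SAP fields.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=60)     # ESS/MSS inactivity threshold
SELF_SERVICE = {"ess", "mss"}             # systems subject to inactivity locking


@dataclass(frozen=True)
class Employee:
    emp_id: str
    end_date: Optional[date]    # None = active; future date = notice given, still employed


@dataclass(frozen=True)
class Account:
    user: str
    emp_id: str                 # owner, as recorded in the directory
    system: str                 # "network", "sap", "ess", "mss"
    last_logon: Optional[date]  # None = never logged on
    locked: bool


def is_terminated(emp: Employee, today: date) -> bool:
    """An employee counts as terminated only once the end date has passed."""
    return emp.end_date is not None and emp.end_date <= today


def is_idle(acct: Account, today: date) -> bool:
    """Never-used accounts are idle; otherwise compare last logon to the limit."""
    return acct.last_logon is None or today - acct.last_logon > INACTIVITY_LIMIT


def review_accounts(roster: List[Employee], accounts: List[Account],
                    today: date) -> Dict[str, List[str]]:
    """Return the user names that need action, grouped by reason.

    Already-locked accounts are skipped. A terminated owner takes
    precedence over inactivity, so each account appears at most once.
    """
    by_id = {e.emp_id: e for e in roster}
    findings: Dict[str, List[str]] = {"terminated": [], "inactive": [], "orphaned": []}
    for acct in accounts:
        if acct.locked:
            continue
        owner = by_id.get(acct.emp_id)
        if owner is None:
            findings["orphaned"].append(acct.user)
        elif is_terminated(owner, today):
            findings["terminated"].append(acct.user)
        elif acct.system in SELF_SERVICE and is_idle(acct, today):
            findings["inactive"].append(acct.user)
    return findings


# Constructed sample data for a review run on 30 Sept 2007.
TODAY = date(2007, 9, 30)
ROSTER = [
    Employee("E100", None),                 # active
    Employee("E200", date(2007, 8, 15)),    # terminated in August
    Employee("E300", date(2007, 10, 31)),   # notice given, still employed
    Employee("E400", None),                 # active new hire
]
ACCOUNTS = [
    Account("jdoe", "E100", "sap", date(2007, 9, 28), False),        # in use
    Account("jdoe_ess", "E100", "ess", date(2007, 5, 1), False),     # idle 152 days
    Account("asmith", "E200", "network", date(2007, 8, 14), False),  # owner terminated
    Account("asmith_ess", "E200", "ess", date(2007, 8, 10), True),   # already locked
    Account("bwong", "E300", "sap", date(2007, 9, 29), False),       # keep until Oct 31
    Account("bwong_mss", "E300", "mss", date(2007, 9, 1), False),    # idle 29 days, fine
    Account("ghost", "E999", "sap", date(2007, 9, 20), False),       # no owner in roster
    Account("newhire_ess", "E400", "ess", None, False),              # never logged on
]

if __name__ == "__main__":
    for reason, users in review_accounts(ROSTER, ACCOUNTS, TODAY).items():
        print(f"{reason:>10}: {', '.join(users) or '-'}")
```

Run against the sample data the script reports one terminated account, two idle self-service accounts (one of them never used) and one orphan; re-running it with a date after 31 October moves the notice-period employee's accounts into the terminated list. The orphan category is worth keeping even though the recommendation does not name it: an account whose owner cannot be matched to HR at all is exactly the case a daily EDS status check cannot resolve on its own. The inactivity list is also the one that produces the burst of unlock requests the management response warns about around special events, so its size is worth reporting before the locks are applied.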
Audit Recommendation 2d: Reconsider providing highly privileged access to SAP to a temporary Information Technology Services Branch student.

Management Response: Management agrees with this recommendation.

It is not standard practice to provide student positions with privileged access. In the instance cited, the temporary student employee was granted the access after gaining four months of experience and being retained for a second work term. ITS will review authorization assignments to determine if more restricted roles can be assigned. This will be initiated in Q2 2007.

Action Required (DCM Implementation Plan): Support Centre has reviewed support roles in production. Any additional access is assigned for a specific task and duration and must be approved by a project manager. Additional assignments are also reviewed by the Program Manager for reasonability during the weekly security reviews.

Management Timelines: Q3 2007.

Status Update / Comments: Sept 2007: In Progress. Review completed, with preliminary data collection starting in production Q4 2007. Full implementation scheduled for Q1 2008.

Completed review of support roles in production. Documentation of the amended approval process is outstanding and scheduled for completion in Q3 2007.
Audit Recommendation 3c: That Information Technology Services Branch determine the true usage rates of SAP to provide context for any more stringent access controls and possible user account removal.

Management Response: Management agrees with this recommendation.

This recommendation requires the implementation of recommendation 4B. After profile usage logging has been implemented, the branch will generate new usage rates based on log information in Q2 2008.

Action Required (DCM Implementation Plan): In Q3-Q4 2007 a process will be developed to analyze the data needed to determine SAP user access usage rates. New usage rates will be determined after the SAP upgrade scheduled for November 13th 2007. See funding note in 4.

Management Timelines: Due Q2 2008.

Status Update / Comments: Sept 2007: In Progress. Work scheduled for Q1 2008. Upgrade on schedule for completion Q4 2007.

Work to begin following the SAP upgrade at the end of the year. The Support Centre is currently upgrading the SAP system; the upgrade may have an impact on the final solution.
Audit Recommendation 4: That Information Technology Services Branch enable SAP auditing as per generally accepted practice to allow for the auditing of key activities within SAP. In conjunction with the enablement, IT and business management should define the key events they wish to audit and on what frequency, while balancing the need for timeliness of review. Similarly, these events should be regularly assessed for continued applicability.

Management Response: Management agrees with this recommendation.

ITS branch, in partnership with the affected business process owners (e.g. Financial Services, Employee Services, Surface Operations branch, etc.), will conduct an assessment of the impact of implementing audit logging in Q3 2007.

Implementation will begin in Q1 2008 depending on requirements and resource availability identified in the assessment phase. The assessment will begin in Q3 2007. The initial high-level estimate for the implementation is approximately: 20 days audit consultant $45,000; 10 days BASIS $10,000; and 30 days business staff $10,000.

Action Required (DCM Implementation Plan): Preliminary investigations have been done to determine the capabilities and impact of using the SAP global System Security audit function. Initial security settings will be moved to production in Q3 2007. Additional resources will be required to assist with determining how the data collected can be analyzed and managed. Funding will be required to secure the additional resources needed to complete 3c and 4.

Management Timelines: Review due Q3 2007 with implementation in Q1 2008.

Budget Implications: 20 days audit consultant $45,000; 10 days BASIS $10,000; and 30 days business staff $10,000.

Status Update / Comments: Sept 2007: In Progress. Review completed, with preliminary data collection starting in production Q4 2007. Full implementation scheduled for Q1 2008.
Audit Recommendation 5b: That Information Technology Services Branch consider establishing monitoring controls for when the profiles are actually utilized.

Management Response: Management agrees with this recommendation.

The branch will implement quarterly monitoring controls of profile usage. This recommendation is dependent on the implementation of audit recommendation 4B, scheduled for Q2 2008.

Action Required (DCM Implementation Plan): Work has not started. Dependent on 4b implementation.

Status Update / Comments: Sept 2007: Not Started. See comments below.

Not started; dependent on implementation of #4.
Payroll process owner is reviewing role assignments. Changes are being made to reduce the number of staff who have access.
Support Centre has reduced production access and has now eliminated separation of duties conflicts (BASIS exempted).
Audit Recommendation 14: That Information Technology Services Branch require that all relevant SAP-based documentation be:
- Immediately updated;
- Routinely updated;
- Formally approved and communicated, to represent the current state of each process; and
- Incorporated within the scope of their existing document management strategy, which has refresh and update requirements.

Management Response: Management agrees with this recommendation.

The ITS branch recognizes the importance and necessity of maintaining current documentation. Workload demands, staff vacancies, and the volume of documentation dictate that different priorities are placed on different document types. System administration procedures and system configuration are given the highest priorities. The branch will formally implement a document process for high priority documents to ensure they are approved, periodically reviewed and updated.

The ITS branch identifies a requirement for a technical document writer to assist with document preparation and updating (140 days @ $600 per day – $84,000), to be initiated in Q3 2007 depending on resource availability.

In the case of business process documents, the ITS branch relies on business process owners to vet all requested SAP change requests to ensure they comply with acceptable business practices and procedures. In the case of major changes or the addition of controls, business acceptance testing is also performed.

Action Required (DCM Implementation Plan): As part of the SAP upgrade project, staff will be reviewing and updating all relevant high priority documents. A project plan will be developed by Q4 to identify and implement a formal document management process to ensure currency of support documents.

In Q3, Support Centre staff will begin to use the enterprise document management system to manage documentation.

Budget Implications: 140 days @ $600 per day – $84,000.

Status Update / Comments: In progress. Sept 2007: In Progress. The SAP Support Centre implemented the Stellant Document Management software on July 3, 2007 to manage project documents, procedure documents, approvals for security access, and test documents used for the SAP materials management module. Additional document types are planned after the SAP upgrade in Q1 2008.

Risk: Staff may not be able to review and update all relevant SAP documentation before the end of the year due to upgrade deadlines.