2006 Audit Recommendations - Status Tracking

Audit: IT Process of Computerized Financial System (Lead: S. Finnamore)

Columns of the tracking table: Audit Recommendation | Management Response | Action Required Based on DCM Implementation Plan | Management Timelines (Q1-Q4) | Budget Implications 2008 or Beyond ($$ if known) | Related Council Motions | Status Update / Comments (status, risks, issues regarding implementation, etc.)
1) That Information Technology Services Branch ensure that:
a) The control activities set out within the City of Ottawa policy documents be emphasised as required steps in all circumstances; and
b) The evidence of the performance of the prescribed control activities be retained for audit and monitoring purposes.

Management Response: Management agrees with these recommendations. The Information Technology Services (ITS) branch will continue to communicate to staff the importance of following documented processes and retaining appropriate evidence, by means of email reminders, staff meetings, and employee performance evaluations.

Action Required: ITS to review the control activity requirements in the policy documents and track performance over time.
Timeline: Review Q2 2007; tracking ongoing.
Status: 1a, 1b complete. Requirements reviewed in May. Processes are currently being reviewed and changes will be communicated as required.
 
2) That Information Technology Services Branch, SAP Support Centre Unit (SAP security group), in conjunction with senior management, using the information noted herein as well as the existing authorization audit reports:

a) Execute a review of users with access to BASIS-sensitive development activities, objects, transactions and standard SAP BASIS profiles to ensure that high-level access in SAP is restricted to users who require this level of access as part of their job.

Management Response: Management agrees with this recommendation. The ITS branch currently conducts a monthly review of all sensitive user accounts and the assignment of sensitive privileges. ITS will investigate the impact of further access restrictions to sensitive BASIS roles. This will be initiated in Q2 2007.

Action Required: The Support Centre has reduced the number of BASIS-sensitive role assignments to the minimum number (four) required to maintain the production SAP environment. Three system accounts also exist; these are restricted by the SAP application and can only be used by the application internally.
Timeline: Q2 2007
Status: Complete. The Support Centre has completed the review of the sensitive roles and reduced the number of BASIS-sensitive role assignments to the minimum number (four) required to maintain the production SAP environment. Sensitive role assignments are reviewed weekly and system accounts are reviewed monthly.
 
2b) Remove access to the production environment for all SAP ABAP developers.

Management Response: Management disagrees with this recommendation. SAP ABAP programmers require production access to investigate and diagnose production-related problems. SAP production global system settings prevent programmers from altering programs or application configuration tables. These changes can only be created in the development environment and must follow the published approval process before being promoted to production. Adjustment of global system parameters is restricted, monitored and logged.

Action Required: Support Centre programmers have display access to production data only. Roles were reviewed in production in May. No SAP ABAP programmer has access to HR data.
Timeline: Q2 2007
Status: Complete. SAP ABAP developers have display-only access to production, and a reporting process for access levels has been in place since June 2007. As of June 2007, the Support Centre prepares a monthly listing of all Support Centre staff and consultants with production access, which is reviewed and approved by the SAP Program Manager.
 
2c) Place a particular emphasis on external consultants, who normally have privileged levels of access. Their access should be approved, well monitored and removed in a timely fashion.

Management Response: Management agrees with this recommendation. External consultants are not automatically provided production access. Production access is provided to consultants, to allow them to perform their roles, only after competence and performance have been assessed. Consultant network accounts currently have end dates applied when created; this ensures that the accounts are automatically locked by the EDS interface when the contract end date is reached. This will be initiated in Q2 2007.

Action Required: Conduct a review of external consultants and ensure the necessary measures are in place to approve, monitor and track their level of access to the system.
Timeline: Q2 2007
Status: Complete. In May 2007, the Support Centre reviewed all access levels for consultants. External consultants' access is closely monitored and their accounts are disabled in a timely fashion. Starting in June, the Support Centre prepares a monthly listing of all Support Centre staff and consultants with production access, which is reviewed and approved by the SAP Program Manager. Access to sensitive roles must be approved by project managers.
 
3) That Information Technology Services Branch:

a) Review the users who are inactive, have never logged on or work on a seasonal schedule, with a particular and immediate focus on excluding those users who only have SAP access due to the SAP ESS/HR functionality granted to all employees.

Management Response: Management agrees with this recommendation. Non-ESS/MSS accounts are reviewed regularly because of the costs associated with licensing. ITS will include Employee Self Service accounts in the nightly process, which automatically locks accounts dormant for more than 60 days. This will be initiated in Q2 2007.

The ITS branch, in conjunction with the Employee Services branch, will review the number of re-activation requests in Q4 2007 to determine whether the development of a self-serve account re-activation function is warranted. Should the re-activation function be required, the branch estimates 20 days of effort ($20,000 of consultant services), to be initiated in Q1 2008.

The Employee Services branch has also identified several initiatives in its Q3 2007 work plan designed to increase the usage of ESS. These initiatives include updating current content and reports to make the site more user friendly, as well as undertaking a promotion campaign focusing on the usability and convenience of the site.

Action Required: The Support Centre is working with ES, CAPM and Finance to determine a communication strategy before locking ESS and MSS accounts due to inactivity. Automatic locking of ESS and MSS accounts after 60 days of inactivity will not be completed until Q3 2007.
Budget: $20,000 for consultant services.
Status: Complete (September 2007). Automatic locking of ESS and MSS accounts has been implemented.

SAP accounts for terminated employees are automatically locked. SAP accounts for consultants or contractors are locked at the contract end date identified in EDS. Re-activation of ESS and MSS privileges will initially be done manually. $20K is reserved to assist with developing an automated re-authentication process for users requesting reactivation of their ESS and MSS accounts in 2008. This will be done only if the number of requests warrants automation.
3b) That Information Technology Services Branch remove/restrict/disable accounts that are no longer required on a regular basis (i.e., quarterly).

Management Response: Management agrees with this recommendation and it has already been implemented. With the implementation of Enterprise Directory Services (EDS) in October 2005, all SAP accounts are automatically reviewed daily against current SAP HR employee status information. SAP user accounts are automatically locked upon employee termination, and access privileges are adjusted based on the position the employee occupies. In addition to EDS, ITS uses an SAP password generation utility to assign a system-generated initial password. Users are notified of the initial password by email or by phone and must log in and change the password within 24 hours or the account is automatically locked. In the case of ESS accounts, the system-generated passwords are stored in SAP and are never published; ESS user authentication is based on Microsoft Active Directory single sign-on using the user's network account.

Action Required: The Support Centre is working with ES, CAPM and Finance to determine a communication strategy before locking ESS and MSS accounts due to inactivity. The EDS interface was implemented in October 2005 to address the locking of terminated employee accounts.
Status: Complete, with the implementation of Enterprise Directory Services (EDS) in October 2005. The daily EDS interface ensures that all SAP accounts are reviewed against the updated Enterprise Directory. SAP accounts for terminated employees are automatically locked. SAP accounts for consultants or contractors are locked at the contract end date identified in EDS.
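The account-lifecycle controls described in items 3a and 3b (daily lock of terminated employees from the HR feed, lock at the contract end date held in EDS, lock when the initial password is not changed within 24 hours, and the nightly 60-day dormancy lock) can be expressed as a single review pass over a user-master extract. The following is an added example written for this page, not City of Ottawa or ITS code; the record fields, the user-type categories, the treatment of never-logged-on accounts (measured from creation) and all sample records are constructed assumptions.

```python
# Added example (not City of Ottawa / ITS code): reproduces the account-lifecycle
# checks from items 3a and 3b as one review pass over a user-master extract.
# Field names, user-type categories and the sample records are constructed
# assumptions; a real run would read the SAP user master and the EDS feed.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

DORMANT_DAYS = 60        # nightly process: lock accounts dormant for more than 60 days
INITIAL_PW_HOURS = 24    # initial password must be changed within 24 hours or the account is locked


@dataclass
class UserRecord:
    user: str
    user_type: str                 # "dialog", "ess" or "system" (assumed categories)
    created: datetime
    last_logon: Optional[date]     # None = never logged on
    valid_to: Optional[date]       # contract end date carried in the directory; None = employee
    hr_status: str                 # "active" or "terminated", from the HR feed
    locked: bool
    initial_pw_changed: bool       # always True for ESS: AD single sign-on, no dialog password


def review_accounts(records: List[UserRecord], today: date, now: datetime) -> Dict[str, List[str]]:
    """Return, per finding type, the unlocked accounts that the controls say should be locked."""
    findings: Dict[str, List[str]] = {
        "terminated": [], "contract_expired": [], "initial_password": [], "dormant": []}
    for r in records:
        if r.locked or r.user_type == "system":
            continue   # already locked, or an application-internal account reviewed separately
        if r.hr_status == "terminated":
            findings["terminated"].append(r.user)        # the daily EDS feed should have locked it
        elif r.valid_to is not None and r.valid_to < today:
            findings["contract_expired"].append(r.user)  # consultant past the contract end date
        elif not r.initial_pw_changed and now - r.created > timedelta(hours=INITIAL_PW_HOURS):
            findings["initial_password"].append(r.user)  # initial password never changed
        else:
            # Never-logged-on accounts are measured from creation (assumption).
            reference = r.last_logon if r.last_logon is not None else r.created.date()
            if (today - reference).days > DORMANT_DAYS:
                findings["dormant"].append(r.user)
    return findings


def sample_findings() -> Dict[str, List[str]]:
    """Run the review over a constructed extract as of 1 June 2007 (the review month above)."""
    today = date(2007, 6, 1)
    now = datetime(2007, 6, 1, 9, 0)
    records = [  # constructed sample data
        UserRecord("JSMITH", "dialog", datetime(2007, 1, 10), date(2007, 5, 28), None, "active", False, True),
        UserRecord("CONSULT1", "dialog", datetime(2006, 9, 1), date(2007, 5, 30), date(2007, 5, 15), "active", False, True),
        UserRecord("ESS04511", "ess", datetime(2007, 2, 1), date(2007, 3, 1), None, "active", False, True),
        UserRecord("ESS04512", "ess", datetime(2007, 1, 5), None, None, "active", False, True),
        UserRecord("TLEAVER", "dialog", datetime(2006, 5, 1), date(2007, 5, 31), None, "terminated", False, True),
        UserRecord("NEWHIRE", "dialog", datetime(2007, 5, 29, 10, 0), None, None, "active", False, False),
        UserRecord("SAPSYS01", "system", datetime(2005, 10, 1), None, None, "active", False, True),
        UserRecord("OLDLOCK", "dialog", datetime(2005, 10, 1), date(2006, 1, 1), None, "active", True, True),
    ]
    return review_accounts(records, today, now)


if __name__ == "__main__":
    for kind, users in sample_findings().items():
        print(f"{kind:17s} {', '.join(users) or '-'}")
```

The ordering of the checks matters: a terminated employee or an expired contract is reported as such even if the account is also dormant, so the review output says which feed failed (HR status, EDS end date, password utility, or the nightly dormancy job) rather than only that the account is open.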
 
5a) That Information Technology Services Branch immediately review the users and generic user IDs with access to the SAP standard BASIS profiles S_A.CUSTOMIZ, S_A.DEVELOP, S_A.SYSTEM and SAP_NEW for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

Management Response: Management agrees with this recommendation. The branch will complete a review of user IDs with access to SAP BASIS roles to reduce the total number of assignments in Q2 2007.

Action Required: Review completed May 2007. BASIS roles have been restricted and system account settings have been restricted for system use only. Use of specific authorization objects and BASIS roles is reported in the weekly security audit report.
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is arranged when absent.
 
6) That Information Technology Services Branch:

a) Restrict, or provide display-only access in production to, the Data Dictionary Maintenance (SE11) and Program Maintenance (SE38) transactions. Any changes should be made in the development environment, be properly tested, and then transported to production.

b) Immediately review the users and generic user IDs with access to Data Dictionary Maintenance (SE11) and Program Maintenance (SE38) for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

c) Limit access to the Data Dictionary Maintenance (SE11) transaction to database administrators and implement mitigating controls to ensure these types of changes are not occurring in the production environment without proper approval.

Management Response: Management agrees with this recommendation. At the beginning of 2006, the ITS branch implemented an approval process for granting several sensitive transactions, including SE11 and SE38, in production. Access is granted for a specific duration and only with Support Centre project manager approval. SAP production global system settings prevent any program maintenance access. Program changes can only be created in the development environment and must follow the published approval process before being promoted to production. Adjustment of global system parameters is restricted, monitored and logged.

Action Required: Recommendation previously implemented in 2006. SE11 and SE38 transaction assignments are reviewed monthly. Staff are assigned transactions on an as-needed basis for a specific purpose and time duration. The May monthly report identified 7 accounts (4 BASIS and 3 system) with access to SE38 and SE11.
Timeline: Complete in 2006
Status: Completed in 2006. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is assigned when absent.
 
7a) That Information Technology Services Branch immediately review the users and generic user IDs with access to impact the transport system through the SE01, SE06, SE10 and STMS transactions for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

Management Response: Management agrees with this recommendation. The ITS branch will review user IDs with access to the SE01, SE06, SE10 and STMS transactions for reasonableness in Q2 2007.

Action Required: Review completed May 2007. SE01, SE06 and SE10 transaction assignments have been added to the monthly review. STMS was added previously and is currently monitored monthly. Accounts with access as of May:
  STMS: 7 accounts (4 BASIS, 3 system)
  SE01: 7 accounts (4 BASIS, 3 system)
  SE06: 7 accounts (4 BASIS, 3 system)
  SE10: 7 accounts (4 BASIS, 3 system)
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is assigned when absent.
 
7b) That Information Technology Services Branch restrict access to a limited number of BASIS users.

Management Response: Management agrees with this recommendation. The ITS branch will restrict these transactions to a limited number of users; however, these will not necessarily be limited to BASIS accounts only. This action will be initiated in Q2 2007.

Action Required: Review completed May 2007. BASIS roles have been restricted and system account settings have been restricted for system use only. Use of specific authorization objects and BASIS roles is reported in the weekly security audit report.
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is assigned when absent.
 
8) That Information Technology Services Branch review the users and generic user IDs with access to the object S_USER_AGR for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits, to ensure that appropriate segregation of duties is maintained.

Management Response: Management agrees with this recommendation. This action will be initiated in Q2 2007.

Action Required: A review of sensitive object assignments is conducted weekly. At the time of the audit there were 36 accounts identified. As of May there are a total of 20 accounts with update access (4 BASIS, 3 system, and 13 financial staff who require access and are further restricted to maintenance of account master data only). A further 17 Support Centre staff have display-only access to verify production security assignments. The listing of 13 financial users will be validated by the process owner in the next quarterly review.
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is assigned when absent.
 
9) That Information Technology Services Branch immediately review the users and generic user IDs with access to the object S_DEVELOP for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

Management Response: Management agrees with this recommendation. The ITS branch will initiate this recommendation in Q2 2007.
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is arranged when absent.
 
10) That Information Technology Services Branch immediately review the users and generic user IDs with access to the object S_TRANSPRT for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

Management Response: Management agrees with this recommendation. The ITS branch will initiate this recommendation in Q2 2007.

Action Required: A review of sensitive object assignments is conducted weekly. At the time of the audit there were 10 accounts identified. As of May, there are 9 accounts (4 BASIS, 3 system and 2 approved temporary assignments).
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is arranged when absent.
 
11) That Information Technology Services Branch immediately review the users and generic user IDs with access to the object S_CTS_ADMI for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

Management Response: Management agrees with this recommendation. This action will be initiated in Q2 2007.

Action Required: A review of sensitive object assignments is conducted weekly. At the time of the audit there were 9 accounts identified. As of May, there are 8 accounts (4 BASIS, 3 system and 1 approved temporary assignment, since removed).
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is arranged when absent.
 
12) That Information Technology Services Branch immediately review the users and generic user IDs with access to the object S_TABU_CLI for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

Management Response: Management agrees with this recommendation. This will be initiated in Q2 2007.

Action Required: A review of sensitive object assignments is conducted weekly. At the time of the audit there were 42 accounts identified. As of May, there are 27 accounts (4 BASIS, 3 system and 20 user accounts that carry further restrictions limiting them to financial account maintenance). The listing of 20 users will be validated by the process owner in the next quarterly review.
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is arranged when absent.
 
13) That Information Technology Services Branch immediately review the users and generic user IDs with access to the object S_TABU_DIS for reasonableness, as well as continue to systematically monitor access levels through their existing authorization audits.

Management Response: Management agrees with this recommendation. This action will be initiated in Q2 2007.

Action Required: A review of sensitive object assignments is conducted weekly. At the time of the audit there were 23 accounts identified. As of May, there are 8 accounts (4 BASIS, 3 system and 1 approved temporary assignment, since removed). Note: whenever this object is used in user roles, an additional restriction is always applied; the weekly report is used to verify that the restrictions are in place.
Timeline: Q2 2007
Status: Complete. The Program Manager for the SAP Support Centre now reviews and signs off on weekly, monthly and quarterly reports. Any outstanding action items are recorded in the security issues log and assigned for action to the SAP Support Centre Authorization Analyst. Program Manager cover-off is arranged when absent.
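Items 8 to 13 describe the same weekly check applied to six authorization objects: the update-capable assignments are counted against a baseline of 4 BASIS and 3 system accounts, every other assignment must be an approved business user or an approved temporary assignment, and any use of S_TABU_DIS must carry an additional restriction. The following is an added example of that review written for this page, not ITS code; the account IDs, the fields of the assignment extract (activity, restriction, approver, expiry), the table authorization group value and all sample rows are constructed assumptions.

```python
# Added example (not ITS code): one pass of the weekly sensitive-object review
# described in items 8 to 13, run over a constructed assignment extract.
# Account IDs, extract fields and the approval/expiry attributes are assumptions;
# a real review would read the role/profile assignments from SAP.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SENSITIVE_OBJECTS = {"S_USER_AGR", "S_DEVELOP", "S_TRANSPRT", "S_CTS_ADMI", "S_TABU_CLI", "S_TABU_DIS"}
BASIS_ACCOUNTS = {"BASIS01", "BASIS02", "BASIS03", "BASIS04"}   # the four BASIS accounts (constructed IDs)
SYSTEM_ACCOUNTS = {"SAPSYS01", "SAPSYS02", "SAPSYS03"}           # the three application-internal accounts


@dataclass
class Assignment:
    user: str
    obj: str                      # authorization object
    activity: str                 # "display" or "update" (simplification of the ACTVT field)
    restriction: Optional[str]    # additional restriction carried in the role, e.g. a table
                                  # authorization group; None or "*" means unrestricted
    approved_by: Optional[str]    # process owner / project manager on file; None = no approval
    expires: Optional[date]       # set for temporary assignments


def review_assignments(assignments: List[Assignment], today: date) -> Dict[str, List[str]]:
    """Flag update-capable assignments that fall outside the approved baseline."""
    findings: Dict[str, List[str]] = {"unapproved": [], "expired_temporary": [], "unrestricted_tabu_dis": []}
    for a in assignments:
        if a.obj not in SENSITIVE_OBJECTS or a.activity == "display":
            continue   # display-only verification access (item 8) is out of scope
        key = f"{a.user}:{a.obj}"
        if a.user not in (BASIS_ACCOUNTS | SYSTEM_ACCOUNTS) and a.approved_by is None:
            findings["unapproved"].append(key)
        if a.expires is not None and a.expires < today:
            findings["expired_temporary"].append(key)
        if a.obj == "S_TABU_DIS" and a.restriction in (None, "*"):
            findings["unrestricted_tabu_dis"].append(key)   # item 13: an extra restriction is always required
    return findings


def summarize(assignments: List[Assignment]) -> Dict[str, Dict[str, int]]:
    """Count update-capable assignments per object the way the status updates above report them."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"basis": 0, "system": 0, "other": 0})
    for a in assignments:
        if a.obj not in SENSITIVE_OBJECTS or a.activity == "display":
            continue
        bucket = "basis" if a.user in BASIS_ACCOUNTS else "system" if a.user in SYSTEM_ACCOUNTS else "other"
        counts[a.obj][bucket] += 1
    return dict(counts)


def sample_extract() -> List[Assignment]:
    """Constructed weekly extract as of 1 June 2007."""
    rows = [Assignment(u, "S_CTS_ADMI", "update", None, None, None)
            for u in sorted(BASIS_ACCOUNTS | SYSTEM_ACCOUNTS)]
    rows += [
        Assignment("PROJ_TMP1", "S_CTS_ADMI", "update", None, "PM-Upgrade", date(2007, 5, 15)),
        Assignment("FIN_AP01", "S_TABU_DIS", "update", "FC31", "Finance", None),   # "FC31": constructed group
        Assignment("FIN_AP02", "S_TABU_DIS", "update", "*", "Finance", None),
        Assignment("DEV_X", "S_DEVELOP", "update", None, None, None),
        Assignment("SC_ANALYST1", "S_USER_AGR", "display", None, None, None),
    ]
    return rows


def sample_review() -> Dict[str, List[str]]:
    """Findings for the constructed extract as of the May/June 2007 review date."""
    return review_assignments(sample_extract(), date(2007, 6, 1))


if __name__ == "__main__":
    print(summarize(sample_extract()))
    print(sample_review())
```

The summary reproduces the "4 BASIS, 3 system and N others" form used in the status updates, while the findings list is what would go into the security issues log: an assignment with no approval on file, a temporary assignment whose end date has passed but is still present, and an S_TABU_DIS grant without the additional restriction that item 13 says is always applied.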