Joint audit of SAP internal controls

2015-2016
Agriculture and Agri-Food Canada - Office of Audit and Evaluation, December 4, 2015
Canadian Food Inspection Agency - Audit and Evaluation Branch, January 13, 2016
Natural Resources Canada - Audit Branch, December 17, 2015

Executive summary

SAP is the Enterprise Resource Planning system standard for the Government of Canada used for the Integrated Financial and Materiel System (IFMS). As the administrator of the IFMS, Agriculture and Agri-Food Canada (AAFC) is responsible for providing SAP application management services, as well as managing the SAP database infrastructure for various cluster partners.

The Chief Audit Executives of AAFC and two of its cluster partners, the Canadian Food Inspection Agency (CFIA) and Natural Resources Canada (NRCan), agreed to have a joint audit conducted to provide assurance to their respective organizations regarding the effectiveness of the SAP Enterprise Resource Planning application in providing accurate, reliable, accessible and timely financial information.

Objective

Summary of observations

Conclusion

The audit determined that governance structures were in place to support sound and equitable investment planning and the allocation of resources in the maintenance and continued evolution of the SAP Enterprise Resource Planning; however, key governance groups did not meet at the frequency defined in the Partnership Service Level Agreement and attendance was not consistently at the appropriate level. Overall, the audit determined that the AAFC Centre of Excellence consistently executed key IT controls under its responsibility effectively and in a timely manner. Opportunities for improvement were identified to address weaknesses in some IT controls owned by Client Partners or jointly owned by the Partnership, as well as in the areas of business continuity and disaster recovery. Finally, the audit determined that governance structures for service providers could be strengthened.

1.0 Introduction

1.1 Background

1.2 Audit objective

1.3 Audit scope

1.4 Audit approach

1.5 Conclusion

1.6 Statement of conformance

2.0 Detailed observations, recommendations and management responses

2.1 Partnership governance

Figure 1 - Partnership governance structure

Description of Figure 1

The above chart outlines the following:

SAP partnership steering committee (SPSC) is Strategic
SAP partnership management committee is Tactical
Centre of excellence, Change control committee, Client advisor, and Partner forums are Operational.

Finding

2.2 Information technology controls

Information technology general controls

Information technology change management

Finding

User access management

Strengths:

Findings

Information technology operations

Application controls

2.3 Business continuity planning and disaster recovery planning

Findings

2.4 Service provider governance

Disaster recovery planning

Finding

Information technology infrastructure change management

Finding

Annex A: acronyms

AAFC
Agriculture and Agri-Food Canada
CCC
AAFC Change Control Committee
CFIA
Canadian Food Inspection Agency
COBIT
Control Objectives for Information and Related Technology
IFMS
Integrated Financial and Materiel System
IT
Information technology
SPMC
SAP Partnership Management Committee
SPSC
SAP Partnership Steering Committee
NRCan
Natural Resources Canada
SSC
Shared Services Canada
TB
Treasury Board

Annex B: audit criteria

Line of enquiry 1.

The Partnership governance structure enables the Partnership to jointly discuss, establish and communicate strategic priorities and objectives to guide investment and resource planning and prioritization in alignment with business requirements and government-wide direction.

Line of enquiry 2.

Information Technology (IT) controls are in place at the AAFC Centre of Excellence and Client Partners to support the production of accurate, reliable, accessible and timely financial information.

Line of enquiry 3.

Governance structures are in place to manage risks related to services provided by third parties.
