Language selection


Joint audit of SAP internal controls

Agriculture and Agri-Food Canada - Office of Audit and Evaluation, December 4, 2015
Canadian Food Inspection Agency - Audit and Evaluation Branch, January 13, 2016
Natural Resources Canada - Audit Branch, December 17, 2015

Executive summary

SAP is the Enterprise Resource Planning system standard for the Government of Canada used for the Integrated Financial and Materiel System (IFMS). As the administrator of the IFMS, (Agriculture and Agri-Food Canada) AAFC is responsible for providing SAP application management services, as well as managing the SAP database infrastructure for various cluster partners.

The Chief Audit Executives of AAFC and two of its cluster partners, the Canadian Food Inspection Agency (CFIA) and Natural Resources Canada (NRCan), agreed to have a joint audit conducted to provide assurance to their respective organizations regarding the effectiveness of the SAP Enterprise Resource Planning application in providing accurate, reliable, accessible and timely financial information.


Summary of observations


The audit determined that governance structures were in place to support sound and equitable investment planning and the allocation of resources in the maintenance and continued evolution of the SAP Enterprise Resource Planning; however key governance groups did not meet at the frequency defined in the Partnership Service Level Agreement and attendance was not consistently at the appropriate level. Overall, the audit determined that the AAFC Centre of Excellence consistently executed key IT controls under its responsibility effectively and in a timely manner. Opportunities for improvement were identified to address weaknesses in some IT controls owned by Client Partners or jointly owned by the Partnership, as well as in the areas of business continuity and disaster recovery. Finally, the audit determined that governance structures for service providers could be strengthened.

1.0 Introduction

1.1 Background

1.2 Audit objective

1.3 Audit scope

1.4 Audit approach

1.5 Conclusion

1.6 Statement of conformance

2.0 Detailed observations, recommendations and management responses

2.1 Partnership governance

Figure 1 - Partnership governance structure

Description of this image follows.
Description of Figure 1

The above chart outlines the following:

SAP partnership steering committee (SPSC) is Strategic
SAP partnership management committee is Tactical
Centre of excellence, Change control committee, Client advisor, and Partner forums are Operational.


2.2 Information technology controls

Information technology general controls

Information technology change management


User access management



Information technology operations

Application controls

2.3 Business continuity planning and disaster recovery planning


2.4 Service provider governance

Disaster recovery planning


Information technology infrastructure change management


Annex A: acronyms

Agriculture and Agri-Food Canada
AAFC Change Control Committee
Canadian Food Inspection Agency
Control Objectives for Information and Related Technology
Integrated Financial and Material Systems
Information technology
SAP Partnership Management Committee
SAP Partnership Steering Committee
Natural Resources Canada
Shared Services Canada
Treasury Board

Annex B: audit criteria

Line of enquiry 1.

The Partnership governance structure enables the Partnership to jointly discuss, establish and communicate strategic priorities and objectives to guide investment and resource planning and prioritization in alignment with business requirements and government-wide direction.

Line of enquiry 2.

Information Technology (IT) controls are in place at the AAFC Centre of Excellence and Client Partners to support the production of accurate, reliable, accessible and timely financial information.

Line of enquiry 3.

Governance structures are in place to manage risks related to services provided by third parties.

Report a problem on this page
Please select all that apply:

Date modified: