4.1.2 Audit Module not enabled in the new version of the SAP system (EHP7)
The Audit Information System is used to record user activities on the SAP application system in audit logs (trails). Audit found out that in March 2014, when the SAP system was upgraded from ECC6.0 to EHP7, the Audit Module was not enabled within the SAP system. The risk is that if the audit information system is not activated to enable recording of activities and their nature, possible violation or violation attempts may not be detected in a timely manner and there would be no trail of what took place. The Accountant General advised the Committee that the audit log for workstation identification was not activated due to low storage space on existing hardware and they had limited resources to fund the purchase of the additional servers required for capacity expansion.
In order to address the finding, the Ministry with the assistance from African Development Bank (AfDB), had ordered two super servers. The procurement process was reportedly underway. It was also the view of the Ministry that with the current scenario, it was still possible for Audit to generate and print reports that have complete audit trail. In addition, Ministries also prepared reconciliations which auditors can still refer to. However, the Auditor General pointed out that such individual modules prepared would not meet audit requirements and in many cases Ministries are not up to date with reconciliations, hence cannot be relied upon.
4.1.2.1 On the basis of the submissions received, the Committee recommends that Treasury should purchase the additional servers to allow the activation of the Audit Module within the System by 30th September, 2016.
4.1.3 Absence of supporting documentation to track changes in the SAP System to ascertain appropriateness and approval by Management
A change management process includes programme modifications, emergency changes, tracking and reporting, testing and approval of new and revised software. The SAP application system has the capacity to generate system changes reports and there was an upgrade of the system from version ECC6.0 to EHP7 in March 2014. There were no supporting documentation for changes made to ascertain appropriateness and approval by Management. This may promote invalid or inappropriate changes into the production environment, resulting in inappropriate modifications to system programmes, applications and data.
The Accountant General acknowledged the finding and admitted that there was no supporting document for changes made and the process was therefore not adhered to. He assured the Committee that future changes will be subject to formal approval procedures. As a matter of process, he highlighted that for any system upgrades, the Director PFMS will initiate and justify the proposed changes and the Deputy Accountant General (Accounting Services) will recommend changes for the Accountant General’s approval. When successfully implemented, the Director PFMS will recommend acceptance to the Deputy Accountant General and the Accountant General will sign off. In addition, the Accountant General directed Internal Audit to independently review the process. Thereafter, the SAP Transport System will effect changes to the system.
Continued next page
(994 VIEWS)