Eric Anderson, City Manager. Scottie Nix, Internal Auditor

Transcription

1 City of Tacoma Internal Audit Office Memorandum TO: FROM: SUBJECT: Eric Anderson, City Manager Scottie Nix, Internal Auditor Improving SAP Roles Assignment and Monitoring at the City of Tacoma Follow Up Report DATE: The following is our report from our recent review of the City of Tacoma s current SAP role assignment process and the City s efforts to implement prior recommendations to improve and clarify SAP roles. If you have questions or comments, please call me at Finance department and Information Technology department managers and staff have agreed, and have begun, to implement all of our recommendations so we have not included a separate response from them in regards to the corrective action plan. They have begun and in some cases finished corrective action on most of our recommendations. We appreciate the time and effort they have spent on this and want to thank them. Background In late 2006, the Finance department brought to the attention of this office concerns about the process used by the City of Tacoma for role assignments within SAP. In particular, Finance managers were concerned about the number of staff assigned conflicting roles within their programs, and the possibility that controls governing the proper segregation of duties were not sufficient. After first considering the purchase of additional software to clarify and improve role definitions, both the Finance and the Information Technology departments concluded that the City could create a process in-house that could be used to serve the needs of the City of Tacoma until the SAP upgrade. The upgrade includes software that tracks role exceptions and reports them to Internal Audit and other users and managers. However, any processes created and implemented by the Finance department and Information Technology department should be part of an integrated, citywide approach to role assignment and compliance monitoring within SAP and the tasks performed by users in the City. Therefore, the purpose of this audit and report is to provide our observations and recommendations to help provide assurance that role assignments in SAP, and any exceptions granted, are consistent with a strong system of internal controls operating in the City programs. Audit Scope and Objectives The audit covers the period from SAP implementation in 2003 to the present. The purpose of this audit was to review the role assignment process and recommend improvements. The audit scope was limited to conflicting purchasing roles. 747 Market Street, Room 1520 Tacoma, Washington (253) FAX (253)

2 Page 2 The audit objectives were to: Review the role assignment process; Determine if the process used to authorize exceptions to roles has created conflicting roles and compromised controls for segregation of duties; Determine if exceptions to roles are properly approved, properly authorized, properly tracked, monitored and timely; and Review recommendations implemented since we first began this project. Audit Method and Analysis To conduct this audit, we interviewed City officials about the processes used to assign roles and to grant exceptions to the separation of duties standard. We created a summary of the current process used to assign and grant roles. We reviewed SAP documentation and information to obtain a better understanding of the SAP system and the part played by role assignments. We also reviewed literature related to internal control principles with a focus on segregation of duties. Defining and Explaining Roles in SAP R/3 According to SAP documents, within the SAP R/3 software the authorization concept provides for the protection of programs and data from unauthorized use. Access to the system is restricted through roles or authorization profiles. Roles are used to administer access of users. In other words, a role is a collection of privileges that allow a system user to access areas of the system and make certain allowed changes. In many cases a role or authorization generally equates to: A job - e.g., accounts payable clerk, payroll manager, senior tax accountant, treasury analyst or distribution manager; A role - e.g., journal entry creator, journal entry approver, payroll maintainer, invoice entry, recurring payment processor, personal data reporter; or A job task - e.g., create purchase order, release invoice, and perform payment run. One of the key components in SAP is the ability to prohibit users from being able to perform functions that could open the door to fraud or mistakes in transactions. Two of the most critical areas where these controls are based are in Purchasing and Payroll/Timekeeping. These areas rely on the concept of segregation of duties using the model called SAP Incompatible Roles. One of the customizations that occurred when the City implemented SAP involved some modifications to the standard SAP roles; we did not identify all these modifications 1. Defining Segregation of Duties Segregation of duties is a basic, key internal control and one of the most difficult to achieve. It 1 Finance staff believes that this is actually what caused the role conflict problem to begin with. Role assignments need to be specific for each position rather than a job class in their view. An office assistant in one area may need to input goods receipts, while one in another office may only need to do timecards, so wouldn't need both roles, even if such tasks are considered standard clerical assignments. Also, roles are assigned to a position number, not to a person or job classification. An idea may be to come up with a role assignment template, that doesn't include any conflicting or case-by-case assignment roles, for groups of similar job that includes menu options for conflicting roles, explanation of exception process, etc.

3 Page 3 is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: 1. A deliberate fraud is more difficult to achieve because it requires collusion of two or more persons. 2. It is much more likely that innocent errors will be found. At the most basic level, segregation of duties means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a crosscheck of duties. If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have generally been assigned or allowed access to incompatible duties or responsibilities. Some examples of incompatible duties are: Authorizing a transaction, then receiving and maintaining custody of the asset that resulted from the transaction. Receiving checks (payment on accounts receivable) and approving write-offs. Depositing cash and reconciling bank statements. Approving time cards and having custody of paychecks. Having unlimited access to alter or adjust assets and accounting records, and computer terminals and programs. For instance, having access to, and using checks, as the source documents to post to accounting records rather than using a check log or receipts. There are four general categories of duties or responsibilities that are examined when segregation of duties is discussed: Authorization; Custody; Recordkeeping; and Reconciliation. In an ideal system, different employees would perform each of these four major functions. In other words, no one person should have control of two or more of these responsibilities. The more negotiable the asset, the greater the need for proper segregation of duties - especially when dealing with cash, negotiable checks and inventories. In those instances where duties cannot be fully segregated, mitigating or compensating controls must be established. Mitigating or compensating controls are additional procedures designed to reduce the risk of errors or irregularities. For instance, if the record keeper also performs a reconciliation process, a detailed review of the reconciliation could be performed and documented by a supervisor to provide additional control over the assignment of incompatible functions. Segregation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls in that arena include passwords, inquiry only access, logs, dual authorization requirements, and documented reviews of input/output. In the specific case of the City SAP system, the roles that are incompatible (which are the causes of the most problems) stem from role assignments related to Payroll/Timekeeping and Purchasing. Many of these situations occur in City offices where there is a single administrative person who may support several managers and staff. In these cases, conflicting roles related to the tasks listed below have often been assigned to a single individual.

4 Page 4 The table below lists the role assignments that have been determined by the Finance department as having potential conflicts if assigned in certain combinations: 2 Payroll/Timekeeping Assignments Purchasing Assignments 3 Add an employee to the system PR: Create a purchase requisition Change pay information PR: Approve a purchase requisition Approve changes to payroll information PO: Create a purchase order 4 Issue the paycheck Receiving: Document that items ordered were received 5 Understanding the Current Process of Assigning Roles/Privileges and Granting of Exceptions at the City of Tacoma in SAP As part of our audit we documented the process used to assign and grant roles at the City of Tacoma. The table below describes the current process step-by step. ROLES NARRATIVE Action By Action 1 Supervisor/requestor Hires employee and needs to have roles in the SAP system, completes online role request and submits electronically. 6 2 IT SAP Office Assistant/ Management Analyst Receives electronic role request, Completes electronic cover sheet, with screenshots PO13, SUD1 and training Information, Posts to IT shared drive, and Sends an to team leads. (i.e., requests for purchasing roles forwarded to the functional team that supports Finance divisions.) 3 IT Functional Team Leads Approves allowed 7 purchasing roles. 2 There are two purchasing role conflicts: PR Create with PR Approve and PO Create with Receiving. 3 No conflict exists between PR Create and PO Create, PR Create and Receiving or PR Approve and Receiving. 4 POs under $5K are not "released" (approved) as they are below Tacoma's threshold requiring competition. POs over $5K are created and released (approved) by Purchasing staff. All purchase requisitions and goods receipts are entered by department end users. When Purchasing staff create the purchase order, separation of duties is accomplished. 5 Payment roles are restricted to designated AP staff. LESA, ETC and Library staff enter and release their own invoices, but the checks are cut by AP. Power Management has a few staff that enter invoices for power purchases but the checks are cut by AP. 6 Many supervisors are at a loss as to the best roles to assign and the way to do this. They often seek help from others, including IT and Purchasing staff (with respect to purchasing roles). Currently, many supervisors use the previous role assignments for the position and this is, for the most part, a good practice if they have recently reviewed the roles and job duties for the position.

5 Page 5 Action By Action List on cover page. List approved role and derivative. List tasks, Customer Interaction Center (CIC). If request includes conflicting roles, get approval from Finance-Purchasing. Complete electronic signature. Forward to Training to schedule required training for the roles that are being granted. 4 Finance Purchasing Division Management Analyst Reviews purchasing role requests with identified conflicts as well as requests for PO Create, which is assigned on a case-by-case basis. For conflicting roles, Purchasing contacts the supervisor and advises that functions be separated between staff to maintain internal controls. If that is not possible, departments are advised to submit an exception request to Purchasing detailing their unique circumstances and the compensating measures that will be taken to ensure that internal controls are maintained, as well as an explanation of how they will monitor such control efforts. The exception is reviewed by Purchasing staff, and if adequate information is provided, forwarded to the Finance director, who approves or denies. The outcome is sent to IT as well as the supervisor. Approvals are forwarded to Internal Audit. 5 IT Training Staff Creates training plan and communicates to user and his/her supervisor options for attending required training. 6 User Attends any required SAP training for the roles requested. 7 IT Training Staff Once training is complete, lets Basis staff know 8 Basis Staff Assigns roles per form, communicates to requestor/supervisor when the roles are in place and can be used within the SAP system. Determining the Criteria for Granting Exceptions Based on discussions with previous Finance directors, we were told that it is impractical for every departmental program in the City of Tacoma to have enough staff to assign different roles to at least two, or preferably three or four, people to maintain the needed compliance with SAP 7 Functional team leads "approve" assignment of purchasing roles that don't have conflicts or restricted access, and deny roles that are restricted to Purchasing staff. If conflicts are identified, the requests are forwarded to Purchasing for resolution.

6 Page 6 role assignments and the proper segregation of duties. As of October 2008, there are 285 purchasing role conflicts, with the majority of these conflicts in place since SAP implementation in 2003: 207 staff have a PO Create-Receiving conflict, including 14 approved exceptions since February staff have a PR Create-PR Approve conflict, including one exception approved since February staff have both conflicts, with no approved exceptions. Role conflicts in place in late 2006 included users who had access to create purchase orders and confirm delivery of goods and services by entering receipts against those purchase orders. There was no central listing of the exceptions granted or the compensating controls prior to February 2007 when Finance became involved in SAP role assignments. Results and Conclusions Based on the work performed we found that there were several opportunities for the City to improve the role exceptions granted and monitoring process. In 2007 we discussed the process with Finance, and it is as described in the Roles Narrative table. The table below illustrates the improvements made by the Finance department since that time. Description of Needed Control and Progress toward Improvement Maintaining a log/listing/database of all the exceptions they grant. Status 2007 Status Fall 2008 Yes - as of February 2007 Yes Documenting the compensating control. Asking for and/or documenting how the compensating control will be monitored by management or the supervisor. Providing oversight and review to determine that the compensating control is in place and working in a manner consistent with its approval. Communicating the results of their oversight reviews to IT and Internal Audit. Clean up of the older listed role conflicts. Yes - request saved and data input into "Exception Request" table. Yes, since July 2007 No No No Yes using a consistent system to document the control and exceptions granted Yes and documenting some supervisor compliance Yes in process Not yet, in process Not yet, in process Based on our 2007 review, we made the following recommendations related to the Finance

7 Page 7 Purchasing division roles exception process: 1. A log/listing/database be created and maintained 8 in the Finance department that documents each exception granted with the following detailed information about the exception and the compensating control: Documenting the compensating control. Documenting how the compensating control will be monitored by management or the supervisor. Documenting the plan to provide oversight. Reviewing the process at each site to determine that the compensating control is in place and working in a manner consistent with its approval. Communicating the results of their oversight reviews to IT and Internal Audit. This information should be maintained by Finance and made accessible for future audits. As of today, most of these recommendations are in place and working. In addition the Finance Purchasing Division is in the process of implementing and following up on all the recommended actions. Finance was not involved with SAP role assignments until February 2007 when they negotiated with IT to refer all conflicting purchasing role requests to Purchasing for review and approval before IT grants such role assignments. Prior to this time, IT granted roles as requested by supervisors. Most of the conflicts stem from the original role assignments granted at SAP implementation by the project team. We recommended: The role conflict list needs to be updated and reviewed by a committee of Finance and IT managers and staff 9. Users with role conflicts without an approved exception and their supervisors should be contacted to resolve the conflict, whether by removing conflicting roles or advancing through the exception process. Other Issues and Recommendations: 2. The IT department does not currently have a process to run periodic reports about conflicting roles and their usage. Reports that detail the number and departments with conflicting role assignments and a report showing their usage would help the City to better monitor conflicting role assignments and their usage. Included within the SAP system is a process that alerts system users if they are allowing incompatible roles. Recommendation: IT develops a process that will list activity so they can alert supervisors. Run this process on a regular basis and notify the supervisors, as well as Finance and Internal Audit. 8 An exception list has been created and is being maintained at this time. 9 The City had an ad hoc group that attended presentations by various vendors related to roles in This group has not met since that time and many members have changed jobs or are no longer with the City, the committee members were Scottie Nix, Karen Jones, Mark Meyer, Kathy Palon, Paul Federighi, Dan Hilleren, Lorraine Stargel, Eric Pugmire, and Kathy Everett.

8 Page 8 3. There is a long list of SAP roles available to end users, though several are restricted by job scope. For example, only Purchasing staff can create and release purchase orders over $5,000. Many supervisors indicate they are at a loss about the best roles to assign staff, and in all likelihood, for all but newly created positions, supervisors typically assign roles based on those held by the previous person in the position. This is, for the most part, a good practice if they have recently reviewed the roles and job duties for the position. Recommendation: IT should work with Finance to develop reminders that there is already a list of role definitions on the IT website, including restrictions and conflicting assignments. Purchasing also has a role FAQ and definitions document on its website to help supervisors to understand the trade off between incompatible duties and compensating controls. Recommendation: We recommend the available information be publicized-marketed and an online assistant be created to help supervisors when they are requesting roles for their staff. Cc Rey Arellano Robert Biles Michelle Lewis-Hodges Mark Meyer Richelle Krienke