Financial System Implementation Project (FSIP) Limited Scope Progress Review


UCSB Internal Audit Report
October 8, 2015
Performed by: Antonio Manas-Melendez, Senior Auditor
Approved by: Robert Tarsia, Director
Report No


University of California, Santa Barbara
BERKELEY, DAVIS, IRVINE, LOS ANGELES, MERCED, RIVERSIDE, SAN DIEGO, SAN FRANCISCO, SANTA BARBARA, SANTA CRUZ

AUDIT AND ADVISORY SERVICES
SANTA BARBARA, CALIFORNIA
Tel: (805) Fax: (805)

October 8, 2015

To: Katie Mankins, Director, Enterprise IT Project Management Office
Jessie Masek, Financial System Project Manager
Enterprise Technology Services
Distribution

Re: Audit No

As part of the annual audit services plan, has completed an audit of the University of California, Santa Barbara (UCSB) Financial System Implementation Project (FSIP). This audit was a limited scope progress review, performed as part of a series of audits and advisory service projects designed to support FSIP efforts.

The purpose of this review included evaluating the status of production roles and profiles prior to Phase 1 go-live, and assessing the status of issues reported in our previous FSIP reviews. Our audit also included review of compliance with selected provisions of University of California Policy BFB IS-10, Systems Development Standards.

The issues identified by our review of roles and profiles were communicated to the FSIP team and resolved prior to go-live. Based on the results of the other work performed, there has been significant progress on the issues addressed in our previous reviews, including operational readiness and training, adequacy of resources, testing and gap resolution, reorganization and realignment of administrative computing department responsibilities, and project procedures and documentation. The results of our work also indicate that the project is generally in compliance with Policy IS-10 in the functional areas we selected for detailed review.

Detailed observations and management corrective actions are included in the following sections of the report. The management corrective actions provided indicate that each audit observation was given thoughtful consideration and that positive measures have been taken or planned to implement the management corrective actions.

We sincerely appreciate the cooperation and assistance provided by Enterprise Technology Services and Business and Financial Services personnel during the review. If you have any questions, please feel free to contact me.

Respectfully submitted,
Robert Tarsia
Director

Enclosure

Distribution:

Enterprise Technology Services
- Matthew Hall, Associate Vice Chancellor for Information Technology and Chief Information Officer
- Doug Drury, Director Business Relationship & Service Management
- Yaheya Quazi, Director Enterprise System Integration

Finance and Resource Management
- Assistant Chancellor Finance and Resource Management Todd Lee
- Jim Corkill, Controller and Director, Business & Financial Services
- Leslie Griffin, Associate Director, Business & Financial Services

cc:
- Chancellor Henry Yang
- Executive Vice Chancellor David Marshall
- Vice Chancellor Administrative Services Marc Fisher
- UCSB Audit Committee
- Senior Vice President and Chief Compliance and Audit Officer Sheryl Vacca

PURPOSE

The purpose of this review included evaluating the status of roles and profiles in the production environment [1] of the prior to Phase 1 go-live, and assessing the status of issues reported in our previous Financial System Implementation Project (FSIP) Project Progress Review report, dated April 1, Our audit also included a review of compliance with selected provisions of University of California (UC) Policy BFB IS-10, System Development Standards (Policy IS-10).

This audit is part of the University of California, Santa Barbara (UCSB) annual audit services plan and is one of a series of audits and advisory projects designed to support FSIP efforts.

SCOPE, OBJECTIVES, AND METHODOLOGY

The scope of work included a review of roles and profiles in the production environment prior to Phase 1 go-live, and follow-up work in several functional areas addressed in a previous FSIP review, including issues related to operational readiness and training, adequacy of resources, testing and gap resolution, reorganization and realignment of administrative computing department responsibilities, project procedures and documentation, and other areas, during the stabilization period following go-live. Our audit also included a review of compliance with selected provisions of Policy IS-10. The scope of the review was limited to FSIP activities and documentation available through September 3,

Our audit objectives included the following:

- Determine whether administrative privileges have been properly restricted and whether roles and profiles in the production environment of FSIP were in compliance with the separation of duties matrix approved by the Controller and Director, Business and Financial Business.
- Assess the implementation progress of management action plans to address previous audit findings related to enhancing operational readiness and training, adequacy of resources, testing and gap resolution, reorganization and realignment of administrative computing department responsibilities, and processes and procedures related to application support and maintenance.
- Determine whether FSIP is in compliance with selected provisions of Policy IS-10, including the reorganization and realignment of administrative computing department responsibilities and project documentation.

As part of this audit, we also updated the FSIP risk assessment we completed for our previous audit. The purpose of this risk assessment is to identify and prioritize key FSIP risk areas for additional analysis and audit efforts; we used the updated risk assessment results to select Policy IS-10 areas for coverage during this audit.

[1] The environment in which the application is actually put into operation for its intended uses by end users.

To accomplish our objectives, our work included interviews, direct observations, review of documentation, testing, and other steps, which included:

- Review and analysis of previous audit and advisory work we performed for FSIP, including the following projects:
  - Financial System Implementation Project: Campus Use of Shadow Systems - Audit report dated October 5,
  - Financial System Implementation Project: Project Progress Review - Audit report dated May 2,
  - : - Audit report dated April 1,
  - : Roles and Profiles - Preproduction Phase Advisory service memorandum dated January 15,
  - : Testing Assistance - Advisory service report dated July 17,
- Utilized Audit Command Language (ACL), a data mining and analysis tool, to review roles and profiles in the production environment as of June 17,
- Reviewed and analyzed FSIP documentation available as of September 3, 2015, including the FSIP segregation of duties matrix, project plan, training plan, communication plan, project status reports, manuals, procedures, UCSB's contract amendments with the vendor, and various other plans, reports, and documents available on the FSIP SharePoint site.
- Interviewed Enterprise IT Project Management Office (PMO) personnel and project stakeholders.
- Monitored the progress of the project through participation in weekly FSIP management and FSIP Executive Steering Committee meetings, and through ongoing consultations with the Financial System Project Manager and other project personnel.

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

BACKGROUND

UCSB implemented its previous legacy mainframe financial system over thirty years ago. Over the years, limitations in a number of areas resulted in a number of workaround solutions to meet campus needs, including a wide range of shadow systems and a data warehouse. In December 2011, the campus decided to implement Oracle/PeopleSoft Financials to replace the legacy system. Because the UC Office of the President chose the Oracle platform for UCPath, the new systemwide human resources and payroll system, the selection of Oracle/PeopleSoft Financials also created an opportunity to leverage synergies between existing products.

In September 2012, the campus contracted with Ciber, Inc. to implement Oracle/PeopleSoft Financials; the project is managed by the Enterprise IT Project Management Office of Enterprise Technology Services (ETS).

FSIP Phase 1 encompassed implementation of the general ledger, chart of accounts, commitment control (budget), accounts payable, asset management, and project costing modules, as well as relevant interfaces with other campus and UC Office of the President systems. The implementation of these modules has laid the groundwork for replacing the legacy campus mainframe system and proceeding with additional modules in subsequent FSIP phases.

After previous changes in the project schedule, UCSB began replacing some of the financial system applications currently on the mainframe with the core modules of the new PeopleSoft financial system on July 1,

Table 1. PeopleSoft Modules, FSIP Phase 1

Module | Description
AM | Asset Management
AP | Accounts Payable
GL | General Ledger
KK | Commitment Control (Budgeting)
PC | Project Costing

Source: Auditor analysis.

The following are important milestones for FSIP go-live:

- 2015 fiscal year-end processes were completed on the legacy system.
- June 29, The last payments from the legacy accounts payable system, APEX, were produced.
- June 30, The BARC/Cashier's Office was closed to prepare for the system changeover.
- June 29 through July 5, Campus accounts payable web applications Travel, Disbursements, Form-5, and FlexCard were unavailable.
- July 1, 2015, through July 20, Asset Management records could not be updated.
- Beginning July 6, 2015, invoice data from PeopleSoft appeared in the campus Data Warehouse. Purchasing-related data tables and EZAccess reports reflected new fields and formats.
- August 8, 2015, through August 10, Campus ledger web applications (TOE, TOF, TOSF) were unavailable.
- August 14, 2015, through August 18, General ledger tables and reports in the campus Data Warehouse were unavailable while tables were updated for PeopleSoft.
- Beginning August 19, 2015, July ledger data (from PeopleSoft Financials) was available in the Data Warehouse.
- July 1, 2015, through December 31, Stabilization period, during which the resolution of open issues, load and validation of fiscal year-end close data into PeopleSoft, operational readiness, project documentation, realignment of responsibilities, and other activities will be completed.

[2] Source: ETS Website.

Table 2. Definitions

Name | Description
BARC | Billing Accounts Receivable Collections
EZAccess | Pre-defined reports from the campus Data Warehouse
FlexCard | UCSB's procurement credit card
Form-5 | A payment request form for non-payroll expenses
TOE | Transfer of Expense
TOF | Transfer of Funds
TOSF | Transfer of Soft Funds

Source: Auditor analysis.

Roles and Profiles

There are several critical aspects of computer system security, including physical security, access control, monitoring, and properly implementing roles and profiles. Roles and profiles refers to the process of creating roles for various job functions, along with assigning to specific roles the permissions to perform certain operations. Each user is assigned a profile that consists of selected roles, while each role is made up of selected permission lists. Users who belong to a particular role need a specific set of permissions or authorizations in order to complete their daily tasks within the PeopleSoft system. This aspect of security deals primarily with system access and segregation of duties.

These definitions provide a good overview of the PeopleSoft security model: [3]

- User - A uniquely named user of the PeopleSoft system who will be able to sign onto the system to perform tasks.
- Role - Can be thought of as a named set of work that a user can do.
- Permission List - The specific authorizations needed to carry out a business task or set of tasks.
- User Profile - Defines all of a particular user's authorizations as the union of all the linked roles and permission lists.

[3] Adapted from content included in FSIP documentation.

SUMMARY OBSERVATIONS

The issues identified by our review of roles and profiles were communicated to the FSIP team and resolved prior to go-live. Based on the results of the other work performed, there has been significant progress on the issues addressed in our previous reviews, including operational readiness and training, adequacy of resources, testing and gap resolution, reorganization and realignment of administrative computing department responsibilities, and project procedures and documentation. The results of our work also indicate that the project is generally in compliance with Policy IS-10 in the functional areas we selected for detailed review.

The following issues should be fully addressed during the stabilization period:

- Completing the technical knowledge transfer.
- Ensuring that the project has adequate resources during and after the stabilization period.
- Formalizing plans to document responsibilities after the stabilization period.
- Completion of required documentation.
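The user, role and permission list model defined under Roles and Profiles, together with the audit objective of checking production roles against the approved segregation of duties matrix, as an added example in Python. It is not part of the audit report or of FSIP's tooling (the auditors used ACL), and every user ID, role name and permission list name in it is constructed for illustration.

```python
"""Reconcile production role grants against an approved SoD matrix."""

# Role -> permission lists. All names are hypothetical, not FSIP's.
ROLE_PERMISSION_LISTS = {
    "AP_VOUCHER_ENTRY": {"PL_AP_VOUCHER_ADD"},
    "AP_VOUCHER_APPROVE": {"PL_AP_VOUCHER_APPROVE"},
    "GL_JOURNAL_ENTRY": {"PL_GL_JOURNAL_ADD", "PL_GL_INQUIRY"},
    "GL_INQUIRY": {"PL_GL_INQUIRY"},
    "AM_ASSET_UPDATE": {"PL_AM_ASSET_UPDATE"},
}

# Approved segregation of duties matrix: user -> signed-off roles (constructed).
APPROVED_MATRIX = {
    "jdoe": {"AP_VOUCHER_ENTRY", "GL_INQUIRY"},
    "asmith": {"AP_VOUCHER_APPROVE", "GL_INQUIRY"},
    "mlee": {"GL_JOURNAL_ENTRY"},
}

# Role grants as exported from the production environment (constructed).
PRODUCTION_GRANTS = {
    "jdoe": {"AP_VOUCHER_ENTRY", "AP_VOUCHER_APPROVE"},
    "asmith": {"AP_VOUCHER_APPROVE", "GL_INQUIRY", "AM_ASSET_UPDATE"},
    "mlee": {"GL_JOURNAL_ENTRY"},
    "tmp_conv": {"GL_JOURNAL_ENTRY"},  # account absent from the matrix
}


def effective_profile(user, grants, role_permission_lists):
    """User profile = union of the permission lists of every linked role."""
    permissions = set()
    for role in grants.get(user, set()):
        permissions |= role_permission_lists.get(role, set())
    return permissions


def reconcile(matrix, grants):
    """Return sorted (user, role) pairs where production differs from the matrix."""
    documented = set().union(*matrix.values())  # every role the matrix mentions
    findings = {"not_granted": [], "not_approved": [], "undocumented": []}
    for user in sorted(set(matrix) | set(grants)):
        approved = matrix.get(user, set())
        granted = grants.get(user, set())
        for role in sorted(approved - granted):
            findings["not_granted"].append((user, role))
        for role in sorted(granted - approved):
            # A role unknown to the matrix is a documentation gap, not only
            # an excess grant, so it is reported separately.
            key = "not_approved" if role in documented else "undocumented"
            findings[key].append((user, role))
    return findings


def summarize(findings):
    """Per category: (number of role grants, number of distinct users)."""
    return {
        category: (len(pairs), len({user for user, _ in pairs}))
        for category, pairs in findings.items()
    }


if __name__ == "__main__":
    result = reconcile(APPROVED_MATRIX, PRODUCTION_GRANTS)
    for category, (roles, users) in summarize(result).items():
        print(f"{category}: {roles} role grant(s) across {users} user(s)")
        for user, role in result[category]:
            perms = sorted(ROLE_PERMISSION_LISTS.get(role, set()))
            print(f"  {user}: {role} -> {perms}")
```

Resolving each flagged role to its permission lists shows what access a difference actually represents, which is what the approver of the matrix needs in order to decide whether to correct the grant or update the matrix.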

DETAILED OBSERVATIONS

A. Production Roles and Profiles

1. Administrative Privileges

We found that user accounts with administrative privileges were completely identified and appropriately restricted:

- Access to administrative accounts was restricted to users with administrative responsibilities.
- Administrative accounts represented only 5% of total FSIP user accounts.

Our review of administrative user accounts highlighted a minor issue related to the frequency of administrative users changing their passwords. Two administrative user accounts had not changed their passwords since September

2. Segregation of Duties

Our review of FSIP functional roles highlighted that:

- A segregation of duties matrix for functional roles has been defined and functional roles and administrative roles had been adequately segregated between ETS and Business and Financial Services personnel.
- There were some differences between the segregation of duties matrix and roles granted in the production environment:
  - 75 roles for nine users were not granted.
  - 75 roles for 22 users should not have been granted.
  - 98 roles were not documented in the segregation of duties matrix.

All identified issues were resolved prior to go-live, and an updated segregation of duties matrix was approved by the Controller and Director, Business and Financial Services.

We did not assess the appropriateness of roles and profiles from a functional or operational perspective. This work will be included in the scope of a post-implementation internal control review of Business and Financial Services, planned to start after the end of the stabilization period.

B. Status of Issues Addressed in Previous FSIP Reviews

Our April 1, 2014, FSIP Project Progress Review report included two comprehensive recommendations with five action plans related to organizational readiness and training, adequacy of resources, testing and gap resolution, reorganization and realignment of administrative computing department responsibilities, and procedures and documentation related to application support and maintenance. The Enterprise IT PMO committed to action plans, or management corrective actions, within reasonable timeframes in all cases.

Based on the result of the work performed, we found that management action plans are in place and progress has been made. However, three of the five action plans have not been fully addressed. Table 3 summarizes the results of our evaluation.

Table 3. Status of Management Corrective Actions

Finding Title | Status
Enhancing Operational Readiness & Training | Implemented
Adequacy of Resources | In Progress
Testing and Gap Resolution | Implemented
Reorganization and Realignment of Certain IT Roles and Responsibilities | In Progress
Processes and Procedures Related to Application Support and Maintenance | In Progress

Source: Auditor Analysis

1. Enhancing Organizational Readiness and Training

An extensive training plan, in addition to a testing plan that included substantial additional training, has been executed for Business and Financial Services and the two other departments directly affected by Phase 1. A plan for technical knowledge transfer from Ciber [4] to UCSB technical staff also has been initiated. However, additional measures should be taken by the Enterprise System Integration unit of ETS to provide assurance that technical personnel have the knowledge to provide technical support. These measures include:

- Completing the transfer of technical knowledge from Ciber.
- Providing acknowledgement that the training has been completed as planned.

It is expected that these measures will be implemented before the end of the stabilization period.

2. Adequacy of Resources

Our interviews with the Financial System Project Manager highlighted risks related to the level of resources allocated to FSIP. The project has a defined plan for supporting the new financial system through the end of the stabilization period. However, the authorized PeopleSoft technical lead has not yet been hired. [5] It is expected that sufficient PeopleSoft Technical resources will be in place in Enterprise System Integration before the end of the stabilization period.

[4] UCSB's Implementation partner.
[5] A PeopleSoft developer has already been hired and is now on staff.

3. Testing and Gap Resolution

Consistent with the conclusions communicated in our FSIP advisory report dated July 17, 2015, we observed that some areas required additional development and other work, including some reports, application functionalities, and one interface. However, an extensive testing plan was prepared, then implemented during systems integration testing (SIT) and user acceptance testing (UAT). The Financial System Project Manager, ETS Quality Assurance, and UCSB's implementation partner coordinated these plans and additional measures to provide assurance that critical issues were identified and addressed.

The results of our follow-up work for the management action plans in the areas of reorganization and realignment of IT roles and responsibilities, and application support and maintenance, are included in the following section.

C. Compliance with UC Policy IS-10, System Development Standards

Based on our audit risk analysis, we selected two areas for review of Policy IS-10 compliance; as noted, management action plans addressed in our previous review are already in place for these areas. The objectives for both areas are to ensure that there are adequate processes and documentation in place after the end of the Phase 1 stabilization period. We found that FSIP is generally in compliance with Policy IS-10 in these areas, but that additional work is required.

1. Administrative Computing Department Responsibilities

According to the Financial System Project Manager, several ETS units have shared responsibility for supporting FSIP during Phase 1 implementation and the stabilization period. Reorganization and realignment of certain IT roles and responsibilities have been implemented as part of the creation and organization of the Enterprise Technology Services organization. FSIP technical open issues resolution and application maintenance will be performed by Enterprise System Integration, and Business Relationship & Service Management will manage the future vendor management, application change management and the hosting contract with Ciber. [6]

However, plans have not been completely formalized for the transfer of the daily open issue resolution, issue tracking and reporting, and PeopleSoft technical personnel management responsibilities from the PMO to Enterprise System Integration after go-live, due to lack of Enterprise System Integration resources. It is our understanding that Business and Financial Services, Enterprise System Integration, and Business Relationship & Service Management transition readiness plans were to be initially discussed by the end of September or beginning of October.

2. Project Procedures and Documentation

Policy IS-10 requires specific documentation, including an operations manual, system manual, and user documentation. Although procedures for a FSIP help desk and the process for escalating issues have been documented, we found that it is uncertain that all Business and Financial Services, Business Relationship & Service Management, and Enterprise System Integration procedures and required documentation have been fully documented and properly distributed.

[6] Business and Financial Services personnel will perform part of FSIP operations.

Given the current stage of the project, we cannot yet determine whether FSIP documentation will fully comply with Policy IS-10 after the stabilization period.

The following issues should be fully addressed by Enterprise Technology Services during the stabilization period:

- Complete the technical knowledge transfer from the vendor and provide acknowledgement that training has been completed as planned.
- Conclude hiring processes to ensure that the project has adequate resources during and after the stabilization period.
- Evaluate whether additional documentation is required to complete the minimal documentation required by Policy IS-10, and ensure that any gaps are addressed. This issue will need to be coordinated with Business and Financial Services.
- Enterprise Technology Services should validate with Business and Financial Services that Business Relationship & Service Management and Enterprise System Integration responsibilities have been documented after the stabilization period.

Management Corrective Actions

As the auditors note, we have made progress in addressing the remaining issues highlighted in previous reviews. The status of these activities is generally consistent with the revised timeline for Phase 1 stabilization.

Enterprise System Integration will address the following issues during the stabilization period:

- Complete the technical knowledge transfer from the vendor and provide acknowledgement that training has been completed as planned.
- Conclude hiring processes to ensure that the project has adequate resources during and after the stabilization period.
- Evaluate whether additional documentation is required to complete the minimal documentation required by Policy IS-10, and ensure that any gaps are addressed.

Business Relationship & Service Management will:

- Evaluate whether additional documentation is required to complete the minimal documentation required by Policy IS-10, and ensure that any gaps are addressed.
- Ensure that Business and Financial Services, Business Relationship & Service Management, and Enterprise System Integration responsibilities have been documented after the stabilization period.

will follow up on the status of these issues by March 31,