Health Canada

Final Audit Report - Audit of Data Integrity - HR Advantage

May 2009


Executive Summary

The Human Resources Advantage system (HR Advantage) is Health Canada's primary tool used to perform human resources business activities. These activities include compensation, classification, staffing and labour relations. There are approximately 672 users across the Department with access to this system.

HR Advantage is one of several systems within the Department that provides data to SAP (Systems, Applications and Products) which is the Department's financial system. The information provided by HR Advantage is used to generate financial and management reports that are then used to manage the Department's human resources. In 2007/08, salaries alone for the Department amounted to approximately $833 million.

The objectives of the audit were to:

  1. determine the completeness and accuracy of HR Advantage data that are uploaded to Health Canada's financial system; and
  2. provide an overall assessment of the internal control environment for HR Advantage.

The Audit and Accountability Bureau conducted the audit in accordance with the Government of Canada's Policy on Internal Audit.

While there were no major errors found with the accuracy of data that interfaced with SAP, there are some concerns that could potentially affect the integrity and completeness of the data if not addressed. For example, it was observed that the Classification Action Requests (CARs) were either missing or did not have the required approval, or the documentation on file did not support the transaction interfaced with SAP. Also, leave balances in HR Advantage were being overridden without providing the necessary documentation explaining the changes.

The completeness of the data that are being interfaced with SAP could not be determined because HR Advantage does not generate control totals to compare input and output to SAP. Control totals are required in order to reconcile the data between HR Advantage and SAP. Consequently, there is a risk of not knowing if all of the data have been captured.

At the end of the audit, HR management indicated that the present HR system may not be able to address the deficiency noted above. For this reason and others, Health Canada is considering replacing HR Advantage with a different human resource application. The Department is currently partnering with another government department to develop a "Proof of Concept" for an alternate application as a possible solution to replace HR Advantage. A decision has yet to be made with respect to the replacement of HR Advantage.

Lastly, the general computer controls surrounding HR Advantage need improvement. For example, the activities of the end users are not monitored at either the application or database level. The documentation relating to the granting of access privileges to HR Advantage was incomplete, and essential information related to change management for processing work orders to the HR Advantage system was missing. In addition, there was no formal documented backup and recovery plan. These findings indicate a risk of unauthorized access to the application and database, as well as a risk to the integrity of the data.

Management has agreed, with an action plan, to the eight recommendations which will serve to strengthen the controls surrounding HR Advantage.

Introduction

Background

The Human Resources Advantage system (HR Advantage) is Health Canada's primary tool used to perform human resources business activities. These activities include compensation, classification, staffing and labour relations. There are approximately 672 users across the Department with access to HR Advantage. The On-Line Pay system, which is managed by Public Works and Government Services Canada (PWGSC), is used by Compensation staff to update employee pay and benefits data. It is also the primary source for generating salary expense and benefits information that update both HR Advantage and SAP.

HR Advantage is one of several systems within the Department that provide data to SAP (Systems, Applications and Products), which is the Department's financial system. The information provided by HR Advantage is used to generate limited financial and management reports that are used to manage the Department's human resources and assets. In 2007/08, salaries alone for the Department amounted to approximately $833 million.

Health Canada is considering the replacement of HR Advantage with a different human resource application that may provide for better quality data and more timely information. The Department is currently partnering with another government department to develop a "Proof of Concept" for an alternate application as a possible solution to replace HR Advantage. A decision has yet to be made with respect to the replacement of HR Advantage.

Appendix B provides an overview of the architecture of HR Advantage and On-Line Pay that supports the Human Resource function in the Department.

The audit was undertaken by the Audit and Accountability Bureau in accordance with Health Canada's Risk-Based Audit Plan update and with the Government of Canada's Policy on Internal Audit.

Objectives

The two objectives of the audit were to:

  • determine the completeness and accuracy of the HR Advantage data that are uploaded to Health Canada's financial system; and
  • provide an overall assessment of the internal control environment for the HR Advantage System.

Scope and Approach

The audit covered Human Resource data (Staffing, Classification and Pay related transactions) that interfaced with SAP as at May 2008. It also included a review of the general computer controls environment surrounding HR Advantage. The fieldwork was conducted in the National Capital and Ontario Regions.

Excluded from the scope were HR related transactions processed by the Interactive Leave and Attendance Module (ILAM) and the On-Line Pay System as it is managed by PWGSC.

The audit was conducted using criteria from three sources: Control Objectives for Information and Related Technology (COBIT) summarized in Appendix A; Health Canada's IT Security Policy; and the Treasury Board of Canada Secretariat Policy on Information Management.

Interviews were conducted with functional experts from the HR Systems unit and the Human Resource Branch, both located in the National Capital and Ontario regions. The audit included an examination of systems documentation, training and technical manuals. HR Advantage data (as at May 2008) that interfaced with SAP was examined using generalized audit software. In addition, the audit examined the accuracy of data inputs, access controls, authorization, exception handling and logging, change management, backup and restoration procedures.

Findings, Recommendations and Management Responses

Completeness and accuracy of the data

Audit Criterion

Procedures should exist to ensure that all authorized source documents are complete, accurate, properly accounted for and received in a timely manner for data entry.

Authorization of Source Documents - Classification Action Requests

Job classification is a structure that establishes the relative value of work. Its purpose is to provide a basis for determining the compensation of employees in a manner that is consistent, equitable, efficient and effective.

A sample of forty-nine classification related transactions was examined, as at May 2008, from five files that interface on a daily basis with SAP. These files contain only data that represent changes to an employee profile (in this case changes to the employee's classification profile). Historical data are contained in employee master files that reside in the HR Advantage Database.

Sixteen transactions identified (approximately one-third of the sample) were either missing the approval authorizing the change of classification, had a different classification effective date than what was documented in the classification file or were missing the Classification Action Request (CAR). In addition, the documentation supporting the transaction had a different classification action than the one represented by the transaction that interfaced with SAP. Therefore, it could not be determined if the transactions had been authorized prior to input, which may affect the accuracy of data.

Recommendation No.1

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, ensure that changes to an employee's classification status are supported by the appropriate documentation and are reviewed by the Human Resources Directorate.

Management Response

Accept.

Audit Criteria

Procedures should exist to ensure output is routinely balanced to the relevant control totals. Audit trails should exist and facilitate the tracing of transaction processing and the reconciliation of disrupted data.

Reconciliation of Data with SAP

The data that are interfaced between HR Advantage and SAP are currently not being reconciled. There should be control totals identifying the number of transactions and pay related data that have been interfaced with SAP. The current messaging between HR Advantage and SAP merely states whether the interface was successful or failed. The current messaging, combined with the absence of "control totals", puts management at risk of not knowing whether all the information from HR Advantage has interfaced with SAP.

HR management reports that currently, there does not appear to be a system interface solution between HR Advantage and SAP to address the reconciliation.
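
The control-total check this finding calls for, as an added example that is not part of the audit report and is not HR Advantage or SAP code; the record layout, field names and sample batch are constructed for illustration. The sender writes a record count, an amount total and a content digest to a batch trailer, and the receiver recomputes them from what it actually loaded, so a transfer reported as "successful" that dropped or altered records no longer passes unnoticed.

```python
# Added example: control-total reconciliation for a batch interface.
# Record layout and field names are hypothetical, not HR Advantage's or SAP's.
import hashlib
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str       # unique key assigned by the sending system
    employee_id: str
    action: str       # kind of change carried by the transaction
    amount: Decimal   # pay-related value


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: Decimal
    digest: str       # order-independent fingerprint of record contents


def _record_hash(t: Txn) -> int:
    canon = "|".join((t.txn_id, t.employee_id, t.action, f"{t.amount:.2f}"))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest(), "big")


def control_totals(txns) -> ControlTotals:
    """Totals the sender writes to the trailer and the receiver recomputes."""
    count, total, acc = 0, Decimal("0.00"), 0
    for t in txns:
        count += 1
        total += t.amount
        # Sum of per-record hashes mod 2^256: independent of load order,
        # and (unlike XOR) a duplicated record does not cancel itself out.
        acc = (acc + _record_hash(t)) % (1 << 256)
    return ControlTotals(count, total, f"{acc:064x}")


def reconcile(trailer: ControlTotals, loaded) -> list:
    """Return the discrepancies found; an empty list means the batch balanced."""
    got = control_totals(loaded)
    issues = []
    if got.record_count != trailer.record_count:
        issues.append(f"record count: sent {trailer.record_count}, "
                      f"loaded {got.record_count}")
    if got.amount_total != trailer.amount_total:
        issues.append(f"amount total: sent {trailer.amount_total}, "
                      f"loaded {got.amount_total}")
    if got.digest != trailer.digest:
        issues.append("content digest mismatch")
    return issues


# Constructed sample batch (not real data).
SENT = [
    Txn("T0001", "E100", "RECLASSIFY", Decimal("512.40")),
    Txn("T0002", "E101", "ACTING_PAY", Decimal("130.00")),
    Txn("T0003", "E102", "RECLASSIFY", Decimal("0.00")),
    Txn("T0004", "E103", "LEAVE_PAYOUT", Decimal("1875.25")),
]
TRAILER = control_totals(SENT)

# Case 1: the last record never arrived.
LOADED_DROPPED = SENT[:3]
# Case 2: two amounts changed by offsetting values, so the count and the
# amount total still balance; only the content digest exposes the change.
LOADED_OFFSET = [
    replace(SENT[0], amount=Decimal("502.40")),
    replace(SENT[1], amount=Decimal("140.00")),
    SENT[2],
    SENT[3],
]

if __name__ == "__main__":
    for name, batch in [("intact", SENT), ("dropped", LOADED_DROPPED),
                        ("offsetting", LOADED_OFFSET)]:
        print(name, reconcile(TRAILER, batch) or "balanced")
```
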

Recommendation No. 2

It is recommended that the Assistant Deputy Minister, Corporate Services Branch ensure that there is a reconciliation of data between HR Advantage and SAP.

Management Response

Accept.

However, the department is considering a new HR application which may contain this capability.

Audit Criterion

Management should monitor the effectiveness of internal controls in the normal course of operations through management and supervisory activities, including comparisons, reconciliations and other routine actions.

Leave Without Pay (LWOP)

HR Advantage automatically accumulates vacation days earned by employees for the Fiscal Year. At the end of the year, any unused vacation days are carried forward to the next year. The maximum leave entitlements, for each employee, to be carried over from year to year, are determined by Treasury Board of Canada Secretariat, Collective Agreements. Leave in excess of the maximum amounts allowed are adjusted by Compensation staff and are paid out to the employee. Any unused vacation days are reported as a liability on the financial statements of the Department.

When employees are on Leave Without Pay (LWOP), HR Advantage will continue to accumulate leave. This information was obtained from the LWOP report produced in HR Advantage. However, at the end of the Fiscal Year, the system will adjust the leave balance to reflect the leave entitlement balance at the time the employee commenced their LWOP. Even though HR Advantage calculates the appropriate leave accumulation, Compensation staff can override the amount of the leave carried forward by changing the leave balance in HR Advantage. When an override is made, Compensation staff are required to provide a comment in the system to document the reason for the override to the leave balance. However, Compensation staff were not providing the required documentation in HR Advantage. Without the necessary documentation provided by Compensation staff, it is difficult to determine if the accumulated leave balance is accurate.

Recommendation No. 3

It is recommended that the Assistant Deputy Minister, Corporate Services Branch ensure that:

  1. HR Advantage does not allow any changes to the accumulated leave balance unless Compensation staff provide the necessary comments in HR Advantage explaining the adjustments;
  2. Compensation Managers monitor overrides to employee leave balances; and
  3. HR Advantage is prevented from accumulating leave for employees who are on LWOP (see Change Management).

Management Response

Accept.

Audit Criterion

Controls should be in place that highlight errors and inconsistencies and should be corrected before they impact production.

Error Processing

HR Advantage produces the Department Supply and Services Error (DSSE) report that lists all errors that have been rejected by HR Advantage. When a transaction is rejected, all subsequent transactions for that employee are rejected and are not processed by HR Advantage.

A review of the DSSE report identified approximately 1,000 errors that originated prior to 2007 and had not been corrected. It was determined that some of the errors noted on the DSSE report could be traced back to the data that are being interfaced with SAP. There was no evidence to suggest that corrective action is being taken to respond to these errors in a timely manner. Without timely action to correct errors, it is difficult to determine if the data are current and accurate.

Recommendation No. 4

It is recommended that the Assistant Deputy Minister, Corporate Services Branch ensure that Compensation Managers review the DSSE report and take appropriate action necessary to correct the errors in a timely manner.

Management Response

Accept.

General Computer Controls Environment

Audit Criteria

There should be a process in place for management to review, confirm and monitor all users' access rights to the system. Management should periodically review access to the system and transaction activity.

Management Review of User Activity

There is no documented evidence to support that management routinely tracks and monitors who has accessed HR Advantage, including access to the database by the Data Base Administrators (DBAs). This is of concern because DBAs, unlike other users, have unlimited access to the database, including the ability to make changes.

Reports for tracking and monitoring purposes could be made available to management. For example, the system does have the capability to generate logs and reports that can provide an audit trail which records transactions and access to the system.

Not using available information to periodically review the system-related activities of all users, including DBAs, exposes the Department to the risk that someone could access or make unauthorized changes to the data in the HR database (potentially compromising the integrity of the data).

Recommendation No. 5

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, ensure that the activities of all users who have access to HR Advantage, including access by the Database Administrator, are periodically monitored.

Management Response

Accept.

Audit Criterion

Health Canada's Policy on "Use of Electronic Networks" and industry best practices require that the user access rights should be in-line with defined and documented business needs and job requirements.

Administering Access to HR Advantage

There is no up-to-date record of employees authorized to access HR Advantage, or the operations they are allowed to perform. Nor is there any information on who has authorized the access privileges. This information should be recorded on the HR Advantage Creation forms for creating and reactivating an account. These forms should be retained for a minimum of three years, as required by the Government of Canada's Policy on Information Holdings.

Prior to October 2007, there were no documented access forms identifying privileges to HR Advantage. More than half of the 672 users who have access to HR Advantage have no documentation identifying access privileges to the system. In addition, there were 196 users identified who have access to HR Advantage but have never logged into the system.

Inactive accounts should be disabled in accordance with Health Canada's Policy - "Use of Electronic Networks".

The absence of these controls increases the risk of unauthorized access to HR Advantage.

Recommendation No. 6

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, ensure that:

  1. employee access rights to HR Advantage be documented;
  2. inactive accounts be disabled; and
  3. all Security Forms be retained at least 3 years as per the Policy on Information Management.

Management Response

Accept.

Audit Criterion

A well executed change management process is designed to minimize service downtime by ensuring that requests for changes to the system are recorded and then evaluated, authorized, prioritized, planned, tested, implemented, documented and reviewed in a controlled, consistent and timely manner.

Change Management

A formal change management process should include the following attributes associated with a best practice regime:

  • the steps that should be taken to handle the change, including handling issues such as exceptions and unexpected events;
  • roles and responsibilities - who should do what and when;
  • time lines for completion of the actions;
  • escalation procedures - who should be contacted and when;
  • approval authority; and
  • performance measures.

A sample of five work orders from a list of forty-four high priority work orders was examined. It was determined that key information that is normally associated with the change management process was missing. This information included time lines for completion of key milestone activities, names of individuals responsible for specific tasks, approval authority for the change, and user approval/acceptance of the change. It was noted that one high priority work order had been outstanding since 2004. In addition, there was a significant backlog of high priority problem fixes that had not been addressed.

There is a risk of poor quality data in HR Advantage if key attributes of the change management process are absent.

Recommendation No. 7

It is recommended that the Assistant Deputy Minister, Corporate Services Branch ensure that the Branch applies a formal change management process that is consistent with industry best practices.

Management Response

Accept. There is no formal change management process as the process is informal through discussions with clients. Change requests are documented; however, there is no formal process that each follows to completion.

Audit Criteria

There should be a documented plan and procedures used to define and implement the backup and restoration of system and data as part of a business continuity and disaster recovery plan. There should also be adequate safeguards in place to protect the data.

Backup and Restoration Plan

A documented back up and restoration plan includes the following best practices:

  • detailed steps required to perform a backup and restore of the application and data;
  • rollback procedures that return the production environment to a state prior to the changes being made;
  • periodic testing of the restoration procedures;
  • restoration of application/data within specified time lines;
  • identification of individuals, along with their alternates, responsible for performing the backup and restoration;
  • documented evidence to support that regular backups are being conducted; and
  • a provision for off-site back up of both application and data.

Although backups of the application and data were being conducted on a regular basis, there was no evidence to support the existence of a documented backup and recovery plan. It was determined that there was no provision for off-site back ups of both the application and data.

The absence of a documented backup and restoration plan, that outlines procedures required to backup and restore the data, poses a risk to the integrity of the data if procedures are not followed in accordance with a plan.

Recommendation No. 8

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, ensure that there is a documented backup and recovery plan that includes industry best practices.

Management Response

Accept.

Conclusion

While there were no major errors found with the accuracy of data that interfaced with SAP, there are some concerns that could potentially affect the integrity and completeness of the data if not addressed.

Specifically, in relation to the first line of enquiry - completeness and accuracy of the data - there are four areas that need improvement. Currently, there are incomplete data relating to Health Canada's classification action requests and leave balances are sometimes overridden without explanation. In addition, there is a risk of not knowing if all of the data have been interfaced with SAP as the reconciliation process is missing an important "control total" element. Lastly, errors reported in the HR Advantage system are not being dealt with in a timely manner. However, as previously mentioned, HR management noted that with the current HR Advantage, it was not evident that there was a system interface solution with SAP for the quality and timeliness of the data. As such, Health Canada is considering a new HR application, which may address issues related to this first line of inquiry.

With regard to the second line of enquiry - general computer controls surrounding HR Advantage - there are three areas that need improvement. The first area of concern is the insufficient monitoring of user activity at the application and database level. The second is the informality of the change management procedures and, lastly, backup and restoration procedures are currently not documented in accordance with industry standards.

Management has agreed, with an action plan, to the eight recommendations which will serve to strengthen the controls surrounding HR Advantage.

Appendices

Appendix A: Lines of Enquiry and Audit Criteria

Lines of Enquiry Audit Criteria
A. The Completeness and Accuracy of the Claims Data
The controls to ensure that transactions are completely and accurately processed
  • Procedures ensure that all authorized source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry.
  • Transaction data entered for processing (people-generated, system-generated or interfaced inputs) should be subject to a variety of controls to check for accuracy, completeness and validity.
Segregation of duties with respect to transaction processing;
  • Authorized personnel who are acting within their authority properly prepare source documents and an adequate segregation of duties is in place regarding the origination and approval of source documents.
The accuracy and completeness of claims data uploaded to SAP.
  • Output is routinely balanced to the relevant control totals. Audit trails facilitate the tracing of transaction processing and the reconciliation of disrupted data.
The process for identifying and correcting, in a timely manner, transactions that have been incorrectly processed (Error Processing).
  • Procedures for the correction and re-submission of data that were erroneously input are in place and followed.
  • Error handling procedures during data origination should reasonably ensure that errors and irregularities are detected, reported and corrected.
B. The General Computer Controls Environment Surrounding HR Advantage
Management reviews user accounts.
  • Management should have a control process in place to review and confirm access rights periodically.
Access to HR Advantage by employees is controlled and monitored.
  • User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person.
Access to the system by Database Administrators (DBAs) is controlled and periodically reviewed.
  • Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included. These procedures should apply for all users, including administrators (privileged users), internal and external.
There is a change management process in place and problems are resolved in a timely manner.
  • There should be a change management process designed to minimize service downtime by ensuring that requests for changes to the system are recorded and then evaluated, authorized, prioritized, planned, tested, implemented, documented and reviewed in a controlled and consistent and timely manner.
Documented back-up and recovery plan procedures are in place.
  • Define and implement procedures for backup and restoration of systems, data and documentation in line with business requirements and the continuity plan. Verify compliance with the backup procedures, and verify the ability to and time required for successful and complete restoration. Test backup media and the restoration process.

Audit criteria have been summarized for presentation purposes.

Appendix B: System Architecture

HR Advantage System - General Overview of Data Interfacing with FIRMS
