9
SAP Audit Guide for Human Resources

SAP Audit Guide Human Resources

Embed Size (px)

DESCRIPTION

SAP Audit guide for HR module. How to setup manage a proper implementation and control for SAP HR.

Citation preview

  • SAP Audit Guidefor Human Resources

  • This audit guide is designed to assist the review of human resource processes that rely upon controls enabled in SAP systems.

    The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in Personnel Management and other sub-modules in the Human Capital Management (HCM) application of SAP ERP.

    The guide provides instructions for assessing application-level controls in the following areas:

    HR Master Data

    Time Management

    Travel Management

    Payroll Processing

    Employee Self Service

    The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Financial Accounting, Revenue, Expenditure, Inventory, and Basis.

    HR Master DataOrganizational and employee-level master data is maintained through the Personnel Management module in versions 4.6 and above. HR-related data fields are grouped and controlled in this module through records known as infotypes. There are multiple infotypes, each identified through a unique four-digit code. Examples include Personal Data (0002) which contains fields for an employees first name, last name and date of birth, among other areas. Codes between 0000 0999 are assigned to HR/payroll data, 1000 1999 are used for organizational data, and 2000 2999 are used for time-related data. Infotypes can have numerous subtypes and, since HR data is time-dependent, an employee can have multiple records for the same infotype. The complete list of infotypes configured in SAP can be viewed through the menu path IMG - Personnel Management - Personnel Administration - Customizing Procedures - Infotypes. Access to master data should be configured at the infotype level and correspond to role requirements.

    Within each SAP client, company codes are usually configured with several personnel areas and sub-areas

    Human Resources

    SAP Audit Guide

  • 2and Employee groups and sub-groups. These areas and groups control wage types, pay scales, default values for basic pay and other critical areas of employee master data. The enterprise structure including specific settings in personnel areas and employee groups within each company code should be closely reviewed using transaction EC01. Furthermore, a sample of master records should be reviewed to ensure that employees are assigned to the correct areas and groups.

    Master records should also be reviewed to ensure employees are assigned to the appropriate health, insurance, savings and other benefit plans. Configured plans and associated rules should be reviewed through IMG Personnel Management Benefits.

    To safeguard against the risk of duplicate employees in the system, SAP should be configured to compare information such as last name, first name and date of birth against existing records during the entry of new employees. This is performed through IMG Personnel Management Personnel Administration Customizing Dynamic Actions Activate Concurrent Employment for Personnel Administration. Once configured, SAP will automatically display possible matches against both active and inactive records.

    SAP should also be configured to provide a sufficient audit trail for changes to key infotypes. This is performed through tables HR Documents: Infotypes with Documents (V_T585A), HR Documents: Field Group Definition (V_T585B ) , and HR Documents : F i e ld Group Characteristics (V_T585C). Changes are displayed in report RPUAUD00 (Logged Changes in Infotype Data).

    Access to key master data transactions such as PA10 (Personnel File), PA20 (Display HR Master Data), PA30 (Maintain HR Master Data) and PA40 (Personnel Actions) and authorization object P_ORGIN should be restricted and based on role requirements. Access should be qualified with the P_PERNR authorization object which prevents users from changing specific infotypes in their own personnel records. Write operations W, S, D and E should be specified in the AUTHC (Authorization code) field of the P_PERNR object and the PSIGN field should be set to E (Exclude). The infotypes that are subject to the exclusion should be listed in the INFTY field. Users should not be granted inconsistent authorizations since this could override any exclusions. For example, an authorization with

    AUTHC = * and PSIGN = I (Include) will grant read access to all personnel records for infotypes specified in INFTY, regardless of exclusions for the same infotypes configured through other authorizations.

    Consideration should be given to implementing dual control over master data changes. This can be achieved by preventing changes in master records entered by one set of users from taking effect until they are released by another set of users with the appropriate authorizations. The latter group should have the authorizations to release changes but should not be able to enter master data.

    Time ManagementTime-related data including working hours, absences, overtime and allowances can be pulled from external time recording systems or entered directly into SAP through channels such as the Cross-Application Time Sheet (CATS) function. CATS integrates directly with other components of SAP including Logistics and Project Systems through Business Application Programming Interfaces (BAPIs). Accounting integration for time-data infotypes is enabled by default but can be disabled through customization. Therefore, the Infotype with Acct/ Logistics Data area of IMG for HCM should be closely reviewed to ensure that integration is not deselected for any infotype. If Workforce Management (WFM) is used to manage employee time data, the mapping of SAP infotypes to WFM specification types should be reviewed in the WFM Core.

    Time entry rules including validation checks, tolerances and controls for required, suppressed and optional fields are configured and applied through CATS profiles. The settings for each CATS profile assigned to every user interface should be reviewed in the Time Sheet area of the Cross-Application Components area of IMG. Release procedures are also defined with each profile. Approvals can be triggered manually but SAP Business Workflow should be used wherever possible to support time sheet review and approval. The attributes of workflows should be reviewed through the Workflow Builder.

    Other areas of IMG that should be carefully reviewed include rules for Work Schedules, Time Data Recording and Administration, and Schemas in Personnel Time Management. The last is particularly important since it impacts Time Evaluation.

  • 3This is an SAP function that detects potential errors in time-related data entered during a pay period prior to processing. Time Evaluation should be configured as a daily scheduled job. Errors and warnings generated by the Time Evaluation report RPTIME00 should be reviewed and resolved by administrators before time data is transferred to payroll. This report displays exceptions to rules configured in the schemas. Examples could include employees or contractors that have reported more than 8 hours in a day or 40 hours in a week or registered more than 20 days of vacation leave. The Time Management Status in the Planned Working Time infotype (0007) in every record for hourly employees should not be set to zero since this will exclude employees from Time Evaluation.

    Access to the time management transactions listed in Table A should be restricted, including the ability to approve timesheets, which should be assigned exclusively to functional managers. The dummy infotype 0316 is the authorization required for time sheet entry. Infotype 0328 is required for time approval.

    TRANSACTION DESCRIPTION

    CAT2, CAT3 Time Sheet: Initial Screen

    CAPSTime Sheet: Approve Times (Select by Master Data)

    CAT4Time Sheet: Approve Times (Selection by Org. Assignment)

    CAPP Time Sheet: Approve Times

    PP61 Change Shift Plan: Entry Screen

    PA61 Maintain Time Data

    PA62 List entry for additional data

    PA63 Maint. time data

    PA64 Calendar entry

    PA70 Fast Entry (Time Data)

    Table A: Time Management Transactions

    Time Management

    SAP Travel Management uses workflow to track and approve trip requests, book approved requests through integration with external reservation systems, and record, reimburse and post travel expenses. It performs an important control function by enforcing compliance with travel policies. The relevant rules, profiles and parameters for travel components should be reviewed in IMG Financial Accounting Travel Management to ensure alignment with travel policies and procedures.

    Master records should not be configured to exclude hourly employees from time evaluation

  • 4Travel policies are maintained with the TRAVEL_MANAGER role

    Standard Travel Management roles should be assigned to users. Most employees should be assigned the SAP_FI_TV_TRAVELER role, which enables users to request trips, check travel services and enter travel expenses. For organisations that opt for a centralized rather than decentralized model, these tasks will be performed by a s m a l l e r g r o u p o f u s e r s w i t h t h e S A P _ F I _ T V _ T R A V E L _ A S S I S TA N T r o l e . T h e MANAGER_GENERIC and ADVANCE_PAYER roles should assigned to users responsible for approving trip requests, e x p e n s e s t a t e m e n t s a n d / o r a d v a n c e s . T h e ADMINISTRATOR role should be closely safeguarded since it provides users with the ability to approve expense statements for all travelers in the enterprise. The same rule applies to the TRAVEL_MANAGER role which allows users to change configuration parameters for areas such as travel policies and maintain HR master data.

    Travel expenses should be transferred to FI after approval for posting to the relevant GL accounts. This is performed through transactions PFRI (Create Posting Run) and PRRW (Manage Posting Runs). Payments can be processed through payroll, check or direct deposit. Transactions PRDX, PRD1 and FDTA are used for direct deposit, PRPY for payroll and PRCU for check printing. Other significant transactions are listed in Table B.

    TRANSACTION DESCRIPTION

    PRMM Personnel Actions

    PRMD Maintain HR Master Data

    PRMS Display HR Master Data

    PRAA Automatic Vendor Maintenance

    PRAP Approval of Trips

    PR02 Travel Calendar

    PR03 Trip Advances

    PR04 Edit Weekly Report

    PR05 Travel Expense Manager

    PRCC Import Credit Card Files

    PRCCD Display Credit Card Receipts

    TPMM Personnel Actions (Travel Planning)

    TPMDMaintain HR Master Data (Travel Planning)

    TPMSDisplay HR Master Data (Travel Planning)

    TP01 Planning Manager

    Table B: Travel ManagementTransactions

  • 5Payroll ProcessingMaster data should be locked during a payroll run to prevent any changes. This is performed through Payroll Control Records, accessed through transaction PA03 (Maintain Personnel Control Record). Each pay area has an individual control record. The payroll period selected as the basis for the control records should be set to the period immediately before the live period. Also, the maximum number of past periods that are open for payroll adjustments should be appropriately set in the Earliest Retro Acctq Period field. Note that SAP uses the earliest personal retroactive accounting date set in the Payroll Status infotype (0003) in each employee master record if this does not match the date set in the control record.

    Payroll control records can be used to determine which employees were included and rejected in the last payroll run. The latter group can be identified by selecting Incorrect Pers. Nos. and Locked Pers. Nos.

    The ability to enter or update certain infotypes during a payroll run through transactions such as PAKG/ PAUX (Adjustments Workbench) should be restricted. The employee remuneration information infotype should be configured to prevent adjustments to wage types such as salaries since any adjustment will override the value in the master record. This should be performed through the IMG area Maintain Wage Types. Minimum and maximum values can be configured for each wage type. The latter is highly recommended. Rounding divisors for wage types should be reviewed to ensure they are configured appropriately (divisors can be set anywhere between 1 and 100). The posting characteristics including time-dependencies for wage types and month-end accruals should also be reviewed under account assignments. Wage types are mapped to symbolic accounts which in turn are mapped to GL accounts.

    Gross and net pay calculations are performed by the system based on processing rules known as personnel calculation rules. These rules are grouped in schemas and can be adjusted through transactions PE01 (Maintain Payroll Schemas), PE01N (Editor for Payroll Schemas), PE02 (Maintain Calculation Rules), PE02N (Editor for PC rules) and PE04 (Create Functions and Operations). Access to these sensitive functions should be safeguarded.

    There are a number of standard SAP reports that should be reviewed by management during each payroll run to confirm the validity of any adjustments and identify

    discrepancies. These include reports RPCEDT00 (Payroll Exceptions), RPUAUD00 (Logged Changes in Infotype Data) and RPURECG0 (Payroll Results).

    Advances, bonuses, corrections and other forms of payments or deductions outside scheduled payroll runs are processed through the Off-Cycle Work Bench (transaction PUOC) for individual employees or through batch input using the One-Time Payments Off-Cycle infotype (0267) for multiple employees. Reason codes should be configured and consistently applied for all payments. Furthermore, procedures should be in place to ensure that off-cycle functions are used to process and record payroll data for manual checks created outside the system.

    SAP Payroll integrates into the FI AP payment program for check printing and Automated Clearing House (ACH) transfers. The latter is performed through Payroll Bank Transfer Pre DME Program. DME is an acronym for Data Medium Exchange. This process creates a preliminary DME file that should be validated by management before the final file is generated in CEMTEX format and transferred to a designated processing bank. The Bank Deposit Summary report should be sent to the bank along with the file to enable reconciliation. Payments methods and banking information are configured in IMG - Personnel Administration Personal Data Bank Details Define Payment Methods and Payroll Data Medium Exchange Preliminary Programs for DME Set Up House Banks.

    The above process will update the check register in FI AP but will not update accounts in the General Ledger. This has to be manually performed through transaction PCP0 (Edit Posting Runs) or through the menu path Payroll Subsequent Activities Per Payroll Period Evaluation Posting to Accounting Execute Posting Run/ Process Posting Run/ Check Completeness.

    Payables to tax authorities, benefit providers and other third parties should be transferred to AP for settlement through Payroll Subsequent Activities Per Payroll Period Evaluation Third Party Remittance.

  • 6Employee Self ServiceEmployee Self-Service (ESS) is a Web Dynpro (Java) application that operates on the Enterprise Portal (EP). It enables employees to maintain their personal information, enter leave requests, update timesheets, display pay slips, and perform other similar functions. Employees must be assigned a user record in the J2EE with an appropriate role to be able to use ESS. This is performed through the HRUSER transaction or the menu path IMG Personnel Management Employee Self-Service (ITS Version) General Settings for ESS Create SAP Users for ESS.

    Users should be a assigned single role from a copy of the composite SAP_EMPLOYEE_ERP role provided by SAP and should only have the ability to update their own data for certain types of infotypes. Bank account information, for example, should only be updated centrally by authorized HR users. This should be configured through the P_PERNR authorization object rather than P_ORGIN. The former takes precedence over the latter. ESS users without P_PERNR may be able to view and update records belonging to other employees.

  • Webwww.layersevensecurity.comEmailinfo@layersevensecurity.comTelephone1 888 995 0993

    Address Westbury Corporate CentreSuite 1012275 Upper Middle RoadOakville, Ontario L6H 0C3, Canada

    Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth

  • Copyright Layer Seven Security 2012 - All rights reserved.

    No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security.

    Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

    This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.


Audit of the SAP Solution Center

Audit of the SAP Solution Center

Documents
SAP GRC Audit for Call

SAP GRC Audit for Call

Documents
SAP AUDIT WILL S A SAP AUDIT WILL I SAP Audits S SAP Audits … · 2008-11-11 · SAP Audits ERPAUDITINGSOLUTIONS GOVERNANCE, RISK AND COMPLIANCE SOLUTIONS FOR INTERNAL AUDITORS SIMPLIFYING

SAP AUDIT WILL S A SAP AUDIT WILL I SAP Audits S SAP Audits … · 2008-11-11 · SAP Audits ERPAUDITINGSOLUTIONS GOVERNANCE, RISK AND COMPLIANCE SOLUTIONS FOR INTERNAL AUDITORS SIMPLIFYING

Documents
Sap Audit Samples

Sap Audit Samples

Documents
SAP Audit Guide Expenditure

SAP Audit Guide Expenditure

Documents
Sap security for audit seminar1

Sap security for audit seminar1

Education
SAP Audit Guide Basis

SAP Audit Guide Basis

Documents
Sap license audit

Sap license audit

Business
SAP Compliance for SAP License Audit - AuditBOT

SAP Compliance for SAP License Audit - AuditBOT

Business
SAP Audit Issues - SAP FI/CO Training

SAP Audit Issues - SAP FI/CO Training

Economy & Finance
Security and Audit Mission Critical SAP Security and Audit ...SAP Audit information system (AIS tool) SAP Security Governance policies Personal Data Protection Act (PDPA) in SAP. 09:00

Security and Audit Mission Critical SAP Security and Audit ...SAP Audit information system (AIS tool) SAP Security Governance policies Personal Data Protection Act (PDPA) in SAP. 09:00

Documents
Surviving an SAP Audit(1)

Surviving an SAP Audit(1)

Documents
SAP Audit Information Approach

SAP Audit Information Approach

Documents
Analytics for SAP Audit Managementinternal-audit-strategy.com/.../2018/03/SAP-Audit-Reporting.pdf · SAP Analytics End-to-End Overview Architecture Contacts Self-Service Advanced

Analytics for SAP Audit Managementinternal-audit-strategy.com/.../2018/03/SAP-Audit-Reporting.pdf · SAP Analytics End-to-End Overview Architecture Contacts Self-Service Advanced

Documents
SAP Audit Guide - Expenditure - Layer Seven Security · PDF fileAccounts Payable (FI-AP) sub-module of SAP. ... do not use a three way match process since SAP ... SAP Audit Guide -

SAP Audit Guide - Expenditure - Layer Seven Security · PDF fileAccounts Payable (FI-AP) sub-module of SAP. ... do not use a three way match process since SAP ... SAP Audit Guide -

Documents
SAP - Audit Findings

SAP - Audit Findings

Documents
SAP Audit Guide Financial Accounting

SAP Audit Guide Financial Accounting

Documents
SAP License Audit Report

SAP License Audit Report

Technology
SAP Audit Guidelines

SAP Audit Guidelines

Documents
SAP Audit Guide - Advanced SAP Security Solutions · PDF filerely upon automated functions in SAP ... SAP Audit Guide. 2 ... AJRW Fiscal Year Change AJAB Year-end closing Asset Accounting

SAP Audit Guide - Advanced SAP Security Solutions · PDF filerely upon automated functions in SAP ... SAP Audit Guide. 2 ... AJRW Fiscal Year Change AJAB Year-end closing Asset Accounting

Documents
SAP- Audit Guidelines R/3

SAP- Audit Guidelines R/3

Documents
Sap audit _ Basic

Sap audit _ Basic

Education
SAP License Services - Crayon · 2016-05-05 · • SAP Contract Negotiation and Strategy • SAP Audit Preparedness and Audit Support • SAP Run Configuration • Detailed usage

SAP License Services - Crayon · 2016-05-05 · • SAP Contract Negotiation and Strategy • SAP Audit Preparedness and Audit Support • SAP Run Configuration • Detailed usage

Documents
SAP Compliance Tool for SAP IT Audit

SAP Compliance Tool for SAP IT Audit

Technology
Save SAP License |Optimize SAP License Audit| SAP License Cost

Save SAP License |Optimize SAP License Audit| SAP License Cost

Technology
SAP License Services · • SAP Contract Negotiation and Strategy • SAP Audit Preparedness and Audit Support • SAP Run Configuration • Detailed usage and risk review of indirect

SAP License Services · • SAP Contract Negotiation and Strategy • SAP Audit Preparedness and Audit Support • SAP Run Configuration • Detailed usage and risk review of indirect

Documents
1091606 - SAP Tax Audit (EN) V1

1091606 - SAP Tax Audit (EN) V1

Documents
Human Resources Audit (HR Audit)

Human Resources Audit (HR Audit)

Business
Internal Audit Handbook - Kementerian Keuangan … Audit Handbook.pdf · Internal Audit Handbook Management with the SAP ... SAP®, SAP NetWeaver®, ABAP-4® and other SAP products

Internal Audit Handbook - Kementerian Keuangan … Audit Handbook.pdf · Internal Audit Handbook Management with the SAP ... SAP®, SAP NetWeaver®, ABAP-4® and other SAP products

Documents
SAP Audit Guide Financial Accouting

SAP Audit Guide Financial Accouting

Documents