SAP Audit Guide for Human Resources




This audit guide is designed to assist the review of human resource processes that rely upon controls enabled in SAP systems. The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in Personnel Management and other sub-modules in the Human Capital Management (HCM) application of SAP ERP. The guide provides instructions for assessing application-level controls in the following areas:

HR Master Data
Time Management
Travel Management
Payroll Processing
Employee Self Service

The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Financial Accounting, Revenue, Expenditure, Inventory, and Basis.

HR Master Data

Organizational and employee-level master data is maintained through the Personnel Management module in versions 4.6 and above. HR-related data fields are grouped and controlled in this module through records known as infotypes. There are multiple infotypes, each identified through a unique four-digit code. Examples include Personal Data (0002), which contains fields for an employee's first name, last name and date of birth, among other areas. Codes between 0000 and 0999 are assigned to HR/payroll data, 1000 to 1999 are used for organizational data, and 2000 to 2999 are used for time-related data. Infotypes can have numerous subtypes and, since HR data is time-dependent, an employee can have multiple records for the same infotype. The complete list of infotypes configured in SAP can be viewed through the menu path IMG - Personnel Management - Personnel Administration - Customizing Procedures - Infotypes. Access to master data should be configured at the infotype level and correspond to role requirements.

Within each SAP client, company codes are usually configured with several personnel areas and sub-areas and employee groups and sub-groups. These areas and groups control wage types, pay scales, default values for basic pay and other critical areas of employee master data. The enterprise structure, including specific settings in personnel areas and employee groups within each company code, should be closely reviewed using transaction EC01. Furthermore, a sample of master records should be reviewed to ensure that employees are assigned to the correct areas and groups. Master records should also be reviewed to ensure employees are assigned to the appropriate health, insurance, savings and other benefit plans. Configured plans and associated rules should be reviewed through IMG - Personnel Management - Benefits.

To safeguard against the risk of duplicate employees in the system, SAP should be configured to compare information such as last name, first name and date of birth against existing records during the entry of new employees. This is performed through IMG - Personnel Management - Personnel Administration - Customizing Dynamic Actions - Activate Concurrent Employment for Personnel Administration. Once configured, SAP will automatically display possible matches against both active and inactive records.

SAP should also be configured to provide a sufficient audit trail for changes to key infotypes. This is performed through tables HR Documents: Infotypes with Documents (V_T585A), HR Documents: Field Group Definition (V_T585B), and HR Documents: Field Group Characteristics (V_T585C). Changes are displayed in report RPUAUD00 (Logged Changes in Infotype Data).

Access to key master data transactions such as PA10 (Personnel File), PA20 (Display HR Master Data), PA30 (Maintain HR Master Data) and PA40 (Personnel Actions) and authorization object P_ORGIN should be restricted and based on role requirements. Access should be qualified with the P_PERNR authorization object, which prevents users from changing specific infotypes in their own personnel records.
Write operations W, S, D and E should be specified in the AUTHC (Authorization code) field of the P_PERNR object and the PSIGN field should be set to E (Exclude). The infotypes that are subject to the exclusion should be listed in the INFTY field. Users should not be granted inconsistent authorizations, since this could override any exclusions. For example, an authorization with AUTHC = * and PSIGN = I (Include) will grant read access to all personnel records for infotypes specified in INFTY, regardless of exclusions for the same infotypes configured through other authorizations.

Consideration should be given to implementing dual control over master data changes. This can be achieved by preventing changes in master records entered by one set of users from taking effect until they are released by another set of users with the appropriate authorizations. The latter group should have the authorizations to release changes but should not be able to enter master data.

Time Management

Time-related data including working hours, absences, overtime and allowances can be pulled from external time recording systems or entered directly into SAP through channels such as the Cross-Application Time Sheet (CATS) function. CATS integrates directly with other components of SAP including Logistics and Project Systems through Business Application Programming Interfaces (BAPIs). Accounting integration for time-data infotypes is enabled by default but can be disabled through customization. Therefore, the Infotype with Acct/Logistics Data area of IMG for HCM should be closely reviewed to ensure that integration is not deselected for any infotype. If Workforce Management (WFM) is used to manage employee time data, the mapping of SAP infotypes to WFM specification types should be reviewed in the WFM Core.

Time entry rules including validation checks, tolerances and controls for required, suppressed and optional fields are configured and applied through CATS profiles. The settings for each CATS profile assigned to every user interface should be reviewed in the Time Sheet area of the Cross-Application Components area of IMG. Release procedures are also defined with each profile. Approvals can be triggered manually but SAP Business Workflow should be used wherever possible to support time sheet review and approval. The attributes of workflows should be reviewed through the Workflow Builder. Other areas of IMG that should be carefully reviewed include rules for Work Schedules, Time Data Recording and Administration, and Schemas in Personnel Time Management. The last is particularly important since it impacts Time Evaluation.

This is an SAP function that detects potential errors in time-related data entered during a pay period prior to processing. Time Evaluation should be configured as a daily scheduled job. Errors and warnings generated by the Time Evaluation report RPTIME00 should be reviewed and resolved by administrators before time data is transferred to payroll. This report displays exceptions to rules configured in the schemas. Examples could include employees or contractors that have reported more than 8 hours in a day or 40 hours in a week or registered more than 20 days of vacation leave. The Time Management Status in the Planned Working Time infotype (0007) in every record for hourly employees should not be set to zero, since this will exclude employees from Time Evaluation.

Access to the time management transactions listed in Table A should be restricted, including the ability to approve timesheets, which should be assigned exclusively to functional managers. The dummy infotype 0316 is the authorization required for time sheet entry. Infotype 0328 is required for time approval.

Table A: Time Management Transactions

TRANSACTION   DESCRIPTION
CAT2, CAT3    Time Sheet: Initial Screen
CAPS          Time Sheet: Approve Times (Select by Master Data)
CAT4          Time Sheet: Approve Times (Selection by Org. Assignment)
CAPP          Time Sheet: Approve Times
PP61          Change Shift Plan: Entry Screen
PA61          Maintain Time Data
PA62          List entry for additional data
PA63          Maint. time data
PA64          Calendar entry
PA70          Fast Entry (Time Data)

Travel Management

SAP Travel Management uses workflow to track and approve trip requests, book approved requests through integration with external reservation systems, and record, reimburse and post travel expenses. It performs an important control function by enforcing compliance with travel policies. The relevant rules, profiles and parameters for travel components should be reviewed in IMG - Financial Accounting - Travel Management to ensure alignment with travel policies and procedures.
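The Time Evaluation exceptions described above (more than 8 hours in a day, more than 40 hours in a week, more than 20 days of vacation leave) are illustrated by the following added check over constructed time records. This is an added example, not code from the guide or from SAP's RPTIME00; the record layout, the sample data and the assumption that the vacation limit applies per calendar year are constructed assumptions.

```python
"""Added illustration, not code from the guide or from SAP's RPTIME00: a small
exception check that applies the three example rules the guide lists for Time
Evaluation to constructed time records. The record layout, thresholds and the
per-calendar-year vacation limit are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed sample time data: (personnel number, date, hours, record type).
SAMPLE_RECORDS = [
    ("00001001", date(2012, 3, 5), 8.0, "work"),
    ("00001001", date(2012, 3, 6), 9.5, "work"),   # more than 8 hours in a day
    ("00001001", date(2012, 3, 7), 8.0, "work"),
    ("00001001", date(2012, 3, 8), 8.0, "work"),
    ("00001001", date(2012, 3, 9), 8.0, "work"),   # week total 41.5 hours
    ("00001002", date(2012, 3, 5), 8.0, "work"),
    ("00001002", date(2012, 3, 6), 8.0, "work"),
] + [("00001003", date(2012, 1, d), 8.0, "vacation") for d in range(2, 23)]  # 21 days

MAX_HOURS_PER_DAY = 8.0
MAX_HOURS_PER_WEEK = 40.0
MAX_VACATION_DAYS = 20        # assumed to apply per calendar year


def evaluate_time_data(records):
    """Return (pernr, rule, period, value) tuples for every record set that
    breaks one of the three rules. Only 'work' hours count toward the daily and
    weekly limits; 'vacation' records count as leave days."""
    daily = defaultdict(float)      # (pernr, date) -> hours
    weekly = defaultdict(float)     # (pernr, ISO year, ISO week) -> hours
    vacation = defaultdict(set)     # (pernr, year) -> dates on leave
    for pernr, day, hours, rtype in records:
        if rtype == "work":
            daily[(pernr, day)] += hours
            iso_year, iso_week, _ = day.isocalendar()
            weekly[(pernr, iso_year, iso_week)] += hours
        elif rtype == "vacation":
            vacation[(pernr, day.year)].add(day)
    exceptions = []
    for (pernr, day), hours in sorted(daily.items()):
        if hours > MAX_HOURS_PER_DAY:
            exceptions.append((pernr, "DAILY_HOURS", day.isoformat(), hours))
    for (pernr, year, week), hours in sorted(weekly.items()):
        if hours > MAX_HOURS_PER_WEEK:
            exceptions.append((pernr, "WEEKLY_HOURS", f"{year}-W{week:02d}", hours))
    for (pernr, year), days in sorted(vacation.items()):
        if len(days) > MAX_VACATION_DAYS:
            exceptions.append((pernr, "VACATION_DAYS", str(year), len(days)))
    return exceptions


if __name__ == "__main__":
    # Each line is one exception an administrator would resolve before the
    # time data is transferred to payroll.
    for pernr, rule, period, value in evaluate_time_data(SAMPLE_RECORDS):
        print(f"{pernr} {rule:<14} {period:<10} {value}")
```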

Standard Travel Management roles should be assigned to users. Most employees should be assigned the SAP_FI_TV_TRAVELER role, which enables users to request trips, check travel services and enter travel expenses. For organisations that opt for a centralized rather than decentralized model, these tasks will be performed by a smaller group of users with the SAP_FI_TV_TRAVEL_ASSISTANT role. The MANAGER_GENERIC and ADVANCE_PAYER roles should be assigned to users responsible for approving trip requests, expense statements and/or advances. The ADMINISTRATOR role should be closely safeguarded since it provides users with the ability to approve expense statements for all travelers in the enterprise. The same rule applies to the TRAVEL_MANAGER role, which allows users to change configuration parameters for areas such as travel policies and maintain HR master data.

Travel expenses should be transferred to FI after approval for posting to the relevant GL accounts. This is performed through transactions PFRI (Create Posting Run) and PRRW (Manage Posting Runs). Payments can be processed through payroll, check or direct deposit. Transactions PRDX, PRD1 and FDTA are used for direct deposit, PRPY for payroll and PRCU for check printing. Other significant transactions are listed in Table B.

Table B: Travel Management Transactions

TRANSACTION   DESCRIPTION
PRMM          Personnel Actions
PRMD          Maintain HR Master Data
PRMS          Display HR Master Data
PRAA          Automatic Vendor Maintenance
PRAP          Approval of Trips
PR02          Travel Calendar
PR03          Trip Advances
PR04          Edit Weekly Report
PR05          Travel Expense Manager
PRCC          Import Credit Card Files
PRCCD         Display Credit Card Receipts
TPMM          Personnel Actions (Travel Planning)
TPMD          Maintain HR Master Data (Travel Planning)
TPMS          Display HR Master Data (Travel Planning)
TP01          Planning Manager

Payroll Processing

Master data should be locked during a payroll run to prevent any changes. This is performed through Payroll Control Records, accessed through transaction PA03 (Maintain Personnel Control Record). Each pay area has an individual control record. The payroll period selected as the basis for the control records should be set to the period immediately before the live period. Also, the maximum number of past periods that are open for payroll adjustments should be appropriately set in the Earliest Retro Acctg Period field. Note that SAP uses the earliest personal retroactive accounting date set in the Payroll Status infotype (0003) in each employee master record if this does not match the date set in the control record. Payroll control records can be used to determine which employees were included and rejected in the last payroll run. The latter group can be identified by selecting Incorrect Pers. Nos. and Locked Pers. Nos.

The ability to enter or update certain infotypes during a payroll run through transactions such as PAKG/PAUX (Adjustments Workbench) should be restricted. The employee remuneration information infotype should be configured to prevent adjustments to wage types such as salaries, since any adjustment will override the value in the master record. This should be performed through the IMG area Maintain Wage Types. Minimum and maximum values can be configured for each wage type. The latter is highly recommended. Rounding divisors for wage types should be reviewed to ensure they are configured appropriately (divisors can be set anywhere between 1 and 100). The posting characteristics, including time-dependencies for wage types and month-end accruals, should also be reviewed under account assignments. Wage types are mapped to symbolic accounts, which in turn are mapped to GL accounts.

Gross and net pay calculations are performed by the system based on processing rules known as personnel calculation rules. These rules are grouped in schemas and can be adjusted through transactions PE01 (Maintain Payroll Schemas), PE01N (Editor for Payroll Schemas), PE02 (Maintain Calculation Rules), PE02N (Editor for PC rules) and PE04 (Create Functions and Operations). Access to these sensitive functions should be safeguarded.

There are a number of standard SAP reports that should be reviewed by management during each payroll run to confirm the validity of any adjustments and identify discrepancies. These include reports RPCEDT00 (Payroll Exceptions), RPUAUD00 (Logged Changes in Infotype Data) and RPURECG0 (Payroll Results).

Advances, bonuses, corrections and other forms of payments or deductions outside scheduled payroll runs are processed through the Off-Cycle Workbench (transaction PUOC) for individual employees or through batch input using the One-Time Payments Off-Cycle infotype (0267) for multiple employees. Reason codes should be configured and consistently applied for all payments. Furthermore, procedures should be in place to ensure that off-cycle functions are used to process and record payroll data for manual checks created outside the system.

SAP Payroll integrates into the FI AP payment program for check printing and Automated Clearing House (ACH) transfers. The latter is performed through the Payroll Bank Transfer Pre-DME Program, where DME is an acronym for Data Medium Exchange. This process creates a preliminary DME file that should be validated by management before the final file is generated in CEMTEX format and transferred to a designated processing bank. The Bank Deposit Summary report should be sent to the bank along with the file to enable reconciliation. Payment methods and banking information are configured in IMG - Personnel Administration - Personal Data - Bank Details - Define Payment Methods and Payroll - Data Medium Exchange - Preliminary Programs for DME - Set Up House Banks. The above process will update the check register in FI AP but will not update accounts in the General Ledger. This has to be manually performed through transaction PCP0 (Edit Posting Runs) or through the menu path Payroll - Subsequent Activities - Per Payroll Period - Evaluation - Posting to Accounting - Execute Posting Run / Process Posting Run / Check Completeness. Payables to tax authorities, benefit providers and other third parties should be transferred to AP for settlement through Payroll - Subsequent Activities - Per Payroll Period - Evaluation - Third Party Remittance.

Employee Self Service

Employee Self-Service (ESS) is a Web Dynpro (Java) application that operates on the Enterprise Portal (EP). It enables employees to maintain their personal information, enter leave requests, update timesheets, display pay slips, and perform other similar functions. Employees must be assigned a user record in the J2EE with an appropriate role to be able to use ESS. This is performed through the HRUSER transaction or the menu path IMG - Personnel Management - Employee Self-Service (ITS Version) - General Settings for ESS - Create SAP Users for ESS. Users should be assigned a single role from a copy of the composite SAP_EMPLOYEE_ERP role provided by SAP and should only have the ability to update their own data for certain types of infotypes. Bank account information, for example, should only be updated centrally by authorized HR users. This should be configured through the P_PERNR authorization object rather than P_ORGIN. The former takes precedence over the latter. ESS users without P_PERNR may be able to view and update records belonging to other employees.
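The P_PERNR guidance in the HR Master Data section (write codes W, S, D and E excluded via PSIGN = E, and an Include with AUTHC = * overriding such exclusions) and the ESS point above (roles without P_PERNR) can both be checked mechanically. The following is an added example, not code from the guide or from SAP: it scans a role's exported P_PERNR authorizations for an Include that overrides an Exclude and flags roles with no P_PERNR at all. The field-matching rules, the role names and the use of infotype 0008 (Basic Pay) in the sample data are assumptions.

```python
"""Added audit check, not taken from the guide or from SAP: scan the P_PERNR
authorizations of a role for the inconsistency the guide describes, an
Include (PSIGN = I) entry whose AUTHC and INFTY overlap an Exclude (PSIGN = E)
entry, which overrides the exclusion, and flag roles that carry no P_PERNR
at all. Field-matching rules and sample roles are assumptions."""

# P_PERNR authorization codes: W, S, D and E are the write operations the
# guide says should be excluded on an employee's own record.
WRITE_CODES = {"W", "S", "D", "E"}
ALL_CODES = WRITE_CODES | {"R", "M"}   # R = read, M = matchcode (search)


def expand_authc(authc):
    """'*' stands for every code; otherwise each character is one code."""
    return set(ALL_CODES) if authc == "*" else set(authc)


def infty_overlaps(a, b):
    """Simplified SAP field matching (assumption): '*' matches anything, a
    trailing '*' is a prefix match, anything else must be equal."""
    def matches(pattern, value):
        if pattern == "*":
            return True
        if pattern.endswith("*"):
            return value.startswith(pattern[:-1])
        return pattern == value
    return matches(a, b) or matches(b, a)


def check_p_pernr(role_name, auths):
    """auths: list of dicts with OBJECT, AUTHC, PSIGN and INFTY, as they might
    be exported from a role's authorization data. Returns finding strings."""
    p_pernr = [a for a in auths if a["OBJECT"] == "P_PERNR"]
    if not p_pernr:
        return [f"{role_name}: no P_PERNR authorization, so no own-record "
                "exclusions are enforced for this role"]
    excludes = [a for a in p_pernr if a.get("PSIGN") == "E"]
    includes = [a for a in p_pernr if a.get("PSIGN") == "I"]
    findings = []
    for ex in excludes:
        for inc in includes:
            overlap = expand_authc(ex["AUTHC"]) & expand_authc(inc["AUTHC"])
            if overlap and infty_overlaps(ex["INFTY"], inc["INFTY"]):
                findings.append(
                    f"{role_name}: exclusion of {''.join(sorted(overlap))} on "
                    f"infotype {ex['INFTY']} is overridden by an Include with "
                    f"AUTHC={inc['AUTHC']} INFTY={inc['INFTY']}")
    return findings


# Constructed sample roles; names and contents are illustrative only.
# Infotype 0008 (Basic Pay) stands in for a record an employee must not edit.
WEAK_ROLE = [
    {"OBJECT": "P_PERNR", "AUTHC": "WSDE", "PSIGN": "E", "INFTY": "0008"},
    {"OBJECT": "P_PERNR", "AUTHC": "*", "PSIGN": "I", "INFTY": "*"},  # overrides
]
FIXED_ROLE = [
    {"OBJECT": "P_PERNR", "AUTHC": "WSDE", "PSIGN": "E", "INFTY": "0008"},
    {"OBJECT": "P_PERNR", "AUTHC": "R", "PSIGN": "I", "INFTY": "*"},  # read only
]
ESS_ROLE_WITHOUT_PERNR = [
    {"OBJECT": "P_ORGIN", "AUTHC": "R", "INFTY": "*"},
]

if __name__ == "__main__":
    for name, role in (("WEAK_ROLE", WEAK_ROLE), ("FIXED_ROLE", FIXED_ROLE),
                       ("ESS_ROLE_WITHOUT_PERNR", ESS_ROLE_WITHOUT_PERNR)):
        for line in check_p_pernr(name, role) or [f"{name}: no findings"]:
            print(line)
```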

Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth.

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993

Copyright Layer Seven Security 2012 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.