Identifying Proactive Process Solutions for Key Payroll and Time Management Controls. Bhavesh Bhagat, EnCrisp



2 What We'll Cover
- Need to monitor Payroll & Time proactively
- Control basic concepts
- SAP Payroll & Time critical process and control areas
- SAP Payroll & Time transactions to consider
- SAP Payroll and privacy issues
- Upcoming legislation that will affect SAP HR Payroll and Time
- Wrap-up

3 WHY Payroll & Time are SENSITIVE?
- Payroll is one of the largest cash outflows for most companies
- Time feeds into Payroll and directly impacts the bottom line
- Payroll as a process has been identified as a material process for Sarbanes-Oxley and other audit criteria
- Often these two processes have interfaces with other systems and many manual/hybrid processes built into them.
EVERYONE TURN TO YOUR LEFT SIDE and ASK HOW MUCH THAT PERSON SITTING NEXT TO YOU MAKES

4 CASE for PROACTIVE CONTROLS MONITORING
- Payroll, Time and other Human Capital related processes have been the SECOND LARGEST weakness in efforts for regulatory compliance
- In the past: manual point-in-time audits; sampling of records and review of payroll checklists
- NEW PARADIGM: end-to-end process review (minimize sampling)
  - Configuration
  - Integration
  - Security objects & transactions
  - Segregation of Duties
- NOT one time but ongoing


6 Audit, System and Business Processes
Compliance integration comes by planning across these three components:
- Audits & Auditors
- Systems & Controls
- Business Processes
>> A significant value opportunity exists when these are integrated <<
>>>> Use Sarbanes-Oxley as the catalyst for positive change and an increase in value <<<<

7 Types of Controls Applicable for Payroll & Time Controls
- Entity level controls
- System level controls
- Process level controls
- Control documentation
- Monitoring
SAP Payroll & Time are involved in all of these control activities. The HR business and HR systems resources must be engaged when these controls are being developed.

8 Payroll & Time Controls Repositories

Template columns: Ref | Exposure/Risk Threat | What? (what could go wrong scenario) | Severity | How? (identify the root cause of the problem: how can the exposure occur) | Prob (without and with controls) | Controls/Practices (identify the controls implemented to mitigate the exposure/risk) | Type | Timing | Resp | Status | Plan | Control Tested

Example row (Exposure/Risk: Information Integrity Loss/Disclosure):
Ref 1 | What: Unauthorized access to the system | Severity: II/III | How: Unauthorized user gains access to authorized user ID while logged on | Prob: P | Controls: Users are encouraged to log off when leaving their desks for long periods of time | Type: P | Timing: X | Resp: Users | Status: E

Column legend:
Ref # - Uniquely identifies the item to document
What - Provides the what could go wrong scenario
Severity - Identifies the impact (I-greatest, IV-least)
How - Identifies how the what could go wrong scenario could occur
Prob - Probability of the scenario occurring (P-Probable, L-Likely, S-Small)
Controls - Identify controls implemented or to be implemented to prevent, detect, or correct the scenario (leverage controls best practices)
Timing - Identify when the control is to be implemented or if it already is
Type - Type of control (P-Preventive, D-Detective, C-Corrective)
Resp - Who is responsible for the control
Status - Identify if the control is implemented or what stage of development it is in
Plan - Document the plan to implement or maintain the control
Control Tested - Identify if the control has been tested and signed off

9 Payroll & Time Controls Repositories (real-life proactive template to follow)

Same columns as the previous slide: Ref | Exposure/Risk Threat | What? | Severity | How? | Prob (without / with controls) | Controls/Practices | Type | Timing | Resp | Status | Plan | Control Tested

Exposure/Risk: Information Integrity
Ref 1 | What: Reconciliation process does not detect problem with data | Severity: II | How: Reconciliation is not performed | Controls: Business decides at what level to reconcile the loaded data. Any discrepancies below the P.O. level are likely immaterial, or would be detected by users / reconcilers if significant offsets occurred. | Type: D | Timing: E | Resp: Payroll & Financial Acctg Teams | Status: E | Plan: -

Exposure/Risk: Information Disclosure
Ref 2 | What: Application security access | Severity: III/IV | How: Users can change data warehouse data | Controls: Users have read only access. | Type: P | Timing: X | Resp: HR Security | Status: E | Plan: -
Ref 3 | What: Competitive or proprietary data (e.g. Reserves) could be accessed by unauthorized people | Severity: II/III | How: Somebody directly accesses the ORACLE tables | Controls: Users are not allowed direct access to the tables. Users cannot log onto the box separately from BW. | Type: P | Timing: X | Resp: HR Security | Status: E | Plan: -

Prob (without / with controls) for these rows: O / R

10 Best Practice Controls Approach
- Are business processes and approvals appropriate for supporting the Payroll & Time sub-system?
  - User access processes, approvals, and controls
  - Change control processes and controls
- Is documentation clearly written and appropriate?
  - Payroll run manuals updated upon process or system changes
  - Time entry procedures relevant to support the current controls environment
- Are processes and controls functioning as intended?
  - Reviews established to periodically assess appropriateness of documentation
  - Reviews conducted to periodically test functionality of controls


12 Key SAP HR Transactions and Processes
- Recruiting
- Personnel Administration
- Time Management
- Payroll
- Performance Management
Auditors may bring a list of standard TCODES that have to be secured! This list has been developed outside of your business processes and functions.

13 Critical Process and Control Areas: Key TCODES (current count from 4.6c). Examples: PA**, PC10**, etc. See spreadsheet HR SOD.

14 Critical Process and Control Areas: Key Objects (current count from 4.6c). Examples: P_ORGIN, PLOG, PCLx, etc.

15 Segregation of Duties
Segregation of Duties (SOD) processes and underlying TCODE and object conflicts.
Key payroll transaction codes allowing some form of payroll execution:
- PC00_M**_CALC
- SE38, SA38
- PA03
- PC00_M**_CDTE (FFOT, FPAYM, FFOC, RFFOAVIS)
- PUOC_**
- PAUX, PAUY
Other transaction codes that should be segregated from the payroll processing personnel:
- PA30, PA40, PA41, PA42, PA61, PA62, PA63, PA70, PA71
- All HRCMP* and any other way to change pay-relevant master data

16 Identification Management and Employee Life Cycle Issues for Payroll
EE lifecycle key ISSUE: employees leave the organization and HR usually has the responsibility to provide the notification.
ARE YOU PAYING YOUR ex-employees?
Is your HR department part of your IT department's ID management process? YES is the normal answer!
Contingent workforce may pose special issues.
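The two questions on this slide (are leavers still being paid, and are their IDs still open) can be answered mechanically by comparing HR leaving dates against payroll results and the user master. The following is an added example, not part of the presentation: all data is constructed and stands in for extracts of HR master data (leaving date from the leaving action), payroll results per period and the SAP user master; the field names are assumptions for the sake of the example.

```python
"""Leaver checks: payroll results and user IDs compared against HR leaving dates.

Added example, not from the presentation. All data is constructed."""
from datetime import date

# Constructed HR master data: personnel number -> leaving date (None = still active)
EMPLOYEES = {
    "00001001": {"name": "Active, Alice", "leaving_date": None},
    "00001002": {"name": "Left, Bob", "leaving_date": date(2004, 3, 15)},
    "00001003": {"name": "Gone, Carol", "leaving_date": date(2004, 1, 31)},
}

# Constructed payroll results: (pernr, period start, period end, net pay)
PAYROLL_RESULTS = [
    ("00001001", date(2004, 4, 1), date(2004, 4, 30), 3200.00),
    ("00001002", date(2004, 3, 1), date(2004, 3, 31), 1500.00),  # final pay in the leaving period
    ("00001002", date(2004, 4, 1), date(2004, 4, 30), 3000.00),  # a full month after leaving
    ("00001003", date(2004, 4, 1), date(2004, 4, 30), 2800.00),  # left in January, still paid
    ("00009999", date(2004, 4, 1), date(2004, 4, 30), 2100.00),  # no HR master record at all
]

# Constructed SAP user master: user id -> linked pernr and lock status
SAP_USERS = {
    "ALICE": {"pernr": "00001001", "locked": False},
    "BOB": {"pernr": "00001002", "locked": False},   # leaver, still unlocked
    "CAROL": {"pernr": "00001003", "locked": True},  # leaver, locked: fine
}

AS_OF = date(2004, 4, 30)  # review date for the ID check


def payments_after_leaving(employees, results):
    """Payroll results for periods that begin after the employee's leaving date,
    plus results for personnel numbers that have no HR master record at all."""
    findings = []
    for pernr, start, _end, amount in results:
        emp = employees.get(pernr)
        if emp is None:
            findings.append((pernr, "no HR master record", amount))
            continue
        leaving = emp["leaving_date"]
        # Pay for the period in which the person left is expected (final pay);
        # anything for a later period is a leaver still being paid.
        if leaving is not None and start > leaving:
            findings.append((pernr, f"period starts after leaving date {leaving}", amount))
    return findings


def active_ids_for_leavers(employees, users, as_of):
    """SAP user IDs still unlocked although the linked employee left on or before as_of."""
    return sorted(
        uid for uid, u in users.items()
        if not u["locked"]
        and employees.get(u["pernr"], {}).get("leaving_date") is not None
        and employees[u["pernr"]]["leaving_date"] <= as_of
    )


def exposure(findings):
    """Total amount paid out on flagged results."""
    return round(sum(amount for _pernr, _why, amount in findings), 2)


if __name__ == "__main__":
    flagged = payments_after_leaving(EMPLOYEES, PAYROLL_RESULTS)
    for pernr, why, amount in flagged:
        print(f"{pernr}: {why}: {amount:.2f}")
    print("exposure:", exposure(flagged))
    print("unlocked IDs of leavers:", active_ids_for_leavers(EMPLOYEES, SAP_USERS, AS_OF))
```

The payment check deliberately tolerates pay in the leaving period itself (final pay and retro adjustments land there) and only flags later periods; the ID check is the HR-to-IT handoff the slide asks about, run from the HR side so that a missed notification shows up as an unlocked ID rather than staying invisible.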

17 Critical Process and Control Areas: The HR objects are not enough! You will need to know the BASIS objects and when they are used to support HR functionality. HR functionality has a layered approach, from infotypes to workbenches to its programs.


19 SAP HR and Payroll Objects to Consider
Key object examples: S_TABU_DIS, P_ABAP, PLOG, P_ORGIN, S_GUI, PCLx, P_PCR
Key transactions: payroll driver, time driver, posting to FI
Key workbenches: off-cycle workbench, time manager's workbench, HR process workbench
Work with BASIS to understand and plan!

20 SAP Payroll Workbench Issues to Consider
- You may be using workflow and not even know it!
- Some processes require some form of workflow: vacancy processing, the SAP Office, and the process workbench
- Granting SAP_ALL for workflow will not be allowed.

21 Four Concepts Supporting Proactive Payroll/Time Controls
1) Reduce or eliminate access to execute programs / reports (SA38, SE38).
2) Security of custom programs: add an authorization object as a development requirement.
3) Assignment to area menus: create a new and specific transaction for reports, queries and programs.
4) Limitation of infotype access through the P_ABAP authorization object.
Work with BASIS and security to create custom limited roles with necessary authorizations and nothing more!

22 SAP HR and Payroll: Example of common SOD violation at the object level
Master data changes (PA30/40) + object P_ORGIN and S_TCODE
+ object P_ABAP and S_TCODE: payroll processing, ability to run RPCALCU0
= Backdoor SOD conflict from the objects! Especially for infotypes 8, 14, 15, 2001 and 2002!
You may be able to mitigate the risk by setting up a monitoring system.

23 SAP HR and Time Processing: Example of common SOD violation at the object level
Master data changes to infotype 2001 or PA30/40 + object P_ORGIN change authorization
+ object P_ABAP program access to RPTIME00 (time evaluation): ability to change the hours worked or the type of hours (regular to OT)
= Backdoor SOD conflict from adjusting the hours! Especially for infotypes 2013, 2011, 2010, 2001 and 2002!
You may be able to mitigate the risk by setting up a monitoring system.
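The monitoring the last two slides suggest, and the transaction-level split from the Segregation of Duties slide, can be expressed as rules run over each user's authorization values. The following is an added example and not the presenter's tool: the rules encode the conflicts the slides describe (PA30/PA40 plus a payroll run transaction; P_ORGIN change on pay infotypes plus P_ABAP access to RPCALCU0; P_ORGIN change on time infotypes plus P_ABAP access to RPTIME00), while the sample users are constructed and the dictionary layout (object -> field -> values) is an assumption about how an authorization extract would be represented. S_TCODE/TCD, P_ORGIN/INFTY, P_ORGIN/AUTHC and P_ABAP/REPID are the real object and field names.

```python
"""Object- and transaction-level SoD check for SAP HR payroll and time.

Added example, not from the presentation. Sample users are constructed."""
from fnmatch import fnmatchcase

# Transactions that change pay-relevant master data (slide 15)
MASTER_DATA_TCODES = {"PA30", "PA40", "PA41", "PA42", "PA61", "PA62", "PA63",
                      "PA70", "PA71", "HRCMP*"}
# Transactions allowing some form of payroll execution (slide 15)
PAYROLL_RUN_TCODES = {"PC00_M*_CALC", "PC00_M*_CDTE", "PUOC_*", "PA03",
                      "SA38", "SE38", "PAUX", "PAUY"}
PAY_INFOTYPES = {"0008", "0014", "0015", "2001", "2002"}   # slide 22
TIME_INFOTYPES = {"2013", "2011", "2010", "2001", "2002"}  # slide 23
# P_ORGIN AUTHC values that permit changes (R = read and M = matchcode do not)
CHANGE_LEVELS = {"W", "E", "D", "S", "*"}

# Constructed authorization extracts: user -> object -> field -> set of values
SAMPLE_USERS = {
    # Payroll processor who can also maintain master data: transaction-level conflict
    "PAYRUN1": {
        "S_TCODE": {"TCD": {"PA30", "PC00_M10_CALC", "PC00_M10_CDTE"}},
        "P_ORGIN": {"INFTY": {"*"}, "AUTHC": {"*"}},
        "P_ABAP": {"REPID": {"RPCALCU0"}},
    },
    # No payroll transactions, but RPC* report access plus change on IT0008: object-level backdoor
    "HRADMIN2": {
        "S_TCODE": {"TCD": {"PA30", "PA40", "SU53"}},
        "P_ORGIN": {"INFTY": {"0000", "0001", "0002", "0008"}, "AUTHC": {"R", "W"}},
        "P_ABAP": {"REPID": {"RPC*"}},
    },
    # Display-only on time infotypes, may run RPTIME00: clean
    "TIMEVIEW3": {
        "S_TCODE": {"TCD": {"PA20", "PT60"}},
        "P_ORGIN": {"INFTY": {"2001", "2002", "2010"}, "AUTHC": {"R"}},
        "P_ABAP": {"REPID": {"RPTIME00"}},
    },
    # Can change IT2010/IT2011 and run time evaluation: object-level time backdoor
    "TIMEADM4": {
        "S_TCODE": {"TCD": {"PA30", "PT60"}},
        "P_ORGIN": {"INFTY": {"2010", "2011"}, "AUTHC": {"W"}},
        "P_ABAP": {"REPID": {"RPTIME00"}},
    },
}


def _overlap(values, patterns):
    """True when any stored value overlaps any pattern. '*' is the SAP wildcard and
    may sit on either side (a role value such as RPC* or an INFTY of '*')."""
    return any(fnmatchcase(v, p) or fnmatchcase(p, v) for v in values for p in patterns)


def _field(auths, obj, fld):
    return auths.get(obj, {}).get(fld, set())


def sod_findings(auths):
    """List the SoD conflicts present in one user's authorization values."""
    tcodes = _field(auths, "S_TCODE", "TCD")
    infty = _field(auths, "P_ORGIN", "INFTY")
    authc = _field(auths, "P_ORGIN", "AUTHC")
    reports = _field(auths, "P_ABAP", "REPID")
    can_change = bool(authc & CHANGE_LEVELS)
    findings = []
    # 1. Transaction level: maintains master data AND can execute payroll
    if _overlap(tcodes, MASTER_DATA_TCODES) and _overlap(tcodes, PAYROLL_RUN_TCODES):
        findings.append("TCODE: master data maintenance + payroll execution")
    # 2. Object level (slide 22): change on pay infotypes + P_ABAP access to RPCALCU0
    if can_change and _overlap(infty, PAY_INFOTYPES) and _overlap(reports, {"RPCALCU0"}):
        findings.append("OBJECT: P_ORGIN change on pay infotypes + P_ABAP RPCALCU0")
    # 3. Object level (slide 23): change on time infotypes + P_ABAP access to RPTIME00
    if can_change and _overlap(infty, TIME_INFOTYPES) and _overlap(reports, {"RPTIME00"}):
        findings.append("OBJECT: P_ORGIN change on time infotypes + P_ABAP RPTIME00")
    return findings


def scan(users):
    """Users that have at least one finding -> their findings."""
    result = {}
    for uid, auths in users.items():
        findings = sod_findings(auths)
        if findings:
            result[uid] = findings
    return result


if __name__ == "__main__":
    for uid, findings in scan(SAMPLE_USERS).items():
        print(uid, *findings, sep="\n  ")
```

HRADMIN2 is the case the object-level slides warn about: a transaction-only review finds nothing, because the user has no payroll transaction, yet the wildcard REPID value reaches RPCALCU0 and the W level on infotype 0008 lets the same person set the pay that run will process. Matching in both directions is what makes such role wildcards visible.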

24 SAP HR and Time Systems
The timekeeping method must be considered during security and controls design.
Two main classes of timekeeping:
- Positive: each hour must be entered to be paid
- Negative: all scheduled hours are paid unless an exception is processed
Positive time: punch clock or CATS
Key control issues:
- Positive: who enters the hours or has access to the system generating the hours?
- Negative: who enters the absences and exceptions and has access to the time evaluation program?

25 SAP HR and Time Systems
Key control issue (positive time): who enters the hours or has access to the system generating the hours?
Positive time using clock punches usually links SAP to a third-party tool:
- Third-party tool: no SAP security applied here
- SAP master data: SAP authorizations and security applied here
Both systems will need controls designed, implemented, and documented to meet compliance.

26 SAP HR and Time Systems
SAP may not be the only point of SOD scrutiny!
Change or processing access in the time system feeding SAP, combined with program access to SAP time evaluation, is an SOD violation.

27 SAP HR and Payroll Transactions to Consider Benefits and compensation are included in the master data and payroll processing. Executive compensation will be closely scrutinized.


29 SAP HR and Payroll Data Sensitivity: Sensitive information is distributed too widely (especially infotypes 0, 2 and 6)

30 SAP HR and Payroll Data Sensitivity: Spool lists inadequately secured

31 SAP HR and Payroll Data Sensitivity: ABAP queries or programs from other teams select against HR tables with sensitive information
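Custom programs that SELECT directly from the infotype tables bypass the HR authorization checks that the logical database (PNP) and the standard transactions perform, which is the exposure this slide names. One way to find such programs is to scan custom source for direct SELECTs on PAnnnn tables and check whether the program performs any HR authority check of its own. The following is an added example, not from the presentation: the ABAP sources are constructed, while the table names (PA0002, PA0006, PA0008, PA0009, PA0014, PA0015), the AUTHORITY-CHECK statement and GET PERNR are real SAP names.

```python
"""Scan custom ABAP sources for direct SELECTs on HR infotype tables.

Added example, not from the presentation. The sources below are constructed."""
import re

# Infotype tables the deck calls out as sensitive
SENSITIVE_TABLES = {
    "PA0002": "Personal Data", "PA0006": "Addresses", "PA0008": "Basic Pay",
    "PA0009": "Bank Details", "PA0014": "Recurring Payments/Deductions",
    "PA0015": "Additional Payments",
}

# SELECT ... FROM <table>, without crossing the period that ends an ABAP statement
SELECT_RE = re.compile(r"\bSELECT\b(?:(?!\.).)*?\bFROM\s+(\w+)", re.I | re.S)
# Any HR authority check in the program (P_ORGIN, P_PERNR, ...)
HR_AUTH_RE = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+'P_\w+'", re.I)
# Logical database PNP (GET PERNR) performs the HR authorization checks itself
PNP_RE = re.compile(r"\bGET\s+PERNR\b", re.I)

# Constructed custom programs standing in for a source extract
CONSTRUCTED_SOURCES = {
    "ZHR_BANKLIST": """
REPORT zhr_banklist.
DATA lt_bank TYPE TABLE OF pa0009.
SELECT pernr bankl bankn FROM pa0009 INTO CORRESPONDING FIELDS OF TABLE lt_bank
  WHERE endda >= sy-datum.
""",
    "ZHR_PAYLIST": """
REPORT zhr_paylist.
DATA lt_pay TYPE TABLE OF pa0008.
AUTHORITY-CHECK OBJECT 'P_ORGIN' ID 'INFTY' FIELD '0008' ID 'AUTHC' FIELD 'R'.
IF sy-subrc <> 0. MESSAGE e001(zhr). ENDIF.
SELECT pernr ansal FROM pa0008 INTO CORRESPONDING FIELDS OF TABLE lt_pay
  WHERE endda >= sy-datum.
""",
    "ZFI_COSTCENTER": """
REPORT zfi_costcenter.
DATA lt_org TYPE TABLE OF pa0001.
SELECT pernr kostl FROM pa0001 INTO CORRESPONDING FIELDS OF TABLE lt_org
  WHERE endda >= sy-datum.
""",
    "ZHR_PNP_LIST": """
REPORT zhr_pnp_list.
TABLES: pernr.
GET pernr.
  WRITE: / pernr-pernr.
""",
}


def scan_program(name, source):
    """One finding per direct SELECT on a PAnnnn table, noting whether the program
    carries any HR authority check (explicit AUTHORITY-CHECK or logical database)."""
    has_check = bool(HR_AUTH_RE.search(source)) or bool(PNP_RE.search(source))
    findings = []
    for m in SELECT_RE.finditer(source):
        table = m.group(1).upper()
        if not re.fullmatch(r"PA\d{4}", table):
            continue
        findings.append({
            "program": name,
            "table": table,
            "sensitive": table in SENSITIVE_TABLES,
            "infotype": SENSITIVE_TABLES.get(table, "other HR infotype"),
            "hr_auth_check": has_check,
        })
    return findings


def unguarded_sensitive(sources):
    """Programs reading sensitive infotype tables with no HR authority check at all."""
    return [f for name, src in sources.items() for f in scan_program(name, src)
            if f["sensitive"] and not f["hr_auth_check"]]


if __name__ == "__main__":
    for f in unguarded_sensitive(CONSTRUCTED_SOURCES):
        print(f"{f['program']}: direct SELECT on {f['table']} ({f['infotype']}), no HR authority check")
```

The scan is a triage aid, not a proof of safety: a program that contains an AUTHORITY-CHECK is reported as guarded even though the check might not cover the infotype it reads, so the guarded list still deserves a code review. Programs that only read PA0001 are reported but not treated as sensitive, which keeps the unguarded list focused on the tables the slide is concerned with.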


33 Upcoming Legislation that will affect the SAP HR & Payroll sub-process
- Privacy issues driven by the tremendous increase in identity fraud have generated significant legislative activity at the state level and are likely to generate significant federal legislation soon
- The use of SSN for any non-payroll or social security activity should be eliminated
- California is the bellwether state regarding personal identifying information legislation
- Expect a convergence of HIPAA, Sarbanes-Oxley, and identity fraud compliance

34 Your Turn! Contact us: bb@encrisp.com

35 Session Code: 2004