SAP Audit Guide for Human Resources


This audit guide is designed to assist the review of human resource processes that rely upon controls enabled in SAP systems. The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in Personnel Management and other sub-modules in the Human Capital Management (HCM) application of SAP ERP. The guide provides instructions for assessing application-level controls in the following areas:

- HR Master Data
- Time Management
- Travel Management
- Payroll Processing
- Employee Self Service

The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Financial Accounting, Revenue, Expenditure, Inventory, and Basis.

HR Master Data

Organizational and employee-level master data is maintained through the Personnel Management module in versions 4.6 and above. HR-related data fields are grouped and controlled in this module through records known as infotypes. There are multiple infotypes, each identified through a unique four-digit code. Examples include Personal Data (0002), which contains fields for an employee's first name, last name and date of birth, among other areas. Codes between 0000 and 0999 are assigned to HR/payroll data, 1000 to 1999 are used for organizational data, and 2000 to 2999 are used for time-related data. Infotypes can have numerous subtypes and, since HR data is time-dependent, an employee can have multiple records for the same infotype. The complete list of infotypes configured in SAP can be viewed through the menu path IMG - Personnel Management - Personnel Administration - Customizing Procedures - Infotypes. Access to master data should be configured at the infotype level and correspond to role requirements.

Within each SAP client, company codes are usually configured with several personnel areas and sub-areas and employee groups and sub-groups. These areas and groups control wage types, pay scales, default values for basic pay and other critical areas of employee master data. The enterprise structure, including specific settings in personnel areas and employee groups within each company code, should be closely reviewed using transaction EC01. Furthermore, a sample of master records should be reviewed to ensure that employees are assigned to the correct areas and groups. Master records should also be reviewed to ensure employees are assigned to the appropriate health, insurance, savings and other benefit plans. Configured plans and associated rules should be reviewed through IMG - Personnel Management - Benefits.

To safeguard against the risk of duplicate employees in the system, SAP should be configured to compare information such as last name, first name and date of birth against existing records during the entry of new employees. This is performed through IMG - Personnel Management - Personnel Administration - Customizing Dynamic Actions - Activate Concurrent Employment for Personnel Administration. Once configured, SAP will automatically display possible matches against both active and inactive records.

SAP should also be configured to provide a sufficient audit trail for changes to key infotypes. This is performed through tables HR Documents: Infotypes with Documents (V_T585A), HR Documents: Field Group Definition (V_T585B), and HR Documents: Field Group Characteristics (V_T585C). Changes are displayed in report RPUAUD00 (Logged Changes in Infotype Data).

Access to key master data transactions such as PA10 (Personnel File), PA20 (Display HR Master Data), PA30 (Maintain HR Master Data) and PA40 (Personnel Actions) and authorization object P_ORGIN should be restricted and based on role requirements. Access should be qualified with the P_PERNR authorization object, which prevents users from changing specific infotypes in their own personnel records. Write operations W, S, D and E should be specified in the AUTHC (Authorization code) field of the P_PERNR object and the PSIGN field should be set to E (Exclude). The infotypes that are subject to the exclusion should be listed in the INFTY field. Users should not be granted inconsistent authorizations since this could override any exclusions. For example, an authorization with AUTHC = * and PSIGN = I (Include) will grant read access to all personnel records for infotypes specified in INFTY, regardless of exclusions for the same infotypes configured through other authorizations.

Consideration should be given to implementing dual control over master data changes. This can be achieved by preventing changes in master records entered by one set of users from taking effect until they are released by another set of users with the appropriate authorizations. The latter group should have the authorizations to release changes but should not be able to enter master data.

Time Management

Time-related data including working hours, absences, overtime and allowances can be pulled from external time recording systems or entered directly into SAP through channels such as the Cross-Application Time Sheet (CATS) function. CATS integrates directly with other components of SAP including Logistics and Project Systems through Business Application Programming Interfaces (BAPIs). Accounting integration for time-data infotypes is enabled by default but can be disabled through customization. Therefore, the Infotype with Acct/Logistics Data area of IMG for HCM should be closely reviewed to ensure that integration is not deselected for any infotype. If Workforce Management (WFM) is used to manage employee time data, the mapping of SAP infotypes to WFM specification types should be reviewed in the WFM Core.

Time entry rules including validation checks, tolerances and controls for required, suppressed and optional fields are configured and applied through CATS profiles. The settings for each CATS profile assigned to every user interface should be reviewed in the Time Sheet area of the Cross-Application Components area of IMG. Release procedures are also defined with each profile. Approvals can be triggered manually but SAP Business Workflow should be used wherever possible to support time sheet review and approval. The attributes of workflows should be reviewed through the Workflow Builder. Other areas of IMG that should be carefully reviewed include rules for Work Schedules, Time Data Recording and Administration, and Schemas in Personnel Time Management. The last is particularly important since it impacts Time Evaluation.

Time Evaluation is an SAP function that detects potential errors in time-related data entered during a pay period prior to processing. Time Evaluation should be configured as a daily scheduled job. Errors and warnings generated by the Time Evaluation report RPTIME00 should be reviewed and resolved by administrators before time data is transferred to payroll. This report displays exceptions to rules configured in the schemas. Examples could include employees or contractors that have reported more than 8 hours in a day or 40 hours in a week or registered more than 20 days of vacation leave. The Time Management Status in the Planned Working Time infotype (0007) in every record for hourly employees should not be set to zero since this will exclude employees from Time Evaluation. Access to the time management transactions listed in Table A should be restricted, including the ability to approve timesheets, which should be assigned exclusively to functional managers. The dummy infotype 0316 is the authorization required for time sheet entry. Infotype 0328 is required for time approval.

Table A: Time Management Transactions

TRANSACTION  DESCRIPTION
CAT2, CAT3   Time Sheet: Initial Screen
CAPS         Time Sheet: Approve Times (Select by Master Data)
CAT4         Time Sheet: Approve Times (Selection by Org. Assignment)
CAPP         Time Sheet: Approve Times
PP61         Change Shift Plan: Entry Screen
PA61         Maintain Time Data
PA62         List Entry for Additional Data
PA63         Maintain Time Data
PA64         Calendar Entry
PA70         Fast Entry (Time Data)

Travel Management

SAP Travel Management uses workflow to track and approve trip requests, book approved requests through integration with external reservation systems, and record, reimburse and post travel expenses. It performs an important control function by enforcing compliance with travel policies. The relevant rules, profiles and parameters for travel components should be reviewed in IMG - Financial Accounting - Travel Management to ensure alignment with travel policies and procedures.
Note: Master records should not be configured to exclude hourly employees from Time Evaluation.
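The Time Evaluation exception rules named in the Time Management section (more than 8 hours in a day, 40 hours in a week, or 20 days of vacation) together with the infotype 0007 Time Management Status check from the note above, as an added example that is not from the guide and is not SAP's RPTIME00 or a schema rule. All records, personnel numbers and the vacation absence type code 0100 are constructed.

```python
"""Mock of the Time Evaluation exception checks the guide lists, plus the
infotype 0007 Time Management Status check. Constructed data; not SAP code."""
from collections import defaultdict
from datetime import date, timedelta

MAX_HOURS_DAY, MAX_HOURS_WEEK, MAX_VACATION_DAYS = 8, 40, 20
VACATION_TYPE = "0100"  # constructed absence type code standing in for vacation leave

# Constructed infotype 0007 records: personnel number -> hourly flag and TM status.
IT0007 = {
    "00001001": {"hourly": True, "tm_status": 1},
    "00001002": {"hourly": True, "tm_status": 0},   # hourly with status 0: skipped by evaluation
    "00001003": {"hourly": False, "tm_status": 0},  # salaried: status 0 is not flagged here
}

# Constructed attendance entries (pernr, date, hours) for ISO week 10 of 2012.
ATTENDANCES = [("00001001", date(2012, 3, 5), 9.5)] + \
    [("00001001", date(2012, 3, 5) + timedelta(days=i), 8.0) for i in range(1, 5)] + \
    [("00001003", date(2012, 3, 5) + timedelta(days=i), 8.0) for i in range(5)]

# Constructed absence entries (pernr, date, absence type): 21 vacation days for 00001003.
ABSENCES = [("00001003", date(2012, 1, 2) + timedelta(days=i), VACATION_TYPE) for i in range(21)] + \
    [("00001001", date(2012, 2, 1), "0200")]  # constructed non-vacation type, not counted


def excluded_hourly_employees(it0007=IT0007):
    """Hourly employees whose Time Management Status is 0 and so skip Time Evaluation."""
    return sorted(p for p, r in it0007.items() if r["hourly"] and r["tm_status"] == 0)


def time_exceptions(attendances=ATTENDANCES, absences=ABSENCES):
    """Return (pernr, rule, key, value) tuples for entries that breach the thresholds."""
    daily, weekly, vacation = defaultdict(float), defaultdict(float), defaultdict(int)
    for pernr, day, hours in attendances:
        daily[(pernr, day)] += hours
        year, week, _ = day.isocalendar()
        weekly[(pernr, (year, week))] += hours
    for pernr, _day, atype in absences:
        if atype == VACATION_TYPE:
            vacation[pernr] += 1
    found = []
    for (pernr, day), hours in sorted(daily.items()):
        if hours > MAX_HOURS_DAY:
            found.append((pernr, "DAILY_HOURS", day.isoformat(), hours))
    for (pernr, (year, week)), hours in sorted(weekly.items()):
        if hours > MAX_HOURS_WEEK:
            found.append((pernr, "WEEKLY_HOURS", f"{year}-W{week:02d}", hours))
    for pernr, days in sorted(vacation.items()):
        if days > MAX_VACATION_DAYS:
            found.append((pernr, "VACATION_DAYS", "year-to-date", days))
    return found


if __name__ == "__main__":
    for pernr in excluded_hourly_employees():
        print(f"{pernr}: hourly employee with TM status 0, not evaluated")
    for exc in time_exceptions():
        print(exc)
```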

Note: Travel policies are maintained with the TRAVEL_MANAGER role.

Standard Travel Management roles should be assigned to users. Most employees should be assigned the SAP_FI_TV_TRAVELER role, which enables users to request trips, check travel services and enter travel expenses. For organisations that opt for a centralized rather than decentralized model, these tasks will be performed by a smaller group of users with the SAP_FI_TV_TRAVEL_ASSISTANT role. The MANAGER_GENERIC and ADVANCE_PAYER roles should be assigned to users responsible for approving trip requests, expense statements and/or advances. The ADMINISTRATOR role should be closely safeguarded since it provides users with the ability to approve expense statements for all travelers in the enterprise. The same rule applies to the TRAVEL_MANAGER role, which allows users to change configuration parameters for areas such as travel policies and maintain HR master data.

Travel expenses should be transferred to FI after approval for posting to the relevant GL accounts. This is performed through transactions PFRI (Create Posting Run) and PRRW (Manage Posting Runs). Payments can be processed through payroll, check or direct deposit. Transactions PRDX, PRD1 and FDTA are used for direct deposit, PRPY for payroll and PRCU for check printing. Other significant transactions are listed in Table B.

Table B: Travel Management Transactions

TRANSACTION  DESCRIPTION
PRMM         Personnel Actions
PRMD         Maintain HR Master Data
PRMS         Display HR Master Data
PRAA         Automatic Vendor Maintenance
PRAP         Approval of Trips
PR02         Travel Calendar
PR03         Trip Advances
PR04         Edit Weekly Report
PR05         Travel Expense Manager
PRCC         Import Credit Card Files
PRCCD        Display Credit Card Receipts
TPMM         Personnel Actions (Travel Planning)
TPMD         Maintain HR Master Data (Travel Planning)
TPMS         Display HR Master Data (Travel Planning)
TP01         Planning Manager

Payroll Processing

Master data should be locked during a payroll run to prevent any changes. This is performed through Payroll Control Records, accessed through transaction PA03 (Maintain Personnel Control Record). Each pay area has an individual control record. The payroll period selected as the basis for the control records should be set to the period immediately before the live period. Also, the maximum number of past periods that are open for payroll adjustments should be appropriately set in the Earliest Retro Acctg Period field. Note that SAP uses the earliest personal retroactive accounting date set in the Payroll Status infotype (0003) in each employee master record if this does not match the date set in the control record. Payroll control records can be used to determine which employees were included and rejected in the last payroll run. The latter group can be identified by selecting Incorrect Pers. Nos. and Locked Pers. Nos.

The ability to enter or update certain infotypes during a payroll run through transactions such as PAKG/PAUX (Adjustments Workbench) should be restricted. The employee remuneration information infotype should be configured to prevent adjustments to wage types such as salaries since any adjustment will override the value in the master record. This should be performed through the IMG area Maintain Wage Types. Minimum and maximum values can be configured for each wage type. The latter is highly recommended. Rounding divisors for wage types should be reviewed to ensure they are configured appropriately (divisors can be set anywhere between 1 and 100). The posting characteristics, including time-dependencies for wage types and month-end accruals, should also be reviewed under account assignments. Wage types are mapped to symbolic accounts, which in turn are mapped to GL accounts.

Gross and net pay calculations are performed by the system based on processing rules known as personnel calculation rules. These rules are grouped in schemas and can be adjusted through transactions PE01 (Maintain Payroll Schemas), PE01N (Editor for Payroll Schemas), PE02 (Maintain Calculation Rules), PE02N (Editor for PC Rules) and PE04 (Create Functions and Operations). Access to these sensitive functions should be safeguarded.

There are a number of standard SAP reports that should be reviewed by management during each payroll run to confirm the validity of any adjustments and identify discrepancies. These include reports RPCEDT00 (Payroll Exceptions), RPUAUD00 (Logged Changes in Infotype Data) and RPURECG0 (Payroll Results).

Advances, bonuses, corrections and other forms of payments or deductions outside scheduled payroll runs are processed through the Off-Cycle Workbench (transaction PUOC) for individual employees or through batch input using the One-Time Payments Off-Cycle infotype (0267) for multiple employees. Reason codes should be configured and consistently applied for all payments. Furthermore, procedures should be in place to ensure that off-cycle functions are used to process and record payroll data for manual checks created outside the system.

SAP Payroll integrates into the FI AP payment program for check printing and Automated Clearing House (ACH) transfers. The latter is performed through the Payroll Bank Transfer Pre DME Program. DME is an acronym for Data Medium Exchange. This process creates a preliminary DME file that should be validated by management before the final file is generated in CEMTEX format and transferred to a designated processing bank. The Bank Deposit Summary report should be sent to the bank along with the file to enable reconciliation. Payment methods and banking information are configured in IMG - Personnel Administration - Personal Data - Bank Details - Define Payment Methods and Payroll - Data Medium Exchange - Preliminary Programs for DME - Set Up House Banks. The above process will update the check register in FI AP but will not update accounts in the General Ledger. This has to be manually performed through transaction PCP0 (Edit Posting Runs) or through the menu path Payroll - Subsequent Activities - Per Payroll Period - Evaluation - Posting to Accounting - Execute Posting Run / Process Posting Run / Check Completeness. Payables to tax authorities, benefit providers and other third parties should be transferred to AP for settlement through Payroll - Subsequent Activities - Per Payroll Period - Evaluation - Third Party Remittance.

Employee Self Service

Employee Self-Service (ESS) is a Web Dynpro (Java) application that operates on the Enterprise Portal (EP). It enables employees to maintain their personal information, enter leave requests, update timesheets, display pay slips, and perform other similar functions. Employees must be assigned a user record in the J2EE with an appropriate role to be able to use ESS. This is performed through the HRUSER transaction or the menu path IMG - Personnel Management - Employee Self-Service (ITS Version) - General Settings for ESS - Create SAP Users for ESS. Users should be assigned a single role from a copy of the composite SAP_EMPLOYEE_ERP role provided by SAP and should only have the ability to update their own data for certain types of infotypes. Bank account information, for example, should only be updated centrally by authorized HR users. This should be configured through the P_PERNR authorization object rather than P_ORGIN. The former takes precedence over the latter. ESS users without P_PERNR may be able to view and update records belonging to other employees.
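The P_PERNR behaviour described in the HR Master Data section (write operations W, S, D and E excluded for the user's own record, with an AUTHC = * and PSIGN = I authorization overriding those exclusions) and the P_PERNR-before-P_ORGIN precedence described above, as an added example that is not part of the guide and is not SAP code. It is a simplified model with constructed users and personnel numbers: the organizational fields of P_ORGIN are omitted, and inconsistent_pairs is a hypothetical audit check, not an SAP report.

```python
"""Simplified model of SAP HCM personnel data checks: P_PERNR decides access to the
user's own record before P_ORGIN, and an Include overrides an Exclude for the same
infotype and access level. Constructed data; not SAP code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PPernr:
    """One P_PERNR authorization: AUTHC levels, PSIGN ('I'/'E'), INFTY infotypes."""
    authc: frozenset
    psign: str
    infty: frozenset


@dataclass(frozen=True)
class POrgin:
    """One P_ORGIN authorization reduced to AUTHC and INFTY (org fields omitted)."""
    authc: frozenset
    infty: frozenset


@dataclass
class HrUser:
    own_pernr: str
    p_orgin: list
    p_pernr: list


def _hit(values, wanted):
    """'*' in an authorization field matches any value."""
    return "*" in values or wanted in values


def p_pernr_verdict(auths, infty, authc):
    """'I' if any Include matches, else 'E' if any Exclude matches, else None.
    An Include wins over an Exclude: the override the guide warns about."""
    verdict = None
    for a in auths:
        if _hit(a.infty, infty) and _hit(a.authc, authc):
            if a.psign == "I":
                return "I"
            verdict = "E"
    return verdict


def can_access(user, pernr, infty, authc):
    """P_PERNR decides for the user's own record; otherwise P_ORGIN decides."""
    if pernr == user.own_pernr:
        verdict = p_pernr_verdict(user.p_pernr, infty, authc)
        if verdict is not None:
            return verdict == "I"
    return any(_hit(o.infty, infty) and _hit(o.authc, authc) for o in user.p_orgin)


def inconsistent_pairs(auths):
    """Hypothetical audit check: (infotype, level) pairs where an Include overrides an Exclude."""
    pairs = set()
    for e in (a for a in auths if a.psign == "E"):
        for i in (a for a in auths if a.psign == "I"):
            for it in e.infty:
                for op in e.authc:
                    if _hit(i.infty, it) and _hit(i.authc, op):
                        pairs.add((it, op))
    return sorted(pairs)


WRITE = frozenset({"W", "S", "D", "E"})
OWN_EXCLUDE = PPernr(WRITE, "E", frozenset({"0008", "0009"}))  # basic pay, bank details

# Constructed HR administrator: full P_ORGIN plus the own-record exclusion the guide recommends.
HR_ADMIN = HrUser("00001001", [POrgin(frozenset({"*"}), frozenset({"*"}))], [OWN_EXCLUDE])

# Same user with the inconsistent AUTHC = *, PSIGN = I authorization added.
INCONSISTENT = HrUser("00001001", HR_ADMIN.p_orgin,
                      [OWN_EXCLUDE, PPernr(frozenset({"*"}), "I", frozenset({"0009"}))])

if __name__ == "__main__":
    print(can_access(HR_ADMIN, "00001001", "0009", "W"))      # False: own bank details excluded
    print(can_access(HR_ADMIN, "00002002", "0009", "W"))      # True: another record via P_ORGIN
    print(can_access(INCONSISTENT, "00001001", "0009", "W"))  # True: Include overrides Exclude
    print(inconsistent_pairs(INCONSISTENT.p_pernr))
```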

About Layer Seven Security

Layer Seven Security specializes in SAP security. The company serves customers across the globe to protect SAP systems against internal and external threats and comply with industry and statutory reporting requirements. It fuses technical expertise with business acumen to deliver unparalleled implementation, consulting and audit services targeted at managing risks in contemporary SAP systems. Layer Seven Security employs a distinctive approach to SAP risk management that examines and manages vulnerabilities at the platform, application, program and client level. Through partnerships with leading software developers, the company is able to develop SAP systems with defense in depth and perform integrated security assessments that improve the quality and lower the cost of SAP audits. Layer Seven Security leverages leading SAP-certified solutions to provide comprehensive and rapid results covering risks in every component of SAP landscapes.

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road East, Oakville, Ontario L6H 0C3, Canada
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993

Copyright Layer Seven Security 2012 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.