© 2006 Wellesley Information Services. All rights reserved.

Best Practices for Continuous Monitoring of Your SAP HR and Payroll Processes

Bhavesh C. Bhagat, President & CEO, EnCrisp



What We’ll Cover …

• Identifying HR, Payroll, and FI Process Monitoring Needs
• Documenting Required Internal Controls
• Understanding Payroll and FI Dependency
• Designing and Monitoring HR and Payroll Controls via Business Rules
• Implementing Critical Process and Transaction Controls
• Ensuring Segregation of Duties in SAP HR
• Addressing Privacy Issues in SAP HR
• Wrap-up


Control and Monitor Your SAP HR/Payroll System

• 2006 expenditures on Compliance and related activities to top $6 billion
  – HR and Payroll identified as key factors in compliance – money going out the door … factor
  – Establishing and monitoring adequate controls in SAP is necessary but difficult
• Best practice steps you can take to ensure compliance
  – Are business processes and approvals appropriate for supporting the HR Payroll and related subsystem, including FI components?
  – User access processes, approvals, and controls
  – Internal control accountability processes


Control and Monitor Your SAP HR/Payroll System (cont.)

• Is documentation clearly written and appropriate?
  – Payroll controls and run manuals updated upon process or system changes
  – Time-entry procedures relevant to support the current controls environment
• Are processes and controls functioning as intended?
  – Reviews established to periodically assess appropriateness of documentation
  – Reviews conducted to periodically test functionality of controls through use of business rules



WHY Payroll and Related HR/FI Processes Are SENSITIVE

• Payroll is one of the largest cash outflows for most companies

• Time feeds into payroll and directly impacts the bottom line

• Sarbanes-Oxley (SOX) and other audit criteria focus on financial data of any “material” impact. Payroll, as a process, has been deemed to be MATERIAL by default.

• Integration between HR and FI processes often interfaces with other systems and a myriad of manual/hybrid processes built into them

• EVERYONE TURN TO YOUR LEFT AND ASK HOW MUCH THAT PERSON SITTING NEXT TO YOU MAKES ☺


Proactive Internal Controls Monitoring

• Payroll, Time, and other Human-Capital-related processes have been the SECOND LARGEST focus in SOX efforts for regulatory compliance after the financial procedures
• Manual point-in-time audits in past
• Sampling of records and review of payroll checklists in past
• NEW PARADIGM – end-to-end process review (minimize sampling)
  – Configuration
  – Integration
  – Security Objects and Transactions
  – Segregation of duties (SOD) is reviewed NOT one time, but is ongoing



Types of Controls in SAP HR and Payroll

• Controls (process-driven)
  – Entity Level Controls
  – System Level Controls
  – Process Level Controls
• Controls (system-driven)
  – Inherent
  – Manual
  – Automated
  – Hybrid
• Control Documentation
• Monitoring

[Diagram: Compliance Lifecycle – Systems and Controls, Business Processes, Audits and Auditors (Building Block)]

SAP Payroll and Time are involved in all of these activities. The HR business and HR systems resources must be engaged when these controls are being developed.


Create HR and Payroll Controls Repositories

Exposure/Risk Threat (example row from the repository template):

Ref | What? (What could go wrong scenario) | Severity | How? (Identify the root cause of the problem – how can the exposure occur) | Prob (without and with controls)
--- | --- | --- | --- | ---
Information Integrity Loss/Disclosure | | | |
1 | Unauthorized access to the system. | II/III | Unauthorized user gains access to authorized user ID while logged on. | P

• Ref number – Uniquely identifies the item to document
• What – Provides the “what could go wrong” scenario
• Severity – Identifies the impact (I-greatest, IV-Least)
• How – Identifies how the “what could go wrong” scenario could occur
• Prob – Probability of the scenario occurring (P-Probable, L-Likely, S-Small)


Create HR and Payroll Controls Repositories (cont.)

Controls/Practices (example row, continuing the same item):

Controls (Identify the controls implemented to mitigate the exposure/risk) | Timing | Type | Resp | Status | Plan | Control Tested
--- | --- | --- | --- | --- | --- | ---
Users are encouraged to log off when leaving their desks for long periods of time. | X | P | Users | E | |

• Controls – Identify controls implemented or to be implemented to prevent, detect, or correct the scenario
• Timing – Identify when the control is to be implemented or if it already has been
• Type – Type of control (P-Preventive, D-Detective, C-Corrective)
• Resp – Who is responsible for the control?
• Status – Identify whether the control is implemented or what stage of development it is in
• Plan – Document the plan to implement or maintain the control
• Control Tested – Identify whether the control has been tested and signed off



Challenges with FI and HR Payroll Linkages

• Data is often fragmented and inconsistent (different scenarios for deploying HR and FI globally – centralized vs. integrated systems)
• Processes and technology are not standardized (different global/regional processes and SAP versioning)
• Some processes are very manual and error-prone
• Improperly-defined information requirements lead to a lack of the right data and reports
• Improperly-defined posting requirements cause posting errors
• Lack of or inappropriate documentation for posting rules

GOTCHA!


Understand Linkage – Data Flow Between HR and FI

• FI provides HR data to the following areas, which affects the available options when setting up the postings back to FI:
  – Chart of accounts/cost centers (used to meet the company’s decision-making needs regarding HR expense information)
  – House banks
  – Direct deposit bank information
  – Payment methods (direct deposit vs. check)
  – Document types (used to identify documents that are to be kept for the same length of time)


Understand Linkage – Data Flow Between HR and FI (cont.)

• HR provides data to FI in the form of postings. Posting accounts can exist for the following:
  – EE (employee): Amount to be paid, broken out by wage type
  – ER (employer) or between cost centers: Dollar value of accumulated leave balances, wage types collected, wage types paid by company, cost of time for employees on loan
  – Financial institutions (bank, credit union): Deposits, loan principal, and interest
  – Government and regulatory agencies: Taxes due and garnishments
  – Third-party administrators and benefits carriers: Premiums paid by EE or ER
  – Vendors: Value of hours worked by consultants


Internal Controls Factors for HR and FI Linkages

• Understand the method and timing of passing data from HR to FI
  – The number of instances
  – Technical requirements, such as volume of data, available bandwidth, and downtime for scheduled system maintenance (consult with your technical experts to develop an appropriate procedure)
  – Deadlines from accounting for monthly closings
  – Auditors’ requirements to ensure all data is successfully transferred and to prevent multiple transfers of the same data
• Evaluate general steps in your company for HR/FI integration (decoupled or coupled systems)

Don't Forget: Create reports to demonstrate how data is accumulated by wage type, in case problems or questions should arise once this data gets to FI


Review Symbolic Account Linkages to G/L

On the accounting side, the symbolic account is assigned to an account (G/L account, customer account, vendor account)

On the payroll side, a symbolic account is assigned to each wage type via a rule. If the symbolic account indicates that the assignment is employee-group-dependent, feature PPMOD will indicate how to direct the wage type to the appropriate general ledger accounts, depending on the employee group.



Creating Good HR Internal Control Rules

Example: Wage Types for exempt and non-exempt employees must be set up differently in IMG and any exceptions must be identified

Control Topic: Integrity of HR Payroll

Controls = Statements driven by policy and control objectives guided by internal controls frameworks to analyze critical business process elements and risks and violations thereof

Controls and Rules Drivers:
– Law
– Regulation
– Business Policies
– Procedures Manuals
– System Documentation
– Board Memoranda
– etc.

Control Rules = SAP HR and Payroll Tests applied to evaluate design and operating effectiveness of an identified and scoped control

Don't Forget


HR/Payroll Internal Controls – H5W Formula

Internal Controls Monitoring Dimensions with an Example

Roles in the control lifecycle:
– SPONSOR (Scope) = SOX Steering Committee
– OWNER (Business Process) = HR Payroll Functional Manager
– CONTROL DESIGNER (Design Details) = Payroll SAP Analyst
– CONTROL TESTER (Technical Test Details) = External SOX or Controls tester
– INDEPENDENT EVALUATOR (Audit) = Internal Audit independent tests
– CONTROL PERFORMER (Field Worker) = Payroll or HR associate executing the activity

Example control, laid out by H5W dimension:
– Control Objective: Ensure that inaccurate payroll cash disbursements are not made to the G/L
– HOW (Process): Evaluate HR/PY and FI integration; review the wage type maintenance and management process; review the Symbolic Account linkages in FI
– WHAT (Data): HR Wage Types; FI Symbolic Accounts
– WHERE (Location): IMG/nSPRO (Wage Type Management menu tree under HR Config); Wage Type Statement execution report RPCLGA09
– WHO (Accountability): HR business process manager; HR/PY functional integrator; Basis/ABAP report and security designers
– WHEN (Timing): Annually in 1st Quarter after fiscal close
– WHY (Incentive): Annual Compliance Effectiveness Project in 2006 for optimizing HR/PY; streamline PY/FI integration

Business Rules Design Criterion Template: Good Internal Controls Rules answer the H5W formula



Key SAP HR Transactions and Processes

• Recruiting
• Personnel Administration
• Time Management
• Payroll
• Performance Management

SAP HR Internal Controls Components: Process, Configuration, Transactions, Objects, Reports, Security, SOD


Understand Control Points by Macro Process Overview (Building Block)

Flowchart, reconstructed from the slide's boxes and decision branches:

1. Enter CATS. Approval? N: CATS rejected; Time and PY ended. Y: continue.
2. Run RPTEXTP (transfer program, CATS to 2002).
3. Run RPTIME00 (evaluate time).
4. Is the payroll control record correct for payroll area and period? N: set PY control record to proper period and area in PA03. Y: continue.
5. Release PY; run PY simulation.
6. Are the simulated results reasonable? N: exit PY; problems with simulation analyzed; Time and PY ended. Y: continue.
7. Run live PY program RPCALCU0. If corrections are needed: exit PY for corrections, make corrections, release PY, and run live PY program RPCALCU0 again.
8. Run simulated posting (from the payroll results).
9. Are the simulated postings reasonable? N: document posting issues; exit PY. Y: continue.
10. Pre-DME, then posting run.
11. DME; display posting documents.
12. END.

Pre-data medium program populates the REGUH table with the relevant bank details and payroll payments for the payroll-relevant employees.

Data medium exchange programs create the monetary transfer file, usually an ACH file, or generate the printed checks.


Critical Process and Control Areas – Identify ALL HR-Related TCODES

• Key Transaction Codes (TCODES) – Current count from 4.6C: 55300
  – Examples PA**, PC10**, etc.
  – Specific HR SOD rules must be customized for your business

Auditors may bring a list of “standard” TCODES that have to be “secure!” This list has been developed outside of your business processes and function.


Critical Process and Control Areas – Identify Key HR Objects

• Key Objects – Examples P_ORGIN, PLOG, PCLx, etc.

Additionally, ensure that your programmers use “Authorization Groups” in the code to check for security at auth object level in your custom HR programs

Authorization Objects are the Nuts and Bolts of your HR Security. They decide WHAT can be done in a given infotype and a given transaction by the values defined within.


SAP HR and Payroll Objects to Consider

Key Workbenches: Offcycle workbench, Time managers workbench, HR Process workbench

Key Transactions: Payroll Driver, Time Driver, Posting to FI

Key Object Examples: S_TABU_DIS, P_ABAP, PLOG, P_ORGIN, S_GUI, PCLx, P_PCR

Work with Basis to understand and plan!


End-to-End Human Capital Management – Hire to Term Cycle

• EE Lifecycle Key ISSUE: Employees leave the organization, and HR usually has the responsibility to provide the notification
• ARE YOU PAYING YOUR ex-EMPLOYEES?
• Is your HR department part of your IT department’s ID management process?

Contingent Workforce may pose special issues


Benefits – HR Transactions to Consider

• Benefits and compensation are included in the master data and payroll processing
• Benefits linkages to banks
• 401K and other cash outlays
• Pensions
• Garnishments

Executive compensation should be closely scrutinized. It often resides OUTSIDE of SAP, thus needs special controls review.


First Step – Enter Time

• The timekeeping method must be considered during security and controls design
• Two main classes of timekeeping:
  – Positive: Each hour must be entered to be paid
  – Negative: All scheduled hours are paid unless an exception is processed

Positive time – Punch clock or CATS


SAP HR and Time Systems

• Key control issues
  – Positive – Who enters the hours or has access to the system generating the hours?
  – Positive time using clock punches usually links SAP to a third-party tool

[Diagram: third-party time clock system (no SAP security applied here) feeding SAP master data (SAP authorizations and security applied here)]

Both systems will need controls designed, implemented, and documented to meet compliance


Internal Controls Business Rules Best Practices – Time

• Risk = Detect any missing approvals or unusual approvals of employee time absence entries
• Related Transactions = PA30, PTMW, PA61, PA71, CAT2, PA62, CATSXT, CAXST_ADMIN, CATS_APPR_LITE
• Possible controls rule approach
  – Evaluate difference between PA2000 (attendance) and PA2001 (absence) to PTEX2000 (has difference attendance and absence types) and compare to see any anomalies

• Risk = Monitor running of the time driver program
• Related Transactions = PT60, PTMW, RPTIME00
• Possible controls rule approach
  – Work with security admin. to identify access to the above transaction/reports, plus monitor history of P_ABAP program execution history and focus on the following fields: REPID, AEDTM, and UNAME


SAP Payroll Wage Type Management

• When calculating payroll, wage types are read from infotypes and the Time Management cluster
  – Understand which wage types are processed in your payroll and the rules being run on them to calculate Payroll
  – Report RPDASC00 can be used to list all schemas, sub-schemas, rules, and sub-rules for a given schema


SAP Payroll Wage Type Management (cont.)

• Key Wage Type control issues

• Ensure that wage types and their amounts are not hard-coded into rules for Payroll calculations

• Evaluate the IMG configuration for Payroll processing rules to identify hard-coded wage types

• Wage Type Transaction examples = PC00_M99_CLGA09, RPCLGA09

Ensure that the Wage Type Statement report is executed during the Payroll Reconciliation process


Internal Controls Business Rules Best Practices – Payroll Execution and Results

• Risk = Detect any improper execution of the payroll driver program RPCALCU0
• Related Transactions = PC00_M99_PA03_RELEA, PA03, SE38, PC00_M10_CALC_
• Possible controls rule approach
  – Identify any differences between releases in PA03 and number of PY runs for execution (RPCALCU0), especially if runs exceed releases, and identify UNAME and AEDTM in T569U table


Internal Controls Business Rules Best Practices – Payroll Execution and Results (cont.)

• Risk = Detect any improper execution of the payroll driver program RPCALCU0

• Ensure that the Payroll driver log review is a mandatory step in your Payroll process

• Frequent and regular monitoring of this log could unearth some subtle issues in your Payroll process that might go unnoticed otherwise


Internal Controls Business Rules Best Practices – Payroll Execution and Results (cont.)

• Risk = Results from Pre-DME and DME execution are not reviewed
• Related Transactions = PC00_M10_CDTC, PC00_M10_FFOT, SE38, RFFOUS_T, RPCDTCU0
• Possible controls rule approach
  – Evaluate execution of RPCALC on day X and running of pre-DME on day Y. Identify any changes in bank details between X and Y for a pernr, and evaluate for exceptional check amounts, null amounts, and any other conditions based on your business.
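The day-X/day-Y rule above, worked through as an added Python example (not code from the presentation or EnCrisp): constructed bank-detail change-log rows and REGUH-style payment lines are embedded inline, and the record layouts, the user and date fields, the infotype 0009 source and the 20,000 ceiling are assumptions rather than SAP table definitions.

```python
"""Added example: pre-DME review window check over constructed data.

Rule from the slide: RPCALCU0 runs on day X, pre-DME on day Y. Any bank-detail
change for a pernr after X and up to Y, and any exceptional or null payment
amount, is an exception to review. Record shapes are assumptions; the slide
only names the REGUH table and the pernr.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class BankDetailChange:
    """Constructed change-log row for an employee's bank details
    (infotype 0009 is the assumed source of such a log)."""
    pernr: str
    aedtm: date          # change date
    uname: str           # user who made the change
    old_account: str
    new_account: str


@dataclass(frozen=True)
class Payment:
    """Constructed payment line, loosely modelled on what pre-DME writes to REGUH."""
    pernr: str
    account: str
    amount: Optional[Decimal]   # None models a null amount
    method: str                 # "ACH" or "CHECK"


RUN_DATE = date(2006, 3, 28)        # day X: RPCALCU0 executed (constructed)
DME_DATE = date(2006, 3, 30)        # day Y: pre-DME executed (constructed)
MAX_AMOUNT = Decimal("20000")       # business-defined ceiling (constructed)

SAMPLE_CHANGES = [
    BankDetailChange("00001001", date(2006, 3, 20), "HRCLERK", "ACCT-A1", "ACCT-A2"),  # before run: normal
    BankDetailChange("00001002", date(2006, 3, 29), "TEMP01", "ACCT-B1", "ACCT-B9"),   # inside window
    BankDetailChange("00001003", date(2006, 3, 30), "HRCLERK", "ACCT-C1", "ACCT-C2"),  # on DME day: inside
    BankDetailChange("00001004", date(2006, 4, 2), "HRCLERK", "ACCT-D1", "ACCT-D2"),   # after DME: next cycle
]

SAMPLE_PAYMENTS = [
    Payment("00001001", "ACCT-A2", Decimal("3200.00"), "ACH"),
    Payment("00001002", "ACCT-B9", Decimal("3100.00"), "ACH"),
    Payment("00001003", "ACCT-C2", Decimal("2900.00"), "ACH"),
    Payment("00001005", "ACCT-E1", Decimal("48000.00"), "CHECK"),  # exceptional amount
    Payment("00001006", "ACCT-F1", None, "ACH"),                    # null amount
    Payment("00001007", "ACCT-G1", Decimal("0.00"), "CHECK"),       # zero check
]


def bank_changes_in_window(changes, run_date, dme_date):
    """Bank-detail changes made after the payroll run but on or before pre-DME:
    the amount was calculated for one account and may be paid to another."""
    return sorted(
        (c for c in changes if run_date < c.aedtm <= dme_date),
        key=lambda c: (c.aedtm, c.pernr),
    )


def exceptional_payments(payments, max_amount):
    """Payments with a null amount, a zero or negative amount, or an amount
    above the ceiling, returned as (pernr, reason) in input order."""
    findings = []
    for p in payments:
        if p.amount is None:
            findings.append((p.pernr, "null amount"))
        elif p.amount <= 0:
            findings.append((p.pernr, "non-positive amount"))
        elif p.amount > max_amount:
            findings.append((p.pernr, "amount above ceiling"))
    return findings


def review_cycle(changes, payments, run_date, dme_date, max_amount):
    """Combine both checks into one exception report keyed by pernr."""
    report = {}
    for c in bank_changes_in_window(changes, run_date, dme_date):
        report.setdefault(c.pernr, []).append(
            f"bank details changed {c.old_account}->{c.new_account} "
            f"by {c.uname} on {c.aedtm.isoformat()}")
    for pernr, reason in exceptional_payments(payments, max_amount):
        report.setdefault(pernr, []).append(reason)
    return report


if __name__ == "__main__":
    report = review_cycle(SAMPLE_CHANGES, SAMPLE_PAYMENTS, RUN_DATE, DME_DATE, MAX_AMOUNT)
    for pernr, reasons in sorted(report.items()):
        print(pernr, "; ".join(reasons))
```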


SAP Payroll Workbench Issues to Consider

• You may be using workflow and not even know it!
• Some processes require some form of workflow
• Vacancy processing, the SAP Office, and the process workbench
• Create an appropriate custom role rather than allow SAP_ALL for workflow

Issue


Internal Controls Business Rules Best Practices – Offcycle Workbench

• Risk = Identify unauthorized access to the offcycle workbench
• Related Transactions = PUOC_10, SAPLHRPAY99_OC
• Possible controls rule approach
  – For any PGMID of RPCALCU0 with OFF CYCLE indicator or reason OCRSN, determine the AEDTM and UNAME (via T569U or T569V) for execution and compare with physical HR name list for authorized payroll users for offcycle processes. Users outside of the list should indicate problems.
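The two payroll-execution rules (runs exceeding PA03 releases on the earlier slide, and off-cycle runs by users outside the authorized list here) as one added Python example, not code from the presentation or EnCrisp: it runs over a constructed control-record history whose layout (area, period, action, UNAME, AEDTM, off-cycle flag, OCRSN) is an assumption rather than the real T569U/T569V structure.

```python
"""Added example: two control rules over payroll control record history.

Constructed data modelled on the fields the slides name (UNAME and AEDTM in
T569U/T569V, the OFF CYCLE indicator, the OCRSN reason). The record layout,
the action vocabulary and the sample users are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ControlRecordEvent:
    abkrs: str              # payroll area (assumed field name)
    period: str             # payroll period, e.g. "2006/03" (assumed)
    action: str             # "RELEASE" (PA03 release) or "RUN" (RPCALCU0 execution)
    uname: str              # UNAME: user who performed the action
    aedtm: date             # AEDTM: date of the action
    offcycle: bool = False  # OFF CYCLE indicator
    ocrsn: str = ""         # OCRSN: off-cycle reason


# Constructed sample history for one payroll month.
SAMPLE_EVENTS = [
    ControlRecordEvent("U1", "2006/03", "RELEASE", "PYADM", date(2006, 3, 28)),
    ControlRecordEvent("U1", "2006/03", "RUN", "PYADM", date(2006, 3, 28)),
    ControlRecordEvent("U1", "2006/03", "RUN", "TEMP01", date(2006, 3, 29)),   # second run, no new release
    ControlRecordEvent("U2", "2006/03", "RELEASE", "PYLEAD", date(2006, 3, 28)),
    ControlRecordEvent("U2", "2006/03", "RUN", "PYLEAD", date(2006, 3, 28)),
    ControlRecordEvent("U2", "2006/03", "RELEASE", "PYLEAD", date(2006, 3, 30)),  # corrections re-released
    ControlRecordEvent("U2", "2006/03", "RUN", "PYLEAD", date(2006, 3, 30)),
    ControlRecordEvent("U1", "2006/03", "RUN", "PYADM", date(2006, 3, 31), offcycle=True, ocrsn="BONUS"),
    ControlRecordEvent("U1", "2006/03", "RUN", "TEMP01", date(2006, 3, 31), offcycle=True, ocrsn="CORR"),
]

# HR-maintained list of users authorized for off-cycle processing (constructed).
AUTHORIZED_OFFCYCLE_USERS = {"PYADM", "PYLEAD"}


def runs_exceeding_releases(events):
    """Payroll Execution rule: per area/period, compare PA03 releases with
    regular RPCALCU0 runs and flag periods where runs exceed releases.
    Off-cycle runs are excluded here; the rule below covers them."""
    counts = defaultdict(lambda: {"RELEASE": 0, "RUN": 0, "run_users": set()})
    for e in events:
        if e.offcycle:
            continue
        bucket = counts[(e.abkrs, e.period)]
        bucket[e.action] += 1
        if e.action == "RUN":
            bucket["run_users"].add(e.uname)
    findings = []
    for (area, period), c in sorted(counts.items()):
        if c["RUN"] > c["RELEASE"]:
            findings.append({
                "area": area, "period": period,
                "releases": c["RELEASE"], "runs": c["RUN"],
                "run_users": sorted(c["run_users"]),
            })
    return findings


def unauthorized_offcycle_runs(events, authorized_users):
    """Offcycle Workbench rule: every off-cycle RPCALCU0 run whose UNAME is
    not on the HR-maintained authorized list is a finding."""
    return [
        {"area": e.abkrs, "period": e.period, "uname": e.uname,
         "aedtm": e.aedtm.isoformat(), "ocrsn": e.ocrsn}
        for e in events
        if e.offcycle and e.action == "RUN" and e.uname not in authorized_users
    ]


if __name__ == "__main__":
    for f in runs_exceeding_releases(SAMPLE_EVENTS):
        print("runs exceed releases:", f)
    for f in unauthorized_offcycle_runs(SAMPLE_EVENTS, AUTHORIZED_OFFCYCLE_USERS):
        print("unauthorized off-cycle run:", f)
```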



Segregation of Duties – Transaction Level

• SOD processes and underlying TCODE and Object conflicts
  – Key Payroll Transaction Codes allowing some form of payroll execution: PC00_M**_CALC, PC00_M**_FFOT, PC00_M**_FPAYM, SE38, PA03, PC00_M**_FFOC, SA38, PC00_M**_CDTE, PC00_M**_RFF0AVIS, PUOC_**, PAUX, PAUY
  – Other Transaction Codes that should be segregated from the payroll processing personnel: PA30, PA40, PA41, PA42, HRBEN*, PA61, PA62, PA63, PA70, PA71, all HRCMP*, and any other way to change pay-relevant master data


SAP HR and Payroll Example of Common SOD Violation at the Object Level

Master data changes (PA30/40) + Object P_ORGIN and S_TCODE
+ Payroll Processing (ability to run RPCALCU0) + Object P_ABAP and S_TCODE
== Back-door SOD conflict from the objects!

Especially for infotypes 8, 14, 15, 2001, and 2002!

You may be able to mitigate the risk by setting up a monitoring system


SAP HR and Time Processing Example of Common SOD Violation at the Object Level

Master data changes to infotype 2001 or 2002 (PA30/40) + Object P_ORGIN Change Auth
+ Time Evaluation (Object P_ABAP – program access to RPTIME00): ability to change the hours worked or the type of hours – Reg to OT
== Back-door SOD conflict from adjusting the hours!

Especially for infotypes 2001, 2002, 2010, 2011, and 2013!

You may be able to mitigate the risk by setting up a monitoring system
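The two object-level back-door conflicts (the payroll slide and the time slide above) checked in one added Python example, not code from the presentation or EnCrisp: it reads a constructed per-user list of P_ORGIN (INFTY, AUTHC) and P_ABAP (REPID) values and reports users who hold change authority on the named infotypes together with the ability to run RPCALCU0 or RPTIME00. The input format and the sample users are assumptions, and S_TCODE is deliberately left out so the check works purely at the object level.

```python
"""Added example: object-level SOD check for the two back-door conflicts.

payroll-backdoor: P_ORGIN change authority on infotypes 0008/0014/0015/2001/2002
                  plus P_ABAP access to RPCALCU0
time-backdoor:    P_ORGIN change authority on infotypes 2001/2002/2010/2011/2013
                  plus P_ABAP access to RPTIME00

The field names INFTY, AUTHC and REPID are SAP's; the user -> authorization
list format and every value below are constructed for the example.
"""
from fnmatch import fnmatchcase

PAYROLL_INFOTYPES = {"0008", "0014", "0015", "2001", "2002"}
TIME_INFOTYPES = {"2001", "2002", "2010", "2011", "2013"}
RULES = {
    "payroll-backdoor": ("RPCALCU0", PAYROLL_INFOTYPES),
    "time-backdoor": ("RPTIME00", TIME_INFOTYPES),
}

# Constructed user authorizations: list of (object, {field: [values or patterns]}).
USER_AUTHS = {
    "PYCLERK": [
        ("P_ORGIN", {"INFTY": ["0008", "0014"], "AUTHC": ["R", "W"]}),
        ("P_ABAP", {"REPID": ["RPCALCU0"]}),
    ],
    "TIMEADM": [
        ("P_ORGIN", {"INFTY": ["2001", "2002"], "AUTHC": ["W"]}),
        ("P_ABAP", {"REPID": ["RPTIME*"]}),
    ],
    "HRVIEW": [  # read-only on everything: no change authority, so no conflict
        ("P_ORGIN", {"INFTY": ["*"], "AUTHC": ["R"]}),
        ("P_ABAP", {"REPID": ["*"]}),
    ],
    "SUPER": [   # full wildcards: hits both rules
        ("P_ORGIN", {"INFTY": ["*"], "AUTHC": ["*"]}),
        ("P_ABAP", {"REPID": ["*"]}),
    ],
}


def _matches(patterns, value):
    """SAP-style wildcard match: '*' stands for any string, otherwise exact."""
    return any(fnmatchcase(value, p) for p in patterns)


def changeable_infotypes(auths, infotypes):
    """Infotypes from `infotypes` on which the user holds a P_ORGIN whose
    AUTHC covers write ('W' or '*')."""
    found = set()
    for obj, fields in auths:
        if obj != "P_ORGIN" or not _matches(fields.get("AUTHC", []), "W"):
            continue
        found |= {it for it in infotypes if _matches(fields.get("INFTY", []), it)}
    return found


def can_run_program(auths, program):
    """True if any P_ABAP authorization's REPID covers the program name."""
    return any(obj == "P_ABAP" and _matches(fields.get("REPID", []), program)
               for obj, fields in auths)


def sod_conflicts(user_auths, rules=RULES):
    """Return {user: {rule_name: sorted list of affected infotypes}} for every
    user who can both change the infotypes and run the driver program."""
    result = {}
    for user, auths in sorted(user_auths.items()):
        for name, (program, infotypes) in rules.items():
            if not can_run_program(auths, program):
                continue
            hit = changeable_infotypes(auths, infotypes)
            if hit:
                result.setdefault(user, {})[name] = sorted(hit)
    return result


if __name__ == "__main__":
    for user, conflicts in sod_conflicts(USER_AUTHS).items():
        for rule, infotypes in conflicts.items():
            print(f"{user}: {rule} on infotypes {', '.join(infotypes)}")
```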


SOD Analysis and Non-SAP Systems

SAP may not be the only point of SOD scrutiny!

Tip

[Diagram: change or processing access in the non-SAP time system + program access to SAP Time Evaluation = SOD violation]


Look Beyond HR for Security in HR

• The HR Objects are not enough!
• You will need to know the Basis objects and when they are used to support HR functionality

HR functionality has a layered approach from infotypes to workbenches to its programs



SAP HR and Payroll Data Sensitivity — PAYROLL SPOOLS Must Be Secured

Warning: Spool list inadequately secured


SAP HR and Payroll Data Sensitivity – Sensitive Infotypes

Sensitive information is distributed too widely (especially infotypes 0, 2, 6, and 8)

Disable this loophole by IMG configuration: go to Personnel Admin > Customizing UI > Change Header Info. In infotypes deemed to be sensitive, remove the SSN field “PERID” from the Header info table.


SAP HR and Payroll Data Sensitivity — Query Access from Non-HR Users

• ABAP Queries or programs from other teams select against HR tables with sensitive information

• SECURE the ABAP Queries via special authorizations by working with your security team and controls experts

• Eliminate backdoors such as “/h” debug mode by enforcing parameter security and debug timeouts in production


Upcoming Legislation That Will Affect SAP HR and Payroll Sub-Process

• Privacy issues driven by the tremendous increase in identity fraud have generated significant legislative activity at the state level and are likely to generate significant federal legislation soon

• The use of SSN for any non-payroll or social security activity should be eliminated

• California is the bellwether state regarding personal identification information legislation

• Expect a convergence of HIPAA, Sarbanes-Oxley, and Identity Fraud compliance



Resources

• www.epic.org – Electronic Privacy Information Center
• www.COSO.org – SOX internal controls framework driver
• www.ISACA.org – Information Systems Audit and Control Association
• www.s-oxinternalcontrolinfo.com/ – Combined Big 4 Web site for basics on SOX


7 Key Points to Take Home

• Critically review ALL aspects of HR and FI linkages
• Create an HR and Payroll Controls repository for your organization
• Create HR internal control rules focusing on Configuration (IMG), Transactions, and Security Objects
• Reduce or eliminate access to execute programs/reports (SA38, SE38)


7 Key Points to Take Home (cont.)

• Security of custom programs: Add authorization object as development requirement

• Assignment to area menus: Create a new and specific transaction for payroll/time reports, queries, and programs

• Evaluate authorization profiles to locate and eliminate back doors


Your Turn!

Questions?

Contact Bhavesh C. Bhagat @
Web: www.EnCrisp.com
Email: [email protected]
Tel: 703-728-2493