Best Practices for Continuous Monitoring of Your SAP HR and Payroll Processes

March 22, 2018 | Author: cabhijit | Category: Business Process, Audit, Payroll, Privacy, Employment


Best Practices for Continuous Monitoring of Your SAP HR and Payroll Processes
Bhavesh C. Bhagat, President & CEO, EnCrisp
© 2006 Wellesley Information Services. All rights reserved.

What We’ll Cover …
• Identifying HR, Payroll, and FI Process Monitoring Needs
• Documenting Required Internal Controls
• Understanding Payroll and FI Dependency
• Designing and Monitoring HR and Payroll Controls via Business Rules
• Implementing Critical Process and Transaction Controls
• Ensuring Segregation of Duties in SAP HR
• Addressing Privacy Issues in SAP HR
• Wrap-up

Control and Monitor Your SAP HR/Payroll System
• 2006 expenditures on compliance and related activities to top $6 billion
• HR and Payroll identified as key factors in compliance: money going out the door is the factor
• Establishing and monitoring adequate controls in SAP is necessary but difficult
• Best practice steps you can take to ensure compliance:
  Are business processes and approvals appropriate for supporting the HR Payroll and related subsystems, including FI components?
  User access processes, approvals, and controls
  Internal control accountability processes

Control and Monitor Your SAP HR/Payroll System (cont.)
• Is documentation clearly written and appropriate?
  Payroll controls and run manuals updated upon process or system changes
  Time-entry procedures relevant to support the current controls environment
• Are processes and controls functioning as intended?
  Reviews established to periodically assess the appropriateness of documentation
  Reviews conducted to periodically test the functionality of controls through the use of business rules

WHY Payroll and Related HR/FI Processes Are SENSITIVE
• Payroll is one of the largest cash outflows for most companies
• Time feeds into payroll and directly impacts the bottom line
• Sarbanes-Oxley (SOX) and other audit criteria focus on financial data of any “material” impact. Payroll, as a process, has been deemed to be MATERIAL by default.
• Integration between HR and FI processes often interfaces with other systems and a myriad of manual/hybrid processes built into them
EVERYONE TURN TO YOUR LEFT AND ASK HOW MUCH THAT PERSON SITTING NEXT TO YOU MAKES ☺

Proactive Internal Controls Monitoring
• Payroll, Time, and other Human-Capital-related processes have been the SECOND LARGEST focus in SOX efforts for regulatory compliance, after the financial procedures
• Manual point-in-time audits in the past
• Sampling of records and review of payroll checklists in the past
• NEW PARADIGM – end-to-end process review (minimize sampling): Configuration, Integration, Security Objects and Transactions
• Segregation of duties (SOD) is reviewed NOT one time, but is ongoing

Types of Controls in SAP HR and Payroll
• Controls (process-driven): Entity Level Controls, System Level Controls, Process Level Controls, Audits and Auditors
• Controls (system-driven): Inherent, Manual, Automated, Hybrid
• Systems and Controls Compliance Lifecycle: Business Processes, Control Documentation, Monitoring
• Building Block: SAP Payroll and Time are involved in all of these activities. The HR business and HR systems resources must be engaged when these controls are being developed.

Create HR and Payroll Controls Repositories
Repository columns: Ref | Exposure/Risk – What? (what could go wrong scenario) | Threat Severity | How? (identify the root cause of the problem: how can the exposure occur) | Prob (without and with controls) | Controls/Practices (controls implemented to mitigate the exposure/risk) | Timing | Type | Resp | Status | Plan | Control Tested

Example entry:
  Ref: 1
  What: Information Integrity Loss/Disclosure – Unauthorized access to the system
  Severity: II/III
  How: Unauthorized user gains access to an authorized user ID while logged on
  Prob: P
  Controls/Practices: Users are encouraged to log off when leaving their desks for long periods of time
  Type: P
  Resp: Users

Create HR and Payroll Controls Repositories (cont.)
• Ref number – Uniquely identifies the item to document
• What – Provides the “what could go wrong” scenario
• Severity – Identifies the impact (I-greatest, IV-least)
• How – Identifies how the “what could go wrong” scenario could occur
• Prob – Probability of the scenario occurring (P-Probable, L-Likely, S-Small)
• Controls – Identify controls implemented or to be implemented to prevent, detect, or correct the scenario
• Timing – Identify when the control is to be implemented or if it already has been
• Type – Type of control (P-Preventive, D-Detective, C-Corrective)
• Resp – Who is responsible for the control?
• Status – Identify whether the control is implemented or what stage of development it is in
• Plan – Document the plan to implement or maintain the control
• Control Tested – Identify whether the control has been tested and signed off
Challenges with FI and HR Payroll Linkages
• Data is often fragmented and inconsistent (different scenarios for deploying HR and FI globally – centralized vs. integrated systems)
• Processes and technology are not standardized (different global/regional processes and SAP versioning)
• Some processes are very manual and error-prone
• Improperly-defined information requirements lead to a lack of the right data and reports
• Improperly-defined posting requirements cause posting errors
• Lack of or inappropriate documentation for posting rules
GOTCHA!

Understand Linkage – Data Flow Between HR and FI
• FI provides HR data to the following areas, which affects the available options when setting up the postings back to FI:
  Chart of accounts/cost centers (used to meet the company’s decision-making needs regarding HR expense information)
  House banks
  Direct deposit bank information
  Payment methods (direct deposit vs. check)
  Document types (used to identify documents that are to be kept for the same length of time)

Understand Linkage – Data Flow Between HR and FI (cont.)
• HR provides data to FI in the form of postings. Posting accounts can exist for the following:
  EE (employee): Amount to be paid, wage types collected, broken out by wage type
  ER (employer) or between cost centers: Dollar value of accumulated leave balances, wage types paid by company, cost of time for employees on loan
  Financial institutions (bank, credit union): Deposits, loan principal, and interest
  Government and regulatory agencies: Taxes due and garnishments
  Third-party administrators and benefits carriers: Premiums paid by EE or ER
  Vendors: Value of hours worked by consultants

Internal Controls Factors for HR and FI Linkages
• Understand the method and timing of passing data from HR to FI:
  The number of instances
  Technical requirements, such as volume of data, available bandwidth, and downtime for scheduled system maintenance (consult with your technical experts to develop an appropriate procedure)
  Deadlines from accounting for monthly closings
  Auditors’ requirements to ensure all data is successfully transferred and to prevent multiple transfers of the same data
• Evaluate the general steps in your company for HR/FI integration (decoupled or coupled systems)
• Don’t forget: Create reports to demonstrate how data is accumulated by wage type, in case problems or questions should arise once this data gets to FI

Review Symbolic Account Linkages to G/L
On the payroll side, a symbolic account is assigned to each wage type via a rule. On the accounting side, the symbolic account is assigned to an account (G/L account, customer account, vendor account). If the symbolic account indicates that the assignment is employee-group-dependent, feature PPMOD will indicate how to direct the wage type to the appropriate general ledger accounts, depending on the employee group.

Creating Good HR Internal Control Rules
• Controls = Statements driven by policy and control objectives, guided by internal controls frameworks, to analyze critical business process elements and the risks and violations thereof
• Control Rules = SAP HR and Payroll tests applied to evaluate the design and operating effectiveness of an identified and scoped control
• Don’t forget – Example: Wage types for exempt and non-exempt employees must be set up differently in the IMG, and any exceptions must be identified
  Control Topic: Integrity of HR Payroll Controls and Rules
  Drivers: Law, Regulation, Business Policies, Procedures Manuals, System Documentation, Board Memoranda, etc.
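The symbolic-account chain and the exempt/non-exempt control rule above lend themselves to an automated consistency check. The following is an added example (it is not part of the original presentation and not EnCrisp or SAP code): it walks wage type -> symbolic account -> G/L account for each employee group and reports wage types that cannot post, group-dependent accounts that post every group to the same G/L, and symbolic accounts no wage type references. The dict layouts and every wage type, symbolic account, account number and employee group in it are constructed sample data, not a real IMG configuration; in practice the two dicts would be filled from an extract of the posting rules.

```python
"""Added example, not part of the original presentation: a consistency check
over the wage type -> symbolic account -> G/L account chain described in the
slides. The chain itself (a rule assigns a symbolic account to each wage type;
FI assigns the symbolic account to a G/L, customer or vendor account; feature
PPMOD picks the account by employee group when the symbolic account is
employee-group-dependent) is from the slides. The dict layouts and every wage
type, symbolic account, account number and employee group below are
constructed sample data, not a real IMG configuration."""

EMPLOYEE_GROUPS = ("EXEMPT", "NONEXEMPT")

# Payroll side: wage type -> symbolic account (None = no posting rule maintained).
WAGE_TYPE_TO_SYMBOLIC = {
    "1000": "MS10",  # base salary
    "1010": "MS10",  # hourly wage
    "1020": "MS30",  # shift premium
    "1500": "MS20",  # overtime
    "2000": "MB40",  # bonus
    "3000": None,    # new wage type, posting rule never maintained
}

# Accounting side: symbolic account -> posting target. When group_dependent is
# True the account is chosen per employee group (the job of feature PPMOD).
SYMBOLIC_ACCOUNTS = {
    "MS10": {"group_dependent": True,  "accounts": {"EXEMPT": "6100000", "NONEXEMPT": "6110000"}},
    "MS20": {"group_dependent": True,  "accounts": {"NONEXEMPT": "6120000"}},  # EXEMPT mapping missing
    "MS30": {"group_dependent": True,  "accounts": {"EXEMPT": "6130000", "NONEXEMPT": "6130000"}},
    "MB40": {"group_dependent": False, "accounts": {"*": "6200000"}},
    "MX99": {"group_dependent": False, "accounts": {"*": "6999000"}},  # no wage type uses it
}


def resolve_account(wage_type, employee_group):
    """Follow the chain for one wage type and employee group.
    Returns (account, None) on success or (None, reason) when the chain breaks."""
    sym = WAGE_TYPE_TO_SYMBOLIC.get(wage_type)
    if sym is None:
        return None, "no symbolic account assigned"
    target = SYMBOLIC_ACCOUNTS.get(sym)
    if target is None:
        return None, f"symbolic account {sym} is not defined on the FI side"
    if not target["group_dependent"]:
        return target["accounts"]["*"], None
    account = target["accounts"].get(employee_group)
    if account is None:
        return None, f"symbolic account {sym} has no account for employee group {employee_group}"
    return account, None


def audit_posting_linkage(groups=EMPLOYEE_GROUPS):
    """Return (wage_type, employee_group, issue) findings: broken chains,
    group-dependent accounts that post every group to the same G/L (exempt and
    non-exempt are supposed to be set up differently), and orphaned symbolic
    accounts that no wage type references (a documentation smell)."""
    findings = []
    for wt in sorted(WAGE_TYPE_TO_SYMBOLIC):
        sym = WAGE_TYPE_TO_SYMBOLIC[wt]
        if sym is None or sym not in SYMBOLIC_ACCOUNTS:
            findings.append((wt, "*", resolve_account(wt, groups[0])[1]))
            continue
        resolved = {}
        for grp in groups:
            account, reason = resolve_account(wt, grp)
            if reason:
                findings.append((wt, grp, reason))
            resolved[grp] = account
        if (SYMBOLIC_ACCOUNTS[sym]["group_dependent"] and None not in resolved.values()
                and len(set(resolved.values())) == 1):
            findings.append((wt, "*", f"group-dependent symbolic account {sym} posts every group to the same account"))
    used = {s for s in WAGE_TYPE_TO_SYMBOLIC.values() if s}
    for sym in sorted(set(SYMBOLIC_ACCOUNTS) - used):
        findings.append(("*", "*", f"symbolic account {sym} is not referenced by any wage type"))
    return findings


if __name__ == "__main__":
    for wt, grp, issue in audit_posting_linkage():
        print(f"wage type {wt:>4}  group {grp:<9}  {issue}")
```

On the sample data the audit reports four findings: wage type 1020 posts both groups to the same account although its symbolic account is group-dependent, wage type 1500 has no account for the EXEMPT group, wage type 3000 has no symbolic account at all, and symbolic account MX99 is orphaned. The first two are exactly the "improperly-defined posting requirements" the slide warns about; the last one is the kind of thing that only surfaces when posting rules are documented.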
HR/Payroll Internal Controls – H5W Formula
Internal Controls Monitoring Dimensions with an Example

Roles:
  SPONSOR – Scope = SOX Steering Committee
  OWNER – Business Process = HR Payroll Functional Manager
  CONTROL DESIGNER – Design Details = Payroll SAP Analyst
  CONTROL TESTER – Technical Test Details = External SOX or Controls tester
  INDEPENDENT EVALUATOR – Audit = Internal Audit independent tests
  CONTROL PERFORMER – Field Worker = Payroll or HR associate executing the activity

Dimensions (Business Rules Design Criterion Template), with the example control:
  Control Objective: Ensure that inaccurate payroll cash disbursements are not made to the G/L
  HOW (Process): Evaluate HR/PY and FI integration; review the wage type maintenance and management process; review the Symbolic Account linkages in FI
  WHAT (Data): HR Wage Types; FI Symbolic Accounts
  WHERE (Location): IMG /nSPRO (Wage Type Management menu tree under HR Config); Wage Type Statement execution report RPCLGA09
  WHO (Accountability): HR business process manager; HR/PY functional integrator; Basis/ABAP report and security designers
  WHEN (Timing): Annually, in the 1st Quarter after fiscal close; Annual Compliance Effectiveness
  WHY (Incentive): Project in 2006 for optimizing HR/PY; streamline PY/FI integration

Good Internal Controls Rules answer the H5W formula.

Key SAP HR Transactions and Processes
• Recruiting
• Personnel Administration
• Time Management
• Payroll
• Performance Management
SAP HR Internal Controls Components: Process, Configuration, Transactions, Objects, Reports, Security, SOD
Understand Control Points by Macro Process Overview
The macro process with its decision points (building block):
1. Enter time in CATS. Approval? No: the CATS entry is rejected, time and PY ended. Yes: run the RPTEXTP transfer program (CATS to infotype 2002).
2. Run RPTIME00 to evaluate time.
3. Is the payroll control record correct for the payroll area and period? No: set the PY control record to the proper period and area in PA03. Yes: release PY.
4. Run the PY simulation. Are the simulated results reasonable? No: exit PY, analyze the problems with the simulation, time and PY ended. Yes: run the live PY program RPCALCU0.
5. Run the simulated posting. Are the simulated postings reasonable? No: exit PY for corrections, make the corrections, release PY, and run the live PY program RPCALCU0 again.

Understand Control Points by Macro Process Overview (cont.)
6. Are the simulated postings reasonable? No: document the posting issues and exit PY. Yes: posting run, then display the posting documents.
7. Payroll results feed Pre-DME: the pre-data-medium program populates the REGUH table with the relevant bank details and payroll payments for the payroll-relevant employees.
8. DME: the data medium exchange programs create the monetary transfer file, usually an ACH file, or generate the printed checks. END.

Critical Process and Control Areas – Identify ALL HR-Related TCODES
• Key Transaction Codes (TCODES) – current count in 4.6C: 55,300. Examples: PA**, PC10**, etc.
• Specific HR SOD rules must be customized for your business
• Auditors may bring a list of “standard” TCODES that have to be “secure!” This list has been developed outside of your business processes and function.

Critical Process and Control Areas – Identify Key HR Objects
• Key Objects – Examples: P_ORGIN, PLOG, PCLx, etc.
• Authorization Objects are the nuts and bolts of your HR security. They decide WHAT can be done in a given infotype and a given transaction by the values defined within.
• Additionally, ensure that your programmers use “Authorization Groups” in the code to check for security at the auth object level in your custom HR programs
SAP HR and Payroll Objects to Consider
• Key Object Examples: S_TABU_DIS, P_ABAP, PLOG, P_ORGIN, S_GUI, PCLx, P_PCR
• Key Transactions: Payroll Driver, Time Driver, Posting to FI
• Key Workbenches: Offcycle workbench, Time managers workbench, HR Process workbench
Work with Basis to understand and plan!

End-to-End Human Capital Management – Hire to Term Cycle
• EE Lifecycle
• Key ISSUE: Employees leave the organization, and HR usually has the responsibility to provide the notification. ARE YOU PAYING YOUR ex-EMPLOYEES?
• Is your HR department part of your IT department’s ID management process?
• Contingent Workforce may pose special issues

Benefits – HR Transactions to Consider
• Benefits and compensation are included in the master data and payroll processing
• Benefits linkages to banks
• 401K and other cash outlays
• Pensions
• Garnishments
• Executive compensation should be closely scrutinized. It often resides OUTSIDE of SAP, and thus needs a special controls review.

First Step – Enter Time
• The timekeeping method must be considered during security and controls design
• Two main classes of timekeeping:
  Positive: Each hour must be entered to be paid
  Negative: All scheduled hours are paid unless an exception is processed
• Positive time – Punch clock or CATS

SAP HR and Time Systems
• Key control issues
  Positive – Who enters the hours or has access to the system generating the hours?
  Positive time using clock punches usually links SAP to a third-party tool
  Third-party time tool (No SAP Security Applied Here) → SAP MASTER DATA (SAP Authorizations and Security Applied Here)
  Both systems will need controls designed, implemented, and documented to meet compliance

Internal Controls Business Rules Best Practices – Time
• Risk = Detect any missing approvals or unusual approvals of employee time absence entries
• Related Transactions = PA30, PA61, PA62, CAT2, CATSXT, CAXST_ADMIN, PTMW, CATS_APPR_LITE
• Possible controls rule approach: Evaluate the differences between PA2002 (attendances) and PA2001 (absences) and PTEX2000 (the CATS transfer table, which carries both attendance and absence types) and compare to see any anomalies
• Risk = Monitor running of the time driver program
• Related Transactions = PT60, PTMW, RPTIME00
• Possible controls rule approach: Work with the security admin to identify access to the above transactions/reports, plus monitor the P_ABAP program execution history and focus on the following fields: REPID, AEDTM, and UNAME

SAP Payroll Wage Type Management
• When calculating payroll, wage types are read from infotypes and the Time Management cluster
• Understand which wage types are processed in your payroll and the rules being run on them to calculate payroll
• Report RPDASC00 can be used to list all schemas, subschemas, rules, and sub-rules for a given schema

SAP Payroll Wage Type Management (cont.)
• Key Wage Type control issues
  Ensure that wage types and their amounts are not hard-coded into rules for payroll calculations
  Evaluate the IMG configuration for payroll processing rules to identify hard-coded wage types
  Wage Type Transaction examples = PC00_M99_CLGA09, RPCLGA09
  Ensure that the Wage Type Statement report is executed during the Payroll Reconciliation process

Internal Controls Business Rules Best Practices – Payroll Execution and Results
• Risk = Detect any improper execution of the payroll driver program RPCALCU0
• Related Transactions = PC00_M99_PA03_RELEA, PA03, PC00_M10_CALC_, SE38
• Possible controls rule approach: Identify any differences between releases in PA03 and the number of PY runs for execution (RPCALCU0), especially if runs exceed releases, and identify UNAME and AEDTM in the T569U table

Internal Controls Business Rules Best Practices – Payroll Execution and Results (cont.)
• Risk = Detect any improper execution of the payroll driver program RPCALCU0
• Ensure that the payroll driver log review is a mandatory step in your payroll process
• Frequent and regular monitoring of this log could unearth some subtle issues in your payroll process that might go unnoticed otherwise

Internal Controls Business Rules Best Practices – Payroll Execution and Results (cont.)
• Risk = Results from Pre-DME and DME execution are not reviewed
• Related Transactions = PC00_M10_CDTC, PC00_M10_FFOT, SE38, RFFOUS_T, RPCDTCU0
• Possible controls rule approach: Evaluate the execution of RPCALCU0 on day X and the running of pre-DME on day Y. Identify any changes in bank details between X and Y for a pernr, and evaluate for exceptional check amounts, null amounts, and any other conditions based on your business.

SAP Payroll Workbench Issues to Consider
• You may be using workflow and not even know it!
• Some processes require some form of workflow: vacancy processing, the SAP Office, and the process workbench
• Issue: Create an appropriate custom role rather than allow SAP_ALL for workflow

Internal Controls Business Rules Best Practices – Offcycle Workbench
• Risk = Identify unauthorized access to the offcycle workbench
• Related Transactions = PUOC_10, SAPLHRPAY99_OC
• Possible controls rule approach: For any PGMID of RPCALCU0 with the OFF CYCLE indicator or reason OCRSN, determine the AEDTM and UNAME (via T569U or T569V) for the execution and compare with the physical HR name list of authorized payroll users for offcycle processes. Users outside of the list should indicate problems.
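The three "possible controls rule approaches" in the payroll execution and offcycle slides above (runs versus releases per control record, off-cycle runs by users outside the authorized list, and bank-detail changes or odd amounts between the payroll run and pre-DME) are mechanical enough to run as a script over table extracts. The block below is an added example, not part of the original presentation and not EnCrisp or SAP code. The table and field names quoted from the slides (T569U, UNAME, AEDTM, pernr, OCRSN, RPCALCU0) are used as names only; the record layouts are simplified assumptions rather than the real SAP structures, and all records are constructed sample data.

```python
"""Added example, not part of the original presentation: three of the
'possible controls rule approaches' from the slides, written as checks over
constructed sample records. T569U, UNAME, AEDTM, pernr, OCRSN and RPCALCU0
are names taken from the slides; the record layouts below are simplified
assumptions, not the real SAP table structures, and would in practice be
filled from extracts of those tables."""
from collections import Counter
from datetime import date

# Constructed T569U-like change history of the payroll control record (PA03):
# one entry per state change for a payroll area and period.
CONTROL_RECORD_HISTORY = [
    {"area": "U1", "period": "2006/03", "state": "RELEASED", "uname": "PAYADM1", "aedtm": date(2006, 3, 27)},
    {"area": "U1", "period": "2006/03", "state": "EXIT", "uname": "PAYADM1", "aedtm": date(2006, 3, 29)},
    {"area": "U1", "period": "2006/04", "state": "RELEASED", "uname": "PAYADM1", "aedtm": date(2006, 4, 26)},
    {"area": "U1", "period": "2006/04", "state": "EXIT", "uname": "PAYADM2", "aedtm": date(2006, 4, 28)},
]

# Constructed execution log of the payroll driver RPCALCU0 (ocrsn set = off-cycle run).
DRIVER_RUNS = [
    {"area": "U1", "period": "2006/03", "uname": "PAYADM1", "aedtm": date(2006, 3, 27), "ocrsn": ""},
    {"area": "U1", "period": "2006/04", "uname": "PAYADM1", "aedtm": date(2006, 4, 26), "ocrsn": ""},
    {"area": "U1", "period": "2006/04", "uname": "PAYADM1", "aedtm": date(2006, 4, 27), "ocrsn": ""},
    {"area": "U1", "period": "2006/04", "uname": "DEVUSER9", "aedtm": date(2006, 4, 27), "ocrsn": "BONUS"},
]
AUTHORIZED_OFFCYCLE_USERS = {"PAYADM1", "PAYADM2"}  # the HR-maintained name list

# Constructed bank-details change log (IT0009-like) and pre-DME payment lines (REGUH-like).
RUN_DATE = date(2006, 4, 27)      # day X: live RPCALCU0 run
PRE_DME_DATE = date(2006, 4, 29)  # day Y: pre-DME run
BANK_DETAIL_CHANGES = [
    {"pernr": "00001001", "aedtm": date(2006, 4, 20), "uname": "HRCLERK1"},
    {"pernr": "00001002", "aedtm": date(2006, 4, 28), "uname": "DEVUSER9"},  # between X and Y
]
PAYMENTS = [
    {"pernr": "00001001", "amount": 2500.00},
    {"pernr": "00001002", "amount": 2600.00},
    {"pernr": "00001003", "amount": None},
    {"pernr": "00001004", "amount": 48000.00},
]


def runs_exceeding_releases(history, runs):
    """Rule from the payroll execution slide: per payroll area and period, count
    RELEASED entries in the control record history and RPCALCU0 executions, and
    report periods where runs exceed releases, with who ran them and when."""
    releases = Counter((h["area"], h["period"]) for h in history if h["state"] == "RELEASED")
    runs_by_key = {}
    for r in runs:
        runs_by_key.setdefault((r["area"], r["period"]), []).append(r)
    findings = []
    for (area, period), rs in sorted(runs_by_key.items()):
        if len(rs) > releases.get((area, period), 0):
            findings.append({"area": area, "period": period,
                             "releases": releases.get((area, period), 0), "runs": len(rs),
                             "executed_by": sorted((r["uname"], r["aedtm"].isoformat()) for r in rs)})
    return findings


def unauthorized_offcycle_runs(runs, authorized):
    """Rule from the offcycle workbench slide: off-cycle runs (OCRSN set) whose
    UNAME is not on the HR-maintained list of authorized off-cycle users."""
    return [r for r in runs if r["ocrsn"] and r["uname"] not in authorized]


def pre_dme_exceptions(changes, payments, run_date, pre_dme_date, ceiling):
    """Rule from the pre-DME slide: bank details changed after the payroll run
    (day X) but on or before pre-DME (day Y), plus null/zero or unusually large
    amounts. Returns {pernr: [reasons]}."""
    changed = {c["pernr"]: c for c in changes if run_date < c["aedtm"] <= pre_dme_date}
    exceptions = {}
    for p in payments:
        reasons = []
        if p["pernr"] in changed:
            c = changed[p["pernr"]]
            reasons.append(f"bank details changed on {c['aedtm']} by {c['uname']} after the payroll run")
        if not p["amount"]:
            reasons.append("null or zero payment amount")
        elif p["amount"] > ceiling:
            reasons.append(f"amount {p['amount']:.2f} exceeds ceiling {ceiling:.2f}")
        if reasons:
            exceptions[p["pernr"]] = reasons
    return exceptions


if __name__ == "__main__":
    print(runs_exceeding_releases(CONTROL_RECORD_HISTORY, DRIVER_RUNS))
    print(unauthorized_offcycle_runs(DRIVER_RUNS, AUTHORIZED_OFFCYCLE_USERS))
    print(pre_dme_exceptions(BANK_DETAIL_CHANGES, PAYMENTS, RUN_DATE, PRE_DME_DATE, 10000.0))
```

On the sample data, period 2006/04 shows three driver runs against a single release, the off-cycle run by DEVUSER9 falls outside the authorized list, and pernr 00001002 had its bank details changed by that same user between the payroll run and pre-DME. The amount ceiling is a placeholder; a real rule would derive it from the employee's pay history or the wage type, and the three findings together are the kind of correlation that a single point-in-time sample would miss.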
Segregation of Duties – Transaction Level
• SOD processes and underlying TCODE and Object conflicts
• Key Payroll Transaction Codes allowing some form of payroll execution: PC00_M**_CALC, PC00_M**_FFOT, PC00_M**_CDTE, PC00_M**_FPAYM, PC00_M**_FFOC, PC00_M**_RFF0AVIS, PUOC_**, PA03, PAUX, PAUY, SE38, SA38
• Other Transaction Codes that should be segregated from the payroll processing personnel: PA30, PA40, PA41, PA42, PA61, PA62, PA63, PA70, PA71, HRBEN*, all HRCMP*, and any other way to change pay-relevant master data

SAP HR and Payroll Example of Common SOD Violation at the Object Level
  Master data changes (PA30/40): Object P_ORGIN and S_TCODE
  + Payroll Processing (ability to run RPCALCU0): Object P_ABAP and S_TCODE
  = Back-door SOD conflict from the objects! Especially for infotypes 8, 14, 15, 2001, and 2002!
You may be able to mitigate the risk by setting up a monitoring system

SAP HR and Time Processing Example of Common SOD Violation at the Object Level
  Master data changes to infotype 2001 or 2002 (PA30/40): Object P_ORGIN change authorization
  + Time Evaluation (program access to RPTIME00): Object P_ABAP
  = Ability to change the hours worked or the type of hours (Reg to OT): back-door SOD conflict from adjusting the hours! Especially for infotypes 2001, 2002, 2010, 2011, and 2013!
You may be able to mitigate the risk by setting up a monitoring system

SOD Analysis and Non-SAP Systems
• Tip: SAP may not be the only point of SOD scrutiny!
  Change or processing access in the non-SAP time system + SAP Time Evaluation program access = SOD violation
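The two object-level "back-door" conflicts above are not visible from a transaction list, which is why an auditor's standard TCODE list misses them. The check below is an added example, not part of the original presentation and not EnCrisp or SAP code: it evaluates authorization values per user and flags anyone who holds both P_ORGIN change access on the listed infotypes and P_ABAP access to the corresponding driver, deliberately ignoring S_TCODE. The objects, programs and infotype lists are from the slides; the field names used (INFTY and AUTHC on P_ORGIN, REPID on P_ABAP) are the standard ones, but the users, roles, values and the simplified wildcard handling are assumptions for illustration, and a real extract (for example from AGR_1251) carries more fields and more ways of expressing ranges.

```python
"""Added example, not part of the original presentation: a check for the
object-level 'back-door' SOD conflicts described in the slides, run over
constructed user authorization data. P_ORGIN, P_ABAP, S_TCODE, RPCALCU0,
RPTIME00 and the infotype lists come from the slides. The field names INFTY,
AUTHC and REPID are the standard ones; the users, values and the simplified
wildcard handling are assumptions for illustration only."""

# Constructed authorization data: user -> list of (object, {field: set of values}).
# Assumption: 'W' (or '*') on AUTHC means change access to the infotype.
USER_AUTHS = {
    "PAYCLERK": [
        ("S_TCODE", {"TCD": {"PA30", "PA40"}}),
        ("P_ORGIN", {"INFTY": {"0008", "0014", "0015"}, "AUTHC": {"R", "W"}}),
    ],
    "PAYADMIN": [
        ("S_TCODE", {"TCD": {"PC00_M10_CALC", "PA03"}}),
        ("P_ABAP", {"REPID": {"RPCALCU0"}}),
    ],
    "SUPERUSER": [
        ("S_TCODE", {"TCD": {"PA30", "SE38"}}),
        ("P_ORGIN", {"INFTY": {"*"}, "AUTHC": {"*"}}),
        ("P_ABAP", {"REPID": {"RPC*"}}),  # prefix wildcard silently covers RPCALCU0
    ],
    "TIMEADMIN": [
        ("S_TCODE", {"TCD": {"PA30", "SA38"}}),
        ("P_ORGIN", {"INFTY": {"2001", "2002"}, "AUTHC": {"W"}}),
        ("P_ABAP", {"REPID": {"RPTIME00"}}),
    ],
}

# The two conflicts from the slides: change pay-relevant master data AND run the
# payroll driver; change time infotypes AND run the time driver.
SOD_RULES = [
    {"name": "master data change + RPCALCU0",
     "infotypes": {"0008", "0014", "0015", "2001", "2002"}, "program": "RPCALCU0"},
    {"name": "hours change + RPTIME00",
     "infotypes": {"2001", "2002", "2010", "2011", "2013"}, "program": "RPTIME00"},
]


def matches(pattern, value):
    """SAP-style value match (assumption: '*' alone matches everything, a
    trailing '*' is a prefix match, anything else is an exact match)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def changeable_infotypes(auths, infotypes):
    """Infotypes from the list that some P_ORGIN authorization lets the user change."""
    hit = set()
    for obj, fields in auths:
        if obj != "P_ORGIN" or not any(a in ("W", "*") for a in fields["AUTHC"]):
            continue
        hit.update(it for it in infotypes if any(matches(p, it) for p in fields["INFTY"]))
    return hit


def can_run_program(auths, program):
    """True if some P_ABAP authorization covers the program, wildcards included."""
    return any(obj == "P_ABAP" and any(matches(p, program) for p in fields["REPID"])
               for obj, fields in auths)


def sod_conflicts(user_auths, rules):
    """Return {user: [(rule name, sorted infotypes)]} for users holding both sides
    of a rule. S_TCODE is deliberately ignored: the point of the slides is that
    the object values, not the transaction list, create the conflict."""
    findings = {}
    for user, auths in user_auths.items():
        for rule in rules:
            its = changeable_infotypes(auths, rule["infotypes"])
            if its and can_run_program(auths, rule["program"]):
                findings.setdefault(user, []).append((rule["name"], sorted(its)))
    return findings


if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_AUTHS, SOD_RULES).items():
        for name, its in hits:
            print(f"{user}: {name} via infotypes {', '.join(its)}")
```

On the sample data PAYCLERK and PAYADMIN are clean because each holds only one side of the conflict, while SUPERUSER is flagged through the wildcard values (INFTY * and REPID RPC*) and TIMEADMIN through the explicit 2001/2002 change access plus RPTIME00. A transaction-only check would have passed SUPERUSER, who has no payroll transaction at all, which is the back door the slides describe.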
Look Beyond HR for Security in HR
• The HR objects are not enough! You will need to know the Basis objects and when they are used to support HR functionality
• HR functionality has a layered approach, from infotypes to workbenches to its programs

SAP HR and Payroll Data Sensitivity – PAYROLL SPOOLS Must Be Secured
Warning: Spool list inadequately secured

SAP HR and Payroll Data Sensitivity – Sensitive Infotypes
• Sensitive information is distributed too widely (especially infotypes 0, 2, 6, and 8)
• Disable this loophole by IMG configuration: go to Personnel Admin > Customizing UI > Change Header Info. In infotypes deemed to be sensitive, remove the SSN field “PERID” from the header info table. (This removes the SSN from the infotype header display only; access to the underlying personal data infotype still has to be restricted through authorizations.)

SAP HR and Payroll Data Sensitivity – Query Access from Non-HR Users
• ABAP Queries or programs from other teams select against HR tables with sensitive information
• SECURE the ABAP Queries via special authorizations by working with your security team and controls experts
• Eliminate backdoors such as “/h” debug mode by enforcing parameter security and debug timeouts in production (in practice that means restricting the S_DEVELOP authorization for object type DEBUG in production)

Upcoming Legislation That Will Affect the SAP HR and Payroll Sub-Process
• Privacy issues driven by the tremendous increase in identity fraud have generated significant legislative activity at the state level and are likely to generate significant federal legislation soon
• The use of the SSN for any non-payroll or social security activity should be eliminated
• California is the bellwether state regarding personal identification information legislation
• Expect a convergence of HIPAA, Sarbanes-Oxley, and Identity Fraud compliance

Resources
• www.ISACA.org – Information Systems Audit and Control Association
• www.COSO.org – SOX internal controls framework driver
• www.epic.org – Electronic Privacy Information Center
• www.s-oxinternalcontrolinfo.com/ – Combined Big 4 Web site for basics on SOX

7 Key Points to Take Home
• Critically review ALL aspects of HR and FI linkages
• Create an HR and Payroll Controls repository for your organization
• Create HR internal control rules focusing on Configuration (IMG), Transactions, and Security Objects
• Reduce or eliminate access to execute programs/reports (SA38, SE38)

7 Key Points to Take Home (cont.)
• Security of custom programs: add an authorization object check as a development requirement
• Assignment to area menus: create a new and specific transaction for payroll/time reports, queries, and programs
• Evaluate authorization profiles to locate and eliminate back doors

Your Turn! Questions?
Contact Bhavesh C. Bhagat – Web: www.com, Email: [email protected], Tel: 703-728-2493