Proactive Payroll Controls - Home - EnCrisp · 2014-12-04 · • Segregation of Duties NOT one...


Page 1: Identifying Proactive Process Solutions for Key Payroll and Time Management Controls

Bhavesh Bhagat, EnCrisp

Page 2: What We'll Cover …

• Need to monitor Payroll & Time proactively

• Control Basic Concepts

• SAP Payroll & Time Critical Process and Control Areas

• SAP Payroll & Time Transactions to consider

• SAP Payroll and Privacy Issues

• Upcoming Legislation that will affect SAP HR Payroll and Time

• Wrap-up

Page 3: WHY Payroll & Time are SENSITIVE?

• Payroll is one of the largest cash outflows for most companies

• Time feeds into Payroll and directly impacts the bottom-line

• Payroll as a process has been identified as a Material process for Sarbanes-Oxley and other audit criteria

• Often these two processes have interfaces with other systems and many manual/hybrid processes built into them.

• EVERYONE TURN TO YOUR LEFT side and ASK HOW MUCH THAT PERSON SITTING NEXT TO YOU MAKES ☺

Page 4: CASE for PROACTIVE CONTROLS MONITORING

• Payroll, Time and other Human Capital related processes have been the SECOND LARGEST weakness found in 2004-2005 regulatory compliance efforts

• Manual point in time Audits in past

• Sampling of records and review of Payroll check lists in past

• NEW PARADIGM – end to end process review (minimize sampling)

• Configuration

• Integration

• Security Objects & Transactions

• Segregation of Duties NOT one time but ongoing

Page 5: What We'll Cover … (agenda slide repeated)

Page 6: Audit, System and Business Processes

• Compliance integration comes by planning across these three components

[Diagram: Systems & Controls; Business Processes; Audits & Auditors; Planning]

>>>> A significant value opportunity exists when these are integrated <<<<

>>>> Use Sarbanes-Oxley as the catalyst for positive change and an increase in value <<<<

Page 7: Types of Controls Applicable for Payroll & Time

• Controls

• Entity Level Controls

• System Level Controls

• Process Level Controls

• Control Documentation

• Monitoring

SAP Payroll & Time are involved in all of these control activities. The HR business and HR systems resources must be engaged when these controls are being developed.

Page 8: Payroll & Time Controls Repositories

Template columns, grouped under Exposure/Risk, Threat and Controls/Practices:

Exposure/Risk: Ref | What? (what could go wrong scenario) | Severity

Threat: How? (identify the root cause of the problem: how can the exposure occur) | Prob (without and with controls)

Controls/Practices: Controls (identify the controls implemented to mitigate the exposure/risk) | Timing | Type | Resp | Status | Plan | Control Tested

Sample row (category: Information Integrity Loss / Disclosure):

  Ref: 1
  What: Unauthorized access to the system.
  Severity: II / III
  How: Unauthorized user gains access to an authorized user ID while logged on.
  Prob: P
  Controls: Users are encouraged to log off when leaving their desks for long periods of time.
  Timing: X
  Type: P
  Resp: Users
  Status: E

• Ref # - Uniquely identifies the item to document

• What - Provides the "what could go wrong" scenario

• Severity - Identifies the impact (I - greatest, IV - least)

• How - Identifies how the "what could go wrong" scenario could occur

• Prob - Probability of the scenario occurring (P - Probable, L - Likely, S - Small)

• Controls - Identify controls implemented or to be implemented to prevent, detect, or correct the scenario

• Timing - Identify when the control is to be implemented or if it already is

• Type - Type of control (P - Preventive, D - Detective, C - Corrective)

• Resp - Who is responsible for the control

• Status - Identify if the control is implemented or what stage of development it is in

• Plan - Document the plan to implement or maintain the control

• Control Tested - Identify if the control has been tested and signed off

Leverage Controls Best Practices

Page 9: Payroll & Time Controls Repositories (same template columns as Page 8)

Row 1 (Information Integrity):

  Ref: 1
  What: Reconciliation process does not detect problem with data
  Severity: II
  How: Reconciliation is not performed
  Controls: Business decides at what level to reconcile the loaded data. Any discrepancies below the P.O. level are likely immaterial, or would be detected by users / reconcilers if significant offsets occurred.
  Timing: E
  Type: D
  Resp: Payroll & Financial Acctg Teams
  Status: E
  Plan: -

Row 2 (Information Disclosure):

  Ref: 2
  What: Application Security Access
  Severity: III / IV
  How: Users can change data warehouse data
  Prob: O / R
  Controls: Users have read only access.
  Timing: X
  Type: P
  Resp: HR Security
  Status: E
  Plan: -

Row 3:

  Ref: 3
  What: Competitive or proprietary data (e.g. Reserves) could be accessed by unauthorized people
  Severity: II / III
  How: Somebody directly accesses the ORACLE tables
  Prob: O / R
  Controls: Users are not allowed direct access to the tables. Users cannot log onto the box separately from BW.
  Timing: X
  Type: P
  Resp: HR Security
  Status: E
  Plan: -

Real Life Proactive Template to follow…

Page 10: Best Practice Controls Approach

Are business processes and approvals appropriate for supporting the Payroll & Time sub-system?

• User Access processes, approvals, and controls

• Change control processes and controls

Is documentation clearly written and appropriate?

• Payroll run manuals updated upon process or system changes

• Time entry procedures relevant to support the current controls environment

Are processes and controls functioning as intended?

• Reviews established to periodically assess appropriateness of documentation

• Reviews conducted to periodically test functionality of controls

Page 11: What We'll Cover … (agenda slide repeated)

Page 12: Key SAP HR Transactions and Processes

• Recruiting

• Personnel Administration

• Time Management

• Payroll

• Performance Management

Auditors may bring a list of 'standard' TCODES that have to be 'secure'! This list has been developed outside of your business processes and functions.

Page 13: Critical Process and Control Areas

• Key TCODES - Current count from 4.6c: 55300. Examples: PA**, PC10**, etc. See spreadsheet HR SOD.

Page 14: Critical Process and Control Areas

• Key Objects - Current count from 4.6c: 55300. Examples: P_ORGIN, PLOG, PCLx, etc.

Page 15: Segregation of Duties

• Segregation of Duties (SOD) processes and underlying TCODE and Object conflicts.

Key Payroll Transaction Codes allowing some form of payroll execution: PC00_M**_CALC, SE38, PA03, SA38, PC00_M**_CDTE (FFOT, FPAYM, FFOC, RFFOAVIS), PUOC_**, PAUX, PAUY

Other Transaction Codes that should be segregated from the payroll processing personnel: PA30, PA40, PA41, PA42, PA61, PA62, PA63, PA70, PA71, all HRCMP*, and any other way to change pay-relevant master data

Page 16: Identification Management and Employee Life Cycle Issues for Payroll

• EE Lifecycle Key ISSUE: employees leave the organization and HR usually has the responsibility to provide the notification

• ARE YOU PAYING YOUR ex-EMPLOYEES?

• Is your HR department part of your IT department's ID management process? YES is the normal answer!

Contingent workforce may pose special issues.
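The two questions on this slide are the kind of check a monitoring run can answer. This is an added example, not code from the deck or from EnCrisp: it joins constructed leaver records, payroll results and system user IDs, and reports anyone paid for a period after their leaving date or whose login is still valid after it. The record layouts are the example's own, not an SAP table layout.

```python
from datetime import date

# Constructed HR master data: personnel number -> leaving date (None = still employed).
LEAVERS = {"1001": date(2004, 3, 31), "1002": None, "1003": date(2004, 1, 15)}

# Constructed payroll results: (pernr, period start, period end, net amount).
PAYROLL = [
    ("1001", date(2004, 3, 1), date(2004, 3, 31), 3200.0),   # final regular period
    ("1001", date(2004, 4, 1), date(2004, 4, 30), 3200.0),   # paid a month after leaving
    ("1002", date(2004, 4, 1), date(2004, 4, 30), 2900.0),
    ("1003", date(2004, 1, 1), date(2004, 1, 31), 1500.0),   # leaving period itself: expected
]

# Constructed system user IDs: user -> (linked pernr, valid-to date).
USER_IDS = {
    "JDOE":   ("1001", date(9999, 12, 31)),   # never locked after the leaving date
    "ASMITH": ("1002", date(9999, 12, 31)),
    "BLEE":   ("1003", date(2004, 1, 15)),    # expired with the leaving date
}

# Date on which the monitoring run is performed (constructed).
CHECK_DATE = date(2004, 5, 1)


def paid_after_leaving(leavers, payroll):
    """Payroll results for a period that starts after the leaving date.
    The leaving period itself (final pay) is expected and is not flagged."""
    return [(pernr, start, amount)
            for pernr, start, _end, amount in payroll
            if leavers.get(pernr) is not None and start > leavers[pernr]]


def open_ids_of_leavers(leavers, user_ids, as_of):
    """User IDs linked to a leaver that are still valid on the check date."""
    return sorted(uid for uid, (pernr, valid_to) in user_ids.items()
                  if leavers.get(pernr) is not None
                  and leavers[pernr] < as_of <= valid_to)


def lifecycle_report(leavers, payroll, user_ids, as_of):
    """Combine both checks into the list a monitoring run hands to HR and IT."""
    findings = [f"PAID AFTER LEAVING: pernr {p}, period from {s}, amount {a:.2f}"
                for p, s, a in paid_after_leaving(leavers, payroll)]
    findings += [f"OPEN USER ID: {u} (pernr {user_ids[u][0]} left {leavers[user_ids[u][0]]})"
                 for u in open_ids_of_leavers(leavers, user_ids, as_of)]
    return findings


if __name__ == "__main__":
    for line in lifecycle_report(LEAVERS, PAYROLL, USER_IDS, CHECK_DATE):
        print(line)
```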

Page 17: Critical Process and Control Areas

• The HR Objects are not enough!

• You will need to know the BASIS objects and when they are used to support HR functionality.

HR functionality has a layered approach, from infotypes to workbenches to its programs.

Page 18: What We'll Cover … (agenda slide repeated)

Page 19: SAP HR and Payroll Objects to Consider

Key Workbenches: Off-cycle workbench, Time manager's workbench, HR Process workbench

Key Transactions: Payroll Driver, Time Driver, Posting to FI

Key Object Examples: S_TABU_DIS, P_ABAP, PLOG, P_ORGIN, S_GUI, PCLx, P_PCR

Work with BASIS to understand and plan!

Page 20: SAP Payroll Workbench Issues to Consider

• You may be using workflow and not even know it!

• Some processes require some form of workflow

• Vacancy processing, the SAP Office, and the process workbench

• Granting SAP_ALL for workflow will not be allowed.

Page 21: Four Concepts Supporting Proactive Payroll/Time Controls

1) Reduce or eliminate access to execute programs / reports (SA38, SE38).

2) Security of custom programs: add an authorization object as a development requirement.

3) Assignment to area menus: create a new and specific transaction for reports, queries and programs.

4) Limitation of infotype access through the P_ABAP authorization object.

Work with BASIS and security to create custom limited roles with necessary authorizations and nothing more!

Page 22: SAP HR and Payroll Example of common SOD violation at the object level

Master data changes ………… PA30/40, via Object P_ORGIN and S_TCODE

+

Payroll Processing ………… Ability to run RPCALCU0, via Object P_ABAP and S_TCODE

== Backdoor SOD conflict from the objects!

Especially for infotypes 8, 14, 15, 2001 and 2002!

You may be able to mitigate the risk by setting up a monitoring system.

Page 23: SAP HR and Time Processing Example of common SOD violation at the object level

Master data changes to Infotype 2001 or 2002 ………… PA30/40, via Object P_ORGIN change authorization

+

Time Evaluation ………… Ability to change the hours worked or the type of hours (Reg to OT), via Object P_ABAP program access to RPTIME00

== Backdoor SOD conflict from adjusting the hours!

Especially for infotypes 2013, 2011, 2010, 2001 and 2002!

You may be able to mitigate the risk by setting up a monitoring system.
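The monitoring the last two slides and Page 15 call for can be expressed as rules over a user's authorizations. This added example is not code from the deck or from EnCrisp: it checks the transaction-level conflict from Page 15 (payroll execution plus pay-relevant master-data maintenance) and the object-level backdoor from Pages 22 and 23 (P_ABAP program access to RPCALCU0 or RPTIME00 plus P_ORGIN change access on a pay-relevant infotype). The field names REPID (P_ABAP), INFTY and AUTHC (P_ORGIN) are standard SAP authorization fields; the user records are constructed, and the deck's `**` wildcards are written as `*`.

```python
from fnmatch import fnmatchcase

# Transaction codes from the deck (Page 15).
PAYROLL_EXEC = ["PC00_M*_CALC", "SE38", "SA38", "PA03", "PC00_M*_CDTE",
                "PUOC_*", "PAUX", "PAUY"]
MASTER_DATA = ["PA30", "PA40", "PA41", "PA42", "PA61", "PA62", "PA63",
               "PA70", "PA71", "HRCMP*"]

# Object-level backdoor (Pages 22 and 23): driver program access plus
# change authority on the pay-relevant infotypes the deck lists.
DRIVERS = {"RPCALCU0": "payroll driver", "RPTIME00": "time evaluation"}
PAY_INFTY = {"0008", "0014", "0015", "2001", "2002", "2010", "2011", "2013"}
CHANGE_AUTHC = {"W", "E", "S", "*"}   # P_ORGIN AUTHC values that permit changes


def _hits(patterns, values):
    """Values matching any pattern ('*' wildcard, compared in upper case)."""
    return sorted({v for v in values
                   if any(fnmatchcase(v.upper(), p) for p in patterns)})


def tcode_conflicts(auths):
    """Transaction-level SOD: payroll execution and pay-relevant master-data
    maintenance held by the same user, returned as (exec, master-data) pairs."""
    exec_t = _hits(PAYROLL_EXEC, auths["tcodes"])
    md_t = _hits(MASTER_DATA, auths["tcodes"])
    return [(e, m) for e in exec_t for m in md_t]


def object_backdoors(auths):
    """Object-level SOD: P_ABAP REPID grants a payroll/time driver while
    P_ORGIN grants change access on a pay-relevant infotype."""
    programs = [p for p in auths["p_abap"] if p.upper() in DRIVERS]
    writable = sorted({i for i, authc in auths["p_orgin"]
                       if i in PAY_INFTY and authc in CHANGE_AUTHC})
    return [(p, i) for p in programs for i in writable]


def analyse(users):
    """Return {user_id: findings} for every user with at least one conflict."""
    report = {}
    for uid, auths in users.items():
        findings = ([f"TCODE {e} + {m}" for e, m in tcode_conflicts(auths)] +
                    [f"OBJECT P_ABAP {p} ({DRIVERS[p.upper()]}) + P_ORGIN infotype {i} change"
                     for p, i in object_backdoors(auths)])
        if findings:
            report[uid] = findings
    return report


# Constructed sample users: tcodes (from S_TCODE), P_ABAP REPID values,
# and P_ORGIN (INFTY, AUTHC) pairs. Not real data.
AUTHS = {
    "PAYCLERK": {"tcodes": ["PC00_M10_CALC", "PA03"], "p_abap": [], "p_orgin": [("0008", "R")]},
    "HRADMIN":  {"tcodes": ["PA30", "PA40"], "p_abap": [], "p_orgin": [("0008", "W")]},
    "SUPERUSR": {"tcodes": ["PC00_M10_CALC", "PA30"], "p_abap": [], "p_orgin": []},
    "DEVUSER":  {"tcodes": ["PA30"], "p_abap": ["RPCALCU0"], "p_orgin": [("0014", "W")]},
}

if __name__ == "__main__":
    for uid, findings in analyse(AUTHS).items():
        print(uid, *findings, sep="\n  ")
```

DEVUSER holds no conflicting transaction codes at all, which is exactly the backdoor the slides describe: a transaction-only SOD rule would pass that user.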

Page 24: SAP HR and Time Systems

The time keeping method must be considered during security and controls design.

Two main classes of timekeeping:

• Positive: each hour must be entered to be paid

• Negative: all scheduled hours are paid unless an exception is processed

Key control issues:

• Positive: who enters the hours or has access to the system generating the hours?

• Negative: who enters the absences and exceptions and has access to the time evaluation program?

Positive time: punch clock or CATS

Page 25: SAP HR and Time Systems

Key control issue (positive time): who enters the hours or has access to the system generating the hours?

Positive time using clock punches usually links SAP to a third-party tool.

[Diagram: third-party time clock system ("No SAP security applied here") feeding SAP master data ("SAP authorizations and security applied here")]

Both systems will need controls designed, implemented, and documented to meet compliance.

Page 26: SAP HR and Time Systems

SAP may not be the only point of SOD scrutiny!

[Diagram: "Change or processing access here" in the external time system, combined with "Program access" to SAP Time Evaluation, marked as an SOD violation]

Page 27: SAP HR and Payroll Transactions to Consider

Benefits and compensation are included in the master data and payroll processing.

Executive compensation will be closely scrutinized.

Page 28: What We'll Cover … (agenda slide repeated)

Page 29: SAP HR and Payroll Data Sensitivity

Sensitive information is distributed too widely (especially infotypes 0, 2 and 6)

Page 30: SAP HR and Payroll Data Sensitivity

Spool list inadequately secured

Page 31: SAP HR and Payroll Data Sensitivity

ABAP Queries or programs from other teams select against HR tables with sensitive information

Page 32: What We'll Cover … (agenda slide repeated)

Page 33: Upcoming Legislation that will affect SAP HR & Payroll sub-process

• Privacy issues, driven by the tremendous increase in identity fraud, have generated significant legislative activity at the state level and are likely to generate significant federal legislation soon

• The use of SSN for any non-payroll or social security activity should be eliminated

• California is the bellwether state regarding personal identifying information legislation.

• Expect a convergence of HIPAA, Sarbanes Oxley, and Identity Fraud compliance

Page 34: Your Turn!

Contact us :[email protected] * 1.703.728.2493

Page 35: 2004

Session Code: