Proactive Payroll Controls - EnCrisp (slide transcript, uploaded 2014-12-04)
Identifying Proactive Process Solutions for Key Payroll and Time Management Controls
Bhavesh Bhagat, EnCrisp
What We'll Cover …
• Need to monitor Payroll & Time proactively
• Control Basic Concepts
• SAP Payroll & Time Critical Process and Control Areas
• SAP Payroll & Time Transactions to consider
• SAP Payroll and Privacy Issues
• Upcoming Legislation that will affect SAP HR Payroll and Time
• Wrap-up
WHY are Payroll & Time SENSITIVE?
• Payroll is one of the largest cash outflows for most companies
• Time feeds into Payroll and directly impacts the bottom line
• Payroll as a process has been identified as a material process for Sarbanes-Oxley and other audit criteria
• Both processes often have interfaces to other systems and many manual/hybrid steps built into them
• EVERYONE TURN TO YOUR LEFT side and ASK HOW MUCH THAT PERSON SITTING NEXT TO YOU MAKES ☺
CASE for PROACTIVE CONTROLS MONITORING
• Payroll, Time and other Human Capital related processes were the SECOND LARGEST weakness found in 2004-2005 regulatory compliance efforts
• In the past: manual, point-in-time audits
• In the past: sampling of records and review of payroll check lists
• NEW PARADIGM – end-to-end process review (minimize sampling) covering:
  • Configuration
  • Integration
  • Security objects & transactions
  • Segregation of Duties, NOT one time but ongoing
Audit, System and Business Processes
• Compliance integration comes by planning across these three components
[Diagram: three components – Systems & Controls, Business Processes, Audits & Auditors – joined through Planning]
>>>> A significant value opportunity exists when these are integrated <<<<
>>>> Use Sarbanes-Oxley as the catalyst for positive change and an increase in value <<<<
Types of Controls Applicable for Payroll & Time
• Controls
  • Entity Level Controls
  • System Level Controls
  • Process Level Controls
• Control Documentation
• Monitoring
SAP Payroll & Time are involved in all of these control activities. The HR business and HR systems resources must be engaged when these controls are being developed.
Payroll & Time Controls Repositories
Columns of the repository template: Ref | What? (what could go wrong scenario) | Severity | How? (identify the root cause of the problem: how can the exposure occur) | Prob (without and with controls) | Controls (identify the controls implemented to mitigate the exposure/risk) | Timing | Type | Resp | Status | Plan | Control Tested

Exposure/Risk: Information Integrity Loss / Disclosure
Ref 1
  What: Unauthorized access to the system.
  Severity: II / III
  How: Unauthorized user gains access to an authorized user ID while it is logged on.
  Prob: P
  Controls: Users are encouraged to log off when leaving their desks for long periods of time.
  Timing: X   Type: P   Resp: Users   Status: E
•Ref #-Uniquely Identifies the item to document
•What-Provides the “what could go wrong” scenario
•Severity-Identifies the impact (I-greatest, IV-Least)
•How-Identifies how the “what could go wrong” scenario could occur
•Prob-Probability of the scenario occurring (P-Probable, L-Likely, S-Small)
•Controls-Identify controls implemented or to be implemented to prevent, detect, or correct the scenario
•Timing-Identify when the control is to be implemented or if it already is
•Type-Type of control (P-Preventive, D-Detective, C-Corrective)
•Resp-Who is responsible for the control
•Status-Identify if the control is implemented or what stage of development it is in
•Plan-Document the plan to implement or maintain the control
•Control Tested-Identify if the control has been tested and signed off
Leverage Controls Best Practices
Payroll & Time Controls Repositories
Columns: Ref | What? | Severity | How? | Prob (without and with controls) | Controls | Timing | Type | Resp | Status | Plan | Control Tested

Exposure/Risk: Information Integrity Loss / Disclosure

Ref 1 (Information Integrity)
  What: Reconciliation process does not detect a problem with the data.
  Severity: II
  How: Reconciliation is not performed.
  Controls: Business decides at what level to reconcile the loaded data. Any discrepancies below the P.O. level are likely immaterial, or would be detected by users / reconcilers if significant offsets occurred.
  Timing: E   Type: D   Resp: Payroll & Financial Acctg Teams   Status: E   Plan: -

Ref 2 (Information Disclosure)
  What: Application security access.
  Severity: III / IV
  How: Users can change data warehouse data.
  Prob: O / R
  Controls: Users have read-only access.
  Timing: X   Type: P   Resp: HR Security   Status: E   Plan: -

Ref 3
  What: Competitive or proprietary data (e.g. reserves) could be accessed by unauthorized people.
  Severity: II / III
  How: Somebody directly accesses the ORACLE tables.
  Prob: O / R
  Controls: Users are not allowed direct access to the tables. Users cannot log onto the box separately from BW.
  Timing: X   Type: P   Resp: HR Security   Status: E   Plan: -
Real Life Proactive Template to follow…
Best Practice Controls Approach
Are business processes and approvals appropriate for supporting the Payroll & Time sub-system?
• User access processes, approvals, and controls
• Change control processes and controls
Is documentation clearly written and appropriate?
• Payroll run manuals updated upon process or system changes
• Time entry procedures relevant to support the current controls environment
Are processes and controls functioning as intended?
• Reviews established to periodically assess appropriateness of documentation
• Reviews conducted to periodically test functionality of controls
Key SAP HR Transactions and Processes
• Recruiting
• Personnel Administration
• Time Management
• Payroll
• Performance Management
Auditors may bring a list of 'standard' TCODEs that have to be 'secured'! That list was developed outside of your business processes and functions, so it will not match your actual exposure without review.
Critical Process and Control Areas
• Key TCODEs - current count from 4.6c: 55300. Examples: PA**, PC10**, etc. See spreadsheet HR SOD.
• Key Objects - current count from 4.6c: 55300. Examples: P_ORGIN, PLOG, PCLx, etc.
Segregation of Duties
• Segregation of Duties (SOD) processes and underlying TCODE and object conflicts.
Key Payroll Transaction Codes allowing some form of payroll execution:
PC00_M**_CALC, SE38, PA03, SA38, PC00_M**_CDTE (FFOT, FPAYM, FFOC, RFFOAVIS), PUOC_**, PAUX, PAUY

Other Transaction Codes that should be segregated from the payroll processing personnel:
PA30, PA40, PA41, PA42, PA61, PA62, PA63, PA70, PA71, all HRCMP*, and any other way to change pay-relevant master data
Identification Management and Employee Life Cycle Issues for Payroll
• EE lifecycle key ISSUE: employees leave the organization, and HR usually has the responsibility to provide the notification
• ARE YOU PAYING YOUR ex-EMPLOYEES?
• Is your HR department part of your IT department's ID management process? YES is the normal answer!
• Contingent workforce may pose special issues.
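One way to answer "are you paying your ex-employees?" directly from the data, as an added example that is not part of the original deck: join a payroll-result extract against the employee's employment status over time. The inputs are constructed to resemble an extract of infotype 0000 (table PA0000, whose STAT2 field carries the SAP employment status: 0 withdrawn, 1 inactive, 2 retiree, 3 active) and a flattened payroll-result listing. The column layout, the function names, the employee numbers and amounts, and the rule applied (flag any pay period that starts while the employee is withdrawn, or for which no master record exists at all) are this example's own assumptions, not anything the deck or SAP prescribes.

```python
"""Detect payroll results for employees who are not active in SAP HR.

Added example; not from the original deck. The extracts below are
constructed to look like PA0000 (infotype 0000) time slices and a
flattened payroll-result listing; all numbers and amounts are made up.
"""
from datetime import date

# SAP employment status (PA0000-STAT2): 0 withdrawn, 1 inactive, 2 retiree, 3 active.
WITHDRAWN = "0"
ACTIVE = "3"
HIGH_DATE = date(9999, 12, 31)  # SAP's open-ended ENDDA

# Constructed PA0000 time slices: (PERNR, BEGDA, ENDDA, STAT2)
PA0000 = [
    ("00001001", date(2003, 1, 1), HIGH_DATE, ACTIVE),             # active throughout
    ("00001002", date(2002, 6, 1), date(2004, 3, 15), ACTIVE),
    ("00001002", date(2004, 3, 16), HIGH_DATE, WITHDRAWN),          # left on 2004-03-15
    ("00001003", date(2001, 9, 1), date(2003, 12, 31), ACTIVE),
    ("00001003", date(2004, 1, 1), HIGH_DATE, WITHDRAWN),           # left on 2003-12-31
]

# Constructed payroll results: (PERNR, period begin, period end, net pay)
PAYROLL = [
    ("00001001", date(2004, 4, 1), date(2004, 4, 30), 3100.00),
    ("00001002", date(2004, 3, 1), date(2004, 3, 31), 2900.00),   # final pay: legitimate
    ("00001002", date(2004, 4, 1), date(2004, 4, 30), 2900.00),   # paid after leaving
    ("00001003", date(2004, 4, 1), date(2004, 4, 30), 4200.00),   # paid months after leaving
    ("00001004", date(2004, 4, 1), date(2004, 4, 30), 1500.00),   # no master record at all
]


def status_on(pernr, day, pa0000=PA0000):
    """Return the STAT2 value valid for `pernr` on `day`, or None if no slice covers it."""
    for p, begda, endda, stat2 in pa0000:
        if p == pernr and begda <= day <= endda:
            return stat2
    return None


def payments_to_non_active(payroll=PAYROLL, pa0000=PA0000):
    """Return (PERNR, period begin, amount, status) for every payroll line whose
    pay period starts while the employee is withdrawn or has no PA0000 record.

    A period that starts while the employee is still active and ends after the
    leaving date is the final pay and is deliberately not flagged. Inactive (1)
    and retiree (2) are left for a separate review: some of those are paid
    legitimately (e.g. retiree payments), so they need a different rule."""
    findings = []
    for pernr, pbeg, _pend, amount in payroll:
        stat2 = status_on(pernr, pbeg, pa0000)
        if stat2 is None or stat2 == WITHDRAWN:
            findings.append((pernr, pbeg.isoformat(), amount, stat2))
    return findings


def exposure(findings):
    """Total amount paid out on the flagged lines."""
    return round(sum(amount for _, _, amount, _ in findings), 2)


if __name__ == "__main__":
    hits = payments_to_non_active()
    for pernr, period, amount, stat2 in hits:
        label = "no PA0000 record" if stat2 is None else f"STAT2={stat2}"
        print(f"{pernr}  period {period}  {amount:>8.2f}  {label}")
    print(f"exposure: {exposure(hits):.2f}")
```

In practice the two extracts come from different owners (HR master data vs. the payroll or FI posting team), which is exactly why the check belongs in ongoing monitoring rather than a one-time audit: the gap between a termination action in PA0000 and the payroll run is where the ex-employee payments appear.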
Critical Process and Control Areas
• The HR objects are not enough!
• You will need to know the BASIS objects and when they are used to support HR functionality.
• HR functionality has a layered approach, from infotypes to workbenches to its programs.
Key Workbenches: Off-cycle workbench, Time manager's workbench, HR process workbench
Key Transactions: Payroll driver, Time driver, Posting to FI
Key Object Examples: S_TABU_DIS, P_ABAP, PLOG, P_ORGIN, S_GUI, PCLx, P_PCR
Work with BASIS to understand and plan!
SAP HR and Payroll Objects to Consider
SAP Payroll Workbench Issues to Consider
• You may be using workflow and not even know it!
• Some processes require some form of workflow
• Vacancy processing, the SAP Office, and the process workbench
• Granting SAP_ALL for workflow will not be allowed.
Four Concepts Supporting Proactive Payroll/Time Controls
1) Reduce or eliminate access to execute programs / reports directly (SA38, SE38).
2) Security of custom programs: add an authorization object check as a development requirement.
3) Assignment to area menus: create a new and specific transaction for reports, queries and programs.
4) Limitation of infotype access through the P_ABAP authorization object.
Work with BASIS and security to create custom limited roles with the necessary authorizations and nothing more!
SAP HR and Payroll Example of common SOD violation at the object level
Master data changes (PA30/PA40), granted through objects P_ORGIN and S_TCODE
+ Payroll processing, granted through objects P_ABAP and S_TCODE (ability to run RPCALCU0)
== Backdoor SOD conflict from the objects, even when the transaction codes alone look clean!
Especially for infotypes 0008, 0014, 0015, 2001 and 2002!
You may be able to mitigate the risk by setting up a monitoring system.
SAP HR and Time Processing Example of common SOD violation at the object level
Master data changes to infotype 2001 or 2002 (PA30/PA40), granted through object P_ORGIN with change authorization
+ Time evaluation, granted through object P_ABAP (program access to RPTIME00): ability to change the hours worked or the type of hours (regular to overtime)
== Backdoor SOD conflict from adjusting the hours!
Especially for infotypes 2013, 2011, 2010, 2001 and 2002!
You may be able to mitigate the risk by setting up a monitoring system.
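The two "backdoor" conflicts on the payroll and time slides above are what an object-level SOD check has to find: not whether a user holds PA30 and PC00_M10_CALC, but whether any combination of P_ORGIN (with change authorization on the named infotypes), P_ABAP (program access) and S_TCODE grants both halves of the conflict. The following is an added example, not the deck's or SAP's code, serving both slides: it runs that check over a small constructed extract shaped like AGR_1251 (role, authorization name, object, field, low, high) and AGR_USERS (user, role). The role names, user IDs and values in the extract, the use of SE38/SA38 as generic executors alongside PC00_M10_CALC, and PT60 as the time evaluation transaction are this example's own assumptions. One SAP rule it models deliberately: fields inside one authorization instance combine with AND, while separate instances combine with OR, so a read-only P_ORGIN on infotype 2010 in one role does not become change access just because another role grants AUTHC W on different infotypes.

```python
"""Object-level SOD check for SAP HR payroll and time processing.

Added example; not from the original deck. The rows below are constructed
to resemble AGR_1251 (role authorization values) and AGR_USERS (role
assignments); role names, user IDs and values are made up.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Infotypes called out on the slides for each conflict.
PAY_INFOTYPES = {"0008", "0014", "0015", "2001", "2002"}
TIME_INFOTYPES = {"2013", "2011", "2010", "2001", "2002"}

# Program plus transactions that can execute it (SE38/SA38 run any report).
PAYROLL_EXEC = ("RPCALCU0", ("PC00_M10_CALC", "SE38", "SA38"))
TIME_EXEC = ("RPTIME00", ("PT60", "SE38", "SA38"))   # PT60 is an assumption here

# Constructed AGR_1251 extract: (role, authorization, object, field, low, high)
AGR_1251 = [
    ("Z_HR_MASTER",  "T-HR01", "S_TCODE", "TCD",   "PA30", ""),
    ("Z_HR_MASTER",  "T-HR01", "S_TCODE", "TCD",   "PA40", ""),
    ("Z_HR_MASTER",  "T-HR02", "P_ORGIN", "INFTY", "0000", "0999"),
    ("Z_HR_MASTER",  "T-HR02", "P_ORGIN", "INFTY", "2001", "2002"),
    ("Z_HR_MASTER",  "T-HR02", "P_ORGIN", "AUTHC", "R", ""),
    ("Z_HR_MASTER",  "T-HR02", "P_ORGIN", "AUTHC", "W", ""),
    ("Z_PY_RUN",     "T-PY01", "S_TCODE", "TCD",   "PC00_M10_CALC", ""),
    ("Z_PY_RUN",     "T-PY02", "P_ABAP",  "REPID", "RPCALCU0", ""),
    ("Z_PY_RUN",     "T-PY03", "P_ORGIN", "INFTY", "*", ""),
    ("Z_PY_RUN",     "T-PY03", "P_ORGIN", "AUTHC", "R", ""),
    ("Z_TM_EVAL",    "T-TM01", "P_ABAP",  "REPID", "RPTIME*", ""),
    ("Z_TM_EVAL",    "T-TM02", "P_ORGIN", "INFTY", "2000", "2099"),
    ("Z_TM_EVAL",    "T-TM02", "P_ORGIN", "AUTHC", "R", ""),
    ("Z_HR_DISPLAY", "T-DS01", "S_TCODE", "TCD",   "PA20", ""),
    ("Z_HR_DISPLAY", "T-DS02", "P_ORGIN", "INFTY", "*", ""),
    ("Z_HR_DISPLAY", "T-DS02", "P_ORGIN", "AUTHC", "R", ""),
]
# Constructed AGR_USERS extract: (user, role)
AGR_USERS = [
    ("JDOE", "Z_HR_MASTER"), ("JDOE", "Z_PY_RUN"),        # master data + payroll run
    ("ASMITH", "Z_HR_MASTER"), ("ASMITH", "Z_TM_EVAL"),   # master data + time evaluation
    ("PCLERK", "Z_PY_RUN"),                               # payroll run, read-only master data
    ("RVIEW", "Z_HR_DISPLAY"),                            # display only
]


def value_matches(low, high, value):
    """An authorization value is a range (LOW..HIGH), a single value, or a '*' pattern."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)


def authorizations(user, agr_1251=AGR_1251, agr_users=AGR_USERS):
    """Yield (object, {field: [(low, high), ...]}) per authorization instance
    across all roles of `user`. Fields within one instance combine with AND;
    separate instances (and roles) combine with OR."""
    roles = {r for u, r in agr_users if u == user}
    instances = defaultdict(lambda: defaultdict(list))
    for role, auth, obj, field, low, high in agr_1251:
        if role in roles:
            instances[(role, auth, obj)][field].append((low, high))
    for (_, _, obj), fields in instances.items():
        yield obj, fields


def field_allows(fields, name, value):
    return any(value_matches(lo, hi, value) for lo, hi in fields.get(name, []))


def can_change_infotype(user, infty):
    """P_ORGIN grants change only if the same instance covers the infotype AND AUTHC W."""
    return any(obj == "P_ORGIN" and field_allows(f, "INFTY", infty)
               and field_allows(f, "AUTHC", "W")
               for obj, f in authorizations(user))


def can_run(user, repid, tcodes):
    """Program access via P_ABAP REPID, or via a transaction that executes the program."""
    for obj, f in authorizations(user):
        if obj == "P_ABAP" and field_allows(f, "REPID", repid):
            return True
        if obj == "S_TCODE" and any(field_allows(f, "TCD", t) for t in tcodes):
            return True
    return False


def sod_findings(user):
    """List of (conflict, infotypes the user can change) for the two backdoors."""
    findings = []
    for label, infotypes, (repid, tcodes) in (("PAYROLL", PAY_INFOTYPES, PAYROLL_EXEC),
                                             ("TIME", TIME_INFOTYPES, TIME_EXEC)):
        changeable = sorted(i for i in infotypes if can_change_infotype(user, i))
        if changeable and can_run(user, repid, tcodes):
            findings.append((label, changeable))
    return findings


def report(agr_users=AGR_USERS):
    return {u: sod_findings(u) for u in sorted({u for u, _ in agr_users})}


if __name__ == "__main__":
    for user, hits in report().items():
        print(user, hits or "clean")
```

With this data JDOE is flagged for the payroll backdoor (change on 0008/0014/0015/2001/2002 plus PC00_M10_CALC and RPCALCU0) and ASMITH for the time backdoor (change on 2001/2002 plus RPTIME*), while PCLERK, who can run payroll but only read master data, stays clean. A check that merged all field values across roles would have flagged ASMITH on 2010/2011/2013 as well, which the actual SAP authorization check would not grant.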
SAP HR and Time Systems
The timekeeping method must be considered during security and controls design.
Two main classes of timekeeping:
• Positive - each hour must be entered to be paid
• Negative - all scheduled hours are paid unless an exception is processed
Key control issues:
• Positive - who enters the hours or has access to the system generating the hours?
• Negative - who enters the absences and exceptions and has access to the time evaluation program?
Positive time: punch clock or CATS
SAP HR and Time Systems
Key control issue, positive time: who enters the hours or has access to the system generating the hours?
Positive time using clock punches usually links SAP to a third-party tool.
[Diagram: third-party time clock system (no SAP security applied here) feeding SAP master data (SAP authorizations and security applied here). Both systems will need controls designed, implemented, and documented to meet compliance.]
SAP HR and Time Systems
SAP may not be the only point of SOD scrutiny!
[Diagram: change or processing access in the external time system + program access to SAP time evaluation = SOD violation]
SAP HR and Payroll Transactions to Consider
Benefits and compensation are included in the master data and payroll processing.
Executive compensation will be closely scrutinized.
SAP HR and Payroll Data Sensitivity
• Sensitive information is distributed too widely (especially infotypes 0000, 0002 and 0006)
• Spool lists are inadequately secured
• ABAP queries or programs from other teams select against HR tables with sensitive information
Upcoming Legislation that will affect SAP HR & Payroll sub-process
• Privacy issues driven by the tremendous increase in identity fraud have generated significant legislative activity at the state level and are likely to generate significant federal legislation soon
• The use of SSN for any non payroll or social security activity should be eliminated
• California is the bellwether state regarding personal identifying information legislation.
• Expect a convergence of HIPAA, Sarbanes Oxley, and Identity Fraud compliance
2004 Session Code: