Identifying HR, Payroll, and FI Process Monitoring Needs
Documenting Required Internal Controls
Understanding Payroll and FI Dependency
Designing and Monitoring HR and Payroll Controls via Business Rules
Implementing Critical Process and Transaction Controls
Ensuring Segregation of Duties in SAP HR
Addressing Privacy Issues in SAP HR
Wrap-up
Payroll is one of the largest cash outflows for most companies.
Time feeds into payroll and directly impacts the bottom line.
Sarbanes-Oxley (SOX) and other audit criteria focus on financial data of any material impact. Payroll, as a process, has been deemed to be MATERIAL by default.
Integration between HR and FI processes often interfaces with other systems and a myriad of manual/hybrid processes built into them.
EVERYONE TURN TO YOUR LEFT AND ASK HOW MUCH THAT PERSON SITTING NEXT TO YOU MAKES
Payroll, Time, and other Human-Capital-related processes have been the SECOND LARGEST focus in SOX efforts for regulatory compliance, after the financial procedures.
In the past: manual point-in-time audits; sampling of records and review of payroll checklists.
NEW PARADIGM: end-to-end process review (minimize sampling) covering configuration, integration, and security objects and transactions.
Segregation of duties (SOD) is reviewed NOT one time, but is ongoing.
[Diagram: Internal controls building block. Controls (process-driven): Entity Level Controls, System Level Controls, Process Level Controls. Controls (system-driven): Inherent, Manual, Automated, Hybrid. Compliance Lifecycle; Business Processes.]
SAP Payroll and Time are involved in all of these activities. The HR business and HR systems resources must be engaged when these controls are being developed.
Ref number: Uniquely identifies the item to document
What: Provides the "what could go wrong" scenario
Severity: Identifies the impact (I = greatest, IV = least)
How: Identifies how the "what could go wrong" scenario could occur
Prob: Probability of the scenario occurring (P = Probable, L = Likely, S = Small)
Example entry: Users are encouraged to log off when leaving their desks for long periods of time. (Resp: Users)
Controls: Identify controls implemented or to be implemented to prevent, detect, or correct the scenario
Timing: Identify when the control is to be implemented or if it already has been
Type: Type of control (P = Preventive, D = Detective, C = Corrective)
Resp: Who is responsible for the control?
Status: Identify whether the control is implemented or what stage of development it is in
Plan: Document the plan to implement or maintain the control
Control Tested: Identify whether the control has been tested and signed off
Data is often fragmented and inconsistent (different scenarios for deploying HR and FI globally: centralized vs. integrated systems)
Processes and technology are not standardized (different global/regional processes and SAP versioning)
Some processes are very manual and error-prone
Improperly defined information requirements lead to a lack of the right data and reports
Improperly defined posting requirements cause posting errors
Lack of, or inappropriate, documentation for posting rules
GOTCHA!
FI provides data to HR in the following areas, which affects the available options when setting up the postings back to FI:
Chart of accounts/cost centers (used to meet the company's decision-making needs regarding HR expense information)
House banks
Direct deposit bank information
Payment methods (direct deposit vs. check)
Document types (used to identify documents that are to be kept for the same length of time)
HR provides data to FI in the form of postings. Posting accounts can exist for the following:
EE (employee): Amount to be paid, broken out by wage type
ER (employer) or between cost centers: Dollar value of accumulated leave balances, wage types collected, wage types paid by company, cost of time for employees on loan
Financial institutions (bank, credit union): Deposits, loan principal, and interest
Government and regulatory agencies: Taxes due and garnishments
Third-party administrators and benefits carriers: Premiums paid by EE or ER
Vendors: Value of hours worked by consultants
Considerations for the HR-to-FI data transfer:
The number of instances
Technical requirements, such as volume of data, available bandwidth, and downtime for scheduled system maintenance (consult with your technical experts to develop an appropriate procedure)
Deadlines from accounting for monthly closings
Auditors' requirements to ensure all data is successfully transferred and to prevent multiple transfers of the same data
Evaluate the general steps in your company for HR/FI integration (decoupled or coupled systems)
Create reports to demonstrate how data is accumulated by wage type, in case problems or questions should arise once this data gets to FI
On the payroll side, a symbolic account is assigned to each wage type via a rule. If the symbolic account indicates that the assignment is employee-group-dependent, feature PPMOD will indicate how to direct the wage type to the appropriate general ledger accounts, depending on the employee group.
Control Objective
HOW = Process
WHAT = Data
WHERE = Location
WHO = Accountability
WHEN = Timing
WHY = Incentive
Roles:
CONTROL DESIGNER (Design Details) = Payroll SAP Analyst
CONTROL TESTER (Technical Test Details) = External SOX or Controls tester
INDEPENDENT EVALUATOR (Audit) = Internal Audit independent tests
CONTROL PERFORMER (Field Worker) = Payroll or HR associate executing the activity
Business Rules Design Criterion Template, worked example:
Control objective: Ensure that inaccurate payroll cash disbursements are not made to the G/L
Evaluate HR/PY and FI integration; review the wage type maintenance and management process; review the Symbolic Account linkages in FI
IMG /nSPRO (Wage Type Management menu tree under HR Config); Wage Type Statement Execution report RPCLGA09
HR business process manager; HR/PY functional integrator; Basis/ABAP report and security designers
Annual Compliance Effectiveness Project in 2006 for optimizing HR/PY; streamline PY/FI integration
Good Internal Controls Rules answer the H5W formula
SAP HR Internal Controls Components: Process, Configuration, Transactions, Objects, Reports, Security, SOD
[Diagram: payroll process building block with the stages Make Corrections, Release PY, Exit PY, Payroll results, Pre-DME, Posting Run, DME, END]
The pre-data medium (pre-DME) program populates the REGUH table with the relevant bank details and payroll payments for the payroll-relevant employees. The data medium exchange (DME) programs create the monetary transfer file, usually an ACH file, or generate the printed checks.
Critical Process and Control Areas: Identify ALL HR-Related TCODES
Key Transaction Codes (TCODES): current count from 4.6C is 55300. Examples: PA**, PC10**, etc.
Specific HR SOD rules must be customized for your business.
Auditors may bring a list of standard TCODES that have to be secured! This list has been developed outside of your business processes and function.
Authorization Objects are the nuts and bolts of your HR security. They decide WHAT can be done in a given infotype and a given transaction by the values defined within.
Additionally, ensure that your programmers use Authorization Groups in the code of your custom HR programs so that security is checked at the authorization-object level.
EE Lifecycle, Key ISSUE: Employees leave the organization, and HR usually has the responsibility to provide the notification.
ARE YOU PAYING YOUR ex-EMPLOYEES? Is your HR department part of your IT department's ID management process?
Benefits and compensation are included in the master data and payroll processing.
Benefits linkages to banks: 401K and other cash outlays, pensions, garnishments
Executive compensation should be closely scrutinized. It often resides OUTSIDE of SAP and thus needs a special controls review.
The timekeeping method must be considered during security and controls design
Two main classes of timekeeping:
Positive: Each hour must be entered to be paid
Negative: All scheduled hours are paid unless an exception is processed
Both systems will need controls designed, implemented, and documented to meet compliance
Risk = Monitor running of the time driver program
Related Transactions = PT60, PTMW, RPTIME00
Possible controls rule approach: Work with the security admin. to identify access to the above transactions/reports, plus monitor the history of P_ABAP program execution and focus on the following fields: REPID, AEDTM, and UNAME
When calculating payroll, wage types are read from infotypes and the Time Management cluster.
Understand which wage types are processed in your payroll and the rules being run on them to calculate payroll. Report RPDASC00 can be used to list all schemas, subschemas, rules, and sub-rules for a given schema.
SAP Payroll Wage Type Management (cont.): Key Wage Type control issues
Ensure that wage types and their amounts are not hardcoded into rules for Payroll calculations.
Evaluate the IMG configuration for Payroll processing rules to identify hard-coded wage types.
Internal Controls Business Rules Best Practices: Payroll Execution and Results
Risk = Detect any improper execution of the payroll driver program RPCALCU0 Related Transactions = PC00_M99_PA03_RELEA, PA03, SE38, PC00_M10_CALC_
Possible controls rule approach
Identify any differences between releases in PA03 and the number of payroll runs executed (RPCALCU0), especially where runs exceed releases, and identify the UNAME and AEDTM in table T569U.
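The release-versus-run reconciliation above, as an added example (not part of the original deck or any SAP program): the records are constructed stand-ins for data extracted from SAP, where UNAME/AEDTM follow the slide and ABKRS (payroll area) and PERIOD are assumed field names; the same REPID/UNAME/AEDTM shape is what the time-driver monitoring slide asks you to watch.

```python
"""Reconcile payroll releases (PA03) against RPCALCU0 executions.
Constructed example: records stand in for data extracted from SAP (control
record change history with UNAME/AEDTM, and program execution history).
ABKRS (payroll area) and PERIOD are assumed field names; dates are YYYYMMDD."""
from collections import defaultdict

# Constructed: control record set to "released for payroll", per area/period
RELEASES = [
    {"ABKRS": "U1", "PERIOD": "200609", "UNAME": "PYADMIN1", "AEDTM": "20060925"},
    {"ABKRS": "U1", "PERIOD": "200610", "UNAME": "PYADMIN1", "AEDTM": "20061024"},
    {"ABKRS": "U2", "PERIOD": "200610", "UNAME": "PYADMIN2", "AEDTM": "20061024"},
]
# Constructed: execution history of the payroll driver (REPID/UNAME/AEDTM)
RUNS = [
    {"REPID": "RPCALCU0", "ABKRS": "U1", "PERIOD": "200609", "UNAME": "PYADMIN1", "AEDTM": "20060925"},
    {"REPID": "RPCALCU0", "ABKRS": "U1", "PERIOD": "200610", "UNAME": "PYADMIN1", "AEDTM": "20061024"},
    {"REPID": "RPCALCU0", "ABKRS": "U1", "PERIOD": "200610", "UNAME": "ZTEMP01", "AEDTM": "20061026"},
    {"REPID": "RPCALCU0", "ABKRS": "U2", "PERIOD": "200610", "UNAME": "PYADMIN2", "AEDTM": "20061024"},
]

def reconcile(releases, runs, driver="RPCALCU0"):
    """One finding per area/period where driver runs exceed releases.
    The finding lists UNAME/AEDTM of the runs beyond the release count
    (the latest runs are taken as the excess) for follow-up."""
    rel_count = defaultdict(int)
    for r in releases:
        rel_count[(r["ABKRS"], r["PERIOD"])] += 1
    run_log = defaultdict(list)
    for x in runs:
        if x["REPID"] == driver:  # ignore other programs in the history
            run_log[(x["ABKRS"], x["PERIOD"])].append(x)
    findings = []
    for key, execs in sorted(run_log.items()):
        released = rel_count.get(key, 0)
        excess = len(execs) - released
        if excess > 0:
            latest = sorted(execs, key=lambda e: e["AEDTM"])[-excess:]
            findings.append({
                "ABKRS": key[0], "PERIOD": key[1],
                "releases": released, "runs": len(execs),
                "excess_runs": [(e["UNAME"], e["AEDTM"]) for e in latest],
            })
    return findings

if __name__ == "__main__":
    for finding in reconcile(RELEASES, RUNS):
        print(finding)  # the U1/200610 finding, attributed to ZTEMP01
```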
Internal Controls Business Rules Best Practices: Payroll Execution and Results (cont.)
Risk = Detect any improper execution of the payroll driver program RPCALCU0
Ensure that the Payroll driver log review is a mandatory step in your Payroll process.
Frequent and regular monitoring of this log could unearth some subtle issues in your Payroll process that might go unnoticed otherwise.
Internal Controls Business Rules Best Practices: Payroll Execution and Results (cont.)
Risk = Results from Pre-DME and DME execution are not reviewed
Related Transactions = PC00_M10_CDTC, PC00_M10_FFOT, SE38, RFFOUS_T, RPCDTCU0
Possible controls rule approach
Evaluate execution of RPCALC on day X and running of pre-DME on day Y. Identify any changes in bank details between X and Y for a pernr, and evaluate for exceptional check amounts, null amounts, and any other conditions based on your business.
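The day-X/day-Y pre-DME check above, as an added example (not part of the original deck or any SAP program): the records are constructed stand-ins for a bank-detail change extract and the REGUH payment lines written by pre-DME; field names BANKN and RWBTR and the amount ceiling are assumptions.

```python
"""Pre-DME review: bank-detail changes between the payroll run (day X) and
the pre-DME run (day Y), plus null or exceptional payment amounts.
Constructed example: records stand in for an extract of bank-detail changes
and the REGUH payment lines written by pre-DME. Field names BANKN and RWBTR
and the amount ceiling are assumptions; dates are YYYYMMDD strings."""

# Constructed: bank-detail change log (who changed which PERNR's account, when)
BANK_CHANGES = [
    {"PERNR": "00001001", "AEDTM": "20061020", "UNAME": "HRCLERK1", "BANKN": "111222333"},
    {"PERNR": "00001002", "AEDTM": "20061025", "UNAME": "HRCLERK2", "BANKN": "999888777"},
]
# Constructed: REGUH payment lines from the pre-DME run
PAYMENTS = [
    {"PERNR": "00001001", "BANKN": "111222333", "RWBTR": 3250.00},
    {"PERNR": "00001002", "BANKN": "999888777", "RWBTR": 48000.00},
    {"PERNR": "00001003", "BANKN": "555666777", "RWBTR": 0.00},
    {"PERNR": "00001004", "BANKN": "123123123", "RWBTR": 2900.00},
]

def review_pre_dme(bank_changes, payments, calc_date, pre_dme_date, max_amount):
    """Return (PERNR, reason) findings for the reviewer.
    Flags: bank details changed after payroll was calculated but no later
    than the pre-DME run, null amounts, and amounts above the ceiling."""
    changed = {}
    for c in bank_changes:
        if calc_date < c["AEDTM"] <= pre_dme_date:  # lexical compare is fine for YYYYMMDD
            changed[c["PERNR"]] = c
    findings = []
    for p in payments:
        pernr = p["PERNR"]
        c = changed.get(pernr)
        if c:
            findings.append((pernr, f"bank details changed {c['AEDTM']} by {c['UNAME']} "
                                    f"after payroll run; paid to {p['BANKN']}"))
        if p["RWBTR"] == 0:
            findings.append((pernr, "null payment amount"))
        elif p["RWBTR"] > max_amount:
            findings.append((pernr, f"amount {p['RWBTR']:.2f} exceeds ceiling {max_amount:.2f}"))
    return findings

if __name__ == "__main__":
    # Payroll calculated on 2006-10-24, pre-DME on 2006-10-26, ceiling 25,000
    for f in review_pre_dme(BANK_CHANGES, PAYMENTS, "20061024", "20061026", 25000.0):
        print(f)
```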
You may be using workflow and not even know it! Some processes require some form of workflow
Internal Controls Business Rules Best Practices: Offcycle Workbench
Risk = Identify unauthorized access to the offcycle workbench
Related Transactions = PUOC_10, SAPLHRPAY99_OC