
SAP HR System

Internal Audit Report
July 7, 2005
Internal Audit Division
Performance and Knowledge Management Branch

Canadian International Development Agency
200 Promenade du Portage
Gatineau, Quebec K1A 0G4
Tel: (819) 997-5006
Toll free: 1-800-230-6349
Fax: (819) 953-6088
For the hearing and speech impaired only (TDD/TTY): (819) 953-5023
Toll free for the hearing and speech impaired only: 1-800-331-5018
E-mail: [email protected]

Internal Audit of the SAP HR System

Table of Contents

Summary
1. Context
2. Objective, Scope and Methodology
   2.1 Objectives
   2.2 Scope
   2.3 Methodology
3. Observations & Recommendations
   3.1 Observations Arising from the Review of SAP HR Processes
   3.2 Observations Arising from the Benchmarking of the SAP Support Group Structure
   3.3 Observations Arising from the Assessment of SAP HR Functionality
Conclusion
Appendix A - Summary of Audit Recommendations
Appendix B - Control Objectives/Audit Criteria for the SAP HR Process Review
Appendix C - SAP HR Control Framework


Summary

At the request of the Director General of the Human Resources Division (HRD), the Performance Review Branch performed a preliminary survey in order to identify issues relating to Human Resource Management. As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit and assessment of the SAP HR module in operation at CIDA.

The overall objective of the audit is to assess the functionality of the SAP HR system, by:

· Documenting the system controls and assessing the adequacy and use of the system;
· Assessing the accuracy and integrity of the information emanating from the application;
· Assessing the effectiveness and efficiency of the system and identifying areas for improvement;
· Reviewing and evaluating the appropriateness of access authorities to ensure the privacy/protection of personal data;
· Benchmarking the level of resources required to maintain and to enhance the system against similar organizations; and,
· Assessing the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

As a result, we can conclude that the functionality required to support the business needs of HRD and the Agency overall has been implemented. However, some areas for improvement in the effectiveness, efficiency and data integrity of the business processes and reporting have been identified. Opportunities for improvement of the control framework also exist, with a specific focus on increased monitoring of changes to master data elements and on the performance of periodic data quality reviews. An adequate framework for the design of user access privileges has been developed; however, issues currently exist with its technical implementation through the SAP application security functionality. Based on the results accumulated through a benchmarking survey, the SAP HR support group is larger than those of the organizations polled.

The main observations and recommendations arising from the audit are:

· HRD should modify the business processes surrounding acting situations to incorporate the entry of all EX acting situations into the SAP HR application and ensure that all terminated acting assignments are reflected in the system on a timely basis;
· HRD, in collaboration with IMTB and the Branches, should develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA;
· The Compensation and Benefits Directorate should perform a reconciliation of position/employee classification data and pay rates within SAP to the information recorded in the On-Line Pay application once a year;
· IMTB, in conjunction with HRD and the SAP Support Group, should correct the configuration of the security role for the Branch Administrators to eliminate their ability to submit and approve their own overtime and leave requests;
· HRD and the SAP Support Group should develop monitoring procedures for the review of leave balances by Responsible Managers on a regular basis;
· IMTB, in cooperation with the SAP HR Support Group, should review the configuration of access privileges assigned to the Branch Administrative Officers to prevent them from creating and activating new positions, thereby allowing the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles and responsibilities;
· IMTB should remove the HR access of SAP Support Group members and IMTB users who are not involved in supporting HR;
· IMTB should perform Privacy Impact Assessments in accordance with Treasury Board requirements;
· IMTB should remove the ability to view personal information through direct query of HR tables and the ability to execute reports through SA38, and should adjust the configuration of security over the reporting of HR information to protect personal information;
· IMTB should limit the use of generic accounts;
· IMTB, in conjunction with HRD and the SAP Support Group, should develop a set of security monitoring procedures in order to identify potential access irregularities for correction;
· CRC should decide on the staffing levels for the SAP HR Support Group;
· HR business process focused training (as opposed to SAP data entry training) should be developed by HRD to enhance users' knowledge of business process and policy requirements; and,
· The SAP HR Support Group should examine the reporting requirements of CIDA HR users and determine whether the reports currently available address their needs.


1. Context

At the request of the Director General of the Human Resources Division (HRD), the Performance Review Branch performed a preliminary survey in order to identify issues relating to Human Resource Management. As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit and assessment of the SAP HR module in operation at CIDA.

Overview of SAP Human Resources Modules

The Human Resources module of SAP in operation at CIDA is divided into three major applications: Personnel Administration (PA), Organization Management (PD) and Time Management. The PA sub-application includes employee information and employee classifications. The PD sub-application covers organization management, which includes the organizational structure, the position classifications and other organizational structure information. The Time Management functionality is used to capture requests for leave and overtime compensation and to provide electronic approval of the requests by employees' supervisors.

The new Salary Forecasting System (SFS) within SAP was implemented as of April 1st, 2004. This functionality uses the salary information captured for Agency employees within the SAP application and essentially provides a budget figure for salaries remaining to be paid within a given fiscal/budget year. As of March 2004, CIDA's salary forecasting system was not within the SAP system.

Infotypes

Functionality within the SAP application, and the information stored in an employee's on-line personnel file, is centred on the concept of an "infotype". An infotype is a screen within the SAP application that captures a specific set of data elements. For example, infotype 0002 contains personal information (name, date of birth, SIN) for all employees, and infotype 0008 contains basic/annual salary information. As this concept is central to the operation of the system, the information within sensitive/personal infotypes must also be adequately protected from unauthorized change or viewing.


2. Objective, Scope and Methodology

2.1 Objectives

The overall objective of the audit is to assess the functionality of the SAP HR system, including the following:

Review of SAP HR Processes (Section 3.1)
· To document the system controls and to assess the adequacy and use of the system;
· To assess the accuracy and integrity of the information emanating from the application;
· To assess the effectiveness and efficiency of the system and to identify areas for improvement;
· To review and evaluate the appropriateness of access authorities to ensure the privacy/protection of personal data;

Benchmarking of the SAP Support Group Structure (Section 3.2)
· To benchmark the level of resources required to maintain and to enhance the system against public sector organizations with SAP HR (two in the Federal Government and two others); and,

Assessment of SAP HR Functionality (Section 3.3)
· To assess the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

2.2 Scope

The audit was focused on the assessment of functionality within the SAP HR application. This included a detailed review and examination of the configuration of the system, as well as the configuration and assignment of specific access rights to users. Processes and procedures supporting the integrity of the data within the application were also evaluated, such as the use of monitoring reports for the verification of data subsequent to entry into the system.


The evaluation of the new SFS functionality was excluded, as it was not implemented as of March 31, 2004. Also excluded from the scope of the review were the processes, procedures and overall control framework in place within PWGSC's On-Line Pay (OLP) application. The focus of the audit was strictly the review and assessment of the control framework and the functionality of CIDA's SAP HR application.

2.3 Methodology

This audit was performed according to the Treasury Board policy on internal audit and the audit standards of the Institute of Internal Auditors. The audit was conducted from February 10, 2004 to March 31, 2004. Our audit approach was:

· To gather information on concerns over SAP HR within CIDA by reviewing two other HR internal audits that were recently completed, along with the preliminary survey of the HR function;
· To develop internal control objectives relating to the SAP HR functionality implemented at CIDA against which to perform the detailed control-based analysis;
· To gather information on the current SAP HR functionality, the supporting business processes and the control framework supporting the accuracy and completeness of the data, through a selection of interviews and a review of the system set-up;
· To review and analyze supporting process documentation relating to SAP HR processes, as provided by interviewees;
· To perform an assessment of the efficiency and effectiveness of the SAP system and processes;
· To perform a review of the key system-based controls in SAP HR, including user access rights to perform HR-related functions, the protection of personal information and configured data validation rules;
· To accumulate data on support group size and composition through surveys completed by local organizations (public sector and other) using SAP HR, for benchmarking purposes; and,
· To benchmark the size and composition of the SAP HR support group against similar organizations.

The control objectives and audit criteria are documented within Appendix B.


Process descriptions and the control framework are included in Appendix C. The control framework presentation was used to analyze and identify the internal control strengths and weaknesses associated with the SAP HR audit work. It was also used to analyze whether the particular objectives and assertions have been satisfied by the existing control processes/procedures identified.

3. Observations & Recommendations

3.1 Observations Arising from the Review of SAP HR Processes

The following observations stem from interviews of the SAP HR support group and users of the system, and from a review of documentation outlining the set-up or configuration of the system and access profiles, as well as the design of supporting business processes. The appropriateness of the assignment of access rights to users was also reviewed, as was the configuration of the SAP access profiles.

HR Master Data

Overall, the integrity of HR-related information is supported through the implementation of system-based checks and validations, which are currently in operation within the HR module. For example, with regard to the hiring of an employee, the application has been set up with pre-established routines to take users to the necessary screens for population of data, required fields have been configured within the screens, and access rights to perform the maintenance actions have been restricted to authorized individuals.

It was noted, however, that selected personnel movement situations (such as EX acting assignments that do not affect pay) are currently not being entered into the system. This has an adverse impact on the routing for approval of an employee's overtime and leave requests established in the system, as the organizational structure is not updated with the most current information. For example, if an EX-01 level individual acts as an EX-02, no change is made in SAP HR until a 3-month period has elapsed, as no payroll changes are required. It was further noted that the expiration of acting assignments is not being reflected on a timely basis. These actions require user intervention within the application, and the lack of system updates to reflect the actual movements decreases the overall integrity and accuracy of the data in the HR application. The impact of this situation is that leave balances may not be updated on a timely basis and/or overtime due to an employee may not be paid on a timely basis. Alternatively, this situation could result in requests for leave and overtime being approved by an unauthorized person for the purpose of clearing old items in the system.

While the system-based controls are appropriate, it was noted during the audit that opportunities for improvement of the data integrity verification procedures exist. Specifically, a number of current manual and/or monitoring (i.e. non system-based) validation processes, which are normally put in place to detect anomalies in captured data, are candidates for improvement. There are currently no formal processes in place for the periodic review and approval of SAP HR information by responsible managers within the Branches, or by individuals within HRD. This includes both the review of organizational structure and personnel assignments in SAP (at the Branch level) and the comparison and reconciliation of pay information against PWGSC's On-Line Pay system by Compensation and Benefits. The On-Line Pay application contains the more authoritative information on pay and benefits, as Agency employees are currently paid through this system. Comparisons to this source of information strengthen the integrity of the classification and payroll-related employee data captured in the SAP application.

References (for additional details see Appendix C, HR Control Framework):
· Control Weakness #1 - Acting Assignments;
· Control Weakness #2 - Monitoring Reports for HR Master Data;
· Control Weakness #3 - PWGSC On-Line Pay Reconciliation with SAP.

Recommendations

1. It is recommended that HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.

2. It is recommended that HRD, in collaboration with IMTB and the Branches, develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility, and will also identify acting situations that have not been recorded and/or expired acting situations that have not been closed in the system. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by HRD.

3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to the information recorded in the On-Line Pay application once a year.

Management Responses

1. Agree that rationalization of leave and overtime approval authorities is required to reflect EX acting situations that do not result in changes to rates of pay, but disagree with the proposed corrective action plan. The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situations in the SAP system now, without a system configuration. The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices.

2. Agree. HRD, in collaboration with IMTB and the branches, will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situations within the manager's own branch. Also, HRD will assess the integrity of the organizational structures at the Agency level. Roles and responsibilities will be defined and processes installed through the SAP-HR Improvement Project (SHIP) initiative.

3. Agree. Files are being created to compare data between the "On-Line Pay" system and SAP-HR on employees' position classification and pay scale. This comes under the SAP-HR Improvement Project (SHIP) initiative - Enhancement of Quality Control.

Leave and Overtime Recording

CIDA has developed an Agency-specific solution for the creation/entry of leave requests and overtime entitlements. In this business model, employees are responsible for entering their own requests for leave and requests for approval of overtime worked, as well as for selecting the method by which they would like to be compensated for their overtime entitlement (i.e. banked time or cash payout). Upon entry of the request, SAP automatically verifies whether the request is in accordance with the provisions of the employee's collective agreement. The employee's supervisor is then responsible for examining the request and for approving or "unlocking" the item so that it can be committed to the database/recorded and settled (i.e. banked or paid out).

Generally, the SAP access roles for Employees and Supervisors were appropriately configured to enforce the business rules/process outlined above. However, when these access rights were combined with other access rights in SAP, 31 Branch Administrative Officers had the ability to enter and approve/unlock their own requests. This situation increases the risk of unauthorized overtime being paid out, as these individuals can submit and approve their own overtime requests. This was a known issue within the SAP system, with a decision taken by management to control the process through detective/monitoring type processes.

Furthermore, there are no periodic review processes in place to provide for the integrity of leave data for employees. Without a proper detective control to ensure that employees are recording all leave taken in SAP, individuals could possibly take more leave than they are entitled to and/or the Agency could pay out amounts based on invalid/inaccurate balances. The system can help managers monitor whether employees are recording their leave or not.

References (for additional details see Appendix C, HR Control Framework):
· Control Weakness #4 - Unauthorized Approval of Overtime;
· Control Weakness #5 - Monitoring of Leave Balances Accuracy.

Recommendations

4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group, correct the configuration of the security role for the Branch Administrators to eliminate the ability to submit and approve their own overtime and leave requests. Specifically, the Branch Administrators' access should be limited to submitting their own requests for subsequent approval by their Supervisors.

5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.

Management Responses

4. Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.

5. Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leave calendars to ensure that leave taken is recorded appropriately. HRD will send out a reminder to managers to this effect.


A new tool to be launched in September 2005, Manager Self Services (MSS), will assist managers in this regard.

Organizational Management

The organizational management functionality within SAP contains the active organizational structure of the Agency, including the design of specific organizational units (i.e. Branches) and positions. Individual positions are created as elements of master data and include the reporting relationships between positions and the classification/planned compensation based on collective bargaining agreements. When employees are hired, they inherit the attributes of the position, including the salary and classification, and are placed in the appropriate place in the organizational structure. This is referred to as the integration of Personnel Administration and Organizational Management within SAP HR.

The maintenance of position data at CIDA is a shared responsibility between the Branches (Branch Administrative Officers and the Branch Managers) and the Classification Division. The current business process stipulates that the Branch Administrative Officer is responsible for setting up a new position or making a position data change in a "proposed" status for subsequent approval by the Branch/Responsible Manager. Subsequently, the Classification Officer reviews the classification and either approves or rejects the position. If it is approved, the position becomes active and is introduced into CIDA's organizational structure. This "self-service" type of business process is becoming more popular with SAP clients, and the sharing of data entry functions as outlined above is consistent with trends occurring elsewhere in the public and private sectors. In this business model, end-user departments (such as the Branches) are typically responsible for data entry, with an oversight function performed by a centralized body.

Branch Administrative Officers currently have the access in the SAP system to create positions, assign a classification in SAP and make the positions active within the organizational structure at CIDA. They also have the ability to appoint or hire individuals into these positions. When this type of access is combined with position maintenance access, a segregation of duties risk within SAP is created, as individuals could be appointed or hired into positions without a proper classification. The risk of improper classification and non-compliance with delegation of authorities is also increased, as Branch Administrative Officers and the Responsible Managers do not currently have the delegation/classification authority for positions. To compensate for this risk, the SAP HR Support group developed a monitoring report that provides a daily listing of the new positions that have been created and classified in the system. This monitoring report is supposed to be reviewed by the Classification Division, with any required corrections discussed with the Branches. It was noted, however, that this report is currently not being reviewed on a daily/regular basis, given workload and backlog issues within the Classification Division.
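The two segregation-of-duties findings above (Branch Administrative Officers able to unlock, that is approve, their own leave and overtime requests, and able to create and activate positions without the Classification Division) can be reproduced against the authorization objects SAP itself evaluates. The following is an added example, not code or configuration from the audit or from CIDA. The users, roles (Z_HR_*), personnel numbers and personnel areas are constructed; it assumes the P_PERNR check is switched on (T77S0, AUTSW PERNR) and uses personnel area as the Branch. It models P_ORGIN, P_PERNR and PLOG, compares the role as found with a corrected role, and runs the same checks as a detection routine over user-to-role assignments.

```python
"""Segregation-of-duties simulation for the two findings above: Branch
Administrative Officers unlocking (approving) their own leave and overtime
requests, and creating plus activating positions without Classification
Division. Added example, not CIDA's configuration; users, roles, personnel
numbers and personnel areas are constructed. Three standard SAP HR
authorization objects are modelled: P_ORGIN (PA infotype access by
organizational assignment), P_PERNR (access to the user's own personnel
number, assumed switched on via T77S0 AUTSW PERNR) and PLOG (Organizational
Management objects by planning status: 1 = active, 2 = planned).
"""

# Constructed personnel records: pernr -> personnel area (used as the Branch)
# and the SAP user linked to it (infotype 0105 subtype 0001).
EMPLOYEES = {
    "00001001": {"persa": "1100", "user": "JDOE"},
    "00001002": {"persa": "1100", "user": "BAO_WEST"},
    "00002001": {"persa": "2200", "user": "KLEE"},
}

LEAVE_OT = {"2001", "2010"}   # absences, employee remuneration info (overtime)
POSITION = {"OTYPE": {"S"}, "INFOTYP": {"1000", "1001"}}

# Constructed roles: name -> list of (authorization object, field values).
ROLES = {
    # Every employee may read and write (W) own leave/overtime requests.
    "Z_HR_EMPLOYEE": [
        ("P_PERNR", {"AUTHC": {"R", "W"}, "PSIGN": {"I"}, "INFTY": LEAVE_OT}),
    ],
    # BAO role as found: unlock (D) any record in branch 1100 with no own-record
    # exclusion, and PLOG covering both planned (2) and active (1) positions.
    "Z_HR_BAO_AUDITED": [
        ("P_ORGIN", {"AUTHC": {"R", "W", "D"}, "INFTY": LEAVE_OT, "PERSA": {"1100"}}),
        ("PLOG", {**POSITION, "ISTAT": {"1", "2"}, "PPFCODE": {"DISP", "INSE", "AEND"}}),
    ],
    # Corrected BAO role: P_PERNR with PSIGN E explicitly denies unlocking the
    # user's own records; PLOG limited to planned positions.
    "Z_HR_BAO_CORRECTED": [
        ("P_ORGIN", {"AUTHC": {"R", "W", "D"}, "INFTY": LEAVE_OT, "PERSA": {"1100"}}),
        ("P_PERNR", {"AUTHC": {"D"}, "PSIGN": {"E"}, "INFTY": LEAVE_OT}),
        ("PLOG", {**POSITION, "ISTAT": {"2"}, "PPFCODE": {"DISP", "INSE", "AEND"}}),
    ],
    # Classification Division: may change a planned position to active, not create.
    "Z_HR_CLASSIFICATION": [
        ("PLOG", {**POSITION, "ISTAT": {"1", "2"}, "PPFCODE": {"DISP", "AEND"}}),
    ],
}


def _auths(user_roles, obj):
    return [f for r in user_roles for o, f in ROLES[r] if o == obj]


def own_pernr(user):
    return next((p for p, rec in EMPLOYEES.items() if rec["user"] == user), None)


def can_access_infotype(user_roles, user, pernr, infty, authc):
    """PA infotype check in the order SAP applies it: for the user's own
    personnel number a matching P_PERNR decides (E denies outright, I grants);
    otherwise P_ORGIN decides on the record's organizational assignment."""
    if pernr == own_pernr(user):
        hits = [f for f in _auths(user_roles, "P_PERNR")
                if infty in f["INFTY"] and authc in f["AUTHC"]]
        if any("E" in f["PSIGN"] for f in hits):
            return False
        if any("I" in f["PSIGN"] for f in hits):
            return True
    persa = EMPLOYEES[pernr]["persa"]
    return any(infty in f["INFTY"] and authc in f["AUTHC"] and persa in f["PERSA"]
               for f in _auths(user_roles, "P_ORGIN"))


def can_set_position_status(user_roles, istat, fcode="AEND"):
    """PLOG check for maintaining a position (object type S) in status istat."""
    return any("S" in f["OTYPE"] and "1000" in f["INFOTYP"]
               and istat in f["ISTAT"] and fcode in f["PPFCODE"]
               for f in _auths(user_roles, "PLOG"))


def sod_findings(assignments):
    """Both conflict checks over a user -> roles mapping (shape of AGR_USERS)."""
    findings = []
    for user, roles in assignments.items():
        me = own_pernr(user)
        if me and any(can_access_infotype(roles, user, me, i, "D") for i in LEAVE_OT):
            findings.append(f"{user}: can unlock (approve) own leave/overtime")
        if can_set_position_status(roles, "2", "INSE") and can_set_position_status(roles, "1"):
            findings.append(f"{user}: can create and activate positions without Classification")
    return findings


if __name__ == "__main__":
    for label, bao in (("audited", "Z_HR_BAO_AUDITED"), ("corrected", "Z_HR_BAO_CORRECTED")):
        print(label, sod_findings({"BAO_WEST": ["Z_HR_EMPLOYEE", bao],
                                   "CLASS01": ["Z_HR_CLASSIFICATION"]}))
```

The correction is not a removal of the unlock authorization (the BAO still needs it for the rest of the branch) but a P_PERNR authorization with PSIGN E for AUTHC D, which SAP evaluates before P_ORGIN whenever the record belongs to the user's own personnel number, together with a PLOG restricted to planning status 2 so that activation (status 1) stays with Classification. Run over a real AGR_USERS/AGR_1251 extract, `sod_findings` is the kind of periodic check the monitoring recommendations call for.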


References (for additional details see Appendix C, HR Control Framework):
· Control Weakness #6 - Position Master Record Maintenance.

Recommendation

6. It is recommended that IMTB, in cooperation with the SAP HR Support Group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers, as they can currently create new positions without intervention from the Classification Division. The revised configuration should allow the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in its roles and responsibilities.

Management response

6. Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system. The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the Branch Administrator's role is being reviewed to limit their access when creating a position for classification. Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAOs. This comes under the SAP-HR Improvement Project (SHIP) initiative.

Security and Privacy

Human Resource applications typically contain a number of elements of personal information that must be protected from unauthorized disclosure. Given the importance of emergency contact information and the financial impact of pay information (with the implementation of SFS), it is important to limit the ability to update this information to authorized individuals only. At the time of the SAP HR implementation in October 2000, an assessment of the information captured in the system was performed to identify elements of information that should not be available for viewing to persons other than those designated. Specific examples of data covered in this analysis include employment equity information and personal qualifications. Treasury Board requirements state that a Privacy Impact Assessment (PIA) must be undertaken for any major system change where personal information is involved. In the new fiscal year, CIDA is planning to implement new functionality for salary forecasting (Salary Forecasting System - SFS), and no PIA has been undertaken to date.

In general, while the security and privacy design approach/framework in CIDA for granting HR access appears adequate for protecting personal information, some configuration breakdowns/abnormalities were noted during the audit that circumvented the key planned controls limiting users to their own areas of responsibility (i.e. Branch) when executing HR reports. The two configuration exceptions related to the viewing/reporting of information.

The first exception is that as of March 22, 2004, over 1700 user accounts (i.e. all CIDA employees and consultants) had access to view HR data at the table level through table browser transactions (SAP transaction code SE16). Effectively, this profile configuration represents a "back door" that allows users to view information (including sensitive HR information) that is not required for their job functions. This configuration could also result in violations of the Privacy Act, which outlines requirements for the protection of personal information about government employees.

The second exception involves the configuration of an SAP-delivered "override". Specifically, when the P_ABAP authorization object is configured with specific values (a report name together with a "degree of simplification" value that switches the organizational checks off) and assigned to users, the regular SAP security checks performed during the execution of HR reports are deactivated. For example, if users are assigned access profiles that prevent them from viewing employees outside their area of responsibility (i.e. Branch), the override will allow them to see employees outside their Branch on reports if requested (i.e. information that they are not authorized to view).
Authorizations set up in this manner allow individuals to have access to all HR information on a report even though their user profile is configured to restrict them from accessing the data. Currently, 129 users have been provided with this override.

The audit of the HR end user access profiles revealed that 14 roles/profiles had been given access to run programs directly (i.e. other than through specific access to reports/transactions) through the ability to execute programs through a centralized mechanism (transaction SA38). The effect of this functionality is essentially to bypass transactional restrictions imposed on users. These transactions could also provide access to sensitive HR reports and transactions and therefore provide an alternative means of accessing HR information. Although the configuration does restrict the users to specific reports within the HR function (through the use of authorization group flags and authorization object S_PROGRAM), there are a number of reports in SAP, including HR reports, for which this level of protection is not available.

Access to perform maintenance of specific pieces of information or infotypes and/or viewing of selected sensitive infotypes is also available to SAP Support personnel who are not directly involved with the support of the HR modules. This includes selected Support individuals for SAP financial applications, as well as members of IMTB (such as Security Administrators).

A specific issue test conducted as part of the audit was to examine the use of generic accounts within the system. Generic accounts/IDs are defined as user accounts that are not directly tied to an individual and/or are shared for maintenance purposes. The SAP HR support group has adopted a specific naming convention for their group's users. Specifically, the HRAIS series of accounts were created to prevent users from calling SAP support group members directly if a change is made to an employee's information. However, members of the support group have been given their own unique HRAIS account (i.e. HRAIS01, HRAIS02, etc.) that is tied directly to them through the text field name on the account. They are also responsible for keeping the confidentiality of their own passwords. Finally, the same HRAIS account will not be assigned to a new employee after the departure of a support group team member. Therefore, the HRAIS series of accounts is not considered to be generic accounts. Nevertheless, there are some generic accounts that currently have access to perform maintenance functions and/or view sensitive information. Accounts such as WFADMIN, WFADMIN2, WFADMINTEST, WORKFLOW, PHOENIX and ACDI-CIDA are all accounts that have access to perform HR functions.

References (for additional details see Appendix C - HR Artpack):
· Control Weakness #7 - Non SAP HR Support Group Access
· Control Weakness #8 - Privacy Impact Assessment
· Control Weakness #9 - SAP HR Table Access
· Control Weakness #10 - SAP HR Report Execution
· Control Weakness #11 - SAP HR Reporting
· Control Weakness #12 - Generic Accounts
· Control Weakness #13 - Monitoring Procedures
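The periodic access review that Recommendation 13 calls for, as an added example that is not part of the audit report or of CIDA's own procedures: a Python script that reads an assumed CSV export of user-to-authorization-value assignments (columns user, owner, role, object, field, value, where owner is the name held in the account's text field; the sample rows are constructed) and flags the four configuration exceptions described above, reporting the same per-weakness user counts the audit cites. The P_ABAP field names REPID/COARS and the reading of COARS=2 as the override are assumptions to be verified against the documentation of the release in use.

```python
"""Access review for the SAP HR exceptions described in the audit: SE16 table
browsing, SA38/SE38 program execution, the P_ABAP reporting override and
generic accounts. Added example; not part of the audit report or CIDA's tools.

Input is an assumed CSV export of user-to-authorization-value assignments with
the columns user,owner,role,object,field,value ("owner" is the name held in
the account's text field). The sample rows below are constructed."""
import csv
import io
from collections import defaultdict

TABLE_BROWSER_TCODES = {"SE16"}            # Control Weakness #9
PROGRAM_EXEC_TCODES = {"SA38", "SE38"}     # Control Weakness #10

# Accounts the audit names as generic/shared. HRAIS01, HRAIS02, ... are not
# generic: each is tied to one person through the account's text field name.
KNOWN_GENERIC = {"WFADMIN", "WFADMIN2", "WFADMINTEST", "WORKFLOW",
                 "PHOENIX", "ACDI-CIDA"}

# Assumption (verify against your release's P_ABAP documentation): field COARS
# is the "degree of simplification"; 2 means the regular HR authorization
# checks are not run for the report named in REPID, which is the override the
# audit describes. "*" is treated the same way because it covers 2.
P_ABAP_OVERRIDE_VALUES = {"2", "*"}

# Constructed sample export; roles, names and the PERSA value are made up.
SAMPLE_EXPORT = """\
user,owner,role,object,field,value
JSMITH,Jane Smith,Z_HR_BRANCH_REPORTS,S_TCODE,TCD,SE16
JSMITH,Jane Smith,Z_HR_BRANCH_REPORTS,P_ORGIN,PERSA,AF01
JSMITH,Jane Smith,Z_HR_BRANCH_REPORTS,P_ABAP,REPID,RPLMIT00
JSMITH,Jane Smith,Z_HR_BRANCH_REPORTS,P_ABAP,COARS,2
HRAIS01,Pat Lee,Z_HR_SUPPORT,S_TCODE,TCD,PA30
HRAIS01,Pat Lee,Z_HR_SUPPORT,P_ABAP,REPID,RPLMIT00
HRAIS01,Pat Lee,Z_HR_SUPPORT,P_ABAP,COARS,1
WFADMIN,,Z_WORKFLOW_ADMIN,S_TCODE,TCD,PA30
WFADMIN,,Z_WORKFLOW_ADMIN,S_TCODE,TCD,SA38
BATCH01,,Z_BATCH,S_TCODE,TCD,SM37
"""


def review_access(export_text):
    """Return {user: sorted finding codes} for every user with at least one
    finding. Users with no finding are left out of the result."""
    by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_user[row["user"].strip().upper()].append(row)

    findings = {}
    for user, rows in by_user.items():
        codes = set()
        tcodes = {r["value"] for r in rows if r["object"] == "S_TCODE"}
        if tcodes & TABLE_BROWSER_TCODES:
            codes.add("CW9-TABLE-BROWSER")
        if tcodes & PROGRAM_EXEC_TCODES:
            codes.add("CW10-PROGRAM-EXECUTION")
        # A P_ABAP COARS value in the override set deactivates the HR checks,
        # whatever P_ORGIN restriction the same role carries.
        if any(r["object"] == "P_ABAP" and r["field"] == "COARS"
               and r["value"] in P_ABAP_OVERRIDE_VALUES for r in rows):
            codes.add("CW11-P_ABAP-OVERRIDE")
        # Generic: on the audit's list, or no person recorded in the text field.
        owner = rows[0]["owner"].strip()
        if user in KNOWN_GENERIC or not owner:
            codes.add("CW12-GENERIC-ACCOUNT")
        if codes:
            findings[user] = sorted(codes)
    return findings


def count_by_code(findings):
    """Users per finding code, the figure the audit reports (e.g. 129 users
    holding the P_ABAP override)."""
    counts = defaultdict(int)
    for codes in findings.values():
        for code in codes:
            counts[code] += 1
    return dict(counts)


def report_lines(findings):
    """Plain-text list for the periodic review called for in Recommendation 13."""
    lines = [f"{user}: {', '.join(codes)}" for user, codes in sorted(findings.items())]
    for code, n in sorted(count_by_code(findings).items()):
        lines.append(f"{code}: {n} user(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(review_access(SAMPLE_EXPORT))))
```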


Recommendations

7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.

8. It is recommended that IMTB should perform Privacy Impact Assessments in accordance with Treasury Board requirements.

9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.

10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured, be removed from end-user access profiles by IMTB.

11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and corrected by IMTB.

12. It is recommended that IMTB limit the use of generic accounts.

13. It is further recommended that IMTB, in conjunction with HRD and the SAP Support Group, develop a set of security monitoring procedures focused on reviewing lists of users with access to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction.

Management Responses

7. Agree. This was done in conjunction with item 13, SR 3462.

8. Agree. However, Privacy Impact Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIA's. IMTB is incorporating processes into the SR and System Development Procedures to identify systems changes and systems requests that may require PIA's; and, ensuring that System Owners and the Privacy Coordinator are informed. These assessments will be conducted and modified if needed. This comes under the SAP-HR Improvement Project (SHIP) initiative.

9. Agree. SR3194 was registered, addressed & completed in December 2004.

10. Agree. Transactions SE38 & SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 & SR3058. The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job, therefore cannot be removed.

11. Agree. HR Job roles were reviewed. SR3463 was opened.

12. Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not "generic" accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account. Access is being revised (through SR 3314) ensuring limited access to information. The "Phoenix" and "ACDI-CIDA" accounts are also being revised to ensure that minimal access is granted.

13. Agree. SR3462 was opened and appropriate configuration was done into SAP-HR to action this recommendation.

3.2. Observations Arising from the Benchmarking of the SAP Support Group Structure

The preliminary survey conducted prior to the execution of specific audits outlined that HRD currently has ten staff to maintain the SAP HR module. Further examination of the ten positions revealed that there is a Manager included in that figure who also has other responsibilities, as well as the following individuals as of May 4, 2004, and there is currently one full-time consulting SAP HR expert on site who provides expert advice on the development and implementation of the Salary Forecasting System:
· 2 Senior HR Systems Officers;
· 3 HR Systems Officers;
· 1 HR Junior System Officer;
· 2 Full Time Expert consultants;
· 2 Full time Junior consultants, and;
· 1 Full time SAP HR consultant.

The total number of support employees for SAP HR is eleven.


Table 1 - Benchmarking Data

| Area | Organization 1 (Public Sector) | Organization 2 (Public Sector) | Organization 3 (Public Sector) | Organization 4 (Public Sector) | CIDA |
|---|---|---|---|---|---|
| SAP HR Functionality | PA, PD, Time Entry (CATS) | PA, PD, Time Entry, Training & Events, Payroll | PA, PD, Time Entry, Training & Events, Payroll | PA, PD, Time | PA, PD |
| Approximate Number of SAP HR Users | 500 (excluding employee self-service) | 2,000 | 2,500 | 290 | 300 |
| Number of Employees | 3,500 | 45,000 | 43,000 | 9,600 | 1,550 |
| Number of Support Employees | 1.25 | 50 | 40 | 3.25 | 11 |
| Number of SAP HR Consultants in Support Group | .25 | 5 (module (programmer) experts) | 10 (module experts, 0 programmers) | 4 | |
| Ratio of Support Group to Users | 1:400 | 1:40 | 1:63 | 1:90 | 1:27 |
| Ratio of Support Group to Employees | 1:2800 | 1:900 | 1:1075 | 1:2950 | 1:141 |
| HR Master Data Maintenance Model | Decentralized | Decentralized | Decentralized | Centralized | Decentralized |


Table 1 summarizes the results of the benchmarking survey that was conducted for 4 public sector organizations that currently use some components of the SAP HR module. Two key ratios, the ratio of support group employees to users and the ratio of support group employees to employees, were calculated and used as the primary basis for comparison of their support structures versus CIDA's. Based on the comparative ratios, CIDA's SAP HR support group composition should be between 1 and 2 full time equivalents. As outlined in Table 1, CIDA's ratios of support personnel to active employees and of support personnel to users are significantly lower than those of the other organizations, and near the middle of the pack based on the number of users.

The figures point to an overstaffing situation within the SAP HR support group; however, other factors must be taken into consideration. Specifically, the following differences were noted:
· Individuals within the support group are currently working on the implementation of new functionality (SFS);
· The support group is currently leading and/or performing data quality activities for clean up purposes, which is ultimately outside of the scope of their mandate for delivery; and,
· Other organizations included in the benchmarking survey have training super users within the individual user groups, whereas CIDA has kept the notion of centralized support.

Furthermore, the SAP support group is currently meeting their specific service level agreement timelines, with a minimum of spare resource cycles, as was noted in our interviews. Finally, as the SFS moves into the production environment, additional support requirements will be created to cover the new functionality and end user support requirements. If the SAP support group is to be reduced, functions currently being undertaken by individuals within this group will need to be performed by the business functions. Specifically, the responsibility for data quality and verification would need to be shifted to the Branches and support functions (i.e. IMTB) within CIDA.

Recommendation

14. It is recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.

Management response

14. Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play, including but not exclusively those recommended in the audit report.


CIDA is the only government department in Schedule I.1 of the Financial Administration Act that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared intergovernment system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources. This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module. We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA.

Initiatives In Play:

1. The increasing interest in the government-wide Shared Services initiatives for "corporate" functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application.

2. Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources. HRD is contributing to this review and will implement the decisions, once known.


3.3 Observations Arising from the Assessment of SAP HR Functionality

Within the preliminary survey and within the interviews conducted as part of this and other audits of HR related activities, a number of observations were made with regards to the functionality of the HR system. Comments ranged from the lack of useable reports to lack of understanding of system functionality. SAP HR functionality and set-up are complex areas to understand. After obtaining a high-level understanding of the business needs for SAP HR within CIDA and after reviewing the set-up and effectiveness of the application's control framework, we found that all of the expected functionality required to perform daily activities related to the movement of employees, the management of the organizational structure, and the entry and approval of time and leave requests has been implemented. Therefore, the basic needs for the management of employee information and organizational structure, as well as leave and overtime processing, are being met by the current system.

Nevertheless, two specific observations have come to our attention. First, there is a need for additional business training to be provided to users of the HR functionality. Current training programs are focused on the technical data entry steps of SAP transactions without necessarily providing participants with background as to the importance of their work and its impact on decision-making. Second, difficulties in reporting on SAP information are experienced by a large number of organizations, including CIDA. However, a significant number of standard SAP reports are delivered with the application and CIDA has developed custom reports to serve its users. If users feel that they are lacking information, specific causes could be a lack of understanding of the report output contents, reports that do not meet end user requirements and/or overall data integrity issues.

Recommendations

15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.

16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs. If additional reports or information are required, we further recommend that additional reports be developed. Alternatively, if the examination identifies gaps in report understanding, we recommend that action plans be developed to close the gaps through additional training.


Management responses

15. Agree. A corrective action plan is underway to ensure that:
· SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation);
· Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects);
· SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and
· End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner.
This comes under the SAP-HR Improvement Project (SHIP) initiative.

16. Agree. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users. Clean up of data, documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan. Assuming SAP-HR is still the module of choice, during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements.


Conclusion

Our audit was specifically designed to meet the objectives outlined in section 2 of the report. It was conducted in accordance with generally accepted auditing standards.

With respect to the accuracy and integrity of the information emanating from the SAP application, the results of our audit enable us to conclude that the functionality required to support the business needs of HRD and the Agency overall has been implemented. However, some areas for improvement in the effectiveness and efficiency of the business processes and reporting have been identified and provided as recommendations within the body of the report. Data integrity must also be improved, as personnel movements are not being reflected on a timely basis for all required updates. Opportunities for improvement of the control framework also exist through increased monitoring of changes to master data elements, and through the performance of periodic data quality reviews by the Branches and other business owners within the Agency.

An adequate framework for the design of user access privileges has been developed to protect sensitive information and to ensure that access to perform critical maintenance functions for HR data is appropriately restricted. The audit indicated, however, that there are currently some security configuration issues that must be addressed and, as well, the use of generic accounts must be investigated and corrected to ensure that the designed framework of controls is properly implemented.

Based on the results accumulated through a benchmarking survey, the size of the SAP HR support group is larger than those of the organizations polled. However, CIDA's support group provides a broader range of services to the user population than the majority of the other organizations used as a benchmark. Therefore, once the new SFS functionality is implemented and subsequent to the data cleanup task, CRC should determine the size of the SAP HR support group in accordance with its expected return on investment.

Finally, in terms of an assessment of the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall, the distinction must be drawn between system-based controls and management/monitoring controls outside the system. For the system-based controls, with the exception of the identified security configuration and access problems, the business process appears to be well supported by the SAP HR module. The audit revealed, however, that improvement is required in the supporting management and monitoring processes that are required to ensure that system transactions are recorded as intended.


Appendix A - Summary of Audit Recommendations

Project: SAP HR Audit
Number of Recommendations: 16
Status categories: Completed, Ongoing, Work in Progress

Internal Audit of SAP HR

1. It is recommended that the HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.
Management's Response: Agree that rationalization of leave and overtime approval authorities are required to reflect EX acting situations that do not result in changes to rates of pay but disagree with the proposed corrective action plan. The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situation in the SAP system now, without a system configuration. The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices. HRD to send reminders to BMOs of the requirement and method to amend reporting relationships for the purposes of SAP-HR leave and overtime administration. Procedure will be incorporated into the SHIP action plan.

2. It is recommended that HRD, in collaboration with IMTB and the Branches develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility and will also identify acting situations that have not been recorded and/or expired acting situations that have not been recorded. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by the HRD.
Management's Response: Agree. HRD, in collaboration with IMTB and the branches will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situation within the manager's own branch. Also, HRD will assess the integrity of the organizational structures at the Agency level. Roles and responsibilities will be defined and process installed through the SAP-HR Improvement Project (SHIP) initiative. Business process and definition of roles and responsibilities through the SAP-HR Improvement Project (SHIP) initiative.
Date: March 31, 2006
Status: Part of SHIP action plan.

3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application every 4 months.
Management's Response: Agree. Files are being created to compare data between "On-Line Pay" System and SAP-HR employee's position classification and pay scale. This comes under the SAP-HR Improvement Project (SHIP) initiative - Enhancement of Quality control.
Date: December 2005
Status: Part of the SHIP action plan

4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group correct the configuration of the security role for the Branch Administrators and to eliminate the ability to submit and approve their own overtime and leave requests. Specifically, the Branch Administrators access should be limited to submitting their own requests for subsequent approval by their Supervisors.
Management's Response: Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.
Status: COMPLETED

5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.
Management's Response: Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leaves calendar to ensure that leave taken is recorded appropriately. HRD will send out a reminder to managers to this effect. A new tool to be launched in September 2005, Manager Self Services (MSS), will assist managers in this regard.
Date: August 2005; September 2005
Status: In progress

6. It is recommended that IMTB, in cooperation with the SAP HR Support group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers as they can currently create new positions without intervention from Classification Division. This configuration will allow the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles & responsibilities.
Management's Response: Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system. The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the Branch Administrator's role is being reviewed to limit their access when creating a position for classification. Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAO. This comes under the SAP-HR Improvement Project (SHIP) initiative.
Date: March 2006
Status: Part of the SHIP action plan

7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.
Management's Response: Agree. This was done in conjunction with item 13, SR 3462.
Date: March 2005
Status: Completed

8. It is recommended that HRD should perform Privacy Impact Assessments in accordance with Treasury Board requirements.
Management's Response: Agree. However, Privacy Impact Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIA's. IMTB is incorporating processes into the SR and System Development Procedures to identify systems changes and systems requests that may require PIA's; and, ensuring that System Owners and the Privacy Coordinator are informed. These assessments will be conducted and modified if needed. This comes under the SAP-HR Improvement Project (SHIP) initiative.
Date: March 2006
Status: Part of SHIP action plan

9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.
Management's Response: Agree. SR3194 was registered, addressed & completed in December 2004.
Date: December 2004
Status: COMPLETED

10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses transactional and reporting restrictions configured be removed from end-user access profiles by IMTB.
Management's Response: Agree.
· Transactions SE38 & SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 & SR3058.
· The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job, therefore cannot be removed.
Date: June 2004
Status: COMPLETED

11. It is recommended that the Agree configuration of the P_ABAP March 2005 authorization object be reviewed and HR Job roles were reviewed. SR3463 was opened. corrected by IMTB. 12. It is recommended that IMTB limit Agree the use of generic accounts. March 2005 Workflow related accounts (as referred to on page 16 of the audit report) are not "generic" accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account. Access is being revised (through SR 3314) ensuring limited access to information. The "Phoenix" and "ACDI-CIDA" accounts are also being revised to ensure that minimal access is granted. 13. It is further recommended that Agree IMTB, in conjunction with HRD and the March 2005 SAP Support Group, develop a set of SR3462 was opened and appropriate configuration security monitoring procedures focused was done into SAP-HR to action this on reviewing lists of users with access recommendation. to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction. 14. We recommended that CRC Agree that resource levels should be validated but determine the required staffing levels suggest that this be done in concert with other for the SAP HR Support group after the initiatives currently in play, including but not current data cleanup task has been exclusively those recommended in the audit report.

Internal Audit Report ­ July 7, 2005 Canadian International Development Agency

COMPLETED

COMPLETED

COMPLETED

29

Internal Audit of the SAP HR System

Recommendations

Management's Responses

Date

Status

completed and after the SFS functionality has been implemented.

CIDA is the only Schedule 1.1 government department that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared inter-government system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources. This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module. We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA.

Initiatives In Play:

1. The increasing interest in the government-wide Shared Services initiatives for "corporate" functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application.

2. Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources. HRD is contributing to this review and will implement the decisions, once known.

Date: Ongoing

Status:

1. With the approval of CRC and under the direction of the CIO, an inter-Branch project team is being established to assess the impacts and implications of the Shared Services Initiative on the SAP system, including the SAP-HR module. Work has begun in HRD through the establishment of an internal working group to discuss HR business process flow requirements, identify SAP-HR changes and engage end-users in the clean up of data and the application of revised procedures.

2. HRCSB internal review in progress.

Internal Audit Report - July 7, 2005 Canadian International Development Agency

Recommendation 15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.

Management's Response: Agree. A corrective action plan is underway to ensure that:
· SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation);
· Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects);
· SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and
· End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner.
This comes under the SAP-HR Improvement Project (SHIP) initiative.

Date: March 2006

Status: Work in progress

Recommendation 16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs. If additional reports or information is required, we further recommend that additional reports be developed. Alternatively, if the examination identifies gaps in report understanding, we recommend that action plans be developed to close the gaps through additional training.

Management's Response: Agree. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users. Clean up of data, documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan. Assuming SAP-HR is still the module of choice, during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements. This comes under the SAP-HR Improvement Project (SHIP) initiative.

Date: March 2006; March 2007

Status: Part of the SHIP action plan; Last phase of the SHIP action plan


Appendix B - Control Objectives/Audit Criteria for the SAP HR Process Review

The following control objectives/audit criteria were developed during the planning phase of this audit to capture the required audit criteria on which to base the assessment of the control framework and the security access rights. The criteria have been segregated to reflect the sub-processes that form the basis for the SAP HR supported process.

HR Master Data
1. All changes to the SAP HR and payroll master files are complete, valid and timely.
2. Agency employee information transferred to the Compensation Systems is accurate, valid and timely.
3. Terminated employees are removed from the payroll master file and all deletions are valid (and are within statutory requirements).

Leave and Overtime Recording
4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized.

Organizational Management
5. All valid changes to organizational units, positions and other master data are accurate, valid, timely and in accordance with relevant legislation.

Security and Privacy
6. Access to personal/sensitive information is adequately restricted to only authorized individuals.
7. Segregation of duties is appropriate and system access is restricted to authorized personnel.


Appendix C - SAP HR Control Framework

REVIEW OF SAP HR SYSTEM
CANADIAN INTERNATIONAL DEVELOPMENT AGENCY

MARCH 31, 2004

DRAFT


INTRODUCTION

This document analyzes the control framework within a particular application or process. For each process reviewed, the following documents were prepared:
1. Flow Diagram
2. Control Framework and Evaluation Matrix
3. Process Descriptions

The application flow diagram aims to convey the most important elements of the process and as a result, certain infrequent or insignificant detail is intentionally omitted. The following icons are used on the diagrams:
· Control Points (numbered icons: 1, 2, ...);
· Financial/Business Exposure;
· Main Flow of Transactions.

The above icon types cross-refer to the control evaluation matrix, which compares the identified controls to the control objectives for the area and assesses the degree to which the objectives are supported by controls. The following icons are used on the control evaluation matrix:
· The identified control supports this control objective;
· Weaknesses were found for this control.

A description of the control or weakness can also be found on the control evaluation matrix. Blue text indicates a control and red text indicates a weakness or inefficiency.


SCOPE OF THIS REVIEW

This review considered controls and weaknesses throughout the SAP HR System. The review included discussions with CIDA staff and testing of certain system and manual control activities.

Control Evaluation Matrix (columns: Description; Control Objective; Control/Weakness; Control/Weakness Reference)

HR Master Data Maintenance
1. All changes to the SAP HR master files are accurate, complete, valid and timely.
2. Agency employee information entered into the Compensation system is accurate, complete, valid and timely.
3. Terminated employees are removed from the payroll master file and all deletions are valid.

Leave and Overtime Recording
4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized.
5. Overtime entered is accurate and valid and calculated in accordance with collective agreements.

Organizational Management
6. All changes to organizational units, positions and other org structure data elements are timely, accurate, valid and complete.

Security & Privacy
7. Access to personal/sensitive information is restricted to only authorized individuals.
8. Segregation of duties is appropriate and system access is appropriately restricted to authorized personnel.

Assertion cells recorded in the matrix (Accuracy, Validity, Completeness, Cut-off): Accuracy/Validity; Accuracy/Validity/Completeness/Cut-off; Accuracy/Validity/Completeness/Cut-off; Accuracy/Validity/Completeness/Cut-off; Validity/Accuracy; Accuracy/Validity; Validity; Validity/Completeness/Accuracy.

HR MASTER DATA MAINTENANCE

SAP Security for HR Master Data (control point 1)
The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.

SAP Input Controls for Master Data (control point 2)
Mandatory fields are configured for infotypes included in personnel files within SAP, in order to ensure that all relevant information is captured. Personnel actions (a grouping of functionality to accomplish specific HR activities such as hiring) have been configured for major HR administrative tasks to ensure that all relevant infotypes are completed for personnel related activities. Time constraints, an element of SAP configuration that specifies whether infotypes must be populated, have also been configured at the infotype level to control the completeness of infotypes within an on-line personnel file.

Acting Assignments (weakness 1)
Selected acting situations (i.e. one month or above) that do not affect pay are currently not entered into SAP. For example, an EX-01 employee acting at an EX-02 level is currently not entered into the system until 3 months have elapsed. The lack of update of the org structure has an impact on the proper routing of workflow items for approval. In addition, it was further noted that expired acting situations were not updated in SAP on a timely basis.

Planned Compensation (control point 3)
Pay scales that are aligned with the relevant public sector collective agreements have been configured in SAP. Changes to the collective agreements are controlled through the formal Service Request process at CIDA.

Integration with Org Management (control point 4)
Pay scale/salary information is defaulted into the personnel file (infotype 0008) based on information stored on the position master record. However, users can change the information brought in to accommodate Salary Protected employees (employees that have been designated as surplus and given a lower classification, but still paid at their previous pay rate).

Monitoring Reports for HR Master Data (weakness 2)
There is currently no formalized review and/or approval of active employee listings, staffing reports or organizational charts by the Responsible Managers or Financial Authorities on a periodic basis.

PWGSC Reconciliation with SAP (weakness 3)
There is currently no formal reconciliation of employee pay rates in the PWGSC On-Line Pay system to the records in SAP.

LEAVE AND OVERTIME RECORDING

SAP Security for Leave and Overtime (control point 5)
The SAP security and authorization concept is utilized to restrict the ability to unlock/approve requests for leave (SAP transactions ZAPT, PA61).

Leave Entitlement Validation (control point 6)
Prior to the completion of a leave request, SAP verifies that the employee is entitled to the type of leave requested and that the minimum/maximum amounts requested are in line with the appropriate collective agreement provisions. The SAP Time Evaluation functionality is utilized to perform the check.

Quota Balances (control point 7)
Prior to completing the on-line approval transaction, SAP automatically verifies whether an employee has an adequate leave entitlement remaining to accommodate the request. If the quantity remaining is insufficient, the Supervisor is not permitted to save/approve the application. The SAP Time Evaluation functionality is utilized to perform the check. Upon successful approval of leave, SAP automatically updates the quota balance(s) for an employee.

SAP Security for Leave and Overtime Approvals (control point 8)
The SAP security and authorization concept is utilized to restrict the ability to unlock/approve submitted overtime records.

Unauthorized Approval of Overtime (weakness 4)
Situations have been noted where employees were able to submit their requests for paid overtime and approve their own requests. This could result in unauthorized overtime payments being generated for employees.

Monitoring of Leave Balances (weakness 5)
There are currently no processes or procedures in place to perform a periodic review of employee leave balances, to ensure that all leave taken is being recorded in SAP.

ORGANIZATIONAL MANAGEMENT

SAP Security for Org Management (control point 9)
The SAP security and authorization concept is utilized to restrict the ability to update position master data to appropriate personnel.

SAP Input Controls for Org Management (control point 10)
Mandatory fields are configured for organizational management infotypes, in order to ensure that all relevant information is captured. Actions have also been configured for key organizational structure maintenance activities to ensure that all relevant infotypes are completed for the creation of new objects (i.e. positions). Time constraints have also been configured at the infotype level to control the completeness of infotypes for these objects.

Position Master Record Maintenance (weakness 6)
Branch Administrative Officers currently have access to create, approve and activate new positions without the Classification Division reviewing the appropriateness of the classification data. Branch Administrative Officers also have the ability to perform personnel movements. To mitigate this segregation of duties risk, the SAP HR Support Group created monitoring reports for Classification to review; however, it was noted that the reports are currently not being reviewed on a regular basis by the Classification Division.

SECURITY & PRIVACY

Security/Privacy of HR Data (control point 11)
The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.

Non SAP HR Support Group Access (weakness 7)
Non-HR SAP support individuals currently have the ability to maintain critical infotypes such as infotype 0008 (basic pay).

Privacy Impact Assessment (weakness 8)
A formal Privacy Impact Assessment has not been performed since the initial implementation of SAP HR, and some significant changes have either been implemented or are planned for implementation.

SAP HR Table Access (weakness 9)
An excessive number of users have the ability to view personal information through direct query of HR tables (through transaction SE16).

SAP HR Report Execution (weakness 10)
An excessive number of end-users have the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured.

SAP HR Reporting (weakness 11)
The configuration around SAP HR reporting is currently not in accordance with best practices. Specifically, the configuration of authorization P_ABAP has effectively deactivated a level of data restrictions (i.e. at the Branch level), allowing users to see information (personal and non-personal) for individuals outside of their areas of responsibility.

Generic Accounts (weakness 12)
There are currently generic/shared accounts that have access to perform update and reporting functions for HR information.

Monitoring Procedures (weakness 13)
There are currently no monitoring procedures in place to periodically review and validate viewing and update access listings for key HR functions within the system.

Summary of Controls and Weaknesses

Control Objective Met - Weaknesses Noted
Control Objective Met - Weaknesses Noted
Control Objective Met - Weaknesses Noted
Control Objective Met
Control Objective Met - Weaknesses Noted
Control Objective Met - Weaknesses Noted
Control Objective Met - Weaknesses Noted
Control Objective Met - Weaknesses Noted
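As an added example (not part of the audit report and not CIDA's configuration), the script below performs the kind of periodic access review that weakness 13 calls for, over a constructed export of user authorizations, and flags the conditions reported as weaknesses 7, 9, 10 and 12. The transaction codes (PA30, PA40, SE16, SA38, ZAPT, PA61) and infotype 0008 come from the framework above; the user names, groups, ceilings and the `personal` flag are assumptions made for the example.

```python
"""Periodic review of HR access rights (added example, constructed data).

The export below does not reflect CIDA's actual users, roles or configuration.
Transaction codes and infotype 0008 are those named in the control framework;
the group names, ceilings and the 'personal' flag are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserAccess:
    user: str
    group: str             # assumed organisational grouping of the user
    tcodes: frozenset      # transactions the user is authorized to start
    infotypes: frozenset   # infotypes the user may maintain via PA30/PA40
    personal: bool = True  # False marks a generic/shared (non-personal) account


def _ua(user, group, tcodes, infotypes=(), personal=True):
    return UserAccess(user, group, frozenset(tcodes), frozenset(infotypes), personal)


# Constructed authorization export (not real data).
ACCESS_EXPORT = [
    _ua("BAO_A", "Branch Administration", ["PA30", "PA40", "ZAPT"], ["0000", "0001"]),
    _ua("CBA_1", "Compensation and Benefits", ["PA30", "ZAPT", "PA61"], ["0008"]),
    _ua("HRSUP1", "SAP HR Support Group", ["PA30", "PA40", "SE16", "SA38"], ["0008"]),
    _ua("BASIS2", "SAP Basis Support", ["PA30", "SE16", "SA38"], ["0008"]),
    _ua("FICO3", "SAP Finance Support", ["SE16", "SA38"]),
    _ua("ANALYST4", "Corporate Reporting", ["SE16"]),
    _ua("HRBATCH", "Interface", ["PA30", "SA38"], ["0008"], personal=False),
    _ua("MGR_5", "Line Management", ["ZAPT", "PA61"]),
]

CRITICAL_INFOTYPES = frozenset({"0008"})        # basic pay
HR_UPDATE_TCODES = frozenset({"PA30", "PA40"})  # personnel master data maintenance
# Groups the example treats as the HR business/support side (assumption).
HR_GROUPS = frozenset({"Branch Administration", "Compensation and Benefits",
                       "SAP HR Support Group"})


def non_hr_critical_maintainers(export):
    """Weakness 7: users outside the HR groups who can maintain critical infotypes."""
    return sorted(u.user for u in export
                  if u.group not in HR_GROUPS
                  and u.tcodes & HR_UPDATE_TCODES
                  and u.infotypes & CRITICAL_INFOTYPES)


def users_with_tcode(export, tcode):
    """Users able to start a given transaction, e.g. SE16 (weakness 9) or SA38 (10)."""
    return sorted(u.user for u in export if tcode in u.tcodes)


def excessive_tcode_holders(export, tcode, max_users):
    """Return the holder list when it exceeds the agreed ceiling, otherwise []."""
    holders = users_with_tcode(export, tcode)
    return holders if len(holders) > max_users else []


def generic_accounts_with_hr_access(export):
    """Weakness 12: shared accounts able to update or report on HR data."""
    reporting_or_update = HR_UPDATE_TCODES | {"SE16", "SA38"}
    return sorted(u.user for u in export
                  if not u.personal and u.tcodes & reporting_or_update)


def review_listing(export):
    """Weakness 13: per-user view/update listing for the periodic validation."""
    listing = {}
    for u in export:
        listing[u.user] = {
            "update": sorted(u.tcodes & HR_UPDATE_TCODES),
            "view": sorted(u.tcodes & {"SE16"}),
            "bypass": sorted(u.tcodes & {"SA38"}),  # bypasses tx/report restrictions
            "critical_infotypes": sorted(u.infotypes & CRITICAL_INFOTYPES),
        }
    return listing


def run_review(export, max_se16=2, max_sa38=2):
    """Collect the findings a reviewer would sign off on; ceilings are assumptions."""
    return {
        "non_hr_critical": non_hr_critical_maintainers(export),
        "se16_excessive": excessive_tcode_holders(export, "SE16", max_se16),
        "sa38_excessive": excessive_tcode_holders(export, "SA38", max_sa38),
        "generic_accounts": generic_accounts_with_hr_access(export),
    }


if __name__ == "__main__":
    for finding, users in run_review(ACCESS_EXPORT).items():
        print(f"{finding}: {users}")
```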


Process Description

HR Master Data

A Branch first identifies a staffing need and an appropriate HR/staffing activity is undertaken to fulfill the requirement. Possible scenarios for filling the position include an internal transfer within CIDA, a new employee, a secondment or an acting situation among others. After the staffing events have been completed, the HR Advisor/Assistant prepares two copies of the letter of offer and sends them to the candidate. Upon receiving the decision from the candidate, the HR Advisor/Assistant updates the Eligibility List in SAP (transaction ZEGB in SAP). If the candidate declines the offer, then the HR Advisor/Assistant selects the next qualified candidate from the eligibility list, and continues the process until a candidate accepts. A letter of offer is then produced and sent to the chosen candidate for acceptance.

The letter of offer also represents the notification/trigger for an entry in the SAP HR system. No SAP system updates (with the exception of the updates to the Eligibility List) are performed prior to the signed letter of offer being received by the HR Advisor/Assistant. Once the candidate accepts the offer, a signed copy of the letter of offer is returned to the HR Advisor/Assistant, a copy is filed, and the announcement is posted on Entre-Nous (CIDA's Intranet site). The HR Advisor/Assistant is also responsible for managing the appeal process. After the appeal period has expired, the HR Advisor/Assistant makes three copies of the letter of offer, and sends one each to the Compensation and Benefits Advisor, the Branch Administrative Officer for the hiring Branch, and the Employment Equity Division. Upon receipt of the signed letter of offer, the Branch Administrative Officer performs the necessary action (i.e. hiring, promotion, transfer) in the SAP system and enters the relevant information from the letter of offer. The Compensation and Benefits Advisor verifies the accuracy of the salary, bilingual bonus (if applicable), and the date of the next statutory increase. Should any corrections be required, the Compensation and Benefits Advisor makes the appropriate entries.

For all of the staffing needs noted above, and for other types of personnel movements (transfers within CIDA, terminations, etc.) or other personnel file updates (salary changes, change in work hours, etc.), a requirement for the entry of HR information into SAP arises. Each requirement is supported and/or initiated by the receipt of appropriate, approved documentation. The data entry functions are shared amongst a small number of groups within the Agency depending on the nature of the update required. Pre-configured HR actions are utilized during the creation and/or maintenance of an employee's file in the system. SAP HR actions essentially walk users through a system-based sequence to complete the required elements of information for a given HR activity (such as hiring, termination, transfer, etc.). Actions configured in SAP for personnel movements are (presented along with the group responsible for performance of the update):

· 01 - Take on Strength (TOS) - Branch Administration Officers
· 02 - Struck off Strength (SOS) - Advisor, Pay and Benefits
· 04 - Extension - Branch Administration Officers
· 05 - Change: Basic Salary/Work Hours - Branch Administration Officers, Advisor, Pay and Benefits
· 06 - Change of Position/Pay/Status - Branch Administration Officers, Assignment Division, Languages Program and Education Leave Advisor
· 07 - Rehabilitation - Advisor, Pay and Benefits
· 08 - Re-Entry after SOS/New Sec.In - Branch Administration Officers
· 13 - Temporary Struck Off Strength - Branch Administration Officers, Advisor, Pay and Benefits, Assignment Division, Languages Program and Education Leave Advisor
· 14 - Re-Taken on Strength (RTOS) - Branch Administration Officers, Advisor, Pay and Benefits
· 15 - Assignment/Sec.Out (LWP) - Branch Administration Officers, Assignment Division, Languages Program and Education Leave Advisor
· 16 - Secondment in - Branch Administration Officers
· 18 - Return to Substantive Position - Branch Administration Officers
· 19 - End of Secondment-In - Branch Administration Officers
· 22 - Acting Situation - Branch Administration Officers

For each of the actions, a series of infotypes appear in a pre-determined sequence. An infotype is a grouping of information that is entered/shown on a specific screen in SAP. For example, basic pay/salary information is stored on infotype 0008. After the successful completion of one of the actions listed above, the employee's personnel file in SAP is updated. In addition, the assignment of employees to positions within the organizational structure in SAP is automatically updated through this process if the action involves movement of personnel into, within or outside of the Agency.

Employees are paid by PWGSC on behalf of Treasury Board through the On-Line Pay application. As such, the basic pay and other entitlements information (with the exception of leave and overtime described in the Time Recording section below) captured in SAP is currently not directly relevant for payroll purposes. With the introduction of the Salary Forecasting System (SFS), however, this information will be used in the forecasting of salary costs for budgeting/planning purposes.

The Compensation and Benefits Directorate (and specifically, the Compensation and Benefits Advisors) are responsible for data entry of payroll and benefits changes into the PWGSC On-Line Pay application. The Compensation and Benefits Advisors are notified of any new hirings, promotions or other changes through the receipt of a letter of offer, approved by the relevant certified HR Practitioner (i.e. HR Advisor/Assistant). The Compensation and Benefits Advisors also handle payroll enquiries from employees. Should any adjustments to employee pay records be required, the Compensation and Benefits Advisors perform the update in the PWGSC compensation system and notify the appropriate Branch Administrative Officer. Corrections to an employee's information are made by the appropriate person, depending on what action is required in the system (see list of actions above).

Leave and Overtime Recording

CIDA has developed a custom SAP solution for the collection of the following time related data:
· Requests for leave; and,
· Overtime.

Leave

Employees are responsible for entering their own leave requests either directly into SAP (transaction ZAPT) or through the use of the Employee Self-Service (ESS) application. For requests for leave, the SAP system automatically verifies whether the employee is entitled to the type of leave being requested and whether the number of days falls within the pre-established minimum and maximum days allowed. Leave entitlements are defined in the collective agreements for each category/classification of employee. For valid requests, the employee's entries are saved in a "locked" status in the system and are not granted until an approval from the employee's supervisor is provided. SAP workflow functionality is used to route the request to the employee's Manager for approval based on the reporting relationships defined in the SAP organizational structure. The supervisor must then approve/"unlock" the transaction in the system for the item to be completed. This is achieved through either transaction ZAPT, PA61, the SAP Business Workplace (transaction SBWP) or via Lotus Notes. At the time of approval, SAP verifies whether or not the employee has the requisite amount of vacation entitlement remaining. Should an adequate balance not exist, the supervisor is not able to complete the approval function (i.e. unlock and save the request). Upon successful completion of the approval, the employee's corresponding quota/bank of leave is also reduced by the approved amount.

On an annual basis (March 31), vacation payouts are calculated and recorded for unused balances that cannot be carried forward to the subsequent year. The Quota Balance Report (RPTBAL00 in SAP) is executed by the Compensation and Benefits Advisor and the excess entitlements are automatically calculated by SAP. The excess entitlement is defined as the amount over and above the allowable carry-forward number of days (i.e. 35 days). Responsible financial authorities within the Agency are then notified of the amounts applicable for their areas of responsibility for budget planning purposes. The Branch Administration Officers also have the ability to execute the report throughout the year if required. The amounts to be paid are then entered into the PWGSC compensation system by the Compensation and Benefits Advisor for settlement.

Overtime

Employees must also enter their own overtime information through the ESS application. As with the requests for leave, any overtime worked and recorded must be approved/unlocked by the employee's supervisor. Overtime can either be paid in cash or banked. The employee makes the choice at the time of entry into the system. Nevertheless, to be paid and/or banked, the request must be changed into unlocked (approved) status. For employees who have selected to have their overtime paid in cash, the total number of hours of overtime entitlements is calculated by SAP (i.e. 1.5 times the hours worked, 1.75 times the hours worked, etc.) through the execution of the approved overtime report (transaction ZAHRPAYOTREP) by the Compensation and Benefits Advisor. The Compensation and Benefits Advisor then enters the number of hours into the PWGSC On-Line Pay system for payment to the employee.

On an annual basis (October 1), unused banked overtime balances are identified and settled with employees. The process followed is the same as outlined above for the settlement of unused, excess vacation balances.

Organizational Management

Within the Organizational Management side of SAP HR, CIDA captures information on organizational units (responsibility centers) and positions. Changes to the organization structure are initiated by the Branches and entered into SAP by the Branch Administrative Officers. Per the CIDA business process, the Branch Administrative Officer creates the position in a "planned" status within the system. Subsequently, either the Branch Administration Officer or the Manager changes the status from planned to "submitted". The Classification Officer is then responsible to ensure that the position is assigned the proper classification by reviewing the data in the system; the Classification Officer is also responsible for making any adjustments necessary to the classification. Required information includes the identification of a supervisor/subordinate relationship, a pay scale (pay grade and step) and classification information among others. Once the Classification Officer has reviewed a position, the entry can either be moved to "approved" or "rejected" status. If the position is approved, it is then made active and integrated into the organizational structure for CIDA. If the position is rejected, the Branch Administration Officer is notified and the organizational structure is not updated. Pre-configured actions that walk users through the sequence of required infotypes for creation of organization units and positions within SAP are also used.

Security & Privacy

A role based security strategy has been developed and configured to provide users with access to only those transactions and infotypes required for their job functions. SAP security configuration is also utilized to protect personal information such as employment equity information, home address and qualifications recorded on specific infotypes. Finally, users are limited to viewing and maintaining HR information for only those employees within their area of responsibility. For example, the design calls for Branch Administrative Officers to be limited to performing tasks and viewing information for only those employees within their Branch.
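The leave and overtime lifecycle described under Leave and Overtime Recording, modelled as an added example (not CIDA's SAP configuration or code): the entitlement and min/max check at entry, the request held in "locked" status until the supervisor derived from the org structure unlocks it, the quota check and reduction at approval, the March 31 excess over the 35-day carry-forward limit, and the 1.5/1.75 overtime multipliers. Personnel numbers, categories, supervisors, quotas and the per-category leave rules are constructed assumptions.

```python
"""Leave and overtime workflow model (added example, constructed data).

Everything in LEAVE_RULES and demo() is assumed for the example; the 35-day
carry-forward limit and the lock/unlock, quota and multiplier behaviour follow
the process description.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CARRY_FORWARD_LIMIT = 35.0  # vacation days that may be carried forward

# Assumed rules per employee category: leave type -> (min days, max days).
LEAVE_RULES = {
    "PM": {"VAC": (0.5, 25.0), "SICK": (0.5, 15.0)},
    "EX": {"VAC": (0.5, 30.0), "SICK": (0.5, 15.0)},
}


@dataclass
class Employee:
    pernr: str                 # personnel number (constructed)
    category: str              # classification used to select LEAVE_RULES
    supervisor: Optional[str]  # approver per the org structure (None at the top)
    quotas: Dict[str, float]   # leave type -> remaining days


@dataclass
class LeaveRequest:
    pernr: str
    leave_type: str
    days: float
    status: str = "LOCKED"     # LOCKED until the supervisor unlocks/approves it


class LeaveSystem:
    def __init__(self, employees: List[Employee]):
        self.emp = {e.pernr: e for e in employees}
        self.requests: List[LeaveRequest] = []

    def validate(self, pernr: str, leave_type: str, days: float) -> Optional[str]:
        """Entry-time checks: entitlement to the type and the min/max range."""
        rules = LEAVE_RULES[self.emp[pernr].category]
        if leave_type not in rules:
            return f"{pernr} is not entitled to leave type {leave_type}"
        lo, hi = rules[leave_type]
        if not lo <= days <= hi:
            return f"{days} days is outside the allowed range {lo}-{hi}"
        return None

    def submit(self, pernr: str, leave_type: str, days: float) -> LeaveRequest:
        """Valid requests are saved in LOCKED status; invalid ones are rejected."""
        error = self.validate(pernr, leave_type, days)
        if error:
            raise ValueError(error)
        req = LeaveRequest(pernr, leave_type, days)
        self.requests.append(req)
        return req

    def approve(self, req: LeaveRequest, approver: str) -> str:
        """Unlock step: only the org-structure supervisor may approve (never the
        requester), and the remaining quota must cover the request."""
        emp = self.emp[req.pernr]
        if req.status != "LOCKED":
            return "ALREADY_PROCESSED"
        if approver == req.pernr or approver != emp.supervisor:
            return "NOT_SUPERVISOR"
        if emp.quotas.get(req.leave_type, 0.0) < req.days:
            return "INSUFFICIENT_QUOTA"  # supervisor cannot unlock and save
        emp.quotas[req.leave_type] -= req.days
        req.status = "UNLOCKED"
        return "APPROVED"

    def year_end_excess(self, leave_type: str = "VAC") -> Dict[str, float]:
        """March 31 step: balance above the carry-forward limit, per employee."""
        return {p: max(0.0, e.quotas.get(leave_type, 0.0) - CARRY_FORWARD_LIMIT)
                for p, e in self.emp.items()}


def overtime_hours_payable(entries: List[Tuple[float, float, str]]) -> float:
    """Cash overtime entitlement: hours worked x multiplier (1.5, 1.75, ...),
    counting only entries the supervisor has unlocked."""
    return sum(hours * rate for hours, rate, status in entries if status == "UNLOCKED")


def demo() -> Tuple[LeaveSystem, LeaveRequest, str]:
    """Constructed walk-through: 1001 requests 3 vacation days, supervisor 2001
    approves; returns the system, the request and the approval outcome."""
    system = LeaveSystem([
        Employee("1001", "PM", "2001", {"VAC": 40.0, "SICK": 10.0}),
        Employee("2001", "EX", "3001", {"VAC": 10.0}),
        Employee("3001", "EX", None, {"VAC": 20.0}),
    ])
    req = system.submit("1001", "VAC", 3.0)
    return system, req, system.approve(req, "2001")


if __name__ == "__main__":
    system, req, outcome = demo()
    print(outcome, req.status, system.emp["1001"].quotas["VAC"], system.year_end_excess())
```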
