KASBO Spring 2015 4B – ROLE BASED SECURITY - PAYROLL Brian Pelletier Tyler Technologies Intro/Goals Intro: • Theft and fraud affect an entire organization. Secure Munis to reduce the threat • Focusing on role based security alone is not a complete solution Goals: • Secure Munis through user, menu and role based security • Review Payroll Auditing functions User Access • Review all enabled user accounts in Cloud Admin User Access • Review all enabled user accounts in User Attributes Note: Keep support roles (983klamb, 983smill, 9XXXschd, 9XXXsupp) User Roles - Review • Do your users have roles like this? User Roles - Review • Review Munis generated roles (e.g. PO_MNTPOS_FULL, AP_POST_FULL etc.) • Remove Munis generated roles from User once you have reviewed and taken action • Review remaining roles and determine if they are appropriate for each enabled user • As you review roles, remove unneeded modules (use caution) • Use the Munis Help to get detailed information on fields • Never share passwords!!! Temporarily assign a role if needed • Remember to perform a database refresh (mucopy) after making changes to ensure Train & Test are also secure Munis/User Roles - Review • Review settings in Munis generated roles • Review modules in each role Menu Security • • • • Menu access is assigned to a role(s) Ensure user has appropriate menu access in each role Roles do not require menu access (e.g. GL data access) Very few users need access to System Administration > Security > User Attributes/Roles Role Security - Payroll • The payroll module (found within a role) has many options • Use Munis Help from within the program to get information on various fields Munis Help Role Security - Payroll Role Security - Payroll • Payroll Superuser/Administrator • Needed to process payrolls • Not necessary for updating employee information • If “Yes, no restrictions” this overrides category and other restrictions • Other options: • No: Can update employee info but limited in payroll processing • Restricted to location: Limits access to employees • Projections Only: Limited to payroll info in Budget Salary Benefit Projections • Status/Start/Change Access: • Full Access • Restricted – Cannot access Start, Users, Locations and Balloon buttons Role Security - Payroll • View/Maintain deductions: Only in a payroll (Earnings & Deductions) • View/Maintain direct deposit accounts: In Employee Deductions • Maintain Job/Pay GL: In Employee Job/Salary Data Access: • Options in each area are: • Full – no restrictions • None – no access • Limited – you set the specific ranges accessible to this role • Remember - Restrictions only apply if not Payroll Superuser Role Security - Payroll Role Security - Payroll • Category Access provides 5 options: • No Access • Hide SSN (Inquiry Only) • Hide SSN (Upd/Del) Inquiry Only Update/Delete – full access Monitoring Payroll • No matter the restrictions in place, someone or some group must have access to process the payrolls • Separation of duties and restrictions can reduce the opportunity of fraud but cannot eliminate it • Monitoring payroll is a task each organization should consider performing • Tyler includes many programs that not only audit payroll changes to employees but also audit the payroll process and changes Monitoring Payroll Monitoring Payroll Processing: • • • • Payroll Start and Status Earnings and Deductions Earnings and Deductions Proof Global Audit Inquiry Auditing Changes: • Payroll Audit Inquiry • Payroll Audit Options Payroll Start and Status Payroll Start and Status • Warrant is typically check date (e.g. 111714) • Check Date determines where the pays/deductions are reported/accumulated • Incomplete steps show green triangle • Completed steps show grey triangle • Complete: Shows checked when all required steps are complete. Set by Munis. • Check for Period Files Purged Payroll Earnings and Deductions • Check for altered deductions in the Earnings and Deductions program: Payroll Earnings and Deductions Earnings and Deductions program: • Click the Global button • Click the “Global access to deduction records” button • Find all deductions where “Changed” > 0 1 2 4 256 512 1024 Sufficiency Calc Code Tax Tables, Tax Marital, Exemptions Deduction Gross Employee Amount Employer Amount • Codes can be combined (e.g. 1536 = 512 + 1024) Earnings and Deductions Proof Occasionally run a Totals Only proof after the payroll is complete and compare to prior Final proof amounts: Global Audit Inquiry • Provides an audit trail of payroll processing tasks • User can see who ran payroll step and precisely when • Can also see if it was run multiple times Payroll Audit Inquiry •Audits changes to: • Employee data (master, deductions, pay, accruals, accumulator etc.) • Setup tables (Pay master, Deduction and Benefit Master, Accrual Tables etc.) • Control tables (Payroll Control Settings) • Information kept in great detail along with all fields established during an Add or Delete • The Audit Finder provides an elaborate tool to navigate the vast audit information Payroll Audit Inquiry Payroll Audit Inquiry Payroll Audit Options • Program allows user to determine what is audited in Payroll/HR • Some auditing is optional and others are not Payroll Audit Options • Predefined Sets Within Tables • • • • • • • Live – Current Term – Terminated Proj – Projection System Gen – System Generated Changes Other – Uncategorized Data Actions – Pending Actions Applicant – Applicant Tracking Payroll Audit Options • May want to turn off System Gen options to reduce audit overhead