SAP Audit Guide for Human Resources

This audit guide is designed to assist the review of human resource processes that rely upon controls enabled in SAP systems. The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in Personnel Management and other sub-modules in the Human Capital Management (HCM) application of SAP ERP. The guide provides instructions for assessing application-level controls in the following areas:

HR Master Data
Time Management
Travel Management
Payroll Processing
Employee Self Service

The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Financial Accounting, Revenue, Expenditure, Inventory, and Basis.

HR Master Data

Organizational and employee-level master data is maintained through the Personnel Management module in versions 4.6 and above. HR-related data fields are grouped and controlled in this module through records known as infotypes. There are multiple infotypes, each identified through a unique four-digit code. An example is Personal Data (0002), which contains fields for an employee's first name, last name and date of birth, among others. Codes between 0000 – 0999 are assigned to HR/payroll data, 1000 – 1999 are used for organizational data, and 2000 – 2999 are used for time-related data. Infotypes can have numerous subtypes and, since HR data is time-dependent, an employee can have multiple records for the same infotype. The complete list of infotypes configured in SAP can be viewed through the menu path IMG – Personnel Management – Personnel Administration – Customizing Procedures – Infotypes. Access to master data should be configured at the infotype level and correspond to role requirements.
Within each SAP client, company codes are usually configured with several personnel areas and sub-areas and employee groups and sub-groups. These areas and groups control wage types, pay scales, default values for basic pay and other critical areas of employee master data. The enterprise structure, including specific settings in personnel areas and employee groups within each company code, should be closely reviewed using transaction EC01. Furthermore, a sample of master records should be reviewed to ensure that employees are assigned to the correct areas and groups. Master records should also be reviewed to ensure employees are assigned to the appropriate health, insurance, savings and other benefit plans. Configured plans and associated rules should be reviewed through IMG – Personnel Management – Benefits.

To safeguard against the risk of duplicate employees in the system, SAP should be configured to compare information such as last name, first name and date of birth against existing records during the entry of new employees. This is performed through IMG – Personnel Management – Personnel Administration – Customizing – Dynamic Actions – Activate Concurrent Employment for Personnel Administration. Once configured, SAP will automatically display possible matches against both active and inactive records.

SAP should also be configured to provide a sufficient audit trail for changes to key infotypes. This is performed through tables HR Documents: Infotypes with Documents (V_T585A), HR Documents: Field Group Definition (V_T585B), and HR Documents: Field Group Characteristics (V_T585C). Changes are displayed in report RPUAUD00 (Logged Changes in Infotype Data).

Access to key master data transactions such as PA10 (Personnel File), PA20 (Display HR Master Data), PA30 (Maintain HR Master Data) and PA40 (Personnel Actions), and to authorization object P_ORGIN, should be restricted and based on role requirements.
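The master data access restrictions above, together with the P_PERNR exclusions for a user's own personnel number that the guide describes next (and returns to in the Employee Self Service section), can be checked from a role export rather than by reading roles one at a time. The Python script below is an added example written for this page, not code from the guide or an SAP-delivered tool. It reads rows in the shape of an AGR_1251 role authorization export (assumed columns: role, authorization, field, low, high), treats all rows as one user's combined authorizations, and reports three conditions the guide warns about: a protected infotype with no PSIGN = E exclusion, an exclusion that does not list all of W, S, D and E in AUTHC, and a PSIGN = I authorization covering the same infotype with a write level or * which, as the guide states, takes effect regardless of the exclusion. The role names, authorization ids and the choice of infotypes 0008 (Basic Pay), 0009 (Bank Details), 0014 (Recurring Payments/Deductions) and 0021 (Family Member/Dependents) are constructed for illustration.

```python
"""Audit P_PERNR authorizations for the self-maintenance exclusions described in the guide.

Added example: reads rows shaped like an AGR_1251 role export (assumed columns:
role, authorization, field, low, high) and reports gaps and conflicts.
"""
from collections import defaultdict

WRITE_LEVELS = {"W", "S", "D", "E"}        # write operations the guide says to exclude
ALL_LEVELS = WRITE_LEVELS | {"R", "M"}     # what an AUTHC value of * expands to

# Constructed sample rows; role names, authorization ids and values are illustrative.
SAMPLE_ROWS = [
    # Z_HR_ADMIN, authorization T-0001: full write exclusion on 0008-0009 (correct)
    ("Z_HR_ADMIN", "T-0001", "AUTHC", "W", ""),
    ("Z_HR_ADMIN", "T-0001", "AUTHC", "S", ""),
    ("Z_HR_ADMIN", "T-0001", "AUTHC", "D", ""),
    ("Z_HR_ADMIN", "T-0001", "AUTHC", "E", ""),
    ("Z_HR_ADMIN", "T-0001", "PSIGN", "E", ""),
    ("Z_HR_ADMIN", "T-0001", "INFTY", "0008", "0009"),
    ("Z_HR_ADMIN", "T-0001", "SUBTY", "*", ""),
    # Z_HR_ADMIN, authorization T-0002: exclusion on 0014 that only lists W (incomplete)
    ("Z_HR_ADMIN", "T-0002", "AUTHC", "W", ""),
    ("Z_HR_ADMIN", "T-0002", "PSIGN", "E", ""),
    ("Z_HR_ADMIN", "T-0002", "INFTY", "0014", ""),
    ("Z_HR_ADMIN", "T-0002", "SUBTY", "*", ""),
    # Z_HR_DISPLAY, authorization T-0003: AUTHC * with PSIGN I on every infotype (overrides)
    ("Z_HR_DISPLAY", "T-0003", "AUTHC", "*", ""),
    ("Z_HR_DISPLAY", "T-0003", "PSIGN", "I", ""),
    ("Z_HR_DISPLAY", "T-0003", "INFTY", "*", ""),
    ("Z_HR_DISPLAY", "T-0003", "SUBTY", "*", ""),
]


def group_authorizations(rows):
    """Collect field values per (role, authorization) so each authorization is one unit."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, auth, field, low, high in rows:
        auths[(role, auth)][field].append((low, high))
    return auths


def covers(values, wanted):
    """True if a list of (low, high) field values includes `wanted`.

    Infotype codes are zero-padded four-digit strings, so plain string
    comparison is enough for the LOW..HIGH intervals used here.
    """
    for low, high in values:
        if low == "*":
            return True
        if high and low <= wanted <= high:
            return True
        if not high and low == wanted:
            return True
    return False


def levels(values):
    """Expand AUTHC values to the set of authorization levels they grant."""
    out = set()
    for low, _ in values:
        out |= ALL_LEVELS if low == "*" else {low}
    return out


def audit_p_pernr(rows, protected_infotypes):
    """Return (infotype, finding, detail) tuples for a user's combined P_PERNR values."""
    auths = group_authorizations(rows)
    exclusions = [(k, a) for k, a in auths.items() if covers(a.get("PSIGN", []), "E")]
    inclusions = [(k, a) for k, a in auths.items() if covers(a.get("PSIGN", []), "I")]
    findings = []
    for infty in protected_infotypes:
        protecting = [(k, a) for k, a in exclusions if covers(a.get("INFTY", []), infty)]
        if not protecting:
            findings.append((infty, "NO_EXCLUSION", None))
            continue
        for (role, auth), a in protecting:
            missing = WRITE_LEVELS - levels(a.get("AUTHC", []))
            if missing:
                findings.append((infty, "INCOMPLETE_EXCLUSION",
                                 f"{role}/{auth} lacks {''.join(sorted(missing))}"))
        # Per the guide: an I authorization covering the same infotype with a
        # write level (or *) takes effect regardless of the exclusion.
        for (role, auth), a in inclusions:
            if covers(a.get("INFTY", []), infty) and levels(a.get("AUTHC", [])) & WRITE_LEVELS:
                findings.append((infty, "OVERRIDDEN_BY_INCLUSION", f"{role}/{auth}"))
    return findings


if __name__ == "__main__":
    for finding in audit_p_pernr(SAMPLE_ROWS, ["0008", "0009", "0014", "0021"]):
        print(finding)
```

Run against a real export, the rows for every role assigned to one user should be fed in together, since the override the guide describes arises from the combination of roles rather than from any single role.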
Access should be qualified with the P_PERNR authorization object, which prevents users from changing specific infotypes in their own personnel records. Write operations W, S, D and E should be specified in the AUTHC (Authorization code) field of the P_PERNR object and the PSIGN field should be set to E (Exclude). The infotypes that are subject to the exclusion should be listed in the INFTY field. Users should not be granted inconsistent authorizations, since these could override any exclusions. For example, an authorization with AUTHC = * and PSIGN = I (Include) will grant read access to all personnel records for infotypes specified in INFTY, regardless of exclusions for the same infotypes configured through other authorizations.

Consideration should be given to implementing dual control over master data changes. This can be achieved by preventing changes in master records entered by one set of users from taking effect until they are released by another set of users with the appropriate authorizations. The latter group should have the authorizations to release changes but should not be able to enter master data.

Time Management

Time-related data including working hours, absences, overtime and allowances can be pulled from external time recording systems or entered directly into SAP through channels such as the Cross-Application Time Sheet (CATS) function. CATS integrates directly with other components of SAP including Logistics and Project Systems through Business Application Programming Interfaces (BAPIs). Accounting integration for time-data infotypes is enabled by default but can be disabled through customization. Therefore, the Infotype with Acct/Logistics Data area of IMG for HCM should be closely reviewed to ensure that integration is not deselected for any infotype. If Workforce Management (WFM) is used to manage employee time data, the mapping of SAP infotypes to WFM specification types should be reviewed in the WFM Core.
Time entry rules including validation checks, tolerances and controls for required, suppressed and optional fields are configured and applied through CATS profiles. The settings for each CATS profile assigned to every user interface should be reviewed in the Time Sheet area of the Cross-Application Components area of IMG. Release procedures are also defined with each profile. Approvals can be triggered manually, but SAP Business Workflow should be used wherever possible to support time sheet review and approval. The attributes of workflows should be reviewed through the Workflow Builder.

Other areas of IMG that should be carefully reviewed include rules for Work Schedules, Time Data Recording and Administration, and Schemas in Personnel Time Management. The last is particularly important since it impacts Time Evaluation. This is an SAP function that detects potential errors in time-related data entered during a pay period prior to processing. Time Evaluation should be configured as a daily scheduled job. Errors and warnings generated by the Time Evaluation report RPTIME00 should be reviewed and resolved by administrators before time data is transferred to payroll. This report displays exceptions to rules configured in the schemas. Examples could include employees or contractors that have reported more than 8 hours in a day or 40 hours in a week, or registered more than 20 days of vacation leave. The Time Management Status in the Planned Working Time infotype (0007) in every record for hourly employees should not be set to zero, since this will exclude employees from Time Evaluation.

Access to the time management transactions listed in Table A should be restricted, including the ability to approve timesheets, which should be assigned exclusively to functional managers. The dummy infotype 0316 is the authorization required for time sheet entry. Infotype 0328 is required for time approval.
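The exceptions described above are what an auditor should expect to see on the RPTIME00 output; the Python script below is an added example, not code from the guide and not SAP's own Time Evaluation schema logic, that applies the guide's three sample thresholds (more than 8 hours in a day, more than 40 hours in a week, more than 20 days of vacation leave) to constructed CATS-style time entries, and additionally flags hourly employees whose Planned Working Time (0007) Time Management Status is zero, since those employees never reach Time Evaluation at all. The personnel numbers, dates and the record kinds ATT (attendance) and VAC (vacation) are constructed placeholders, not SAP attendance or absence type codes.

```python
"""Flag time-data exceptions of the kind the guide expects RPTIME00 to surface.

Added example: a simplified stand-in for checks a Time Evaluation schema
performs, run over constructed CATS-style entries. Not SAP code.
"""
from collections import defaultdict
from datetime import date

MAX_HOURS_PER_DAY = 8       # thresholds quoted as examples in the guide
MAX_HOURS_PER_WEEK = 40
MAX_VACATION_DAYS = 20

# Constructed employees: whether they are hourly and their 0007 Time Management Status.
EMPLOYEES = {
    "00001001": {"hourly": True, "tm_status": "1"},
    "00001002": {"hourly": True, "tm_status": "0"},    # zero excludes them from Time Evaluation
    "00001003": {"hourly": False, "tm_status": "0"},   # salaried; the guide's rule concerns hourly staff
}

# Constructed time entries: (personnel number, date, hours, record kind).
# ATT = attendance hours, VAC = a day of vacation leave (placeholder codes).
ENTRIES = [
    ("00001001", date(2024, 1, 1), 9.0, "ATT"),   # 9 hours in one day
    ("00001001", date(2024, 1, 2), 8.0, "ATT"),
    ("00001001", date(2024, 1, 3), 8.0, "ATT"),
    ("00001001", date(2024, 1, 4), 8.0, "ATT"),
    ("00001001", date(2024, 1, 5), 8.0, "ATT"),   # 41 hours in ISO week 1
    ("00001002", date(2024, 1, 1), 8.0, "ATT"),
    ("00001002", date(2024, 1, 2), 4.0, "ATT"),
    ("00001002", date(2024, 1, 2), 4.0, "ATT"),   # split entry, still 8 hours that day
] + [("00001003", date(2024, 1, d), 8.0, "VAC") for d in range(2, 23)]   # 21 vacation days


def evaluate(employees, entries):
    """Return sorted (pernr, rule, detail) exceptions for the entries and master data given."""
    daily = defaultdict(float)
    weekly = defaultdict(float)
    vacation_days = defaultdict(set)
    for pernr, day, hours, kind in entries:
        if kind == "ATT":
            daily[(pernr, day)] += hours
            iso_year, iso_week, _ = day.isocalendar()
            weekly[(pernr, iso_year, iso_week)] += hours
        elif kind == "VAC":
            vacation_days[pernr].add(day)    # count distinct days, not entries

    findings = []
    for (pernr, day), hours in daily.items():
        if hours > MAX_HOURS_PER_DAY:
            findings.append((pernr, "DAILY_HOURS", f"{day.isoformat()}: {hours:g}h"))
    for (pernr, iso_year, iso_week), hours in weekly.items():
        if hours > MAX_HOURS_PER_WEEK:
            findings.append((pernr, "WEEKLY_HOURS", f"{iso_year}-W{iso_week:02d}: {hours:g}h"))
    for pernr, days in vacation_days.items():
        if len(days) > MAX_VACATION_DAYS:
            findings.append((pernr, "VACATION_DAYS", f"{len(days)} days"))
    # Master data check from the guide: hourly employees with status 0 never reach Time Evaluation.
    for pernr, emp in employees.items():
        if emp["hourly"] and emp["tm_status"] == "0":
            findings.append((pernr, "TM_STATUS_ZERO", "hourly employee excluded from Time Evaluation"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in evaluate(EMPLOYEES, ENTRIES):
        print(finding)
```

Hours are aggregated per day and per ISO week before the thresholds are applied, so split entries on one day are caught, and vacation is counted in distinct days rather than entries, which is the edge case a naive per-row check would miss.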
TRANSACTION   DESCRIPTION
CAT2, CAT3    Time Sheet: Initial Screen
CAPS          Time Sheet: Approve Times (Select by Master Data)
CAT4          Time Sheet: Approve Times (Selection by Org. Assignment)
CAPP          Time Sheet: Approve Times
PP61          Change Shift Plan: Entry Screen
PA61          Maintain Time Data
PA62          List entry for additional data
PA63          Maint. time data
PA64          Calendar entry
PA70          Fast Entry (Time Data)

Table A: Time Management Transactions

Travel Management

SAP Travel Management uses workflow to track and approve trip requests, book approved requests through integration with external reservation systems, and record, reimburse and post travel expenses. It performs an important control function by enforcing compliance with travel policies. The relevant rules, profiles and parameters for travel components should be reviewed in IMG – Financial Accounting – Travel Management to ensure alignment with travel policies and procedures.

Standard Travel Management roles should be assigned to users. Most employees should be assigned the SAP_FI_TV_TRAVELER role, which enables users to request trips, check travel services and enter travel expenses. For organisations that opt for a centralized rather than decentralized model, these tasks will be performed by a smaller group of users with the SAP_FI_TV_TRAVEL_ASSISTANT role. The MANAGER_GENERIC and ADVANCE_PAYER roles should be assigned to users responsible for approving trip requests, expense statements and/or advances. The ADMINISTRATOR role should be closely safeguarded since it provides users with the ability to approve expense statements for all travelers in the enterprise. The same rule applies to the TRAVEL_MANAGER role, which allows users to change configuration parameters for areas such as travel policies and maintain HR master data.
Travel expenses should be transferred to FI after approval for posting to the relevant GL accounts. This is performed through transactions PRFI (Create Posting Run) and PRRW (Manage Posting Runs). Payments can be processed through payroll, check or direct deposit. Transactions PRDX, PRD1 and FDTA are used for direct deposit, PRPY for payroll and PRCU for check printing. Other significant transactions are listed in Table B.

TRANSACTION   DESCRIPTION
PRMM          Personnel Actions
PRMD          Maintain HR Master Data
PRMS          Display HR Master Data
PRAA          Automatic Vendor Maintenance
PRAP          Approval of Trips
PR02          Travel Calendar
PR03          Trip Advances
PR04          Edit Weekly Report
PR05          Travel Expense Manager
PRCC          Import Credit Card Files
PRCCD         Display Credit Card Receipts
TPMM          Personnel Actions (Travel Planning)
TPMD          Maintain HR Master Data (Travel Planning)
TPMS          Display HR Master Data (Travel Planning)
TP01          Planning Manager

Table B: Travel Management Transactions

Payroll Processing

Master data should be locked during a payroll run to prevent any changes. This is performed through Payroll Control Records, accessed through transaction PA03 (Maintain Personnel Control Record). Each pay area has an individual control record. The payroll period selected as the basis for the control records should be set to the period immediately before the live period. Also, the maximum number of past periods that are open for payroll adjustments should be appropriately set in the Earliest Retro Acctg Period field. Note that SAP uses the earliest personal retroactive accounting date set in the Payroll Status infotype (0003) in each employee master record if this does not match the date set in the control record. Payroll control records can be used to determine which employees were included and rejected in the last payroll run. The latter group can be identified by selecting Incorrect Pers. Nos. and Locked Pers. Nos.
The ability to enter or update certain infotypes during a payroll run through transactions such as PAKG/PAUX (Adjustments Workbench) should be restricted. The employee remuneration information infotype should be configured to prevent adjustments to wage types such as salaries, since any adjustment will override the value in the master record. This should be performed through the IMG area Maintain Wage Types. Minimum and maximum values can be configured for each wage type; configuring maximum values in particular is highly recommended. Rounding divisors for wage types should be reviewed to ensure they are configured appropriately (divisors can be set anywhere between 1 and 100). The posting characteristics, including time-dependencies for wage types and month-end accruals, should also be reviewed under account assignments. Wage types are mapped to symbolic accounts which in turn are mapped to GL accounts.

Gross and net pay calculations are performed by the system based on processing rules known as personnel calculation rules. These rules are grouped in schemas and can be adjusted through transactions PE01 (Maintain Payroll Schemas), PE01N (Editor for Payroll Schemas), PE02 (Maintain Calculation Rules), PE02N (Editor for PC rules) and PE04 (Create Functions and Operations). Access to these sensitive functions should be safeguarded.

There are a number of standard SAP reports that should be reviewed by management during each payroll run to confirm the validity of any adjustments and identify discrepancies. These include reports RPCEDT00 (Payroll Exceptions), RPUAUD00 (Logged Changes in Infotype Data) and RPURECG0 (Payroll Results).

Advances, bonuses, corrections and other forms of payments or deductions outside scheduled payroll runs are processed through the Off-Cycle Workbench (transaction PUOC) for individual employees or through batch input using the One-Time Payments Off-Cycle infotype (0267) for multiple employees. Reason codes should be configured and consistently applied for all payments.
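The wage type controls and the off-cycle reason code requirement above lend themselves to a simple substantive test over extracted data. The Python script below is an added example, not code from the guide or from SAP: it models wage type configuration in a simplified, assumed shape (a minimum, an optional maximum and a rounding divisor per wage type, following the guide's description) and a set of off-cycle payments in the spirit of infotype 0267 entries, then reports wage types without a maximum or with a divisor outside 1 to 100, and payments that use an unknown wage type, lack a reason code, or fall outside the configured limits. Wage type codes, texts, reason codes and personnel numbers are constructed for illustration.

```python
"""Check wage type configuration and off-cycle payments against the controls in the guide.

Added example, not SAP code: configuration and payment data are constructed in a
simplified shape (the guide speaks of min/max values and a rounding divisor
between 1 and 100 per wage type, and of reason codes on every payment).
"""

# Constructed wage type configuration; codes and texts are illustrative.
WAGE_TYPES = {
    "1000": {"text": "Basic pay", "min": 0.0, "max": 15000.0, "divisor": 1},
    "2010": {"text": "Bonus", "min": 0.0, "max": 5000.0, "divisor": 100},
    "2020": {"text": "Advance", "min": 0.0, "max": None, "divisor": 1},       # no maximum configured
    "3000": {"text": "Deduction", "min": 0.0, "max": 2000.0, "divisor": 250}, # divisor outside 1..100
}

# Constructed off-cycle payments in the spirit of infotype 0267 entries:
# (personnel number, wage type, amount, reason code).
PAYMENTS = [
    ("00001001", "2010", 4500.00, "BON1"),
    ("00001002", "2010", 7500.00, "BON1"),   # exceeds the configured maximum
    ("00001003", "2020", 1200.00, ""),       # reason code missing
    ("00001004", "2010", -50.00, "CORR"),    # below the configured minimum
    ("00001005", "9999", 300.00, "CORR"),    # wage type not configured at all
]


def check_configuration(wage_types):
    """Configuration findings: wage types without a maximum or with an invalid rounding divisor."""
    findings = []
    for code, cfg in sorted(wage_types.items()):
        if cfg["max"] is None:
            findings.append((code, "NO_MAXIMUM"))
        if not 1 <= cfg["divisor"] <= 100:
            findings.append((code, "DIVISOR_OUT_OF_RANGE"))
    return findings


def check_payments(payments, wage_types):
    """Payment findings: unknown wage types, missing reason codes, amounts outside min/max."""
    findings = []
    for pernr, wage_type, amount, reason in payments:
        cfg = wage_types.get(wage_type)
        if cfg is None:
            findings.append((pernr, wage_type, "UNKNOWN_WAGE_TYPE"))
            continue
        if not reason.strip():
            findings.append((pernr, wage_type, "MISSING_REASON_CODE"))
        if amount < cfg["min"]:
            findings.append((pernr, wage_type, "BELOW_MINIMUM"))
        if cfg["max"] is not None and amount > cfg["max"]:
            findings.append((pernr, wage_type, "ABOVE_MAXIMUM"))
    return findings


if __name__ == "__main__":
    for finding in check_configuration(WAGE_TYPES):
        print("CONFIG ", finding)
    for finding in check_payments(PAYMENTS, WAGE_TYPES):
        print("PAYMENT", finding)
```

A wage type with no maximum produces a configuration finding even when every payment against it looks reasonable, which is the point the guide makes: the limit is a preventive control, and its absence is a finding in itself.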
Furthermore, procedures should be in place to ensure that off-cycle functions are used to process and record payroll data for manual checks created outside the system.

SAP Payroll integrates into the FI AP payment program for check printing and Automated Clearing House (ACH) transfers. The latter is performed through Payroll – Bank Transfer – Pre DME Program. DME is an acronym for Data Medium Exchange. This process creates a preliminary DME file that should be validated by management before the final file is generated in CEMTEX format and transferred to a designated processing bank. The Bank Deposit Summary report should be sent to the bank along with the file to enable reconciliation. Payment methods and banking information are configured in IMG – Personnel Administration – Personal Data – Bank Details – Define Payment Methods and Payroll – Data Medium Exchange – Preliminary Programs for DME – Set Up House Banks.

The above process will update the check register in FI AP but will not update accounts in the General Ledger. This has to be manually performed through transaction PCP0 (Edit Posting Runs) or through the menu path Payroll – Subsequent Activities – Per Payroll Period – Evaluation – Posting to Accounting – Execute Posting Run/Process Posting Run/Check Completeness. Payables to tax authorities, benefit providers and other third parties should be transferred to AP for settlement through Payroll – Subsequent Activities – Per Payroll Period – Evaluation – Third Party Remittance.

Employee Self Service

Employee Self-Service (ESS) is a Web Dynpro (Java) application that operates on the Enterprise Portal (EP). It enables employees to maintain their personal information, enter leave requests, update timesheets, display pay slips, and perform other similar functions. Employees must be assigned a user record in the J2EE with an appropriate role to be able to use ESS.
This is performed through the HRUSER transaction or the menu path IMG – Personnel Management – Employee Self-Service (ITS Version) – General Settings for ESS – Create SAP Users for ESS. Users should be assigned a single role from a copy of the composite SAP_EMPLOYEE_ERP role provided by SAP and should only have the ability to update their own data for certain types of infotypes. Bank account information, for example, should only be updated centrally by authorized HR users. This should be configured through the P_PERNR authorization object rather than P_ORGIN. The former takes precedence over the latter. ESS users without P_PERNR may be able to view and update records belonging to other employees.

Layer Seven Security

About Us

Layer Seven Security specializes in SAP security. The company serves customers across the globe to protect SAP systems against internal and external threats and comply with industry and statutory reporting requirements. It fuses technical expertise with business acumen to deliver unparalleled implementation, consulting and audit services targeted at managing risks in contemporary SAP systems. Layer Seven Security employs a distinctive approach to SAP risk management that examines and manages vulnerabilities at the platform, application, program and client level. Through partnerships with leading software developers, the company is able to develop SAP systems with defense in depth and perform integrated security assessments that improve the quality and lower the cost of SAP audits. Layer Seven Security leverages leading SAP-certified solutions to provide comprehensive and rapid results covering risks in every component of SAP landscapes.

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road East, Oakville, Ontario L6H 0C3, Canada
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993

© Copyright Layer Seven Security 2012 - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.