ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)

Post on 03-Apr-2018


  • 7/28/2019 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)

    1/28

    6/19/13 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)

    www.acdi-cida.gc.ca/acdi-cida/acdi-cida.nsf/eng/NAT-1013101052-JMU


    ARCHIVED - SAP HR System

    This Web page has been archived on the Web.


    Internal Audit Report

    July 7, 2005

    Summary

    1. Context

    2. Objective, Scope and Methodology

    2.1 Objectives

    2.2 Scope

    2.3 Methodology

    3. Observations and Recommendations

    3.1 Observations Arising from the review of SAP HR Processes

    3.2 Observations Arising from the Benchmarking of the SAP Support Group Structure

    3.3 Observations Arising from the Assessment of SAP HR Functionality

    Conclusion

    Appendix A Summary of Audit Recommendations

    Appendix B Control Objectives/Audit Criteria for the SAP HR Process Review

    Appendix C SAP HR Control Framework

    Summary

    At the request of the Director General of the Human Resources Division (HRD), the Performance Review Branch performed a preliminary survey in order to identify issues relating to Human Resource Management.

    As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit and assessment of the SAP HR module in operation at CIDA.

    The overall objective of the audit is to assess the functionality of the SAP HR system, by:

    - Documenting the system controls and assessing the adequacy and use of the system;
    - Assessing the accuracy and integrity of the information emanating from the application;
    - Assessing the effectiveness and efficiency of the system and identifying areas for improvement;
    - Reviewing and evaluating the appropriateness of access authorities to ensure the privacy/protection of personal data;
    - Benchmarking the level of resources required to maintain and to enhance the system against similar organizations; and,
    - Assessing the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

    As a result, we can conclude that the functionality required to support the business needs of HRD and the Agency overall has been implemented. However, some areas for improvement in the effectiveness, efficiency and data integrity within the business processes and reporting have been identified. Opportunities for improvement of the control framework are also required, with a specific focus on increased monitoring of changes to master data elements and on the performance of periodic data quality reviews. An adequate framework for the design of user access privileges has been developed; however, issues currently exist with its technical implementation through the SAP application security functionality.

    Based on the results accumulated through a benchmarking survey, the size of the SAP HR support group is larger than those of the organizations polled.

    The main observations and recommendations arising from the audit are:

    - HRD should modify the business processes surrounding acting situations to incorporate the entry of all EX acting situations into the SAP HR application and ensure that all terminated acting assignments are reflected in the system on a timely basis;
    - HRD, in collaboration with IMTB and the Branches, should develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA;
    - The Compensation and Benefits Directorate should perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application once a year;
    - IMTB, in conjunction with HRD and the SAP Support Group, should correct the configuration of the security role for the Branch Administrators to eliminate their ability to submit and approve their own overtime and leave requests;
    - HRD and the SAP Support Group should develop monitoring procedures for the review of leave balances by Responsible Managers on a regular basis;
    - IMTB, in cooperation with the SAP HR Support Group, should review the configuration of access privileges assigned to the Branch Administrative Officers to prevent them from creating and activating new positions, thereby allowing the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles and responsibilities;
    - IMTB should remove the access of non-HR SAP Support Group members and IMTB users that are not involved in supporting HR;
    - IMTB should perform Privacy Impact Assessments in accordance with Treasury Board requirements;
    - IMTB should remove the ability to view personal information through direct query of HR tables and the ability to execute reports through SA38, and the configuration of security over reporting of HR information should be adjusted to protect personal information;
    - IMTB should limit the use of generic accounts;
    - IMTB, in conjunction with HRD and the SAP Support Group, should develop a set of security monitoring procedures in order to identify potential access irregularities for correction;
    - CRC should decide on the staffing levels for the SAP HR Support Group;
    - HR business process focused training (as opposed to SAP data entry training) should be developed by HRD to enhance the business process and policy requirements knowledge of users; and,
    - The SAP HR Support Group should examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs.


    1. Context

    At the request of the Director General of the Human Resources Division (HRD), the Performance Review Branch performed a preliminary survey in order to identify issues relating to Human Resource Management.

    As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit and assessment of the SAP HR module in operation at CIDA.

    Overview of SAP Human Resources Modules

    The Human Resources module of SAP in operation at CIDA is divided into three major applications - Personnel Administration (PA), Organization Management (PD) and Time Management. The PA sub-application includes employee information and employee classifications. The PD sub-application covers organization management, which includes the organizational structure, the position classifications and other organizational structure information. The Time Management functionality is used to capture requests for leave and overtime compensation and to provide an electronic approval of the requests from employees' supervisors.

    The new Salary Forecasting System (SFS) within SAP was implemented as of April 1st, 2004. This functionality will use the salary information captured for Agency employees within the SAP application and essentially provide a budget figure for salaries remaining to be paid within a given fiscal/budget year. As of March 2004, CIDA's salary forecasting system was not within the SAP system.

    Infotypes

    Functionality within the SAP application and the information stored within an employee's on-line personnel file is centred on the concept of an "infotype". By definition, an infotype is a screen within the SAP application that captures specific pieces/elements of information. For example, infotype 0002 contains personal information (name, date of birth, SIN) for all employees, and infotype 0008 contains basic/annual salary information. As this concept is central to the operation of the system, the information within sensitive/personal infotypes must also be adequately protected from unauthorized change or viewing.

    2. Objective, Scope and Methodology

    2.1 Objectives

    The overall objective of the audit is to assess the functionality of the SAP HR system, including the following:

    Review of SAP HR Processes (Section 3.1)

    - To document the system controls and to assess the adequacy and use of the system;
    - To assess the accuracy and integrity of the information emanating from the application;
    - To assess the effectiveness and efficiency of the system and to identify areas for improvement;
    - To review and evaluate the appropriateness of access authorities to ensure the privacy/protection of personal data;

    Benchmarking of the SAP Support Group Structure (Section 3.2)

    - To benchmark the level of resources required to maintain and to enhance the system against public sector organizations with SAP HR (two in the Federal Government and two others); and,

    Assessment of SAP HR Functionality (Section 3.3)

    - To assess the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

    2.2 Scope

    The audit was focused on the assessment of functionality within the SAP HR application. This included a detailed review and examination of the configuration of the system as well as the configuration and assignment of specific access rights to users. Processes and procedures supporting the integrity of the data within the application were also evaluated, such as the use of monitoring reports for the verification of data subsequent to entry into the system.

    The evaluation of the new SFS functionality was also excluded, as it was not implemented as of March 31, 2004. Also excluded from the scope of the review were the processes, procedures and overall control framework in place within PWGSC's On-Line Pay (OLP) application.

    The focus of the audit was strictly the review and assessment of the control framework and the functionality of CIDA's SAP HR application.

    2.3 Methodology

    This audit was performed according to the Treasury Board policy on internal audit and the audit standards of the Institute of Internal Auditors. The audit was conducted from February 10, 2004 to March 31, 2004. Our audit approach was:

    - To gather information on concerns over SAP HR within CIDA by reviewing 2 other HR internal audits that were recently completed along with the preliminary survey of the HR function;
    - To develop internal control objectives relating to the SAP HR functionality implemented at CIDA against which to perform the detailed control-based analysis;
    - To gather information on the current SAP HR functionality, supporting business processes and the control framework supporting the accuracy and completeness of the data through a selection of interviews and a system set-up review;
    - To review and analyze supporting process documentation relating to SAP HR processes, as provided by interviewees;
    - To perform an assessment of the efficiency and effectiveness of the SAP system and processes;
    - To perform a review of the key system based controls in SAP HR, including user access rights to perform HR related functions, the protection of personal information and configuration data validation rules;
    - To accumulate data on support group size and composition through the completion of surveys by local organizations (public sector and other) utilizing SAP HR for benchmarking purposes; and
    - To perform a benchmarking of the size and composition of the SAP HR support group against similar organizations.

    The control objectives and audit criteria are documented within Appendix B.

    Process descriptions and the control framework are included in Appendix C. The control framework presentation was used to analyze and to identify internal control strengths and weaknesses associated with the SAP HR audit work. It was also used to analyze whether the particular objectives and assertions have been satisfied by the existing control processes/procedures identified.


    3. Observations and Recommendations

    3.1 Observations Arising from the review of SAP HR Processes

    The following observations stem from the interviews of the SAP HR support group and users of the system, and from a review of documentation outlining the set-up or configuration of the system and access profiles, as well as the design of supporting business processes. The appropriateness of the assignment of access rights to users was also reviewed, as well as the configuration of the SAP access profiles.

    HR Master Data

    Overall, the integrity of HR related information is supported through the implementation of system-based checks and validations, which are currently in operation within the HR module. For example, with regards to the hiring of an employee, the application has been set up with pre-established routines to take users to the necessary screens for population of data, required fields have been configured within the screens, and access rights to perform the maintenance actions have been restricted to authorized individuals.

    It was noted, however, that selected personnel movement situations (such as EX acting assignments that do not affect pay) are currently not being entered into the system. This has an adverse impact on the routing for the approval of an employee's overtime and leave requests established in the system, as the organizational structure is not updated with the most current information. For example, if an EX-01 level individual acts as an EX-02, no change is made in SAP HR until a 3-month period has elapsed, as no payroll changes are required. It was further noted that the expiration of acting assignments is not being reflected on a timely basis. These actions require user intervention within the application, and the lack of system updates to reflect the actual movements decreases the overall integrity and accuracy of the data in the HR application.

    The impact of this situation is that leave balances may not be updated on a timely basis and/or overtime due to an employee may not be paid on a timely basis. Alternatively, this situation could result in requests for leave and overtime being approved by an unauthorized person for the purpose of clearing old items in the system.

    While the system-based controls are appropriate, it was noted during the audit that opportunities for improvement of the data integrity verification procedures exist. Specifically, a number of current manual and/or monitoring (i.e. non system-based) validation processes, which are normally put in place to detect anomalies in data captured, are candidates for improvement. There are currently no formal processes in place for the periodic review and approval of SAP HR information by responsible managers within the Branches, or by individuals within HRD. This includes both the review of organizational structure and personnel assignments in SAP (at the Branch level) and/or the comparison and reconciliation of pay information against PWGSC's On-Line Pay system by Compensation and Benefits. The On-Line Pay application contains more pristine information on pay and benefits, as Agency employees are currently paid via this system. Comparisons to this source of information strengthen the integrity of the classification and payroll related employee data captured in the SAP application.

    References (for additional details see Appendix C, SAP HR Control Framework):

    Control Weakness #1 - Acting Assignments;

    Control Weakness #2 - Monitoring Reports for HR Master Data;

    Control Weakness #3 - PWGSC On-line Pay Reconciliation with SAP.

    Recommendations


    1. It is recommended that HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.

    2. It is recommended that HRD, in collaboration with IMTB and the Branches, develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility and will also identify acting situations that have not been recorded and/or expired acting situations that have not been recorded. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by HRD.

    3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application once a year.

    Management Responses

    1. Agree that rationalization of leave and overtime approval authorities is required to reflect EX acting situations that do not result in changes to rates of pay, but disagree with the proposed corrective action plan.

    The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situations in the SAP system now, without a system configuration.

    The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices.

    2. Agree. HRD, in collaboration with IMTB and the branches, will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situation within the manager's own branch. Also, HRD will assess the integrity of the organizational structures at the Agency level.

    Roles and responsibilities will be defined and the process installed through the SAP-HR Improvement Project (SHIP) initiative.

    Business process and definition of roles and responsibilities through the SAP-HR Improvement Project (SHIP) initiative.

    3. Agree. Files are being created to compare data between the "On-Line Pay" System and SAP-HR employee's position classification and pay scale.

    This comes under the SAP-HR Improvement Project (SHIP) initiative - Enhancement of Quality Control.

    Leave and Overtime Recording

    CIDA has developed an Agency specific solution for the creation/entry of leave requests and overtime entitlements. In this business model, employees are responsible for entering their own requests for leave and requests for approval of overtime worked, as well as selecting the method by which they would like to be compensated for their overtime entitlement (i.e. banked time or cash payout). Upon entry of the request, SAP automatically verifies whether the request is in accordance with the employee's appropriate collective agreement provisions. The employee's Supervisor is then responsible for examining the request and for approving or "unlocking" the item so that it can be committed to the database/recorded and settled (i.e. banked or paid out).


    Generally, the SAP access roles for Employees and Supervisors were appropriately configured to enforce the business rules/process outlined above. However, when these access rights were combined with other access rights in SAP, 31 Branch Administrative Officers had the ability to enter and approve/unlock their own requests. This situation increases the risk of unauthorized overtime being paid out, as these individuals can submit and approve their own overtime requests. This represented a known issue within the SAP system, with a decision taken by management to control the process through detective/monitoring type processes.

    Furthermore, there are no periodic review processes in place to provide for the integrity of leave data for employees. Without a proper detective control to ensure that employees are recording all leave taken in SAP, individuals could possibly take more leave than they are entitled to and/or the Agency could pay out amounts for invalid/inaccurate balances. The system can help managers monitor whether employees are recording their leave or not.

    References (for additional details see Appendix C, SAP HR Control Framework):

    Control Weakness #4 - Unauthorized Approval of Overtime;

    Control Weakness #5 - Monitoring of Leave Balances Accuracy.

    Recommendations

    4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group, correct the configuration of the security role for the Branch Administrators to eliminate the ability to submit and approve their own overtime and leave requests. Specifically, the Branch Administrators' access should be limited to submitting their own requests for subsequent approval by their Supervisors.

    5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.

    Management Responses

    4. Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.

    5. Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leave calendars to ensure that leave taken is recorded appropriately. HRD will send out a reminder to managers to this effect.

    A new tool to be launched in September 2005, Manager Self Services (MSS), will assist managers in this regard.

    Organizational Management

    The organizational management functionality within SAP contains the active organizational structure of the Agency, including the design of specific organization units (i.e. Branches) and positions. Individual positions are created as elements of master data and include the reporting relationship between positions and classification/planned compensation based on collective bargaining agreements. When employees are hired, they inherit the attributes of the position, including the salary and classification, and the employee is also placed into the appropriate place in the organizational structure. This is referred to as the integration of Personnel Administration and Organizational Management within SAP HR.

    The maintenance of position data at CIDA is a shared responsibility between the Branches (Branch Administrative Officers and the Branch Managers) and the Classification Division. The current business process stipulates that the Branch Administrative Officer is responsible for setting up the new position or making a position data change in a "proposed" status for subsequent approval by the Branch/Responsible Manager. Subsequently, the Classification Officer reviews the classification and either approves or rejects the position. If it is approved, the position becomes active and the position is introduced into CIDA's organizational structure. This "self-service" type of business process is becoming more popular for SAP clients, and the sharing of data entry functions as outlined above is consistent with the trends occurring elsewhere in the public and private sectors. In this new business model, end-user departments (such as the Branches) are typically responsible for data entry with an oversight function being performed by a centralized body.

    Branch Administrative Officers currently have the access in the SAP system to create positions, assign a classification in SAP and make them active within the organizational structure at CIDA. They also have the ability to appoint or hire individuals into these positions. When this type of access is combined with position maintenance access, a segregation of duties risk within SAP is created, as individuals could be appointed or hired into positions without a proper classification. The risk of improper classification and non-compliance with delegation of authorities is also increased, as Branch Administrative Officers and the Responsible Managers do not currently have the delegation/classification authority for positions. To compensate for this risk, the SAP HR Support group developed a monitoring report that provides a listing of the new positions that have been created and classified in the system on a daily basis. This monitoring report is supposed to be reviewed by the Classification Division, with any required corrections discussed with the Branches. It was noted, however, that this report is currently not being reviewed on a daily/regular basis given workload and backlog issues within the Classification Division.
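    One way to detect the two segregation-of-duties conflicts described in this section and under Leave and Overtime Recording above: a user whose combined roles let them approve (unlock) their own leave/overtime requests, and a user who can create, activate and fill a position without the Classification Division. This is an added example, not code from the audit report or from SAP; the role names, activity labels, scopes and user records are constructed, and the scope model is an assumption standing in for SAP's organizational authorization checks.

```python
"""Segregation-of-duties check over a user's effective SAP HR access.

Added example, not code from the CIDA audit report or from SAP. Role names,
activities, scopes and user records are constructed for illustration; the
real SAP authorization objects and CIDA's role definitions are not on the
page. The point mirrors the audit: each role may look fine on its own, while
the union of a user's roles creates the conflict.
"""
from dataclasses import dataclass

# Scopes over which an activity may be exercised (constructed labels).
SELF, SUBORDINATES, BRANCH, AGENCY = "SELF", "SUBORDINATES", "BRANCH", "AGENCY"


@dataclass(frozen=True)
class Grant:
    activity: str  # constructed label, e.g. "APPROVE_TIME"
    scope: str     # one of the scopes above


@dataclass
class User:
    uid: str
    branch: str
    roles: tuple


# Constructed role catalogue (not CIDA's). Z_BRANCH_ADMIN approves time at
# branch scope and owns the position lifecycle, which is what creates both
# conflicts once it is combined with the ordinary employee role.
ROLES = {
    "Z_EMPLOYEE": {Grant("SUBMIT_TIME", SELF)},
    "Z_SUPERVISOR": {Grant("APPROVE_TIME", SUBORDINATES)},
    "Z_BRANCH_ADMIN": {
        Grant("APPROVE_TIME", BRANCH),
        Grant("CREATE_POSITION", BRANCH),
        Grant("ACTIVATE_POSITION", BRANCH),
        Grant("HIRE", BRANCH),
    },
    "Z_CLASSIFICATION": {Grant("CLASSIFY_POSITION", AGENCY), Grant("ACTIVATE_POSITION", AGENCY)},
}


def effective_grants(user, roles=ROLES):
    """Union of grants across all of a user's roles, keeping which role gave each."""
    out = {}
    for role in user.roles:
        for g in roles.get(role, ()):
            out.setdefault(g, set()).add(role)
    return out


def scope_covers_self(scope):
    # A user is never their own subordinate, so only these scopes include self.
    return scope in (SELF, BRANCH, AGENCY)


def sod_findings(user, roles=ROLES):
    """Return a list of (rule, offending roles) for one user."""
    by_act = {}
    for g, srcs in effective_grants(user, roles).items():
        by_act.setdefault(g.activity, []).append((g.scope, srcs))
    findings = []
    # Rule 1: can submit a time request and approve it within a scope that
    # includes the submitter (self-approval of leave/overtime).
    if "SUBMIT_TIME" in by_act:
        bad = set()
        for scope, srcs in by_act.get("APPROVE_TIME", []):
            if scope_covers_self(scope):
                bad |= srcs
        if bad:
            findings.append(("self-approval of leave/overtime", sorted(bad)))
    # Rule 2: create + activate a position bypasses Classification approval;
    # being able to hire into it as well makes the exposure worse.
    if "CREATE_POSITION" in by_act and "ACTIVATE_POSITION" in by_act:
        bad = set()
        for act in ("CREATE_POSITION", "ACTIVATE_POSITION", "HIRE"):
            for _, srcs in by_act.get(act, []):
                bad |= srcs
        rule = "create and activate position without Classification"
        if "HIRE" in by_act:
            rule += " and hire into it"
        findings.append((rule, sorted(bad)))
    return findings


def audit(users, roles=ROLES):
    """Map each user with at least one conflict to their findings."""
    return {u.uid: f for u in users if (f := sod_findings(u, roles))}


# Constructed sample population: one plain employee, one supervisor, one
# Branch Administrative Officer and one Classification Officer.
USERS = [
    User("emp001", "B1", ("Z_EMPLOYEE",)),
    User("sup002", "B1", ("Z_EMPLOYEE", "Z_SUPERVISOR")),
    User("bao003", "B1", ("Z_EMPLOYEE", "Z_BRANCH_ADMIN")),
    User("cls004", "HRD", ("Z_EMPLOYEE", "Z_CLASSIFICATION")),
]

if __name__ == "__main__":
    for uid, findings in audit(USERS).items():
        for rule, srcs in findings:
            print(f"{uid}: {rule} (via {', '.join(srcs)})")
```

    Only the Branch Administrative Officer is flagged; removing the branch-scoped APPROVE_TIME grant from that role (the fix the audit recommends) clears the first finding and leaves the position-lifecycle one for Classification to address.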

    References (for additional details see Appendix C, SAP HR Control Framework):

    Control Weakness #6 - Position Master Record Maintenance.

    Recommendation

    6. It is recommended that IMTB, in cooperation with the SAP HR Support group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers, as they can currently create new positions without intervention from the Classification Division. This configuration will allow the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles & responsibilities.

    Management response

    6. Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system.

    The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the Branch Administrator's role is being reviewed to limit their access when creating a position for classification.

    Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAO.

    This comes under the SHIP-HR Improvement Project (SHIP) initiative.

Security and Privacy

Human Resource applications typically contain a number of elements of personal information that must be protected from unauthorized disclosure. Given the importance of emergency contact and the financial impact of pay information (with the implementation of SFS), it is important to limit the ability to update this information to only authorized individuals.


At the time of the SAP HR implementation in October 2000, an assessment of the information captured in the system was performed to identify elements of information that should not be available for viewing to persons other than those designated. Specific examples of data covered in this analysis include employment equity information and personal qualifications. Treasury Board requirements state that a Privacy Impact Assessment (PIA) must be undertaken for any major system change where personal information is involved. In the new fiscal year, CIDA is planning to implement new functionality for salary forecasting (Salary Forecasting System - SFS) and no PIA has been undertaken to date.

In general, while the security and privacy design approach/framework in CIDA for granting HR access appears adequate for protecting personal information, there were some configuration breakdowns/abnormalities noted during the audit that circumvented the key planned controls for users to be limited to their own areas of responsibility (i.e. Branch) for the performance of HR report execution.

The two configuration exceptions related to the viewing/reporting of information. The first exception is that as of March 22, 2004, over 1700 (i.e. all CIDA employees and consultants) user accounts had access to view HR data at the table level through table browser transactions (SAP transaction code SE16). Effectively, this profile configuration represents a "back door" that allows users to view information (including sensitive HR information) that is not required for their job functions. This configuration could also result in violations of the Privacy Act that outlines requirements for protection of personal information for government employees.

The second exception involves the configuration of an SAP delivered "override". Specifically, when the P_ABAP authorization object is configured with specific values and assigned to users, the regular SAP security checks performed during the execution of HR reports are deactivated. For example, if users are assigned access profiles that prevent them from viewing employees outside of their area of responsibility (i.e. Branch), the configuration of the override will allow them to see employees outside of their Branch on reports if requested (i.e. information that they are not authorized to view). Authorizations set up in this manner allow individuals to have access to all HR information on a report even though their user profile is configured to restrict them from accessing the data. Currently, 129 users have been provided with this override.

The audit of the HR end user access profiles revealed that 14 roles/profiles had been given access to run programs directly (i.e. other than through specific access to reports/transactions) through the ability to execute programs through a centralized mechanism (transaction SA38). The effect of this functionality is essentially to bypass transactional restrictions imposed on users. These transactions could also provide access to sensitive HR reports and transactions and therefore, provide an alternative means of accessing HR information. Although the configuration does restrict the users to specific reports within the HR function (through the use of authorization group flags and authorization object S_PROGRAM), there are a number of reports in SAP, including HR reports, for which this level of protection is not available.

Access to perform maintenance of specific pieces of information or infotypes and/or viewing of selected sensitive infotypes is also available to SAP Support personnel who are not directly involved with the support of the HR modules. This includes selected Support individuals for SAP financial applications, as well as members of IMTB (such as Security Administrators).

A specific issue test conducted as part of the audit was to examine the use of generic accounts within the system. Generic accounts/IDs are defined as user accounts that are not directly tied to an individual and/or are shared for maintenance purposes. The SAP HR support group has adopted a specific naming convention for their group's users. Specifically, the HRAIS series of accounts were created to prevent users from calling SAP support group members directly if a change is made to an employee's information. However, members of the support group have been given their own unique HRAIS (i.e. HRAIS01, HRAIS02, etc.) account that is tied directly to them through the text field name on the account. They are also responsible for keeping the confidentiality of their own passwords. Finally, the same HRAIS account will not be assigned to a new employee after the departure of a support group team member. Therefore, the HRAIS series of accounts is not considered to be generic accounts.

Nevertheless, there are some generic accounts that currently have access to perform maintenance functions and/or view sensitive information. Accounts such as WFADMIN, WFADMIN2, WFADMINTEST, WORKFLOW, PHOENIX, ACDI-CIDA are all accounts that have access to perform HR functions.

    References (additional details see Appendix C HR Artpack):

    Control Weakness #7 - Non SAP HR Support Group Access

    Control Weakness #8 - Privacy Impact Assessment

    Control Weakness #9 - SAP HR Table Access

    Control Weakness #10 - SAP HR Report Execution

    Control Weakness #11 - SAP HR Reporting

    Control Weakness #12 - Generic Accounts

    Control Weakness #13 - Monitoring Procedures

Recommendations

7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.

8. It is recommended that IMTB should perform Privacy Impact Assessments in accordance with Treasury Board requirements.

9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.

10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the configured transactional and reporting restrictions, be removed from end-user access profiles by IMTB.

11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and corrected by IMTB.

12. It is recommended that IMTB limit the use of generic accounts.

13. It is further recommended that IMTB, in conjunction with HRD and the SAP Support Group, develop a set of security monitoring procedures focused on reviewing lists of users with access to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction.
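As an added illustration (not part of the audit report, and not CIDA or SAP code) of the monitoring procedure recommendation 13 asks for, the script below runs the checks behind control weaknesses 9 to 12 over a constructed role export: it flags roles granting SE16, SA38 or SE38, P_ABAP overrides with COARS=2, and accounts whose name text does not identify a person. The role names, user IDs and sample rows are assumptions; only the object and field names (S_TCODE/TCD, P_ABAP/REPID and COARS, S_PROGRAM/P_GROUP) and the export shapes (AGR_1251, AGR_USERS) are real SAP identifiers.

```python
"""Access-review check for the exposures described in the audit findings.

Added illustration, not CIDA or SAP code.  The rows below are constructed to
mimic two SAP exports: role authorization values (shape of table AGR_1251:
role, object, field, low, high) and role-to-user assignments (shape of
AGR_USERS: role, user), plus the name text from the user master.
"""
from collections import defaultdict

# Constructed AGR_1251-style rows: (role, object, field, low, high).
ROLE_AUTHS = [
    ("Z_HR_BAO",      "S_TCODE",   "TCD",     "PA30",     ""),
    ("Z_HR_BAO",      "S_TCODE",   "TCD",     "SE16",     ""),  # table browser
    ("Z_HR_REPORTER", "S_TCODE",   "TCD",     "SA38",     ""),  # run any program
    ("Z_HR_REPORTER", "S_PROGRAM", "P_GROUP", "ZHR",      ""),
    ("Z_HR_REPORTER", "P_ABAP",    "REPID",   "*",        ""),
    ("Z_HR_REPORTER", "P_ABAP",    "COARS",   "2",        ""),  # HR checks off
    ("Z_HR_VIEW",     "S_TCODE",   "TCD",     "PA20",     ""),
    ("Z_HR_VIEW",     "P_ABAP",    "REPID",   "RPLMIT00", ""),
    ("Z_HR_VIEW",     "P_ABAP",    "COARS",   "1",        ""),  # simplified check
    ("Z_BASIS_ADMIN", "S_TCODE",   "TCD",     "SE*",      ""),  # wildcard covers SE16
]

# Constructed AGR_USERS-style rows: (role, user).
ROLE_USERS = [
    ("Z_HR_BAO", "JSMITH"), ("Z_HR_REPORTER", "AJONES"),
    ("Z_HR_REPORTER", "WFADMIN"), ("Z_HR_VIEW", "HRAIS01"),
    ("Z_BASIS_ADMIN", "PHOENIX"), ("Z_HR_VIEW", "BLEE"),
]

# Constructed user-master extract: user ID -> name text on the account.
# The audit treats an account as generic when it is not tied to a person.
USER_NAMES = {
    "JSMITH": "Jane Smith", "AJONES": "Alex Jones", "BLEE": "Bo Lee",
    "HRAIS01": "Jane Smith (HR support)",   # named holder, so not generic
    "WFADMIN": "",                           # no holder recorded
    "PHOENIX": "PHOENIX",                    # name merely repeats the ID
}

# Transactions the report identifies as bypassing transactional restrictions.
BACKDOOR_TCODES = ("SE16", "SA38", "SE38")

def tcode_matches(pattern, tcode):
    """SAP authorization values may end in '*' as a trailing wildcard."""
    if pattern.endswith("*"):
        return tcode.startswith(pattern[:-1])
    return pattern == tcode

def risky_roles(role_auths):
    """Map role -> set of findings (control weaknesses 9, 10 and 11)."""
    findings = defaultdict(set)
    p_abap = defaultdict(dict)  # role -> {P_ABAP field: value}
    for role, obj, field, low, _high in role_auths:
        if obj == "S_TCODE" and field == "TCD":
            for tcode in BACKDOOR_TCODES:
                if tcode_matches(low, tcode):
                    findings[role].add(f"S_TCODE grants {tcode}")
        elif obj == "P_ABAP":
            p_abap[role][field] = low  # one value per field in this sample
    for role, fields in p_abap.items():
        # COARS=2 switches off the regular HR authorization checks for the
        # reports named in REPID: the "override" the audit describes.
        # COARS=1 still performs a (simplified) check, so it is not flagged.
        if fields.get("COARS") == "2":
            repid = fields.get("REPID", "?")
            findings[role].add(f"P_ABAP override (COARS=2, REPID={repid})")
    return dict(findings)

def generic_accounts(user_names):
    """Accounts whose name text names no person (blank or just the ID)."""
    return sorted(user for user, name in user_names.items()
                  if not name.strip() or name.strip().upper() == user.upper())

def review(role_auths, role_users, user_names):
    """User-level findings for a periodic access review (recommendation 13)."""
    by_role = risky_roles(role_auths)
    generic = set(generic_accounts(user_names))
    report = defaultdict(set)
    for role, user in role_users:
        for finding in by_role.get(role, ()):
            report[user].add(f"{role}: {finding}")
        if user in generic:
            report[user].add(f"generic account assigned {role}")
    return {user: sorted(items) for user, items in report.items()}

if __name__ == "__main__":
    for user, items in sorted(review(ROLE_AUTHS, ROLE_USERS, USER_NAMES).items()):
        print(user)
        for item in items:
            print("  -", item)
```

HRAIS01 produces no finding because its role carries neither a back-door transaction nor a COARS=2 override and its name text identifies a person, which matches the report's reasoning for not treating the HRAIS series as generic.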

Management Responses

7. Agree. This was done in conjunction with item 13, SR 3462.

8. Agree. However, Privacy Impact Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIA's. IMTB is incorporating processes into the SR and System Development Procedures to identify systems changes and systems requests that may require PIA's; and, ensuring that System Owners and the Privacy Coordinator are informed.

These assessments will be conducted and modified if needed.

This comes under the SAP-HR Improvement Project (SHIP) initiative.


9. Agree. SR3194 was registered, addressed & completed in December 2004.

10. Agree. Transactions SE38 and SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 and SR3058.

The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job, therefore cannot be removed.

11. Agree. HR Job roles were reviewed. SR3463 was opened.

12. Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not "generic" accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account. Access is being revised (through SR 3314) ensuring limited access to information. The "Phoenix" and "ACDI-CIDA" accounts are also being revised to ensure that minimal access is granted.

13. Agree. SR3462 was opened and appropriate configuration was done into SAP-HR to action this recommendation.

3.2. Observations Arising from the Benchmarking of the SAP Support Group Structure

The preliminary survey conducted prior to the execution of specific audits outlined that HRD currently has ten staff to maintain the SAP HR module.

Further examination of the ten positions revealed that there is a Manager included in that figure who also has other responsibilities, as well as the following individuals as of May 4, 2004, and there is currently one full-time consulting SAP HR expert on site who provides expert advice on the development and implementation of the Salary Forecasting System:

2 Senior HR Systems Officers;

3 HR Systems Officers;

1 HR Junior System Officer;

2 Full Time Expert consultants;

2 Full time Junior consultants; and

1 Full time SAP HR consultant.

The total number of support employees for SAP HR is eleven.

Table 1 - Benchmarking Data

Area | Organization 1 (Public Sector) | Organization 2 (Public Sector) | Organization 3 (Public Sector) | Organization 4 (Public Sector) | CIDA
--- | --- | --- | --- | --- | ---
SAP HR Functionality | PA, PD, Time Entry (CATS) | PA, PD, Time Entry, Training & Events, Payroll | PA, PD, Time Entry, Training & Events, Payroll | PA, PD | PA, PD, Time
Approximate Number of SAP HR Users (excluding employee self-service) | 500 | 2,000 | 2,500 | 290 | 300
Number of Employees | 3,500 | 45,000 | 43,000 | 9,600 | 1,550
Number of Support Employees | 1.25 | 50 | 40 | 3.25 | 11
Number of SAP HR Consultants in Support Group | .25 (programmer) | 5 (module experts) | 10 (module experts, programmers) | 0 | 4
Ratio of Support Group to Users | 1:400 | 1:40 | 1:63 | 1:90 | 1:27
Ratio of Support Group to Employees | 1:2800 | 1:900 | 1:1075 | 1:2950 | 1:141
HR Master Data Maintenance Model | Decentralized | Decentralized | Decentralized | Centralized | Decentralized

Table 1 summarizes the results of the benchmarking survey that was conducted for 4 public sector organizations that currently use some components of the SAP HR module. Two key ratios, the ratio of support group employees to users and the ratio of support group employees to employees, were calculated and used as the primary basis for comparison of their support structures versus CIDA's. Based on the comparative ratios, CIDA's SAP HR support group composition should be between 1 and 2 full time equivalents.

As outlined in Table 1, CIDA's ratios for support personnel to active employees and the ratio of support personnel to users are significantly lower than the other organizations, and near the middle of the pack based on the number of users. The figures point to an overstaffing situation within the SAP HR support group; however, other factors must be taken into consideration.

Specifically, the following differences were noted:

Individuals within the support group are currently working on the implementation of new functionality (SFS);

The support group is currently leading and/or performing data quality activities for clean up purposes, which is ultimately outside of the scope of their mandate for delivery; and,

Other organizations included in the benchmarking survey have training super users within the individual user groups, whereas CIDA has kept the notion of centralized support.

Furthermore, the SAP support group is currently meeting their specific service level agreement timelines, with a minimum of spare resource cycles as was noted in our interviews. Finally, as the SFS moves into the production environment, additional support requirements will be created to cover the new functionality and end user support requirements.

If the SAP support group is to be reduced, functions currently being undertaken by individuals within this group will need to be performed by the business functions. Specifically, the responsibility for data quality and verification would need to be shifted to the Branches and support functions (i.e. IMTB) within CIDA.

Recommendation

14. It is recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.


Management response

14. Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play, including but not exclusively those recommended in the audit report.

CIDA is the only government department in Schedule I.1 of the Financial Administration Act that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared inter-government system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources.

This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module.

We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA.

Initiatives In Play:

1. The increasing interest in the government-wide Shared Services initiatives for "corporate" functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term.

2. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application.

Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources. HRD is contributing to this review and will implement the decisions, once known.

3.3 Observations Arising from the Assessment of SAP HR Functionality

Within the preliminary survey and within the interviews conducted as part of this and other audits of HR related activities, a number of observations were made with regards to the functionality of the HR system. Comments ranged from the lack of useable reports to lack of understanding of system functionality. SAP HR functionality and set-up are complex areas to understand.

After obtaining a high-level understanding of the business needs for SAP HR within CIDA and after reviewing the set-up and effectiveness of the application's control framework, all of the expected functionality required to perform daily activities related to the movement of employees, the management of the organizational structure, and the entry and approval of time and leave requests have been implemented. Therefore, the basic needs for the management of employee information, organizational structure as well as leave and overtime processing are being met by the current system.

Nevertheless, two specific observations have come to our attention. First, there is a need for additional business training to be provided to users of the HR functionality. Current training programs are focused on the technical data entry steps of SAP transactions without necessarily providing participants with background as to the importance of their work and its impact on decision-making.

Second, difficulties in reporting on SAP information are experienced by a large number of organizations, including CIDA. However, a significant number of standard SAP reports are delivered with the application and CIDA has developed custom reports to serve their users. If users feel that they are lacking information, specific causes could be the lack of understanding of the report output contents, reports that do not meet end user requirements and/or overall data integrity issues.

Recommendations

15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.

16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs. If additional reports or information is required, we further recommend that additional reports be developed. Alternatively, if the examination identifies gaps in report understanding, we recommend that action plans be developed to close the gaps through additional training.

Management responses

15. Agree. A corrective action plan is underway to ensure that:

SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation);

Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects);

SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and

End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner.

This comes under the SAP-HR Improvement Project (SHIP) initiative.

16. Agree. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users.

Clean up of data, documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan. Assuming SAP-HR is still the module of choice, during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements.

    Conclusion


Our audit was specifically designed to meet the objectives outlined in section 2 of the report. It was conducted in accordance with generally accepted auditing standards.

With respect to the accuracy and integrity of the information emanating from the SAP application, the results of our audit enable us to conclude that the functionality required to support the business needs of HRD and the Agency overall has been implemented. However, some areas for improvement in the effectiveness and efficiency of the business processes and reporting have been identified and provided as recommendations within the body of the report. Data integrity must also be improved as personnel movements are not being reflected on a timely basis for all required updates.

Opportunities for improvement of the control framework also exist through increased monitoring of changes to master data elements, and through the performance of periodic data quality reviews by the Branches and other business owners within the Agency.

An adequate framework for the design of user access privileges has been developed to protect sensitive information and to ensure access to perform critical maintenance functions for HR data is appropriately restricted. The audit indicated, however, that there are currently some security configuration issues that must be addressed and, as well, the use of generic accounts must be investigated and corrected to ensure that the designed framework of controls is properly implemented.

Based on the results accumulated through a benchmarking survey, the size of the SAP HR support group is larger than those of the organizations polled. However, CIDA's support group provides a broader range of services to the user population than the majority of the other organizations used as a benchmark. Therefore, once the new SFS functionality is implemented and subsequent to the data cleanup task, CRC should determine the size of the SAP HR support group in accordance with its expected return on investment.

Finally, in terms of an assessment of the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall, the distinction must be drawn between system-based controls and management/monitoring controls outside the system. For the system-based controls, with the exception of the identified security configuration and access problems, the business process appears to be well supported by the SAP HR module. The audit revealed, however, that improvement is required in supporting management and monitoring processes that are required to ensure that system transactions are recorded as intended.

Appendix A Summary of Audit Recommendations

SAP HR Audit

Project | Number of Recommendations | Completed | Ongoing | Work in Progress
--- | --- | --- | --- | ---
Internal Audit of SAP HR | 16 | | |

Recommendations | Management's Responses | Date | Status

1. Recommendation: It is recommended that the HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.

Management's Response: Agree that rationalization of leave and overtime approval authorities are required to reflect EX acting situations that do not result in changes to rates of pay but disagree with the proposed corrective action plan. The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situation in the SAP system now, without a system configuration. The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices.

Date/Status: HRD to send reminders to BMOs of the requirement and method to amend reporting relationships for the purposes of SAP-HR leave and overtime administration. Procedure will be incorporated into the SHIP action plan.

2. Recommendation: It is recommended that HRD, in collaboration with IMTB and the Branches develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility and will also identify acting situations that have not been recorded and/or expired acting situations that have not been recorded. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by the HRD.

Management's Response: Agree. HRD, in collaboration with IMTB and the branches will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situation within the manager's own branch. Also, HRD will assess the integrity of the organizational structures at the Agency level. Roles and responsibilities will be defined and process installed through the SAP-HR Improvement Project (SHIP) initiative. Business process and definition of roles and responsibilities through the SAP-HR Improvement Project (SHIP) initiative.

Date: March 31, 2006

Status: Part of SHIP action plan.

3. Recommendation: It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application every 4 months.

Management's Response: Agree. Files are being created to compare data between "On-Line Pay" System and SAP-HR employee's position classification and pay scale. This comes under the SAP-HR Improvement Project (SHIP) initiative - Enhancement of Quality control.

Date: December 2005

Status: Part of the SHIP action plan

4. Recommendation: It is recommended that IMTB, in conjunction with HRD and the SAP Support Group correct the configuration of the security role for the Branch Administrators and to eliminate the ability to submit and approve their own overtime and leave requests. Specifically, the Branch Administrators access should be limited to submitting their own requests for subsequent approval by their Supervisors.

Management's Response: Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.

Status: COMPLETED

5. Recommendation: It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.

Management's Response: Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leaves calendar to ensure that leave taken is recorded appropriately. HRD will send out a reminder to managers to this effect. A new tool to be launched in September 2005, Manager Self Services (MSS) will assist managers in this regard.

Date: August 2005; September 2005

Status: In progress

6. Recommendation: It is recommended that IMTB, in cooperation with the SAP HR Support group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers as they can currently create new positions without intervention from Classification Division. This configuration will allow the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles & responsibilities.

Management's Response: Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system. The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the Branch Administrator's role is being reviewed to limit their access when creating a position for classification. Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAO. This comes under the SHIP-HR Improvement Project (SHIP) initiative.

Date: March 2006

Status: Part of the SHIP action plan

    7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.

    Management response: Agree. This was done in conjunction with item 13, SR 3462.

    Target date: March 2005

    Status: Completed

    8. It is recommended that HRD should perform Privacy Impact Assessments in accordance with Treasury Board requirements.

    Management response: Agree. However, Privacy Impact Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIA's. IMTB is incorporating processes into the SR and System Development Procedures to identify systems changes and systems requests that may require PIA's; and, ensuring that System Owners and the Privacy Coordinator are informed. These assessments will be conducted and modified if needed. This comes under the SAP-HR Improvement Project (SHIP) initiative.

    Target date: March 2006

    Status: Part of SHIP action plan

    9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.

    Management response: Agree. SR3194 was registered, addressed & completed in December 2004.

    Target date: December 2004

    Status: COMPLETED

    10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured, be removed from end-user access profiles by IMTB.

    Management response: Agree. Transactions SE38 & SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 & SR3058. The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job, therefore cannot be removed.

    Target date: June 2004

    Status: COMPLETED

    11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and corrected by IMTB.

    Management response: Agree. HR Job roles were reviewed. SR3463 was opened.

    Target date: March 2005

    Status: COMPLETED

    12. It is recommended that IMTB limit the use of generic accounts.

    Management response: Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not "generic" accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account. Access is being revised (through SR 3314) ensuring limited access to information. The "Phoenix" and "ACDI-CIDA" accounts are also being revised to ensure that minimal access is granted.

    Target date: March 2005

    Status: COMPLETED


    13. It is further recommended that IMTB, in conjunction with HRD and the SAP Support Group, develop a set of security monitoring procedures focused on reviewing lists of users with access to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction.

    Management response: Agree. SR3462 was opened and appropriate configuration was done into SAP-HR to action this recommendation.

    Target date: March 2005

    Status: COMPLETED

    14. We recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.

    Management response: Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play, including but not exclusively those recommended in the audit report.

    CIDA is the only Schedule 1.1 government department that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared inter-government system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources.

    This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module.

    We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA.

    Initiatives In Play:

    1. The increasing interest in the government-wide Shared Services initiatives for "corporate" functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term.

    2. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application. Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources. HRD is contributing to this review and will implement the decisions, once known.

    Target date: Ongoing

    Status: With the approval of CRC and under the direction of the CIO, an inter-Branch project team is being established to assess the impacts and implications of the Shared Services Initiative on the SAP system, including the SAP-HR module. Work has begun in HRD through the establishment of an internal working group to discuss HR business process flow requirements, identify SAP-HR changes and engage end-users in the clean up of data and the application of revised procedures. HRCSB internal review in progress.

    15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.

    Management response: Agree. A corrective action plan is underway to ensure that:

    SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation);

    Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects);

    SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and

    End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner.

    This comes under the SAP-HR Improvement Project (SHIP) initiative.

    Target date: March 2006

    Status: Work in progress

    16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs. If additional reports or information is required, we further recommend that additional reports be developed. Alternatively, if the examination identified gaps in report understanding, we recommend that action plans be developed to close the gaps through additional training.

    Management response: Agree. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users.

    Clean up of data, documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan. Assuming SAP-HR is still the module of choice, during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements.

    This comes under the SAP-HR Improvement Project (SHIP) initiative.

    Target date: March 2006; March 2007

    Status: Part of the SHIP action plan; Last phase of the SHIP action plan
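The access-review checks that recommendations 4, 9, 10 and 13 call for (self-approval of leave and overtime, SE16 table access, SA38/SE38 program execution, and periodic lists of users holding critical transactions and infotypes) can be run over a role extract. The script below is an added illustration and is not part of the audit report or of CIDA's tooling: the role names, the ZLEAVE_REQ submission transaction, the user list and the extract layout are constructed for the example and follow no real SAP export format, while SE16, SA38, SE38, PA30, PA40, ZAPT, PA61 and infotype 0008 are the identifiers the report itself names.

```python
"""Periodic access review over a constructed SAP HR authorization extract.

Added example, not the audit's or CIDA's own tooling. All role definitions,
user assignments and the ZLEAVE_REQ transaction name are invented; the other
transaction codes and infotype 0008 are the ones the audit report names.
"""
from collections import defaultdict

# Rec. 9/10: direct table query and program execution bypass configured limits.
CRITICAL_TRANSACTIONS = {"SE16", "SA38", "SE38"}
# Appendix C: transactions used to unlock/approve leave and overtime records.
APPROVE_TRANSACTIONS = {"ZAPT", "PA61"}
# Constructed name for the self-service leave/overtime submission transaction.
SUBMIT_TRANSACTIONS = {"ZLEAVE_REQ"}
# Infotype 0008 (basic pay) is the critical infotype Appendix C names.
CRITICAL_INFOTYPES = {"0008"}
# Rec. 10 response: functional and ABAP teams legitimately keep SE38/SA38.
TECHNICAL_ROLES = {"Z_SAP_FUNCTIONAL", "Z_ABAP_DEV"}
# Roles that belong to the HR support group (rec. 7: non-HR access removed).
HR_ROLES = {"Z_HR_ADMIN", "Z_HR_SUPPORT"}

# Constructed role definitions: transactions and writable infotypes per role.
ROLE_TRANSACTIONS = {
    "Z_EMPLOYEE_ESS":  {"ZLEAVE_REQ"},
    "Z_SUPERVISOR":    {"ZLEAVE_REQ"},  # approves via workflow, not modelled here
    "Z_BRANCH_ADMIN":  {"ZLEAVE_REQ", "ZAPT", "PA61", "PA30", "SE16"},
    "Z_HR_ADMIN":      {"PA30", "PA40", "ZAPT", "PA61"},
    "Z_HR_SUPPORT":    {"PA30", "PA40", "SE16"},
    "Z_BASIS_SUPPORT": {"SE16", "SA38", "PA30"},
    "Z_ABAP_DEV":      {"SE38", "SA38"},
}
ROLE_INFOTYPE_WRITE = {
    "Z_HR_ADMIN":      {"0001", "0002", "0008"},
    "Z_HR_SUPPORT":    {"0001", "0002", "0008"},
    "Z_BASIS_SUPPORT": {"0008"},
    "Z_BRANCH_ADMIN":  {"0001"},
}
# Constructed user-to-role assignments (a user may hold several roles).
USER_ROLES = [
    ("alice", "Z_EMPLOYEE_ESS"),
    ("bob",   "Z_SUPERVISOR"),
    ("carol", "Z_BRANCH_ADMIN"),
    ("dave",  "Z_EMPLOYEE_ESS"),
    ("dave",  "Z_HR_SUPPORT"),
    ("erin",  "Z_BASIS_SUPPORT"),
    ("frank", "Z_ABAP_DEV"),
]


def effective_access(user_roles, role_tcodes, role_infotypes):
    """Collapse role assignments into per-user role, transaction and infotype sets."""
    roles, tcodes, infotypes = defaultdict(set), defaultdict(set), defaultdict(set)
    for user, role in user_roles:
        roles[user].add(role)
        tcodes[user] |= role_tcodes.get(role, set())
        infotypes[user] |= role_infotypes.get(role, set())
    return roles, tcodes, infotypes


def review_access(user_roles, role_tcodes, role_infotypes):
    """Return the three irregularity lists a periodic review (rec. 13) would act on."""
    roles, tcodes, infotypes = effective_access(user_roles, role_tcodes, role_infotypes)
    critical, self_approval, non_hr_writers = {}, {}, {}
    for user in sorted(roles):
        # Rec. 9/10: critical transactions held outside the technical teams.
        hits = tcodes[user] & CRITICAL_TRANSACTIONS
        if hits and not roles[user] & TECHNICAL_ROLES:
            critical[user] = sorted(hits)
        # Rec. 4: a user who can both submit and unlock/approve requests.
        approve = tcodes[user] & APPROVE_TRANSACTIONS
        if approve and tcodes[user] & SUBMIT_TRANSACTIONS:
            self_approval[user] = sorted(approve)
        # Rec. 7 / Appendix C: non-HR users able to maintain critical infotypes.
        sensitive = infotypes[user] & CRITICAL_INFOTYPES
        if sensitive and not roles[user] & HR_ROLES:
            non_hr_writers[user] = sorted(sensitive)
    return {
        "critical_transactions": critical,
        "self_approval_conflicts": self_approval,
        "non_hr_critical_infotype_writers": non_hr_writers,
    }


if __name__ == "__main__":
    findings = review_access(USER_ROLES, ROLE_TRANSACTIONS, ROLE_INFOTYPE_WRITE)
    for category, users in findings.items():
        print(category)
        for user, items in users.items():
            print(f"  {user}: {', '.join(items)}")
```

Run as a script it prints the three finding lists for the constructed data: carol (Branch Administrator) holds SE16 and can both submit and unlock/approve requests, dave holds SE16 outside the technical teams, and erin can write infotype 0008 without belonging to the HR support group. In practice the three dictionaries would be populated from a real user/role/transaction export, and the review would confirm for each flagged user whether the access is required by their job, as the response to recommendation 10 does for the functional and ABAP teams.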

    Appendix B Control Objectives/Audit Criteria for the SAP HR Process Review

    The following control objectives/audit criteria were developed during the planning phase of this audit to capture the required audit criteria on which to base the assessment of the control framework and the security access rights. The criteria have been segregated to reflect the sub-processes that form the basis for the SAP HR supported process.

    HR Master Data

    1. All changes to the SAP HR and payroll master files are complete, valid and timely.

    2. Agency employee information transferred to the Compensation Systems is accurate, valid and timely.

    3. Terminated employees are removed from the payroll master file and all deletions are valid (and are within statutory requirements).

    Leave and Overtime Recording

    4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized.

    Organizational Management

    5. All valid changes to organizational units, positions and other master data are accurate, valid, timely and in accordance with relevant legislation.

    Security and Privacy

    6. Access to personal/sensitive information is adequately restricted to only authorized individuals.

    7. Segregation of duties is appropriate and system access is restricted to authorized personnel.

    Appendix C - SAP HR Control Framework

    March 31, 2004

    ARTpack Project

    Introduction

    This document analyzes the control framework within a particular application or process. For each process reviewed, the following documents were prepared:

    1. Flow Diagram

    2. Control Framework and Evaluation Matrix

    3. Process Descriptions

    The application flow diagram aims to convey the most important elements of the process and as a result, certain infrequent or insignificant detail is intentionally omitted. The following icons are used on the diagrams:

    Control Points

    Financial/Business Exposure;

    Main Flow of Transactions;

    The above icon types cross-refer to the control evaluation matrix, which compares the identified controls to the control objectives for the area and assesses the degree to which the objectives are supported by controls. The following icons are used on the control evaluation matrix:

    The identified control supports this control objective

    Weaknesses were found for this control

    A description of the control or weakness can also be found on the control evaluation matrix. Blue text indicates a control and red text indicates a weakness or inefficiency (see PDF version).

    Scope of this Review

    This review considered controls and weaknesses throughout the SAP HR System.

    The review included discussions with CIDA staff and testing of certain system and manual control activities. Consult the table below in large format.

    Control evaluation matrix columns: Description; Control Objective; Control/Weakness; Control/Weakness Reference.

    Control objectives, grouped by sub-process, with the attributes each addresses:

    HR Master Data Maintenance

    1. All changes to the SAP HR master files are accurate, complete, valid and timely. (Accuracy, Validity, Completeness, Cut-off)

    2. Agency employee information entered into the Compensation system is accurate, complete, valid and timely. (Accuracy, Validity, Completeness, Cut-off)

    3. Terminated employees are removed from the payroll master file and all deletions are valid. (Validity, Accuracy)

    Leave and Overtime Recording

    4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized. (Accuracy, Validity)

    5. Overtime entered is accurate and valid and calculated in accordance with collective agreements. (Accuracy, Validity)

    Organizational Management

    6. All changes to organizational units, positions and other org structure data elements are timely, accurate, valid and complete. (Accuracy, Validity, Completeness, Cut-off)

    Security & Privacy

    7. Access to personal/sensitive information is restricted to only authorized individuals. (Validity)

    8. Segregation of duties is appropriate and system access is appropriately restricted to authorized personnel. (Validity, Completeness, Accuracy)

    HR Master Data Maintenance

    SAP Security for HR Master Data

    The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.

    SAP Input Controls for Master Data

    Mandatory fields are configured for infotypes included in personnel files within SAP, in order to ensure that all relevant information is captured.

    Personnel actions (a grouping of functionality to accomplish specific HR activities such as hiring) have been configured for major HR administrative tasks to ensure that all relevant infotypes are completed for personnel related activities. Time constraints, an element of SAP configuration that specifies whether infotypes must be populated, have also been configured at the infotype level to control the completeness of infotypes within an on-line personnel file.

    Acting Assignments

    Selected acting situations (i.e. one month or above) that do not affect pay are currently not entered into SAP. For example, an EX-01 employee acting at an EX-02 level is currently not entered into the system until 3 months has elapsed. The lack of update of the org structure has an impact on the proper routing of workflow items for approval.

    In addition, it was further noted that expired acting situations were not updated in SAP on a timely basis.

    Planned Compensation

    Pay scales that are aligned with the relevant public sector collective agreements have been configured in SAP. Changes to the collective agreements are controlled through the formal Service Request process at CIDA.

    Integration with Org Management

    Pay scale/salary information is defaulted into the personnel file (infotype 0008) based on information stored on the position master record. However, users can change the information brought in to accommodate Salary Protected employees (employees that have been designated as surplus and given a lower classification, but still paid at their previous pay rate).

    Monitoring Reports for HR Master Data

    There is currently no formalized review and/or approval of active employee listings, staffing reports or organizational charts by the Responsible Managers or Financial Authorities on a periodic basis.

    PWGSC Reconciliation with SAP

    There is currently no formal reconciliation of employee pay rates in the PWGSC On-Line Pay system to the records in SAP.

    Leave and Overtime Recording

    SAP Security for Leave and Overtime

    The SAP security and authorization concept is utilized to restrict the ability to unlock/approve requests for leave (SAP transactions ZAPT, PA61).

    Leave Entitlement Validation

    Prior to the completion of a leave request, SAP verifies that the employee is entitled to the type of leave requested and that the minimum/maximum amounts requested are in line with the appropriate collective agreement provisions. The SAP Time Evaluation functionality is utilized to perform the check.

    Quota Balances

    Prior to completing the on-line approval transaction, SAP automatically verifies whether an employee has an adequate leave entitlement remaining to accommodate the request. If the quantity remaining is insufficient, the Supervisor is not permitted to save/approve the application. The SAP Time Evaluation functionality is utilized to perform the check.

    Upon successful approval of leave, SAP automatically updates the quota balance(s) for an employee.

    SAP Security for Leave and Overtime Approvals

    The SAP security and authorization concept is utilized to restrict the ability to unlock/approve submitted overtime records.

    Unauthorized Approval of Overtime

    Situations have been noted where employees were able to submit their requests for paid overtime and approve their own requests. This could result in unauthorized overtime payments being generated for employees.

    Monitoring of Leave Balances

    There are currently no processes or procedures in place to perform a periodic review of employee leave balances, to ensure that all leave taken is being recorded in SAP.

    Organizational Management

    SAP Security for Org Management

    The SAP security and authorization concept is utilized to restrict the ability to update position master data to appropriate personnel.

    SAP Input Controls for Organizational Management

    Mandatory fields are configured for organizational management infotypes, in order to ensure that all relevant information is captured.

    Actions have also been configured for key organizational structure maintenance activities to ensure that all relevant infotypes are completed for the creation of new objects (i.e. positions). Time constraints have also been configured at the infotype level to control the completeness of infotypes for these objects.

    Position Master Record Maintenance

    Branch Administrative Officers currently have access to create, approve and activate new positions without the Classification Division reviewing the appropriateness of the classification data. Branch Administrative Officers also have the ability to perform personnel movements. To mitigate this segregation of duties risk, the SAP HR Support Group created monitoring reports for Classification to review; however, it was noted that the reports are currently not being reviewed on a regular basis by the Classification Division.

    Security and Privacy

    Security/Privacy of HR Data

    The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.

    Non SAP HR Support Group Access

    Non-HR SAP support individuals currently have the ability to maintain critical infotypes such as infotype 0008 (basic pay).

    Privacy Impact Assessment

    A formal Privacy Impact Assessment has not been performed since the initial implementation of SAP HR, and some significant changes have either been implemented or are planned for implementation.

    SAP HR Table Access

    An excessive number of users have the ability to view personal information through direct query of HR tables (through transaction SE16).