peoplesoftaudit_plans_icqs8-2-06.rtf


Copyright 2006 Information Systems Audit and Control Association

Security, Audit and Control Features PeopleSoft, 2nd Edition

Audit Programs and Internal Control Questionnaires

ISACA

With more than 50,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 48,000 professionals since inception, and the Certified Information Security Manager (CISM) designation, a groundbreaking credential earned by 6,000 professionals since the program's inception.

Purpose of Audit Programs and Internal Control Questionnaires

One of ISACA's goals is to ensure that educational products support member and industry information needs. Responding to member requests for useful audit programs, ISACA's Education Board has released audit programs and internal control questionnaires for member use through K-NET. These products are developed from ITGI publications or provided by practitioners in the field.

Control Objectives for Information and related Technology

Control Objectives for Information and related Technology (COBIT) has been developed as a generally applicable and accepted framework for good information technology (IT) security and control practices for management, users, and IS audit, control and security practitioners. The audit programs included in K-NET have been referenced to key COBIT control objectives.

Disclaimer

ISACA (the "Owner") has designed and created this publication, titled Security, Audit and Control Features PeopleSoft: A Technical and Risk Management Reference Guide, 2nd Edition (the "Work"), primarily as an educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, control professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

While all care has been taken in researching and documenting the techniques described in this text, persons employing these techniques must use their own knowledge and judgment. ISACA and Deloitte Touche Tohmatsu, its partners and employees, shall not be liable for any losses and/or damages (whether direct or indirect), costs, expenses or claims whatsoever arising out of the use of the techniques described, or reliance on the information in this reference guide.

Oracle, JD Edwards, PeopleSoft and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. The publisher gratefully acknowledges Oracle's kind permission to use the trademarks in this publication. Oracle is not the publisher of this book and is not responsible for the content.

The purpose of these audit programs and internal control questionnaires (ICQs) is to provide the audit, control and security professional with a methodology for evaluating the subject matter of the ISACA publication Security, Audit and Control Features PeopleSoft: A Technical and Risk Management Guide, 2nd Edition. They examine key issues and components that need to be considered for this topic. The review questions have been developed and reviewed with regard to COBIT 4.0. Note: The professional should customize the audit programs and ICQs to reflect each specific organization's constraints, policies and practices.

The following are included here:

- HR Cycle Audit Program
- HR Cycle Audit ICQ
- Payroll Cycle Audit Program
- Payroll Cycle Audit ICQ
- Security Administration Cycle Audit Program
- Security Administration Cycle Audit ICQ

HR Cycle Audit Program

Column headings of the original program: Control Objective/Test | Documentation/Matters Arising | COBIT References

Preliminary Audit Steps

Gain an understanding of the PeopleSoft environment.

a. The same background information obtained for the PeopleSoft Application Security audit plan is required for, and relevant to, the business cycles. In particular, the following information is important:
- Determine the version and release of the PeopleSoft software implemented (by pressing Ctrl-J on any PeopleSoft page).
- Determine the total number of named users (for comparison with logical access security testing results).
- Determine the number of PeopleSoft instances.
- Determine the operating systems and database management systems running within the environment.
- Identify the modules that are being used.
- Determine if there have been any locally developed reports or tables created by the organization.
- Obtain details of the risk assessment approach taken by the organization to identify and prioritize risks.
- Obtain copies of the organization's key security policies and standards.
- Obtain a copy of any service level agreements.
- Obtain a copy of the contingency/backup plan.
- Review outstanding audit findings, if any, from previous years.

COBIT references: PO2, PO3, PO4, PO6, PO9, AI2, AI6, DS2, DS5, ME1, ME2

b. In addition:
- Obtain details of the organizational model as it relates to HR activity, i.e., the HR organization unit structure in the PeopleSoft software and the HR organization chart (required when evaluating the results of access security control testing).
- Interview the systems implementation team, if possible, and obtain process design documentation for HR.
- Review the training program to ensure that it is adequate and addresses all functional areas.

COBIT references: AI1, DS5, DS6

Identify the significant risks and determine the key controls.

c. Develop a high-level process flow diagram and overall understanding of the HR processing cycle, including the following subprocesses:
- Master Data Maintenance
- Commencements
- Personal Development
- Terminations

COBIT references: PO9, AI1, DS13

d. Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the following sample testing program and chapter 4 for techniques for testing configurable controls and logical access security) in regard to the following factors:
- The controls culture of the organization
- The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (any weaknesses in the control structure should be reported to executive management and resolved)

COBIT references: PO9, DS5, DS9, ME2

1. Master Data Maintenance

1.1 Access to HR setup tables and master file transactions is appropriately restricted.

Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the Workforce Administration, Compensation, Set Up HRMS and Global Human Resources Rules menus, and reviewing their level of access by writing the following query in PeopleSoft Query Manager:

SELECT B.OPRID, B.OPRCLASS, A.MENUNAME, A.BARNAME, A.BARITEMNAME, A.PNLITEMNAME, A.AUTHORIZEDACTIONS, A.DISPLAYONLY
FROM PSAUTHITEM A, PSOPRCLS B
WHERE A.CLASSID = B.OPRCLASS
ORDER BY B.OPRID, B.OPRCLASS, A.MENUNAME

The ORDER BY ensures that user IDs (OPRID), permission lists (OPRCLASS) and components (MENUNAME) are listed in alphabetical order.

Also generate a list of users with access to the setup pages within PeopleSoft menus, and review their level of access by writing the following query in PeopleSoft Query Manager:

SELECT B.OPRID, B.OPRCLASS, A.MENUNAME, A.BARNAME, A.BARITEMNAME, A.PNLITEMNAME, A.DISPLAYONLY, A.AUTHORIZEDACTIONS
FROM PSAUTHITEM A, PSOPRCLS B
WHERE A.CLASSID = B.OPRCLASS
AND A.BARNAME LIKE 'SETUP%'
ORDER BY B.OPRID

The ORDER BY ensures that user IDs (OPRID) are listed in alphabetical order.

The column A.AUTHORIZEDACTIONS contains a value that represents the action types the user is authorized to perform. The high-risk values are those that include Correction, because Correction mode permits changes to historical effective-dated rows rather than only the insertion of new ones:

8   Correction
9   Add, Correction
10  Update/Display, Correction
11  Add, Update/Display, Correction
12  Update/Display All, Correction
13  Add, Update/Display All, Correction
14  Update/Display, Update/Display All, Correction
15  Add, Update/Display, Update/Display All, Correction
136 Correction, Data Entry
137 Add, Correction, Data Entry
138 Update/Display, Correction, Data Entry
139 Add, Update/Display, Correction, Data Entry
140 Update/Display All, Correction, Data Entry
141 Add, Update/Display All, Correction, Data Entry
142 Update/Display, Update/Display All, Correction, Data Entry
143 Add, Update/Display, Update/Display All, Correction, Data Entry

Note: The A.DISPLAYONLY column will have a value of 0 or 1. A value of 1 means that all fields in the page are display-only to the user; a value of 0 means this setting is turned off and the action type codes indicate the level of access granted.

Generate a list of users and the row-level security defined by writing the following query in PeopleSoft Query Manager:

SELECT C.OPRID, A.DEPTID, B.SETID, B.DESCR, A.ACCESS_CD, A.TREE_NODE_NUM, A.TREE_NODE_NUM_END
FROM PS_SCRTY_TBL_DEPT A, PS_DEPT_TBL B, PSOPRDEFN C
WHERE A.SETID = B.SETID
AND A.DEPTID = B.DEPTID
AND B.EFFDT = (SELECT MAX(B_ED.EFFDT) FROM PS_DEPT_TBL B_ED
               WHERE B.SETID = B_ED.SETID AND B.DEPTID = B_ED.DEPTID)
AND A.ROWSECCLASS = C.ROWSECCLASS
ORDER BY C.OPRID, B.DESCR

The ORDER BY ensures that user IDs (OPRID) and descriptions (DESCR) are listed in alphabetical order. Note that the MAX(EFFDT) subquery as written returns the latest effective-dated department row even if that row is future-dated; add AND B_ED.EFFDT <= SYSDATE to the subquery if only the currently effective department description is wanted.

Select a sample of HR users and assess whether they have access to update their own HR data (i.e., job) by observing them attempting to make such changes.

COBIT references: AI2, AI6, DS5, DS6, DS11, DS13
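The following Python script is an added example and is not part of the ISACA guide. It runs the row-level security query above (the payroll program's 1.1.1 repeats the same PS_SCRTY_TBL_DEPT / PS_DEPT_TBL / PSOPRDEFN pattern) against a constructed in-memory SQLite copy of the three tables. It goes one step beyond the query as printed: the MAX(EFFDT) subquery is bounded by an as-of date, so that a future-dated department row is not reported as the one in force, and users who have no row security class at all, whom the join silently drops, are listed separately. The row security class names, department IDs, descriptions and user IDs in the sample rows are hypothetical.

```python
"""Resolve department (row-level) security through effective-dated PS_DEPT_TBL.

Added example, not from the ISACA guide. Table and column names are the ones
used by the row-level security query in 1.1; all row values are constructed.
"""
import sqlite3


def build_sample_db():
    """Constructed extracts of PSOPRDEFN, PS_SCRTY_TBL_DEPT and PS_DEPT_TBL."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE PSOPRDEFN (OPRID TEXT, ROWSECCLASS TEXT);
    CREATE TABLE PS_SCRTY_TBL_DEPT (ROWSECCLASS TEXT, SETID TEXT, DEPTID TEXT,
        ACCESS_CD TEXT, TREE_NODE_NUM INTEGER, TREE_NODE_NUM_END INTEGER);
    CREATE TABLE PS_DEPT_TBL (SETID TEXT, DEPTID TEXT, EFFDT TEXT, DESCR TEXT);
    """)
    con.executemany("INSERT INTO PSOPRDEFN VALUES (?,?)", [
        ("HRCLERK1", "DPALL"),   # hypothetical row security class names
        ("PAYCLERK", "DPFIN"),
        ("NOROWSEC", ""),        # no row security class assigned at all
    ])
    con.executemany("INSERT INTO PS_SCRTY_TBL_DEPT VALUES (?,?,?,?,?,?)", [
        ("DPALL", "SHARE", "10000", "Y", 1, 9999),    # whole tree from the root node
        ("DPFIN", "SHARE", "10100", "Y", 200, 299),   # Finance subtree only ...
        ("DPFIN", "SHARE", "10150", "N", 250, 259),   # ... minus Treasury, explicitly denied
    ])
    # Finance (10100) has three effective-dated rows; the last one is future-dated
    con.executemany("INSERT INTO PS_DEPT_TBL VALUES (?,?,?,?)", [
        ("SHARE", "10000", "1990-01-01", "Corporate"),
        ("SHARE", "10100", "2004-01-01", "Finance"),
        ("SHARE", "10100", "2006-01-01", "Finance and Accounting"),
        ("SHARE", "10100", "2007-06-01", "Finance (planned split)"),
        ("SHARE", "10150", "2004-01-01", "Treasury"),
    ])
    return con


# The guide's query, with the effective-date subquery bounded by an as-of date
# so that future-dated department rows are not reported as the row in force.
ROWSEC_SQL = """
SELECT C.OPRID, A.DEPTID, B.SETID, B.DESCR, A.ACCESS_CD,
       A.TREE_NODE_NUM, A.TREE_NODE_NUM_END, B.EFFDT
FROM PS_SCRTY_TBL_DEPT A, PS_DEPT_TBL B, PSOPRDEFN C
WHERE A.SETID = B.SETID
  AND A.DEPTID = B.DEPTID
  AND B.EFFDT = (SELECT MAX(B_ED.EFFDT) FROM PS_DEPT_TBL B_ED
                 WHERE B.SETID = B_ED.SETID AND B.DEPTID = B_ED.DEPTID
                   AND B_ED.EFFDT <= ?)
  AND A.ROWSECCLASS = C.ROWSECCLASS
ORDER BY C.OPRID, B.DESCR
"""


def row_level_access(con, as_of):
    """(OPRID, DEPTID, SETID, DESCR, ACCESS_CD, node start, node end, EFFDT in force)
    for every department grant/deny that applies to each user as of the given date."""
    return [tuple(r) for r in con.execute(ROWSEC_SQL, (as_of,))]


def users_without_row_security(con):
    """Users the join above cannot show because they carry no row security class."""
    sql = "SELECT OPRID FROM PSOPRDEFN WHERE ROWSECCLASS IS NULL OR ROWSECCLASS = ''"
    return [r[0] for r in con.execute(sql)]


if __name__ == "__main__":
    db = build_sample_db()
    for row in row_level_access(db, "2006-06-30"):
        print(row)
    print("no row security class:", users_without_row_security(db))
```

Run as of 2006-06-30 the script reports Finance as "Finance and Accounting"; run as of 2008-01-01 it reports the 2007 row, and run as of 2003-01-01 the Finance grants disappear because no department row was yet in effect. The ACCESS_CD column is what decides whether a node range is granted (Y) or denied (N); an auditor reading only the node ranges would miss the Treasury exclusion.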

1.2 Access to make changes to employee HR master data is appropriately restricted.

1.2.1 Review security design documentation detailing the configured controls implemented in the system and approved by management. In particular, review the online edit and validation checks and range checks.

For either a sample of the edit and validation checks or for the entire population, enter changes to employee data and observe the outcome of these attempts. Organizations may be reluctant to allow auditors to have access to make test changes in the production environment. Consequently, perform audit tests in the Test or QA environment, and corroborate that the configuration of controls in the Test/QA environment is the same as that in the production environment.

For example, attempt to change the bank ID and branch ID of an employee's bank information via Home > Workforce Administration > Personal Information > Biographical > Bank Accounts. Change the bank ID and/or branch ID to an erroneous value, and observe whether a warning message is displayed.

Attempt to change the employee's pay group via Home > Workforce Administration > Job Information > Job Data > Payroll. Change the pay group field to an erroneous value, and observe whether a warning message is issued.

Review the Date Last Increase field via Home > Workforce Administration > Personal Information > Job Data > Employment Data (at the bottom of the page), and determine whether this corresponds to the last authorized pay increase.

Note that not all potential pay increase scenarios update this date. Therefore, in addition to the above, generate a compensation history by writing the following query in Query Manager:

SELECT JO.EFFDT, JO.ACTION, JO.ACTION_REASON, JO.ANNUAL_RT, JO.EMPLID
FROM PS_JOB JO
WHERE JO.CHANGE_AMT <> 0
AND JO.EMPLID = 'specific EmplID'
ORDER BY JO.EFFDT

Substitute the employee ID under review for 'specific EmplID'. The ORDER BY ensures that the output is in effective-date (EFFDT) order.

Review the compensation history and investigate the validity of the changes.

COBIT references: PO9, AI2, AI6, DS6, DS9

1.2.2 Review security design documentation detailing the configured controls implemented in the system and approved by management, in particular the audit trail setup. Determine with relevant management the procedures in place for generating, reviewing and investigating audit reports showing changes to employee master data. Inspect a sample of audit trail reports for evidence of review and rectification of the exception items identified.

COBIT references: AI4, DS9, ME4

2. Commencements

2.1 Access to the hiring process is appropriately restricted.

2.1.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if the documentation was authorized by management prior to implementation.

COBIT references: PO10

2.1.2 Generate lists of users with access to the Workforce Administration, Workforce Development, Recruiting and Applicant Contract Data menus, and review their level of access by writing the SQL query detailed in chapter 6, Master Data Maintenance: Testing Techniques 1.1.1, in PeopleSoft Query Manager.

Select a sample of HR users and assess whether they have access to update their own HR data (i.e., job) by observing them attempting to make such changes.

COBIT references: DS5, DS11

2.2 Access to make changes to employee contract data is appropriately restricted.

2.2.1 Review security design documentation detailing the configured controls implemented in the system and approved by management, particularly the online edit and validation checks, range checks, etc. For either a sample of the edit and validation checks or for the entire population, enter changes to employee contract data (via Home > Workforce Administration > Job Information > Contract Administration > Update Contracts) and observe the success or failure of these attempts and whether a warning message is displayed.

Note that the above menu navigation path is different from Home > Recruiting > Hire Applicants > Prepare for Hire > Create Employment Contracts, which is for creating applicant contracts. The first menu path is for access to employee contracts.

Organizations may be reluctant to allow auditors to have the access to make test changes in the production environment. Consequently, perform the above audit tests in the Test or QA environment, and corroborate that the configuration of controls in the Test/QA environment is the same as that in the production environment.

COBIT references: AI1, DS11, DS13

3. Personal Development

3.1 Access to career planning is appropriately restricted.

3.1.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if the documentation was authorized by management prior to implementation.

Generate lists of users with access to the Career Planning page via Home > Workforce Development > Career Planning > Prepare > Create Career Plan. Review their level of access by writing the SQL query detailed in chapter 6, Master Data Maintenance Testing Technique 1.1.1, in PeopleSoft Query Manager.

Select a sample of HR users and assess whether they have access to update the strengths and development area pages of their own career plans by observing them attempting to make such changes.

COBIT references: DS5, DS11

3.2 Access to succession planning is appropriately restricted.

3.2.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if the documentation was authorized by management prior to implementation.

Generate lists of users with access to Succession Planning via Home > Organizational Development > Succession Planning > Create Succession Plan. Review their level of access by writing the SQL query detailed in chapter 6, Master Data Maintenance Testing Technique 1.1.1, in PeopleSoft Query Manager.

Select a sample of HR users and assess whether they have access to update the succession plans by observing them attempting to make such changes.

COBIT references: PO4, PO8, AI1, AI2, DS5

3.3 Access to training administration is appropriately restricted.

3.3.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if the documentation was authorized by management prior to implementation.

Generate lists of users with access to the Training Administration functions through one of the following paths:
- Home > Enterprise Learning > Define Course/Cost Details > Program Information
- Home > Enterprise Learning > Define Course/Cost Details > Courses

Also review the users' level of access by writing the SQL query detailed in chapter 6, Master Data Maintenance Testing Technique 1.1.1, in PeopleSoft Query Manager.

COBIT references: AI2, AI4, DS5

4. Terminations

4.1 Access to process terminations is appropriately restricted.

4.1.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if the documentation was authorized by management prior to implementation.

COBIT references: PO7, DS13

4.1.2 Generate lists of users with access to terminate employees on the system via Home > Workforce Administration > Job Information > Job Data. Review their level of access by writing the SQL query detailed in chapter 6, Master Data Maintenance Testing Techniques 1.1.1, in PeopleSoft Query Manager.

COBIT references: PO7, DS5, DS11

HR Cycle Audit ICQ

Column headings of the original questionnaire: Control Objective/Test | Response (Yes / No / N/A) | Comment | COBIT References

1. Master Data Maintenance

1.1 Access to HR setup tables and master file transactions is appropriately restricted.

1.1.1 Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for HR? Who has access to define business rules and administer employee HR data? Are these users appropriate? Who has add/correct/update access to Define Business Rules? This should be restricted to the HR administrator.

COBIT references: PO7, DS5, DS11

1.2 Access to make changes to employee HR master data is appropriately restricted.

1.2.1 Have edit and validation checks been implemented to ensure valid data changes? What type of edit and validation checks are in place? Who has access to make changes to the employee HR master data? Are these users appropriate?

COBIT references: DS11

1.2.2 Are audit logs of changes to employee master data reviewed by management on a periodic basis?

COBIT references: DS13, ME1

2. Commencements

2.1 Access to the hiring process is appropriately restricted.

2.1.1 Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for HR? Has this documentation been reviewed and approved by management prior to implementation?

COBIT references: PO7, DS4, DS5

2.1.2 Who has access to the function to hire employees and maintain employee contract information? Are these users appropriate, and have duties been appropriately segregated?

COBIT references: PO4, DS4

2.2 Access to make changes to employee contract data is appropriately restricted.

2.2.1 Has the security design documentation detailed the configured controls in the system? Was this documentation approved by management? What types of edit and validation checks are in place?

COBIT references: PO4, AI2, DS9

3. Personal Development

3.1 Access to career planning is appropriately restricted.

3.1.1 Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for HR? Has this documentation been reviewed and approved by management prior to implementation?

COBIT references: PO7, AI4, ME1

3.1.2 Who has access to maintain the employee strengths and development areas as part of an employee's career plan? Are these users appropriate HR personnel?

COBIT references: DS5

3.2 Access to succession planning is appropriately restricted.

3.2.1 Who has access to succession planning? Are these users appropriate HR personnel?

COBIT references: PO7

3.3 Access to training administration is appropriately restricted.

3.3.1 Who has access to maintain the Training Course table? Are these users appropriate HR personnel?

COBIT references: PO7, DS5, DS11

4. Terminations

4.1 Access to process terminations is appropriately restricted.

4.1.1 Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for HR? Has this documentation been reviewed and approved by management prior to implementation?

COBIT references: PO7

4.1.2 Who has access to the terminations process? Are these users appropriate HR personnel?

COBIT references: PO7, DS5

Payroll Cycle Audit Program

Column headings of the original program: Control Objective/Test | Documentation/Matters Arising | COBIT References

Preliminary Audit Steps

Gain an understanding of the PeopleSoft environment.

a. The same background information obtained for the PeopleSoft Application Security audit plan is required for, and relevant to, the business cycles. In particular, the following steps are important:
- Determine what version and release of the PeopleSoft software has been implemented (by pressing Ctrl-J on any PeopleSoft page).
- Determine the total number of named users (for comparison with logical access security testing results).
- Determine the number of PeopleSoft instances.
- Identify the modules that are being used.
- Determine whether the organization has created any locally developed reports or tables.
- Obtain details of the risk assessment approach taken in the organization to identify and prioritize risks.
- Obtain copies of the organization's key security policies and standards.
- Review outstanding audit findings, if any, from previous years.

COBIT references: PO2, PO3, PO4, PO6, PO9, AI1, AI2, AI6, ME2

b. Obtain details:
- Of the organizational model as it relates to payroll activity, i.e., the payroll organization unit structure in the PeopleSoft software and the payroll organization chart (required when evaluating the results of access security control testing).
- By interviewing the systems implementation team, if possible, and obtaining process design documentation for payroll.

COBIT references: AI1, AI3

Identify the significant risks and determine the key controls.

c. Develop a high-level process flow diagram and overall understanding of the payroll processing cycle, including the following subprocesses:
- Master Data Maintenance
- Recording Attendance and Leave Processing
- Calculating and Disbursing Payroll
- Reporting and Reconciliation

COBIT references: PO9, AI1, DS13

d. Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the following sample testing program and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
- The controls culture of the organization
- The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (any weaknesses in the control structure should be reported to executive management and resolved)

COBIT references: PO9, DS5, DS9, ME2

1. Master Data Maintenance

1.1 Access to payroll setup tables and master file transactions is restricted appropriately.

1.1.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the Workforce Administration, Compensation, Set Up HRMS and Global Payroll Rules menus and reviewing their level of access by writing the following query in PeopleSoft Query Manager:

SELECT A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.ROLENAME, C.CLASSID, D.MENUNAME, D.BARNAME, D.BARITEMNAME, D.PNLITEMNAME, D.DISPLAYONLY, D.AUTHORIZEDACTIONS
FROM PSOPRDEFN A, PSROLEUSER B, PSROLECLASS C, PSAUTHITEM D
WHERE A.OPRID = B.ROLEUSER
AND B.ROLENAME = C.ROLENAME
AND C.CLASSID = D.CLASSID
AND D.MENUNAME = 'SETUP_HRMS'
ORDER BY A.OPRID, B.ROLENAME, C.CLASSID, D.MENUNAME

The ORDER BY ensures that user IDs (OPRID), roles (ROLENAME), permission lists (CLASSID) and components (MENUNAME) are listed in alphabetical order.

Generate a list of users with access to the setup pages within PeopleSoft menus (and the roles that provide such access), and review their level of access by writing the following query in PeopleSoft Query Manager:

SELECT A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.ROLENAME, C.CLASSID, D.MENUNAME, D.BARNAME, D.BARITEMNAME, D.PNLITEMNAME, D.DISPLAYONLY, D.AUTHORIZEDACTIONS
FROM PSOPRDEFN A, PSROLEUSER B, PSROLECLASS C, PSAUTHITEM D
WHERE A.OPRID = B.ROLEUSER
AND B.ROLENAME = C.ROLENAME
AND C.CLASSID = D.CLASSID
AND D.BARNAME LIKE '%SETUP%'

The column D.AUTHORIZEDACTIONS contains a numerical value that represents the action types the user is authorized to perform. Action types are detailed at the end of chapter 10. Note: The D.DISPLAYONLY column will have a value of 0 or 1. A value of 1 means all fields in the page are display-only to the user, and a value of 0 means this setting is turned off and the action type codes indicate the level of access granted. A.ACCTLOCK = 1 identifies a locked account; locked users still appear in the listing and should be reported separately from active ones.

COBIT references: AI2, AI6, DS5, DS6, DS11, DS13
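The following Python script is an added example and is not part of the ISACA guide. It runs the user > role > permission list > PSAUTHITEM chain from 1.1.1 above (the HR program's 1.1 asks the same question through PSOPRCLS) against a constructed in-memory SQLite copy of PSOPRDEFN, PSROLEUSER, PSROLECLASS and PSAUTHITEM, and decodes AUTHORIZEDACTIONS into action names using the bit values implied by the value table in HR 1.1 (1 Add, 2 Update/Display, 4 Update/Display All, 8 Correction, 128 Data Entry). It then keeps only the rows an auditor would act on: Correction bit set and DISPLAYONLY not forcing the page read-only. Only the menu name SETUP_HRMS comes from the guide; the user IDs, role names, permission list names and page names in the sample rows are hypothetical.

```python
"""Resolve PeopleSoft page access (user -> role -> permission list -> PSAUTHITEM)
and decode AUTHORIZEDACTIONS into action names.

Added example, not from the ISACA guide. Table and column names follow the
PeopleTools security tables used by the audit program's queries; the sample
rows (users, roles, permission lists, pages) are constructed.
"""
import sqlite3

# Bit values of AUTHORIZEDACTIONS as implied by the value table in HR 1.1
# (8 = Correction, 9 = Add + Correction, 136 = Correction + Data Entry, ...).
ACTION_BITS = {
    1: "Add",
    2: "Update/Display",
    4: "Update/Display All",
    8: "Correction",
    128: "Data Entry",
}
CORRECTION = 8


def decode_actions(value):
    """Return the action names encoded in an AUTHORIZEDACTIONS value."""
    return [name for bit, name in ACTION_BITS.items() if value & bit]


def build_sample_db():
    """Constructed extracts of the four security tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE PSOPRDEFN (OPRID TEXT, OPRDEFNDESC TEXT, ACCTLOCK INTEGER);
    CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT);
    CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
    CREATE TABLE PSAUTHITEM (CLASSID TEXT, MENUNAME TEXT, BARNAME TEXT,
        BARITEMNAME TEXT, PNLITEMNAME TEXT, DISPLAYONLY INTEGER,
        AUTHORIZEDACTIONS INTEGER);
    """)
    con.executemany("INSERT INTO PSOPRDEFN VALUES (?,?,?)", [
        ("HRADMIN1", "HR Administrator", 0),
        ("PAYCLERK", "Payroll Clerk", 0),
        ("OLDUSER", "Left the company", 1),     # locked, but still holds the role
    ])
    con.executemany("INSERT INTO PSROLEUSER VALUES (?,?)", [
        ("HRADMIN1", "HR Admin"),
        ("PAYCLERK", "Payroll Entry"),
        ("OLDUSER", "HR Admin"),
    ])
    con.executemany("INSERT INTO PSROLECLASS VALUES (?,?)", [
        ("HR Admin", "HCSPHRADMIN"),           # hypothetical permission list names
        ("Payroll Entry", "HCSPPAYENTRY"),
    ])
    con.executemany("INSERT INTO PSAUTHITEM VALUES (?,?,?,?,?,?,?)", [
        # 15 = Add + Update/Display + Update/Display All + Correction
        ("HCSPHRADMIN", "SETUP_HRMS", "SETUP", "PAY_GROUP_TABLE", "PAYGROUP_TABLE", 0, 15),
        # 138 = Update/Display + Correction + Data Entry
        ("HCSPHRADMIN", "SETUP_HRMS", "SETUP", "COMP_RATE_CODE_TBL", "COMP_RATECD_TBL", 0, 138),
        # 11 = Add + Update/Display + Correction, but not a setup page (filtered out below)
        ("HCSPHRADMIN", "ADMINISTER_WORKFORCE", "USE", "JOB_DATA", "JOB_DATA1", 0, 11),
        # same value 15, but DISPLAYONLY = 1 makes the page read-only
        ("HCSPPAYENTRY", "SETUP_HRMS", "SETUP", "PAY_GROUP_TABLE", "PAYGROUP_TABLE", 1, 15),
        # 3 = Add + Update/Display: no Correction
        ("HCSPPAYENTRY", "SETUP_HRMS", "SETUP", "PAY_CALENDAR_TABLE", "PAY_CALENDAR_TBL", 0, 3),
    ])
    return con


# The same join chain as the audit program's 1.1.1 queries, combining the
# menu-name and setup-bar filters of the two queries.
ACCESS_SQL = """
SELECT A.OPRID, A.ACCTLOCK, B.ROLENAME, C.CLASSID,
       D.MENUNAME, D.BARNAME, D.BARITEMNAME, D.PNLITEMNAME,
       D.DISPLAYONLY, D.AUTHORIZEDACTIONS
FROM PSOPRDEFN A
JOIN PSROLEUSER B ON A.OPRID = B.ROLEUSER
JOIN PSROLECLASS C ON B.ROLENAME = C.ROLENAME
JOIN PSAUTHITEM D ON C.CLASSID = D.CLASSID
WHERE D.MENUNAME = ? OR D.BARNAME LIKE '%SETUP%'
ORDER BY A.OPRID, B.ROLENAME, C.CLASSID, D.MENUNAME
"""


def correction_access(con, menuname="SETUP_HRMS"):
    """Users who can reach a setup page in Correction mode: Correction bit set
    and DISPLAYONLY = 0. Locked accounts are kept and flagged, not dropped."""
    findings = []
    for row in con.execute(ACCESS_SQL, (menuname,)):
        oprid, locked, role, classid, menu, bar, baritem, page, disp, actions = row
        if disp == 1 or not (actions & CORRECTION):
            continue
        findings.append({
            "oprid": oprid, "locked": bool(locked), "role": role,
            "classid": classid, "page": f"{menu}.{bar}.{baritem}.{page}",
            "actions": decode_actions(actions),
        })
    return findings


if __name__ == "__main__":
    for finding in correction_access(build_sample_db()):
        print(finding)
```

On the sample data the script reports four rows: two setup pages for HRADMIN1 and the same two for OLDUSER, the latter flagged as locked, while the payroll clerk's display-only page and Add/Update-only page are dropped. The locked account still holds a Correction-mode grant; whether that is acceptable is a question for the review (ICQ 4.4), which is why the script reports rather than suppresses it.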

Generate a list of users and the row-level security defined by writing the following query in PeopleSoft Query Manager:

SELECT A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.SETID, B.DEPTID, C.DESCR, B.ACCESS_CD,
       TO_CHAR(B.TREE_EFFDT, 'YYYY-MM-DD'), B.TREE_NODE_NUM, B.TREE_NODE_NUM_END,
       C.SETID, C.DEPTID, TO_CHAR(C.EFFDT, 'YYYY-MM-DD')
FROM PSOPRDEFN A, PS_SCRTY_TBL_DEPT B, PS_DEPT_TBL C
WHERE A.ROWSECCLASS = B.ROWSECCLASS
AND B.SETID = C.SETID
AND B.DEPTID = C.DEPTID
AND C.EFFDT = (SELECT MAX(C_ED.EFFDT) FROM PS_DEPT_TBL C_ED
               WHERE C.SETID = C_ED.SETID AND C.DEPTID = C_ED.DEPTID AND C_ED.EFFDT

[Transcript gap: the text resumes in the Security Administration Cycle Audit Program, section 4, Security Administration Tools, with the fragment "135".]

Determine whether these users should have Correction Mode access as part of their roles and responsibilities.

Match all user IDs to relevant HRrecords to determine staff position andcurrency of service. This will alsoassist in identifying redundant users.

4.8 Security documentation is defined in query-level security design, and policies and procedures are aligned with management's intentions.

4.8.1 Review security documentation to understand the intended query security design:

- Generate a list of users with access to the Query Manager menu utilizing the query detailed in chapter 10, 1.1.1, Development and Integration Tools: Testing Techniques.

- Generate a list of query profiles using the following query:

SELECT A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.ROLENAME, C.CLASSID, E.CLASSID, E.VERSION, E.QRY_RUN_ONLY, E.QRY_CREATE_PUBLIC, E.QRY_CREATE_WFLOW, E.QRY_MAX_FETCH, E.QRY_MAX_RUN, E.QRY_ADV_DISTINCT, E.QRY_ADV_ANY_JOIN, E.QRY_ADV_SUBQUERY, E.QRY_ADV_UNION, E.QRY_ADV_EXPR, E.QRY_MAX_JOINS, E.QRY_MAX_IN_TREE, E.QRY_OUT_LISTBOX, E.QRY_OUT_NVISION, E.QRY_OUT_CRYSTAL, E.QRY_ADM_AUTOPUBLIC, E.QRY_ADM_AUTOPRIV, E.QRY_ADM_LIMUNAPPRV, E.QRY_ADM_UNAPP_ROWS
FROM PSOPRDEFN A, PSROLEUSER B, PSROLECLASS C, PS_SCRTY_QUERY E
WHERE A.OPRID = B.ROLEUSER
AND B.ROLENAME = C.ROLENAME
AND C.CLASSID = E.CLASSID

- Generate a list of user access to query trees and the access groups assigned to them by writing the following query in Query Manager:

SELECT A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.ROLENAME, C.CLASSID, D.CLASSID, D.TREE_NAME, D.ACCESS_GROUP, D.ACCESSIBLE
FROM PSOPRDEFN A, PSROLEUSER B, PSROLECLASS C, PS_SCRTY_ACC_GRP D
WHERE A.OPRID = B.ROLEUSER
AND B.ROLENAME = C.ROLENAME
AND C.CLASSID = D.CLASSID

This determines the tables that a user may access when maintaining their queries.

COBIT references: AI4, DS5, DS11

4.9 Policies and standards are documented to define the critical records and record fields that are to be logged for changes.

4.9.1 Review security procedures created by management that identify what critical records and fields are being logged and how often these logs are reviewed by management. For the critical records and record fields identified, check that the following audit settings have been configured appropriately in Application Designer:

- Record-level auditing: choose the Objects workspace and open the record. Check Use Properties, and review the audit options selected:
  - Audit Record Add: inserts an audit table row whenever a new row is added to the table
  - Audit Record Change: inserts one or two audit table rows whenever a row is changed on the table
  - Audit Record Selective: inserts one or two audit table rows whenever a field that is also included on the record definition for the audit table is changed
  - Audit Record Delete: inserts an audit table row whenever a row is deleted from the table

- Record field-level auditing: for the record fields chosen, check the Use properties of the different field type (character, number, date/time) options, and review the audit options selected:
  - Field Add: audits this field whenever a new row of data is added
  - Field Change: audits this field whenever the contents are changed
  - Field Delete: audits this field whenever a row of data is deleted

For the critical records and record fields identified by management, check (via Home > PeopleTools > Application Designer) that the audit settings have been configured appropriately.

COBIT references: DS5, ME1

Default User IDs

PeopleSoft comes delivered with default user IDs, providing superuser-type access to specific applications within the system. Figure 10.4 lists some of the more powerful user IDs that should be removed from production:

Figure 10.4 HRMS Default User IDs

BELHR, CANGR, CFR, CFRPS, CNHR, ESP, ESPPS, EUS, FRA, FRAPS, FRHR, GER, HR, HRPS, JCADMIN1, NLDHR, POR, PS, PSDUT, PSGER, PSIN, PSJPN, TIME, UKHR, UKNI, USA, WEBGUEST, WEBMODEL

PeopleSoft is delivered with a number of default permission lists providing superuser-type access to various applications in the system. The permission lists that should be removed from production are shown in figure 10.5.

Figure 10.5 HRMS Default Permission Lists

HHR_TRN, HHR_VC01, HHR_VC02, HHR_VC03, HHR_VC04, HHR_VC05, HPA, HPI, HPI_KCI001, HPY, HPYCFR, HST, HTL, KRONOS, MOBILE, PS, PSAPPS, PSBASS, PSDEV, PSEM, PSQRY
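The following Python script is an added example and is not part of the ISACA guide. It takes the delivered user IDs and permission lists from figures 10.4 and 10.5 and checks them against CSV extracts of PSOPRDEFN (OPRID, ACCTLOCK) and PSROLECLASS (ROLENAME, CLASSID) of the kind Query Manager can download, reporting which delivered IDs still exist (and whether they are merely locked rather than removed) and which delivered permission lists are still granted through a role. The CSV extracts below are constructed; every user, role and non-delivered permission list name in them is hypothetical.

```python
"""Flag delivered PeopleSoft HRMS user IDs and permission lists still present
in an environment.

Added example, not from the ISACA guide. The delivered names are the ones
listed in figures 10.4 and 10.5; the CSV extracts stand in for a Query Manager
download of PSOPRDEFN and PSROLECLASS and are constructed.
"""
import csv
import io

# Figure 10.4, HRMS default user IDs
DEFAULT_USER_IDS = {
    "BELHR", "CANGR", "CFR", "CFRPS", "CNHR", "ESP", "ESPPS", "EUS", "FRA", "FRAPS",
    "FRHR", "GER", "HR", "HRPS", "JCADMIN1", "NLDHR", "POR", "PS", "PSDUT", "PSGER",
    "PSIN", "PSJPN", "TIME", "UKHR", "UKNI", "USA", "WEBGUEST", "WEBMODEL",
}

# Figure 10.5, HRMS default permission lists
DEFAULT_PERMISSION_LISTS = {
    "HHR_TRN", "HHR_VC01", "HHR_VC02", "HHR_VC03", "HHR_VC04", "HHR_VC05",
    "HPA", "HPI", "HPI_KCI001", "HPY", "HPYCFR", "HST", "HTL", "KRONOS", "MOBILE",
    "PS", "PSAPPS", "PSBASS", "PSDEV", "PSEM", "PSQRY",
}

# Constructed PSOPRDEFN extract; ACCTLOCK = 1 means the account is locked.
PSOPRDEFN_CSV = """OPRID,OPRDEFNDESC,ACCTLOCK
PS,PeopleSoft Superuser,0
WEBGUEST,Guest,0
PSGER,German demo user,1
HRADMIN1,HR Administrator,0
AUDIT01,Internal Audit read-only,0
"""

# Constructed PSROLECLASS extract: which roles still grant which permission lists.
PSROLECLASS_CSV = """ROLENAME,CLASSID
PeopleSoft User,PSQRY
Developer,PSDEV
Developer,HCSPDEV
HR Administrator,HCSPHRADMIN
"""


def default_ids_present(psoprdefn_csv):
    """Delivered IDs still defined, as (OPRID, locked); unlocked ones listed first
    because a locked ID is a finding of lower severity than an active one."""
    hits = []
    for row in csv.DictReader(io.StringIO(psoprdefn_csv)):
        oprid = row["OPRID"].strip()
        if oprid.upper() in DEFAULT_USER_IDS:
            hits.append((oprid, row["ACCTLOCK"].strip() == "1"))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def default_permission_lists_in_use(psroleclass_csv):
    """Delivered permission lists mapped to the roles that still grant them."""
    in_use = {}
    for row in csv.DictReader(io.StringIO(psroleclass_csv)):
        classid = row["CLASSID"].strip()
        if classid.upper() in DEFAULT_PERMISSION_LISTS:
            in_use.setdefault(classid, []).append(row["ROLENAME"].strip())
    return in_use


if __name__ == "__main__":
    for oprid, locked in default_ids_present(PSOPRDEFN_CSV):
        print(f"{oprid:10} {'locked' if locked else 'ACTIVE'}")
    for classid, roles in default_permission_lists_in_use(PSROLECLASS_CSV).items():
        print(f"{classid:12} granted by: {', '.join(roles)}")
```

The text asks for removal from production, so a locked delivered ID (PSGER in the sample) is still reported; locking satisfies ICQ 4.4's password question but not the removal recommendation, and a permission list reached through a role stays exploitable by everyone holding that role regardless of which user IDs were deleted.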

Security Administration Cycle Audit ICQ

Column headings of the original questionnaire: Control Objective/Test | Response (Yes / No / N/A) | Comment | COBIT References

1. Security Administration

1.1 Access to development and integration tools is restricted to authorized users and segregated from incompatible duties.

1.1.1 Does the organization have separate database instances for production (PROD) and development (DEV)? Are development and maintenance of PeopleSoft objects and functions performed in the development instance? Does the organization utilize the following tools:
- Application Designer
- Application Engine
- Workflow Administrator
- Business Process Designer
Is access to the development and integration tools in the production environment restricted to authorized users and segregated from incompatible duties?

COBIT references: AI2, DS5, DS13

1.2 Security documentation is available for object security and aligned with management's intentions.

1.2.1 Has security documentation been compiled to define the PeopleTools object-level security design and procedures for creation and modification of object definitions, in line with management's intentions? Has object security been implemented to restrict access to object definitions via Application Designer, Application Engine, Workflow Administrator and Business Process Designer, and has every object been assigned to an object group?

COBIT references: PO7, DS5

2. Data Management Tools

2.1 Access to sensitive pages in production is appropriately restricted to authorized users and segregated from incompatible duties.

2.1.1 Who has access to the database and PeopleTools? Are these users appropriate? What is the process for modifying object definitions? Are the following data management tools used by the organization, and is access to these appropriate:
- Data Mover
- Import Manager
- Mass Change
- Cube Manager
- Application Designer
Does management generate and review the reports DDDAudit.SQR and SYSAudit.SQR?

COBIT references: DS5, DS13

3. Operation Tools

3.1 Access to the process schedule manager functions is restricted to authorized users.

3.1.1 Who has access to the Process Schedule Manager? Do they require this access?
Have process security groups and process profiles been established and assigned to permission lists that are aligned with the security design and management's intentions?
Are there documented procedures for the maintenance of roles/permission lists and, in particular, the design and assignment of process scheduler access, process groups and process profiles?
COBIT references: PO4, DS5

4. Security Administration Tools

4.1 Security administration profiles are segregated and assigned to system management staff appropriately.

4.1.1 Who has access to the security administration functions, and are these persons appropriate?
Are security administration profiles segregated and assigned to system management staff appropriately?
COBIT references: DS5

4.2 PeopleSoft access security design is documented and signed off by management during the implementation.

4.2.1 Was documentation developed that describes the design and assignment of permission lists and roles, and was a procedure developed for the maintenance of this documentation?
Did management sign off on this documentation during the implementation?
Has a copy of the documentation been kept offsite for use in the event of a disaster?
COBIT references: AI2, DS4, DS5, DS11

4.3 SYSADM password capabilities and permissions are reviewed and adequately controlled.

4.3.1 Has the SYSADM default password been changed?
Is access to the ALLPNLS and PSADMIN permission lists restricted to only those who require it?
Is a formal approval required for assigning the above permission lists to end users?
COBIT references: DS5, DS13

4.4 Default PeopleSoft passwords for the superuser IDs are changed and access restricted.

4.4.1 Has the default PeopleSoft password for superuser IDs been changed and restricted to appropriate individuals for specific situations only?
Is the SYSADM password stored in a safe for emergency access only?
COBIT references: DS5, DS11
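The script below is an added example, not part of the ISACA audit program, of how the access questions in 4.3 and 4.4 above (and the "who has access to the powerful profiles" question of 4.5 below) together with the figure 10.5 check can be answered from the database itself rather than by interview. It assumes the standard PeopleTools security tables PSOPRDEFN, PSROLEUSER, PSROLECLASS and PSCLASSDEFN and their key columns, which this document does not name; the rows are constructed for illustration and loaded into an in-memory SQLite database so the script runs offline, and only the permission-list names that are legible in figure 10.5 are used.

```python
import sqlite3

# Permission lists the ICQ treats as powerful (4.3, 4.5) and the default HRMS
# lists figure 10.5 says should not remain in production (only the names that
# are legible in the figure are listed here).
POWERFUL_LISTS = ("ALLPNLS", "PSADMIN")
DEFAULT_HRMS_LISTS = ("HHR_TRN", "HHR_VC01", "HHR_VC02", "HHR_VC03",
                      "HHR_VC04", "HHR_VC05", "HPI_KCI001")

# Assumed PeopleTools security tables (names and columns are assumptions, not
# taken from the ICQ): user profile, user->role, role->permission list, and
# permission-list definition.
SCHEMA = """
CREATE TABLE PSOPRDEFN   (OPRID TEXT PRIMARY KEY, OPRDEFNDESC TEXT, ACCTLOCK INTEGER);
CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
CREATE TABLE PSCLASSDEFN (CLASSID TEXT PRIMARY KEY, CLASSDEFNDESC TEXT);
"""

# Constructed sample rows: a superuser, a security administrator, a payroll
# clerk who inherits ALLPNLS through a support role, and a locked ex-developer.
SAMPLE_ROWS = {
    "PSOPRDEFN": [
        ("PS", "PeopleSoft superuser", 0),
        ("SECADM1", "Security administrator", 0),
        ("PAYCLERK", "Payroll clerk", 0),
        ("OLDDEV", "Former developer", 1),
    ],
    "PSROLEUSER": [
        ("PS", "PeopleSoft Administrator"),
        ("SECADM1", "Security Administrator"),
        ("PAYCLERK", "Payroll Processor"),
        ("PAYCLERK", "Payroll Support"),
        ("OLDDEV", "PeopleSoft Administrator"),
    ],
    "PSROLECLASS": [
        ("PeopleSoft Administrator", "PSADMIN"),
        ("PeopleSoft Administrator", "ALLPNLS"),
        ("Security Administrator", "SEC_ADMIN_PL"),   # constructed list name
        ("Payroll Processor", "PAYROLL_PL"),          # constructed list name
        ("Payroll Support", "ALLPNLS"),               # the hidden grant path
    ],
    "PSCLASSDEFN": [
        ("PSADMIN", "PeopleTools administration"),
        ("ALLPNLS", "All pages"),
        ("SEC_ADMIN_PL", "Security administration pages"),
        ("PAYROLL_PL", "Payroll pages"),
        ("HHR_VC02", "Delivered HRMS list, never removed"),
        ("HPI_KCI001", "Delivered HRMS list, never removed"),
    ],
}


def load_sample_db():
    """Create an in-memory copy of the four security tables with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def holders_of(conn, class_ids):
    """Map each user holding any of class_ids (through any role) to the
    (role, permission list) pairs that grant it, plus the account lock flag."""
    marks = ",".join("?" * len(class_ids))
    sql = f"""
        SELECT o.OPRID, o.ACCTLOCK, r.ROLENAME, c.CLASSID
          FROM PSOPRDEFN   o
          JOIN PSROLEUSER  r ON r.ROLEUSER = o.OPRID
          JOIN PSROLECLASS c ON c.ROLENAME = r.ROLENAME
         WHERE c.CLASSID IN ({marks})
         ORDER BY o.OPRID, c.CLASSID, r.ROLENAME"""
    holders = {}
    for oprid, locked, role, classid in conn.execute(sql, class_ids):
        entry = holders.setdefault(oprid, {"locked": bool(locked), "grants": []})
        entry["grants"].append((role, classid))
    return holders


def leftover_default_lists(conn, default_ids):
    """Delivered permission lists from figure 10.5 that still exist in this instance."""
    marks = ",".join("?" * len(default_ids))
    sql = f"SELECT CLASSID FROM PSCLASSDEFN WHERE CLASSID IN ({marks})"
    return sorted(row[0] for row in conn.execute(sql, default_ids))


def review(conn):
    """Collect the evidence an auditor would attach to ICQ items 4.3 to 4.5."""
    holders = holders_of(conn, POWERFUL_LISTS)
    return {
        "active_powerful_holders": sorted(u for u, h in holders.items() if not h["locked"]),
        "locked_powerful_holders": sorted(u for u, h in holders.items() if h["locked"]),
        "grant_paths": {u: h["grants"] for u, h in holders.items()},
        "default_lists_still_defined": leftover_default_lists(conn, DEFAULT_HRMS_LISTS),
    }


if __name__ == "__main__":
    result = review(load_sample_db())
    for user in result["active_powerful_holders"]:
        for role, classid in result["grant_paths"][user]:
            print(f"{user:10} holds {classid:8} via role '{role}'")
    print("locked accounts still linked to powerful lists:", result["locked_powerful_holders"])
    print("default HRMS permission lists still defined:", result["default_lists_still_defined"])
```

Against a live instance the two SELECT statements would be run read-only through the site's database client and the output retained as audit evidence. Locked accounts that still carry PSADMIN or ALLPNLS are reported separately: the lock, not a revocation, is all that currently stops them, and the grant path (here the "Payroll Support" role) is what the security administrator needs in order to remove the access rather than just note it.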

4.5 Access to powerful profiles is restricted.

4.5.1 Who has access to the powerful profiles? Are these users appropriate?
Is the assignment of powerful permission lists restricted in line with approved security design documentation and management's intentions?
COBIT references: DS5, DS9, DS11

4.6 Password parameter controls are established and adhered to by the organization.

4.6.1 Have password controls been established to support the confidentiality of user passwords and restrict unauthorized access?
Are there standards/guidelines in place that are communicated to end users to ensure that users have security awareness?
Has password control management been implemented in PeopleSoft through the password parameter settings?
COBIT references: AI3, AI4, DS5

4.7 Security policies and procedures are in place and include specific guidance on the use of correction mode.

4.7.1 Do the security policies and procedures include specific guidance on the use of correction mode?
Is approval required for users who require correction mode?
COBIT references: PO10, AI4, DS5

4.8 Security documentation is defined in query-level security design, policies and procedures in line with management's intentions.

4.8.1 Has the security documentation defined query-level security design, policies and procedures in line with management's intentions?
Has this documentation been formally approved?
How is query security set up?
COBIT references: AI4, DS5, DS11

4.9 Policies and standards are documented to define the critical records and record fields that are to be logged for changes.

4.9.1 Have policies and standards been documented, and do they include defining the critical records and record fields that should be logged for changes?
Have the PeopleSoft auditing system capabilities been extended to include tracking changes to security tables?
Are these logs reviewed on a regular basis as part of the security procedures for the organization?
COBIT references: AI4, DS12, ME1
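As an added example, not part of the ISACA audit program, the script below shows one way the regular log review asked about in 4.9.1 can be carried out for a security table. It assumes PeopleTools record-level auditing has been switched on for PSROLEUSER (the user-to-role assignment table) and that the exported audit rows carry AUDIT_OPRID, AUDIT_STAMP and AUDIT_ACTN columns with A and D codes for row adds and deletes, following the PeopleTools audit-record convention; the table name, column names, action codes, the approved-administrator set, the list of powerful roles and the audit rows themselves are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed export of audit rows for PSROLEUSER (assumed column layout of a
# PeopleTools record-audit table: who, when, action code, then the audited keys).
AUDIT_EXPORT = """AUDIT_OPRID,AUDIT_STAMP,AUDIT_ACTN,ROLEUSER,ROLENAME
SECADM1,2006-03-01 09:12:00,A,NEWHIRE1,Employee Self Service
SECADM1,2006-03-01 09:15:00,A,PAYCLERK,Payroll Processor
PAYCLERK,2006-03-03 22:41:00,A,PAYCLERK,PeopleSoft Administrator
HELPDESK2,2006-03-04 11:02:00,A,CONTRACT7,Security Administrator
SECADM1,2006-03-05 08:30:00,D,PAYCLERK,PeopleSoft Administrator
"""

# Who is allowed to change role assignments (assumed, from the security design
# documentation of 4.2) and which roles carry ALLPNLS or PSADMIN (assumed; in
# practice derived from PSROLECLASS as in the earlier check).
APPROVED_SECURITY_ADMINS = {"SECADM1", "SECADM2"}
POWERFUL_ROLES = {"PeopleSoft Administrator", "Security Administrator"}


def parse_audit_rows(text):
    """Read the exported audit rows and turn the timestamp into a datetime."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["AUDIT_STAMP"] = datetime.strptime(rec["AUDIT_STAMP"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def review_role_changes(rows):
    """Return (rule, row) findings for the reviewer. Rules:
    UNAPPROVED_ACTOR  change made by someone outside the security admin group
    SELF_GRANT        actor added a role to their own user ID
    POWERFUL_GRANT    a role carrying ALLPNLS/PSADMIN was added
    A single row can trigger several rules."""
    findings = []
    for r in rows:
        if r["AUDIT_OPRID"] not in APPROVED_SECURITY_ADMINS:
            findings.append(("UNAPPROVED_ACTOR", r))
        if r["AUDIT_ACTN"] == "A" and r["AUDIT_OPRID"] == r["ROLEUSER"]:
            findings.append(("SELF_GRANT", r))
        if r["AUDIT_ACTN"] == "A" and r["ROLENAME"] in POWERFUL_ROLES:
            findings.append(("POWERFUL_GRANT", r))
    return findings


def summarize(findings):
    """Count findings per rule for the review sign-off sheet."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def replay_grants(rows):
    """Replay adds and deletes in time order to obtain the role assignments the
    audit trail says should exist now. Comparing this set with the live
    PSROLEUSER table shows assignments created while auditing was off."""
    current = set()
    for r in sorted(rows, key=lambda x: x["AUDIT_STAMP"]):
        pair = (r["ROLEUSER"], r["ROLENAME"])
        if r["AUDIT_ACTN"] == "A":
            current.add(pair)
        elif r["AUDIT_ACTN"] == "D":
            current.discard(pair)
    return current


if __name__ == "__main__":
    audit_rows = parse_audit_rows(AUDIT_EXPORT)
    for rule, r in review_role_changes(audit_rows):
        print(f"{rule:17} {r['AUDIT_STAMP']:%Y-%m-%d %H:%M} {r['AUDIT_OPRID']:9} "
              f"{r['AUDIT_ACTN']} {r['ROLEUSER']:9} {r['ROLENAME']}")
    print("per-rule totals:", summarize(review_role_changes(audit_rows)))
    print("assignments implied by the trail:", sorted(replay_grants(audit_rows)))
```

The self-grant in the sample (a payroll clerk adding the PeopleSoft Administrator role to their own ID late in the evening, later removed by the security administrator) is the kind of event the question in 4.9.1 is meant to surface: the later deletion leaves the current PSROLEUSER table looking correct, and only the retained audit rows show that the access existed for two days. The replay is the reconciliation step: any live assignment absent from the replayed set was made without an audit row and needs explaining.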