
6/19/13

ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)


ARCHIVED - SAP HR System
This Web page has been archived on the Web.



Internal Audit Report
July 7, 2005

Summary
1. Context
2. Objective, Scope and Methodology
2.1 Objectives
2.2 Scope
2.3 Methodology
3. Observations and Recommendations
3.1 Observations Arising from the review of SAP HR Processes
3.2 Observations Arising from the Benchmarking of the SAP Support Group Structure
3.3 Observations Arising from the Assessment of SAP HR Functionality
Conclusion
Appendix A - Summary of Audit Recommendations
Appendix B - Control Objectives/Audit Criteria for the SAP HR Process Review
Appendix C - SAP HR Control Framework

Summary
At the request of the Director General of the Human Resources Division (HRD), the Performance Review Branch performed a preliminary survey in order to identify issues relating to Human Resource Management. As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit and assessment of the SAP HR module in operation at CIDA.

The overall objective of the audit is to assess the functionality of the SAP HR system, by:
- Documenting the system controls and assessing the adequacy and use of the system;
- Assessing the accuracy and integrity of the information emanating from the application;
- Assessing the effectiveness and efficiency of the system and identifying areas for improvement;
- Reviewing and evaluating the appropriateness of access authorities to ensure the privacy/protection of personal data;
- Benchmarking the level of resources required to maintain and to enhance the system against similar organizations; and,
- Assessing the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

As a result, we can conclude that the functionality required to support the business needs of HRD and the Agency overall has been implemented. However, some areas for improvement in the effectiveness, efficiency and data integrity within the business processes and reporting have been identified. Opportunities for improvement of the control framework are also required, with a specific focus on increased monitoring of changes to master data elements and on the performance of periodic data quality reviews. An adequate framework for the design of user access privileges has been developed; however, issues currently exist with the technical implementation through the SAP application security functionality. Based on the results accumulated through a benchmarking survey, the size of the SAP HR support group is larger than those of the organizations polled.

The main observations and recommendations arising from the audit are:
- HRD should modify the business processes surrounding acting situations to incorporate the entry of all EX acting situations into the SAP HR application and ensure that all terminated acting assignments are reflected in the system on a timely basis;
- HRD, in collaboration with IMTB and the Branches, should develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA;
- The Compensation and Benefits Directorate should perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application once a year;
- IMTB, in conjunction with HRD and the SAP Support Group, should correct the configuration of the security role for the Branch Administrators and eliminate the ability to submit and approve their own overtime and leave requests;
- HRD and the SAP Support Group should develop monitoring procedures for the review of leave balances by Responsible Managers on a regular basis;
- IMTB, in cooperation with the SAP HR Support group, should review the configuration of access privileges assigned to the Branch Administrative Officers to prevent them from creating and activating new positions, thereby allowing the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles & responsibilities;
- IMTB should remove the access of non-HR SAP Support Group members and IMTB users that are not involved in supporting HR;
- IMTB should perform Privacy Impact Assessments in accordance with Treasury Board requirements;
- IMTB should remove the ability to view personal information through direct query of HR tables and the ability to execute reports through SA38, and the configuration of security over reporting of HR information should be adjusted to protect personal information;
- IMTB should limit the use of generic accounts;
- IMTB, in conjunction with HRD and the SAP Support Group, should develop a set of security monitoring procedures in order to identify potential access irregularities for correction;
- CRC should decide on the staffing levels for the SAP HR Support group;
- HR business process focused training (as opposed to SAP data entry training) should be developed by HRD to enhance the business process and policy requirements knowledge of users; and,
- The SAP HR Support Group should examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs.

www.acdi-cida.gc.ca/acdi-cida/acdi-cida.nsf/eng/NAT-1013101052-JMU


1. Context
At the request of the Director General of the Human Resources Division (HRD), the Performance Review Branch performed a preliminary survey in order to identify issues relating to Human Resource Management. As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit and assessment of the SAP HR module in operation at CIDA.

Overview of SAP Human Resources Modules
The Human Resources module of SAP in operation at CIDA is divided into three major applications: Personnel Administration (PA), Organization Management (PD) and Time Management. The PA sub-application includes employee information and employee classifications. The PD sub-application covers organization management, which includes the organizational structure, the position classifications and other organizational structure information. The Time Management functionality is used to capture requests for leave and overtime compensation and to provide an electronic approval of the requests from employees' supervisors.

As of March 2004, CIDA's salary forecasting system was not within the SAP system. The new Salary Forecasting System (SFS) within SAP was implemented as of April 1st, 2004. This functionality will use the salary information captured for Agency employees within the SAP application and essentially provide a budget figure for salaries remaining to be paid within a given fiscal/budget year.

Infotypes
Functionality within the SAP application and the information stored within an employee's on-line personnel file is centred on the concept of an "infotype". By definition, an infotype is a screen within the SAP application that captures specific pieces/elements of information. For example, infotype 0002 contains personal information (name, date of birth, SIN) for all employees, and infotype 0008 contains basic/annual salary information. As this concept is central to the operation of the system, the information within sensitive/personal infotypes must also be adequately protected from unauthorized change or viewing.

2. Objective, Scope and Methodology
2.1 Objectives
The overall objective of the audit is to assess the functionality of the SAP HR system, including the following:

Review of SAP HR Processes (Section 3.1)
- To document the system controls and to assess the adequacy and use of the system.
- To assess the accuracy and integrity of the information emanating from the application.
- To assess the effectiveness and efficiency of the system and to identify areas for improvement.
- To review and evaluate the appropriateness of access authorities to ensure the privacy/protection of personal data.

Benchmarking of the SAP Support Group Structure (Section 3.2)
- To benchmark the level of resources required to maintain and to enhance the system against public sector organizations with SAP HR (two in the Federal Government and two others).

Assessment of SAP HR Functionality (Section 3.3)
- To assess the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

2.2 Scope
The audit was focused on the assessment of functionality within the SAP HR application. This included a detailed review and examination of the configuration of the system as well as the configuration and assignment of specific access rights to users. Processes and procedures supporting the integrity of the data within the application were also evaluated, such as the use of monitoring reports for the verification of data subsequent to entry into the system. The focus of the audit was strictly the review and assessment of the control framework and the functionality of CIDA's SAP HR application. Also excluded from the scope of the review were the processes, procedures and overall control framework in place within PWGSC's On-Line Pay (OLP) application. The evaluation of the new SFS functionality was also excluded, as it was not implemented as of March 31, 2004.

2.3 Methodology
This audit was performed according to the Treasury Board policy on internal audit and audit standards of the Institute of Internal Auditors. The audit was conducted from February 10, 2004 to March 31, 2004.

Our audit approach was:
- To gather information on concerns over SAP HR within CIDA by reviewing 2 other HR internal audits that were recently completed along with the preliminary survey of the HR function.
- To gather information on the current SAP HR functionality, supporting business processes and control framework supporting the accuracy and completeness of the data through a selection of interviews and system set-up review.
- To review and analyze supporting process documentation relating to SAP HR processes, as provided by interviewees.
- To develop internal control objectives relating to the SAP HR functionality implemented at CIDA against which to perform the detailed control-based analysis.
- To perform a review of the key system based controls in SAP HR, including user access rights to perform HR related functions, the protection of personal information and configuration data validation rules.
- To perform an assessment of the efficiency and effectiveness of the SAP system and processes.
- To accumulate data on support group size and composition through the completion of surveys by local organizations (public sector and other) utilizing SAP HR for benchmarking purposes; and,
- To perform a benchmarking of the size and composition of the SAP HR support group against similar organizations.

The control objectives and audit criteria are documented within Appendix B. The control framework presentation was used to analyze and to identify internal control strengths and weaknesses associated with the SAP HR audit work. It was also used to analyze whether the particular objectives and assertions have been satisfied with the existing control processes/procedures identified. Process descriptions and control framework are included in Appendix C.

3. Observations and Recommendations
3.1 Observations Arising from the review of SAP HR Processes
The following observations stem from the interviews of SAP HR support group and users of the system, and through a review of documentation outlining the set-up or configuration of the system and access profiles, as well as the design of supporting business processes. The appropriateness of the assignment of access rights to users was also reviewed, as well as the configuration of the SAP access profiles.

HR Master Data
Overall, the integrity of HR related information is supported through the implementation of system-based checks and validations. For example, required fields have been configured within the screens and access rights to perform the maintenance actions have been restricted to authorized individuals. Also, with regards to the hiring of an employee, the application has been set up with pre-established routines to take users to the necessary screens for population of data.

It was noted, however, that selected personnel movement situations (such as EX acting assignments that do not affect pay) are currently not being entered into the system, as no payroll changes are required. For example, if an EX-01 level individual acts as an EX-02, no changes are made in SAP HR until a 3-month period has elapsed. It was further noted that the expiration of acting assignments is not being reflected on a timely basis. These actions require user intervention within the application, and the lack of system updates to reflect the actual movements decreases the overall integrity and accuracy of the data in the HR application. This has an adverse impact on the routing for the approval of an employee's overtime and leave requests established in the system, as the organizational structure is not updated with the most current information. The impact of this situation is that leave balances may not be updated on a timely basis and/or overtime due to an employee may not be paid on a timely basis. Alternatively, this situation could result in requests for leave and overtime being approved by an unauthorized person for the purpose of clearing old items in the system.

While the system-based controls currently in operation within the HR module are appropriate, a number of current manual and/or monitoring (i.e. non system-based) validation processes, which are normally put in place to detect anomalies in data captured, are candidates for improvement. Specifically, it was noted during the audit that opportunities for improvement of the data integrity verification procedures exist. There are currently no formal processes in place for the periodic review and approval of SAP HR information by responsible managers within the Branches, or by individuals within HRD. This includes both the review of organizational structure and personnel assignments in SAP (at the Branch level) and/or the comparison and reconciliation of pay information against PWGSC's On-Line Pay system by Compensation and Benefits. The On-Line Pay application contains more pristine information on pay and benefits, as Agency employees are currently paid via this system. Comparisons to this source of information strengthen the integrity of the classification and payroll related employee data captured in the SAP application.

References (additional details see Appendix C HR Control Framework):
Control Weakness #1 - Acting Assignments
Control Weakness #2 - Monitoring Reports for HR Master Data
Control Weakness #3 - PWGSC On-line Pay Reconciliation with SAP

Recommendations

1. It is recommended that the HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.
2. It is recommended that HRD, in collaboration with IMTB and the Branches, develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility and will also identify acting situations that have not been recorded and/or expired acting situations that have not been recorded. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by the HRD.
3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application once a year.

Management Responses
1. Agree that rationalization of leave and overtime approval authorities are required to reflect EX acting situations that do not result in changes to rates of pay but disagree with the proposed corrective action plan. The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situations in the SAP system now, without a system configuration. The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices.
2. Agree. HRD, in collaboration with IMTB and the branches, will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situation within the manager's own branch. Also, HRD will assess the integrity of the organizational structures at the Agency level. Roles and responsibilities will be defined and process installed through the SAP-HR Improvement Project (SHIP) initiative.
3. Agree. Files are being created to compare data between the "On-Line Pay" System and SAP-HR employee's position classification and pay scale. This comes under the SAP-HR Improvement Project (SHIP) initiative - Enhancement of Quality control. Business process and definition of roles and responsibilities through the SAP-HR Improvement Project (SHIP) initiative.

Leave and Overtime Recording
CIDA has developed an Agency specific solution for the creation/entry of leave requests and overtime entitlements. In this business model, employees are responsible for entering their own requests for leave and requests for approval for overtime worked, as well as selecting the method they would like to be compensated for their overtime entitlement (i.e. banked time or cash payout). Upon entry of the request, SAP automatically verifies whether the request is in accordance with the employee's appropriate collective agreement provisions. The employee's Supervisor is then responsible for examining the requests and for approving or "unlocking" the item so that it can be committed to the database/recorded and settled (i.e. banked or paid out).

Generally, the SAP access roles for Employees and Supervisors were appropriately configured to enforce the business rules/process outlined above. However, when the access rights were combined with other access rights in SAP, 31 Branch Administrative Officers had the ability to enter and approve/unlock their own requests. This represented a known issue within the SAP system, with a decision taken by management to control the process through detective/monitoring type processes. This situation increases the risk of unauthorized overtime being paid out, as these individuals can submit and approve their own overtime requests. Furthermore, there are no periodic review processes in place to provide for the integrity of leave data for employees. Without a proper detective control to ensure the employees are recording all leave taken in SAP, individuals could possibly take more leave than they are entitled to and/or the Agency could pay out amounts for invalid/inaccurate balances.

References (additional details see Appendix C HR Control Framework):
Control Weakness #4 - Unauthorized Approval of Overtime
Control Weakness #5 - Monitoring of Leave Balances Accuracy

Recommendations
4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group, correct the configuration of the security role for the Branch Administrators and eliminate the ability to submit and approve their own overtime and leave requests. Furthermore, the Branch Administrators' access should be limited to submitting their own requests for subsequent approval by their Supervisors.
5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.

Management Responses
4. Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.
5. Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leave calendar to ensure that leave taken is recorded appropriately. The system can help managers monitor whether employees are recording their leave or not. HRD will send out a reminder to managers to this effect. Manager Self Services (MSS) will assist managers in this regard. A new tool to be launched in September 2005.

Organizational Management
The organizational management functionality within SAP contains the active organizational structure of the Agency, including the design of specific organization units (i.e. Branches) and positions. Individual positions are created as elements of master data and include reporting relationships between positions and classification/planned compensation based on collective bargaining agreements. When employees are hired, they inherit the attributes of the position, including the salary and classification, and the employee is also placed into the appropriate place in the organizational structure. This is referred to as the integration of Personnel Administration and Organizational Management within SAP HR.

The maintenance of position data at CIDA is a shared responsibility between the Branches (Branch Administrative Officers and the Branch Managers) and the Classification Division. The current business process stipulates that the Branch Administrative Officer is responsible for setting up the new position or making a position data change in a "proposed" status for subsequent approval by the Branch/Responsible Manager. Subsequently, the Classification Officer reviews the classification and either approves or rejects the position. If it is approved, the position becomes active and is introduced into CIDA's organizational structure. This "self-service" type of business process is becoming more popular for SAP clients, and the sharing of data entry functions as outlined above is consistent with the trends occurring elsewhere in the public and private sectors. In this new business model, end-user departments (such as the Branches) are typically responsible for data entry, with an oversight function being performed by a centralized body.

Branch Administrative Officers currently have the access in the SAP system to create positions, assign a classification in SAP and make them active within the organizational structure at CIDA. They also have the ability to appoint or hire individuals into these positions. When this type of access is combined with position maintenance access, a segregation of duties risk within SAP is created, as individuals could be appointed or hired into positions without a proper classification. The risk of improper classification and non-compliance with delegation of authorities is also increased, as Branch Administrative Officers and the Responsible Managers do not currently have the delegation/classification authority for positions. To compensate for this risk, the SAP HR Support group developed a monitoring report that provides a listing of the new positions that have been created and classified in the system on a daily basis. This monitoring report is supposed to be reviewed by the Classification Division, with any required corrections discussed with the Branches. It was noted, however, that this report is currently not being reviewed on a daily/regular basis given workload and backlog issues within the Classification Division.

References (additional details see Appendix C HR Control Framework):
Control Weakness #6 - Position Master Record Maintenance

Recommendation
6. It is recommended that IMTB, in cooperation with the SAP HR Support group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers, as they can currently create new positions without intervention from the Classification Division. This configuration will allow the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles & responsibilities.

Management response
6. Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system. The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the Branch Administrator's role is being reviewed to limit their access when creating a position for classification. Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAO. This comes under the SAP-HR Improvement Project (SHIP) initiative.

Security and Privacy
Human Resource applications typically contain a number of elements of personal information that must be protected from unauthorized disclosure. Given the importance of emergency contact information and the financial impact of pay information (with the implementation of SFS), it is important to limit the ability to update this information to only authorized individuals.

At the time of the SAP HR implementation in October 2000, an assessment of the information captured in the system was performed to identify elements of information that should not be available for viewing to persons other than those designated. Specific examples of data covered in this analysis include employment equity information and personal qualifications. In general, while the security and privacy design approach/framework in CIDA for granting HR access appears adequate for protecting personal information, there were some configuration breakdowns/abnormalities noted during the audit that circumvented the key planned controls for users to be limited to their own areas of responsibility (i.e. Branch) for the performance of HR report execution. The two configuration exceptions related to the viewing/reporting of information.

The first exception is that as of March 22, 2004, over 1700 (i.e. all CIDA employees and consultants) user accounts had access to view HR data at the table level through table browser transactions (SAP transaction code SE16). These transactions could also provide access to sensitive HR reports and transactions and therefore provide an alternative means of accessing HR information.

The second exception involves the configuration of an SAP delivered "override". Specifically, when the P_ABAP authorization object is configured with specific values and assigned to users, the regular SAP security checks performed during the execution of HR reports are deactivated. Authorizations set up in this manner allow individuals to have access to all HR information on a report even though their user profile is configured to restrict them from accessing the data. For example, if users are assigned access profiles that prevent them from viewing employees outside of their area of responsibility (i.e. Branch), the configuration of the override will allow them to see employees outside of their Branch on reports if requested (i.e. information that they are not authorized to view). Effectively, 129 users have been provided with this override. This configuration could also result in violations of the Privacy Act, which outlines requirements for the protection of personal information for government employees.

The audit of the HR end user access profiles revealed that 14 roles/profiles had been given access to run programs directly (i.e. other than through specific access to reports/transactions) through the ability to execute programs through a centralized mechanism (transaction SA38). The effect of this functionality is essentially to bypass transactional restrictions imposed on users. Although the configuration does restrict the users to specific reports within the HR function (through the use of authorization group flags and authorization object S_PROGRAM), this profile configuration represents a "back door" that allows users to view information (including sensitive HR information) that is not required for their job functions. However, there are a number of reports in SAP, including HR reports, for which this level of protection is not available.

Access to perform maintenance of specific pieces of information or infotypes and/or viewing of selected sensitive infotypes is also available to SAP Support personnel who are not directly involved with the support of the HR modules. This includes selected Support individuals for SAP financial applications, as well as members of IMTB (such as Security Administrators).

Treasury Board requirements state that a Privacy Impact Assessment (PIA) must be undertaken for any major system change where personal information is involved. In the new fiscal year, CIDA is planning to implement new functionality for salary forecasting (Salary Forecasting System - SFS) and no PIA has been undertaken to date.

A specific issue test conducted as part of the audit was to examine the use of generic accounts within the system. Generic accounts/IDs are defined as user accounts that are not directly tied to an individual and/or are shared for maintenance purposes. The SAP HR support group has adopted a specific naming convention for their group's users. The HRAIS series of accounts was created to prevent users from calling SAP support group members directly if a change is made to an employee's information. Currently, members of the support group have been given their own unique HRAIS (i.e. HRAIS01, HRAIS02, etc.) account that is tied directly to them through the text field name on the account. They are also responsible for keeping the confidentiality of their own passwords. However, the same HRAIS account will not be assigned to a new employee after the departure of a support group team member. Therefore, the HRAIS series of accounts is not considered to be generic accounts. Nevertheless, there are some generic accounts that currently have access to perform maintenance functions and/or view sensitive information. Accounts such as WFADMIN, WORKFLOW, WFADMINTEST, PHOENIX, WFADMIN2 and ACDI-CIDA are all accounts that have access to perform HR functions.

References (additional details see Appendix C HR Control Framework):
Control Weakness #7 - Non SAP HR Support Group Access
Control Weakness #8 - Privacy Impact Assessment
Control Weakness #9 - SAP HR Table Access
Control Weakness #10 - SAP HR Report Execution
Control Weakness #11 - SAP HR Reporting
Control Weakness #12 - Generic Accounts
Control Weakness #13 - Monitoring Procedures

Recommendations
7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.
8. It is recommended that IMTB perform Privacy Impact Assessments in accordance with Treasury Board requirements.
9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.
10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured, be removed from end-user access profiles by IMTB.
11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and corrected by IMTB.
12. It is recommended that IMTB limit the use of generic accounts.
13. Finally, it is recommended that IMTB, in conjunction with HRD and the SAP Support Group, develop a set of security monitoring procedures focused on reviewing lists of users with access to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction.

Management Responses
7. Agree. This was done in conjunction with item 13, SR 3462. This comes under the SAP-HR Improvement Project (SHIP) initiative.
8. Agree. Privacy Impact Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIAs. IMTB is incorporating processes into the SR and System Development Procedures to identify system changes and system requests that may require PIAs, ensuring that System Owners and the Privacy Coordinator are informed. These assessments will be conducted and modified if needed.

9. Agree. SR3194 was registered, addressed and completed in December 2004.

10. Agree. Transactions SE38 and SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 and SR3058. The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job.

11. Agree. HR Job roles were reviewed. SR3463 was opened. Access is being revised (through SR 3314) ensuring limited access to information.

12. Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not "generic" accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account and therefore cannot be removed. The "Phoenix" and "ACDI-CIDA" accounts are also being revised to ensure that minimal access is granted.

13. Agree. SR3462 was opened and appropriate configuration was done into SAP-HR to action this recommendation.

3.2 Observations Arising from the Benchmarking of the SAP Support Group Structure

The preliminary survey conducted prior to the execution of specific audits outlined that HRD currently has ten staff to maintain the SAP HR module. Further examination of the ten positions revealed that there is a Manager included in that figure who also has other responsibilities, as well as the following individuals as of May 4, 2004: 2 Senior HR Systems Officers, 3 HR Systems Officers, 1 HR Junior System Officer, 2 full-time SAP HR consultants, 2 full-time expert consultants and 1 full-time junior consultant. In addition, there is currently one full-time consulting SAP HR expert on site who provides expert advice on the development and implementation of the Salary Forecasting System. The total number of support employees for SAP HR is eleven.

Table 1 - Benchmarking Data

Area | Organization 1 (Public Sector) | Organization 2 (Public Sector) | Organization 3 (Public Sector) | Organization 4 (Public Sector) | CIDA
SAP HR Functionality | PA, PD, Time Entry (CATS) | PA, PD, Payroll | PA, PD, Time Entry, Training & Events, Payroll | PA, PD, Payroll | PA, PD, Time Entry, Training & Events
Approximate Number of SAP HR Users (excluding employee self-service) | 500 | 2,000 | 2,550 | 290 | 300
Number of Employees | 3,500 | 45,500 | 43,600 | 9,000 | 1,000
Number of Support Employees | 1.25 | 50 | 40 | 3.25 | 11
Number of SAP HR Consultants in Support Group | .25 (programmer) | 5 (module experts) | 10 (module experts, programmers) | 0 | 4
Ratio of Support Group to Users | 1:400 | 1:40 | 1:63 | 1:90 | 1:27
Ratio of Support Group to Employees | 1:2800 | 1:900 | 1:1075 | 1:2950 | 1:141
HR Master Data Maintenance Model | Decentralized | Decentralized | Decentralized | Centralized | Decentralized

Table 1 summarizes the results of the benchmarking survey that was conducted for 4 public sector organizations that currently use some components of the SAP HR module. Two key ratios, the ratio of support group employees to users and the ratio of support group employees to employees, were calculated and used as the primary basis for comparison of their support structures versus CIDA's. As outlined in Table 1, CIDA's ratios for support personnel to active employees and for support personnel to users are significantly lower than those of the other organizations, and CIDA is near the middle of the pack based on the number of users. Based on the comparative ratios, CIDA's SAP HR support group composition should be between 1 and 2 full time equivalents.

The figures point to an overstaffing situation within the SAP HR support group; however, other factors must be taken into consideration. Specifically, the following differences were noted: Individuals within the support group are currently working on the implementation of new functionality (SFS). The support group is currently leading and/or performing data quality activities for clean up purposes, which is ultimately outside of the scope of their mandate for delivery. Other organizations included in the benchmarking survey have training super users within the individual user groups, whereas CIDA has kept the notion of centralized support. Furthermore, the SAP support group is currently meeting their specific service level agreement timelines, with a minimum of spare resource cycles as was noted in our interviews.

If the SAP support group is to be reduced, functions currently being undertaken by individuals within this group will need to be performed by the business functions. Specifically, the responsibility for data quality and verification would need to be shifted to the Branches and support functions (i.e. IMTB) within CIDA. Finally, as the SFS moves into the production environment, additional support requirements will be created to cover the new functionality and end user support requirements.

Recommendation

14. It is recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.

Management response

14. Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play. CIDA is the only government department in Schedule I.1 of the Financial Administration Act that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared inter-government system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources. This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module. The increasing interest in the government-wide Shared Services initiatives for "corporate" functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts.

We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term.

Initiatives In Play:

1. Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources, including but not exclusively those recommended in the audit report. HRD will play a key role in supporting this review.

2. ... being led by the CIO. HRD is contributing to this review and will implement the decisions.

3. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application.

3.3 Observations Arising from the Assessment of SAP HR Functionality

Within the preliminary survey and within the interviews conducted as part of this and other audits of HR related activities, a number of observations were made with regards to the functionality of the HR system. Comments ranged from the lack of useable reports to lack of understanding of system functionality. SAP HR functionality and set-up are complex areas to understand. After obtaining an understanding at a high level of the business needs for SAP HR within CIDA and after reviewing the set-up and effectiveness of the application's control framework, all of the expected functionality required to perform daily activities related to the movement of employees, the management of the organizational structure, and the entry and approval of time and leave

acdi-cida. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users. Conclusion www.g.Canadian International Development Agency (CIDA) requests have been implemented. Current training programs are focused on the technical data entry steps of SAP transactions without necessarily providing participants with background as to the importance of their work and its impact on decision-making. trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs.nsf/eng/NAT-1013101052-JMU 14/28 . This comes under the SAP-HR Improvement Project (SHIP) initiative. Clean up of data. Agree.gc. Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects). during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements. Recommendations 15. First. if the examination identified gaps in report understanding.SAP HR System . If users feel that they are lacking information. difficulties in reporting on SAP information are experienced by a large number of organizations. SAP-HR reflects current HRM accountabilities (part of SHIP action plan). 16. Therefore. Alternatively. Assuming SAP-HR is still the module of choice. However. 16.ca/acdi-cida/acdi-cida. and that the materials be incorporated into the regular training program for SAP HR users. 
Management responses 15. we further recommend that additional reports be developed. there is a need for additional business training to be provided to users of the HR functionality. A corrective action plan is underway to ensure that: SAP reflects current and anticipated (e. organizational structure as well as leave and overtime processing are being met by the current system. reports that do not meet end user requirements and/or overall data integrity issues. specific causes could be the lack of understanding of the report output contents. including CIDA. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users. Nevertheless. two specific observations have come to our attention. the basic needs for the management of employee information.6/19/13 ARCHIVED . Second. If addition reports or information is required. and End users are provided the necessary tools. we recommend that action plans be developed to close the gaps through additional training. a significant number of standard SAP reports are delivered with the application and CIDA has developed custom reports to serve their users. Agree. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation). documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan.

Our audit was specifically designed to meet the objectives outlined in section 2 of the report, in terms of an assessment of the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall. It was conducted in accordance with generally accepted auditing standards. The results of our audit enable us to conclude that the functionality required to support the business needs of HRD and the Agency overall has been implemented. However, some areas for improvement in the effectiveness and efficiency of the business processes and reporting have been identified and provided as recommendations within the body of the report.

With respect to the accuracy and integrity of the information emanating from the SAP application, the distinction must be drawn between system-based controls and management/monitoring controls outside the system. For the system-based controls, an adequate framework for the design of user access privileges has been developed to protect sensitive information and to ensure access to perform critical maintenance functions for HR data is appropriately restricted. The audit revealed, however, that there are currently some security configuration issues that must be addressed and, as well, the use of generic accounts must be investigated and corrected to ensure that the designed framework of controls is properly implemented. The audit indicated, however, that improvement is required in supporting management and monitoring processes that are required to ensure that system transactions are recorded as intended. Data integrity must also be improved as personnel movements are not being reflected on a timely basis for all required updates. Opportunities for improvement of the control framework also exist through increased monitoring of changes to master data elements, and through the performance of periodic data quality reviews by the Branches and other business owners within the Agency. Therefore, with the exception of the identified security configuration and access problems, the business process appears to be well supported by the SAP HR module.

Finally, based on the results accumulated through a benchmarking survey, the size of the SAP HR support group is larger than those of the organizations polled. However, CIDA's support group provides a broader range of services to the user population than the majority of the other organizations used as a benchmark. CRC should determine the size of the SAP HR support group in accordance with its expected return on investment, once the new SFS functionality is implemented and subsequent to the data cleanup task.

Appendix A Summary of Audit Recommendations

SAP HR Audit Project - Internal Audit of SAP HR
Number of Recommendations: 16
Status values: Completed, Ongoing, Work in Progress

Recommendation 1. It is recommended that the HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations
Management's Response: Agree that rationalization of leave and overtime approval authorities are required to reflect EX acting situations that do not result in changes to rates of pay but disagree
Date/Status: HRD to send reminders to BMOs of the requirement and method to

into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.
Management's Response (continued): with the proposed corrective action plan. The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices. The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situations in the SAP system now, without a system configuration.
Date/Status (continued): amend reporting relationships for the purposes of SAP-HR leave and overtime administration. Procedure will be incorporated into the SHIP action plan. March 31, 2006. Part of SHIP action plan.

Recommendation 2. It is recommended that HRD, in collaboration with IMTB and the Branches, develop a set of periodic monitoring procedures and reports for review and followup by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility and will also identify acting situations that have not been recorded and/or expired acting situations that have not been recorded. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by the HRD.
Management's Response: Agree. HRD, in collaboration with IMTB and the branches, will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situation within the manager's own branch. Roles and responsibilities will be defined and process installed through the SAP-HR Improvement Project (SHIP) initiative. Also, HRD will assess the integrity of the organizational structures at the Agency level. This comes under the SAP-HR Improvement Project (SHIP) initiative - Enhancement of Quality control.
Date/Status: December 2005. Part of the SHIP action plan.

Recommendation 3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application every 4 months.
Management's Response: Agree. Files are being created to compare data between the "On-Line Pay" System and SAP-HR employee's position classification and pay scale. Business process and definition of roles and responsibilities through the SAP-HR Improvement Project (SHIP) initiative.

Recommendation 4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group, correct the configuration of the security role for the Branch Administrators and to
Management's Response: Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.
Date/Status: COMPLETED.

eliminate the ability to submit and approve their own overtime and leave requests. Specifically, the Branch Administrators' access should be limited to submitting their own requests for subsequent approval by their Supervisors.

Recommendation 5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.
Management's Response: Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leave calendar to ensure that leave taken is recorded appropriately. HRD will send out a reminder to managers to this effect. Also, Manager Self Services (MSS) will assist managers in this regard. A new tool to be launched in September 2005.
Date/Status: August 2005 (new tool: September 2005). In progress.

Recommendation 6. It is recommended that IMTB, in cooperation with the SAP HR Support group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business, as outlined in their roles & responsibilities. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers as they can currently create new positions without intervention from Classification Division.
Management's Response: Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system. The Workflow section within IMTB is currently working with the SAP-HR Support group. This configuration will allow the Classification Division to approve the position and classification data for new positions and/or individuals. Also, the Branch Administrator's role is being reviewed to limit their access when creating a position for classification. Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAO. This comes under the SHIP-HR Improvement Project (SHIP) initiative.
Date/Status: March 2006. Part of the SHIP action plan.

Recommendation 7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.
Management's Response: Agree. This was done in conjunction with item 13, SR 3462.
Date/Status: March 2005. Completed.

Recommendation 8. It is recommended that HRD should perform Privacy Impact Assessments in
Management's Response: Agree. However, Privacy Impact
Date/Status: March 2006. Part of SHIP action plan.

accordance with Treasury Board requirements.
Management's Response (continued): Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIA's, ensuring that System Owners and the Privacy Coordinator are informed. IMTB is incorporating processes into the SR and System Development Procedures to identify systems changes and systems requests that may require PIA's. These assessments will be conducted and modified if needed. This comes under the SAP-HR Improvement Project (SHIP) initiative.

Recommendation 9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.
Management's Response: Agree. SR3194 was registered, addressed & completed in December 2004.
Date/Status: December 2004. COMPLETED.

Recommendation 10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured, be removed from end-user access profiles by IMTB.
Management's Response: Agree. Transactions SE38 & SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 & SR3058. The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job.
Date/Status: June 2004. COMPLETED.

Recommendation 11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and corrected by IMTB.
Management's Response: Agree. HR Job roles were reviewed. SR3463 was opened. Access is being revised (through SR 3314) ensuring limited access to information.
Date/Status: March 2005. COMPLETED.

Recommendation 12. It is recommended that IMTB limit the use of generic accounts.
Management's Response: Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not "generic" accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account and therefore cannot be removed. The "Phoenix" and "ACDI-CIDA" accounts are also being revised to ensure that minimal access is granted.
Date/Status: March 2005. COMPLETED.

Recommendation 13. It is further recommended that IMTB, in conjunction with HRD and the SAP Support Group, develop a set of security monitoring procedures focused on reviewing lists of users with access to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction.
Management's Response: Agree. SR3462 was opened and appropriate configuration was done into SAP-HR to action this recommendation.
Date/Status: March 2005. COMPLETED.

Recommendation 14. We recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.
Management's Response: Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play. CIDA is the only Schedule 1.1 government department that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared inter-government system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources. This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module. We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the
Date/Status: Ongoing. HRCSB internal ... With the approval of CRC and under the direction of the CIO, an inter-Branch project team is being established to assess the impacts and implications of the Shared Services Initiative on the SAP system, including the SAP-HR module. Work has begun in HRD through the establishment of an internal working group to discuss HR business process flow requirements, identify SAP-HR changes and engage end-users in the clean up of data and the application of revised procedures.

application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term. The increasing interest in the government-wide Shared Services initiatives for "corporate" functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts.

Initiatives In Play:
1. Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources, including but not exclusively those recommended in the audit report. HRD will play a key role in supporting this review.
2. ... being led by the CIO. HRD is contributing to this review and will implement the decisions.
3. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application.
Date/Status (continued): review in progress. March 2006. Work in progress.

Recommendation 15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy
Management's Response: Agree. A corrective action plan is underway to ensure that: SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process

requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.
Management's Response (continued): requirements (part of CIDA HRM Project and PSMA Implementation); Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects); SAP-HR reflects current HRM accountabilities (part of SHIP action plan); Clean up of data, documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan; and End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner.
Date/Status: March 2006. Part of the SHIP action plan.

Recommendation 16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs. If additional reports or information is required, we further recommend that additional reports be developed. Alternatively, if the examination identified gaps in report understanding, we recommend that action plans be developed to close the gaps through additional training.
Management's Response: Agree. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users. Assuming SAP-HR is still the module of choice, during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements. This comes under the SAP-HR Improvement Project (SHIP) initiative.
Date/Status: March 2007. Last phase of the SHIP action plan.

Appendix B Control Objectives/Audit Criteria for the SAP HR Process Review

The following control objectives/audit criteria were developed during the planning phase of this audit to capture the required audit criteria on which to base the assessment of the control

framework and the security access rights. The criteria have been segregated to reflect the subprocesses that form the basis for the SAP HR supported process.

HR Master Data
1. All changes to the SAP HR and payroll master files are complete, valid and timely.
2. Terminated employees are removed from the payroll master file and all deletions are valid (and are within statutory requirements).
3. Agency employee information transferred to the Compensation Systems is accurate, valid and timely.

Leave and Overtime Recording
4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized.

Organizational Management
5. All valid changes to organizational units, positions and other master data are accurate, valid, timely and in accordance with relevant legislation.

Security and Privacy
6. Access to personal/sensitive information is adequately restricted to only authorized individuals.
7. Segregation of duties is appropriate and system access is restricted to authorized personnel.

Appendix C - SAP HR Control Framework

SAP HR Control Framework, March 31, 2004, ARTpack Project

Introduction

This document analyzes the control framework within a particular application or process. For each process reviewed, the following documents were prepared: 1. Flow Diagram; 2. Control Framework and Evaluation Matrix; 3. Process Descriptions. The application flow diagram aims to convey the most important elements of the process and as a result, certain infrequent or insignificant detail is intentionally omitted. The following icons are used on the diagrams: Control Points; Financial/Business Exposure;

PWGSC Reconciliation with SAP www. Terminated employees are removed from the payroll master file and all deletions are valid).Canadian International Development Agency (CIDA) Main Flow of Transactions.e. The lack of update of the org structure has an impact on the proper routing of workflow items for approval. Organizational anagement 6. Access to personal/ sensitive information is restricted to only authorized individuals. Segregation of duties appropriate and system access is appropriately restricted to authorized personnel. an EX-01 employee acting at an EX-02 level is currently not entered into the system until 3 months has elapsed. users can change the information brought in to accommodate Salary Protected employees (employees that have been designated as surplus and given a lower classification. 5.6/19/13 ARCHIVED . Control Objective Leave and Overtime Recording 4. Scope of this Review This review considered controls and weaknesses throughout the SAP HR System.gc. Acting Assignments Selected acting situations (i.SAP HR System . Blue text indicates a control and red text indicates a weakness or inefficiency (see PDF version). Monitoring Reports for HR Master Data There is currently no formalized review and/or approval of active employee listings. valid and complete.ca/acdi-cida/acdi-cida. Security & Privacy 7. For example. Changes to the collective agreements are controlled through the formal Service Request process at CIDA. complete. valid and timely. one month or above) that do not affect pay are currently not entered into SAP. Accuracy Validity Completeness Cut-off Validity Accuracy Accuracy Validity Accuracy Validity Accuracy Validity Completeness Cut-off Validity Validity Completeness Accuracy HR Master Data Maintenance SAP Security for HR Master Data The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. 
Consult the table below in large format. an element of SAP configuration that specifies whether infotypes must be populated. Agency employee information entered into the Compensation system is accurate. The following icons are used on the control evaluation matrix: The identified control supports this control objective Weaknesses were found for this control A description of the control or weakness can also be found on the control evaluation matrix.acdi-cida. Time constraints. positions and other data org structure data elements are timely. have also been configured at the infotype level to control the completeness of infotypes within an on-line personnel file. Integration with Org Management Pay scale/salary information is defaulted into the personnel file (infotype 0008) based on information stored on the position master record. Accuracy Validity Completeness Cut-off 3. in order to ensure that all relevant information is captured. Leave/ absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized. but still paid at their previous pay rate). Description HR Master Data Maintenance Control/ Weakness Control/ Weakness Reference 1. All changes to the SAP HR master files are accurate. All changes to organizational units. The review included discussions with CIDA staff and testing of certain system and manual control activities. Planned Compensation Pay scales that are aligned with the relevant public sector collective agreements have been configured in SAP. which compares the identified controls to the control objectives for the area and assesses the degree to which the objectives are supported by controls. staffing reports or organizational charts by the Responsible Managers or Financial Authorities on a periodic basis. valid and timely. 2. Overtime entered is accurate and valid and calculated in accordance with collective agreements. In addition. accurate. However.nsf/eng/NAT-1013101052-JMU 23/28 . 
Access restrictions at the infotype level have also been configured for specific roles. SAP Input Controls for Master Data Mandatory fields are configured for infotypes included in personnel files within SAP. complete. it was further noted that expired acting situations were not updated in SAP on a timely basis. 8. The above icon types cross-refer to the control evaluation matrix. Personnel actions (a grouping of functionality to accomplish specific HR activities such as hiring) have been configured for major HR administrative tasks to ensure that all relevant infotypes are completed for personnel related activities.

Unauthorized Approval of Overtime Situations have been noted where employees were able to submit their requests for paid overtime and approve their own requests.nsf/eng/NAT-1013101052-JMU 24/28 . This could result in unauthorized overtime payments being generated for employees. the SAP HR Support Group created monitoring reports for Classification to review. Upon successful approval of leave. www. Generic Accounts There are currently generic/shared accounts that have access to perform update and reporting functions for HR information. Time constraints have also been configured at the infotype level to control the completeness of infotypes for these objects.gc. The SAP Time Evaluation functionality is utilized to perform the check. a central mechanism that bypasses transactional and reporting restrictions configured. Leave and Overtime Recording SAP Security for Leave and Overtime The SAP security and authorization concept is utilized to restrict the ability to unlock/approve requests for leave (SAP transactions ZAPT.6/19/13 ARCHIVED . and some significant changes have either been implemented or are planned for implementation. Privacy Impact Assessment A formal Privacy Impact Assessment has not been performed since the initial implementation of SAP HR. SAP automatically updates the quota balance(s) for an employee.ca/acdi-cida/acdi-cida. Non SAP HR Support Group Access Non-HR SAP support individuals currently have the ability to maintain critical infotypes such as infotype 0008 (basic pay). in order to ensure that all relevant information is captured. positions). SAP HR Report Execution An excessive number of end-users have the ability to execute reports and programs through transaction SA38. SAP HR Reporting The configuration around SAP HR reporting is currently not in accordance with best practices. 
SAP verifies that the employee is entitled to the type of leave requested and that the minimum/maximum amounts requested are in line with the appropriate collective agreement provisions. Actions have also been configured for key organizational structure maintenance activities to ensure that all relevant infotypes are completed for the creation of new objects (i. To mitigate this segregation of duties risk. SAP Input Controls for Organizational Management Mandatory fields are configured for organizational management infotypes. Access restrictions at the infotype level have also been configured for specific roles. SAP HR Table Access An excessive number of users have the ability to view personal information through direct query of HR tables (through transaction SE16). Organizational Management SAP Security for Organ Management The SAP security and authorization concept is utilized to restrict the ability to update position master data to appropriate personnel. to ensure that all leave taken is being recorded in SAP. Quota Balances Prior to completing the on-line approval transaction. at the Branch level) allowing users to only see information (personal and non-personal) for individuals outside of their areas of responsibility. the configuration of authorization P_ABAP has effectively deactivate a level of data restrictions (i. approve and active new positions without the Classification Division reviewing the appropriateness of the classification data. the Supervisor is not permitted to save/approve the application. Position Master Record Maintenance Branch Administrative Officers currently have access to create. Monitoring of Leave Balances There are currently no processes or procedures in place to perform a periodic review of employee leave balances. however. PA61) Leave Entitlement Validation Prior to the completion of a leave request. If the quantity remaining is insufficient. Specifically. 
it was noted that the reports are currently not being reviewed on a regular basis by the Classification Division.SAP HR System . SAP Security for Leave and Overtime Approvals The SAP security and authorization concept is utilized to restrict the ability to unlock/approve submitted overtime records.Canadian International Development Agency (CIDA) There is currently no formal reconciliation of employee pay rates in the PWGSC On-Line Pay system to the records in SAP. Branch Administrative Officers also have the ability to perform personnel movements. Security and Privacy Security/ Privacy of HR Data The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. SAP automatically verifies whether an employee has an adequate leave entitlement remaining to accommodate the request.acdi-cida.e. The SAP Time Evaluation functionality is utilized to perform the check.e.
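The segregation-of-duties and access findings in the matrix above (employees approving their own overtime, generic accounts with update access, broad SA38/SE16 access, and the basic pay infotype being maintainable outside the HR support group) are the kind of conditions a periodic access review would test for. The Python script below is an added example, not code from the CIDA report or from SAP: it runs those four checks over constructed sample records. The record layout, the user ids, the group labels such as "HR_SUPPORT" and the function names are assumptions; the transaction codes PA30, PA40, SA38 and SE16 and infotype 0008 are the ones named in the matrix.

```python
"""Added example (not from the CIDA report): access-review checks that mirror the
segregation-of-duties and access weaknesses in the control evaluation matrix.
All records are constructed; user ids, group labels and field names are assumed."""

# Constructed export of overtime records. Per the report, the employee enters
# overtime and the supervisor must unlock/approve it; "unlocked" means approved.
OVERTIME_RECORDS = [
    {"id": "OT-1001", "employee": "E100", "approved_by": "E200", "status": "unlocked", "hours": 4.0},
    {"id": "OT-1002", "employee": "E101", "approved_by": "E101", "status": "unlocked", "hours": 6.0},
    {"id": "OT-1003", "employee": "E102", "approved_by": "E102", "status": "locked", "hours": 2.0},
    {"id": "OT-1004", "employee": "E103", "approved_by": "E200", "status": "unlocked", "hours": 3.5},
]

# Constructed user-access listing: the input a periodic access review would consume.
# "group" is an assumed label for the team the user belongs to.
ACCESS_LISTING = [
    {"user": "JSMITH", "generic": False, "group": "HR_SUPPORT",
     "transactions": {"PA30", "PA40", "SA38"}, "infotypes": {"0008", "0002"}},
    {"user": "HRSHARED01", "generic": True, "group": "",
     "transactions": {"PA30", "PA20"}, "infotypes": {"0002"}},
    {"user": "BAO_WEST", "generic": False, "group": "BRANCH_ADMIN",
     "transactions": {"PA30", "SE16", "SA38"}, "infotypes": {"0001"}},
    {"user": "BASISOPS", "generic": False, "group": "BASIS",
     "transactions": {"PA30"}, "infotypes": {"0008"}},
    {"user": "AUDITRO", "generic": False, "group": "AUDIT",
     "transactions": {"PA20"}, "infotypes": set()},
]

HR_UPDATE_TXNS = {"PA30", "PA40"}     # maintain personnel data (named in the report)
BROAD_ACCESS_TXNS = {"SA38", "SE16"}  # run any program / query any table (named in the report)
PAY_INFOTYPE = "0008"                 # basic pay (named in the report)


def self_approved_overtime(records):
    """Approved (unlocked) overtime where the approver is the employee: the
    unauthorized-approval weakness. Locked records are not yet approved."""
    return sorted(r["id"] for r in records
                  if r["status"] == "unlocked" and r["approved_by"] == r["employee"])


def generic_accounts_with_update(listing):
    """Generic/shared accounts that can update HR master data."""
    return sorted(u["user"] for u in listing
                  if u["generic"] and u["transactions"] & HR_UPDATE_TXNS)


def broad_access_outside_group(listing, support_group="HR_SUPPORT"):
    """Users outside the support group holding SA38 or SE16, with the offending codes."""
    findings = {}
    for u in listing:
        hit = u["transactions"] & BROAD_ACCESS_TXNS
        if hit and u["group"] != support_group:
            findings[u["user"]] = sorted(hit)
    return findings


def pay_infotype_outside_hr(listing, hr_groups=("HR_SUPPORT",)):
    """Non-HR users who can maintain infotype 0008 through an update transaction."""
    return sorted(u["user"] for u in listing
                  if PAY_INFOTYPE in u["infotypes"]
                  and u["group"] not in hr_groups
                  and u["transactions"] & HR_UPDATE_TXNS)


def run_review(records=OVERTIME_RECORDS, listing=ACCESS_LISTING):
    """Bundle the four checks into one review result keyed by finding type."""
    return {
        "self_approved_overtime": self_approved_overtime(records),
        "generic_update_accounts": generic_accounts_with_update(listing),
        "broad_access_outside_hr": broad_access_outside_group(listing),
        "pay_infotype_outside_hr": pay_infotype_outside_hr(listing),
    }


if __name__ == "__main__":
    for finding, hits in run_review().items():
        print(f"{finding}: {hits}")
```

Each check returns the offending record or user ids rather than printing them, so the same functions can feed a ticket or a sign-off sheet for the periodic review the report says is missing.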

Monitoring Procedures (weakness): There are currently no monitoring procedures in place to periodically review and validate viewing and update access listings for key HR functions within the system.

Summary of Controls and Weaknesses
For each control objective, the matrix indicates whether the control objective is met and whether weaknesses were noted (see PDF version).

Process Description

HR Master Data
A Branch first identifies a staffing need and an appropriate HR/staffing activity is undertaken to fulfill the requirement. Possible scenarios for filling the position include an internal transfer within CIDA, a new employee, a secondment or an acting situation, among others. For all of the staffing needs noted above, a requirement for the entry of HR information into SAP arises. Each requirement is supported and/or initiated by the receipt of appropriate, approved documentation. The data entry functions are shared amongst a small number of groups within the Agency depending on the nature of the update required.

After the staffing events have been completed, the HR Advisor/Assistant updates the Eligibility List in SAP (transaction ZEGB) and the announcement is posted on Entre-Nous (CIDA's Intranet site). The HR Advisor/Assistant is also responsible for managing the appeal process. After the appeal period has expired, a letter of offer is produced and sent to the chosen candidate for acceptance: the HR Advisor/Assistant prepares two copies of the letter of offer and sends them to the candidate. Upon receiving the decision from the candidate, if the candidate declines the offer, the HR Advisor/Assistant selects the next qualified candidate from the eligibility list and continues the process until a candidate accepts. Once the candidate accepts the offer, a signed copy of the letter of offer is returned to the HR Advisor/Assistant. No SAP system updates (with the exception of the updates to the Eligibility List) are performed prior to the signed letter of offer being received by the HR Advisor/Assistant.

Upon receipt of the signed letter of offer, the HR Advisor/Assistant makes three copies of the letter of offer and sends one each to the Compensation and Benefits Advisor, the Branch Administrative Officer for the hiring Branch, and the Employment Equity Division; a copy is filed. The letter of offer also represents the notification/trigger for an entry in the SAP HR system. The Compensation and Benefits Advisor verifies the accuracy of the salary, bilingual bonus (if applicable), and the date of the next statutory increase. Should any corrections be required, the Compensation and Benefits Advisor makes the appropriate entries.

The Branch Administrative Officer performs the necessary action (i.e. hiring, transfer) in the SAP system and enters the relevant information from the letter of offer. Pre-configured HR actions are utilized during the creation and/or maintenance of an employee's file in the system, and for other types of personnel movements (transfers within CIDA, terminations, etc.) or other personnel file updates (salary changes, change in work hours, etc.). SAP HR actions essentially walk users through a system-based sequence to complete the required elements of information for a given HR activity (such as hiring, termination, transfer, promotion, etc.).

The actions configured in SAP for personnel movements (numbered 01, 02, 04, 05, 06, 07, 08, 13, 14, 15, 16, 18, 19 and 22 in SAP) are: Take on Strength (TOS); Change of Position/Pay/Status; Struck off Strength (SOS); Change: Basic Salary/Work Hours; Secondment In; Re-Taken on Strength (RTOS); Rehabilitation; Temporary Struck Off Strength; End of Secondment-In; Acting Situation; Re-Entry after SOS/New Sec. In; Assignment/Sec. Out (LWP); Return to Substantive Position. The groups responsible for performing these updates are the Branch Administration Officers, the Advisor, Pay and Benefits, the Assignment Division and the Languages Program and Education Leave Advisor; the pairing of each action number with its responsible group is shown in the PDF version.

For each of the actions, a series of infotypes appears in a pre-determined sequence, depending on what action is required in the system (see the list of actions above). An infotype is a grouping of information that is entered/shown on a specific screen in SAP. For example, basic pay/salary information is stored on infotype 0008. After the successful completion of one of the actions listed above, the employee's personnel file in SAP is updated. In addition, the assignment of employees to positions within the organizational structure in SAP is automatically updated through this process if the action involves movement of personnel into, within or outside of the Agency.

Employees are paid by PWGSC on behalf of Treasury Board through the On-Line Pay application. As such, the basic pay and other entitlements information (with the exception of leave and overtime, described in the Time Recording section below) captured in SAP is currently not directly relevant for payroll purposes. With the introduction of the Salary Forecasting System (SFS), however, this information will be used in the forecasting of salary costs for budgeting/planning purposes. The Compensation and Benefits Directorate (and specifically, the Compensation and Benefits Advisors) is responsible for data entry of payroll and benefits changes into the PWGSC On-Line Pay application. The Compensation and Benefits Advisors are notified of any new hirings, promotions or other changes through the receipt of a letter of offer. The Compensation and Benefits Advisors also handle payroll enquiries from employees. Should any adjustments to employee pay records be required, the Compensation and Benefits Advisors perform the update in the PWGSC compensation system and notify the appropriate Branch Administrative Officer. Corrections to an employee's information are made by the appropriate person, approved by the relevant certified HR Practitioner (i.e. HR Advisor/Assistant).

Leave and Overtime Recording
CIDA has developed a custom SAP solution for the collection of the following time related data: requests for leave, and overtime.

Leave
Employees are responsible for entering their own leave requests either directly into SAP (transaction ZAPT) or through the use of the Employee Self-Service (ESS) application. Leave entitlements are defined in the collective agreements for each category/classification of employee. For requests for leave, the SAP system automatically verifies whether the employee is entitled to the type of leave being requested and whether the number of days falls within the pre-established minimum and maximum days allowed. For valid requests, the employee's entries are saved in a "locked" status in the system and are not granted until an approval from the employee's supervisor is provided. SAP workflow functionality is used to route the request to the employee's Manager for approval based on the reporting relationships defined in the SAP organizational structure. This is achieved through either transaction ZAPT, PA61, the SAP Business Workplace (transaction SBWP) or via Lotus Notes. At the time of approval, SAP verifies whether or not the employee has the requisite amount of vacation entitlement remaining. Should an adequate balance not exist, the supervisor is not able to complete the approval function (i.e. unlock and save the request). Upon successful completion of the approval, the employee's corresponding quota/bank of leave is reduced by the approved amount.

On an annual basis (March 31), vacation payouts are calculated and recorded for unused balances that cannot be carried forward to the subsequent year. The Quota Balance Report (RPTBAL00 in SAP) is executed by the Compensation and Benefits Advisor and the excess entitlements are automatically calculated by SAP. The excess entitlement is defined as the amount over and above the allowable carry-forward number of days (i.e. 35 days, etc.). Responsible financial authorities within the Agency are then notified of the amounts applicable for their areas of responsibility for budget planning purposes. The Branch Administration Officers also have the ability to execute the report throughout the year if required. The amounts to be paid are then entered into the PWGSC compensation system by the Compensation and Benefits Advisor for settlement.

Overtime
Employees must also enter their own overtime information through the ESS application. Overtime can either be paid in cash or banked; the employee makes the choice at the time of entry into the system. Nevertheless, to be paid and/or banked, any overtime worked and recorded must be approved/unlocked by the employee's supervisor. As with the requests for leave, the request must be changed into unlocked (approved) status: the supervisor must approve/"unlock" the transaction in the system for the item to be completed. For employees who have selected to have their overtime paid in cash, the total number of hours of overtime entitlement is calculated by SAP (i.e. 1.5 times the hours worked, 1.75 times the hours worked, etc.) through the execution of the approved overtime report (transaction ZAHRPAYOTREP) by the Compensation and Benefits Advisor. The Compensation and Benefits Advisor then enters the number of hours into the PWGSC On-Line Pay system for payment to the employee. On an annual basis (October 1), unused banked overtime balances are identified and settled with employees. The process followed is the same as outlined above for the settlement of unused, excess vacation balances.

Organizational Management
Within the Organizational Management side of SAP HR, CIDA captures information on organizational units (responsibility centres) and positions. Required information includes the identification of a supervisor/subordinate relationship, a pay scale (pay grade and step) and classification information, among others. Changes to the organization structure are initiated by the Branches and entered into SAP by the Branch Administrative Officers. Pre-configured actions that walk users through the sequence of required infotypes for creation of organization units and positions within SAP are also used.

Per the CIDA business process, the Branch Administrative Officer creates the position in a "planned" status within the system. Subsequently, either the Branch Administration Officer or the Manager changes the status from planned to "submitted". The Classification Officer is then responsible to ensure that the position is assigned the proper classification by reviewing the data in the system; the Classification Officer is also responsible for making any adjustments necessary to the classification. Once the Classification Officer has reviewed a position, the entry can either be moved to "approved" or "rejected" status. If the position is approved, it is then made active and integrated into the organizational structure for CIDA. If the position is rejected, the Branch Administration Officer is notified and the organizational structure is not updated.
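The leave and overtime lifecycle described above (entry-time validation against the collective agreement limits, the "locked" status, the supervisor's unlock with a balance check, the quota reduction on approval, the cash multiplier for overtime, and the year-end excess over the carry-forward limit) is modelled below as an added Python example; it is not code from the report or from CIDA's custom SAP solution. The leave types, the minimum/maximum day values, the employee numbers and the function names are assumptions; the 35-day carry-forward figure and the 1.5 multiplier are the ones cited in the text.

```python
"""Added example (not CIDA's code): a small model of the leave and overtime
request lifecycle described in the process description above."""
from dataclasses import dataclass

# Constructed (min_days, max_days) per leave type; the real limits come from
# the collective agreements the report refers to.
LEAVE_RULES = {"vacation": (0.5, 25.0), "sick": (0.5, 15.0)}
CARRY_FORWARD_LIMIT_DAYS = 35.0  # allowable carry-forward figure cited in the report


@dataclass
class Employee:
    pernr: str             # personnel number (assumed identifier)
    supervisor: str        # from the reporting relationship in the org structure
    entitled: frozenset    # leave types this employee's agreement provides
    quotas: dict           # leave type -> remaining days
    banked_overtime: float = 0.0


@dataclass
class LeaveRequest:
    employee: str
    leave_type: str
    days: float
    status: str = "locked"  # saved locked; only the supervisor can unlock it


def submit_leave(emp, leave_type, days):
    """Entry-time checks: entitlement to the leave type and the min/max days.
    A valid request is saved in locked status, not yet granted."""
    if leave_type not in emp.entitled:
        raise ValueError(f"{emp.pernr} is not entitled to {leave_type} leave")
    lo, hi = LEAVE_RULES[leave_type]
    if not lo <= days <= hi:
        raise ValueError(f"{days} days is outside the {lo}-{hi} day range for {leave_type}")
    return LeaveRequest(emp.pernr, leave_type, days)


def approve_leave(req, emp, approver):
    """Approval-time checks: only the routed supervisor may unlock (never the
    employee), the request must still be locked, and the balance must cover it.
    On success the quota is reduced and the request becomes unlocked."""
    if approver != emp.supervisor or approver == emp.pernr:
        return False
    if req.status != "locked":
        return False
    if emp.quotas.get(req.leave_type, 0.0) < req.days:
        return False  # supervisor cannot unlock and save the request
    emp.quotas[req.leave_type] -= req.days
    req.status = "unlocked"
    return True


def record_overtime(emp, hours, multiplier, paid_in_cash, approver):
    """Approved overtime: return the cash entitlement in hours at the agreement
    multiplier (e.g. 1.5), or bank the hours and return 0.0. None if not approved
    by the supervisor."""
    if approver != emp.supervisor or approver == emp.pernr:
        return None
    if paid_in_cash:
        return hours * multiplier
    emp.banked_overtime += hours
    return 0.0


def excess_vacation(emp):
    """Year-end excess: vacation days above the carry-forward limit, to be paid out."""
    return max(0.0, emp.quotas.get("vacation", 0.0) - CARRY_FORWARD_LIMIT_DAYS)


def demo():
    """Walk one employee through the lifecycle; returns the observable results."""
    emp = Employee("E100", "E200", frozenset({"vacation", "sick"}),
                   {"vacation": 40.0, "sick": 10.0})
    req = submit_leave(emp, "vacation", 3.0)
    self_ok = approve_leave(req, emp, "E100")    # employee cannot approve own request
    sup_ok = approve_leave(req, emp, "E200")     # supervisor unlocks; vacation 40 -> 37
    big = submit_leave(emp, "sick", 12.0)        # within 0.5-15, so it saves as locked
    big_ok = approve_leave(big, emp, "E200")     # only 10 sick days left: cannot unlock
    cash = record_overtime(emp, 4.0, 1.5, True, "E200")
    return (self_ok, sup_ok, big_ok, emp.quotas["vacation"], cash,
            excess_vacation(emp), req.status, big.status)


if __name__ == "__main__":
    print(demo())
```

The two validation points are deliberately separate functions: the type and min/max checks run when the employee enters the request, while the balance check runs at approval time against the quota as it stands then, which is the order the text describes.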

Security and Privacy
A role based security strategy has been developed and configured to provide users with access to only those transactions and infotypes required for their job functions. For example, the design calls for Branch Administrative Officers to be limited to performing tasks and viewing information for only those employees within their Branch. SAP security configuration is also utilized to protect personal information such as employment equity information, home address and qualifications recorded on specific infotypes. Finally, users are limited to viewing and maintaining HR information for only those employees within their area of responsibility.

Alternate Formats
SAP HR System - Internal Audit Report (PDF 180.3 Kb, 47 pages)

Date Modified: 2012-08-29