
SAP HR System

Internal Audit Report


July 7, 2005
Internal Audit Division
Performance and Knowledge Management Branch

Canadian International Development Agency


200 Promenade du Portage
Gatineau, Quebec
K1A 0G4
Tel: (819) 997-5006
Toll free: 1-800-230-6349
Fax: (819) 953-6088
(For the hearing and speech impaired only (TDD/TTY): (819) 953-5023
Toll free for the hearing and speech impaired only: 1-800-331-5018)
E-mail: info@acdi-cida.gc.ca

Internal Audit of the SAP HR System

Table of Contents
Summary ......................................................................................................... 3
1. Context ......................................................................................................... 5
2. Objective, Scope and Methodology ............................................................ 6
   2.1 Objectives ............................................................................................. 6
   2.2 Scope .................................................................................................... 6
   2.3 Methodology ......................................................................................... 7
3. Observations & Recommendations ........................................................... 8
   3.1 Observations Arising from the review of SAP HR Processes .............. 8
   3.2 Observations Arising from the Benchmarking of the SAP Support Group Structure ... 17
   3.3 Observations Arising from the Assessment of SAP HR Functionality ... 21
Conclusion ....................................................................................................... 23
Appendix A Summary of Audit Recommendations ....................................... 24
Appendix B Control Objectives/Audit Criteria for the SAP HR Process Review ... 35
Appendix C SAP HR Control Framework ....................................................... 36

Internal Audit Report July 7, 2005

Canadian International Development Agency

Internal Audit of the SAP HR System

Summary
At the request of the Director General of the Human Resources Division (HRD), the
Performance Review Branch performed a preliminary survey in order to identify issues relating
to Human Resource Management.
As a result, three follow-on reviews/audits were identified and initiated. This report is on the
audit and assessment of the SAP HR module in operation at CIDA.
The overall objective of the audit is to assess the functionality of the SAP HR system, by:

- Documenting the system controls and assessing the adequacy and use of the system;
- Assessing the accuracy and integrity of the information emanating from the application;
- Assessing the effectiveness and efficiency of the system and identifying areas for improvement;
- Reviewing and evaluating the appropriateness of access authorities to ensure the privacy/protection of personal data;
- Benchmarking the level of resources required to maintain and to enhance the system against similar organizations; and,
- Assessing the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

As a result, we can conclude that the functionality required to support the business needs of HRD and the Agency overall has been implemented. However, some areas for improvement in the effectiveness, efficiency and data integrity within the business processes and reporting have been identified. The control framework also requires improvement, with a specific focus on increased monitoring of changes to master data elements and on the performance of periodic data quality reviews. An adequate framework for the design of user access privileges has been developed; however, issues currently exist with its technical implementation through the SAP application security functionality.
Based on the results accumulated through a benchmarking survey, the size of the SAP HR support group is larger than those of the organizations polled.
The main observations and recommendations arising from the audit are:

- HRD should modify the business processes surrounding acting situations to incorporate the entry of all EX acting situations into the SAP HR application and ensure that all terminated acting assignments are reflected in the system on a timely basis;
- HRD, in collaboration with IMTB and the Branches, should develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA;
- The Compensation and Benefits Directorate should perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application once a year;
- IMTB, in conjunction with HRD and the SAP Support Group, should correct the configuration of the security role for the Branch Administrators to eliminate their ability to submit and approve their own overtime and leave requests;
- HRD and the SAP Support Group should develop monitoring procedures for the review of leave balances by Responsible Managers on a regular basis;
- IMTB, in cooperation with the SAP HR Support Group, should review the configuration of access privileges assigned to the Branch Administrative Officers to prevent them from creating and activating new positions, thereby allowing the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles and responsibilities;
- IMTB should remove the access of non-HR SAP Support Group members and IMTB users that are not involved in supporting HR;
- IMTB should perform Privacy Impact Assessments in accordance with Treasury Board requirements;
- IMTB should remove the ability to view personal information through direct query of HR tables and the ability to execute reports through SA38, and should adjust the configuration of security over reporting of HR information to protect personal information;
- IMTB should limit the use of generic accounts;
- IMTB, in conjunction with HRD and the SAP Support Group, should develop a set of security monitoring procedures in order to identify potential access irregularities for correction;
- CRC should decide on the staffing levels for the SAP HR Support Group;
- HR business process focused training (as opposed to SAP data entry training) should be developed by HRD to enhance users' knowledge of business process and policy requirements; and,
- The SAP HR Support Group should examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs.


1. Context

At the request of the Director General of the Human Resources Division (HRD), the
Performance Review Branch performed a preliminary survey in order to identify issues relating
to Human Resource Management.
As a result, three follow-on reviews/audits were identified and initiated. This report is on the
audit and assessment of the SAP HR module in operation at CIDA.
Overview of SAP Human Resources Modules
The Human Resources module of SAP in operation at CIDA is divided into three major applications: Personnel Administration (PA), Organization Management (PD) and Time Management. The PA sub-application includes employee information and employee classifications. The PD sub-application covers organization management, which includes the organizational structure, the position classifications and other organizational structure information. The Time Management functionality is used to capture requests for leave and overtime compensation and to provide an electronic approval of the requests by employees' supervisors.
The new Salary Forecasting System (SFS) within SAP was implemented as of April 1st, 2004. This functionality will use the salary information captured for Agency employees within the SAP application and essentially provide a budget figure for salaries remaining to be paid within a given fiscal/budget year. As of March 2004, CIDA's salary forecasting system was not within the SAP system.
Infotypes
Functionality within the SAP application, and the information stored within an employee's on-line personnel file, is centred on the concept of an infotype. By definition, an infotype is a screen within the SAP application that captures specific pieces/elements of information. For example, infotype 0002 contains personal information (name, date of birth, SIN) for all employees, and infotype 0008 contains basic/annual salary information. As this concept is central to the operation of the system, the information within sensitive/personal infotypes must also be adequately protected from unauthorized change or viewing.


2. Objective, Scope and Methodology

2.1 Objectives

The overall objective of the audit is to assess the functionality of the SAP HR system, including the following:

Review of SAP HR Processes (Section 3.1)
- To document the system controls and to assess the adequacy and use of the system;
- To assess the accuracy and integrity of the information emanating from the application;
- To assess the effectiveness and efficiency of the system and to identify areas for improvement;
- To review and evaluate the appropriateness of access authorities to ensure the privacy/protection of personal data;

Benchmarking of the SAP Support Group Structure (Section 3.2)
- To benchmark the level of resources required to maintain and to enhance the system against public sector organizations with SAP HR (two in the Federal Government and two others); and,

Assessment of SAP HR Functionality (Section 3.3)
- To assess the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.

2.2 Scope

The audit was focused on the assessment of functionality within the SAP HR application. This included a detailed review and examination of the configuration of the system as well as the configuration and assignment of specific access rights to users. Processes and procedures supporting the integrity of the data within the application were also evaluated, such as the use of monitoring reports for the verification of data subsequent to entry into the system.


The evaluation of the new SFS functionality was also excluded, as it was not implemented as of March 31, 2004. Also excluded from the scope of the review were the processes, procedures and overall control framework in place within PWGSC's On-Line Pay (OLP) application.
The focus of the audit was strictly the review and assessment of the control framework and the functionality of CIDA's SAP HR application.
2.3 Methodology

This audit was performed according to the Treasury Board policy on internal audit and the audit standards of the Institute of Internal Auditors. The audit was conducted from February 10, 2004 to March 31, 2004. Our audit approach was:

- To gather information on concerns over SAP HR within CIDA by reviewing 2 other HR internal audits that were recently completed along with the preliminary survey of the HR function;
- To develop internal control objectives relating to the SAP HR functionality implemented at CIDA against which to perform the detailed control-based analysis;
- To gather information on the current SAP HR functionality, supporting business processes and the control framework supporting the accuracy and completeness of the data, through a selection of interviews and a system set-up review;
- To review and analyze supporting process documentation relating to SAP HR processes, as provided by interviewees;
- To perform an assessment of the efficiency and effectiveness of the SAP system and processes;
- To perform a review of the key system-based controls in SAP HR, including user access rights to perform HR related functions, the protection of personal information and configuration data validation rules;
- To accumulate data on support group size and composition through the completion of surveys by local organizations (public sector and other) utilizing SAP HR for benchmarking purposes; and,
- To perform a benchmarking of the size and composition of the SAP HR support group against similar organizations.

The control objectives and audit criteria are documented within Appendix B.


Process descriptions and the control framework are included in Appendix C. The control framework presentation was used to analyze and to identify internal control strengths and weaknesses associated with the SAP HR audit work. It was also used to analyze whether the particular objectives and assertions have been satisfied by the existing control processes/procedures identified.

3. Observations & Recommendations

3.1 Observations Arising from the review of SAP HR Processes

The following observations stem from interviews with the SAP HR support group and users of the system, and from a review of documentation outlining the set-up or configuration of the system and access profiles, as well as the design of supporting business processes. The appropriateness of the assignment of access rights to users was also reviewed, as well as the configuration of the SAP access profiles.
HR Master Data
Overall, the integrity of HR related information is supported through the implementation of system-based checks and validations, which are currently in operation within the HR module. For example, with regards to the hiring of an employee, the application has been set up with pre-established routines to take users to the necessary screens for population of data, required fields have been configured within the screens, and access rights to perform the maintenance actions have been restricted to authorized individuals.
It was noted, however, that selected personnel movement situations (such as EX acting assignments that do not affect pay) are currently not being entered into the system. This has an adverse impact on the routing for the approval of an employee's overtime and leave requests established in the system, as the organizational structure is not updated with the most current information. For example, if an EX-01 level individual acts as an EX-02, no changes are made in SAP HR until a 3-month period has elapsed, as no payroll changes are required. It was further noted that the expiration of acting assignments is not being reflected on a timely basis. These actions require user intervention within the application, and the lack of system updates to reflect the actual movements decreases the overall integrity and accuracy of the data in the HR application.
The impact of this situation is that leave balances may not be updated on a timely basis and/or overtime due to an employee may not be paid on a timely basis. Alternatively, this situation could result in requests for leave and overtime being approved by an unauthorized person for the purpose of clearing old items in the system.
While the system-based controls are appropriate, it was noted during the audit that opportunities for improvement of the data integrity verification procedures exist. Specifically, a number of current manual and/or monitoring (i.e. non system-based) validation processes, which are normally put in place to detect anomalies in captured data, are candidates for improvement.
There are currently no formal processes in place for the periodic review and approval of SAP HR information by responsible managers within the Branches, or by individuals within HRD. This includes both the review of organizational structure and personnel assignments in SAP (at the Branch level) and the comparison and reconciliation of pay information against PWGSC's On-Line Pay system by Compensation and Benefits. The On-Line Pay application contains more pristine information on pay and benefits, as Agency employees are currently paid via this system. Comparisons to this source of information strengthen the integrity of the classification and payroll related employee data captured in the SAP application.
References (for additional details see Appendix C, SAP HR Control Framework):
- Control Weakness #1 Acting Assignments;
- Control Weakness #2 Monitoring Reports for HR Master Data;
- Control Weakness #3 PWGSC On-line Pay Reconciliation with SAP.

Recommendations

1. It is recommended that HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.

2. It is recommended that HRD, in collaboration with IMTB and the Branches, develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility and will also identify acting situations that have not been recorded and/or acting situations that have expired without the expiry being recorded. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by HRD.


3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application once a year.

Management Responses

1. Agree that rationalization of leave and overtime approval authorities is required to reflect EX acting situations that do not result in changes to rates of pay, but disagree with the proposed corrective action plan.
The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situations in the SAP system now, without a system configuration.
The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices.

2. Agree. HRD, in collaboration with IMTB and the branches, will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situation within the manager's own branch. Also, HRD will assess the integrity of the organizational structures at the Agency level.
Roles and responsibilities will be defined and processes installed through the SAP-HR Improvement Project (SHIP) initiative.
Business process and definition of roles and responsibilities through the SAP-HR Improvement Project (SHIP) initiative.

3. Agree. Files are being created to compare data between the On-Line Pay System and SAP-HR employees' position classification and pay scale.
This comes under the SAP-HR Improvement Project (SHIP) initiative: Enhancement of Quality Control.

Leave and Overtime Recording

CIDA has developed an Agency-specific solution for the creation/entry of leave requests and overtime entitlements. In this business model, employees are responsible for entering their own requests for leave and requests for approval of overtime worked, as well as selecting the method by which they would like to be compensated for their overtime entitlement (i.e. banked time or cash payout). Upon entry of the request, SAP automatically verifies whether the request is in accordance with the employee's appropriate collective agreement provisions. The employee's supervisor is then responsible for examining the requests and for approving or unlocking the item so that it can be committed to the database/recorded and settled (i.e. banked or paid out).
Generally, the SAP access roles for Employees and Supervisors were appropriately configured to enforce the business rules/process outlined above. However, when these access rights were combined with other access rights in SAP, 31 Branch Administrative Officers had the ability to enter and approve/unlock their own requests. This situation increases the risk of unauthorized overtime being paid out, as these individuals can submit and approve their own overtime requests. This represented a known issue within the SAP system, with a decision taken by management to control the process through detective/monitoring type processes.
Furthermore, there are no periodic review processes in place to provide for the integrity of leave data for employees. Without a proper detective control to ensure that employees are recording all leave taken in SAP, individuals could possibly take more leave than they are entitled to and/or the Agency could pay out amounts for invalid/inaccurate balances. The system can help managers monitor whether or not employees are recording their leave.
References (for additional details see Appendix C, SAP HR Control Framework):
- Control Weakness #4 Unauthorized Approval of Overtime;
- Control Weakness #5 Monitoring of Leave Balances Accuracy.

Recommendations

4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group, correct the configuration of the security role for the Branch Administrators to eliminate the ability to submit and approve their own overtime and leave requests. Specifically, the Branch Administrators' access should be limited to submitting their own requests for subsequent approval by their Supervisors.

5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.

Management Responses

4. Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.

5. Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leave calendars to ensure that leave taken is recorded appropriately. HRD will send out a reminder to managers to this effect.
A new tool to be launched in September 2005, Manager Self Services (MSS), will assist managers in this regard.
Organizational Management
The organizational management functionality within SAP contains the active organizational structure of the Agency, including the design of specific organization units (i.e. Branches) and positions. Individual positions are created as elements of master data and include the reporting relationship between positions and the classification/planned compensation based on collective bargaining agreements. When employees are hired, they inherit the attributes of the position, including the salary and classification, and the employee is also placed into the appropriate place in the organizational structure. This is referred to as the integration of Personnel Administration and Organizational Management within SAP HR.
The maintenance of position data at CIDA is a shared responsibility between the Branches (Branch Administrative Officers and the Branch Managers) and the Classification Division. The current business process stipulates that the Branch Administrative Officer is responsible for setting up the new position or making a position data change in a proposed status for subsequent approval by the Branch/Responsible Manager. Subsequently, the Classification Officer reviews the classification and either approves or rejects the position. If it is approved, the position becomes active and is introduced into CIDA's organizational structure.
This self-service type of business process is becoming more popular for SAP clients, and the sharing of data entry functions as outlined above is consistent with the trends occurring elsewhere in the public and private sectors. In this new business model, end-user departments (such as the Branches) are typically responsible for data entry, with an oversight function being performed by a centralized body.
Branch Administrative Officers currently have the access in the SAP system to create positions, assign a classification in SAP and make them active within the organizational structure at CIDA. They also have the ability to appoint or hire individuals into these positions. When this type of access is combined with position maintenance access, a segregation of duties risk within SAP is created, as individuals could be appointed or hired into positions without a proper classification. The risk of improper classification and non-compliance with delegation of authorities is also increased, as Branch Administrative Officers and the Responsible Managers do not currently have the delegation/classification authority for positions. To compensate for this risk, the SAP HR Support group developed a monitoring report that provides a daily listing of the new positions that have been created and classified in the system. This monitoring report is supposed to be reviewed by the Classification Division, with any required corrections discussed with the Branches. It was noted, however, that this report is currently not being reviewed on a daily/regular basis, given workload and backlog issues within the Classification Division.


References (for additional details see Appendix C, SAP HR Control Framework):
- Control Weakness #6 Position Master Record Maintenance.

Recommendation

6. It is recommended that IMTB, in cooperation with the SAP HR Support group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers, as they can currently create new positions without intervention from the Classification Division. This configuration will allow the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles and responsibilities.

Management response

6. Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system.
The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the Branch Administrators' role is being reviewed to limit their access when creating a position for classification.
Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAO.
This comes under the SAP-HR Improvement Project (SHIP) initiative.

Security and Privacy

Human Resource applications typically contain a number of elements of personal information that must be protected from unauthorized disclosure. Given the importance of emergency contact information and the financial impact of pay information (with the implementation of SFS), it is important to limit the ability to update this information to authorized individuals only.
At the time of the SAP HR implementation in October 2000, an assessment of the information captured in the system was performed to identify elements of information that should not be available for viewing to persons other than those designated. Specific examples of data covered in this analysis include employment equity information and personal qualifications. Treasury Board requirements state that a Privacy Impact Assessment (PIA) must be undertaken for any major system change where personal information is involved. In the new fiscal year, CIDA is planning to implement new functionality for salary forecasting (Salary Forecasting System, SFS), and no PIA has been undertaken to date.
In general, while the security and privacy design approach/framework in CIDA for granting HR access appears adequate for protecting personal information, some configuration breakdowns/abnormalities were noted during the audit that circumvented the key planned controls limiting users to their own areas of responsibility (i.e. Branch) when executing HR reports.
The two configuration exceptions relate to the viewing/reporting of information. The first exception is that, as of March 22, 2004, over 1700 user accounts (i.e. all CIDA employees and consultants) had access to view HR data at the table level through table browser transactions (SAP transaction code SE16). Effectively, this profile configuration represents a "back door" that allows users to view information (including sensitive HR information) that is not required for their job functions. This configuration could also result in violations of the Privacy Act, which outlines requirements for the protection of personal information for government employees.
The second exception involves the configuration of an SAP-delivered override. Specifically, when the P_ABAP authorization object is configured with specific values and assigned to users, the regular SAP security checks performed during the execution of HR reports are deactivated. For example, if users are assigned access profiles that prevent them from viewing employees outside of their area of responsibility (i.e. Branch), the configuration of the override will allow them to see employees outside of their Branch on reports if requested (i.e. information that they are not authorized to view). Authorizations set up in this manner allow individuals to have access to all HR information on a report even though their user profile is configured to restrict them from accessing the data. Currently, 129 users have been provided with this override.
The audit of the HR end user access profiles revealed that 14 roles/profiles had been given access to run programs directly (i.e. other than through specific access to reports/transactions) through the ability to execute programs via a centralized mechanism (transaction SA38). The effect of this functionality is essentially to bypass the transactional restrictions imposed on users. These transactions could also provide access to sensitive HR reports and transactions and therefore provide an alternative means of accessing HR information. Although the configuration does restrict the users to specific reports within the HR function (through the use of authorization group flags and the authorization object S_PROGRAM), there are a number of reports in SAP, including HR reports, for which this level of protection is not available.
Access to perform maintenance of specific pieces of information or infotypes and/or to view selected sensitive infotypes is also available to SAP Support personnel who are not directly involved with the support of the HR modules. This includes selected Support individuals for SAP financial applications, as well as members of IMTB (such as Security Administrators).
A specific issue test conducted as part of the audit was to examine the use of generic accounts
within the system. Generic accounts/IDs are defined as user accounts that are not directly tied to
an individual and/or are shared for maintenance purposes. The SAP HR support group has
adopted a specific naming convention for its group's users. Specifically, the HRAIS series of
accounts was created to prevent users from calling SAP support group members directly if a
change is made to an employee's information. However, members of the support group have
been given their own unique HRAIS account (i.e. HRAIS01, HRAIS02, etc.) that is tied directly
to them through the text field name on the account. They are also responsible for keeping their
own passwords confidential. Finally, the same HRAIS account will not be assigned to a new
employee after the departure of a support group team member. Therefore, the HRAIS series of
accounts is not considered to be a set of generic accounts.
Nevertheless, there are some generic accounts that currently have access to perform maintenance
functions and/or view sensitive information. Accounts such as WFADMIN, WFADMIN2,
WFADMINTEST, WORKFLOW, PHOENIX and ACDI-CIDA all have access to perform HR
functions.
References (for additional details see Appendix C HR Artpack):
Control Weakness #7 Non SAP HR Support Group Access
Control Weakness #8 Privacy Impact Assessment
Control Weakness #9 SAP HR Table Access
Control Weakness #10 SAP HR Report Execution
Control Weakness #11 SAP HR Reporting
Control Weakness #12 Generic Accounts
Control Weakness #13 Monitoring Procedures

Recommendations
7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.
8. It is recommended that IMTB should perform Privacy Impact Assessments in accordance with Treasury Board requirements.
9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.
10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured, be removed from end-user access profiles by IMTB.
11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and corrected by IMTB.
12. It is recommended that IMTB limit the use of generic accounts.
13. It is further recommended that IMTB, in conjunction with HRD and the SAP Support Group, develop a set of security monitoring procedures focused on reviewing lists of users with access to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction.
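The review Recommendation 13 calls for can be run as a repeatable check over an export of user authorizations; the following Python is an added example for this report (not code from the audit or from CIDA's system) that flags the conditions in findings 9 to 13: the P_ABAP override, SA38/SE38/SE16 access, personal-data infotypes and generic accounts. It assumes the export is a list of (user, authorization object, field, value) rows plus a map of each account to the name in its text field; the infotype set, the meaning of COARS = '2', and all sample accounts other than WFADMIN and PHOENIX are assumptions.

```python
"""Periodic access review of the kind Recommendation 13 asks for (added example, not from
the report). Input: a constructed extract of (user, object, field, value) authorization rows
and the owner name from each account's text/name field."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch

# Bypass routes named in the report.
DIRECT_EXECUTION_TCODES = ("SA38", "SE38")   # run any report/program, bypassing tcode restrictions
DIRECT_TABLE_TCODES = ("SE16",)              # read HR tables directly, bypassing report checks
# Example set of infotypes holding personal data (assumption: 0002 personal data, 0006 addresses,
# 0008 basic pay, 0009 bank details).
SENSITIVE_INFOTYPES = {"0002", "0006", "0008", "0009"}
# The report treats this series as individually owned accounts, so it is exempt from the
# generic-account rule even when the owner field is empty in the extract.
OWNED_SERIES_PREFIX = "HRAIS"


@dataclass(frozen=True)
class Finding:
    user: str
    check: str    # the recommendation the finding maps to
    detail: str


def _grants(values, tcode):
    """True if any S_TCODE value (exact, or using SAP's '*' wildcard) covers the transaction."""
    return any(fnmatch(tcode, v) for v in values)


def review_access(auth_rows, owner_by_user):
    """Return the list an access reviewer acts on: override holders, bypass transactions,
    personal-data access and generic accounts, sorted by user then check."""
    by_user = defaultdict(list)
    for user, obj, field, value in auth_rows:
        by_user[user].append((obj, field, value))

    findings = []
    for user in sorted(set(by_user) | set(owner_by_user)):
        rows = by_user.get(user, [])
        objects = {o for o, _, _ in rows}
        tcodes = {v for o, f, v in rows if o == "S_TCODE" and f == "TCD"}

        # Rec. 11: any P_ABAP assignment deactivates the regular HR report checks; COARS '2'
        # is the value SAP documents as switching all of them off (assumption for this example).
        if "P_ABAP" in objects:
            coars = sorted(v for o, f, v in rows if o == "P_ABAP" and f == "COARS")
            level = "full" if "2" in coars else "partial"
            findings.append(Finding(user, "P_ABAP override",
                                    f"{level} deactivation of HR report checks (COARS={coars})"))

        # Rec. 10 / Rec. 9: transactions that bypass transactional and reporting restrictions.
        hits = [t for t in DIRECT_EXECUTION_TCODES if _grants(tcodes, t)]
        if hits:
            findings.append(Finding(user, "direct program execution", "via " + ", ".join(hits)))
        hits = [t for t in DIRECT_TABLE_TCODES if _grants(tcodes, t)]
        if hits:
            findings.append(Finding(user, "direct table access", "via " + ", ".join(hits)))

        # Rec. 13: who can read personal-data infotypes (P_ORGIN INFTY, with '*' meaning all).
        infotypes = {v for o, f, v in rows if o == "P_ORGIN" and f == "INFTY"}
        sensitive = sorted(SENSITIVE_INFOTYPES if "*" in infotypes
                           else SENSITIVE_INFOTYPES & infotypes)
        if sensitive:
            findings.append(Finding(user, "personal data access",
                                    "infotypes " + ", ".join(sensitive)))

        # Rec. 12: an account with no person in its name field is generic unless it belongs to
        # the individually owned HRAIS series.
        if not owner_by_user.get(user) and not user.startswith(OWNED_SERIES_PREFIX):
            detail = ("holds HR authorizations" if objects & {"P_ORGIN", "P_ABAP"}
                      else "no HR authorizations in extract")
            findings.append(Finding(user, "generic account", detail))

    return sorted(findings, key=lambda f: (f.user, f.check))


def summarize(findings):
    """Counts per check, e.g. how many users hold the P_ABAP override."""
    return Counter(f.check for f in findings)


# Constructed sample extract. WFADMIN and PHOENIX are account names from the report;
# the other users and every authorization value are made up for the example.
SAMPLE_OWNERS = {"HRAIS01": "A. Tremblay", "JSMITH": "J. Smith", "MLEE": "M. Lee",
                 "WFADMIN": "", "PHOENIX": ""}
SAMPLE_AUTH_ROWS = [
    ("HRAIS01", "S_TCODE", "TCD", "PA30"),
    ("HRAIS01", "P_ORGIN", "INFTY", "*"),
    ("JSMITH", "S_TCODE", "TCD", "SA38"),
    ("JSMITH", "P_ABAP", "REPID", "*"),
    ("JSMITH", "P_ABAP", "COARS", "2"),
    ("MLEE", "S_TCODE", "TCD", "PA20"),
    ("MLEE", "S_TCODE", "TCD", "SE16"),
    ("WFADMIN", "S_TCODE", "TCD", "*"),      # wildcard covers SA38, SE38 and SE16
    ("WFADMIN", "P_ORGIN", "INFTY", "0008"),
]

if __name__ == "__main__":
    results = review_access(SAMPLE_AUTH_ROWS, SAMPLE_OWNERS)
    for f in results:
        print(f"{f.user:<8} {f.check:<26} {f.detail}")
    print(dict(summarize(results)))
```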

Management Responses
7. Agree. This was done in conjunction with item 13, SR 3462.
8. Agree. However, Privacy Impact Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIA's. IMTB is incorporating processes into the SR and System Development Procedures to identify systems changes and systems requests that may require PIA's; and, ensuring that System Owners and the Privacy Coordinator are informed. These assessments will be conducted and modified if needed. This comes under the SAP-HR Improvement Project (SHIP) initiative.
9. Agree. SR3194 was registered, addressed & completed in December 2004.
10. Agree. Transactions SE38 & SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 & SR3058. The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job, therefore cannot be removed.
11. Agree. HR Job roles were reviewed. SR3463 was opened.
12. Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not generic accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account. Access is being revised (through SR 3314) ensuring limited access to information. The Phoenix and ACDI-CIDA accounts are also being revised to ensure that minimal access is granted.
13. Agree. SR3462 was opened and appropriate configuration was done in SAP-HR to action this recommendation.


3.2. Observations Arising from the Benchmarking of the SAP Support Group Structure
The preliminary survey conducted prior to the execution of specific audits outlined that HRD
currently has ten staff to maintain the SAP HR module.
Further examination of the ten positions revealed that the figure includes a Manager who also has
other responsibilities. As of May 4, 2004, the group was made up of the following individuals; in
addition, one full-time consulting SAP HR expert is currently on site providing expert advice on
the development and implementation of the Salary Forecasting System:
2 Senior HR Systems Officers;
3 HR Systems Officers;
1 HR Junior System Officer;
2 full-time expert consultants;
2 full-time junior consultants; and
1 full-time SAP HR consultant.
The total number of support employees for SAP HR is eleven.

Table 1 Benchmarking Data

Area | Organization 1 (Public Sector) | Organization 2 (Public Sector) | Organization 3 (Public Sector) | Organization 4 (Public Sector) | CIDA
SAP HR Functionality | PA, PD, Time Entry (CATS) | PA, PD, Time Entry, Training & Events, Payroll | PA, PD, Time Entry, Training & Events, Payroll | PA, PD | PA, PD, Time
Approximate Number of SAP HR Users | 500 (excluding employee self-service) | 2,000 | 2,500 | 290 | 300
Number of Employees | 3,500 | 45,000 | 43,000 | 9,600 | 1,550
Number of Support Employees | 1.25 | 50 | 40 | 3.25 | 11
Number of SAP HR Consultants in Support Group | .25 (programmer) | 5 (module experts) | 10 (module experts, programmers) | 0 |
Ratio of Support Group to Users | 1:400 | 1:40 | 1:63 | 1:90 | 1:27
Ratio of Support Group to Employees | 1:2800 | 1:900 | 1:1075 | 1:2950 | 1:141
HR Master Data Maintenance Model | Centralized | Decentralized | Decentralized | Decentralized | Decentralized

Table 1 summarizes the results of the benchmarking survey that was conducted for 4 public
sector organizations that currently use some components of the SAP HR module. Two key
ratios, the ratio of support group employees to users and the ratio of support group employees to
employees, were calculated and used as the primary basis for comparing their support
structures with CIDA's. Based on the comparative ratios, CIDA's SAP HR support group
composition should be between 1 and 2 full-time equivalents.
As outlined in Table 1, CIDA's ratios of support personnel to active employees and of support
personnel to users are significantly lower than those of the other organizations, while CIDA sits
near the middle of the pack based on the number of users. The figures point to an overstaffing
situation within the SAP HR support group; however, other factors must be taken into
consideration. Specifically, the following differences were noted:
Individuals within the support group are currently working on the implementation of new functionality (SFS);
The support group is currently leading and/or performing data quality activities for clean-up purposes, which is ultimately outside of the scope of their mandate for delivery; and
Other organizations included in the benchmarking survey have training super users within the individual user groups, whereas CIDA has kept the notion of centralized support.
Furthermore, the SAP support group is currently meeting its specific service level agreement
timelines, with a minimum of spare resource cycles, as was noted in our interviews. Finally, as
the SFS moves into the production environment, additional support requirements will be created
to cover the new functionality and end-user support requirements.
If the SAP support group is to be reduced, functions currently being undertaken by individuals
within this group will need to be performed by the business functions. Specifically, the
responsibility for data quality and verification would need to be shifted to the Branches and
support functions (i.e. IMTB) within CIDA.
Recommendation
14. It is recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.

Management response
14. Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play, including but not exclusively those recommended in the audit report.

CIDA is the only government department in Schedule I.1 of the Financial Administration
Act that uses the SAP-HR module. All other public sector organizations using SAP-HR
have terms and conditions of employment or HR business practices that do not conform
in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other
organizations that do not share the same business requirements is of limited value.
Maintenance of data integrity and training costs are a major ongoing investment because
staff recruited to CIDA from other government departments and trained in a shared
inter-government system must learn a new application before they can become fully
CIDA-functional. This ongoing demand in large part explains the current level and focus of
CIDA's SAP-HR resources.
This situation is well known within CIDA and has generally been viewed, up to now, as an
accepted cost of doing business because the benefits to the SAP system overall were
considered to outweigh the investment costs and risks of maintaining the SAP-HR
module.
We agree with the audit findings that regardless of the chosen accountability model,
resources are still required to support the application. The question is whether they can be
more effectively managed if the accountabilities were shifted to other parts of CIDA.
Initiatives In Play:
1. The increasing interest in the government-wide Shared Services initiatives for corporate functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term.
2. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application.
Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for
which HRCSB is responsible to support is currently underway to look for ways to further
optimize the investment of SAP resources. HRD is contributing to this review and will
implement the decisions, once known.

3.3 Observations Arising from the Assessment of SAP HR Functionality


Within the preliminary survey and within the interviews conducted as part of this and other
audits of HR related activities, a number of observations were made with regard to the
functionality of the HR system. Comments ranged from the lack of usable reports to a lack of
understanding of system functionality. SAP HR functionality and set-up are complex areas to
understand.
After obtaining a high-level understanding of the business needs for SAP HR within CIDA
and after reviewing the set-up and effectiveness of the application's control framework, we found
that all of the expected functionality required to perform daily activities related to the movement
of employees, the management of the organizational structure, and the entry and approval of time
and leave requests has been implemented. Therefore, the basic needs for the management of
employee information and organizational structure, as well as leave and overtime processing, are
being met by the current system.
Nevertheless, two specific observations have come to our attention. First, there is a need for
additional business training to be provided to users of the HR functionality. Current training
programs are focused on the technical data entry steps of SAP transactions without necessarily
providing participants with background as to the importance of their work and its impact on
decision-making.
Second, difficulties in reporting on SAP information are experienced by a large number of
organizations, including CIDA. However, a significant number of standard SAP reports are
delivered with the application, and CIDA has developed custom reports to serve its users. If
users feel that they are lacking information, specific causes could be a lack of understanding of
the report output contents, reports that do not meet end-user requirements and/or overall data
integrity issues.
Recommendations
15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.
16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs. If additional reports or information are required, we further recommend that additional reports be developed. Alternatively, if the examination identifies gaps in report understanding, we recommend that action plans be developed to close the gaps through additional training.

Management responses
15. Agree. A corrective action plan is underway to ensure that:
SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation);
Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects);
SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and
End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner.
This comes under the SAP-HR Improvement Project (SHIP) initiative.
16. Agree. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users. Clean up of data, documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan. Assuming SAP-HR is still the module of choice, during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements.


Conclusion
Our audit was specifically designed to meet the objectives outlined in section 2 of the report. It
was conducted in accordance with generally accepted auditing standards.
With respect to the accuracy and integrity of the information emanating from the SAP
application, the results of our audit enable us to conclude that the functionality required to
support the business needs of HRD and the Agency overall has been implemented. However,
some areas for improvement in the effectiveness and efficiency of the business processes and
reporting have been identified and provided as recommendations within the body of the report.
Data integrity must also be improved, as personnel movements are not being reflected on a timely
basis for all required updates.
Opportunities for improvement of the control framework also exist through increased monitoring
of changes to master data elements, and through the performance of periodic data quality reviews
by the Branches and other business owners within the Agency.
An adequate framework for the design of user access privileges has been developed to protect
sensitive information and to ensure access to perform critical maintenance functions for HR data
is appropriately restricted. The audit indicated, however, that there are currently some security
configuration issues that must be addressed and, as well, the use of generic accounts must be
investigated and corrected to ensure that the designed framework of controls is properly
implemented.
Based on the results accumulated through a benchmarking survey, the size of the SAP HR
support group is larger than those of the organizations polled. However, CIDA's support group
provides a broader range of services to the user population than the majority of the other
organizations used as a benchmark. Therefore, once the new SFS functionality is implemented
and subsequent to the data cleanup task, CRC should determine the size of the SAP HR support
group in accordance with its expected return on investment.
Finally, in terms of an assessment of the extent to which the SAP HR module is meeting the
needs of HRD and of the Agency overall, the distinction must be drawn between system-based
controls and management/monitoring controls outside the system. For the system-based
controls, with the exception of the identified security configuration and access problems, the
business process appears to be well supported by the SAP HR module. The audit revealed,
however, that improvement is required in supporting management and monitoring processes that
are required to ensure that system transactions are recorded as intended.

Appendix A Summary of Audit Recommendations

SAP HR Audit Project | Number of Recommendations | Completed | Ongoing
Internal Audit of SAP HR | 16 | |

Recommendation 1. It is recommended that the HRD modify the business processes surrounding acting situations to incorporate the entry of all acting situations into the SAP HR application, regardless of whether or not there is an effect on pay. It is further recommended that all terminated acting assignments be reflected in the system on a timely basis.
Management's Response: Agree that rationalization of leave and overtime approval authorities are required to reflect EX acting situations that do not result in changes to rates of pay but disagree with the proposed corrective action plan. The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting situations in the SAP system now, without a system configuration. The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting relationships of employees when someone is acting in an EX position and to ensure that this procedure is reviewed as part of regular SAP-HR monitoring practices.
Status: Work in Progress. HRD to send reminders to BMOs of the requirement and method to amend reporting relationships for the purposes of SAP-HR leave and overtime administration. Procedure will be incorporated into the SHIP action plan.

Recommendation 2. It is recommended that HRD, in collaboration with IMTB and the Branches, develop a set of periodic monitoring procedures and reports for review and follow-up by the Responsible Managers within CIDA. The periodic review will serve to assess the integrity of the current organizational structures and personnel assignments within a specific area of responsibility and will also identify acting situations that have not been recorded and/or expired acting situations that have not been recorded. It is further recommended that the review be performed at least every 4 months and that the process be facilitated and monitored by the HRD.
Management's Response: Agree. HRD, in collaboration with IMTB and the branches, will identify appropriate monitoring tools to enable the Responsible Manager within CIDA to periodically review the acting situation within the manager's own branch. Also, HRD will assess the integrity of the organizational structures at the Agency level. Roles and responsibilities will be defined and process installed through the SAP-HR Improvement Project (SHIP) initiative. Business process and definition of roles and responsibilities through the SAP-HR Improvement Project (SHIP) initiative.
Date: March 31, 2006
Status: Part of SHIP action plan.

Recommendation 3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of position/employee classification data and pay rates within SAP to information recorded in the On-Line Pay application every 4 months.
Management's Response: Agree. Files are being created to compare data between the On-Line Pay System and SAP-HR employees' position classification and pay scale. This comes under the SAP-HR Improvement Project (SHIP) initiative, Enhancement of Quality control.
Date: December 2005
Status: Part of the SHIP action plan.

Recommendation 4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group, correct the configuration of the security role for the Branch Administrators and eliminate the ability to submit and approve their own overtime and leave requests. Specifically, the Branch Administrators' access should be limited to submitting their own requests for subsequent approval by their Supervisors.
Management's Response: Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.
Status: COMPLETED

Recommendation 5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the review of leave balances by Responsible Managers on a monthly basis.
Management's Response: Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review their employees' leave calendar to ensure that leave taken is recorded appropriately. HRD will send out a reminder to managers to this effect. A new tool to be launched in September 2005, Manager Self Services (MSS), will assist managers in this regard.
Date: August 2005; September 2005 (MSS launch)
Status: In progress

Recommendation 6. It is recommended that IMTB, in cooperation with the SAP HR Support group, review the configuration of access privileges assigned to the Branch Administrative Officers to ensure that the configuration supports the needs of the business. Specific attention should be focused on the creation and activation of positions by the Branch Administrative Officers as they can currently create new positions without intervention from Classification Division. This configuration will allow the Classification Division to approve the position and classification data for new positions and/or individuals, as outlined in their roles & responsibilities.
Management's Response: Agree. This recommendation is already being addressed through a workflow process that will identify the approval of the different authorized persons within the classification of a position process in the SAP-HR system. The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the Branch Administrators' role is being reviewed to limit their access when creating a position for classification. Guidelines on the Service Standards will be developed by the Classification Section and communicated to the BAO. This comes under the SAP-HR Improvement Project (SHIP) initiative.
Date: March 2006
Status: Part of the SHIP action plan

Recommendation 7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be reviewed and that access to HR information be removed.
Management's Response: Agree. This was done in conjunction with item 13, SR 3462.
Date: March 2005
Status: Completed

Recommendation 8. It is recommended that HRD should perform Privacy Impact Assessments in accordance with Treasury Board requirements.
Management's Response: Agree. However, Privacy Impact Assessments are the responsibility of both the Business Owner (HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of Preliminary PIA's. IMTB is incorporating processes into the SR and System Development Procedures to identify systems changes and systems requests that may require PIA's; and, ensuring that System Owners and the Privacy Coordinator are informed. These assessments will be conducted and modified if needed. This comes under the SAP-HR Improvement Project (SHIP) initiative.
Date: March 2006
Status: Part of SHIP action plan

Recommendation 9. It is recommended that the ability to view personal information through direct query of HR tables (through transaction SE16) be removed from end-users by IMTB.
Management's Response: Agree. SR3194 was registered, addressed & completed in December 2004.
Date: December 2004
Status: COMPLETED

Recommendation 10. It is recommended that the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured, be removed from end-user access profiles by IMTB.
Management's Response: Agree. Transactions SE38 & SA38 have been removed in most job roles via SRs 2250 (HR Job roles), SR3039 & SR3058. The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and are required for their job, therefore cannot be removed.
Date: June 2004
Status: COMPLETED

Recommendation 11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and corrected by IMTB.
Management's Response: Agree. HR Job roles were reviewed. SR3463 was opened.
Date: March 2005
Status: COMPLETED

Recommendation 12. It is recommended that IMTB limit the use of generic accounts.
Management's Response: Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not generic accounts. As with the HRAIS accounts, they are tied directly to support personnel through the text field name on the account. Access is being revised (through SR 3314) ensuring limited access to information. The Phoenix and ACDI-CIDA accounts are also being revised to ensure that minimal access is granted.
Date: March 2005
Status: COMPLETED

Recommendation 13. It is further recommended that IMTB, in conjunction with HRD and the SAP Support Group, develop a set of security monitoring procedures focused on reviewing lists of users with access to personal information and critical update transactions and infotypes in order to identify potential access irregularities for correction.
Management's Response: Agree. SR3462 was opened and appropriate configuration was done in SAP-HR to action this recommendation.
Date: March 2005
Status: COMPLETED

Recommendation 14. We recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.
Management's Response: Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play, including but not exclusively those recommended in the audit report.
CIDA is the only Schedule 1.1 government department that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared inter-government system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources.
This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module.
We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA.
Initiatives In Play:
1. The increasing interest in the government-wide Shared Services initiatives for corporate functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term.
2. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application.
Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources. HRD is contributing to this review and will implement the decisions, once known.
Status: Ongoing. With the approval of CRC and under the direction of the CIO, an inter-Branch project team is being established to assess the impacts and implications of the Shared Services Initiative on the SAP system, including the SAP-HR module. Work has begun in HRD through the establishment of an internal working group to discuss HR business process flow requirements, identify SAP-HR changes and engage end-users in the clean up of data and the application of revised procedures. HRCSB internal review in progress.

Recommendation 15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.
Date: March 2006
Status: Work in progress
Management's Response: Agree. A corrective action plan is underway to ensure that:
SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation);
Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects);
SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and
End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active
monitoring of the HR business process and
SAP-HR data management practices
conducted by HRD in its role as the
departmental business owner.
This comes under the SAP-HR Improvement
Project (SHIP) initiative.
Agree
16. It is recommended that the SAP HR
Support Group examine the reporting
requirements of CIDA HR users and
determine whether the current reports
available address their needs.
If
addition reports or information is
required, we further recommend that
additional reports be developed.
Alternatively, if the examination
identified gaps in report understanding,
we recommend that action plans be
developed to close the gaps through
additional training.

Internal Audit Report July 7, 2005


Canadian International Development Agency

March 2006
This recommendation will be prioritized through
the SHIP action plan and in consultation with those
responsible for the HRM business functions (HRD)
and Branch end-users.
Clean up of data, documentation and training of the
correct business process flows and consultation
with the end users regarding their information
needs will be done during 2005-2006 as part of the
SHIP action plan. Assuming SAP-HR is still the March 2007
module of choice, during 2006-2007 new tools will
be designed and implemented to ensure more useful
and higher quality information for end users and to
support internal monitoring and internal and
external reporting requirements.

Part of the SHIP action


plan

Last phase of the SHIP


action plan

33

Internal Audit of the SAP HR System

Recommendations

Management's Responses

Date

Status

This comes under the SAP-HR Improvement


Project (SHIP) initiative.

Internal Audit Report July 7, 2005


Canadian International Development Agency

34

Appendix B Control Objectives/Audit Criteria for the SAP HR Process Review

The following control objectives/audit criteria were developed during the planning phase of this audit to capture the required audit criteria on which to base the assessment of the control framework and the security access rights. The criteria have been segregated to reflect the sub-processes that form the basis for the SAP HR supported process.

HR Master Data
1. All changes to the SAP HR and payroll master files are complete, valid and timely.
2. Agency employee information transferred to the Compensation Systems is accurate, valid and timely.
3. Terminated employees are removed from the payroll master file and all deletions are valid (and are within statutory requirements).

Leave and Overtime Recording
4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized.

Organizational Management
5. All valid changes to organizational units, positions and other master data are accurate, valid, timely and in accordance with relevant legislation.

Security and Privacy
6. Access to personal/sensitive information is adequately restricted to only authorized individuals.
7. Segregation of duties is appropriate and system access is restricted to authorized personnel.

Appendix C SAP HR Control Framework

REVIEW OF SAP HR SYSTEM
CANADIAN INTERNATIONAL DEVELOPMENT AGENCY
MARCH 31, 2004
DRAFT

INTRODUCTION
This document analyzes the control framework within a particular application or process. For each process reviewed, the following documents were prepared:
1. Flow Diagram
2. Control Framework and Evaluation Matrix
3. Process Descriptions

The application flow diagram aims to convey the most important elements of the process and as a result, certain infrequent or insignificant detail is intentionally omitted. The following icons are used on the diagrams (the icon images themselves are not reproduced here):
- Control Points;
- Financial/Business Exposure;
- Main Flow of Transactions.

The above icon types cross-refer to the control evaluation matrix, which compares the identified controls to the control objectives for the area and assesses the degree to which the objectives are supported by controls. The following icons are used on the control evaluation matrix:
- The identified control supports this control objective;
- Weaknesses were found for this control.

A description of the control or weakness can also be found on the control evaluation matrix. Blue text indicates a control and red text indicates a weakness or inefficiency.

SCOPE OF THIS REVIEW

This review considered controls and weaknesses throughout the SAP HR System. The review included discussions with CIDA staff and testing of certain system and manual control activities.

Control Evaluation Matrix
Matrix columns: Description; Control Objective; Control/Weakness; Control/Weakness Reference. The control objectives are listed here by process; each objective is followed, in parentheses, by the attributes assessed for it. The control and weakness descriptions follow, grouped by the same processes.

HR Master Data Maintenance
1. All changes to the SAP HR master files are accurate, complete, valid and timely. (Accuracy, Validity, Completeness, Cut-off)
2. Agency employee information entered into the Compensation system is accurate, complete, valid and timely. (Accuracy, Validity, Completeness, Cut-off)
3. Terminated employees are removed from the payroll master file and all deletions are valid. (Validity, Accuracy)

Leave and Overtime Recording
4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized. (Accuracy, Validity)
5. Overtime entered is accurate and valid and calculated in accordance with collective agreements. (Accuracy, Validity)

Organizational Management
6. All changes to organizational units, positions and other org structure data elements are timely, accurate, valid and complete. (Accuracy, Validity, Completeness, Cut-off)

Security & Privacy
7. Access to personal/sensitive information is restricted to only authorized individuals. (Validity)
8. Segregation of duties is appropriate and system access is appropriately restricted to authorized personnel. (Validity, Completeness, Accuracy)
HR MASTER DATA MAINTENANCE

SAP Security for HR Master Data: The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.

SAP Input Controls for Master Data: Mandatory fields are configured for infotypes included in personnel files within SAP, in order to ensure that all relevant information is captured. Personnel actions (a grouping of functionality to accomplish specific HR activities such as hiring) have been configured for major HR administrative tasks to ensure that all relevant infotypes are completed for personnel related activities. Time constraints, an element of SAP configuration that specifies whether infotypes must be populated, have also been configured at the infotype level to control the completeness of infotypes within an on-line personnel file.

Acting Assignments: Selected acting situations (i.e. one month or above) that do not affect pay are currently not entered into SAP. For example, an EX-01 employee acting at an EX-02 level is currently not entered into the system until 3 months have elapsed. The lack of update of the org structure has an impact on the proper routing of workflow items for approval. In addition, it was further noted that expired acting situations were not updated in SAP on a timely basis.

Planned Compensation: Pay scales that are aligned with the relevant public sector collective agreements have been configured in SAP. Changes to the collective agreements are controlled through the formal Service Request process at CIDA.

Integration with Org Management: Pay scale/salary information is defaulted into the personnel file (infotype 0008) based on information stored on the position master record. However, users can change the information brought in to accommodate Salary Protected employees (employees that have been designated as surplus and given a lower classification, but still paid at their previous pay rate).

Monitoring Reports for HR Master Data: There is currently no formalized review and/or approval of active employee listings, staffing reports or organizational charts by the Responsible Managers or Financial Authorities on a periodic basis.

PWGSC Reconciliation with SAP: There is currently no formal reconciliation of employee pay rates in the PWGSC On-Line Pay system to the records in SAP.
LEAVE AND OVERTIME RECORDING

SAP Security for Leave and Overtime: The SAP security and authorization concept is utilized to restrict the ability to unlock/approve requests for leave (SAP transactions ZAPT, PA61).

Leave Entitlement Validation: Prior to the completion of a leave request, SAP verifies that the employee is entitled to the type of leave requested and that the minimum/maximum amounts requested are in line with the appropriate collective agreement provisions. The SAP Time Evaluation functionality is utilized to perform the check.

Quota Balances: Prior to completing the on-line approval transaction, SAP automatically verifies whether an employee has an adequate leave entitlement remaining to accommodate the request. If the quantity remaining is insufficient, the Supervisor is not permitted to save/approve the application. The SAP Time Evaluation functionality is utilized to perform the check. Upon successful approval of leave, SAP automatically updates the quota balance(s) for an employee.

SAP Security for Leave and Overtime Approvals: The SAP security and authorization concept is utilized to restrict the ability to unlock/approve submitted overtime records.

Unauthorized Approval of Overtime: Situations have been noted where employees were able to submit their requests for paid overtime and approve their own requests. This could result in unauthorized overtime payments being generated for employees.

Monitoring of Leave Balances: There are currently no processes or procedures in place to perform a periodic review of employee leave balances, to ensure that all leave taken is being recorded in SAP.
ORGANIZATIONAL MANAGEMENT

SAP Security for Org Management: The SAP security and authorization concept is utilized to restrict the ability to update position master data to appropriate personnel.

SAP Input Controls for Org Management (ref. 10): Mandatory fields are configured for organizational management infotypes, in order to ensure that all relevant information is captured. Actions have also been configured for key organizational structure maintenance activities to ensure that all relevant infotypes are completed for the creation of new objects (i.e. positions). Time constraints have also been configured at the infotype level to control the completeness of infotypes for these objects.

Position Master Record Maintenance: Branch Administrative Officers currently have access to create, approve and activate new positions without the Classification Division reviewing the appropriateness of the classification data. Branch Administrative Officers also have the ability to perform personnel movements. To mitigate this segregation of duties risk, the SAP HR Support Group created monitoring reports for Classification to review; however, it was noted that the reports are currently not being reviewed on a regular basis by the Classification Division.
SECURITY & PRIVACY

Security/Privacy of HR Data (ref. 11): The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.

Non SAP HR Support Group Access: Non-HR SAP support individuals currently have the ability to maintain critical infotypes such as infotype 0008 (basic pay).

Privacy Impact Assessment: A formal Privacy Impact Assessment has not been performed since the initial implementation of SAP HR, and some significant changes have either been implemented or are planned for implementation.

SAP HR Table Access: An excessive number of users have the ability to view personal information through direct query of HR tables (through transaction SE16).

SAP HR Report Execution (ref. 10): An excessive number of end-users have the ability to execute reports and programs through transaction SA38, a central mechanism that bypasses the transactional and reporting restrictions configured.

SAP HR Reporting (ref. 11): The configuration around SAP HR reporting is currently not in accordance with best practices. Specifically, the configuration of authorization P_ABAP has effectively deactivated a level of data restrictions (i.e. at the Branch level), allowing users to see information (personal and non-personal) for individuals outside of their areas of responsibility.

Generic Accounts (ref. 12): There are currently generic/shared accounts that have access to perform update and reporting functions for HR information.

Monitoring Procedures (ref. 13): There are currently no monitoring procedures in place to periodically review and validate viewing and update access listings for key HR functions within the system.
Summary of Controls and Weaknesses (one cell per control objective column, 1 to 8, in matrix order)
1. Control Objective Met; Weaknesses Noted
2. Control Objective Met; Weaknesses Noted
3. Control Objective Met; Weaknesses Noted
4. Control Objective Met
5. Control Objective Met; Weaknesses Noted
6. Control Objective Met; Weaknesses Noted
7. Control Objective Met; Weaknesses Noted
8. Control Objective Met; Weaknesses Noted
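The Security & Privacy weaknesses above (generic/shared accounts with HR access, broad SE16/SA38 access that bypasses the configured restrictions, non-HR support staff able to update infotype 0008, and no periodic review of access listings) lend themselves to a simple recurring review. The following is an added example written for this page, not code from the audit or from CIDA: it reads a constructed user access export and flags those conditions. The CSV layout, the group names (HR_SUPPORT, HR_ADMIN and the rest), the account_type column and every row are assumptions made for the example; a real review would be fed from the system's own user and authorization listings.

```python
"""Periodic review of an HR access listing. Flags shared accounts holding HR
access, users who can bypass transactional restrictions through direct table
query (SE16) or generic report execution (SA38), and users outside the HR
support groups who can update the basic pay infotype (0008).
The listing format, the group names and every row are constructed."""
import csv
import io

# Constructed export: one row per user account; multi-valued columns use ';'.
ACCESS_LISTING = """\
user,full_name,account_type,group,branch,tcodes,update_infotypes
jsmith,Jane Smith,personal,HR_SUPPORT,HQ,PA30;PA40;SE16,0001;0008
hrtemp1,HR Temp Account,shared,HR_ADMIN,HQ,PA30;ZAPT,0001
bao_asia,Branch Admin Asia,personal,BRANCH_ADMIN,ASIA,PA30;PA40;PA61,0001
basis_ops,Basis Operator,personal,BASIS,HQ,SE16;SA38;PA30,0008
mgr_afr,Manager Africa,personal,MANAGER,AFRICA,ZAPT;PA61;SBWP,
"""

BROAD_ACCESS_TCODES = {"SE16", "SA38"}          # named in the control framework
CRITICAL_INFOTYPES = {"0008"}                    # basic pay
HR_SUPPORT_GROUPS = {"HR_SUPPORT", "HR_ADMIN"}   # constructed group names


def parse_listing(text: str) -> list:
    """Parse the CSV export into dicts with set-valued tcodes and infotypes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["tcodes"] = set(filter(None, row["tcodes"].split(";")))
        row["update_infotypes"] = set(filter(None, row["update_infotypes"].split(";")))
        rows.append(row)
    return rows


def review_access(rows: list) -> list:
    """Return (finding code, user, detail) tuples for the conditions reviewed."""
    findings = []
    for r in rows:
        user = r["user"]
        # Generic/shared accounts that can update or report on HR information.
        if r["account_type"] == "shared" and (r["tcodes"] or r["update_infotypes"]):
            findings.append(("SHARED_ACCOUNT", user,
                             f"shared account with HR access: {sorted(r['tcodes'])}"))
        # Central mechanisms that sidestep the transactional/reporting restrictions.
        broad = r["tcodes"] & BROAD_ACCESS_TCODES
        if broad:
            findings.append(("BROAD_ACCESS", user,
                             f"bypasses configured restrictions via {sorted(broad)}"))
        # Critical infotype maintenance by someone outside the HR support groups.
        critical = r["update_infotypes"] & CRITICAL_INFOTYPES
        if critical and r["group"] not in HR_SUPPORT_GROUPS:
            findings.append(("NONHR_CRITICAL_INFOTYPE", user,
                             f"group {r['group']} can update infotype(s) {sorted(critical)}"))
    return findings


def users_with_finding(findings: list, code: str) -> list:
    """Sorted list of users carrying a given finding code."""
    return sorted({user for c, user, _ in findings if c == code})


if __name__ == "__main__":
    for code, user, detail in review_access(parse_listing(ACCESS_LISTING)):
        print(f"{code:24} {user:10} {detail}")
```

Run on the constructed listing, the review reports the shared account, the two SE16/SA38 holders and the Basis user who can maintain infotype 0008; the Branch Administrative Officer and the manager produce no findings. The value of such a script is in running it on a schedule and having the business owner sign off on each finding, which is the monitoring procedure the framework records as absent.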

Process Description

HR Master Data
A Branch first identifies a staffing need and an appropriate HR/staffing activity is undertaken to fulfill the requirement. Possible scenarios for filling the position include an internal transfer within CIDA, a new employee, a secondment or an acting situation among others. After the staffing events have been completed, the HR Advisor/Assistant prepares two copies of the letter of offer and sends them to the candidate. Upon receiving the decision from the candidate, the HR Advisor/Assistant updates the Eligibility List in SAP (transaction ZEGB in SAP). If the candidate declines the offer, then the HR Advisor/Assistant selects the next qualified candidate from the eligibility list, and continues the process until a candidate accepts. A letter of offer is then produced and sent to the chosen candidate for acceptance. The letter of offer also represents the notification/trigger for an entry in the SAP HR system. No SAP system updates (with the exception of the updates to the Eligibility List) are performed prior to the signed letter of offer being received by the HR Advisor/Assistant.

Once the candidate accepts the offer, a signed copy of the letter of offer is returned to the HR Advisor/Assistant, a copy is filed, and the announcement is posted on Entre-Nous (CIDA's Intranet site). The HR Advisor/Assistant is also responsible for managing the appeal process. After the appeal period has expired, the HR Advisor/Assistant makes three copies of the letter of offer, and sends one each to the Compensation and Benefits Advisor, the Branch Administrative Officer for the hiring Branch, and the Employment Equity Division. Upon receipt of the signed letter of offer, the Branch Administrative Officer performs the necessary action (i.e. hiring, promotion, transfer) in the SAP system and enters the relevant information from the letter of offer. The Compensation and Benefits Advisor verifies the accuracy of the salary, bilingual bonus (if applicable), and the date of the next statutory increase. Should any corrections be required, the Compensation and Benefits Advisor makes the appropriate entries.

For all of the staffing needs noted above, and for other types of personnel movements (transfers within CIDA, terminations, etc.) or other personnel file updates (salary changes, change in work hours, etc.), a requirement for the entry of HR information into SAP arises. Each requirement is supported and/or initiated by the receipt of appropriate, approved documentation.

The data entry functions are shared amongst a small number of groups within the Agency depending on the nature of the update required. Pre-configured HR actions are utilized during the creation and/or maintenance of an employee's file in the system. SAP HR actions essentially walk users through a system-based sequence to complete the required elements of information for a given HR activity (such as hiring, termination, transfer, etc.). Actions configured in SAP for personnel movements are (they are presented along with the group responsible for performance of the update):
- 01 Take on Strength (TOS): Branch Administration Officers
- 02 Struck off Strength (SOS): Advisor, Pay and Benefits
- 04 Extension: Branch Administration Officers
- 05 Change: Basic Salary/Work Hours: Branch Administration Officers; Advisor, Pay and Benefits
- 06 Change of Position/Pay/Status: Branch Administration Officers; Assignment Division; Languages Program and Education Leave Advisor
- 07 Rehabilitation: Advisor, Pay and Benefits
- 08 Re-Entry after SOS/New Sec.In: Branch Administration Officers
- 13 Temporary Struck Off Strength: Branch Administration Officers; Advisor, Pay and Benefits; Assignment Division; Languages Program and Education Leave Advisor
- 14 Re-Taken on Strength (RTOS): Branch Administration Officers; Advisor, Pay and Benefits
- 15 Assignment/Sec.Out (LWP): Branch Administration Officers; Assignment Division; Languages Program and Education Leave Advisor
- 16 Secondment in: Branch Administration Officers
- 18 Return to Substantive Position: Branch Administration Officers
- 19 End of Secondment-In: Branch Administration Officers
- 22 Acting Situation: Branch Administration Officers

For each of the actions, a series of infotypes appear in a pre-determined sequence. An infotype is a grouping of information that is entered/shown on a specific screen in SAP. For example, basic pay/salary information is stored on infotype 0008.

After the successful completion of one of the actions listed above, the employee's personnel file in SAP is updated. In addition, the assignment of employees to positions within the organizational structure in SAP is automatically updated through this process if the action involves movement of personnel into, within or outside of the Agency.

Employees are paid by PWGSC on behalf of Treasury Board through the On-Line Pay application. As such, the basic pay and other entitlements information (with the exception of leave and overtime described in the Time Recording section below) captured in SAP is currently not directly relevant for payroll purposes. With the introduction of the Salary Forecasting System (SFS), however, this information will be used in the forecasting of salary costs for budgeting/planning purposes. The Compensation and Benefits Directorate (and specifically, the Compensation and Benefits Advisors) is responsible for data entry of payroll and benefits changes into the PWGSC On-Line Pay application. The Compensation and Benefits Advisors are notified of any new hirings, promotions or other changes through the receipt of a letter of offer, approved by the relevant certified HR Practitioner (i.e. HR Advisor/Assistant). The Compensation and Benefits Advisors also handle payroll enquiries from employees. Should any adjustments to employee pay records be required, the Compensation and Benefits Advisors perform the update in the PWGSC compensation system and notify the appropriate Branch Administrative Officer. Corrections to an employee's information are made by the appropriate person, depending on what action is required in the system (see list of actions above).
Leave and Overtime Recording
CIDA has developed a custom SAP solution for the collection of the following time related data:
- Requests for leave; and
- Overtime.

Leave
Employees are responsible for entering their own leave requests either directly into SAP (transaction ZAPT) or through the use of the Employee Self-Service (ESS) application. For requests for leave, the SAP system automatically verifies whether the employee is entitled to the type of leave being requested and whether the number of days falls within the pre-established minimum and maximum days allowed. Leave entitlements are defined in the collective agreements for each category/classification of employee. For valid requests, the employee's entries are saved in a locked status in the system and are not granted until an approval from the employee's supervisor is provided. SAP workflow functionality is used to route the request to the employee's Manager for approval based on the reporting relationships defined in the SAP organizational structure.

The supervisor must then approve/unlock the transaction in the system for the item to be completed. This is achieved through either transaction ZAPT, PA61, the SAP Business Workplace (transaction SBWP) or via Lotus Notes. At the time of approval, SAP verifies whether or not the employee has the requisite amount of vacation entitlement remaining. Should an adequate balance not exist, the supervisor is not able to complete the approval function (i.e. unlock and save the request). Upon successful completion of the approval, the employee's corresponding quota/bank of leave is also reduced by the approved amount.

On an annual basis (March 31), vacation payouts are calculated and recorded for unused balances that cannot be carried forward to the subsequent year. The Quota Balance Report (RPTBAL00 in SAP) is executed by the Compensation and Benefits Advisor and the excess entitlements are automatically calculated by SAP. The excess entitlement is defined as the amount over and above the allowable carry-forward number of days (i.e. 35 days). Responsible financial authorities within the Agency are then notified of the amounts applicable for their areas of responsibility for budget planning purposes. The Branch Administration Officers also have the ability to execute the report throughout the year if required. The amounts to be paid are then entered into the PWGSC compensation system by the Compensation and Benefits Advisor for settlement.
Overtime
Employees must also enter their own overtime information through the ESS application. As with the requests for leave, any overtime worked and recorded must be approved/unlocked by the employee's supervisor. Overtime can either be paid in cash or banked. The employee makes the choice at the time of entry into the system. Nevertheless, to be paid and/or banked, the request must be changed into unlocked (approved) status. For employees who have selected to have their overtime paid in cash, the total number of hours of overtime entitlements is calculated by SAP (i.e. 1.5 times the hours worked, 1.75 times the hours worked, etc.) through the execution of the approved overtime report (transaction ZAHRPAYOTREP) by the Compensation and Benefits Advisor. The Compensation and Benefits Advisor then enters the number of hours into the PWGSC On-Line Pay system for payment to the employee.

On an annual basis (October 1), unused banked overtime balances are identified and settled with employees. The process followed is the same as outlined above for the settlement of unused, excess vacation balances.
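The leave and overtime flows just described (entitlement and minimum/maximum checks at entry, a locked status until the supervisor of record unlocks the item, a quota check at approval followed by quota reduction, the 35-day carry-forward excess, and the overtime multipliers) can be expressed as a small model. The following is an added example written for this page, not CIDA's custom SAP solution or any SAP code: the employee groups, the per-request minimum/maximum values, the multiplier table keyed by "weekday"/"weekend" and the personnel numbers are all constructed stand-ins for the collective-agreement provisions and organizational data the real system holds. Its approval step also refuses self-approval, which the control framework records as possible for overtime today.

```python
"""Leave and overtime recording model: entry-time validation, locked status,
supervisor-only approval with a quota check, quota reduction, year-end excess
and overtime entitlement. Every rule value, employee and item is constructed."""
from dataclasses import dataclass, field

# Constructed stand-ins for collective-agreement provisions: per employee group,
# leave type -> (minimum days, maximum days) allowed on a single request.
LEAVE_RULES = {
    "CS": {"vacation": (0.5, 15.0), "sick": (0.5, 10.0)},
    "EX": {"vacation": (0.5, 20.0), "sick": (0.5, 10.0), "management": (1.0, 5.0)},
}
# Constructed overtime multipliers (the report cites 1.5 and 1.75 as examples).
OVERTIME_MULTIPLIERS = {"weekday": 1.5, "weekend": 1.75}
CARRY_FORWARD_LIMIT_DAYS = 35.0  # allowable vacation carry-forward per the report


@dataclass
class Employee:
    pernr: str                 # personnel number
    group: str                 # employee group, e.g. "CS" or "EX"
    supervisor: str            # pernr of the approving manager in the org structure
    quotas: dict = field(default_factory=dict)  # leave type -> remaining days


@dataclass
class TimeItem:
    employee: str
    kind: str                  # "leave" or "overtime"
    subtype: str               # leave type, or "weekday"/"weekend" for overtime
    amount: float              # days for leave, hours for overtime
    status: str = "locked"     # saved locked; "unlocked" once approved


def submit_leave(emp: Employee, leave_type: str, days: float) -> TimeItem:
    """Entry-time validation: entitlement to the leave type and min/max range.
    The quota is not touched here; the item is saved in locked status."""
    rules = LEAVE_RULES[emp.group]
    if leave_type not in rules:
        raise ValueError(f"{emp.pernr} is not entitled to {leave_type} leave")
    lo, hi = rules[leave_type]
    if not lo <= days <= hi:
        raise ValueError(f"{days} days is outside the allowed range {lo}-{hi}")
    return TimeItem(emp.pernr, "leave", leave_type, days)


def submit_overtime(emp: Employee, day_kind: str, hours: float) -> TimeItem:
    """Overtime is entered by the employee and likewise saved locked."""
    if day_kind not in OVERTIME_MULTIPLIERS or hours <= 0:
        raise ValueError("invalid overtime entry")
    return TimeItem(emp.pernr, "overtime", day_kind, hours)


def approve(item: TimeItem, emp: Employee, approver: str) -> TimeItem:
    """Unlock an item. The approver must be the supervisor of record and may
    never be the employee. Leave additionally requires an adequate remaining
    quota, which is reduced on success."""
    if approver == emp.pernr:
        raise PermissionError("self-approval is not permitted")
    if approver != emp.supervisor:
        raise PermissionError(f"{approver} is not the supervisor of record")
    if item.kind == "leave":
        remaining = emp.quotas.get(item.subtype, 0.0)
        if remaining < item.amount:
            raise ValueError(f"insufficient {item.subtype} quota: {remaining} < {item.amount}")
        emp.quotas[item.subtype] = remaining - item.amount
    item.status = "unlocked"
    return item


def overtime_entitlement_hours(item: TimeItem) -> float:
    """Paid-overtime hours for an approved item (hours x multiplier)."""
    if item.kind != "overtime" or item.status != "unlocked":
        raise ValueError("only approved overtime is paid")
    return round(item.amount * OVERTIME_MULTIPLIERS[item.subtype], 2)


def excess_entitlement(balance_days: float) -> float:
    """Year-end excess over the carry-forward limit, paid out rather than carried."""
    return max(0.0, balance_days - CARRY_FORWARD_LIMIT_DAYS)


def run_demo() -> dict:
    """Walk one constructed employee through the flows; returns the results."""
    alice = Employee("00001234", "CS", supervisor="00000042", quotas={"vacation": 12.0})
    leave = approve(submit_leave(alice, "vacation", 5.0), alice, "00000042")
    ot = approve(submit_overtime(alice, "weekday", 4.0), alice, "00000042")
    try:
        approve(submit_leave(alice, "vacation", 3.0), alice, alice.pernr)
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    return {
        "leave_status": leave.status,
        "vacation_remaining": alice.quotas["vacation"],
        "overtime_paid_hours": overtime_entitlement_hours(ot),
        "self_approval_blocked": self_approval_blocked,
        "excess_over_carry_forward": excess_entitlement(40.0),
    }
```

The design point worth noting is that the quota is only reduced at approval, never at entry, so a locked request cannot lower a balance, and that the approver identity is checked against the reporting relationship rather than merely against the right to run the approval transaction.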
Organizational Management
Within the Organizational Management side of SAP HR, CIDA captures information on organizational units (responsibility centers) and positions. Changes to the organization structure are initiated by the Branches and entered into SAP by the Branch Administrative Officers. Per the CIDA business process, the Branch Administrative Officer creates the position in a "planned" status within the system. Subsequently, either the Branch Administration Officer or the Manager changes the status from "planned" to "submitted". The Classification Officer is then responsible for ensuring that the position is assigned the proper classification by reviewing the data in the system; the Classification Officer is also responsible for making any adjustments necessary to the classification. Required information includes the identification of a supervisor/subordinate relationship, a pay scale (pay grade and step) and classification information, among others.

Once the Classification Officer has reviewed a position, the entry can be moved to either "approved" or "rejected" status. If the position is approved, it is then made active and integrated into the organizational structure for CIDA. If the position is rejected, the Branch Administration Officer is notified and the organizational structure is not updated. Pre-configured actions that walk users through the sequence of required infotypes for the creation of organization units and positions within SAP are also used.
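The position lifecycle described above (planned, submitted, approved or rejected, then active, with the Classification Officer as the reviewing role) is a small state machine, and the control framework's finding that Branch Administrative Officers can currently create, approve and activate positions themselves is a missing transition guard. The following is an added example written for this page, not CIDA's configuration or SAP code: the role names, the transition table, the mandatory-field list and the rule that the creator of a position may not review it are constructed for the example, and whether activation is a separate step performed by the Classification Officer is an assumption (the report says only that an approved position "is then made active").

```python
"""Position master record lifecycle with role separation: a Branch Administrative
Officer creates and submits, only the Classification Officer approves, rejects or
activates, and the creator may never review their own position.
Role names, transitions and mandatory fields are constructed for this example."""
from dataclasses import dataclass, field

BAO = "branch_administrative_officer"
MANAGER = "manager"
CLASSIFICATION = "classification_officer"

# Data that must be present before a position may be submitted (stands in for
# the mandatory-field and action configuration; the exact fields are assumed).
REQUIRED_FIELDS = ("supervisor_position", "pay_grade", "pay_step", "classification")

# (current status, action) -> (next status, roles permitted to perform it)
TRANSITIONS = {
    ("planned", "submit"): ("submitted", {BAO, MANAGER}),
    ("submitted", "approve"): ("approved", {CLASSIFICATION}),
    ("submitted", "reject"): ("rejected", {CLASSIFICATION}),
    ("approved", "activate"): ("active", {CLASSIFICATION}),
}
REVIEW_ACTIONS = {"approve", "reject", "activate"}


@dataclass
class Position:
    position_id: str
    org_unit: str
    created_by: str
    data: dict
    status: str = "planned"
    history: list = field(default_factory=list)   # (action, user, role) audit trail


def create_position(position_id: str, org_unit: str, user: str, role: str, data: dict) -> Position:
    """Only a Branch Administrative Officer may create; status starts as planned."""
    if role != BAO:
        raise PermissionError(f"{role} may not create positions")
    pos = Position(position_id, org_unit, user, dict(data))
    pos.history.append(("create", user, role))
    return pos


def transition(pos: Position, action: str, user: str, role: str) -> Position:
    """Apply one workflow action, enforcing the transition table, the role
    check, completeness on submit, and creator/reviewer separation."""
    key = (pos.status, action)
    if key not in TRANSITIONS:
        raise ValueError(f"cannot {action} a position in status {pos.status}")
    next_status, allowed_roles = TRANSITIONS[key]
    if role not in allowed_roles:
        raise PermissionError(f"{role} may not {action}")
    if action in REVIEW_ACTIONS and user == pos.created_by:
        raise PermissionError("the creator of a position may not review it")
    if action == "submit":
        missing = [f for f in REQUIRED_FIELDS if pos.data.get(f) in (None, "")]
        if missing:
            raise ValueError(f"missing mandatory data: {missing}")
    pos.status = next_status
    pos.history.append((action, user, role))
    return pos


def active_positions(positions) -> list:
    """Only active positions are integrated into the org structure."""
    return [p.position_id for p in positions if p.status == "active"]


def run_demo() -> dict:
    """Create, submit, attempt a BAO self-approval, then review properly."""
    data = {"supervisor_position": "P-1000", "pay_grade": "CS-02",
            "pay_step": 3, "classification": "CS-02"}
    pos = create_position("P-2001", "OU-ASIA", "bao_asia", BAO, data)
    transition(pos, "submit", "bao_asia", BAO)
    try:  # the weakness the framework describes: a BAO approving its own position
        transition(pos, "approve", "bao_asia", BAO)
        bao_approval_blocked = False
    except PermissionError:
        bao_approval_blocked = True
    transition(pos, "approve", "class_officer_1", CLASSIFICATION)
    transition(pos, "activate", "class_officer_1", CLASSIFICATION)
    incomplete = create_position("P-2002", "OU-ASIA", "bao_asia", BAO, {"pay_grade": "AS-01"})
    try:
        transition(incomplete, "submit", "bao_asia", BAO)
        incomplete_submit_blocked = False
    except ValueError:
        incomplete_submit_blocked = True
    return {"final_status": pos.status, "bao_approval_blocked": bao_approval_blocked,
            "incomplete_submit_blocked": incomplete_submit_blocked,
            "active": active_positions([pos, incomplete]), "history_len": len(pos.history)}
```

Keeping the transition table as data makes the separation of duties reviewable in one place, and the per-position history gives the Classification Division a record to check instead of the monitoring reports the framework notes are not being reviewed.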
Security & Privacy
A role based security strategy has been developed and configured to provide users with access to only those transactions and infotypes required for their job functions. SAP security configuration is also utilized to protect personal information such as employment equity information, home address and qualifications recorded on specific infotypes. Finally, users are limited to viewing and maintaining HR information for only those employees within their area of responsibility. For example, the design calls for Branch Administrative Officers to be limited to performing tasks and viewing information for only those employees within their Branch.