Human Resources SAP Audit Guide

HR Master Data
and Employee groups and sub-groups. These areas and groups control wage types, pay scales, default values for basic pay and other critical areas of employee master data. The enterprise structure including specific settings in personnel areas and employee groups within each company code should be closely reviewed using transaction EC01. Furthermore, a sample of master records should be reviewed to ensure that employees are assigned to the correct areas and groups.
Master records should also be reviewed to ensure employees are assigned to the appropriate health, insurance, savings and other benefit plans. Configured plans and associated rules should be reviewed through IMG Personnel Management Benefits.
To safeguard against the risk of duplicate employees in the system, SAP should be configured to compare information such as last name, first name and date of birth against existing records during the entry of new employees. This is performed through IMG Personnel Management Personnel Administration Customizing Dynamic Actions Activate Concurrent Employment for Personnel Administration. Once configured, SAP will automatically display possible matches against both active and inactive records.
SAP should also be configured to provide a sufficient audit trail for changes to key infotypes. This is performed through tables HR Documents: Infotypes with Documents (V_T585A), HR Documents: Field Group Definition (V_T585B), and HR Documents: Field Group Characteristics (V_T585C). Changes are displayed in report RPUAUD00 (Logged Changes in Infotype Data).
Access to key master data transactions such as PA10 (Personnel File), PA20 (Display HR Master Data), PA30 (Maintain HR Master Data) and PA40 (Personnel Actions) and authorization object P_ORGIN should be restricted and based on role requirements. Access should be qualified with the P_PERNR authorization object which prevents users from changing specific infotypes in their own personnel records. Write operations W, S, D and E should be specified in the AUTHC (Authorization code) field of the P_PERNR object and the PSIGN field should be set to E (Exclude). The infotypes that are subject to the exclusion should be listed in the INFTY field. Users should not be granted inconsistent authorizations since this could override any exclusions. For example, an authorization with
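An added example, not taken from the guide, that turns the P_PERNR check described above into a small audit script: it reports sensitive infotypes with no PSIGN=E exclusion covering the write-type AUTHC values, and reports the inconsistent case where a PSIGN=I write grant sits beside the exclusion. The infotype numbers, the read code R, and the rule that an inclusive grant overrides an exclusion are assumptions made for the example.

```python
from dataclasses import dataclass

# Write-type AUTHC values the guide says must be excluded for own records.
WRITE_OPS = frozenset({"W", "S", "D", "E"})
# Pay-relevant infotypes (standard SAP numbers, assumed for this example).
SENSITIVE_INFTY = frozenset({"0008", "0009", "0014", "0015"})


@dataclass(frozen=True)
class PPernrValue:
    """One set of field values for authorization object P_PERNR."""
    authc: frozenset  # authorization codes granted
    psign: str        # "I" = include own personnel number, "E" = exclude it
    infty: frozenset  # infotypes covered; "*" stands for all


def covers(value, infotype):
    return "*" in value.infty or infotype in value.infty


def audit_own_record_writes(values, sensitive=SENSITIVE_INFTY):
    """Return findings for a user's combined P_PERNR values.

    Only P_PERNR is inspected; P_ORGIN may still grant write access, so an
    infotype with no PSIGN=E exclusion is reported. Assumption mirrored from
    the guide's warning: when a PSIGN=I write grant and a PSIGN=E exclusion
    both cover an infotype, the grant wins and the pair is inconsistent.
    """
    findings = []
    for infotype in sorted(sensitive):
        writers = [v for v in values if covers(v, infotype) and v.authc & WRITE_OPS]
        excluded = [v for v in writers if v.psign == "E"]
        included = [v for v in writers if v.psign == "I"]
        if not excluded:
            findings.append(f"{infotype}: no PSIGN=E exclusion for write operations")
        elif included:
            findings.append(f"{infotype}: PSIGN=I write grant overrides the exclusion")
    return findings


# Constructed sample roles, not taken from any real system.
CLERK = [
    PPernrValue(frozenset({"R"}), "I", frozenset({"*"})),  # read own record (R assumed)
    PPernrValue(WRITE_OPS, "E", frozenset({"0008", "0009", "0014"})),
]
# A second role re-grants write access to bank details on the own record.
INCONSISTENT = CLERK + [PPernrValue(frozenset({"W"}), "I", frozenset({"0009"}))]
```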
Time Management
Time-related data including working hours, absences, overtime and allowances can be pulled from external time recording systems or entered directly into SAP through channels such as the Cross-Application Time Sheet (CATS) function. CATS integrates directly with other components of SAP including Logistics and Project Systems through Business Application Programming Interfaces (BAPIs). Accounting integration for time-data infotypes is enabled by default but can be disabled through customization. Therefore, the Infotype with Acct/Logistics Data area of IMG for HCM should be closely reviewed to ensure that integration is not deselected for any infotype. If Workforce Management (WFM) is used to manage employee time data, the mapping of SAP infotypes to WFM specification types should be reviewed in the WFM Core.
Time entry rules including validation checks, tolerances and controls for required, suppressed and optional fields are configured and applied through CATS profiles. The settings for each CATS profile assigned to every user interface should be reviewed in the Time Sheet area of the Cross-Application Components area of IMG. Release procedures are also defined with each profile. Approvals can be triggered manually but SAP Business Workflow should be used wherever possible to support time sheet review and approval. The attributes of workflows should be reviewed through the Workflow Builder.
Other areas of IMG that should be carefully reviewed include rules for Work Schedules, Time Data Recording and Administration, and Schemas in Personnel Time Management. The last is particularly important since it impacts Time Evaluation.
This is an SAP function that detects potential errors in time-related data entered during a pay period prior to processing. Time Evaluation should be configured as a daily scheduled job. Errors and warnings generated by the Time Evaluation report RPTIME00 should be reviewed and resolved by administrators before time data is transferred to payroll. This report displays exceptions to rules configured in the schemas. Examples could include employees or contractors that have reported more than 8 hours in a day or 40 hours in a week or registered more than 20 days of vacation leave. The Time Management Status in the Planned Working Time infotype (0007) in every record for hourly employees should not be set to zero since this will exclude employees from Time Evaluation.
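An added example, not part of the guide, that reproduces the kind of exceptions RPTIME00 reports under the thresholds cited above (more than 8 hours in a day, 40 in a week, or 20 vacation days) and shows the blind spot of a Time Management Status of zero in infotype 0007: the misconfigured employee's entries are never evaluated, so only the master-data finding surfaces. The record layout, the status value "0" and the sample data are constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds the guide cites as examples of schema rules.
MAX_HOURS_PER_DAY, MAX_HOURS_PER_WEEK, MAX_VACATION_DAYS = 8, 40, 20


def time_evaluation_exceptions(employees, entries):
    """Simplified RPTIME00-style pass over one pay period (added example).
    employees: {pernr: {"hourly": bool, "tm_status": str}}, tm_status being the
               IT0007 Time Management Status ("0" = not evaluated, assumed)
    entries:   (pernr, date, hours, absence) tuples; absence "VAC" = vacation day
    """
    exceptions = []
    # Master-data finding: hourly staff with status 0 never reach evaluation.
    for pernr, emp in sorted(employees.items()):
        if emp["hourly"] and emp["tm_status"] == "0":
            exceptions.append(f"{pernr}: IT0007 status 0 excludes employee from Time Evaluation")
    daily, weekly, vacation = defaultdict(float), defaultdict(float), defaultdict(int)
    for pernr, day, hours, absence in entries:
        if employees[pernr]["tm_status"] == "0":
            continue  # excluded employees are skipped, so their hours are never checked
        if absence == "VAC":
            vacation[pernr] += 1
            continue
        daily[(pernr, day)] += hours
        weekly[(pernr, day.isocalendar()[1])] += hours
    for (pernr, day), h in sorted(daily.items()):
        if h > MAX_HOURS_PER_DAY:
            exceptions.append(f"{pernr}: {h:g} hours on {day} exceeds {MAX_HOURS_PER_DAY}")
    for (pernr, week), h in sorted(weekly.items()):
        if h > MAX_HOURS_PER_WEEK:
            exceptions.append(f"{pernr}: {h:g} hours in ISO week {week} exceeds {MAX_HOURS_PER_WEEK}")
    for pernr, days in sorted(vacation.items()):
        if days > MAX_VACATION_DAYS:
            exceptions.append(f"{pernr}: {days} vacation days exceeds {MAX_VACATION_DAYS}")
    return exceptions


# Constructed sample period (Mon 4 to Fri 8 March 2024), not real HR data.
SAMPLE_EMPLOYEES = {
    "00001001": {"hourly": True, "tm_status": "1"},
    "00001002": {"hourly": True, "tm_status": "0"},   # misconfigured master record
    "00001003": {"hourly": False, "tm_status": "1"},
}
WEEK = [date(2024, 3, 4) + timedelta(days=i) for i in range(5)]
SAMPLE_ENTRIES = (
    [("00001001", WEEK[0], 10, None)] + [("00001001", d, 8, None) for d in WEEK[1:]]
    + [("00001002", d, 12, None) for d in WEEK]   # 60 h in the week, but never evaluated
    + [("00001003", date(2024, 3, 1) + timedelta(days=i), 0, "VAC") for i in range(21)]
)
```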
Access to the time management transactions listed in Table A should be restricted, including the ability to approve timesheets, which should be assigned exclusively to functional managers. The dummy infotype 0316 is the authorization required for time sheet entry. Infotype 0328 is required for time approval.
Table A: Time management transactions

TRANSACTION   DESCRIPTION
CAT2, CAT3
CAPS
CAT4
CAPP
PP61
PA61
PA62
PA63
PA64          Calendar entry
PA70
SAP Travel Management uses workflow to track and approve trip requests, book approved requests through integration with external reservation systems, and record, reimburse and post travel expenses. It performs an important control function by enforcing compliance with travel policies. The relevant rules, profiles and parameters for travel components should be reviewed in IMG Financial Accounting Travel Management to ensure alignment with travel policies and procedures.
Master records should not be configured to exclude hourly employees from time evaluation.
Travel management transactions

TRANSACTION   DESCRIPTION
PRMM          Personnel Actions
PRMD
PRMS
PRAA
PRAP          Approval of Trips
PR02          Travel Calendar
PR03          Trip Advances
PR04
PR05
PRCC
PRCCD
TPMM
TPMD
TPMS
TP01
Payroll Processing
Master data should be locked during a payroll run to prevent any changes. This is performed through Payroll Control Records, accessed through transaction PA03 (Maintain Personnel Control Record). Each pay area has an individual control record. The payroll period selected as the basis for the control records should be set to the period immediately before the live period. Also, the maximum number of past periods that are open for payroll adjustments should be appropriately set in the Earliest Retro Acctg Period field. Note that SAP uses the earliest personal retroactive accounting date set in the Payroll Status infotype (0003) in each employee master record if this does not match the date set in the control record. Payroll control records can be used to determine which employees were included and rejected in the last payroll run. The latter group can be identified by selecting Incorrect Pers. Nos. and Locked Pers. Nos.
The ability to enter or update certain infotypes during a payroll run through transactions such as PAKG/PAUX (Adjustments Workbench) should be restricted. The employee remuneration information infotype should be configured to prevent adjustments to wage types such as salaries since any adjustment will override the value in the master record. This should be performed through the IMG area Maintain Wage Types. Minimum and maximum values can be configured for each wage type. The latter is highly recommended. Rounding divisors for wage types should be reviewed to ensure they are configured appropriately (divisors can be set anywhere between 1 and 100). The posting characteristics including time-dependencies for wage types and month-end accruals should also be reviewed under account assignments. Wage types are mapped to symbolic accounts which in turn are mapped to GL accounts.
Gross and net pay calculations are performed by the system based on processing rules known as personnel calculation rules. These rules are grouped in schemas and can be adjusted through transactions PE01 (Maintain Payroll Schemas), PE01N (Editor for Payroll Schemas), PE02 (Maintain Calculation Rules), PE02N (Editor for PC rules) and PE04 (Create Functions and Operations). Access to these sensitive functions should be safeguarded.
There are a number of standard SAP reports that should be reviewed by management during each payroll run to confirm the validity of any adjustments and identify
Employee Self Service
Employee Self-Service (ESS) is a Web Dynpro (Java) application that operates on the Enterprise Portal (EP). It enables employees to maintain their personal information, enter leave requests, update timesheets, display pay slips, and perform other similar functions. Employees must be assigned a user record in the J2EE with an appropriate role to be able to use ESS. This is performed through the HRUSER transaction or the menu path IMG Personnel Management Employee Self-Service (ITS Version) General Settings for ESS Create SAP Users for ESS. Users should be assigned a single role from a copy of the composite SAP_EMPLOYEE_ERP role provided by SAP and should only have the ability to update their own data for certain types of infotypes. Bank account information, for example, should only be updated centrally by authorized HR users. This should be configured through the P_PERNR authorization object rather than P_ORGIN. The former takes precedence over the latter. ESS users without P_PERNR may be able to view and update records belonging to other employees.
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993