Audit Sample by uqx20403

Company (Name):
Fiscal Year End (Date):
Tested on (Date)/ tested by (Name):
Tested in (System):

A total of 48 tests have been designed to evaluate ALL KEY risks based on best practices and the
Contains detailed testing instructions, rather than generic descriptions of the tests to be
Links to the pre-populated test sheets with fill-in fields for company-specific information.


Payroll and HR (Personnel) - Audit Program for SAP R/3 - SAMPLE

Columns of the audit program sheet:
- Control Activity
- Control Activity Type: Preventive / Detective
- Control Nature: Manual / Automated
- IT Nature: IT Dependent / Non IT-Dependent
- Control Rating: High / Medium / Low
- Query No
- Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
- Testing Reference: Reference to supporting evidence considered pertinent
- Conclusion: Effective / Ineffective
Hiring Personnel

Control Objective HR1: Additions to the payroll master files represent valid employees. All new employees are added to the payroll master files.
Control Objective Assertion: [Balance Sheet] Payroll related accruals / provisions & [Income Statement] Salaries, Wages & Related Expenses: Validity, Completeness

HR1.03: The personnel and the organizational reporting structure are current. Access to modify personnel and organizational reporting structure in SAP R/3 is limited to appropriate personnel.
Control Activity Type: Preventive
Control Nature: Automated
IT Nature: IT Dependent
Control Rating: High
Query No: 2
Testing Reference: Tab 2

Testing Procedures:
A job is a general classification of task areas (e.g. head of department). A job is a standard description of an activity that can be performed by a person. Perform the following procedures to generate a listing of users with access to maintain or edit existing jobs in SAP R/3:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
  PO03 (Maintain Jobs)

AUTHORIZATION OBJECT 2:
• PLOG:
  Plan Version (PLVAR): * (means users authorized to maintain jobs in ANY/SOME plan version(s))
  Subtype (SUBTYP): * (means access to maintain ANY/SOME subtypes of given infotypes)
  Planning Status (ISTAT): * (means ANY planning status in which the user is authorized for access)
  Function Code (PPFCODE): INSE (Insert) OR AEND (Change) OR DEL (Delete) OR "*" (All/Any)
  Infotype (INFOTYP): * (means users authorized to maintain jobs for ANY/SOME infotypes)
  Object Type (OTYPE): C (means "Jobs") OR P (means "Persons/Employees") OR "*" (All/Any)

Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate for such users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.

Notes printed alongside the sample sheet:
In addition to the written step-by-step instructions, screen-prints from SAP will be provided to visually assist those new to the system.
Covers ALL principal HR/payroll subprocesses:
• Hiring Personnel
• Terminating Personnel
• Recording Time
• Calculating Payroll
• Disbursing Payroll
• Maintaining Master Files
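The HR1.03 query above combines two authorization objects, and Tab 2 then asks the auditor to set aside locked, expired and non-dialog user IDs before judging the remainder. The script below is an added example, not part of the sample audit program or of the vendor's material: it models a SUIM-style export as constructed records and applies those two steps in code, so the same screening can be rerun on each extract. The data model, the user IDs and names, and the value-matching helper are my assumptions (SUIM produces a screen list rather than this structure, and the trailing-"*" prefix rule is assumed); the "Access Appropriate" and "Exceptions Noted" columns are left blank on purpose, because that judgement belongs to the auditor.

```python
# Added example (not from the sample audit program or its vendor): apply the
# HR1.03 selection criteria and the Tab 2 screening rules to a constructed,
# SUIM-style user/authorization export. Data model and helper names are mine.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Authorization:
    """One authorization instance: object name plus its field values."""
    obj: str
    fields: Dict[str, List[str]]


@dataclass
class UserRecord:
    """User master attributes that Tab 2 screens on, plus the user's authorizations."""
    user_id: str
    name: str
    locked: bool
    valid_through: Optional[date]
    user_type: str  # A (Dialog), S (Service), C (Communication), D (System)
    authorizations: List[Authorization]


# HR1.03 query: S_TCODE must allow PO03, and one PLOG authorization must allow
# insert/change/delete (or "*") on object type C (Jobs) or P (Persons) (or "*").
# PLVAR, SUBTYP, ISTAT and INFOTYP are queried with "*", i.e. not restricted.
MAINTAIN_FCODES: Set[str] = {"INSE", "AEND", "DEL"}
MAINTAIN_OTYPES: Set[str] = {"C", "P"}
AS_OF = date(2024, 3, 31)  # constructed test date for the validity check


def value_matches(auth_value: str, wanted: str) -> bool:
    """Assumed matching rule: '*' covers everything, a trailing '*' is a prefix wildcard."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return wanted.startswith(auth_value[:-1])
    return auth_value == wanted


def field_allows_any(auth: Authorization, field_name: str, wanted: Set[str]) -> bool:
    return any(value_matches(v, w) for v in auth.fields.get(field_name, []) for w in wanted)


def can_maintain_jobs(user: UserRecord) -> bool:
    """True when the user satisfies both authorization objects of the HR1.03 query."""
    has_tcode = any(a.obj == "S_TCODE" and field_allows_any(a, "TCD", {"PO03"})
                    for a in user.authorizations)
    # Both PLOG fields must be satisfied by the same authorization instance.
    has_plog = any(a.obj == "PLOG"
                   and field_allows_any(a, "PPFCODE", MAINTAIN_FCODES)
                   and field_allows_any(a, "OTYPE", MAINTAIN_OTYPES)
                   for a in user.authorizations)
    return has_tcode and has_plog


def screen_users(users: List[UserRecord], as_of: date) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Apply the Tab 2 exclusions, then keep the users matching the HR1.03 query.

    Returns (tab2_rows, excluded). The judgement columns stay blank for the auditor.
    """
    tab2_rows, excluded = [], []
    for u in users:
        if u.locked:
            excluded.append((u.user_id, "locked user ID"))
        elif u.valid_through is not None and u.valid_through < as_of:
            excluded.append((u.user_id, "past validity date (no access)"))
        elif u.user_type in ("D", "C"):
            excluded.append((u.user_id, f"user type {u.user_type} (no end user access)"))
        elif can_maintain_jobs(u):
            tab2_rows.append({"User ID": u.user_id, "User Name": u.name,
                              "User Type": u.user_type, "Access Appropriate?": "",
                              "Exceptions Noted?": "", "Comments/Exception Detail": ""})
    return tab2_rows, excluded


def _plog(ppfcode: List[str], otype: List[str]) -> Authorization:
    return Authorization("PLOG", {"PLVAR": ["*"], "OTYPE": otype, "INFOTYP": ["*"],
                                  "SUBTYP": ["*"], "ISTAT": ["*"], "PPFCODE": ppfcode})


# Constructed sample export (fictitious users, not real data).
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("HRORG01", "Org. management clerk", False, None, "A",
               [Authorization("S_TCODE", {"TCD": ["PO03", "PA30"]}), _plog(["INSE", "AEND", "DEL"], ["C"])]),
    UserRecord("HRDISP01", "HR reporting analyst", False, None, "A",
               [Authorization("S_TCODE", {"TCD": ["PO03"]}), _plog(["DISP"], ["*"])]),  # display only
    UserRecord("BASIS01", "Basis administrator", False, None, "A",
               [Authorization("S_TCODE", {"TCD": ["*"]}), _plog(["*"], ["*"])]),  # wildcards
    UserRecord("RFC_HR", "Interface user", False, None, "C",
               [Authorization("S_TCODE", {"TCD": ["PO03"]}), _plog(["*"], ["*"])]),  # type C
    UserRecord("OLDHR01", "Former HR clerk", True, None, "A",
               [Authorization("S_TCODE", {"TCD": ["PO03"]}), _plog(["AEND"], ["C"])]),  # locked
    UserRecord("TEMPHR01", "Temp HR clerk", False, date(2023, 12, 31), "A",
               [Authorization("S_TCODE", {"TCD": ["PO03"]}), _plog(["AEND"], ["C"])]),  # expired
]

if __name__ == "__main__":
    rows, excluded = screen_users(SAMPLE_USERS, AS_OF)
    for r in rows:
        print("Tab 2 row:", r["User ID"], r["User Name"], r["User Type"])
    for user_id, reason in excluded:
        print("excluded:", user_id, reason)
```

Of the constructed users, only the dialog users whose PLOG authorization actually carries a maintaining function code land on Tab 2; the display-only analyst does not, and the interface, locked and expired IDs are reported separately with the Tab 2 reason for setting them aside, so the reviewer can see why a user with PO03 did not make the list.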


HR1.01: Employee master file is regularly reviewed by the department managers to ensure that the employee list is current.
Control Activity Type: Detective
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Query No: 8
Testing Reference: Tab 8

Testing Procedures:
Procedures to ensure that the new employees added to the HR/Payroll master files represent valid hires:

Perform the following procedures to produce a listing of employees hired during the period of intended reliance (your audit timeframe):
• Execute transaction S_AHR_61016150
  OR
  Execute transaction SA38 -> enter RPLNHRU0 and click on "Execute"
  Limit the query to the appropriate timeframe using the "New Employees in Period" field
  Limit the query to new hires using "Hire/Rehire Event Type"
  Click on the "Execute" icon at the top of the screen

Using attribute sampling guidelines, select an adequate sample of new hires over the period of intended reliance, and examine documentary evidence (e.g., approval forms, etc.) indicating their appropriateness. Document your sampling testing, test results, and conclusions in the Tab referenced in the "Testing Ref." Column.

b54bcb4f-bd9d-403b-a4a3-aa0544be340a.xls   Page 1 of 8




*** THIS IS A SAMPLE, NOT A COMPLETE AUDIT PROGRAM ***

The complete audit program is available at http://soxmadeeasy.com/SAP_HR_Payroll.html and contains 48 tests designed to help audit, risk and security professionals attain reasonable assurance that controls over the Payroll and HR (Personnel) business cycle in SAP R/3 operate effectively and in accordance with management's intentions, including:

• Hiring Personnel - This control framework is developed to ensure that the employee list is current, that the additions to the payroll master files represent valid employees, and that all new employees are
  added to the payroll master files. Highlights of the items covered within this control framework:
  - SAP tools to ensure accuracy and integrity of HR/Payroll master data
  - Appropriateness of access to maintain sensitive employee master records in SAP R/3 (transactions PA20, PA30, PRMS, PRMD, etc.)
  - Appropriateness of access to perform personnel actions (e.g., hire, rehire, position or pay change, transfer, retirement, termination, leave of absence) using transactions PA40, PA41, PA42, PRMM, etc.
  - Employee access to maintain their own employee master records and personnel actions
  - Appropriateness of access to maintain jobs, positions, and organizational units in SAP R/3 (transactions PO03, PO13, PO10)
  - The reconciliation of the payroll master files to the time recording system, including interface controls for the entities using third party time tracking tools (e.g., Kronos) and more.


• Terminating Personnel - Controls to ensure that any deletions from the payroll master files represent valid terminations and that terminated employees are removed from the payroll master files or their
  employment status updated appropriately (i.e., left the company, in company but inactive, retiree, etc.). Highlights of the items covered within this control framework:
  - SAP tools to ensure accuracy, timeliness and validity of employment status changes
  - Procedures to ensure that employees with inactive employment status in the HR/Payroll master files represent valid terminations
  - Procedures to ensure that application access to SAP R/3 is disabled for employees with inactive employment status in the HR/Payroll master files and more.

• Recording Time and Disbursing Payroll - Control framework developed to ensure that time and attendance data reflects actual time worked and is authorized. Highlights of the items covered within
  this control framework:
  - Appropriateness of access to maintain time data (i.e., attendances and absences), including access to maintain personal time data (transactions PA61, PA62, PA63, PA71, PA30, CAT2, CAT4, CAT6, etc.)
  - Appropriateness of access to maintain work schedules (PT01, PT02)
  - SAP tools to monitor the attendance and absence time, and deviation from attendance and absence quotas
  - Monitoring recorded time worked as well as overtime hours worked and payment for such overtime
  - Monitoring time evaluation reports, reconciling time recorded using clocking mechanism (e.g., clock cards or timesheets) to payroll reports
  - SAP tools to monitor compliance with payroll disbursement processing schedule
  - Appropriateness of access to payroll processing in SAP R/3 (PC00_M99_PA03_RELEA, PC00_M99_PA03_CORR, PC00_M99_PA03_CHECK, PC00_M99_CIPE, etc.)
  - Appropriateness of mapping payroll areas (i.e., wage payments and deductions) to elements in SAP Financial Accounting (FI) module (i.e., accounts in the FI Chart of Accounts)
  - Payroll simulation prior to the processing of payroll
  - Financial posting simulation process prior to the posting to the FI, and CO modules




• Maintaining Payroll Master Files - Controls to ensure that all valid changes to the payroll master files are input and processed. Highlights of the items covered within this control framework:
  - Logging of changes to the HR/Payroll master records and monitoring procedures to ensure that such changes are valid and input accurately
  - Appropriateness of existing segregation/separation of duties within human resources and payroll functions
  - Appropriateness of access to maintain withholding tables (tax tables) in SAP R/3 - access to maintain tax entries and update tax authorities in SAP R/3 using transactions OGS8 or OGS3, and more.


The audit program covers all critical monitoring tools and techniques, configuration settings and access controls to ascertain the reliability of the SAP R/3 control environment over the Payroll and HR (Personnel) business process.




Exception tracking columns of the audit program sheet (completed for ineffective controls):
- Exception Details
- Mitigating Controls
- Planned Remediation Procedures
- Planned Remediation Date
- Remediation Status: Completed / In Progress
- Ref. to Post-Remediation Testing Details (if applicable)




Tab 2




Users with access to maintain or edit existing jobs in SAP R/3:

Columns (insert additional rows as needed; rows 1-5 are blank in the sample):
- Count
- User ID
- User Name
- Locked? (Yes/No) - exclude locked user IDs ("0" or "Blank" in this field means that the user ID is NOT locked)
- Valid From
- Valid Through - exclude IDs that are past their validity date (no access)
- User Type - exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis
- Access Appropriate as per the Job Responsibilities? (Yes/No)
- Exceptions Noted? (Yes/No)
- Comments/ Exception Detail

Total   0   0   0




Tab 8




Listing of new employees added to the HR/Payroll master files between [date] and [date]:

Columns (insert additional rows as needed; rows 1-5 are blank in the sample):
- Count
- Employee ID
- Employee Name
- Start Date - do not list employees hired before or after the period of intended reliance
- Selected For Testing? (Yes/No)
- Employee is a Valid New Hire? (Yes/No)
- Approved By (Name, Title)
- Approved On (Date)
- Exceptions Noted? (Yes/No)
- Comments/ Exception Detail
Approved By and Approved On: complete for new employees selected for testing in Column "E". N/A for remaining new hires.

Total   0   0   0



