SAP HR Audit Program
Document: Audit Program
Area: POST IMPLEMENTATION REVIEW SAP HR - phase 1

Submitted by Ludwina MJ WUY TS – December 2002.

PART A: PLANNING AND ADMINISTRATION

1. Objective
   To confirm that the SAP HR phase 1 implementation has achieved its stated objectives and that proper controls have been built into the system and/or into the project plans in order to guarantee a successful continuation into phase 2.

2. Scope
   - Review the system's objectives for phase 1 and compare them to what has been delivered. During the post-implementation review, careful attention should be paid to end users' utilisation of and overall satisfaction with the system; this will indicate whether the system's objectives and requirements were achieved;
   - Review that the cost benefits identified in the feasibility study are being measured, analysed and accurately reported to management;
   - Evaluate the adequacy of the security access restrictions to sensitive HR data (incl. backup strategy);
   - Ensure consistency with the laws and regulations governing storage and transmission of personnel data;
   - Confirm that the data conversion was complete and accurate;
   - Confirm that there are plans and/or resources to ensure an appropriate level of training and sustainment.

3. Overview                                                                   who /
3.1 Initial meeting
3.2 Describe org. structure: roles & responsibilities, contact details
3.3 Describe phase 1 (incl. project plans, budget, etc.)
3.4 Describe phase 2 (incl. project plans, budget, etc.)
3.5 List all planned absences for key personnel during the project
3.6 Any known control concerns? Describe!




                                                    Page 1

PART B: AUDIT AREAS

1. SAP HR organisation and Relationships (~ COBIT PO4)

HIGH-LEVEL CONTROL OBJECTIVE
   To deliver the right HR services to the entire organisation (successful rollout of SAP HR).
   -  Indication of resources: PEOPLE
   -  Information criteria impacted: EFFECTIVENESS (P) + EFFICIENCY (S)

CONTROL OBJECTIVES

1.1 Planning or Steering Committee – Project Team
    A committee is needed to oversee the project and its activities; it should include representatives from senior mgmt, user mgmt and the IT function, and should meet regularly.

    AUDIT WORK:
    - verify that responsibility has been defined for both the steering committee and the project team, including reporting lines
    - check whether goals are in line with the organisation's objectives
    - ensure that action items are resolved in a timely manner
    - verify whether there is clear data and system ownership
    - is coordination and communication effective between all parties involved?
    - is there effective coordination with other related projects? (Use the Incentive Plan as a test of use of the system and of awareness of other projects and initiatives. After discussion this may prove not to be applicable, but it is worthwhile to confirm nonetheless.)

1.2 Review of departmental achievements
    A framework should be in place for reviewing the department's structure so that it continues to meet objectives and changing circumstances.

    AUDIT WORK:
    - review the phase 1 project plan against actual status

1.3 Roles & Responsibilities
    All personnel involved should know their role and responsibility and should have sufficient authority to exercise the role assigned; segregation of duties should have been considered; people should have the necessary skills.

    AUDIT WORK:
    - review the org. chart
    - review job descriptions – do they exist and are they kept up to date?
    - interview key people






2. Investment Management (~ COBIT PO5)

HIGH-LEVEL CONTROL OBJECTIVE
   To control disbursement of financial resources.
   -  PEOPLE – APPLICATION – TECHNOLOGY – FACILITY
   -  EFFECTIVENESS (P) – EFFICIENCY (P) – RELIABILITY (S)

CONTROL OBJECTIVES

2.1 Annual Budget
    There should be an approved budget for the project that is in line with the company's long- and short-term plans (strategy).

    AUDIT WORK:
    - Review budget versus actual spending for the project (variances)
    - Review policies, methods and procedures relating to budgeting and costing (ensure that all costs are captured) at both the management accounts and statutory level
    - Evaluate cost and benefit monitoring – justification for variances



3. Compliance with external requirements (~ COBIT PO8)

HIGH-LEVEL CONTROL OBJECTIVE
   To meet legal, regulatory and contractual obligations.
   -  PEOPLE – APPLICATION – DATA
   -  EFFECTIVENESS (P) – COMPLIANCE (P) – RELIABILITY (S)

CONTROL OBJECTIVES

3.1 Contractual obligations
    Mgmt should ensure that formal contracts are in place with all 3rd parties involved.

    AUDIT WORK:
    - Review the SAP contract: ensure compliance with the contract, i.e. software licences etc.
    - Review contracts with consultants, if any

3.2 Privacy, Intellectual Property and Data Flow
    Mgmt should ensure compliance with the privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the practices of the organisation.

    AUDIT WORK:
    - Ensure that data being transmitted across state and international borders does not violate local and export laws
    - Ensure compliance with privacy regulations
    - If encryption is used, check that it conforms with the regulations (e.g. key length)
    - Ensure that sensitive/private information is being afforded appropriate security and privacy protection – internally and externally






4. Project Management (~ COBIT PO10)

HIGH-LEVEL CONTROL OBJECTIVE
   To set priorities and to deliver on time and within budget.
   -  PEOPLE – APPLICATION – TECHNOLOGY – FACILITY
   -  EFFECTIVENESS (P) – EFFICIENCY (P)

CONTROL OBJECTIVES

4.1 Project mgmt framework
    AUDIT WORK:
    - Review the framework for:
      - Scope and boundaries
      - Planning; staffing (roles & resp.); task breakdown; milestones; budget; checkpoints & approvals
      - Completeness
      - Current status
      - Documentation
      - …
    - Identify potential weaknesses – e.g. the project is:
      - Poorly managed;
      - Exceeding milestone dates;
      - Exceeding costs;
      - Not authorised;
      - Not technically feasible;
      - Not cost justified;
      - Not achieving planned benefits;
      - Not meeting internal control & security requirements;
      - Not thoroughly tested;
    - Are deviations from the original project plan documented and approved by the team? If a change occurred, was everyone informed?

5. SAP HR installation (~ COBIT AI5)

HIGH-LEVEL CONTROL OBJECTIVE
   To verify and confirm that the solution is fit for the intended purpose.
   -  PEOPLE – APPLICATION – TECHNOLOGY – FACILITY – DATA
   -  EFFECTIVENESS (P) – INTEGRITY (S) – AVAILABILITY (S)

CONTROL OBJECTIVES

5.1 Technical infrastructure
    AUDIT WORK:
    - Describe the technical system specifications: where the application resides, backup procedures, responsibilities for the technical aspects, etc.

5.2 Training
    AUDIT WORK:
    - Detailed review of the training materials for the SAP team – interview key people
    - Is there an ongoing training and education process in place?
    - Is there awareness of the confidentiality of HR data?
    - Identify skill gaps, if any







5.3 Implementation
    AUDIT WORK:
    - Has the functionality been delivered?
    - Does the system meet user requirements?
    - Evaluate user satisfaction (interviews)
    - Review test plans – system & acceptance testing etc.
    - Verify separation of the "TEST" and "LIVE" environments & review the transfer process
    - Check user profiles for access restrictions – consistent with job descriptions – see also 7. SECURITY
    - If customisation took place, has it been documented?

6. Change management (~ COBIT AI6)

HIGH-LEVEL CONTROL OBJECTIVE
   To minimise the likelihood of disruption, unauthorised alterations and errors.
   -  PEOPLE – APPLICATION – TECHNOLOGY – FACILITY – DATA
   -  EFFECTIVENESS (P) – EFFICIENCY (P) – INTEGRITY (P) – AVAILABILITY (P) – RELIABILITY (S)

CONTROL OBJECTIVES

6.1 Change request initiation and control
    AUDIT WORK:
    - Describe and review the procedures in place & assess whether internal controls are adequate.

    The implications of how change requests are prioritised and costed should be considered when reviewing the above procedures.




7. Security (~ COBIT DS5)

HIGH-LEVEL CONTROL OBJECTIVE
   To safeguard information against unauthorised use, disclosure or modification, damage or loss.
   -  PEOPLE – APPLICATION – TECHNOLOGY – FACILITY – DATA
   -  CONFIDENTIALITY (P) – INTEGRITY (P) – AVAILABILITY (S) – COMPLIANCE (S) – RELIABILITY (S)

CONTROL OBJECTIVES

7.1 Identification, Authentication and Access
    This review only considers security within the application.

    AUDIT WORK:
    - List all user IDs – are there default users (with default passwords) left on the system?
    - Are access privileges in line with the job descriptions – consider view, add, change and delete options?
    - Verify access to PCs that have SAP HR installed;
    - Are regular password changes enforced by the system?
    - Is there a procedure in place for user account management – joiners, leavers?
    - Is there a procedure in place for security violation reporting?
    - Has data been classified: highly sensitive – no sensitivity?
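
As an added illustration of three of the 7.1 checks (default accounts left unlocked, password changes not enforced, privileges beyond the job description), not part of the original audit program: a small Python script that runs those checks over a user-list export. The export column layout, the sample rows, the 90-day password-age limit and the list of standard SAP accounts are assumptions made for this example.

```python
# Added example for audit step 7.1 (not part of the audit program). Screens a
# user-list export for unlocked default accounts, stale passwords and roles
# that exceed the job description. The export columns are an assumed layout.
import csv
import io
from datetime import date

# Constructed sample export: one user per row; roles are ';'-separated and
# expected_roles is the entitlement derived from the person's job description.
SAMPLE_EXPORT = """user,type,locked,last_pw_change,roles,expected_roles
SAP*,dialog,no,2002-01-15,SAP_ALL,
DDIC,dialog,no,2002-01-15,SAP_ALL,
EARLYWATCH,dialog,yes,2002-01-15,Z_MONITORING,
JSMITH,dialog,no,2002-11-30,Z_HR_PAYROLL_DISPLAY,Z_HR_PAYROLL_DISPLAY
ABROWN,dialog,no,2002-03-01,Z_HR_MASTER_CHANGE;Z_HR_PAYROLL_DISPLAY,Z_HR_PAYROLL_DISPLAY
"""

# Standard SAP accounts delivered with well-known initial passwords
# (assumed list for the example; extend it from the SAP security guide).
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}
MAX_PASSWORD_AGE_DAYS = 90      # assumed policy value, not from the document
AS_OF = date(2002, 12, 15)      # assumed review date for the sample run


def parse_export(text):
    """Parse the CSV export into dicts with role sets and a date object."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["roles"] = set(filter(None, row["roles"].split(";")))
        row["expected_roles"] = set(filter(None, row["expected_roles"].split(";")))
        row["last_pw_change"] = date.fromisoformat(row["last_pw_change"])
    return rows


def audit_users(rows, as_of, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return (user, finding) pairs for the conditions listed under 7.1."""
    findings = []
    for r in rows:
        if r["user"] in DEFAULT_ACCOUNTS and r["locked"] != "yes":
            findings.append((r["user"], "default account still unlocked"))
        if r["locked"] == "yes":
            continue        # a locked account cannot log on; skip the remaining checks
        if (as_of - r["last_pw_change"]).days > max_age:
            findings.append((r["user"], "password older than policy"))
        excess = r["roles"] - r["expected_roles"]
        if r["expected_roles"] and excess:   # no job description on file: cannot compare
            findings.append((r["user"], "roles beyond job description: "
                             + ",".join(sorted(excess))))
    return findings


def run_sample():
    """Run the checks over the constructed export as of the review date."""
    return audit_users(parse_export(SAMPLE_EXPORT), AS_OF)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:<12} {finding}")
```

Accounts with no expected roles on file are reported only for the default-account and password-age conditions, which mirrors the audit step: without a job description there is nothing to compare privileges against.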

7.2 Business continuity
    AUDIT WORK:
    - Review recovery arrangements.



8. Users education and training (~ COBIT DS7)

HIGH-LEVEL CONTROL OBJECTIVE
   To ensure that users are making effective use of the SAP HR module and are aware of the risks and responsibilities involved.
   -  PEOPLE
   -  EFFECTIVENESS (P) – EFFICIENCY (S)

CONTROL OBJECTIVES

8.1 Users education / training
    AUDIT WORK:
    - Check system documentation
    - User manuals
    - Was a training plan developed? Review it
    - Was training given prior to implementation?
    - Are all aspects covered in the training: data entry – backups – management reporting – disaster recovery – etc.?

8.2 Identification of additional training needs
    AUDIT WORK:
    - User survey to verify whether training has been adequate.

9. Assist and Advise Users (~ COBIT DS8)

HIGH-LEVEL CONTROL OBJECTIVE
   To ensure that any problem experienced by the user is appropriately resolved.
   -  PEOPLE – APPLICATION
   -  EFFECTIVENESS (P) – EFFICIENCY (P)

CONTROL OBJECTIVES

9.1 Help Desk
    Is "first level support" covered by the helpdesk?
    If no, describe the current situation and check plans for the future.
    If yes, carry out:

    AUDIT WORK:
    - Describe help desk activities re: SAP HR support
    - Verify whether the helpdesk function is adequate – user satisfaction – staff competency – escalation procedures sufficient – resolution in a timely manner?






10. Data / Information Management (~ COBIT DS11)

HIGH-LEVEL CONTROL OBJECTIVE
   To ensure that data remains complete, accurate and valid during its input, update and storage.
   -  DATA
   -  INTEGRITY (P) – RELIABILITY (P)

CONTROL OBJECTIVES

10.1 Data preparation procedures
     Procedures are needed for data preparation by the different locations to ensure that errors and omissions are minimised and that irregularities are detected, reported and corrected.

     AUDIT WORK:
     - Review the process by which data was originally uploaded into SAP.
     - Questionnaire to # locations.

10.2 Source data should be complete, accurate and authorised
     Ensure that all source data has been prepared by authorised personnel who are acting within their authority and that an adequate segregation of duties is in place between origination and approval.

10.3 Data input authorisation procedures
     Establish appropriate procedures to ensure that data input is performed only by authorised staff.

     AUDIT WORK:
     - Initial upload covered in 10.1 & 10.2
     - Review the current process.

10.4 Accuracy, Completeness and Authorisation checks
     Input should be subject to a variety of controls to check for accuracy, completeness and validity.

     AUDIT WORK:
     - Review the current process – compare master files before and after input

10.5 Protection of sensitive information during transmission and transport
     Mgmt should ensure that adequate protection of sensitive information is provided during transmission and transport against unauthorised access, modification and misaddressing (consider integrity, confidentiality and non-repudiation).

     AUDIT WORK:
     - Review should be covered in points 3.2 & 7
10.6 Protection of disposed sensitive information
     Mgmt should define and implement procedures to prevent access to sensitive information on computers, disks and other equipment or media when they are disposed of or transferred to another use. Such procedures should guarantee that data marked as deleted or to be disposed of cannot be retrieved by any internal or third party.

     AUDIT WORK:
     - Verify whether any procedures are in place and review them if so

10.7 Storage management & terms
     Procedures should be in place for data storage that consider retrieval requirements & retention periods (need to meet legal & business requirements for all applicable countries).

     AUDIT WORK:
     - Verify whether any procedures are in place and review them if so

10.8 Backup and restoration
     A proper strategy is needed for backup and restoration of the data.

     AUDIT WORK:
     - Should be covered in 7.2

10.9 Authentication & Integrity
     Information received from external parties (e.g. inland revenue, certificates, etc.) should be appropriately checked before being entered into the system.

     AUDIT WORK:
     - Review adequacy of the process in place, if any.

10.10 Continued Integrity of Stored Data
     Mgmt should ensure that the integrity and correctness of the data kept on files and other media is checked periodically.

     AUDIT WORK:
     - Verify whether a process is in place to ensure this (e.g. if requests are received to update data, verify the authenticity of the source and contents)



11. Other Areas

CONTROL OBJECTIVES

11.1




PART C: AUDIT SUMMARY (FINDINGS)

See report as attached.