SAP HR Audit Program

April 9, 2018 | Author: ryozan | Category: Regulatory Compliance, Audit, Reliability Engineering, Backup, Authentication


Document: Audit Program
Area: POST IMPLEMENTATION REVIEW SAP HR - phase 1
Submitted by Ludwina MJ WUYTS – December 2002.

PART A: PLANNING AND ADMINISTRATION

1. Objective

To confirm that the SAP HR phase 1 implementation has achieved its stated objectives and that proper controls have been built into the system and/or into the project plans, in order to guarantee a successful continuation into phase 2.



• Review the system’s objectives for phase 1 and compare them to what has been delivered. During the post-implementation review, careful attention should be paid to end users’ utilisation of and overall satisfaction with the system; this will indicate whether the system’s objectives and requirements were achieved.
• Review that the cost benefits identified in the feasibility study are being measured, analysed and accurately reported to management.
• Evaluate the adequacy of the security access restrictions to sensitive HR data (including the backup strategy).
• Ensure consistency with the laws and regulations governing storage and transmission of personnel data.
• Confirm that the data conversion was complete and accurate.
• Confirm that there are plans and/or resources to ensure an appropriate level of training and sustainment.





3.1 Initial meeting
3.2 Describe organisation structure: roles & responsibilities, contact details
3.3 Describe phase 1 (incl. project plans, budget, etc.)
3.4 Describe phase 2 (incl. project plans, budget, etc.)
3.5 List all planned absences for key personnel during the project

3.6 Any known control concerns? Describe!


PART B: AUDIT AREAS

1. SAP HR organisation and Relationships (~ COBIT PO4)

HIGH-LEVEL CONTROL OBJECTIVE
To deliver the right HR services to the entire organisation (successful rollout of SAP HR).
- Indication of resources: PEOPLE
- Information criteria impacted: EFFECTIVENESS (P) + EFFICIENCY (S)

CONTROL OBJECTIVES

1.1 Planning or Steering Committee – Project Team

A committee is needed to oversee the project and its activities; it should include representatives from senior management, user management and the IT function, and should meet regularly.
AUDIT WORK:
• Verify that responsibility and reporting lines have been defined for both the steering committee and the project team.
• Check that goals are in line with the organisation’s objectives.
• Ensure that action items are resolved in a timely manner.
• Verify that there is clear data and system ownership.
• Is coordination and communication effective between all parties involved?
• Is there effective coordination with other related projects? (Use the Incentive Plan as a test of use of the system and awareness of other projects and initiatives. After discussion this may prove not to be applicable, but it is worthwhile to confirm nonetheless.)

1.2 Review of departmental achievements

A framework should be in place for reviewing the department’s structure so that it continues to meet objectives and changing circumstances.
AUDIT WORK:
• Review the phase 1 project plan against actual status.

1.3 Roles & Responsibilities

All personnel involved should know their roles and responsibilities; they should have sufficient authority to exercise the role assigned; segregation of duties should have been considered; people should have the necessary skills.
AUDIT WORK:
• Review the organisation chart.
• Review job descriptions – do they exist and are they kept up to date?
• Interview key people.


2. Investment Management (~ COBIT PO5)

HIGH-LEVEL CONTROL OBJECTIVE
To control disbursement of financial resources.
- Resources: PEOPLE – APPLICATION – TECHNOLOGY – FACILITY
- Information criteria: EFFECTIVENESS (P) – EFFICIENCY (P) – RELIABILITY (S)

CONTROL OBJECTIVES

2.1 Annual Budget

There should be an approved budget for the project that is in line with the company’s long- and short-term plans (strategy).
AUDIT WORK:
• Review budget versus actual spending for the project (variances).
• Review policies, methods and procedures relating to budgeting and costing (ensure that all costs are captured) at both the management accounts and statutory level.
• Evaluate cost and benefit monitoring – justification for variances.


3. Compliance with external requirements (~ COBIT PO8)

HIGH-LEVEL CONTROL OBJECTIVE
To meet legal, regulatory and contractual obligations.
- Resources: PEOPLE – APPLICATION – DATA
- Information criteria: EFFECTIVENESS (P) – COMPLIANCE (P) – RELIABILITY (S)

CONTROL OBJECTIVES

3.1 Contractual obligations

Management should ensure that formal contracts are in place with all third parties involved.
AUDIT WORK:
• Review the SAP contract: ensure compliance with the contract, i.e. software licences etc.
• Review contracts with consultants, if any.

3.2 Privacy, Intellectual Property and Data Flow

Management should ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the practices of the organisation.
AUDIT WORK:
• Ensure that data being transmitted across state and international borders does not violate local and export laws.
• Ensure compliance with privacy regulations.
• If encryption is used, check that it conforms with regulations (e.g. key length).
• Ensure that sensitive/private information is afforded appropriate security and privacy protection – internally and externally.


4. Project Management (~ COBIT PO10)

HIGH-LEVEL CONTROL OBJECTIVE
To set priorities and to deliver on time and within budget.
- Resources: PEOPLE – APPLICATION – TECHNOLOGY – FACILITY
- Information criteria: EFFECTIVENESS (P) – EFFICIENCY (P)

CONTROL OBJECTIVES

4.1 Project management framework

AUDIT WORK:
• Review the framework for:
  - scope and boundaries;
  - planning: staffing (roles & responsibilities), task breakdown, milestones, budget, checkpoints & approvals;
  - completeness;
  - current status;
  - documentation …
• Identify potential weaknesses – e.g. the project is poorly managed; exceeding milestone dates; exceeding costs; not authorised; not technically feasible; not cost justified; not achieving planned benefits; not meeting internal control & security requirements; not thoroughly tested.
• Are deviations from the original project plan documented and approved by the team? If a change occurred, was everyone informed?

5. SAP HR installation (~ COBIT AI5)

HIGH-LEVEL CONTROL OBJECTIVE
To verify and confirm that the solution is fit for the intended purpose.
- Resources: PEOPLE – APPLICATION – TECHNOLOGY – FACILITY – DATA
- Information criteria: EFFECTIVENESS (P) – INTEGRITY (S) – AVAILABILITY (S)

CONTROL OBJECTIVES

5.1 Technical infrastructure

AUDIT WORK:
• Describe the technical system specifications: where the application resides, backup procedures, responsibilities for the technical aspects, etc.

5.2 Training

AUDIT WORK:
• Detailed review of the training materials for the SAP team – interview key people.
• Is there an ongoing training and education process in place?
• Is there awareness of the confidentiality of HR data?
• Identify skill gaps, if any.


5.3 Implementation

AUDIT WORK:
• Has the functionality been delivered?
• Does the system meet user requirements?
• Evaluate user satisfaction (interviews).
• Review test plans – system and acceptance testing etc.
• Verify separation of the “TEST” and “LIVE” environments and review the transfer process.
• Check user profiles for access restrictions – consistent with job descriptions – see also 7. SECURITY.
• If customisation took place, has it been documented?

6. Change management (~ COBIT AI6)

HIGH-LEVEL CONTROL OBJECTIVE
To minimise the likelihood of disruption, unauthorised alterations and errors.
- Resources: PEOPLE – APPLICATION – TECHNOLOGY – FACILITY – DATA
- Information criteria: EFFECTIVENESS (P) – EFFICIENCY (P) – INTEGRITY (P) – AVAILABILITY (P) – RELIABILITY (S)

CONTROL OBJECTIVES

6.1 Change request initiation and control

AUDIT WORK:
• Describe and review the procedures in place and assess whether internal controls are adequate. When reviewing these procedures, consider the implications of how change requests are prioritised and costed.


7. Security (~ COBIT DS5)

HIGH-LEVEL CONTROL OBJECTIVE
To safeguard information against unauthorised use, disclosure or modification, damage or loss.
- Resources: PEOPLE – APPLICATION – TECHNOLOGY – FACILITY – DATA
- Information criteria: CONFIDENTIALITY (P) – INTEGRITY (P) – AVAILABILITY (S) – COMPLIANCE (S) – RELIABILITY (S)

CONTROL OBJECTIVES

7.1 Identification, Authentication and Access

This review only considers security within the application.
AUDIT WORK:
• List all user IDs – are there default users (with default passwords) left on the system?
• Are access privileges in line with the job descriptions – consider view, add, change and delete options?
• Verify access to PCs that have SAP HR installed.
• Are regular password changes enforced by the system?
• Is there a procedure in place for user account management – joiners, leavers?
• Is there a procedure in place for security violation reporting?
• Has data been classified: highly sensitive – no sensitivity?

7.2 Business continuity

AUDIT WORK:
• Review recovery arrangements.
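The access checks under 7.1 (default users, privileges versus job descriptions, segregation of duties from 1.3 and 10.2, and system-enforced password changes) can be run as a script over a user master export rather than by eye. The following is an added worked example, not part of the audit program or of SAP itself: the user export, the job-description role matrix, the role names and the profile parameter values are all constructed for the example, while the standard SAP user IDs and the two `login/` profile parameter names are real and taken from SAP's own security documentation. The policy thresholds (90-day password age, minimum length 8) are assumptions to be replaced with the organisation's own.

```python
"""Application-level user access review for control objective 7.1.

Added worked example; not part of the audit program. The user export, the
job-description role matrix and the profile parameter values are
constructed for this example.
"""
from datetime import date

# Standard user IDs that SAP systems are delivered with. The audit step asks
# whether any of them still exist and whether the initial password remains.
DEFAULT_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}

# Role combinations one person should not hold (segregation of duties, see
# 1.3 and 10.2): originating HR master data versus approving it, and running
# payroll versus changing bank details. Role names are constructed.
SOD_CONFLICTS = [
    frozenset({"HR_MASTER_ENTRY", "HR_MASTER_APPROVE"}),
    frozenset({"HR_PAYROLL_RUN", "HR_BANK_DETAILS_CHANGE"}),
]

# Job descriptions expressed as the roles each job is entitled to (constructed).
JOB_ROLES = {
    "HR_CLERK": {"HR_DISPLAY", "HR_MASTER_ENTRY"},
    "HR_MANAGER": {"HR_DISPLAY", "HR_MASTER_APPROVE"},
    "PAYROLL_ADMIN": {"HR_DISPLAY", "HR_PAYROLL_RUN"},
}

# Constructed user master export: one record per user ID.
USERS = [
    {"uid": "ASMITH", "job": "HR_CLERK",
     "roles": {"HR_DISPLAY", "HR_MASTER_ENTRY"},
     "pwd_changed": date(2002, 11, 20), "initial_pwd": False},
    {"uid": "BJONES", "job": "HR_MANAGER",
     "roles": {"HR_DISPLAY", "HR_MASTER_ENTRY", "HR_MASTER_APPROVE"},
     "pwd_changed": date(2002, 6, 1), "initial_pwd": False},
    {"uid": "CDOE", "job": "PAYROLL_ADMIN",
     "roles": {"HR_DISPLAY", "HR_PAYROLL_RUN", "HR_DELETE_ALL"},
     "pwd_changed": date(2002, 12, 1), "initial_pwd": False},
    {"uid": "SAP*", "job": None, "roles": {"SAP_ALL"},
     "pwd_changed": date(2002, 1, 15), "initial_pwd": True},
]

# Constructed values for the SAP profile parameters that govern password
# expiry and minimum length (parameter names are real; an expiration time
# of 0 means passwords never expire).
PROFILE_PARAMS = {"login/password_expiration_time": "0",
                  "login/min_password_lng": "6"}


def review_users(users, job_roles=JOB_ROLES, today=date(2002, 12, 15),
                 max_pwd_age_days=90):
    """Return (user ID, finding) pairs for every control exception found."""
    findings = []
    for u in users:
        uid, roles = u["uid"], set(u["roles"])
        if uid in DEFAULT_USERS:
            findings.append((uid, "DEFAULT_ACCOUNT_PRESENT"))
            if u["initial_pwd"]:
                findings.append((uid, "DEFAULT_PASSWORD_UNCHANGED"))
        # Roles beyond what the job description allows (view/add/change/delete).
        if u["job"] is not None:
            excess = roles - job_roles.get(u["job"], set())
            if excess:
                findings.append((uid, "EXCESS_ROLES:" + ",".join(sorted(excess))))
        # Segregation-of-duties conflicts held by a single user.
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append((uid, "SOD_CONFLICT:" + "+".join(sorted(pair))))
        if (today - u["pwd_changed"]).days > max_pwd_age_days:
            findings.append((uid, "PASSWORD_OLDER_THAN_POLICY"))
    return findings


def check_password_policy(params, min_length=8, max_days=90):
    """Check whether the system itself enforces regular password changes."""
    issues = []
    expiry = int(params.get("login/password_expiration_time", "0"))
    if expiry == 0 or expiry > max_days:
        issues.append("PASSWORD_EXPIRY_NOT_ENFORCED")
    if int(params.get("login/min_password_lng", "0")) < min_length:
        issues.append("MIN_PASSWORD_LENGTH_BELOW_POLICY")
    return issues


if __name__ == "__main__":
    for uid, finding in review_users(USERS):
        print(f"{uid:12} {finding}")
    print("profile parameters:", check_password_policy(PROFILE_PARAMS))
```

Each finding maps back to one bullet of 7.1, so the output can be pasted into the working papers as the evidence for that bullet. Note that the password-age check on individual users and the profile-parameter check are complementary: a system where expiry is switched off may still show recent changes for some users, but the audit question is whether the system enforces it.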

8. Users education and training (~ COBIT DS7)

HIGH-LEVEL CONTROL OBJECTIVE
To ensure that users are making effective use of the SAP HR module and are aware of the risks and responsibilities involved.
- Resources: PEOPLE
- Information criteria: EFFECTIVENESS (P) – EFFICIENCY (S)

CONTROL OBJECTIVES

8.1 Users education / training

AUDIT WORK:
• Check system documentation.
• Check user manuals.
• Was a training plan developed? Review it.
• Was training given prior to implementation?
• Are all aspects covered in the training: data entry – backups – management reporting – disaster recovery – etc.?

8.2 Identification of additional training needs

AUDIT WORK: • User survey to verify if training has been adequate.

9. Assist and Advise Users (~ COBIT DS8)

HIGH-LEVEL CONTROL OBJECTIVE
To ensure that any problem experienced by the user is appropriately resolved.
- Resources: PEOPLE – APPLICATION
- Information criteria: EFFECTIVENESS (P) – EFFICIENCY (P)

CONTROL OBJECTIVES

9.1 Help Desk

Is “first level support” covered by the helpdesk? If not, describe the current situation and check plans for the future. If yes, carry out:
AUDIT WORK:
• Describe help desk activities regarding SAP HR support.
• Verify whether the helpdesk function is adequate – user satisfaction – staff competency – are escalation procedures sufficient – is resolution timely?


10. Data / Information Management (~ COBIT DS11)

HIGH-LEVEL CONTROL OBJECTIVE
To ensure that data remains complete, accurate and valid during its input, update and storage.
- Resources: DATA
- Information criteria: INTEGRITY (P) – RELIABILITY (P)

CONTROL OBJECTIVES

10.1 Data preparation procedures

Procedures are needed for data preparation by the different locations to ensure that errors and omissions are minimised and that irregularities are detected, reported and corrected.
AUDIT WORK:
• Review the process by which data was originally uploaded into SAP.
• Questionnaire to # locations.

10.2 Source data should be complete, accurate and authorised

Ensure that all source data has been prepared by authorised personnel who are acting within their authority and that an adequate segregation of duties is in place regarding the origination and approval.

10.3 Data input authorisation procedures

Establish appropriate procedures to ensure that data input is performed only by authorised staff.
AUDIT WORK:
• Initial upload covered in 10.1 & 10.2.
• Review the current process.

10.4 Accuracy, Completeness and Authorisation checks

Input should be subject to a variety of controls to check for accuracy, completeness and validity.
AUDIT WORK:
• Review the current process – compare master files before and after input.
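The "compare master files before and after input" step in 10.4, together with the Part A objective of confirming that the data conversion was complete and accurate, comes down to a reconciliation of the legacy extract against what is now in SAP. The following is an added worked example, not part of the audit program: both extracts are constructed CSV text with made-up personnel numbers, and the field names are assumptions. It compares record keys in both directions, field values for the records present on both sides, and control totals over a monetary field, so that a conversion which preserved the record count but altered a value is still caught.

```python
"""Data-conversion reconciliation for control objectives 10.1 to 10.4.

Added worked example; not part of the audit program. The legacy and SAP
extracts are constructed, with made-up personnel numbers and field names.
"""
import csv
import io
from decimal import Decimal

# Constructed legacy personnel master extract (the source of the upload).
LEGACY_CSV = """pernr,surname,cost_centre,basic_pay
00001001,Smith,CC100,2500.00
00001002,Jones,CC100,2750.50
00001003,Brown,CC200,3100.00
00001004,Taylor,CC200,2900.00
"""

# Constructed extract of the same master data after upload into SAP HR.
# Record counts match, but one value was transposed, one record was lost
# and one record appeared with no legacy source.
SAP_CSV = """pernr,surname,cost_centre,basic_pay
00001001,Smith,CC100,2500.00
00001002,Jones,CC100,2705.50
00001003,Brown,CC200,3100.00
00001005,Evans,CC300,2600.00
"""


def load_extract(text, key="pernr"):
    """Parse a CSV extract into {key: row}; a duplicate key is an error."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row[key] in rows:
            raise ValueError(f"duplicate {key} {row[key]} in extract")
        rows[row[key]] = row
    return rows


def reconcile(legacy_text, sap_text, key="pernr", amount_field="basic_pay"):
    """Compare the legacy and SAP extracts record by record and by totals."""
    legacy = load_extract(legacy_text, key)
    sap = load_extract(sap_text, key)
    missing = sorted(set(legacy) - set(sap))  # in source, not converted
    extra = sorted(set(sap) - set(legacy))    # in SAP with no source record
    changed = {}
    for k in sorted(set(legacy) & set(sap)):
        diffs = {f: (legacy[k][f], sap[k][f])
                 for f in legacy[k] if legacy[k][f] != sap[k][f]}
        if diffs:
            changed[k] = diffs
    # Control totals: count and sum of the monetary field on each side.
    totals = {
        "legacy_count": len(legacy),
        "sap_count": len(sap),
        "legacy_sum": sum(Decimal(r[amount_field]) for r in legacy.values()),
        "sap_sum": sum(Decimal(r[amount_field]) for r in sap.values()),
    }
    return {"missing": missing, "extra": extra, "changed": changed,
            "control_totals": totals}


if __name__ == "__main__":
    result = reconcile(LEGACY_CSV, SAP_CSV)
    print("not converted:", result["missing"])
    print("no legacy source:", result["extra"])
    for pernr, diffs in result["changed"].items():
        for field, (before, after) in diffs.items():
            print(f"{pernr} {field}: {before} -> {after}")
    print("control totals:", result["control_totals"])
```

Records listed under "no legacy source" need separate evidence that they were input by authorised staff (10.2 and 10.3); records listed as "not converted" or "changed" go back to the data owner for correction. The example deliberately makes the record counts agree so that the need for both key-level comparison and control totals is visible.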

10.5 Protection of sensitive information during transmission and transport

Management should ensure that adequate protection of sensitive information is provided during transmission and transport against unauthorised access, modification and misaddressing (consider integrity, confidentiality and non-repudiation).
AUDIT WORK:
• Review should be covered under points 3.2 & 7.

10.6 Protection of disposed sensitive information

Management should define and implement procedures to prevent access to sensitive information from computers, disks and other equipment or media when they are disposed of or transferred to another use. Such procedures should guarantee that data marked as deleted or to be disposed of cannot be retrieved by any internal or third party.
AUDIT WORK:
• Verify whether any procedures are in place and, if so, review them.

10.7 Storage management & terms

Procedures should be in place for data storage which consider retrieval requirements and retention periods (these need to meet legal and business requirements for all applicable countries).
AUDIT WORK:
• Verify whether any procedures are in place and, if so, review them.

10.8 Backup and restoration

A proper strategy is needed for backup and restoration of the data.
AUDIT WORK:
• Should be covered in 7.2.

10.9 Authentication & Integrity

Information received from external parties (e.g. inland revenue, certificates, etc.) should be appropriately checked before being entered into the system.
AUDIT WORK:
• Review the adequacy of the process in place, if any.

10.10 Continued Integrity of Stored Data

Management should ensure that the integrity and correctness of the data kept on files and other media is checked periodically.
AUDIT WORK:
• Verify whether a process is in place to ensure this (e.g. if requests are received to update data, verify the authenticity of the source and contents).

11. Other Areas

CONTROL OBJECTIVES

11.1

PART C: AUDIT SUMMARY (FINDINGS)

See report as attached.
