7/28/2019 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
1/28
6/19/13 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
www.acdi-cida.gc.ca/acdi-cida/acdi-cida.nsf/eng/NAT-1013101052-JMU
ARCHIVED - SAP HR System
This Web page has been archived on the Web.
Archived Content
Information identified as archived on the Web is for reference, research or recordkeeping
purposes. It has not been altered or updated after the date of archiving. Web pages that are
archived on the Web are not subject to the Government of Canada Web Standards. As per the
Communications Policy of the Government of Canada, you can request alternate formats by
contacting us.
Internal Audit Report
July 7, 2005
Summary
1. Context
2. Objective, Scope and Methodology
2.1 Objectives
2.2 Scope
2.3 Methodology
3. Observations and Recommendations
3.1 Observations Arising from the review of SAP HR Processes
3.2. Observations Arising from the Benchmarking of the SAP Support Group Structure
3.3 Observations Arising from the Assessment of SAP HR Functionality
Conclusion
Appendix A Summary of Audit Recommendations
Appendix B Control Objectives/Audit Criteria for the SAP HR Process Review
Appendix C - SAP HR Control Framework
Summary
At the request of the Director General of the Human Resources Division (HRD), the Performance
Review Branch performed a preliminary survey in order to identify issues relating to Human
Resource Management.
As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit
and assessment of the SAP HR module in operation at CIDA.
The overall objective of the audit is to assess the functionality of the SAP HR system, by:
Documenting the system controls and assessing the adequacy and use of the system;
Assessing the accuracy and integrity of the information emanating from the application;
Assessing the effectiveness and efficiency of the system and identifying areas for improvement;
Reviewing and evaluating the appropriateness of access authorities to ensure the privacy/protection of personal data;
Benchmarking the level of resources required to maintain and to enhance the system against similar organizations; and,
Assessing the extent to which the SAP HR module is meeting the needs of HRD and of the Agency overall.
As a result, we can conclude that the functionality required to support the business needs of HRD
and the Agency overall has been implemented. However, some areas for improvement in the
effectiveness, efficiency and data integrity within the business processes and reporting have been
identified. Opportunities for improvement of the control framework also exist, with a specific
focus on increased monitoring of changes to master data elements and on the performance
of periodic data quality reviews. An adequate framework for the design of user access privileges
has been developed; however, issues currently exist with its technical implementation through the
SAP application security functionality.
Based on the results accumulated through a benchmarking survey, the size of the SAP HR support
group is larger than those of the organizations polled.
The main observations and recommendations arising from the audit are:
HRD should modify the business processes surrounding acting situations to incorporate the
entry of all EX acting situations into the SAP HR application and ensure that all terminated
acting assignments be reflected in the system on a timely basis;
HRD, in collaboration with IMTB and the Branches, should develop a set of periodic monitoring
procedures and reports for review and follow-up by the Responsible Managers within CIDA.
Compensation and Benefits Directorate should perform a reconciliation of position/employee
classification data and pay rates within SAP to information recorded in the On-Line Pay
application once a year.
IMTB, in conjunction with HRD and the SAP Support Group should correct the configuration of
the security role for the Branch Administrators and to eliminate the ability to submit and
approve their own overtime and leave requests;
HRD and the SAP Support Group should develop monitoring procedures for the review of leave
balances by Responsible Managers on a regular basis;
IMTB, in cooperation with the SAP HR Support group, should review the configuration of access
privileges assigned to the Branch Administrative Officers to prevent them from creating and
activating new positions, thereby allowing the Classification Division to approve the position
and classification data for new positions and/or individuals, as outlined in their roles &
responsibilities;
IMTB should remove access of non-HR SAP Support Group members and IMTB users that are
not involved in supporting HR;
IMTB should perform Privacy Impact Assessments in accordance with Treasury Board
requirements;
IMTB should remove the ability to view personal information through direct query of HR
tables and the ability to execute reports through SA38, and the configuration of security
over reporting of HR information should be adjusted to protect personal information;
IMTB should limit the use of generic accounts;
IMTB, in conjunction with HRD and the SAP Support Group should develop a set of security
monitoring procedures in order to identify potential access irregularities for correction;
CRC should decide on the staffing levels for the SAP HR Support group;
HR business process focused training (as opposed to SAP data entry training) should be
developed by HRD to enhance the business process and policy requirements knowledge of
users; and,
SAP HR Support Group should examine the reporting requirements of CIDA HR users and
determine whether the current reports available address their needs.
1. Context
At the request of the Director General of the Human Resources Division (HRD), the Performance
Review Branch performed a preliminary survey in order to identify issues relating to Human
Resource Management.
As a result, three follow-on reviews/audits were identified and initiated. This report is on the audit
and assessment of the SAP HR module in operation at CIDA.
Overview of SAP Human Resources Modules
The Human Resources module of SAP in operation at CIDA is divided into three major applications -
Personnel Administration (PA), Organization Management (PD) and Time Management. The PA sub-
application includes employee information and employee classifications. The PD sub-application
covers organization management, which includes the organizational structure, the position
classifications and other organizational structure information. The Time Management functionality is
used to capture requests for leave and overtime compensation and to provide an electronic
approval of the requests from employees' supervisors.
The new Salary Forecasting System (SFS) within SAP was implemented as of April 1st, 2004. This
functionality will use the salary information captured for Agency employees within the SAP
application and essentially provide a budget figure for salaries remaining to be paid within a given
fiscal/budget year. As of March 2004, CIDA's salary forecasting system was not within the SAP
system.
Infotypes
Functionality within the SAP application and the information stored within an employee's on-line
personnel file is centred on the concept of an "infotype". By definition, an infotype is a screen within
the SAP application that captures specific pieces/elements of information. For example, infotype
0002 contains personal information (name, date of birth, SIN) for all employees, and infotype 0008
contains basic/annual salary information. As this concept is central to the operation of the system,
the information within sensitive/personal infotypes must also be adequately protected from
unauthorized change or viewing.
2. Objective, Scope and Methodology
2.1 Objectives
The overall objective of the audit is to assess the functionality of the SAP HR system, including the
following:
Review of SAP HR Processes (Section 3.1)
To document the system controls and to assess the adequacy and use of the system;
To assess the accuracy and integrity of the information emanating from the application;
To assess the effectiveness and efficiency of the system and to identify areas for
improvement;
To review and evaluate the appropriateness of access authorities to ensure the
privacy/protection of personal data;
Benchmarking of the SAP Support Group Structure (Section 3.2)
To benchmark the level of resources required to maintain and to enhance the system against
public sector organizations with SAP HR (two in the Federal Government and two others); and,
Assessment of SAP HR Functionality (Section 3.3)
To assess the extent to which the SAP HR module is meeting the needs of HRD and of the
Agency overall.
2.2 Scope
The audit was focused on the assessment of functionality with the SAP HR application. This
included a detailed review and examination of the configuration of the system as well as the
configuration and assignment of specific access rights to users. Processes and procedures
supporting the integrity of the data within the application were also evaluated, such as the use of
monitoring reports for the verification of data, subsequent to entry into the system.
The evaluation of the new SFS functionality was also excluded, as it was not implemented as of
March 31, 2004. Also excluded from the scope of the review were the processes, procedures and
overall control framework in place within PWGSC's On-Line Pay (OLP) application.
The focus of the audit was strictly the review and assessment of the control framework and the
functionality of CIDA's SAP HR application.
2.3 Methodology
This audit was performed according to the Treasury Board policy on internal audit and audit
standards of the Institute of Internal Auditors. The audit was conducted from February 10, 2004 to
March 31, 2004. Our audit approach was:
To gather information on concerns over SAP HR within CIDA by reviewing 2 other HR internal
audits that were recently completed along with the preliminary survey of the HR function;
To develop internal control objectives relating to the SAP HR functionality implemented at
CIDA against which to perform the detailed control-based analysis;
To gather information on the current SAP HR functionality, supporting business processes
and control framework supporting the accuracy and completeness of the data through a
selection of interviews and system set-up review;
To review and analyze supporting process documentation relating to SAP HR processes, as
provided by interviewees;
To perform an assessment of the efficiency and effectiveness of the SAP system and
processes;
To perform a review of the key system based controls in SAP HR, including user access rights
to perform HR related functions, the protection of personal information and configuration data
validation rules;
To accumulate data on support group size and composition through the completion
of surveys by local organizations (public sector and other) utilizing SAP HR for benchmarking
purposes; and
To perform a benchmarking of the size and composition of the SAP HR support group against
similar organizations.
The control objectives and audit criteria are documented within Appendix B.
Process descriptions and control framework are included in Appendix C. The control framework
presentation was used to analyze and to identify internal control strength and weaknesses
associated with the SAP HR audit work. It was also used to analyze whether the particular
objectives and assertions have been satisfied with the existing control processes/procedures
identified.
3. Observations and Recommendations
3.1 Observations Arising from the review of SAP HR Processes
The following observations stem from the interviews of SAP HR support group and users of the
system, and through a review of documentation outlining the set-up or configuration of the system
and access profiles, as well as the design of supporting business processes. The appropriateness of
the assignment of access rights to users was also reviewed as well as the configuration of the SAP
access profiles.
HR Master Data
Overall, the integrity of HR related information is supported through the implementation of system-
based checks and validations, which are currently in operation within the HR module. For example,
with regards to the hiring of an employee, the application has been set-up with pre-established
routines to take users to the necessary screens for population of data, required fields have been
configured within the screens and access rights to perform the maintenance actions have been
restricted to authorized individuals.
It was noted, however, that selected personnel movement situations (such as EX acting
assignments that do not affect pay) are currently not being entered into the system. This has an
adverse impact on the routing for the approval of an employee's overtime and leave
requests established in the system, as the organizational structure is not updated with the most
current information. For example, if an EX-01 level individual acts as an EX-02, no changes are
made in SAP HR until a 3-month period has elapsed, as no payroll changes are required. It was
further noted that the expiration of acting assignments is not being reflected on a timely basis.
These actions require user intervention within the application, and the lack of system updates to
reflect the actual movements decreases the overall integrity and accuracy of the data in the HR
application.
The impact of this situation is that leave balances may not be updated on a timely basis and/or
overtime due to an employee may not be paid on a timely basis. Alternatively, this situation could
result in requests for leave and overtime being approved by an unauthorized person for the purpose
of clearing old items in the system.
While the system-based controls are appropriate, it was noted during the audit that opportunities
for improvement of the data integrity verification procedures exist. Specifically, a number of
current manual and/or monitoring (i.e. non system-based) validation processes, which are normally
put in place to detect anomalies in data captured, are candidates for improvement. There are
currently no formal processes in place for the periodic review and approval of SAP HR information
by responsible managers within the Branches, or by individuals within HRD. This includes both the
review of organizational structure and personnel assignments in SAP (at the Branch level) and/or
the comparison and reconciliation of pay information against PWGSC's On-Line Pay system by
Compensation and Benefits. The On-Line Pay application contains more pristine information on pay
and benefits as Agency employees are currently paid via this system. Comparisons to this source
of information strengthen the integrity of the classification and payroll related employee data
captured in the SAP application.
References (additional details see Appendix C HR Control Framework):
Control Weakness #1 - Acting Assignments;
Control Weakness #2 - Monitoring Reports for HR Master Data
Control Weakness #3 - PWGSC On-line Pay Reconciliation with SAP
Recommendations
1. It is recommended that the HRD modify the business processes surrounding acting situations to
incorporate the entry of all acting situations into the SAP HR application, regardless of whether or
not there is an effect on pay. It is further recommended that all terminated acting assignments be
reflected in the system on a timely basis.
2. It is recommended that HRD, in collaboration with IMTB and the Branches develop a set of
periodic monitoring procedures and reports for review and follow-up by the Responsible Managers
within CIDA. The periodic review will serve to assess the integrity of the current organizational
structures and personnel assignments within a specific area of responsibility and will also identify
acting situations that have not been recorded and/or expired acting situations that have not been
recorded. It is further recommended that the review be performed at least every 4 months and
that the process be facilitated and monitored by the HRD.
3. It is recommended that the Compensation and Benefits Directorate perform a reconciliation of
position/employee classification data and pay rates within SAP to information recorded in the On-
Line Pay application once a year.
Management Responses
1. Agree that rationalization of leave and overtime approval authorities is required to reflect EX
acting situations that do not result in changes to rates of pay but disagree with the proposed
corrective action plan.
The Branch Administration Officers (BAO) can amend the reporting relationships to reflect acting
situation in the SAP system now, without a system configuration.
The Human Resources Division (HRD) agrees to remind BAOs of the need to amend the reporting
relationships of employees when someone is acting in an EX position and to ensure that this
procedure is reviewed as part of regular SAP-HR monitoring practices.
2. Agree. HRD, in collaboration with IMTB and the branches will identify appropriate monitoring
tools to enable the Responsible Manager within CIDA to periodically review the acting situation
within the manager's own branch. Also, HRD will assess the integrity of the organizational
structures at the Agency level.
Roles and responsibilities will be defined and process installed through the SAP-HR Improvement
Project (SHIP) initiative.
Business process and definition of roles and responsibilities through the SAP-HR Improvement
Project (SHIP) initiative.
3. Agree. Files are being created to compare data between "On-Line Pay" System and SAP-HR
employee's position classification and pay scale.
This comes under the SAP-HR Improvement Project (SHIP) initiative - Enhancement of Quality
control.
Leave and Overtime Recording
CIDA has developed an Agency specific solution for the creation/entry of leave requests and
overtime entitlements. In this business model, employees are responsible for entering their own
requests for leave, requests for approval for overtime worked, as well as selecting the method they
would like to be compensated for their overtime entitlement (i.e. banked time or cash payout).
Upon entry of the request, SAP automatically verifies whether the request is in accordance with
the employee's appropriate collective agreement provisions. The employee's Supervisor is then
responsible for examining the requests and for approving or "unlocking" the item so that it can be
committed to the database/recorded and settled (i.e. banked or paid out).
Generally, the SAP access roles for Employees and Supervisors were appropriately configured to
enforce the business rules/process outlined above. However, when these access rights were
combined with other access rights in SAP, 31 Branch Administrative Officers had the ability to
enter and approve/unlock their own requests. This situation increases the risk of unauthorized
overtime being paid out, as these individuals can submit and approve their own overtime
requests. This represented a known issue within the SAP system, with a decision taken by
management to control the process through detective/monitoring type processes.
Furthermore, there are no periodic review processes in place to provide for the integrity of leave
data for employees. Without a proper detective control to ensure the employees are recording all
leave taken in SAP, individuals could possibly take more leave than they are entitled to and/or the
Agency could pay out amounts for invalid/inaccurate balances. The system can help managers
monitor whether employees are recording their leave or not.
References (additional details see Appendix C HR Artpack):
Control Weakness #4 - Unauthorized Approval of Overtime
Control Weakness #5 - Monitoring of Leave Balances Accuracy
Recommendations
4. It is recommended that IMTB, in conjunction with HRD and the SAP Support Group correct the
configuration of the security role for the Branch Administrators and to eliminate the ability to
submit and approve their own overtime and leave requests. Specifically, the Branch Administrators
access should be limited to submitting their own requests for subsequent approval by their
Supervisors.
5. It is recommended that HRD and the SAP Support Group develop monitoring procedures for the
review of leave balances by Responsible Managers on a monthly basis.
Management Responses
4. Agree. This recommendation was acted upon with SR1733 and completed May 13, 2004.
5. Agree. Supervisors and RC managers will be reminded of their responsibility to regularly review
their employees' leaves calendar to ensure that leave taken is recorded appropriately. HRD will
send out a reminder to managers to this effect.
A new tool to be launched in September 2005, Manager Self Services (MSS) will assist managers in
this regard.
Organizational Management
The organizational management functionality within SAP contains the active organizational
structure of the Agency, including the design of specific organization units (i.e. Branches) and
positions. Individual positions are created as elements of master data and include reporting
relationships between positions and classification/planned compensation based on collective
bargaining agreements. When employees are hired, they inherit the attributes of the
position, including the salary and classification, and the employee is also placed into the
appropriate place in the organizational structure. This is referred to as the integration of Personnel
Administration and Organizational Management within SAP HR.
The maintenance of position data at CIDA is a shared responsibility between the Branches (Branch
Administrative Officers and the Branch Managers) and the Classification Division. The current
business process stipulates that the Branch Administrative Officer is responsible for setting up the
new position or making a position data change in a "proposed" status for subsequent approval by
the Branch/Responsible Manager. Subsequently, the Classification Officer reviews the classification
and either approves or rejects the position. If it is approved, the position becomes active and the
position is introduced into CIDA's organizational structure. This "self-service" type of business
process is becoming more popular for SAP clients and the sharing of data entry functions as
outlined above is consistent with the trends occurring elsewhere in the public and private sectors.
In this new business model, end-user departments (such as the Branches) are typically responsible
for data entry with an oversight function being performed by a centralized body.
Branch Administrative Officers currently have the access in the SAP system to create positions,
assign a classification in SAP and make them active within the organizational structure at CIDA.
They also have the ability to appoint or hire individuals into these positions. When this type of
access is combined with position maintenance access, a segregation of duties risk within SAP is
created as individuals could be appointed or hired into positions without a proper classification. The
risk of improper classification and non-compliance with delegation of authorities is also increased as
Branch Administrative Officers and the Responsible Managers also do not currently have the
delegation/classification authority for positions. To compensate for this risk, the SAP HR Support
group developed a monitoring report that provides a listing of the new positions that have been
created and classified in the system on a daily basis. This monitoring report is supposed to be
reviewed by the Classification Division, with any required corrections discussed with the Branches.
It was noted, however, that this report is currently not being reviewed on a daily/regular basis
given workload and backlog issues within the Classification Division.
References (additional details see Appendix C HR Artpack):
Control Weakness #6 - Position Master Record Maintenance
Recommendation
6. It is recommended that IMTB, in cooperation with the SAP HR Support group, review the
configuration of access privileges assigned to the Branch Administrative Officers to ensure that the
configuration supports the needs of the business. Specific attention should be focused on the
creation and activation of positions by the Branch Administrative Officers as they can currently
create new positions without intervention from Classification Division. This configuration will allow
the Classification Division to approve the position and classification data for new positions and/or
individuals, as outlined in their roles & responsibilities.
Management response
6. Agree. This recommendation is already being addressed through a workflow process that will
identify the approval of the different authorized persons within the classification of a position
process in the SAP-HR system.
The Workflow section within IMTB is currently working with the SAP-HR Support group. Also, the
Branch Administrator's role is being reviewed to limit their access when creating a position for
classification.
Guidelines on the Service Standards will be developed by the Classification Section and
communicated to the BAO.
This comes under the SHIP-HR Improvement Project (SHIP) initiative.
Security and Privacy
Human Resource applications typically contain a number of elements of personal information that
must be protected from unauthorized disclosure. Given the importance of emergency contact and
the financial impact of pay information (with the implementation of SFS), it is important to limit the
ability to update this information to only authorized individuals.
At the time of the SAP HR implementation in October 2000, an assessment of the information
captured in the system was performed to identify elements of information that should not be
available for viewing to persons other than those designated. Specific examples of data covered in
this analysis include employment equity information and personal qualifications. Treasury Board
requirements state that a Privacy Impact Assessment (PIA) must be undertaken for any major
system change where personal information is involved. In the new fiscal year, CIDA is planning to
implement new functionality for salary forecasting (Salary Forecasting System - SFS) and no PIA
has been undertaken to date.
In general, while the security and privacy design approach/framework in CIDA for granting HR
access appears adequate for protecting personal information, there were some configuration
breakdowns/abnormalities noted during the audit that circumvented the key planned controls for
users to be limited to their own areas of responsibility (i.e. Branch) for the performance of HR
report execution.
The two configuration exceptions related to the viewing/reporting of information. The first
exception is that as of March 22, 2004, over 1700 (i.e. all CIDA employees and consultants) user
accounts had access to view HR data at the table level through table browser transactions (SAP
transaction code SE16). Effectively, this profile configuration represents a "back door" that allows
users to view information (including sensitive HR information) that is not required for their job
functions. This configuration could also result in violations of the Privacy Act that outlines
requirements for protection of personal information for government employees.
The second exception involves the configuration of an SAP delivered "override". Specifically, when
the P_ABAP authorization object is configured with specific values and assigned to users, the
regular SAP security checks performed during the execution of HR reports are deactivated. For
example, if users are assigned access profiles that prevent them from viewing employees outside of
their area of responsibility (i.e. Branch), the configuration of the override will allow them to see
employees outside of their Branch on reports if requested (i.e. information that they are not
authorized to view). Authorizations set up in this manner allow individuals to have access to all HR
information on a report even though their user profile is configured to restrict them accessing the
data. Currently, 129 users have been provided with this override.
The audit of the HR end user access profiles revealed that 14 roles/profiles had been given access
to run programs directly (i.e. other than through specific access to reports/transactions) through
the ability to execute programs through a centralized mechanism (transaction SA38). The effect of
this functionality is essentially to bypass transactional restrictions imposed on users. These
transactions could also provide access to sensitive HR reports and transactions and therefore,
provide an alternative means of accessing HR information. Although the configuration does restrict
the users to specific reports within the HR function (through the use of authorization group flags
and authorization object S_PROGRAM), there are a number of reports in SAP, including HR reports,
for which this level of protection is not available.
Access to perform maintenance of specific pieces of information or infotypes and/or viewing of
selected sensitive infotypes is also available to SAP Support personnel who are not directly
involved with the support of the HR modules. This includes selected Support individuals for SAP
financial applications, as well as members of IMTB (such as Security Administrators).
A specific issue test conducted as part of the audit was to examine the use of generic accounts
within the system. Generic accounts/IDs are defined as user accounts that are not directly tied to
an individual and/or are shared for maintenance purposes. The SAP HR support group has adopted
a specific naming convention for their group's users. Specifically, the HRAIS series of accounts
were created to prevent users from calling SAP support group members directly if a change is made
to an employee's information. However, members of the support group have been given their own
unique HRAIS (i.e. HRAIS01, HRAIS02, etc.) account that is tied directly to them through the text
field name on the account. They are also responsible for keeping the confidentiality of their own
passwords. Finally, the same HRAIS account will not be assigned to a new employee after the
departure of support group team member. Therefore, the HRAIS series of accounts is not
considered to be generic accounts.
Nevertheless, there are some generic accounts that currently have access to perform maintenance
functions and/or view sensitive information. Accounts such as WFADMIN, WFADMIN2,
WFADMINTEST, WORKFLOW, PHOENIX, ACDI-CIDA are all accounts that have access to perform HR
functions.
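As an added example (not part of the audit report and not CIDA's or SAP's own code), the following Python script performs the kind of user-access review the observations above describe, over a constructed authorization extract: it flags table-browser access (SE16), the SA38/SE38 program-execution bypass and whether S_PROGRAM narrows it, the P_ABAP override, and generic accounts holding HR authorizations. The object and field names S_TCODE/TCD, P_ABAP/REPID/COARS, S_PROGRAM/P_GROUP and P_ORGIN/ACTVT are standard SAP names; the meaning of COARS = 2 ("no authorization check") is assumed from SAP documentation; the generic account names come from the report, and the sample users, roles and report name are invented.

```python
"""Periodic user-access review over an SAP-style authorization extract.

Added example, not code from the CIDA audit or from SAP. The input is a
constructed, flattened list of user/role/authorization-field values, the kind
of listing a user-information report or an export of role/user assignment
tables would yield. Nothing here talks to a live system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Transactions the report singles out: direct table display, and the
# run-any-program mechanism that bypasses transaction-level restrictions.
TABLE_BROWSER_TCODES = {"SE16", "SE16N"}
PROGRAM_EXEC_TCODES = {"SA38", "SE38"}

# Accounts not tied to an individual (names as listed in the report).
GENERIC_ACCOUNTS = {"WFADMIN", "WFADMIN2", "WFADMINTEST", "WORKFLOW",
                    "PHOENIX", "ACDI-CIDA"}


@dataclass(frozen=True)
class AuthValue:
    user: str
    role: str
    obj: str    # authorization object, e.g. S_TCODE, P_ABAP, P_ORGIN
    field: str  # field of that object, e.g. TCD, COARS, ACTVT
    value: str  # a single value, or '*' meaning "any"


def matches(value, wanted):
    """SAP-style match: '*' grants everything, otherwise exact value."""
    return value == "*" or value in wanted


def program_exec_unrestricted(user_rows):
    """True when S_PROGRAM does not pin the user to named authorization
    groups, i.e. the SA38/SE38 bypass is not narrowed by group flags."""
    groups = [r.value for r in user_rows
              if r.obj == "S_PROGRAM" and r.field == "P_GROUP"]
    return not groups or "*" in groups


def review_access(rows):
    """Return {user: sorted list of (finding, role)} covering the report's
    control weaknesses #9 (table access), #10 (report execution),
    #11 (P_ABAP override) and #12 (generic accounts)."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r.user].append(r)

    findings = defaultdict(set)
    for user, user_rows in by_user.items():
        for r in user_rows:
            if r.obj == "S_TCODE" and r.field == "TCD":
                if matches(r.value, TABLE_BROWSER_TCODES):
                    findings[user].add(("CW9_TABLE_BROWSER", r.role))
                if matches(r.value, PROGRAM_EXEC_TCODES):
                    tag = ("CW10_PROGRAM_EXEC_UNRESTRICTED"
                           if program_exec_unrestricted(user_rows)
                           else "CW10_PROGRAM_EXEC_GROUP_LIMITED")
                    findings[user].add((tag, r.role))
            # P_ABAP with COARS = 2 (assumed semantics: "no check") switches
            # off the HR org/infotype checks for the report named in REPID,
            # so P_ORGIN restrictions no longer apply to that report's output.
            if r.obj == "P_ABAP" and r.field == "COARS" and matches(r.value, {"2"}):
                findings[user].add(("CW11_P_ABAP_OVERRIDE", r.role))
        # Any HR (P_*) authorization on an account not tied to a person.
        if user in GENERIC_ACCOUNTS and any(r.obj.startswith("P_") for r in user_rows):
            findings[user].add(("CW12_GENERIC_HR_ACCESS", "-"))
    return {u: sorted(f) for u, f in findings.items()}


def summarize(findings):
    """Count distinct users per finding code (the report's 'N users' figures)."""
    counts = defaultdict(int)
    for user_findings in findings.values():
        for code in {code for code, _ in user_findings}:
            counts[code] += 1
    return dict(counts)


# Constructed sample extract (invented users, roles and report name).
SAMPLE = [
    AuthValue("JSMITH", "Z_BRANCH_ADMIN", "P_ORGIN", "ACTVT", "02"),
    AuthValue("JSMITH", "Z_BRANCH_ADMIN", "S_TCODE", "TCD", "SE16"),
    AuthValue("JSMITH", "Z_HR_REPORTING", "P_ABAP", "REPID", "ZHR_EMPLIST"),
    AuthValue("JSMITH", "Z_HR_REPORTING", "P_ABAP", "COARS", "2"),
    AuthValue("ADEV", "Z_ABAP_DEV", "S_TCODE", "TCD", "SA38"),
    AuthValue("ADEV", "Z_ABAP_DEV", "S_PROGRAM", "P_GROUP", "ZHR_RPT"),
    AuthValue("MLEE", "Z_HR_USER", "P_ORGIN", "ACTVT", "03"),
    AuthValue("WFADMIN", "Z_WORKFLOW", "P_ORGIN", "ACTVT", "02"),
    AuthValue("WFADMIN", "Z_WORKFLOW", "S_TCODE", "TCD", "*"),
]

if __name__ == "__main__":
    result = review_access(SAMPLE)
    for user, items in sorted(result.items()):
        print(user, items)
    print(summarize(result))
```

A real review would replace SAMPLE with the exported authorization values and run this on the schedule recommendation 13 asks for, treating each finding as a line item for correction or documented acceptance.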
References (additional details see Appendix C HR Artpack):
Control Weakness #7 - Non SAP HR Support Group Access
Control Weakness #8 - Privacy Impact Assessment
Control Weakness #9 - SAP HR Table Access
Control Weakness #10 - SAP HR Report Execution
Control Weakness #11 - SAP HR Reporting
Control Weakness #12 - Generic Accounts
Control Weakness #13 - Monitoring Procedures
Recommendations
7. It is recommended that the access of non-HR SAP Support Group members and IMTB users be
reviewed and that access to HR information be removed.
8. It is recommended that IMTB should perform Privacy Impact Assessments in accordance with
Treasury Board requirements.
9. It is recommended that the ability to view personal information through direct query of HR tables
(through transaction SE16) be removed from end-users by IMTB.
10. It is recommended that the ability to execute reports and programs through transaction SA38,
a central mechanism that bypasses transactional and reporting restrictions configured be removed
from end-user access profiles by IMTB.
11. It is recommended that the configuration of the P_ABAP authorization object be reviewed and
corrected by IMTB.
12. It is recommended that IMTB limit the use of generic accounts.
13. It is further recommended that IMTB, in conjunction with HRD and the SAP Support Group,
develop a set of security monitoring procedures focused on reviewing lists of users with access to
personal information and critical update transactions and infotypes in order to identify potential
access irregularities for correction.
Management Responses
7. Agree. This was done in conjunction with item 13, SR 3462.
8. Agree. However, Privacy Impact Assessments are the responsibility of both the Business Owner
(HRD) and the System Owner (IMTB). IMTB supports system owners in the preparation of
Preliminary PIA's. IMTB is incorporating processes into the SR and System Development Procedures
to identify systems changes and systems requests that may require PIA's; and, ensuring that
System Owners and the Privacy Coordinator are informed.
These assessments will be conducted and modified if needed.
This comes under the SAP-HR Improvement Project (SHIP) initiative.
9. Agree. SR3194 was registered, addressed & completed in December 2004.
10. Agree. Transactions SE38 and SA38 have been removed in most job roles via SRs 2250 (HR Job
roles), SR3039 and SR3058.
The remaining job roles for the SAP Functional teams and ABAP teams are limited by programs and
are required for their job, therefore cannot be removed.
11. Agree. HR Job roles were reviewed. SR3463 was opened.
12. Agree. Workflow related accounts (as referred to on page 16 of the audit report) are not
"generic" accounts. As with the HRAIS accounts, they are tied directly to support personnel
through the text field name on the account. Access is being revised (through SR 3314) ensuring
limited access to information. The "Phoenix" and "ACDI-CIDA" accounts are also being revised to
ensure that minimal access is granted.
13. Agree. SR3462 was opened and appropriate configuration was done into SAP-HR to action this
recommendation.
3.2. Observations Arising from the Benchmarking of the SAP Support Group Structure
The preliminary survey conducted prior to the execution of specific audits outlined that HRD
currently has ten staff to maintain the SAP HR module.
Further examination of the ten positions revealed that the figure includes a Manager who also has
other responsibilities, and that, as of May 4, 2004, the group consisted of the following individuals
(in addition, one full-time consulting SAP HR expert is currently on site, providing expert advice on
the development and implementation of the Salary Forecasting System):
2 Senior HR Systems Officers;
3 HR Systems Officers;
1 HR Junior System Officer;
2 Full Time Expert consultants;
2 Full time Junior consultants; and
1 Full time SAP HR consultant.
The total number of support employees for SAP HR is eleven.
Table 1 - Benchmarking Data

Area | Organization 1 (Public Sector) | Organization 2 (Public Sector) | Organization 3 (Public Sector) | Organization 4 (Public Sector) | CIDA
SAP HR Functionality | PA, PD, Time Entry (CATS) | PA, PD, Time Entry, Training & Events, Payroll | PA, PD, Time Entry, Training & Events, Payroll | PA, PD | PA, PD, Time
Approximate Number of SAP HR Users (excluding employee self-service) | 500 | 2,000 | 2,500 | 290 | 300
Number of Employees | 3,500 | 45,000 | 43,000 | 9,600 | 1,550
Number of Support Employees | 1.25 | 50 | 40 | 3.25 | 11
Number of SAP HR Consultants in Support Group | 0.25 (programmer) | 5 (module experts) | 10 (module experts, programmers) | 0 | 4
Ratio of Support Group to Users | 1:400 | 1:40 | 1:63 | 1:90 | 1:27
Ratio of Support Group to Employees | 1:2800 | 1:900 | 1:1075 | 1:2950 | 1:141
HR Master Data Maintenance Model | Decentralized | Decentralized | Decentralized | Centralized | Decentralized
Table 1 summarizes the results of the benchmarking survey that was conducted for 4 public sector
organizations that currently use some components of the SAP HR module. Two key ratios, the ratio
of support group employees to users and the ratio of support group employees to employees, were
calculated and used as the primary basis for comparison of their support structures versus CIDA's.
Based on the comparative ratios, CIDA's SAP HR support group composition should be between 1
and 2 full time equivalents.
As outlined in Table 1, CIDA's ratios of support personnel to active employees and of support
personnel to users are significantly lower than those of the other organizations, while CIDA sits
near the middle of the pack in terms of number of users. The figures point to an overstaffing
situation within the SAP HR support group; however, other factors must be taken into consideration.
Specifically, the following differences were noted:
Individuals within the support group are currently working on the implementation of new
functionality (SFS);
The support group is currently leading and/or performing data quality activities for clean up
purposes, which is ultimately outside of the scope of their mandate for delivery; and,
Other organizations included in the benchmarking survey have training super users within the
individual user groups, whereas CIDA has kept the notion of centralized support.
Furthermore, the SAP support group is currently meeting their specific service level agreement
timelines, with a minimum of spare resource cycles as was noted in our interviews. Finally, as the
SFS moves into the production environment, additional support requirements will be created to
cover the new functionality and end user support requirements.
If the SAP support group is to be reduced, functions currently being undertaken by individuals
within this group will need to be performed by the business functions. Specifically, the
responsibility for data quality and verification would need to be shifted to the Branches and
support functions (i.e. IMTB) within CIDA.
Recommendation
14. It is recommended that CRC determine the required staffing levels for the SAP HR Support
group after the current data cleanup task has been completed and after the SFS functionality has
been implemented.
Management response
14. Agree that resource levels should be validated but suggest that this be done in concert with
other initiatives currently in play, including but not exclusively those recommended in the audit
report.
CIDA is the only government department in Schedule I.1 of the Financial Administration Act that
uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and
conditions of employment or HR business practices that do not conform in whole or in part to those
of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same
business requirements is of limited value. Maintenance of data integrity and training costs are a
major ongoing investment because staff recruited to CIDA from other government departments and
trained in a shared inter-government system must learn a new application before they can become
fully CIDA-functional. This ongoing demand in large part explains the current level and focus of
CIDA's SAP-HR resources.
This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost
of doing business because the benefits to the SAP system overall were considered to outweigh the
investment costs and risks of maintaining the SAP-HR module.
We agree with the audit findings that regardless of the chosen accountability model, resources are
still required to support the application. The question is whether they can be more effectively
managed if the accountabilities were shifted to other parts of CIDA.
Initiatives In Play:
1. The increasing interest in the government-wide Shared Services initiatives for "corporate"
functions such as human resources has raised the awareness of CIDA's management to
review its present reliance on the SAP-HR module situation in light of these wider government
thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for
ways to optimize SAP-HR resources to ensure adequate service levels are maintained at
reasonable cost to CIDA until management decisions are made regarding benefits and risks of
maintaining the SAP-HR module over the long term.
2. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to
update the business process flow documentation, system configuration, monitor for system
weaknesses and facilitate improved training of end users. The working assumption is that if
better HR business practices are documented, monitored and maintained by the functional
business authority, less investment will be required in ongoing system refresher training
courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module
application.
Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is
responsible to support is currently underway to look for ways to further optimize the investment of
SAP resources. HRD is contributing to this review and will implement the decisions, once known.
3.3 Observations Arising from the Assessment of SAP HR Functionality
Within the preliminary survey and within the interviews conducted as part of this and other audits
of HR related activities, a number of observations were made with regards to the functionality of
the HR system. Comments ranged from the lack of useable reports to lack of understanding of
system functionality. SAP HR functionality and set-up are complex areas to understand.
After obtaining a high-level understanding of the business needs for SAP HR within CIDA and
after reviewing the set-up and effectiveness of the application's control framework, all of the
expected functionality required to perform daily activities related to the movement of employees,
the management of the organizational structure, and the entry and approval of time and leave
requests have been implemented. Therefore, the basic needs for the management of employee
information, organizational structure as well as leave and overtime processing are being met by the
current system.
Nevertheless, two specific observations have come to our attention. First, there is a need for
additional business training to be provided to users of the HR functionality. Current training
programs are focused on the technical data entry steps of SAP transactions without necessarily
providing participants with background as to the importance of their work and its impact on
decision-making.
Second, difficulties in reporting on SAP information are experienced by a large number of
organizations, including CIDA. However, a significant number of standard SAP reports are delivered
with the application and CIDA has developed custom reports to serve their users. If users feel that
they are lacking information, specific causes could be the lack of understanding of the report
output contents, reports that do not meet end user requirements and/or overall data integrity
issues.
Recommendations
15. It is recommended that additional HR business process focused training (as opposed to SAP
data entry training) be developed by HRD to enhance the business process and policy requirements
knowledge of users, and that the materials be incorporated into the regular training program for
SAP HR users.
16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA
HR users and determine whether the current reports available address their needs. If additional
reports or information are required, we further recommend that additional reports be developed.
Alternatively, if the examination identifies gaps in report understanding, we recommend that action
plans be developed to close the gaps through additional training.
Management responses
15. Agree. A corrective action plan is underway to ensure that:
SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process
requirements (part of CIDA HRM Project and PSMA Implementation);
Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA
Implementation Projects);
SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and
End users are provided the necessary tools, trained in the application of the business
processes and are held to account for the quality of their data management input through
the application of active monitoring of the HR business process and SAP-HR data
management practices conducted by HRD in its role as the departmental business owner.
This comes under the SAP-HR Improvement Project (SHIP) initiative.
16. Agree. This recommendation will be prioritized through the SHIP action plan and in consultation
with those responsible for the HRM business functions (HRD) and Branch end-users.
Clean up of data, documentation and training of the correct business process flows and
consultation with the end users regarding their information needs will be done during 2005-2006 as
part of the SHIP action plan. Assuming SAP-HR is still the module of choice, during 2006-2007 new
tools will be designed and implemented to ensure more useful and higher quality information for end
users and to support internal monitoring and internal and external reporting requirements.
Conclusion
Our audit was specifically designed to meet the objectives outlined in section 2 of the report. It
was conducted in accordance with generally accepted auditing standards.
With respect to the accuracy and integrity of the information emanating from the SAP application,
the results of our audit enable us to conclude that the functionality required to support the
business needs of HRD and the Agency overall has been implemented. However some areas for
improvement in the effectiveness and efficiency of the business processes and reporting have been
identified and provided as recommendations within the body of the report. Data integrity must also
be improved as personnel movements are not being reflected on a timely basis for all required
updates.
Opportunities for improvement of the control framework also exist through increased monitoring of
changes to master data elements, and through the performance of periodic data quality reviews by
the Branches and other business owners within the Agency.
An adequate framework for the design of user access privileges has been developed to protect
sensitive information and to ensure access to perform critical maintenance functions for HR data is
appropriately restricted. The audit indicated, however, that there are currently some security
configuration issues that must be addressed and, as well, the use of generic accounts must be
investigated and corrected to ensure that the designed framework of controls is properly
implemented.
Based on the results accumulated through a benchmarking survey, the size of the SAP HR support
group is larger than those of the organizations polled. However, CIDA's support group provides a
broader range of services to the user population than the majority of the other organizations used
as a benchmark. Therefore, once the new SFS functionality is implemented and subsequent to the
data cleanup task, CRC should determine the size of the SAP HR support group in accordance with
its expected return on investment.
Finally, in terms of an assessment of the extent to which the SAP HR module is meeting the needs
of HRD and of the Agency overall, the distinction must be drawn between system-based controls
and management/monitoring controls outside the system. For the system-based controls, with the
exception of the identified security configuration and access problems, the business process
appears to be well supported by the SAP HR module. The audit revealed, however, that
improvement is required in supporting management and monitoring processes that are required to
ensure that system transactions are recorded as intended.
Appendix A Summary of Audit Recommendations
SAP HR Audit
Project Number ofRecommendations Completed Ongoing Work inProgress
Internal Audit of SAP
HR
16
Recommendations Management's Responses Date Status
1. It is recommended that
the HRD modify the business
processes surrounding acting
situations to incorporate the
entry of all acting situations
Agree that rationalization of leave
and overtime approval authorities are
required to reflect EX acting
situations that do not result in
changes to rates of pay but disagree
HRD to send
reminders to
BMOs of the
requirement
and method to
7/28/2019 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
16/28
6/19/13 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
www.acdi-cida.gc.ca/acdi-cida/acdi-cida.nsf/eng/NAT-1013101052-JMU 16
into the SAP HR application,
regardless of whether or not
there is an effect on pay. It
is further recommended that
all terminated acting
assignments be reflected in
the system on a timely basis.
with the proposed corrective action
plan.
The Branch Administration Officers
(BAO) can amend the reporting
relationships to reflect acting
situation in the SAP system now,
without a system configuration. The
Human Resources Division (HRD)
agrees to remind BAOs of the need toamend the reporting relationships of
employees when someone is acting in
an EX position and to ensure that
this procedure is reviewed as part of
regular SAP-HR monitoring practices.
amend
reporting
relationships
for the
purposes of
SAP-HR leave
and overtime
administration.
Procedure willbe
incorporated
into the SHIP
action plan
2. It is recommended that
HRD, in collaboration with
IMTB and the Branches
develop a set of periodic
monitoring procedures and
reports for review and follow-
up by the ResponsibleManagers within CIDA. The
periodic review will serve to
assess the integrity of the
current organizational
structures and personnel
assignments within a specific
area of responsibility and will
also identify acting situations
that have not been recorded
and/or expired acting
situations that have not been
recorded. It is further
recommended that the
review be performed at least
every 4 months and that the
process be facilitated and
monitored by the HRD.
Agree
HRD, in collaboration with IMTB and
the branches will identify appropriate
monitoring tools to enable the
Responsible Manager within CIDA to
periodically review the actingsituation within the manager's own
branch. Also, HRD will assess the
integrity of the organizational
structures at the Agency level.
Roles and responsibilities will be
defined and process installed through
the SAP-HR Improvement Project
(SHIP) initiative.
Business process and definition of
roles and responsibilities through the
SAP-HR Improvement Project (SHIP)
initiative.
March 31,
2006
Part of SHIP
action plan.
3. It is recommended that
the Compensation and
Benefits Directorate perform
a reconciliation of
position/employee
classification data and payrates within SAP to
information recorded in the
On-Line Pay application every
4 months.
Agree
Files are being created to compare
data between "On-Line Pay" System
and SAP-HR employee's position
classification and pay scale.
This comes under the SAP-HR
Improvement Project (SHIP) initiative
- Enhancement of Quality control.
December
2005
Part of the
SHIP action
plan
4. It is recommended that
IMTB, in conjunction with
HRD and the SAP Support
Group correct the
configuration of the security
role for the Branch
Administrators and to
Agree
This recommendation was acted upon
with SR1733 and completed May 13,
2004.
COMPLETED
7/28/2019 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
17/28
6/19/13 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
www.acdi-cida.gc.ca/acdi-cida/acdi-cida.nsf/eng/NAT-1013101052-JMU 17
eliminate the ability to submit
and approve their own
overtime and leave requests.
Specifically, the Branch
Administrators access should
be limited to submitting their
own requests for subsequent
approval by their Supervisors.
5. It is recommended that
HRD and the SAP SupportGroup develop monitoring
procedures for the review of
leave balances by
Responsible Managers on a
monthly basis.
Agree
Supervisors and RC managers will be
reminded of their responsibility to
regularly review their employees'
leaves calendar to ensure that leave
taken is recorded appropriately. HRD
will send out a reminder to managers
to this effect.
A new tool to be launched in
September 2005, Manager Self
Services (MSS) will assist managers
in this regard.
August
2005
September
2005
In progress
6. It is recommended that
IMTB, in cooperation with the
SAP HR Support group,
review the configuration of
access privileges assigned to
the Branch Administrative
Officers to ensure that the
configuration supports the
needs of the business.
Specific attention should be
focused on the creation andactivation of positions by the
Branch Administrative
Officers as they can
currently create new
positions without intervention
from Classification Division.
This configuration will allow
the Classification Division to
approve the position and
classification data for new
positions and/or individuals,
as outlined in their roles &responsibilities.
Agree
This recommendation is already being
addressed through a workflow
process that will identify the approval
of the different authorized persons
within the classificat ion of a position
process in the SAP-HR system. The
Workflow section within IMTB is
currently working with the SAP-HR
Support group. Also, the BranchAdministrator's role is being reviewed
to limit their access when creating a
position for classification.
Guidelines on the Service Standards
will be developed by the Classification
Section and communicated to the
BAO.
This comes under the SHIP-HR
Improvement Project (SHIP) initiative.
March
2006
Part of the
SHIP action
plan
7. It is recommended that
the access of non-HR SAP
Support Group members and
IMTB users be reviewed and
that access to HR information
be removed.
Agree
This was done in conjunction with
item 13, SR 3462.
March
2005
Completed
8. It is recommended that
HRD should perform Privacy
Impact Assessments in
Agree
However, Privacy Impact
March
2006
Part of SHIP
action plan
7/28/2019 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
18/28
6/19/13 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
www.acdi-cida.gc.ca/acdi-cida/acdi-cida.nsf/eng/NAT-1013101052-JMU 18
accordance with Treasury
Board requirements.
Assessments are the responsibility of
both the Business Owner (HRD) and
the System Owner (IMTB). IMTB
supports system owners in the
preparation of Preliminary PIA's. IMTB
is incorporating processes into the SR
and System Development Procedures
to identify systems changes and
systems requests that may require
PIA's; and, ensuring that SystemOwners and the Privacy Coordinator
are informed.
These assessments will be conducted
and modifed if needed.
This comes under the SAP-HR
Improvement Project (SHIP) initiative.
9. It is recommended that
the ability to view personal
information through direct
query of HR tables (throughtransaction SE16) be
removed from end-users by
IMTB.
Agree
SR3194 was registered, addressed &
completed in December 2004.
December
2004
COMPLETED
10. It is recommended that
the ability to execute reports
and programs through
transaction SA38, a central
mechanism that bypasses
transactional and reporting
restrictions configured be
removed from end-useraccess profiles by IMTB.
Agree
Transactions SE38 & SA38 have
been removed in most job roles via
SRs 2250 (HR Job roles), SR3039 &
SR3058.
The remaining job roles for the
SAP Functional teams and ABAP
teams are limited by programs andare required for their job,
therefore cannot be removed.
June 2004 COMPLETED
11. It is recommended that
the configuration of the
P_ABAP authorization object
be reviewed and corrected
by IMTB.
Agree HR Job roles were reviewed.
SR3463 was opened.
March
2005
COMPLETED
12. It is recommended that
IMTB limit the use of generic
accounts.
Agree
Workflow related accounts (as
referred to on page 16 of the auditreport) are not "generic" accounts.
As with the HRAIS accounts, they
are tied directly to support personnel
through the text field name on the
account. Access is being revised
(through SR 3314) ensuring limited
access to information. The "Phoenix"
and "ACDI-CIDA" accounts are also
being revised to ensure that minimal
access is granted.
March
2005
COMPLETED
7/28/2019 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
19/28
6/19/13 ARCHIVED - SAP HR System - Canadian International Development Agency (CIDA)
www.acdi-cida.gc.ca/acdi-cida/acdi-cida.nsf/eng/NAT-1013101052-JMU 19
13. It is further
recommended that IMTB, in
conjunction with HRD and the
SAP Support Group, develop
a set of security monitoring
procedures focused on
reviewing lists of users with
access to personal
information and critical
update transactions andinfotypes in order to identify
potential access irregularities
for correction.
Agree
SR3462 was opened and appropriate
configuration was done into SAP-HR
to action this recommendation.
March
2005
COMPLETED
14. We recommended that CRC determine the required staffing levels for the SAP HR Support group after the current data cleanup task has been completed and after the SFS functionality has been implemented.
Management response: Agree that resource levels should be validated but suggest that this be done in concert with other initiatives currently in play, including but not exclusively those recommended in the audit report.
CIDA is the only Schedule 1.1 government department that uses the SAP-HR module. All other public sector organizations using SAP-HR have terms and conditions of employment or HR business practices that do not conform in whole or in part to those of CIDA. Therefore, benchmarking staffing levels to other organizations that do not share the same business requirements is of limited value. Maintenance of data integrity and training costs are a major ongoing investment because staff recruited to CIDA from other government departments and trained in a shared inter-government system must learn a new application before they can become fully CIDA-functional. This ongoing demand in large part explains the current level and focus of CIDA's SAP-HR resources.
This situation is well known within CIDA and has generally been viewed, up to now, as an accepted cost of doing business because the benefits to the SAP system overall were considered to outweigh the investment costs and risks of maintaining the SAP-HR module.
We agree with the audit findings that regardless of the chosen accountability model, resources are still required to support the application. The question is whether they can be more effectively managed if the accountabilities were shifted to other parts of CIDA.
Initiatives In Play:
1. The increasing interest in the government-wide Shared Services initiatives for "corporate" functions such as human resources has raised the awareness of CIDA's management to review its present reliance on the SAP-HR module situation in light of these wider government thrusts. HRD will play a key role in supporting this review, being led by the CIO, and look for ways to optimize SAP-HR resources to ensure adequate service levels are maintained at reasonable cost to CIDA until management decisions are made regarding benefits and risks of maintaining the SAP-HR module over the long term.
2. HRD will provide for knowledgeable resources to partner with the SAP-HR support team to update the business process flow documentation, system configuration, monitor for system weaknesses and facilitate improved training of end users. The working assumption is that if better HR business practices are documented, monitored and maintained by the functional business authority, less investment will be required in ongoing system refresher training courses and daily interventions by the SAP-HR staff to assist users in the SAP-HR module application. Under the leadership of the VP HRCS, an internal review of the 3 SAP modules for which HRCSB is responsible to support is currently underway to look for ways to further optimize the investment of SAP resources. HRD is contributing to this review and will implement the decisions, once known.
Target date: Ongoing
Status: With the approval of CRC and under the direction of the CIO, an inter-Branch project team is being established to assess the impacts and implications of the Shared Services Initiative on the SAP system, including the SAP-HR module. Work has begun in HRD through the establishment of an internal working group to discuss HR business process flow requirements, identify SAP-HR changes and engage end-users in the clean up of data and the application of revised procedures. HRCSB internal review in progress.
15. It is recommended that additional HR business process focused training (as opposed to SAP data entry training) be developed by HRD to enhance the business process and policy requirements knowledge of users, and that the materials be incorporated into the regular training program for SAP HR users.
Management response: Agree. A corrective action plan is underway to ensure that:
- SAP reflects current and anticipated (e.g. PSMA) HRM policy and business process requirements (part of CIDA HRM Project and PSMA Implementation);
- Delegation of Authorities for HRM are up-to-date (part of Middle Manager and PSMA Implementation Projects);
- SAP-HR reflects current HRM accountabilities (part of SHIP action plan); and
- End users are provided the necessary tools, trained in the application of the business processes and are held to account for the quality of their data management input through the application of active monitoring of the HR business process and SAP-HR data management practices conducted by HRD in its role as the departmental business owner.
This comes under the SAP-HR Improvement Project (SHIP) initiative.
Target date: March 2006
Status: Work in progress
16. It is recommended that the SAP HR Support Group examine the reporting requirements of CIDA HR users and determine whether the current reports available address their needs. If additional reports or information are required, we further recommend that additional reports be developed. Alternatively, if the examination identifies gaps in report understanding, we recommend that action plans be developed to close the gaps through additional training.
Management response: Agree. This recommendation will be prioritized through the SHIP action plan and in consultation with those responsible for the HRM business functions (HRD) and Branch end-users.
Clean up of data, documentation and training of the correct business process flows and consultation with the end users regarding their information needs will be done during 2005-2006 as part of the SHIP action plan. Assuming SAP-HR is still the module of choice, during 2006-2007 new tools will be designed and implemented to ensure more useful and higher quality information for end users and to support internal monitoring and internal and external reporting requirements.
This comes under the SAP-HR Improvement Project (SHIP) initiative.
Target date: March 2006; March 2007
Status: Part of the SHIP action plan; Last phase of the SHIP action plan
Appendix B Control Objectives/Audit Criteria for the SAP HR Process Review
The following control objectives/audit criteria were developed during the planning phase of this
audit to capture the required audit criteria on which to base the assessment of the control
framework and the security access rights. The criteria have been segregated to reflect the sub-
processes that form the basis for the SAP HR supported process.
HR Master Data
1. All changes to the SAP HR and payroll master files are complete, valid and
timely.
2. Agency employee information transferred to the Compensation Systems is
accurate, valid and timely.
3. Terminated employees are removed from the payroll master file and all deletions
are valid (and are within statutory requirements).
Leave and Overtime Recording
4. Leave/absence data and balances reflect actual absences and entitlements for
employees and requests are properly authorized.
Organizational Management
5. All valid changes to organizational units, positions and other master data are
accurate, valid, timely and in accordance with relevant legislation.
Security and Privacy
6. Access to personal/sensitive information is adequately restricted to only
authorized individuals.
7. Segregation of duties is appropriate and system access is restricted to
authorized personnel.
Appendix C - SAP HR Control Framework
March 31, 2004
ARTpack Project
Introduction
This document analyzes the control framework within a particular application or process. For each
process reviewed, the following documents were prepared:
1. Flow Diagram
2. Control Framework and Evaluation Matrix
3. Process Descriptions
The application flow diagram aims to convey the most important elements of the process and as a
result, certain infrequent or insignificant detail is intentionally omitted. The following icons are used
on the diagrams:
Control Points;
Financial/Business Exposure;
Main Flow of Transactions.
The above icon types cross-refer to the control evaluation matrix, which compares the identified
controls to the control objectives for the area and assesses the degree to which the objectives
are supported by controls. The following icons are used on the control evaluation matrix:
The identified control supports this control objective
Weaknesses were found for this control
A description of the control or weakness can also be found on the control evaluation matrix. Blue
text indicates a control and red text indicates a weakness or inefficiency (see PDF version).
Scope of this Review
This review considered controls and weaknesses throughout the SAP HR System.
The review included discussions with CIDA staff and testing of certain system and manual control
activities. Consult the table below in large format.
Control evaluation matrix (columns: Description; Control Objective; Control/Weakness; Control/Weakness Reference). The control attributes assessed against each objective are given in parentheses; the controls and weaknesses identified for each sub-process, with their references, follow the matrix.

HR Master Data Maintenance
1. All changes to the SAP HR master files are accurate, complete, valid and timely. (Accuracy, Validity, Completeness, Cut-off)
2. Agency employee information entered into the Compensation system is accurate, complete, valid and timely. (Accuracy, Validity, Completeness, Cut-off)
3. Terminated employees are removed from the payroll master file and all deletions are valid. (Validity, Accuracy)

Leave and Overtime Recording
4. Leave/absence data and balances reflect actual absences and entitlements for employees and requests are properly authorized. (Accuracy, Validity)
5. Overtime entered is accurate and valid and calculated in accordance with collective agreements. (Accuracy, Validity)

Organizational Management
6. All changes to organizational units, positions and other org structure data elements are timely, accurate, valid and complete. (Accuracy, Validity, Completeness, Cut-off)

Security & Privacy
7. Access to personal/sensitive information is restricted to only authorized individuals. (Validity)
8. Segregation of duties is appropriate and system access is appropriately restricted to authorized personnel. (Validity, Completeness, Accuracy)
HR Master Data Maintenance
SAP Security for HR Master Data
The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.
SAP Input Controls for Master Data
Mandatory fields are configured for infotypes included in personnel files within SAP, in order to ensure that all relevant information is captured.
Personnel actions (a grouping of functionality to accomplish specific HR activities such as hiring) have been configured for major HR administrative tasks to ensure that all relevant infotypes are completed for personnel related activities. Time constraints, an element of SAP configuration that specifies whether infotypes must be populated, have also been configured at the infotype level to control the completeness of infotypes within an on-line personnel file.
Acting Assignments
Selected acting situations (i.e. one month or above) that do not affect pay are currently not entered into SAP. For example, an EX-01 employee acting at an EX-02 level is currently not entered into the system until 3 months have elapsed. The lack of update of the org structure has an impact on the proper routing of work flow items for approval.
In addition, it was further noted that expired acting situations were not updated in SAP on a timely basis.
Planned Compensation
Pay scales that are aligned with the relevant public sector collective agreements have been configured in SAP. Changes to the collective agreements are controlled through the formal Service Request process at CIDA.
Integration with Org Management
Pay scale/salary information is defaulted into the personnel file (infotype 0008) based on information stored on the position master record. However, users can change the information brought in to accommodate Salary Protected employees (employees that have been designated as surplus and given a lower classification, but still paid at their previous pay rate).
Monitoring Reports for HR Master Data
There is currently no formalized review and/or approval of active employee listings, staffing reports or organizational charts by the Responsible Managers or Financial Authorities on a periodic basis.
PWGSC Reconciliation with SAP
There is currently no formal reconciliation of employee pay rates in the PWGSC On-Line Pay system to the records in SAP.
Leave and Overtime Recording
SAP Security for Leave and Overtime
The SAP security and authorization concept is utilized to restrict the ability to unlock/approve requests for leave (SAP transactions ZAPT, PA61).
Leave Entitlement Validation
Prior to the completion of a leave request, SAP verifies that the employee is entitled to the type of leave requested and that the minimum/maximum amounts requested are in line with the appropriate collective agreement provisions. The SAP Time Evaluation functionality is utilized to perform the check.
Quota Balances
Prior to completing the on-line approval transaction, SAP automatically verifies whether an employee has an adequate leave entitlement remaining to accommodate the request. If the quantity remaining is insufficient, the Supervisor is not permitted to save/approve the application. The SAP Time Evaluation functionality is utilized to perform the check.
Upon successful approval of leave, SAP automatically updates the quota balance(s) for an employee.
SAP Security for Leave and Overtime Approvals
The SAP security and authorization concept is utilized to restrict the ability to unlock/approve submitted overtime records.
Unauthorized Approval of Overtime
Situations have been noted where employees were able to submit their requests for paid overtime and approve their own requests. This could result in unauthorized overtime payments being generated for employees.
Monitoring of Leave Balances
There are currently no processes or procedures in place to perform a periodic review of employee leave balances, to ensure that all leave taken is being recorded in SAP.
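A periodic review of approved overtime, of the kind the self-approval weakness above calls for, can test each approval against the position hierarchy. The following is an added example, not code from the audit report or from CIDA: it assumes an extract of approved overtime records (request id, employee, hours, approver) together with the organizational structure as position -> reports-to position and employee -> position, and all ids, hours and records in it are constructed. A record is reported when the approver is the employee (self-approval) or when the approver's position is not in the employee's own reporting line; skip-level approvals by a higher supervisor are accepted.

```python
"""Review of approved overtime against the position hierarchy.

Added example (not from the audit report or CIDA). Org structure, position
holders and overtime records below are constructed. Because the check
walks the org structure, stale acting assignments would misdirect it just
as they misroute workflow approvals, so the structure must be current.
"""

# Constructed org structure: position -> supervising position (None = top).
REPORTS_TO = {"P100": None, "P200": "P100", "P300": "P200", "P301": "P200", "P400": "P100"}
# Constructed position holders: employee -> position.
HOLDER_OF = {"E1": "P100", "E2": "P200", "E3": "P300", "E4": "P301", "E5": "P400"}

# Constructed approved overtime records.
OVERTIME = [
    {"id": "OT-1", "employee": "E3", "hours": 4.0, "approver": "E2"},  # direct supervisor
    {"id": "OT-2", "employee": "E4", "hours": 6.0, "approver": "E4"},  # self-approval
    {"id": "OT-3", "employee": "E2", "hours": 3.0, "approver": "E3"},  # approved by own subordinate
    {"id": "OT-4", "employee": "E3", "hours": 2.0, "approver": "E1"},  # skip-level supervisor
    {"id": "OT-5", "employee": "E4", "hours": 5.0, "approver": "E5"},  # peer branch, not in line
]


def supervisor_chain(position, reports_to=REPORTS_TO):
    """Positions above `position`, nearest first, stopping at the top or on a cycle."""
    chain, seen = [], {position}
    current = reports_to.get(position)
    while current is not None and current not in seen:
        chain.append(current)
        seen.add(current)
        current = reports_to.get(current)
    return chain


def approval_irregularity(record, holder_of=HOLDER_OF, reports_to=REPORTS_TO):
    """Return a reason string if the approval is irregular, else None."""
    employee, approver = record["employee"], record["approver"]
    if approver == employee:
        return "self-approval"
    approver_position = holder_of.get(approver)
    if approver_position is None:
        return f"approver {approver} holds no position"
    if approver_position not in supervisor_chain(holder_of[employee], reports_to):
        return f"approver {approver} is not in the reporting line of {employee}"
    return None


def review_overtime(records=OVERTIME):
    """Return [(request id, reason)] for every irregularly approved record."""
    findings = [(r["id"], approval_irregularity(r)) for r in records]
    return [(rid, reason) for rid, reason in findings if reason]


def hours_at_risk(records=OVERTIME):
    """Total overtime hours on irregularly approved records."""
    return sum(r["hours"] for r in records if approval_irregularity(r))


if __name__ == "__main__":
    for rid, reason in review_overtime():
        print(rid, reason)
    print("hours at risk:", hours_at_risk())
```

The hours-at-risk total gives the reviewer a figure to weigh against the payroll exposure the weakness describes; the preventive fix is still to configure the approval transaction so that a requester cannot approve their own record, with this review as the detective control behind it.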
Organizational Management
SAP Security for Org Management
The SAP security and authorization concept is utilized to restrict the ability to update position master data to appropriate personnel.
SAP Input Controls for Organizational Management
Mandatory fields are configured for organizational management infotypes, in order to ensure that all relevant information is captured.
Actions have also been configured for key organizational structure maintenance activities to ensure that all relevant infotypes are completed for the creation of new objects (i.e. positions). Time constraints have also been configured at the infotype level to control the completeness of infotypes for these objects.
Position Master Record Maintenance
Branch Administrative Officers currently have access to create, approve and activate new positions without the Classification Division reviewing the appropriateness of the classification data. Branch Administrative Officers also have the ability to perform personnel movements. To mitigate this segregation of duties risk, the SAP HR Support Group created monitoring reports for Classification to review; however, it was noted that the reports are currently not being reviewed on a regular basis by the Classification Division.
Security and Privacy
Security/Privacy of HR Data
The SAP security and authorization concept is utilized to restrict the ability to update personnel information (transactions PA30 and PA40) to only authorized individuals. Access restrictions at the infotype level have also been configured for specific roles.
Non SAP HR Support Group Access
Non-HR SAP support individuals currently have the ability to maintain critical infotypes such as infotype 0008 (basic pay).
Privacy Impact Assessment
A formal Privacy Impact Assessment has not been performed since the initial implementation of SAP HR, and some significant changes have either been implemented or are planned for implementation.
SAP HR Table Access
An excessive number of users have the ability to view personal information through direct query of HR tables (through transaction SE16).