
SAP Audit Guide for Human Resources


This audit guide is designed to assist the review of human resource processes that rely upon controls enabled in SAP systems. The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in Personnel Management and other sub-modules in the Human Capital Management (HCM) application of SAP ERP.

The guide provides instructions for assessing application-level controls in the following areas:

HR Master Data
Time Management
Travel Management
Payroll Processing
Employee Self Service

The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Financial Accounting, Revenue, Expenditure, Inventory, and Basis.

HR Master Data

Organizational and employee-level master data is maintained through the Personnel Management module in versions 4.6 and above. HR-related data fields are grouped and controlled in this module through records known as infotypes. There are multiple infotypes, each identified through a unique four-digit code. Examples include Personal Data (0002), which contains fields for an employee's first name, last name and date of birth, among other areas. Codes between 0000 – 0999 are assigned to HR/payroll data, 1000 – 1999 are used for organizational data, and 2000 – 2999 are used for time-related data. Infotypes can have numerous subtypes and, since HR data is time-dependent, an employee can have multiple records for the same infotype. The complete list of infotypes configured in SAP can be viewed through the menu path IMG - Personnel Management - Personnel Administration - Customizing Procedures - Infotypes.

Access to master data should be configured at the infotype level and correspond to role requirements.
Within each SAP client, company codes are usually configured with several personnel areas and sub-areas and employee groups and sub-groups. These areas and groups control wage types, pay scales, default values for basic pay and other critical areas of employee master data. The enterprise structure including specific settings in personnel areas and employee groups within each company code should be closely reviewed using transaction EC01. Furthermore, a sample of master records should be reviewed to ensure that employees are assigned to the correct areas and groups.

Master records should also be reviewed to ensure employees are assigned to the appropriate health, insurance, savings and other benefit plans. Configured plans and associated rules should be reviewed through IMG – Personnel Management – Benefits.

To safeguard against the risk of duplicate employees in the system, SAP should be configured to compare information such as last name, first name and date of birth against existing records during the entry of new employees. This is performed through IMG – Personnel Management – Personnel Administration – Customizing – Dynamic Actions – Activate Concurrent Employment for Personnel Administration. Once configured, SAP will automatically display possible matches against both active and inactive records.

SAP should also be configured to provide a sufficient audit trail for changes to key infotypes. This is performed through tables HR Documents: Infotypes with Documents (V_T585A), HR Documents: Field Group Definition (V_T585B), and HR Documents: Field Group Characteristics (V_T585C). Changes are displayed in report RPUAUD00 (Logged Changes in Infotype Data).

Access to key master data transactions such as PA10 (Personnel File), PA20 (Display HR Master Data), PA30 (Maintain HR Master Data) and PA40 (Personnel Actions) and authorization object P_ORGIN should be restricted and based on role requirements. Access should be qualified with the P_PERNR authorization object, which prevents users from changing specific infotypes in their own personnel records. Write operations W, S, D and E should be specified in the AUTHC (Authorization code) field of the P_PERNR object and the PSIGN field should be set to E (Exclude). The infotypes that are subject to the exclusion should be listed in the INFTY field. Users should not be granted inconsistent authorizations since this could override any exclusions. For example, an authorization with AUTHC = * and PSIGN = I (Include) will grant read access to all personnel records for infotypes specified in INFTY, regardless of exclusions for the same infotypes configured through other authorizations.

Consideration should be given to implementing dual control over master data changes. This can be achieved by preventing changes in master records entered by one set of users from taking effect until they are released by another set of users with the appropriate authorizations. The latter group should have the authorizations to release changes but should not be able to enter master data.

Time Management

Time-related data including working hours, absences, overtime and allowances can be pulled from external time recording systems or entered directly into SAP through channels such as the Cross-Application Time Sheet (CATS) function. CATS integrates directly with other components of SAP including Logistics and Project Systems through Business Application Programming Interfaces (BAPIs). Accounting integration for time-data infotypes is enabled by default but can be disabled through customization. Therefore, the Infotype with Acct/ Logistics Data area of IMG for HCM should be closely reviewed to ensure that integration is not deselected for any infotype. If Workforce Management (WFM) is used to manage employee time data, the mapping of SAP infotypes to WFM specification types should be reviewed in the WFM Core.

Time entry rules including validation checks, tolerances and controls for required, suppressed and optional fields are configured and applied through CATS profiles. The settings for each CATS profile assigned to every user interface should be reviewed in the Time Sheet area of the Cross-Application Components area of IMG. Release procedures are also defined with each profile. Approvals can be triggered manually but SAP Business Workflow should be used wherever possible to support time sheet review and approval. The attributes of workflows should be reviewed through the Workflow Builder.

Other areas of IMG that should be carefully reviewed include rules for Work Schedules, Time Data Recording and Administration, and Schemas in Personnel Time Management. The last is particularly important since it impacts Time Evaluation.
This is an SAP function that detects potential errors in time-
related data entered during a pay period prior to processing.
Time Evaluation should be configured as a daily scheduled job.
Errors and warnings generated by the Time Evaluation report
RPTIME00 should be reviewed and resolved by administrators
before time data is transferred to payroll. This report displays
exceptions to rules configured in the schemas. Examples could
include employees or contractors that have reported more than
8 hours in a day or 40 hours in a week or registered more than
20 days of vacation leave. The Time Management Status in the
Planned Working Time infotype (0007) in every record for hourly
employees should not be set to zero since this will exclude
employees from Time Evaluation.

Access to the time management transactions listed in Table A


should be restricted, including the ability to approve timesheets,
which should be assigned exclusively to functional managers.
The dummy infotype 0316 is the authorization required for time
sheet entry. Infotype 0328 is required for time approval.

TRANSACTION   DESCRIPTION
CAT2, CAT3    Time Sheet: Initial Screen
CAPS          Time Sheet: Approve Times (Select by Master Data)
CAT4          Time Sheet: Approve Times (Selection by Org. Assignment)
CAPP          Time Sheet: Approve Times
PP61          Change Shift Plan: Entry Screen
PA61          Maintain Time Data
PA62          List entry for additional data
PA63          Maint. time data
PA64          Calendar entry
PA70          Fast Entry (Time Data)
Table A: Time Management Transactions

Travel Management

SAP Travel Management uses workflow to track and approve trip requests, book approved requests through integration with external reservation systems, and record, reimburse and post travel expenses. It performs an important control function by enforcing compliance with travel policies. The relevant rules, profiles and parameters for travel components should be reviewed in IMG – Financial Accounting – Travel Management to ensure alignment with travel policies and procedures.
Standard Travel Management roles should be assigned to users. Most employees should be assigned the SAP_FI_TV_TRAVELER role, which enables users to request trips, check travel services and enter travel expenses. For organisations that opt for a centralized rather than decentralized model, these tasks will be performed by a smaller group of users with the SAP_FI_TV_TRAVEL_ASSISTANT role. The MANAGER_GENERIC and ADVANCE_PAYER roles should be assigned to users responsible for approving trip requests, expense statements and/or advances. The ADMINISTRATOR role should be closely safeguarded since it provides users with the ability to approve expense statements for all travelers in the enterprise. The same rule applies to the TRAVEL_MANAGER role, which allows users to change configuration parameters for areas such as travel policies and maintain HR master data.

Travel expenses should be transferred to FI after approval for posting to the relevant GL accounts. This is performed through transactions PFRI (Create Posting Run) and PRRW (Manage Posting Runs). Payments can be processed through payroll, check or direct deposit. Transactions PRDX, PRD1 and FDTA are used for direct deposit, PRPY for payroll and PRCU for check printing. Other significant transactions are listed in Table B.

TRANSACTION   DESCRIPTION
PRMM          Personnel Actions
PRMD          Maintain HR Master Data
PRMS          Display HR Master Data
PRAA          Automatic Vendor Maintenance
PRAP          Approval of Trips
PR02          Travel Calendar
PR03          Trip Advances
PR04          Edit Weekly Report
PR05          Travel Expense Manager
PRCC          Import Credit Card Files
PRCCD         Display Credit Card Receipts
TPMM          Personnel Actions (Travel Planning)
TPMD          Maintain HR Master Data (Travel Planning)
TPMS          Display HR Master Data (Travel Planning)
TP01          Planning Manager

Table B: Travel Management Transactions

Payroll Processing

Master data should be locked during a payroll run to prevent any changes. This is performed through Payroll Control Records, accessed through transaction PA03 (Maintain Personnel Control Record). Each pay area has an individual control record. The payroll period selected as the basis for the control records should be set to the period immediately before the live period. Also, the maximum number of past periods that are open for payroll adjustments should be appropriately set in the Earliest Retro Acctg Period field. Note that SAP uses the earliest personal retroactive accounting date set in the Payroll Status infotype (0003) in each employee master record if this does not match the date set in the control record. Payroll control records can be used to determine which employees were included and rejected in the last payroll run. The latter group can be identified by selecting Incorrect Pers. Nos. and Locked Pers. Nos.

The ability to enter or update certain infotypes during a payroll run through transactions such as PAKG/ PAUX (Adjustments Workbench) should be restricted. The employee remuneration information infotype should be configured to prevent adjustments to wage types such as salaries since any adjustment will override the value in the master record. This should be performed through the IMG area Maintain Wage Types. Minimum and maximum values can be configured for each wage type. The latter is highly recommended. Rounding divisors for wage types should be reviewed to ensure they are configured appropriately (divisors can be set anywhere between 1 and 100). The posting characteristics including time-dependencies for wage types and month-end accruals should also be reviewed under account assignments. Wage types are mapped to symbolic accounts which in turn are mapped to GL accounts.

Gross and net pay calculations are performed by the system based on processing rules known as personnel calculation rules. These rules are grouped in schemas and can be adjusted through transactions PE01 (Maintain Payroll Schemas), PE01N (Editor for Payroll Schemas), PE02 (Maintain Calculation Rules), PE02N (Editor for PC rules) and PE04 (Create Functions and Operations). Access to these sensitive functions should be safeguarded.

There are a number of standard SAP reports that should be reviewed by management during each payroll run to confirm the validity of any adjustments and identify discrepancies. These include reports RPCEDT00 (Payroll Exceptions), RPUAUD00 (Logged Changes in Infotype Data) and RPURECG0 (Payroll Results).

Advances, bonuses, corrections and other forms of payments or deductions outside scheduled payroll runs are processed through the Off-Cycle Work Bench (transaction PUOC) for individual employees or through batch input using the One-Time Payments Off-Cycle infotype (0267) for multiple employees. Reason codes should be configured and consistently applied for all payments. Furthermore, procedures should be in place to ensure that off-cycle functions are used to process and record payroll data for manual checks created outside the system.

SAP Payroll integrates into the FI AP payment program for check printing and Automated Clearing House (ACH) transfers. The latter is performed through Payroll – Bank Transfer – Pre DME Program. DME is an acronym for Data Medium Exchange. This process creates a preliminary DME file that should be validated by management before the final file is generated in CEMTEX format and transferred to a designated processing bank. The Bank Deposit Summary report should be sent to the bank along with the file to enable reconciliation. Payment methods and banking information are configured in IMG - Personnel Administration – Personal Data – Bank Details – Define Payment Methods and Payroll – Data Medium Exchange – Preliminary Programs for DME – Set Up House Banks.

The above process will update the check register in FI AP but will not update accounts in the General Ledger. This has to be manually performed through transaction PCP0 (Edit Posting Runs) or through the menu path Payroll – Subsequent Activities – Per Payroll Period – Evaluation – Posting to Accounting – Execute Posting Run/ Process Posting Run/ Check Completeness.

Payables to tax authorities, benefit providers and other third parties should be transferred to AP for settlement through Payroll – Subsequent Activities – Per Payroll Period – Evaluation – Third Party Remittance.

Employee Self Service

Employee Self-Service (ESS) is a Web Dynpro (Java) application that operates on the Enterprise Portal (EP). It enables employees to maintain their personal information, enter leave requests, update timesheets, display pay slips, and perform other similar functions. Employees must be assigned a user record in the J2EE with an appropriate role to be able to use ESS. This is performed through the HRUSER transaction or the menu path IMG – Personnel Management – Employee Self-Service (ITS Version) – General Settings for ESS – Create SAP Users for ESS.

Users should be assigned a single role from a copy of the composite SAP_EMPLOYEE_ERP role provided by SAP and should only have the ability to update their own data for certain types of infotypes. Bank account information, for example, should only be updated centrally by authorized HR users. This should be configured through the P_PERNR authorization object rather than P_ORGIN. The former takes precedence over the latter. ESS users without P_PERNR may be able to view and update records belonging to other employees.
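As an added example (not code from the Layer Seven guide or from SAP), a Python checker for the two P_PERNR problems described in the HR Master Data section and again here for ESS users: write operations on protected infotypes that are not excluded for the user's own record, and an Include authorization that re-grants what an Exclude withdrew. The model is a deliberate simplification and an assumption: each authorization is (AUTHC, PSIGN, INFTY), AUTHC is treated as a string of operation codes or "*", and an Include on the same operation and infotype is taken to override an Exclude, which is the precedence the guide warns about; the infotype codes and sample authorizations are constructed.

```python
from dataclasses import dataclass

WRITE_OPS = {"W", "S", "D", "E"}        # operations the guide says to exclude
ALL_OPS = {"R", "M"} | WRITE_OPS        # assumed set of AUTHC operation codes

@dataclass(frozen=True)
class PPernrAuth:
    authc: str   # operation codes, e.g. "WSDE", "R" or "*" (modelling assumption)
    psign: str   # "I" (Include) or "E" (Exclude)
    infty: str   # four-digit infotype code or "*"

def _ops(authc):
    return set(ALL_OPS) if authc == "*" else set(authc)

def _covers(pattern, infty):
    return pattern == "*" or pattern == infty

def excluded_ops(auths, infty):
    """Operations on the user's own record for `infty` withdrawn by some PSIGN=E auth."""
    ops = set()
    for a in auths:
        if a.psign == "E" and _covers(a.infty, infty):
            ops |= _ops(a.authc)
    return ops

def overriding_includes(auths, infty):
    """(operation, auth) pairs where a PSIGN=I auth re-grants an excluded operation."""
    excluded = excluded_ops(auths, infty)
    return [(op, a) for a in auths if a.psign == "I" and _covers(a.infty, infty)
            for op in sorted(_ops(a.authc) & excluded)]

def audit_self_maintenance(auths, protected_inftys):
    """Findings for infotypes employees must not be able to change in their own record."""
    findings = []
    for infty in protected_inftys:
        missing = WRITE_OPS - excluded_ops(auths, infty)
        if missing:
            findings.append(f"{infty}: write operations {sorted(missing)} are not excluded")
        for op, a in overriding_includes(auths, infty):
            findings.append(f"{infty}: exclusion of {op} overridden by "
                            f"AUTHC={a.authc} PSIGN=I INFTY={a.infty}")
    return findings

# Constructed sample: Basic Pay (0008) and Bank Details (0009) are excluded for
# writes, but a second authorization grants AUTHC=* PSIGN=I on 0009.
SAMPLE_AUTHS = [
    PPernrAuth("WSDE", "E", "0008"),
    PPernrAuth("WSDE", "E", "0009"),
    PPernrAuth("R", "I", "*"),
    PPernrAuth("*", "I", "0009"),
]
```

Running `audit_self_maintenance(SAMPLE_AUTHS, ["0008", "0009"])` reports nothing for 0008 and four overridden exclusions for 0009, one per write operation re-granted by the wildcard Include.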
Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth.

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario, L6H 0C3, Canada
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993
© Copyright Layer Seven Security 2012 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written
permission of Layer Seven Security.

Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the
information presented, but the professional staff of Layer Seven Security makes every reasonable
effort to present the most reliable information available to it and to meet or exceed any applicable
industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. Business Objects and the Business Objects logo,
BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business
Objects products and services mentioned herein are trademarks or registered trademarks of Business
Objects in the United States and/or other countries.
