hrim risks and controls 2011
7/31/2019 HRIM Risks and Controls 2011
Human Resource Information Systems Risks and Controls
Better Practice Guide March 2011
ISBN No. 0 642 81168 7
Commonwealth of Australia 2011
Copyright Information
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth.
Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General's Department, 35 National Circuit, Barton ACT 2600 http://www.ag.gov.au/cca
Questions or comments on the Guide may be referred to the ANAO at the address below.
The Publications Manager
Australian National Audit Office
GPO Box 707
Canberra ACT 2601
Email: [email protected]
Website: http://www.anao.gov.au
Disclaimer
This Better Practice Guide is not a recommendation of the SAP and/or Oracle PeopleSoft systems, nor an endorsement of the SAP and/or Oracle PeopleSoft systems by the ANAO. Australian Government agencies are responsible for deciding whether SAP is suitable for their purposes and for implementing and testing SAP.
The Auditor-General, the ANAO, its officers and employees are not liable, without limitation for any consequences incurred, or any loss or damage suffered by an agency or by any other person as a result of their reliance on the information contained in this Better Practice Guide or resulting from their implementation or use of the SAP and/or Oracle PeopleSoft systems, and to the maximum extent permitted by law, exclude all liability (including negligence) in respect of the Better Practice Guide or its use.
Foreword
Establishing and monitoring internal controls over human resource (HR) information are important management functions. Internal control is fundamental to addressing risks to the completeness and accuracy of information and thus to providing assurance over the reliability of HR information, its compliance with applicable laws and regulations and the effectiveness and efficiency of operations.
Increasingly, entities are utilising Human Resource Management Information Systems (HRMIS) to assist in managing their workforce and in meeting their employer obligations. The effective discharge of these responsibilities is necessary to support the development and implementation of government programs and activities. However, the integration of technology to support managing a modern workforce can introduce a range of information management risks. With this in mind, the Guide emphasises the important role of both system and manual controls in maintaining the integrity and confidentiality of HR information.
The Guide provides an overview of significant risks and controls that are relevant to key HR functions, with particular focus within each chapter on managing risks through implementation of better practice principles. The Guide identifies better practice system controls, and describes manual or process controls that are relevant to support or strengthen the implementation of system controls.
The Guide discusses risks and controls associated with the design, implementation and maintenance of the HRMIS and will be useful to assist HR system managers and practitioners to:
implement better practices to improve the effectiveness and efficiency of HR and payroll processes;
strengthen system controls and appropriately manage and segregate user access to key system functions; and
increase awareness of system controls within the PeopleSoft and SAP HR systems that are used by a large number of Australian Government entities.
Implementation of controls should have due regard to the cost benefit involved. Equally, reducing controls for cost-saving reasons should be carefully managed as the operating risk profile may be increased.
The Guide is supported by a Supplement available from the ANAO website. The Supplement provides better practice examples for implementing controls for the SAP and PeopleSoft HRMIS applications as the key HR systems used within Australian Government entities.
Ian McPhee
Auditor-General
February 2011
Contents
Foreword
Chapter 1. Introduction
  Purpose of this Guide
  Structure of this Guide
  Key Human Resource functions and risks
  Central themes in this Guide
  Identifying relevant controls
Chapter 2. HR and payroll data management
  Key control objectives
  Legislative and compliance considerations
  Managing master data
  Feature article: HR information and good privacy practice
Chapter 3. Workforce management
  Key control objectives
  Legislative and compliance considerations
  Employee commencements
  Employee exits and terminations
Chapter 4. Payroll processing and administration
  Key control objectives
  Legislative and compliance considerations
  Time reporting
  Payroll accounting
  Feature article: Implementing self-service functionality
Chapter 5. System maintenance and integration
  Key control objectives
  Legislative and compliance considerations
  Managing system interfaces
  Managing system rules
  Managing software updates
  Feature article: Managing and maintaining the HRMIS
Appendices
Index
Chapter 1. Introduction
Purpose of this Guide
The HRMIS is important to strategic decision-making as well as supporting day-to-day operational planning and administration. The Guide is intended for HR practitioners and system managers and discusses significant risks and controls relevant to the effective management of key HR functions.
HR and payroll functions are closely linked and changes in one process may create issues in another. As such, there is an emphasis in this Guide on implementing controls to safeguard the privacy and integrity of information.
"The technology infrastructure is now in place and the key role for HR IT staff is no longer creating and maintaining systems but making sure the information and workflow meet their organisational objectives."
Lynne Mealy, President and Chief Executive Officer of the International Association for Human Resource Information Management [1]
Government imperatives and stakeholder requirements carry implications for managing the workforce. The recent Blueprint for the Reform of Australian Government Administration [2] recommended an agenda for nine key areas and established that responsibilities of executive managers should include a commitment to ensuring that Information Technology (IT) systems are appropriately implemented and maintained. Several recommendations were made for entities to implement more effective governance frameworks and improve the efficiency of corporate functions.
Further, the Gershon Review [3] recommended cross-departmental initiatives for the sharing of IT infrastructure. These initiatives are designed to improve the efficiency of the delivery of government services, but may also increase both risk and the need for more sophisticated governance processes between entities.
[1] As quoted in Kelli W. Vito, Auditing Human Resources, The Institute of Internal Audit Research Foundation, 2007.
[2] Ahead of the Game: Blueprint for the Reform of Australian Government Administration, March 2010.
[3] Review of the Australian Government's Use of Information and Communications Technology, August 2008.
[4] The Online Supplement is available for download at the ANAO website, or an electronic version is available by contacting the ANAO on 02 6203 7300 or via email on:
Structure of this Guide
The Human Resource Management Information Systems Risks and Controls Better Practice Guide is divided into two parts, the Guide and an Online Supplement. [4] Both parts are structured according to key HR functions and activities. The Guide discusses significant risks and controls relevant to key HR functions, and contains three feature articles that provide additional relevant discussion on aspects of managing HR information, implementing self-service functionality and managing the HRMIS.
The Online Supplement provides additional detail relevant to entities using either the Oracle PeopleSoft or the SAP ECC 6.0 installation of the relevant HRMIS. It provides additional detail concerning better practice and control guidelines when implementing and using these HRMIS installations.
Figure 1 depicts the above structure:
Figure 1: Better Practice Guide Structure
1. Introduction
2. HR and payroll data management: Managing master data; Feature article: HR information and good privacy practice
3. Workforce management: Employee commencements; Employee exits and terminations
4. Payroll processing and administration: Time reporting; Payroll accounting; Feature article: Implementing self-service functionality
5. System maintenance and integration: Managing system interfaces; Managing system rules; Managing software updates; Feature article: Managing and maintaining the HRMIS
Appendices
Online Supplement: Oracle PeopleSoft Enterprise Release 8.0 Human Resources Module; SAP Human Capital Resource Module
Key Human Resource functions and risks
The major chapters of the Guide provide an overview of significant risks and controls that are relevant to key HR functions. Establishing and monitoring the effectiveness of internal controls are important management functions and each chapter of the Guide provides details of better practice controls that are relevant to mitigating risks.
Chapter 2. HR and payroll data management
Input and maintenance of HR and payroll data poses a significant area of risk in any HRMIS. It is important that controls are implemented to contribute to the maintenance of HR and payroll data that provides for accurate and complete employee information and payroll transactions.
Chapter 3. Workforce management
Workforce management is a key strategic consideration within government entities. As with most other organisations, human capital is considered a significant asset, and the recruitment and maintenance of the right workforce is the key to success for operational and strategic objectives.
The chapter focuses on workforce management activities within a HRMIS to strengthen processes associated with the collection and maintenance of employee information, and in this context, the main activities that are discussed are:
Employee commencements; and
Employee exits and terminations.
Chapter 4. Payroll processing and administration
Payroll processing and administration is highly dependent on a number of inter-linking HR functions. The HRMIS provides a number of functions in performing payroll calculations that are crucial to ensuring that calculations are accurately performed. There are a number of supporting controls, particularly relevant to payroll disbursement and posting of payroll expenses to the General Ledger.
The chapter discusses risks and controls relevant to:
Time reporting;
Payroll accounting; and
Processing of applicable deductions.
Chapter 5. System maintenance and integration
There are a number of functions and configuration options that can be used within an HRMIS to enhance the control environment or to increase efficiency within HR management processes. The chapter recognises that the extent of configuration of system controls varies across organisations. Factors such as entity size, size of the HR team, and whether payroll processing is outsourced contribute to the business requirements to operate and configure controls. The chapter provides an overview on additional configurable controls that may contribute to increasing the efficiency of the HR function and may equally contribute to the accuracy of the HR outputs.
Topics covered include:
Managing system interfaces;
Managing system rules; and
Managing software updates.
Central themes in this Guide
The HR function is the custodian of a variety of sensitive employment data and information. In this context, identifying significant risks and implementing effective system controls are essential to safeguard the integrity of this information. There are several key areas that should be considered:
Managing HR and payroll data;
Legislation and compliance; and
Risks and controls.
The relevance of these areas to chapters of this Guide is discussed below.
Managing HR and payroll data
Input and maintenance of personnel information pose a significant area of risk in any HRMIS. Ensuring that information is updated in the HRMIS in a timely manner and that updates are authorised is the key to the accurate performance of all HR functions.
HR and payroll data are important to effective management of the human resource function, as they underlie every transaction conducted. Effective controls over employee information and master data are essential to maintain the integrity and confidentiality of employee information. The HR and payroll data management chapter provides further information on significant risks and controls associated with managing master data.
The Australian Government Protective Security Policy Framework [5] requires Australian Government entities to protect information resources, including Information and Communication Technology (ICT) systems, from compromise and misuse. In addition, the Australian Government ICT Security Manual (ISM) [6] outlines a combination of physical, personnel, information, IT and communications measures to assist entities to implement IT security controls that satisfy the minimum standards required to protect information stored or transmitted via electronic means. [7]
The ANAO has issued other Better Practice Guides, including the SAP ECC 6.0 Security and Control Better Practice Guide, that outline key measures that can be implemented in SAP environments to improve the security of information.
The Online Supplement to this Guide discusses security risks and recommendations for optimising security and access controls for the HR functionality supported by Oracle PeopleSoft and SAP applications. Security controls in both applications are inherently complex and require considerable knowledge and skill to implement.
Australian Government entities are required to comply with the Information Privacy Principles. [8] Good privacy practices are important when dealing with the payroll and human resource processes, given the sensitivity of data being collected and stored.
Legislation and compliance
Given the current demand for both the disbursement of payroll and associated payments to be made electronically as well as for certain HR information to be exchanged electronically, effective controls over managing employee information and processing the payroll reduce the likelihood of errors or potential non-compliance with legislation.
Information maintained by government HR teams is a key input to internal management reports. In addition the Annual Report, incorporating the Financial Statements, includes a report of SES Remuneration and an overview of workforce composition. Further, entities are required to provide information for a range of Australian Government reports, such as the State of the Service Report.
Relevant legislation or compliance requirements for Australian Government entities are discussed with consideration to the purpose of the legislation and its usage in Government. Appendix 2 provides an overview of relevant legislation.
[5] The Australian Government Protective Security Framework is available at the Attorney-General's website: www.ag.gov.au
[6] Defence Signals Directorate (DSD), Australian Government Information and Communications Technology Security Manual. The current version of the Manual was released in December 2010.
[7] For further information on IT Security Management refer to the Australian National Audit Office (2005), IT Security Management, Audit Report No. 23, 2005-06.
[8] Further information is accessible at: http://www.privacy.gov.au
Risks and controls
The Guide provides an overview of the key HR functions being discussed and introduces relevant risks and control objectives. Control objectives are high-level statements by management that provide a link between organisational risks and the internal controls and activities implemented by entities to mitigate such risks.
Risks relevant to the HR function are discussed and better practice controls recommended to mitigate these risks. Risks and controls are identified in this Guide using an R for risk and each is given a unique number for easy identification. Each chapter provides discussion, as relevant to the topic, on those system and manual controls relevant to mitigating or reducing the impact of a risk. Additional controls, where relevant, often manual in nature, which are related to other HR processes are discussed under the section heading: Optimising the control environment.
There are significant HR risks surrounding segregation of duties. Segregation of duties is one of the key concepts of internal control as well as being a sound management practice. At its basic level, segregation implies that no individual is in a position to initiate, approve and review the same HR activity. In reality this requirement is often difficult to implement and sometimes costly to achieve.
Good segregation has as its primary objective the prevention of fraud and errors, and is a critical consideration when assigning system and user access. The objective is achieved by distributing key HR activities among multiple individuals and/or limiting the number of individuals with access to incompatible activities, e.g. managing HR master data and payroll processing. Often compensating controls will be required to manage or monitor the risks.
Control mechanisms available to assist with implementing effective segregation include:
Audit trails;
Reconciliations;
Exception reports; and
Supervisory review.
System and manual controls
Within this Guide, system controls are denoted by an S preceding a reference number and are numbered within the range 1 to 39. Manual controls are denoted by an M preceding a reference number and are numbered within the range 50 to 65.
System controls
Most business processes are automated and integrated with other business or corporate systems, resulting in many of the controls at this level being automated as well. System controls include tests that confirm the accuracy of programmed business rules, mathematical calculations, balancing or reconciling control activities, and data validation checks. System controls, being binary in nature, are not subject to intermittent human error. Such controls are generally considered to be more reliable than manual controls, but have an implementation cost in initially configuring the control to support business requirements. The controls that are suggested in this Guide are standard configuration controls that are available through normal licensing terms and conditions for most HRMIS applications. Additionally, the Online Supplement provides detail on suggested better practice implementation of system controls for the PeopleSoft and SAP applications.
Manual controls
Manual controls (also called process controls) are a discretional management or monitoring practice that may be performed by an entity. Often these controls refer to the review or reconciliation of a report to identify irregularities. Such controls are generally considered to be detective controls as they provide information or an output that may be reviewed or analysed in order to detect irregularities. Responses to a number of risks in this Guide recommend the implementation of manual controls as they facilitate validation or checks to confirm that a control activity has been authorised. Such controls often require certain reports to be run from the HRMIS.
Optimising the control framework
The Guide also highlights controls that, if implemented, may improve the efficiency with which an entity performs HR activities or improve the operating effectiveness of existing controls. Such controls often enhance the ongoing activities or processes related to the HR function. With this in mind, implementation of controls should have due regard to the cost benefit involved.
Risk types and classifications used in this Guide
There are numerous methods for classifying and identifying risks. The following is a shorthand approach that has been adopted by the ANAO for the classification of risks in this Guide, while recognising that actual risks may often overlap more than one risk type:
Financial Risk: a risk that impacts the financial position of the entity.
Compliance and Reporting Risk: a risk that the entity could be in breach of Australian legislative or regulatory requirements.
Fraud Risk: a risk that an intentional deception could be made for personal gain, or to damage another individual or the entity.
Protection of Information Risk: a risk that personal information about individuals could be disclosed without the consent of the individual or that information is not adequately protected.
Appendix 3 provides a summary of the HR risks and controls discussed in this Guide.
Identifying relevant controls
Controls are generally defined as a systematic measure that is implemented by management to:
Conduct business in an orderly and efficient manner;
Safeguard assets and resources;
Deter and detect errors, fraud, and theft; and
Confirm accuracy and completeness of accounting data.
Risks identified in this Guide that are related to the HR function are not all equal in likelihood, impact or in financial significance. The consideration to implement controls should have due regard to the cost benefit of mitigating identified risks.
A commonly asked question is "What is a relevant control?" While there is no authoritative definition for relevant controls, there are a number of factors that are relevant in determining which controls to implement. For example:
Relevant controls often support more than one control objective. For instance, user access controls support the existence of financial transactions and segregation of duties. In most cases, a combination of relevant controls is an effective way to achieve a particular objective or series of objectives. Placing too much reliance on a single control could create a single point of failure.
Preventive controls are typically more effective than detective controls. For example, preventing a fraud from occurring is far better than simply detecting it after the fact.
Automated controls are generally more reliable than manual or process controls and the reliability of automated controls is dependent upon an entity maintaining an effective control environment. For example, automated controls that force periodic changes to user passwords are more reliable than generic policies.
Customisation vs configuration
The Gershon Review [9] of 2008 stated that "Many submissions indicated that there are no specific inhibitors to using commercial-off-the-shelf (COTS) solutions without customisation; there is often unnecessary excessive customisation by agencies. This erodes the inherent benefits offered by commercial off-the-shelf products, and increases costs." The report noted that as a means to reduce expenditure, entities should reduce expenditure associated with customisation of software.
For the purposes of this Guide:
Customisation is defined as programming changes made to the application that directly change the source code or the underlying table structures. Customisation may cause an increase in costs due to the difficulty of subsequent upgrades and could hinder future adoption of new features or functions that may be offered in later software releases.
Configuration is defined as parameter changes that can be made without manipulating the source code or underlying table structures. Configuration is a non-invasive change to software settings or options that alters the business logic and configuration.
The system controls identified in the Online Supplement to this Guide as better practice considerations for implementation of effective system controls relate to available functionality, and do not require customisation.
[9] Review of the Australian Government's Use of Information and Communications Technology, August 2008, p.35.
Chapter 2. HR and payroll data management
This chapter focuses more broadly on general practices for appropriate maintenance of HR and payroll data. Other chapters of this Guide address risks and controls associated with management of transactions, or management of certain types of HR data. The importance of master data and its linkages to other HR processes discussed in this Guide is outlined in Figure 2 below. In addition, the feature article presents HR information and good privacy practice.
Input and maintenance of HR and payroll data is a significant area of risk. Accurate, complete and timely performance of system calculations and reporting is dependent upon the effectiveness of processes associated with management of data in the HRMIS. Employee information may be stored as standing master data (which is drawn upon by nearly every activity in the payroll process including time entry, payroll processing and benefits administration), or as information subject to regular change and update (e.g. performance management).
Data in the HRMIS may be categorised as either master data or reference data, both being important to the accuracy and completeness of HR functions.
Master data is information that is critical to the operation of the HR function. Master data is generally used to support transactional processes and operations, but its use is also central to business analytics and reporting.
HR master data includes personal information, for example, first name, surname, address, banking details, salary information and qualifications. Certain types or categories of master data may be considered more sensitive than others (for example, bank details are commonly considered a key data type due to the ability to process fraudulent transactions in an unsecured environment). However, risks and impacts associated with data management are applicable to all types of master data.
Information such as position, conditions of employment, and pay rates are used by several functional groups and may consequently be stored in different data systems across an entity and not be referenced centrally. Effective data management practices assist to prevent and detect such data anomalies.
Reference data is information that is subject to change and update and is important for planning, decision-making or historical references. Typically, reference data includes information contained in audit logs.
Often the terms are used interchangeably. For example, taxation rates are a key table in an HRMIS and their function may be described as either reference data or master data. Generally, this Guide refers to master data, however the principles and risks apply to all data types that are entered, modified and stored in a HRMIS.
Figure 2: Master data and linkages to HR processes
HRMIS master data (central and critical) is linked to: HR and payroll data management; Workforce management (Employee commencements; Exits and terminations); Payroll processing and administration (Payroll processing; Deductions; Employee benefits).
Key control objectives
Control objective: HR and payroll data is appropriately maintained to provide accurate and complete employee information and payroll transactions.
Risks mitigated: R201: HR master data is inaccurate. R202: HR master data is not secure.
Legislative and compliance considerations
Safeguarding the privacy of employee information is an important consideration. Requirements of the Information Privacy Principles for the Australian Government are outlined in the feature article on HR information and good privacy practice. Privacy practices are relevant when dealing with sensitive employee information. HR practitioners should be familiar with requirements relating to collection, storage, retention and disclosure of personal information for prospective, current and future employees. Additionally, there are obligations on entities to comply with the Australian Government Protective Security Framework and implement general practices generally to ensure that information is appropriately safeguarded.
Managing master data
While adequate processes should be established to securely store hard copy information, it is information stored within system records which is most vulnerable and often subject to unauthorised access. The primary control to protect confidential information is to restrict user ability to perform functions such as to establish, view and amend master data.
Risks and controls
R201: HR master data is inaccurate
Risk type
Impact: Employee details may be incorrectly entered or maintained, which may result in duplicate payments, or errors with superannuation contributions or employee deductions, or unapproved changes to the allocation of roles or delegations.
Better practice
System controls
S01: Define key data entry fields.
Key data fields should be defined in the system to confirm that information necessary to the completion of master data entry is entered.
S02: Restricting user access to view, establish and amend master data.
Access to view, establish and update master data should be restricted to appropriately authorised users. Users with the ability to view master data should also be appropriately restricted to reduce the likelihood of inappropriate viewing or distribution of data.
S03: Validation checks on certain fields warn the user that the information is duplicated in another employee record.
Validation checks should be configured to decrease the likelihood of inaccurate information being entered (for example, tax file number cannot be duplicated in another employee record). Implementing this control will prevent the data from being established.
Manual controls
M50: Establishment and amendment of master data occurs only when supported by appropriately approved documentation.
All master data established and all amendments processed to master data should be supported by appropriate documentation (approved by an appropriate authority where relevant).
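Controls S01 and S03 above describe two checks applied at the moment master data is entered: key fields must be present, and a value such as the tax file number must not already exist in another employee record. The Python example below is added here to show how such a validation step behaves; it is not code from the Guide, the ANAO, or the PeopleSoft or SAP products. The field names, the sample employee records, the TFN values and the bank details are all constructed for the example, and the check digit rule applied to the TFN (weighted digit sum divisible by 11) is the standard Australian one. The example goes one step beyond the text by treating a duplicated bank account as a warning for review rather than a hard error, since a shared account can be legitimate.

```python
"""Master data entry validation: key fields (S01) and duplicate checks (S03).

Field names, sample records, TFN values and bank details are constructed for
this example; an HRMIS defines its own schema and validation rules.
"""
from dataclasses import dataclass, field

# Fields that must be present before a master data record can be saved (S01).
KEY_FIELDS = ("employee_id", "first_name", "surname", "tfn", "bank_bsb", "bank_account")

# Fields whose value may appear in only one employee record (S03).
UNIQUE_FIELDS = ("employee_id", "tfn")

# Standard Australian TFN check: the weighted sum of the nine digits must be
# divisible by 11. A failed check means the number was mis-keyed.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def normalise(value) -> str:
    """Strip spaces and hyphens so '123 456 782' and '123456782' compare equal."""
    return "".join(ch for ch in str(value or "") if ch not in " -")


def tfn_checksum_ok(tfn) -> bool:
    digits = normalise(tfn)
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


@dataclass
class ValidationResult:
    errors: list = field(default_factory=list)    # block the save
    warnings: list = field(default_factory=list)  # allow the save, flag for review

    @property
    def accepted(self) -> bool:
        return not self.errors


def validate_master_data_entry(record, other_records) -> ValidationResult:
    """Validate a new or amended master data record.

    other_records: every existing employee record except the one being amended,
    so that an amended record never collides with itself.
    """
    result = ValidationResult()
    for name in KEY_FIELDS:
        if not normalise(record.get(name)):
            result.errors.append(f"missing key field: {name}")
    if normalise(record.get("tfn")) and not tfn_checksum_ok(record["tfn"]):
        result.errors.append("tfn fails check digit validation")
    for other in other_records:
        for name in UNIQUE_FIELDS:
            value = normalise(record.get(name))
            if value and value == normalise(other.get(name)):
                result.errors.append(f"{name} duplicates employee record {other['employee_id']}")
        # A shared bank account can be legitimate (e.g. a joint account), so a
        # duplicate is flagged for review rather than rejected outright.
        account = (normalise(record.get("bank_bsb")), normalise(record.get("bank_account")))
        other_account = (normalise(other.get("bank_bsb")), normalise(other.get("bank_account")))
        if all(account) and account == other_account:
            result.warnings.append(f"bank account shared with employee record {other['employee_id']}")
    return result


# Constructed sample records (not real people or identifiers).
EXISTING_RECORDS = [
    {"employee_id": "E1001", "first_name": "Ana", "surname": "Reyes",
     "tfn": "123 456 782", "bank_bsb": "062-000", "bank_account": "12345678"},
    {"employee_id": "E1002", "first_name": "Tom", "surname": "Nguyen",
     "tfn": "876 543 210", "bank_bsb": "062-000", "bank_account": "87654321"},
]

if __name__ == "__main__":
    candidate = {"employee_id": "E1003", "first_name": "Sam", "surname": "",
                 "tfn": "123456782", "bank_bsb": "062-000", "bank_account": "12345678"}
    res = validate_master_data_entry(candidate, EXISTING_RECORDS)
    print("accepted:", res.accepted)
    for message in res.errors:
        print("error:", message)
    for message in res.warnings:
        print("warning:", message)
```

The candidate record in the usage block is rejected twice over (missing surname, TFN already held by E1001) and additionally flagged for the shared bank account, which is the behaviour S03 describes: the duplicate is reported and the record is not established.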
R202: HR master data is not secure
Risk type
Impact: Unauthorised users may have access to view and maintain sensitive HR and payroll data, which may compromise the confidentiality of personnel records and may also result in the processing of fraudulent payroll payments.
Better practice
S04: Access to HR master data is appropriately configured and managed.
Implementing appropriate user access controls requires:
identification and implementation of segregation of duty requirements to validate that update/modify/delete of master data within the HRMIS is complete and appropriately authorised;
access to the application and to underlying data (such as the database) is assigned based on user profiles and/or roles; and
employees should be limited in their ability to modify reference data items (salary, vacation hours, and hire date) for their own records. With Web Client applications (self-service), the client may allow an employee to modify their own data with the exception of high-risk data fields, including salary, hourly rate, additional pay and job grade.
Access controls provide appropriate restrictions to user access to certain data types. Access should be controlled at three levels:
restrict access to appropriate users (for example, HR personnel, but in some situations access may be wider if Employee Self Service is implemented);
for each authorised user, restrict access to particular types of master data (for example, only some authorised users will have access to bank details); and
for each user and each type of data, specify whether access is view or edit access.
Control S02 (Restricting user access to view, establish and amend master data) is also relevant.
Manual controls
M51: Review of system configuration reports.
Generally, system configuration change reports are available from the HRMIS and may be reviewed periodically to monitor changes to key controls or configuration settings. Such reports should be run periodically. Consideration should be given to ensuring that appropriate audit tables and associated logs are also configured. Failure to configure such tables may mean that important information is not available for inclusion in monitoring reports.
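The three-level access model of S04, together with the key-field and duplicate tax file number checks of S01 and S03, can be expressed as a small policy engine. The following is an added example, not code from the Guide or from any HRMIS product; the role names, field names and sample records are assumptions.

```python
"""Added example, not part of the ANAO guide: a minimal HR master-data store that
configures controls S01 (key fields), S02/S04 (three-level access) and S03 (no
duplicate tax file number). Role names, field names and records are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class ControlViolation(Exception):
    """Raised when a request fails one of the configured controls."""


# S01: key data entry fields that must be present before a record can be established.
KEY_FIELDS = {"employee_id", "name", "tfn", "bank_account", "salary"}

# S04: fields an employee may never change through self-service on their own record.
HIGH_RISK_FIELDS = {"salary", "hourly_rate", "additional_pay", "job_grade"}

# S04 levels 2 and 3: for each (hypothetical) role, the data types it may reach and
# whether access is "view" or "edit". "establish" marks roles that may create records (S02).
ROLE_POLICY = {
    "hr_officer": {"establish": True,
                   "fields": {"name": "edit", "address": "edit", "job_grade": "edit",
                              "salary": "edit", "bank_account": "view", "tfn": "view"}},
    "payroll_clerk": {"establish": False,
                      "fields": {"name": "view", "bank_account": "view",
                                 "salary": "view", "hourly_rate": "view"}},
    "line_manager": {"establish": False,
                     "fields": {"name": "view", "job_grade": "view"}},
}


@dataclass
class User:
    user_id: str
    roles: Set[str] = field(default_factory=set)
    employee_id: Optional[str] = None   # set when the user is also an employee


class MasterDataStore:
    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, object]] = {}

    def decide(self, user: User, employee_id: str, data_field: str, action: str) -> bool:
        """Apply the three access levels from S04 and return True if permitted."""
        if action not in ("view", "edit"):
            raise ValueError("action must be 'view' or 'edit'")
        # Self-service: an employee may view their own record and edit it, except for
        # the high-risk fields, which are never self-maintained whatever roles they hold.
        if user.employee_id == employee_id:
            if action == "view":
                return True
            return data_field not in HIGH_RISK_FIELDS
        # Level 1: the user must hold at least one role known to the policy.
        policies = [ROLE_POLICY[r] for r in user.roles if r in ROLE_POLICY]
        # Level 2: the role must be granted this particular data type.
        modes = {p["fields"][data_field] for p in policies if data_field in p["fields"]}
        if not modes:
            return False
        # Level 3: "edit" includes "view"; "view" never permits "edit".
        return action == "view" or "edit" in modes

    def establish(self, user: User, record: Dict[str, object]) -> None:
        """Create a master record, enforcing S01, S02 and S03 in that order."""
        missing = KEY_FIELDS - set(record)
        if missing:
            raise ControlViolation(f"S01: key fields not entered: {sorted(missing)}")
        if not any(ROLE_POLICY[r]["establish"] for r in user.roles if r in ROLE_POLICY):
            raise ControlViolation("S02: user is not authorised to establish master data")
        # S03: validation check, the TFN must not already appear on another record.
        if any(existing["tfn"] == record["tfn"] for existing in self.records.values()):
            raise ControlViolation("S03: tax file number duplicated in another employee record")
        self.records[str(record["employee_id"])] = dict(record)

    def amend(self, user: User, employee_id: str, data_field: str, value: object) -> None:
        """Change one field, subject to the access decision (S02/S04)."""
        if not self.decide(user, employee_id, data_field, "edit"):
            raise ControlViolation(f"S02: {user.user_id} may not edit {data_field} of {employee_id}")
        self.records[employee_id][data_field] = value

    def read(self, user: User, employee_id: str, data_field: str) -> object:
        if not self.decide(user, employee_id, data_field, "view"):
            raise ControlViolation(f"S02: {user.user_id} may not view {data_field} of {employee_id}")
        return self.records[employee_id][data_field]


def demo() -> Dict[str, bool]:
    """Constructed scenario exercising each control; returns which checks fired."""
    store = MasterDataStore()
    hr = User("hr01", {"hr_officer"})
    clerk = User("pay01", {"payroll_clerk"})
    staff = User("e100", set(), employee_id="E100")
    store.establish(hr, {"employee_id": "E100", "name": "A. Citizen", "tfn": "000000000",
                         "bank_account": "123-456", "salary": 80000, "address": "1 Example St"})
    outcome = {}
    try:   # S03: a second record reusing the (constructed) TFN is rejected
        store.establish(hr, {"employee_id": "E101", "name": "B. Other", "tfn": "000000000",
                             "bank_account": "999-999", "salary": 70000})
        outcome["duplicate_tfn_rejected"] = False
    except ControlViolation:
        outcome["duplicate_tfn_rejected"] = True
    outcome["self_service_address_edit"] = store.decide(staff, "E100", "address", "edit")
    outcome["self_service_salary_edit"] = store.decide(staff, "E100", "salary", "edit")
    outcome["clerk_views_bank"] = store.decide(clerk, "E100", "bank_account", "view")
    outcome["clerk_edits_bank"] = store.decide(clerk, "E100", "bank_account", "edit")
    return outcome


if __name__ == "__main__":
    print(demo())
```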
Optimising the control framework
Control item: Clean desk policy and appropriate filing of hard copy employee records
Description: Within HR and payroll teams, care must be taken to appropriately store hard copy documents containing sensitive employee master data. A clean desk policy and policies around shredding and retention of documentation should be considered.
Feature article: HR information and good privacy practice [10]
During each stage of the employment lifecycle (before, during and after employment) agencies will collect personal information. This means that it is very important that agencies have in place systems to collect and manage this information in a way that complies with all legal and policy requirements. Australian Government entities are required to comply with the eleven Information Privacy Principles under section 14 of the Privacy Act 1988 (Cth). These Information Privacy Principles are reproduced at the end of this article.
A separate set of principles, the National Privacy Principles, apply to some private sector organisations. If agencies outsource their HR functions to a private sector organisation, the service provider will need to comply with both the Information Privacy Principles and the National Privacy Principles. Further detail is available in an information sheet, Privacy Obligations for Commonwealth Contracts, available from the Office of the Australian Information Commissioner (OAIC).
This article highlights better practice considerations for Australian Government agencies [11] in order to reduce the risk of non-compliance with these key legislative requirements.
Separate guidance and more detail on the Information Privacy Principles and the National Privacy Principles is set out on the Commissioner's website: www.oaic.gov.au
Information Privacy Principles
A summary of the eleven Information Privacy Principles (IPP) is outlined below:
IPP 1: Manner and purpose of collection of personal information
IPP 2: Solicitation of personal information from individual concerned
IPP 3: Solicitation of personal information generally
IPP 4: Storage and security of personal information
IPP 5: Information relating to records kept by record-keeper
IPP 6: Access to records containing personal information
IPP 7: Alteration of records containing personal information
IPP 8: Record-keeper to check accuracy of personal information before use
IPP 9: Personal information to be used only for relevant purposes
IPP 10: Limits on use of personal information
IPP 11: Limits on disclosure of personal information
[10] The ANAO acknowledges the input of the Office of the Australian Information Commissioner in reviewing this article.
[11] This feature article refers to the term agency rather than the term entity that is used throughout other sections of this Guide. This change in reference is deliberate in order to maintain consistency with references used in the legislation.
Personal information includes any information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Where information is stored in a personnel file, the entire content of the file is likely to be personal information as it directly relates to the individual. Section 6 of the Privacy Act 1988 provides a full definition of personal information.
IPP 1 Manner and purpose of collection of personal information
Information Privacy Principle 1 prohibits agencies from collecting personal information for inclusion in a record or a generally available publication unless:
(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of [the agency]; and
(b) the collection of the information is necessary for or directly related to that purpose.
In addition, the information should not be collected by unlawful or unfair means. The nature of human resources and payroll processes means that collection of personal information (including tax file numbers and bank details) is a necessity. Particular care needs to be taken in relation to information requested for pre-employment security or health checks as this will usually involve very sensitive information.
Better practice considerations
Training should be provided to HR and payroll personnel to ensure they are aware of what constitutes unlawful or unfair means to collect information.
Personnel involved in HR functions that legitimately require the collection of personal information are aware of the manner in which information should be collected.
Each entity should document a policy clearly stipulating the purpose for collection of personal information at all stages of the employment process.
There is a clear link between the information collected and the purpose for collecting that information.
IPP 2 Solicitation of personal information from individual concerned
Information Privacy Principle 2 requires the agency to clearly inform the individual from whom the information is being collected of:
the purpose for which the information is being collected;
if that information is being collected as required by or under law and, if so, what that law is; and
any person or body to whom the information is usually disclosed.
The collector must inform the individual prior to collection of the personal information, or as soon as practicable after collection.
This principle applies no matter how information is requested. For example, agencies will be collecting information as part of their recruitment processes if individuals:
complete an online self-assessment;
provide hardcopy or electronic information with their applications;
answer questions at the interview; or
provide further information as part of pre-engagement security checks.
This means that it is important that agencies:
assess what information is being requested at each stage of the employment cycle;
assess what purposes the agency will use that information for;
assess what other agencies or third parties the information may be disclosed to; and
notify individuals about those purposes and potential disclosure at the point of collection.
Better practice considerations
A standard information sheet should be provided to individuals (for example, job applicants) from whom common personal information is required. This information should also be readily available to personnel involved in recruitment processes.
The individual should be informed of the purpose for collection of information and the authorisation for the collection.
IPP 3 Solicitation of personal information generally
Information Privacy Principle 3 builds on the requirements for collection of information under Information Privacy Principle 1. It requires that agencies take steps to provide that the information collected is:
relevant to the purpose for which it is collected; and
up-to-date and complete.
It also emphasises that collection of the information should not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
At each stage of the employment cycle it will be necessary to collect some personal information. The purpose of much of that information will be clear. For example, agencies will need to collect bank account information from employees in order to pay them.
There may still be some information where judgement is required as to whether or not it is unreasonable to collect the information. For example, entities should be cautious when using applicant testing procedures. These tests should only ask job-related questions and not ask overly intrusive questions.
It is also important for agencies to consider where information is being obtained from as part of their obligation to collect information that is accurate and up-to-date. This means that generally it is better practice to collect information from the individual concerned, unless this is not possible in the circumstances (for example, in the case of referee checks).
Better practice considerations
Policies on lawful and reasonable questioning of job applicants are developed and communicated to relevant employees.
Information collected should not be unreasonably intrusive and should be relevant, up to date and complete.
IPP 4 Storage and security of personal information
Information Privacy Principle 4 requires that agencies make certain that records containing personal information are protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse.
This principle relates to information stored both in IT systems and in hard copy. This means that agencies' HR systems and procedures include the following:
backup controls are put in place, including regular backup of information and off-site storage of backup tapes;
hard copy information is stored in locked fireproof cabinets;
access to buildings and rooms in which information is stored is appropriately restricted;
access to information systems (including backup systems) in which information is stored is appropriately restricted based on job requirements;
access to underlying data (such as employee files) is appropriately restricted; and
identity verification checks are undertaken prior to releasing personal information to the individual, or other authorised officers.
In addition, where the collector is required to provide information to another person or entity, reasonable steps should be taken so that the third party does not disclose the contents of the information. This could include simply informing the person or entity of the confidential nature of the information (which is generally adequate for government personnel or entities), or requesting that the person or entity signs a non-disclosure agreement prior to releasing the information.
Particular care should be taken when any part of the HR function is outsourced to ensure that the agency has done everything reasonably within [its power] to prevent unauthorised use or disclosure of information [contained within employee records].
Better practice considerations
Implementation of information system controls is sufficient to safeguard information stored by the agency.
Security safeguards are implemented to protect personal information against loss, unauthorised access, use, modification, disclosure, and misuse.
System considerations
Payroll master data is an area of high risk in terms of fraud or overpayments. Accordingly, user access to perform functions such as amending or updating master data should be restricted, with access being provided in line with job requirements. Users that have access to amend or update master data should not have the ability to perform payroll functions. Periodic review of this data is an important control, such as review of a master data change report. Changes to master data should be periodically checked against the source documentation that requested and authorised the amendment.
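The periodic review described above (master data change report checked against the documentation that authorised each amendment, plus the rule that users who amend master data do not also run payroll) can be scripted. The following is an added example, not code from the Guide or from any HRMIS product; the report layouts, user ids, request ids and values are all constructed.

```python
"""Added example, not from the ANAO guide: a periodic review of a master data
change report against approved change documentation (M50) and against the payroll
run log (segregation of duties between master data amendment and payroll functions).
Report formats, user ids, request ids and values are constructed for illustration."""
import csv
from io import StringIO
from typing import Dict, List, Tuple

# Constructed HRMIS master data change report for the review period.
CHANGE_REPORT = """\
ts,user,employee_id,field,old,new,request_id
2011-03-01T09:12,hr01,E100,bank_account,123-456,987-654,CR-41
2011-03-01T09:30,hr01,E101,salary,70000,75000,CR-42
2011-03-02T10:05,hr02,E102,salary,65000,90000,
2011-03-02T11:00,pay01,E103,hourly_rate,30.00,35.00,CR-43
"""

# Constructed register of approved change requests (the supporting documentation).
APPROVED_REQUESTS = """\
request_id,employee_id,field,approved_value,approver
CR-41,E100,bank_account,987-654,mgr07
CR-42,E101,salary,72000,mgr07
CR-43,E103,hourly_rate,35.00,mgr09
"""

# Constructed log of payroll functions executed in the same period.
PAYROLL_RUNS = """\
ts,user,function
2011-03-03T08:00,pay01,run_payroll
2011-03-03T08:30,pay01,release_payments
"""


def parse_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def review_master_data_changes(report_csv: str, approvals_csv: str,
                               payroll_csv: str) -> List[Dict[str, str]]:
    """Return one finding per control failure; an empty list means a clean review."""
    approvals = {r["request_id"]: r for r in parse_csv(approvals_csv)}
    payroll_users = {r["user"] for r in parse_csv(payroll_csv)}
    findings: List[Dict[str, str]] = []

    def flag(change: Dict[str, str], code: str, detail: str) -> None:
        findings.append({"employee_id": change["employee_id"], "field": change["field"],
                         "user": change["user"], "code": code, "detail": detail})

    for change in parse_csv(report_csv):
        request = approvals.get(change["request_id"] or "")
        if request is None:
            # M50: no approved documentation supports this amendment.
            flag(change, "M50-NO-DOCUMENTATION", "no approved change request recorded")
        elif (request["employee_id"], request["field"]) != (change["employee_id"], change["field"]):
            flag(change, "M50-WRONG-REQUEST", "request covers a different employee or field")
        elif request["approved_value"] != change["new"]:
            # Documented, but the value entered differs from the value that was approved.
            flag(change, "M50-VALUE-MISMATCH",
                 f"approved {request['approved_value']} but {change['new']} was entered")
        if change["user"] in payroll_users:
            # Segregation of duties: the amending user also performed payroll functions.
            flag(change, "SOD-MASTER-DATA-AND-PAYROLL",
                 "user amended master data and executed payroll functions in the same period")
    return findings


def summarise(findings: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Compact (employee_id, code) view of the findings for the review report."""
    return sorted((f["employee_id"], f["code"]) for f in findings)


if __name__ == "__main__":
    for finding in review_master_data_changes(CHANGE_REPORT, APPROVED_REQUESTS, PAYROLL_RUNS):
        print(finding)
```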
IPP 5 Information relating to records kept by record-keeper
Information Privacy Principle 5 relates to the systems that agencies have in place to ascertain and disclose the type of personal information they hold. Agencies must maintain a master record that sets out:
the nature of the records of personal information kept by or on behalf of the [agency] (i.e. the type of personal information stored);
the purpose for which each type of record is kept;
the classes of individuals about whom records are kept;
the period for which each type of record is kept;
the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
the steps that should be taken by persons wishing to obtain access to that information.
This master record should not itself contain any personal information as it must be:
made available for public inspection; and
provided to the Privacy Commissioner every year in June.
Usually agencies will appoint a privacy officer who coordinates the submission of these records on a whole of agency basis.
Better practice considerations
Data management policies stipulate information that is required to be maintained.
Entities are aware of the type and nature of the information they are collecting and retaining.
System considerations
Systems should be configured to require entry of the above information before a new listing of records can be created.
IPP 6 Access to records containing personal information
Information Privacy Principle 6 allows individuals to access any records that contain personal information about them except to the extent that the [agency] is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
This principle allows an individual about whom personal information has been collected to have access to that information, unless restricted under another law. This right to access is separate from the freedom of information process. IPP 6 provides the same right of access to information as is available under the Freedom of Information Act 1982 (Cth), but the FOI Act contains different review and appeal provisions. For example, under the FOI Act an agency must release requested documents unless they fall within certain exemption categories, and under current reforms to the FOI Act, there is no charge for access to personal information.
A particular application of this in the HR context is that an agency employee may ask to view their own personnel file at any time. Similarly, job applicants may also ask to view notes made about them, or reasons documented for their lack of success in securing a role.
It is important for information to be maintained and disposed of in accordance with relevant legislation, and agencies should confirm record-keeping obligations before disposing of information. Data cleansing activities should be undertaken in accordance with the requirements to retain Commonwealth Records under the Archives Act 1983 (Cth), and records should only be disposed of in accordance with a disposal authority.
Better practice considerations
Information should be periodically reviewed and disposed of, where no longer required, in accordance with relevant disposal authorities.
Information is maintained in accordance with legislation.
IPP 7 Alteration of records containing personal information
Information Privacy Principle 7 requires agencies to:
take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that their records of personal information:
(a) are accurate; and
(b) are, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
Employee self-service facilities allow for the modification of many items of personal information by employees in a way that enables these records to be maintained accurately and in a timely manner. This does not remove agencies' responsibilities for ensuring that records are up-to-date. Where an individual requests a change to their personnel file, if the change is not made this also needs to be noted on their personnel file, including the reasons for not making the change. Accordingly, agencies' procedures and systems should have the facility to do this.
Better practice considerations
Perform a reconciliation between data recorded in the HRMIS at a point in time and the authorised documentation to ensure the change was made accurately.
Updates to payroll or HR master data are accurate and are processed only when appropriately authorised.
IPP 8 Record-keeper to check accuracy etc of personal information before use
Information Privacy Principle 8 requires agencies not to use personal information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.
Information Privacy Principle 8 builds on IPP 7 by requiring the agency to take reasonable steps prior to using information to ensure that it is accurate, up to date and complete. Consideration should be given to requesting that personnel confirm details that may be out of date (either on a periodic basis or prior to use of information).
IPP 9 Personal information to be used only for relevant purposes
Information Privacy Principle 9 requires that an agency who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant. In other words, agencies should only use personal information for a purpose to which it is relevant.
To assist with complying with this IPP, it is suggested that agencies develop a clear policy on use of personal information, and provide training to relevant personnel concerning the appropriate use of information.
IPP 10 Limits on use of personal information
Information Privacy Principle 10 applies in addition to Information Privacy Principle 9. This means that information can only be used for a purpose if:
it is relevant to that purpose (IPP 9); and
either it was collected for that purpose or one of the exemptions applies (IPP 10).
The exemptions under Information Privacy Principle 10 are:
(a) the individual concerned has consented to use of the information for that other purpose;
(b) the agency believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;
(c) use of the information for that other purpose is required or authorised by or under law;
(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.
There are also exceptions in other circumstances, such as enforcement of criminal law, imposing a pecuniary penalty, or the protection of public revenue.
IPP 11 Limits on disclosure of personal information
Information Privacy Principles 9 and 10 restrict the use that agencies can make of personal information. Principle 11 restricts the disclosure of personal information, which includes disclosure to other agencies. Agencies must not disclose personal information unless:
the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;
the individual concerned has consented to the disclosure;
the [agency] believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;
the disclosure is required or authorised by or under law; or
the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
Information Privacy Principles
Principle 1
Manner and purpose of collection of personal information
1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
(b) the collection of the information is necessary for or directly related to that purpose.
2. Personal information shall not be collected by a collector by unlawful or unfair means.
Principle 2
Solicitation of personal information from individual concerned
Where:
(a) a collector collects personal information for inclusion in a record or in a generally available publication; and
(b) the information is solicited by the collector from the individual concerned;
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:
(c) the purpose for which the information is being collected;
(d) if the collection of the information is authorised or required by or under law, the fact that the collection of the information is so authorised or required; and
(e) any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first-mentioned person, body or agency to pass on that information.
Principle 3
Solicitation of personal information generally
Where:
(a) a collector collects personal information for inclusion in a record or in a generally available publication; and
(b) the information is solicited by the collector;
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:
(c) the information collected is relevant to that purpose and is up to date and complete; and
(d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Principle 4
Storage and security of personal information
A record-keeper who has possession or control of a record that contains personal information shall ensure:
(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.
Principle 5
Information relating to records kept by record-keeper
1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a) whether the record-keeper has possession or control of any records that contain personal information; and
(b) if the record-keeper has possession or control of a record that contains such information:
(i) the nature of that information;
(ii) the main purposes for which that information is used; and
(iii) the steps that the person should take if the person wishes to obtain access to the record.
2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
3. A record-keeper shall maintain a record setting out:
(a) the nature of the records of personal information kept by or on behalf of the record-keeper;
(b) the purpose for which each type of record is kept;
(c) the classes of individuals about whom records are kept;
(d) the period for which each type of record is kept;
(e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
(f) the steps that should be taken by persons wishing to obtain access to that information.
4. A record-keeper shall:
(a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
(b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.
Principle 6
Access to records containing personal information
Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
Principle 7
Alteration of records containing personal information
1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:
(a) is accurate; and
(b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.
3. Where:
(a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
(b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;
the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.
Principle 8
Record-keeper to check accuracy etc of personal information before use
A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.
Principle 9
Personal information to be used only for relevant purposes
A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.
Principle 10
Limits on use of personal information
1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:
(a) the individual concerned has consented to use of the information for that other purpose;
(b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;
(c) use of the information for that other purpose is required or authorised by or under law;
(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.
2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.
Principle 11
Limits on disclosure of personal information
1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
(a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;
(b) the individual concerned has consented to the disclosure;
(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;
(d) the disclosure is required or authorised by or under law; or
(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.
3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.
-
7/31/2019 HRIM Risks and Controls 2011
32/10128 Managing Human Resource Inormation Systems Risks and Controls Better Practice Guide
-
7/31/2019 HRIM Risks and Controls 2011
33/10129
Introduction
Introduction
Chapter 3. Workforce management
Key control objectives 31
Legislative and compliance considerations 31
Employee commencements 32
Employee exits and terminations 35
Chapter 3. Workforce management
This chapter discusses activities relating to engagement of employees, managing promotions and transfers, and employee departures. Implementing effective controls in these areas is important to appropriately maintain employee information in the entity's HRMIS and to ensure that payroll processing is accurate. Risks and controls for appropriately safeguarding employee-related information are discussed under HR and payroll data management.
Workforce management is a key strategic consideration for government entities. Workforce management covers a range of activities and may include actions such as recruitment of employees, learning and development, succession planning, and rewards and recognition.
Key control objectives
Control objective: Appropriate and accurate employee information is collected and maintained.
Risks mitigated:
R301: Non-existent or duplicate employee is added to the payroll.
R302: Termination payments and balances are inaccurately calculated.
R303: Employee is not deactivated when employment is terminated.
Legislative and compliance considerations
Activities undertaken within the workforce management process are subject to various legislative and compliance requirements. The following table provides an overview of key legislation that is relevant to workforce management procedures. See the list of general legislation at Appendix 2.
Legislation / Purpose
Public Service Act 1999: Governs the establishment and operation of, and employment in, the Australian Public Service. Part 4 of the Act addresses methods of setting employment terms and conditions, employee transfers between agencies and termination of employment requirements.
Public Service Regulations 1999: Parts 3 and 8 of the Regulations deal with issues in relation to APS employees. These include matters such as the date of effect of promotions and the engagement of SES and non-SES employees for a specified term (Part 3) and terms and conditions of employment of APS employees after machinery of government changes (Part 8).
Public Service Commissioner's Directions 1999: The Commissioner's Directions regulate matters including the engagement and promotion of APS employees (Chapter 4) and a wide variety of matters in relation to the employment of SES employees (Chapter 6).
Public Service Classification Rules 2000: The Classification Rules detail the permitted classifications of APS employees and requirements around moving employees from training classifications to ordinary classifications.
Part 11 of the Financial Management and Accountability Regulations 1997: The Financial Management and Accountability Regulations 1997 are made under the Financial Management and Accountability Act 1997. Their purpose is to provide accountability and consistency across Commonwealth Government entities. Part 11 relates to the method of accounting for the transfer of leave entitlements for employees moving between agencies.
Employee commencements
The employee commencement process encompasses identification of the requirement to fill a vacant role or create a new role, approval to seek and appoint an individual, selection of the individual and the administration associated with the new hire.
Upon acceptance of the offer, the new employee is required to provide personal information to enable set-up of an employee record on the HR and payroll systems (refer HR and payroll data management). A considerable amount of information relating to the successful applicant is required, ranging from the new employee's address to planned working time and salary and leave entitlements.
Given the sensitive content of employee conditions of employment, it is important to consider the principles detailed in the Australian Government Information Privacy Principles. Principle 4 requires a record-keeper (entity) to protect the record (employment contract) by such security safeguards as it is reasonable in the circumstances to take, against loss, unauthorised access, use, modification or disclosure and any other misuse.
Transfers and promotions
A transfer in the context of the HR process may mean one of the following:
Intra-agency transfer: an APS employee moving to a different job within the same entity (or agency); or
Inter-agency transfer: an APS employee moving from one entity (or agency) to another.
A key objective in managing employee transfers, either inter-agency or intra-agency, is to transfer complete and accurate records relating to that employee, particularly accrued benefits.
A broader definition of intra-agency transfer refers to an employee permanently changing position or working in a different position on a temporary basis (for example, covering another employee's extended absence or working in a higher duty capacity than their stipulated role). Ensuring master data and time accurately reflect the position in which all employees are working is referred to as Position Management.
Position management
Employees are allocated to a particular role or position in the HRMIS. Attributes associated with a position description include the pay rate and benefits.
Employees may occupy more than one position in the following ways:
Permanent transfer: making a permanent move;
Temporary transfer: making a short-term move from one position to another; or
Higher duties: occupying more than one position for a defined purpose and for a short period of time.
There are several approaches that may be used to reflect this in the HRMIS. In the first two instances, it is likely that the employee's record will be modified to reflect the change in position. In the third instance, where the employee works within his or her own position and a higher position, the time spent in the higher position may be controlled through the time reporting process and receive additional benefits via the payroll process. The functionality to manage employee positions within the organisational chart is discussed further in System maintenance and integration.
Risks and controls
R301: Non-existent or duplicate employee is added to the payroll
Impact: Ghost or duplicate employees on the payroll lead to overpayment or processing of fraudulent payments.
Better practice
System Controls
S05: Access to add an employee should be restricted to appropriate individuals and segregated from payroll maintenance.
Access to modify employee information should be restricted to decrease the likelihood of inappropriate or unapproved changes to employee information which may impact upon the accuracy and completeness of information maintained in the HRMIS. Additionally, restricting access in accordance with privacy principles reduces the risk of inappropriate disclosure of employee information.
Also refer to S03: Validation checks on key fields warn the user that the information is duplicated in another employee record.
Manual Controls
M52: When adding a new employee, a listing of current employees should be reviewed to reduce the risk of duplicating the employee record.
A system report of all current employees should be generated prior to adding a new employee, and checked to confirm the employee does not already exist in the system.
A system report of all new employee additions should be generated monthly and an individual who is independent from the employee set-up process should check each addition against supporting paperwork (for example, approval to hire, employee information including bank account) to validate the set-up was authorised and has been completed accurately.
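The key-field duplicate check (S03), the segregation of the add-employee function from payroll maintenance (S05) and the monthly independent review of new additions against approval-to-hire paperwork (M52) can all be expressed as explicit checks. The Python below is an added example written for this guide's discussion; it is not code from the guide, from SAP or from PeopleSoft. The record layout, the choice of key fields, the approval register, the list of payroll maintainers and every sample value are constructed for illustration.

```python
"""Added example (not from the ANAO guide or any HRMIS vendor): a duplicate
check on key fields when an employee record is added (control S03), and a
monthly independent review of additions against approval-to-hire paperwork
with a segregation-of-duties check (controls M52 and S05). The record
layout, key fields, approval register and every value below are constructed
sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    surname: str
    given_name: str
    date_of_birth: date
    tax_file_ref: str    # constructed placeholder, not a real tax file number
    bank_account: str    # constructed BSB/account placeholder
    added_by: str        # user who created the record
    added_on: date


# Fields that should never be shared by two distinct employee records.
KEY_FIELDS = ("tax_file_ref", "bank_account")


def normalise(value: str) -> str:
    """Fold case and drop punctuation/spaces so trivial re-keying does not hide a match."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def duplicate_warnings(new: Employee, existing: List[Employee]) -> List[str]:
    """S03-style validation: one warning per existing record that shares a key
    field with the new record, or matches on surname, given name and date of birth."""
    warnings: List[str] = []
    for other in existing:
        if other.emp_id == new.emp_id:
            continue
        for field_name in KEY_FIELDS:
            if normalise(getattr(new, field_name)) == normalise(getattr(other, field_name)):
                warnings.append(f"{field_name} matches existing employee {other.emp_id}")
        same_person = (
            normalise(new.surname) == normalise(other.surname)
            and normalise(new.given_name) == normalise(other.given_name)
            and new.date_of_birth == other.date_of_birth
        )
        if same_person:
            warnings.append(f"name and date of birth match existing employee {other.emp_id}")
    return warnings


def review_new_hires(
    employees: List[Employee],
    approvals: Dict[str, Dict[str, str]],
    payroll_maintainers: set,
    period_start: date,
    period_end: date,
) -> List[Tuple[str, str]]:
    """M52-style monthly review: every record added in the period needs an
    approval-to-hire whose bank account agrees with the record, and the user who
    added it must not also maintain payroll (S05 segregation of duties)."""
    exceptions: List[Tuple[str, str]] = []
    for emp in employees:
        if not (period_start <= emp.added_on <= period_end):
            continue
        approval = approvals.get(emp.emp_id)
        if approval is None:
            exceptions.append((emp.emp_id, "no approval-to-hire on file"))
        elif approval["bank_account"] != emp.bank_account:
            exceptions.append((emp.emp_id, "bank account differs from approved paperwork"))
        if emp.added_by in payroll_maintainers:
            exceptions.append((emp.emp_id, f"added by {emp.added_by}, who also maintains payroll"))
    return exceptions


# Constructed sample data: two existing records and one February addition that
# re-uses an existing bank account under a re-cased name.
EXISTING = [
    Employee("E1001", "Nguyen", "Alice", date(1985, 3, 2), "REF-0001", "062-000 12345678", "hr.clerk1", date(2011, 1, 10)),
    Employee("E1002", "Smith", "Bob", date(1979, 11, 30), "REF-0002", "062-000 87654321", "hr.clerk2", date(2011, 1, 12)),
]
NEW_HIRE = Employee("E1003", "NGUYEN", "alice", date(1985, 3, 2), "REF-0003", "062000-12345678", "pay.admin", date(2011, 2, 3))
APPROVALS = {"E1001": {"bank_account": "062-000 12345678"}, "E1002": {"bank_account": "062-000 87654321"}}
PAYROLL_MAINTAINERS = {"pay.admin"}


def run_checks():
    """Validate the new record on entry, then run the February review."""
    on_entry = duplicate_warnings(NEW_HIRE, EXISTING)
    monthly = review_new_hires(EXISTING + [NEW_HIRE], APPROVALS, PAYROLL_MAINTAINERS,
                               date(2011, 2, 1), date(2011, 2, 28))
    return on_entry, monthly


if __name__ == "__main__":
    on_entry, monthly = run_checks()
    for line in on_entry:
        print("WARNING:", line)
    for emp_id, reason in monthly:
        print("EXCEPTION:", emp_id, reason)
```

The entry-time check is a warning rather than a hard block, matching S03, because a genuine second record can share a field (for example, a family member with a joint account); the monthly review then catches what a user clicked past. Matching is done on normalised values so that re-keying a bank account with different spacing does not defeat the check.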
Risks and controls associated with inter-agency transfers are similar to risks associated with the employee commencement and exit process that is discussed in Employee exits and terminations. An additional risk for inter-agency transfers involves the transfer of leave entitlements and other benefits. The risks generally with intra-agency transfers relate to controls associated with the management of positions in the HRMIS. The effect of transfers on the organisational chart is addressed in System maintenance and integration.
Optimising the control framework
Generally, determining employee conditions of employment is performed outside of the HRMIS. It is important that the organisation hierarchy and payroll calculation rules are established and maintained to provide consistency with conditions of employment. Further detail on configuring key system controls or implementing supporting manual controls is provided in the discussion on System maintenance and integration.
The following items should be considered to enhance the maintenance of the employee commencement process:
Control item / Description
Development of standardised reference and background check procedures: A security clearance and reference checking policy should be developed and documented. Sign-off certifying compliance with this standard should be obtained for each selected candidate prior to progressing to appointment stage. Documentation supporting the background/reference checking and security clearance should be retained.
Information collected during the application process is handled in accordance with Privacy legislation: Training on Information Privacy Principles and obligations placed upon those responsible for handling and retention of personal information should be provided to all employees involved in the employee recruitment process.
Managing transfer requirements: Part 11 of the Financial Management and Accountability Regulations 1997 stipulates arrangements for transfer of employee leave entitlements when employees move between agencies.
A standard employee appointment form is used to document new employee details and is appropriately authorised before the new hire is entered into the system: A new hire template form should be developed and utilised to capture key information to be keyed into the system, including employee personal details and HR information such as salary and position. This form should be signed off prior to entry of information into the system.
Employee exits and terminations
The employee exit process is initiated when either the employer or employee provides notice of termination. During an employee's notice period, key tasks undertaken are completion of operational responsibilities, knowledge transfer and an exit interview between employer and employee.
At the employee's date of termination, a termination payment is calculated. The employee returns all property owned by the employer, and the employee's logical and physical access is removed.
A termination payment is the final payment made to an employee which incorporates payout of all entitlements. The payment will include salary/wages for all days worked and the payout of leave entitlements in line with policy or legal requirements.
Amounts may be deducted from termination payments based on policy or agreed Conditions of Employment. For example, relocation or study costs paid to the employee may be recovered if the employee is terminated within a defined period. In instances of involuntary termination or retirement, a termination package inclusive of additional entitlements may need to be calculated.
Termination payments are made as a one-off payment on the date of termination, or included in the next pay run.
Risks and controls
R302: Termination payments and balances are inaccurately calculated
Impact: Termination payment is incorrect, resulting in incorrect salary and leave entitlements being paid or reported.
Better practice
System Controls
S06: Application will warn user if termination date in the past is entered.
The system should be configured such that if a termination date in the past is entered, a warning message is generated to reduce the occurrence of backdating of terminations and to accurately process termination payments and calculations.
S07: Workflow operates to require independent approval verification of termination date entered.
Automated workflow approvals utilising organisation hierarchy positions' delegations of authority should be utilised to approve terminations. The approver should verify the termination date of the employee prior to approving.
S08: Application automatically calculates payments based on master data, termination date entered, and leave entitlements.
Use of system functionality to calculate and report entitlements and balances is more accurate. The effectiveness of this control requires accurate data entry and maintenance of employee information and master data.
Manual Controls
M53: An independent authority checks the termination date per notification documentation to the date entered in the system.
On a monthly basis, a report of all terminations is generated and an individual who does not have access to terminate employees checks that all termination dates were accurately entered, with reference to termination documentation (for example, resignation letter).
R303: Employee is not inactivated when employment is terminated
Impact: Employee record is not flagged as terminated, which may result in subsequent payment to the employee. For entities using single sign-on (which enables access to all applications without requiring separate passwords, by using credentials at the network sign-on level), failure to inactivate terminated employees may also fail to inactivate network access.
Better practice
System Controls
S09: Application automatically changes status of employee to terminated as at termination date entered.
Systems are configured to automatically change the status of employees to terminated as at the entered termination date. This is typically enabled through automated batch processing.
S10: Application automatically disables terminated employees' access to systems based on termination date entered.
This control is possible where position-based security is utilised. Appropriate use of the termination date is important where single sign-on access is granted based on a commencement or termination date.
S11: Application does not allow payment to be disbursed to employees with terminated status.
Operation of this control typically does not require specific configuration within the system, as it is deemed standard functionality. It may be possible in some circumstances to process ad-hoc payments to terminated employees using some applications.
Manual Controls
M54: Department/Cost Centre Managers are periodically provided with a listing of employees for which they are responsible. This listing is checked to determine whether it contains any employees no longer working within the Department.
System-generated listings of current employees per Department/Area/Cost Centre should be provided to relevant Managers to verify current employees. This check assists in detecting employees who have transferred or been terminated where information regarding the transfer or termination has not been recorded in the system.
Optimising the control framework
The following items should be considered to improve management of employee information relevant to employee departures:
Control item / Description
Employee Exit checklist: An Employee Exit checklist assists HR in completing all steps to mitigate risks associated with employee termination. The checklist should include the requirement to return all entity property from the terminated employee and remove physical and system access.
Reconciliation of terminations: A listing of terminations is maintained external to the system by the HR section as notifications are received. This listing is reconciled to a listing of all terminated employees within the system each month. Performing a check of an external record of terminations against a system-generated listing on a monthly basis assists in ensuring all terminations have been recorded in the system in the correct period.
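The termination controls under R302 and R303 (S06 warning on a backdated date, S09 and S10 batch inactivation and access removal as at the date, S11 refusal to disburse to a terminated record) and the monthly reconciliation of HR's external register against the system, described just above, fit together as one small pipeline. The Python below is an added example for this discussion, not code from the guide, SAP or PeopleSoft; the Employee fields, the status values, the register format and all sample records and amounts are constructed for illustration.

```python
"""Added example (not from the ANAO guide or any HRMIS vendor): the
termination-date controls discussed under R302 and R303 and the monthly
reconciliation of terminations. It models S06 (warn on a backdated date),
S09 and S10 (batch inactivation and access removal as at the date), S11
(no disbursement to terminated employees) and the reconciliation of HR's
external notification register to the system. All records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    emp_id: str
    name: str
    status: str = "active"                   # "active" or "terminated"
    termination_date: Optional[date] = None
    network_access: bool = True              # single sign-on access tied to HR status


def enter_termination_date(emp: Employee, term_date: date, today: date) -> List[str]:
    """S06: accept the date but surface a warning when it lies in the past, so a
    backdated termination is visible to the S07 approver."""
    warnings = []
    if term_date < today:
        warnings.append(f"{emp.emp_id}: termination date {term_date} is before today ({today})")
    emp.termination_date = term_date
    return warnings


def nightly_inactivation(employees: List[Employee], today: date) -> List[str]:
    """S09 and S10: once the entered termination date is reached, flip the status
    to terminated and remove network access. Returns the ids changed this run."""
    changed = []
    for emp in employees:
        due = emp.termination_date is not None and emp.termination_date <= today
        if due and emp.status != "terminated":
            emp.status = "terminated"
            emp.network_access = False
            changed.append(emp.emp_id)
    return changed


def pay_run(employees: List[Employee], requested: Dict[str, float]) -> Tuple[Dict[str, float], List[str]]:
    """S11: disburse only to active records; amounts requested for unknown or
    terminated employees are rejected and reported instead of paid."""
    by_id = {emp.emp_id: emp for emp in employees}
    paid, rejected = {}, []
    for emp_id, amount in requested.items():
        emp = by_id.get(emp_id)
        if emp is None or emp.status == "terminated":
            rejected.append(emp_id)
        else:
            paid[emp_id] = amount
    return paid, rejected


def reconcile_terminations(hr_register: Dict[str, date], employees: List[Employee]) -> Dict[str, List[str]]:
    """Monthly reconciliation: HR's external register of notified terminations
    against termination dates held in the system."""
    system = {emp.emp_id: emp.termination_date for emp in employees if emp.termination_date}
    common = set(hr_register) & set(system)
    return {
        "notified_not_in_system": sorted(set(hr_register) - set(system)),
        "in_system_not_notified": sorted(set(system) - set(hr_register)),
        "date_mismatch": sorted(i for i in common if hr_register[i] != system[i]),
    }


def demo(today: date = date(2011, 3, 31)):
    """Constructed scenario: one backdated termination, one future-dated one,
    and an HR register that disagrees with the system in two places."""
    staff = [Employee("E2001", "Carol Diaz"), Employee("E2002", "Dan Evans"), Employee("E2003", "Eve Ford")]
    warnings = enter_termination_date(staff[0], date(2011, 3, 4), today)     # backdated: warning
    warnings += enter_termination_date(staff[1], date(2011, 4, 15), today)   # future: no warning
    changed = nightly_inactivation(staff, today)                              # only E2001 is due
    paid, rejected = pay_run(staff, {"E2001": 3100.0, "E2002": 2900.0, "E2003": 3000.0})
    register = {"E2001": date(2011, 3, 4), "E2002": date(2011, 4, 14), "E2004": date(2011, 3, 20)}
    recon = reconcile_terminations(register, staff)
    return {"warnings": warnings, "changed": changed, "paid": paid, "rejected": rejected,
            "recon": recon, "access": {e.emp_id: e.network_access for e in staff}}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pay-run gate keys off the status flag that the nightly batch sets, which is exactly the dependency R303 describes: if the batch never runs or the date was never entered, the gate has nothing to act on, so the reconciliation report (notified but absent from the system, or present with a different date) is the detective control that backs up the preventive ones.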
Chapter 4. Payroll processing and administration
Key control objectives 41
Legislative and compliance considerations 42
Time reporting 43
Payroll accounting 47
Feature article: Implementing self-service functionality 55
Chapter 4. Payroll processing and administration
This chapter discusses risks and controls relative to the accuracy and completeness of payroll processing and includes HR activities related to time recording and payroll accounting. Extensive reference is made to legislation related to payroll deductions and superannuation. The feature article discusses implementing self-service functionality.
Payroll processing and administration is highly dependent on a number of inter-linking functions and activities:
Accuracy: the payroll calculation will only be accurate if using complete and accurate master data (see the HR and payroll data management and Workforce management chapters for discussion on risks and controls related to obtaining and managing HR data).
Completeness: the payroll processing will only be accurate if employee time and leave requests have been correctly captured and all deductions have been properly processed.
Key control objectives
Control objective: Accurately process employee payroll for each pay period.
Risks mitigated: R405: Payroll calculation is inaccurate or incomplete.
Control objective: Gross pay and deductions are accurately calculated and only applicable deductions are processed.
Risks mitigated:
R406: Statutory obligations for payment of taxation are breached.
R407: Breach of legislative requirements relating to superannuation.
R408: Salary sacrifice arrangements are not appropriately managed.
Additional payment