Audit and Assurance


HR Auditing.

  • 1.  HR Auditing.

    Posted 27 days ago
    Edited by Mohd Aidil Mohd Harith 27 days ago
    I am about to embark on an HR audit that includes data analytics. Is there a good HR audit work program I can use? I am not sure where to start, though.

    I have obtained the database schema from the HR system just to see what kind of data I can extract and perform an ACL analysis on. Currently the HR system and its database are 100% managed by HR. The IT department has no access to the HR system (including the database) due to the very sensitive data in it (e.g. payroll). If there is a problem with the system, HR communicates directly with the vendor. Is this an issue?

    How do I start with the data analytics? I plan to extract data like employee ID, name, position, gender, KPI rating, bonus and salary, so I can check whether there are duplicate records, bonuses given to employees who did not perform, salaries that are too high for an employee in a lower position, etc.

    Let me know if you can suggest more.

    Thank you.
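    The three checks the question lists (duplicate records, bonuses paid despite a low KPI rating, salaries outside the range for the position) can be run as plain queries over the extracted columns. The following is an added example, not code from the thread or from any HR product: it loads a small constructed extract into an in-memory SQLite table and runs each test as SQL, the same way the tests would be written in ACL or another analytics tool. The salary bands and the KPI threshold are assumed policy values; in a real audit they come from management's approved grading and bonus policy.

```python
import sqlite3

# Constructed sample extract: (employee_id, name, position, gender, kpi_rating, bonus, salary).
# Invented rows for the example; the comments mark the anomalies planted in them.
SAMPLE_ROWS = [
    (1001, "A. Rahman", "Analyst", "M", 4, 3000.0, 48000.0),
    (1002, "B. Tan",    "Analyst", "F", 2, 2500.0, 46000.0),   # bonus despite KPI below threshold
    (1003, "C. Lim",    "Manager", "F", 5, 8000.0, 95000.0),
    (1003, "C. Lim",    "Manager", "F", 5, 8000.0, 95000.0),   # exact duplicate record
    (1004, "D. Wong",   "Clerk",   "M", 3, 1000.0, 70000.0),   # salary above the Clerk band
    (1005, "E. Singh",  "Clerk",   "M", 3,    0.0, 30000.0),
    (1006, "D. Wong",   "Analyst", "M", 4, 2000.0, 47000.0),   # same name, different ID
]

# Assumed salary bands per position (min, max); take these from the grading policy in practice.
SALARY_BANDS = [
    ("Clerk",   25000.0,  40000.0),
    ("Analyst", 40000.0,  60000.0),
    ("Manager", 80000.0, 120000.0),
]

KPI_BONUS_THRESHOLD = 3  # assumed policy: no bonus for a rating below this value


def load_extract(rows=SAMPLE_ROWS, bands=SALARY_BANDS):
    """Load the extract and the policy bands into an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE employee (
        employee_id INTEGER, name TEXT, position TEXT, gender TEXT,
        kpi_rating INTEGER, bonus REAL, salary REAL)""")
    con.execute("CREATE TABLE salary_band (position TEXT, min_salary REAL, max_salary REAL)")
    con.executemany("INSERT INTO employee VALUES (?,?,?,?,?,?,?)", rows)
    con.executemany("INSERT INTO salary_band VALUES (?,?,?)", bands)
    return con


def duplicate_employee_ids(con):
    """Employee IDs that occur more than once (exact duplicates or conflicting rows)."""
    return [r[0] for r in con.execute(
        "SELECT employee_id FROM employee GROUP BY employee_id "
        "HAVING COUNT(*) > 1 ORDER BY employee_id")]


def duplicate_names(con):
    """Same name under different IDs; not necessarily wrong, but worth a manual look."""
    return [r[0] for r in con.execute(
        "SELECT name FROM employee GROUP BY name "
        "HAVING COUNT(DISTINCT employee_id) > 1 ORDER BY name")]


def bonus_without_performance(con, threshold=KPI_BONUS_THRESHOLD):
    """Employees who received a bonus although their KPI rating is below the threshold."""
    return [r[0] for r in con.execute(
        "SELECT DISTINCT employee_id FROM employee "
        "WHERE bonus > 0 AND kpi_rating < ? ORDER BY employee_id", (threshold,))]


def salary_outside_band(con):
    """(employee_id, position, salary) for salaries outside the band of the position."""
    return [tuple(r) for r in con.execute("""
        SELECT DISTINCT e.employee_id, e.position, e.salary
        FROM employee e JOIN salary_band b ON b.position = e.position
        WHERE e.salary < b.min_salary OR e.salary > b.max_salary
        ORDER BY e.employee_id""")]


def run_all_checks(con):
    """Collect every exception list under the name of the test that produced it."""
    return {
        "duplicate_employee_ids": duplicate_employee_ids(con),
        "duplicate_names": duplicate_names(con),
        "bonus_without_performance": bonus_without_performance(con),
        "salary_outside_band": salary_outside_band(con),
    }


if __name__ == "__main__":
    for test, exceptions in run_all_checks(load_extract()).items():
        print(f"{test}: {exceptions}")
```

Each function returns the exception list rather than printing it, so the results can be written to a working paper or joined back to the source rows for follow-up. Positions that have no band row are silently excluded by the join; a real work program should add a separate test for unmapped positions.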


  • 2.  RE: HR Auditing.

    Posted 26 days ago
    Edited by David Astles 26 days ago
    Your HR database arrangement is strange and, I suggest, is a product of skewed thinking. Do you think that the HR department administering the database is more or less secure than a couple of IT people administering it? Why is it better to allow the vendor access (presumably) than staff you have chosen? The data you describe is no more sensitive than in other organisations that wouldn't do this. What other problems is this arrangement hiding (support, access management, backup, ...)? Actually, you can manage the problem of visibility by auditing accesses (do HR even know this is possible?) or by two-person working.

    What is the scope of the audit? What do you want to prove? You should normally start with an objective rather than a decision to just look at something. What about policy adherence? Data integrity is something that could be checked. What processes determine the data and what records support that? What privileges do people have? Can they change their own salaries, is there segregation of duties, two-person operation, staff rotation?

    It sounds a bit of a can of worms to be honest. Does your executive board know about this? Do you work to any information management standard? How about looking at some of the basic elements of those?

    How does this database integrate to other business processes?

    Dave

    ------------------------------
    Dr Dave
    CISO
    ------------------------------



  • 3.  RE: HR Auditing.

    Posted 25 days ago
    I agree with Dr. Dave - the exclusion of the IT group from information systems, especially those containing sensitive data and subject to various regulatory requirements, is a red flag, as is the direct control of the vendor by the business unit to the exclusion of the IT team.

    In many companies, such a system which bypasses IT controls and review is referred to as a "skunkworks" system, and is often the weakest point in the company's armor - while at the same time, containing the most valuable information assets.

    Fixing the issues need not change anything with regard to the access controls for the sensitive data. It is not necessary to give IT roles permission to read, etc., the data in order to give IT the ability to administer, monitor and manage the systems, and to manage the vendor. In fact, if IT (and the InfoSec teams) had been involved in the system design/RFP from the start, separation of duties, including ACLs denying data access to accounts in roles that have administrative privileges, would likely have been required (and is something to look for).

    Jim

    ------------------------------------

    Jim Scardelis, CISA, CISSP, PCI 3DS, PCIP, CIPP/US, CIPP/C, CIPP/E, CIPT, MCSE

    Senior Security Consultant, North America RMG PCI Services
    Payment Software Company (PSC), part of NCC Group

    email: jscardelis@paysw.com | web: www.paysw.com
    tel. +1.408.228.0961 x140 | mobile +1.425.766.1897 | fax +1.408.340.5433

    Any views or opinions contained in this communication are solely those of the author, and do not necessarily represent those of any organizations or entities the author may be associated with.


  • 4.  RE: HR Auditing.

    Posted 24 days ago

    As I read it, I assume that your HR system is probably hosted in a third-party DC or a cloud system like ADP, which provides access to reports. So if you need to audit it, a cloud audit approach should be used, and it is good to know the DB server they use. In that case you may need to request a few DB tables (employee tables) from the department to do the analytics manually. If that is not possible, the best method in a similar scenario is to ask for access to the reporting server, or to use Power BI or a similar business intelligence tool and connect to the database in order to create the reports you may need. Mostly, access can be obtained based on the SLA with the service provider. Hope this helps to move forward.

    ------------------------------
    Rajesh Cherian
    IS Consultant (CISM|ITIL)
    ------------------------------



  • 5.  RE: HR Auditing.

    Posted 24 days ago
    Hi,

    First you need to define the objective and scope of the audit work. Also, it is a good approach to have an integrated audit by understanding the HR procedure and identifying which processes are automated and which are manual.

    Specific SoD checks need to be verified with regard to employee salary updates and the payroll run. They should not be done by the same user.

    Check whether a grading policy is set by management and whether it is implemented in the system. If yes, do negative testing to see whether a salary above the grade range, including allowances, is accepted for an employee. If the system accepts it, that is an issue.

    Now, if it is SAP then there is a different set of controls to test for HR, and the same applies to Oracle HRMS.

    Considering the ownership of the HR system, it should be with IT. If it is Oracle HRMS or SAP, then a functional consultant within the department is OK, but technical capabilities should be with IT (infra support), and audit logs and their management with information security.

    I hope this will be helpful.

    Kind regards

    ------------------------------
    Ozair Nagina
    Senior Internal Auditor
    ------------------------------
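    Two of the control points raised in this thread, the segregation-of-duties check between salary updates and payroll runs (this reply) and the earlier question of whether users can change their own salaries and whether accesses are audited (Dr Dave's reply), can both be tested from the HR application's audit log once the auditor has it. The following is an added example, not code from any poster or from SAP/Oracle HRMS: it parses a constructed log in an invented key=value format, lists users who performed both a salary update and a payroll run, and lists salary updates where the acting user's own employee ID is the target. The log format and the user-to-employee mapping are assumptions; a real system's log fields come from the vendor documentation and the mapping from the identity or HR master data.

```python
import re
from collections import defaultdict

# Constructed sample of an HR application audit log (invented format for this example).
SAMPLE_LOG = """\
2024-03-01T09:12:00 user=hr_clerk1 action=SALARY_UPDATE target=1004 old=42000 new=70000
2024-03-01T09:40:00 user=hr_clerk1 action=PAYROLL_RUN period=2024-03
2024-03-02T10:05:00 user=hr_admin action=SALARY_UPDATE target=1002 old=45000 new=46000
2024-03-02T11:00:00 user=payroll_ops action=PAYROLL_RUN period=2024-03
2024-03-03T08:30:00 user=hr_clerk2 action=SALARY_UPDATE target=1007 old=38000 new=41000
2024-03-03T08:31:00 user=hr_clerk2 action=LOGIN
"""

# Assumed mapping from application user to that user's own employee ID.
USER_TO_EMPLOYEE = {"hr_clerk1": 1001, "hr_admin": 1003, "payroll_ops": 1009, "hr_clerk2": 1007}

# One line: timestamp, user=, action=, then optional key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)(?P<rest>.*)$")


def parse_audit_log(text):
    """Turn the log text into a list of event dicts; numeric values become ints."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real audit would count and report these
        ev = {"ts": m["ts"], "user": m["user"], "action": m["action"]}
        for key, val in re.findall(r"(\w+)=(\S+)", m["rest"]):
            ev[key] = int(val) if val.isdigit() else val
        events.append(ev)
    return events


def sod_conflicts(events):
    """Users who both updated a salary and ran payroll anywhere in the log."""
    actions_by_user = defaultdict(set)
    for ev in events:
        actions_by_user[ev["user"]].add(ev["action"])
    return sorted(u for u, acts in actions_by_user.items()
                  if {"SALARY_UPDATE", "PAYROLL_RUN"} <= acts)


def self_updates(events, user_to_employee):
    """(user, employee_id) pairs where a user changed the salary on their own record."""
    return sorted((ev["user"], ev["target"]) for ev in events
                  if ev["action"] == "SALARY_UPDATE"
                  and user_to_employee.get(ev["user"]) == ev.get("target"))


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print("SoD conflicts:", sod_conflicts(evs))
    print("Self-updates:", self_updates(evs, USER_TO_EMPLOYEE))
```

The SoD test is deliberately period-agnostic: a user who updates salaries in one month and runs payroll in another still has both privileges, which is the underlying control weakness. Restrict the events to one payroll period first if the audit objective is to find actual misuse rather than excessive access.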