Tracking of payrates modifications in SAP



  • Hello,
    I am looking for a detective control in SAP that would work as an exception report listing all the modifications done in the employees masterfile during a certain period of time:

    • Employee payrates
    • Employee deductions
    • Employee status,…
      Do you know if it is possible in SAP?
      Thanks


  • Of course it’s possible.
    It is standard functionality within the PA or PD audit log depending on which particular master data you’re interested in.



  • OK, why break the habit of a lifetime, I’ll ask a stupid question.
    Why?
    Why would you have to drill down this far to gain SOX assurance? Surely a nice high level reasonableness check would identify any material errors in a low risk area?



  • We’ve got the same control in our company…
    Yes, I probably could have argued that it was immaterial in a SOX perspective, but it’s still a part of our internal controls to make sure there are no unauthorised changes to the payroll data.



  • I tried to argue the fact that if material errors occur, it would be caught during the approval of the payroll register but our internal and external auditors approached it in a different way:
    ‘As the payrates are used every week for at least 100 employees, even an immaterial error could become large at the end of the year’. It would do the pile-up effect and become material over time.
    For SOX, it is true that it goes far but as internal control, it is not that bad.
    Thanks for the tip Denis



  • OK, why break the habit of a lifetime, I’ll ask a stupid question.
    Why?
    Why would you have to drill down this far to gain SOX assurance? Surely a nice high level reasonableness check would identify any material errors in a low risk area?
    Why?
    Because an effectively designed process will have an appropriate balance of prevent and detect controls. It may be that you focus your testing on the detect controls but the prevent controls should also be there.



  • Agreed but

    1. Given the high volume of low value payments would this not be a low risk of material error and therefore not need extensive work?
    2. Would not the controls over delegated authority/access be sufficient in such circumstance to serve as preventative controls rather than to drill into the specifics themselves? That coupled with detective high level reviews would give you all the assurances you need that a material error could not occur.


  • Agreed but

    1. Given the high volume of low value payments would this not be a low risk of material error and therefore not need extensive work?
      Agreed
    2. Would not the controls over delegated authority/access be sufficient in such circumstance to serve as preventative controls rather than to drill into the specifics themselves? That coupled with detective high level reviews would give you all the assurances you need that a material error could not occur
      You are right, in the majority of cases.
      However, there are circumstances where more work might be appropriate i.e. where specific risks exist within the process or there have been particular problems/errors in the past or perhaps where the team is too small to allow adequate segregation of duties.
      Horses for courses.


  • I do agree with you Denis.
    Sometimes though it just seems to me that those of us trying to enforce SOX compliance do not kick back enough on the internal/external auditors' demands and make them justify their comments. All too often the key controls they identify seem to focus on operational/business risk rather than SOX risk coupled with a failure to contextualise in terms of materiality. I have found this aggressive and proactive approach has significantly reduced the level of work needed to ensure SOX compliance.



  • During FY06 I started employing a much more aggressive approach with the auditors as I was working with them on a daily basis. It has also resulted in much less tedious controls being implemented simply to catch non-material FS impacting items.




