Cisa & cism people soft audit plans ic qs

Information Systems Audit and Control Association (www.isaca.org)
Security, Audit and Control Features PeopleSoft: Audit Plans and Internal Control Questionnaires

Information Systems Audit and Control Association
With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association® (ISACA®) (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal™, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 35,000 professionals since inception, and the Certified Information Security Manager (CISM™) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.

IT Governance Institute®
The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Purpose of Audit Programs and Internal Control Questionnaires
One of ISACA’s goals is to ensure that educational products support member and industry information needs. Responding to member requests for useful audit programs, ISACA’s Education Board has released audit programs and internal control questionnaires for member use through K-NET. These products are developed from ITGI publications, or provided by practitioners in the field.

Control Objectives for Information and related Technology
Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and accepted standard for good information technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. The audit programs included in K-NET have been referenced to key COBIT control objectives.

Disclaimer
ITGI, ISACA and the author of this document have designed the publication primarily as an educational resource for control professionals. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. Users are cautioned not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization’s constraints, policies, practices and operational environment.
The purpose of these audit plans and internal control questionnaires (ICQs) is to provide the audit, control and security professional with a methodology for evaluating the subject matter of the IT Governance Institute publication Security, Audit and Control Features PeopleSoft®: A Technical and Risk Management Guide. They examine key issues and components that need to be considered for this topic. The review questions have been developed and reviewed with regard to COBIT. Note: The professional should customize the audit plans and ICQs to define each specific organization’s constraints, policies and practices.

The following are included here:
1. PeopleSoft Human Resources Business Cycle Audit Plan (Page 3)
2. PeopleSoft Human Resources Business Cycle Audit ICQ (Page 10)
3. PeopleSoft Payroll Business Cycle Audit Plan (Page 12)
4. PeopleSoft Payroll Business Cycle Audit ICQ (Page 25)
5. PeopleSoft Security Administration Cycle Audit Plan (Page 32)
6. PeopleSoft Security Administration Cycle Audit ICQ (Page 45)
7. COBIT® Control Objectives (Page 49)
1. PeopleSoft Human Resources Business Cycle Audit Plan

(The source table has three columns: COBIT Control Objective/Test, Documentation/Matters Arising, and COBIT References. The Documentation/Matters Arising column is left blank for the auditor’s notes; the COBIT references for each step are given in parentheses below.)

Preliminary Audit Steps

Gain an understanding of the PeopleSoft environment.

a. (COBIT: PO2, PO3, PO4, PO6, PO9, AI2, AI6, DS2, DS5, M1, M2) The same background information obtained for the PeopleSoft Application Security audit plan is required for, and relevant to, the business cycles. In particular, the following information is important:
• Determine the version and release of the PeopleSoft software implemented.
• Determine the total number of named users (for comparison with logical access security testing results).
• Determine the number of PeopleSoft instances.
• Identify the modules that are being used.
• Determine if there have been any locally developed reports or tables created by the organization.
• Obtain details of the risk assessment approach taken by the organization to identify and prioritize risks.
• Obtain copies of the organization’s key security policies and standards.
• Review outstanding audit findings, if any, from previous years.

b. (COBIT: AI1, DS5, DS6) In addition, obtain details of the following:
• The organizational model as it relates to HR activity, i.e., HR Organization Unit Structure in the PeopleSoft software and HR Organization Chart (required when evaluating the results of access security control testing)
• Interview the systems implementation team, if possible, and obtain process design documentation for HR.

Identify the significant risks and determine the key controls.

c. (COBIT: PO9, AI1, DS13) Develop a high-level process flow diagram and overall understanding of the HR processing cycle, including the following subprocesses:
• Master data maintenance
• Commencements
• Personal development
• Terminations
d. (COBIT: PO9, DS5, DS9, M2) Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the following sample testing program and chapter 4 for techniques for testing configurable controls and logical access security) in regard to the following factors:
• The controls culture of the organization
• The need to exercise judgement to determine the key controls in the process and whether the controls structure is adequate. (Any weaknesses in the control structure should be reported to executive management and resolved.)

1. Master Data Maintenance

1.1 Access to HR setup tables and master file transactions is appropriately restricted.

1.1.1 (COBIT: AI2, AI6, DS5, DS6, DS11, DS13) Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this by generating a list of users with access to the Administer Workforce, Compensate Employees, Define Business Rules and Global HR Rules menus and review their level of access by writing the following query in PeopleSoft Query Manager:

    SELECT B.OPRID, B.OPRCLASS, A.MENUNAME, A.BARNAME, A.BARITEMNAME,
           A.PNLITEMNAME, A.AUTHORIZEDACTIONS, A.DISPLAYONLY
    FROM PSAUTHITEM A, PSOPRCLS B
    WHERE A.OPRID = B.OPRCLASS
    ORDER BY B.OPRID, B.OPRCLASS, A.MENUNAME

The ORDER BY clause ensures that the user IDs (OPRID), permission lists (OPRCLASS) and components (MENUNAME) are listed in alphabetical order.

Also, generate a list of users with access to the setup pages within PeopleSoft menus and review their level of access by writing the following query in PeopleSoft Query Manager (the pattern must be quoted, and only table alias A is in scope for the ORDER BY):

    SELECT A.OPRID, A.MENUNAME, A.BARNAME, A.BARITEMNAME, A.PNLITEMNAME,
           A.DISPLAYONLY, A.AUTHORIZEDACTIONS
    FROM PSAUTHITEM A
    WHERE A.BARNAME LIKE 'SETUP%'
    ORDER BY A.OPRID

The ORDER BY clause ensures that the user IDs (OPRID) are listed in alphabetical order.
The A.AUTHORIZEDACTIONS column contains values that represent the type of actions that the user is authorized to perform, where high-risk values are:
1—Add
2—Update/Display
3—Add, Update/Display
4—Update/Display All
8—Correction
12—Update/Display All
15—Add, Update/Display, Update/Display All, Correction

Note: The A.DISPLAYONLY column will have a value of 0 or 1. A value of 1 means all fields in the page are display only to the user; 0 means this setting is turned off and the action type codes will indicate the level of access granted.

Generate a list of users and the row-level security defined by writing the following query in PeopleSoft Query Manager (OPRID comes from PS_SCRTY_TBL_DEPT, alias A):

    SELECT A.OPRID, A.DEPTID, B.SETID, B.DESCR, A.ACCESS_CD,
           A.TREE_NODE_NUM, A.TREE_NODE_NUM_END
    FROM PS_SCRTY_TBL_DEPT A, PS_DEPT_TBL B
    WHERE A.SETID = B.SETID
      AND A.DEPTID = B.DEPTID
      AND B.EFFDT = (SELECT MAX(B_ED.EFFDT)
                     FROM PS_DEPT_TBL B_ED
                     WHERE B.SETID = B_ED.SETID
                       AND B.DEPTID = B_ED.DEPTID
                       AND B_ED.EFFDT <= SYSDATE)
    ORDER BY A.OPRID, B.DESCR

The ORDER BY clause ensures that the user IDs (OPRID) and descriptions (DESCR) are listed in alphabetical order.

Select a sample of HR users and assess whether they have access to update their own human resources data (e.g., job) by observing them attempting to make such changes.

1.2 Access to make changes to employee HR master data is appropriately restricted.

1.2.1 (COBIT: PO9, AI2, AI6, DS6, DS9) Review security design documentation detailing the configured controls implemented in the system and approved by management. In particular, review the online edit and validation checks, range checks, etc. For either a sample of the edit and validation checks or for the entire population, enter changes to employee data and observe the outcome of these attempts. Organizations may be reluctant to allow auditors to have access to make test changes in the production environment. Consequently, audit tests should be performed in the test or quality assurance (QA) environment. It is important to corroborate that the configuration of controls in the test/QA environment is the same as that in the production environment.

For example, attempt to change the bank ID and branch ID of employees’ bank information via Home→Administer Workforce→Administer Workforce (Country)→Use→Bank Accounts. Change the bank ID and/or branch ID to an erroneous value and observe whether a warning message is displayed.

Attempt to change the employee’s paygroup via Home→Administer Workforce→Administer Workforce (Country)→Use→Job Data→Human Resources. Change the Paygroup field to an erroneous value and observe whether a warning message is issued.

Review the Date Last Increase field (via Home→Administer Workforce→Administer Workforce (Country)→Use→Job Data→Employment Data, at the bottom of the page) and determine whether this corresponds to the last authorized pay increase. It should be noted that not all potential pay increase scenarios impact this date change. Consequently, testing this technique may not be considered an effective audit technique on its own to identify potential unauthorized changes and should be supplemented by other testing techniques.

For example, to obtain a sample of employees, generate a compensation history by writing the following query in Query Manager (substitute the employee ID under review for the quoted placeholder):

    SELECT JO.EFFDT, JO.ACTION, JO.ACTION_REASON, JO.ANNUAL_RT
    FROM PS_JOB JO
    WHERE JO.CHANGE_AMT <> 0
      AND JO.EMPLID = 'specific EmplID'
    ORDER BY JO.EFFDT

The ORDER BY clause ensures that the output is ordered by effective date (EFFDT). Review the compensation history and investigate the validity of the changes.

1.2.2 (COBIT: AI4, DS9, M4) Review security design documentation detailing the configured controls implemented in the system and approved by management, in particular the audit trails set up. Determine with relevant management the procedures in place for generating, reviewing and investigating audit reports showing changes to employee master data. Inspect a sample of audit trail reports for evidence of review and rectification of exception items identified.

2. Commencements

2.1 Access to the hiring process is appropriately restricted.

2.1.1 (COBIT: PO10) Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if such documentation was authorized by management prior to implementation.

2.1.2 (COBIT: DS5, DS11) Generate lists of users with access to the Administer Workforce, Develop Workforce, Recruit Workforce and Applicant Contract Data menus and review their level of access by writing the SQL query detailed in Master Data Maintenance Testing Technique 1.1.1 in PeopleSoft Query Manager.

2.2 Access to make changes to employee contract data is appropriately restricted.

2.2.1 (COBIT: AI1, DS11, DS13) Review security design documentation detailing the configured controls implemented in the system and approved by management, in particular the online edit and validation checks, range checks, etc. For either a sample of the edit and validation checks or for the entire population, enter changes to employee contract data via Home→Develop Workforce→Recruit Workforce (Country)→Use→Applicant Contract Data. Observe the success or failure of these attempts and whether a warning message is displayed.
Organizations may be reluctant to allow auditors to have the access to make test changes in the production environment. Consequently, the following audit tests should be performed in the test or QA environment. It is important to corroborate that the configuration of controls in the test/QA environment is the same as that in the production environment.

3. Personal Development

3.1 Access to career planning is appropriately restricted.

3.1.1 (COBIT: DS5, DS11) Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if such documentation was authorized by management prior to implementation. Generate lists of users with access to Career Planning via Home→Develop Workforce→Plan Careers→Use→Career Plan. Also review their level of access by writing the SQL query detailed in Master Data Maintenance Testing Technique 1.1.1 in PeopleSoft Query Manager. Select a sample of HR users and assess whether they have access to update the strengths and development area pages of their own career plans by observing them attempting to make such changes.

3.2 Access to succession planning is appropriately restricted.

3.2.1 (COBIT: PO4, PO11, AI1, AI2, DS5) Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if such documentation was authorized by management prior to implementation. Generate lists of users with access to Succession Planning via Home→Develop Workforce→Plan Successions (Country)→Use→Succession Plan. Also review their level of access by writing the SQL query detailed in Master Data Maintenance Testing Technique 1.1.1 in PeopleSoft Query Manager. Select a sample of HR users and assess whether they have access to update the succession plans by observing them attempting to make such changes.

3.3 Access to training administration is appropriately restricted.
3.3.1 (COBIT: AI2, AI4, DS5) Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if such documentation was authorized by management prior to implementation. Generate lists of users with access to Succession Planning through one of the following paths:
• Home→Develop Workforce→Administer Training (Country)→Setup→Training Program Table→Training Program Table
• Develop Workforce→Manage Competencies (Country)→Setup→Training Program Table
• Develop Workforce→Plan Careers→Setup→Training Program Table→Training Program Table
Also review their level of access by writing the SQL query detailed in Master Data Maintenance Testing Technique 1.1.1 in PeopleSoft Query Manager.

4. Terminations

4.1 Access to process terminations is appropriately restricted.

4.1.1 (COBIT: PO7, DS13) Review access security matrices and access assignment documentation to gain an understanding of the security design. Determine if such documentation was authorized by management prior to implementation.

4.1.2 (COBIT: PO7, DS5, DS11) Generate lists of users with access to terminate employees on the system via Home→Administer Workforce→Administer Workforce (Country)→Use→Job Data. Review their level of access by writing the SQL query detailed in Master Data Maintenance Testing Technique 1.1.1 in PeopleSoft Query Manager.
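The 1.1.1 queries above (and the same queries in the payroll plan below) return one PSAUTHITEM row per user, permission list and page; the reviewer still has to decode AUTHORIZEDACTIONS and DISPLAYONLY for each row. The script below is an added example, not part of the ISACA document, that does that decoding over constructed query output: it treats AUTHORIZEDACTIONS as the sum of the 1/2/4/8 action bits (which is how the page’s codes 3 and 15 compose), lets DISPLAYONLY=1 override the action codes, and flags update access on setup pages and on the menus 1.1.1 names. The MENUNAME and page spellings are assumptions for the example, not values from a live system.

```python
"""Decode exported PSAUTHITEM rows and flag high-risk page access.

Added example for the 1.1.1 access-review query; the sample rows and the
menu/page names are constructed and do not come from a real PeopleSoft system.
"""
from dataclasses import dataclass

# AUTHORIZEDACTIONS is a sum of action bits (assumption consistent with the
# page's codes: 3 = Add + Update/Display, 15 = all four actions).
ACTION_BITS = {1: "Add", 2: "Update/Display", 4: "Update/Display All", 8: "Correction"}

# Menus that test 1.1.1 says must be restricted (MENUNAME spellings assumed).
SENSITIVE_MENUS = {"ADMINISTER_WORKFORCE", "COMPENSATE_EMPLOYEES",
                   "DEFINE_BUSINESS_RULES", "GLOBAL_HR_RULES"}


@dataclass(frozen=True)
class AuthItem:
    """One row of the 1.1.1 query output."""
    oprid: str
    oprclass: str
    menuname: str
    barname: str
    baritemname: str
    pnlitemname: str
    authorizedactions: int
    displayonly: int


def decode_actions(code):
    """Return the action names encoded in an AUTHORIZEDACTIONS value."""
    if not 0 <= code <= 15:
        raise ValueError(f"AUTHORIZEDACTIONS out of range: {code}")
    return [name for bit, name in ACTION_BITS.items() if code & bit]


def effective_actions(item):
    """DISPLAYONLY=1 makes every field read-only regardless of the action code."""
    if item.displayonly == 1:
        return []
    return decode_actions(item.authorizedactions)


def classify(item):
    """Return why a row is high risk, or None when it grants no update access."""
    actions = effective_actions(item)
    if not actions:
        return None
    if item.barname.upper().startswith("SETUP"):      # matches LIKE 'SETUP%'
        return "setup page: " + ", ".join(actions)
    if item.menuname.upper() in SENSITIVE_MENUS:
        return "restricted menu: " + ", ".join(actions)
    if "Correction" in actions:                        # edits effective-dated history
        return "correction mode: " + ", ".join(actions)
    return None


def review(items):
    """Group flagged pages by (OPRID, OPRCLASS) for the security matrix comparison."""
    findings = {}
    for item in items:
        reason = classify(item)
        if reason:
            findings.setdefault((item.oprid, item.oprclass), []).append(
                (item.menuname, item.pnlitemname, reason))
    return findings


# Constructed sample output of the 1.1.1 query (not real data).
SAMPLE = [
    AuthItem("HRADMIN", "HRADMIN_PL", "ADMINISTER_WORKFORCE", "USE", "JOB_DATA", "JOB_DATA1", 15, 0),
    AuthItem("HRADMIN", "HRADMIN_PL", "DEFINE_BUSINESS_RULES", "SETUP", "LOCATION_TABLE", "LOCATION_TBL", 3, 0),
    AuthItem("JSMITH", "HR_INQUIRY", "ADMINISTER_WORKFORCE", "USE", "JOB_DATA", "JOB_DATA1", 3, 1),
    AuthItem("JSMITH", "HR_INQUIRY", "REPORT_MENU", "REPORT", "HEADCOUNT", "HEADCOUNT_RPT", 2, 0),
    AuthItem("PAYCLERK", "PAY_CLERK_PL", "COMPENSATE_EMPLOYEES", "USE", "PAYSHEET", "PAYSHEET1", 12, 0),
]

if __name__ == "__main__":
    for (oprid, oprclass), pages in sorted(review(SAMPLE).items()):
        print(f"{oprid} ({oprclass}):")
        for menu, page, reason in pages:
            print(f"  {menu}/{page}: {reason}")
```

JSMITH’s JOB_DATA row is not reported because DISPLAYONLY=1 overrides its action code of 3, which is the check a reviewer reading only AUTHORIZEDACTIONS would miss.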
2. PeopleSoft Human Resources Cycle Internal Control Questionnaire

(The source table has columns Control Objective/Question, Response (Yes/No/N/A), Comment and COBIT Reference. The Response and Comment columns are left blank for the reviewer; COBIT references are given in parentheses.)

1. Master Data Maintenance

1.1 Access to HR setup tables and master file transactions is appropriately restricted.

1.1.1 (COBIT: PO7, DS5, DS11) Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for human resources? Who has access to define business rules and administration of employee human resources data? Are these users appropriate? Who has access to add/correct/update access to Define Business Rules? This should be restricted to the human resources administrator.

1.2 Access to make changes to employee HR master data is appropriately restricted.

1.2.1 (COBIT: DS11) Have edit and validation checks been implemented to ensure valid data changes? What type of edit and validation checks are in place? Who has access to make changes to the employee HR master data? Are these users appropriate?

1.2.2 (COBIT: DS13, M1) Are audit logs of changes to employee master data reviewed by management on a periodic basis?

2. Commencements

2.1 Access to the hiring process is appropriately restricted.

2.1.1 (COBIT: PO7, DS5, DS4) Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for HR? Has this documentation been reviewed and approved by management prior to implementation?

2.1.2 (COBIT: PO4, DS4) Who has access to the function to hire employees and maintain employee contract information? Are these users appropriate and has segregation of duties been considered?
2.2 Access to make changes to employee contract data is appropriately restricted.

2.2.1 (COBIT: PO4, AI2, DS9) Has the security design documentation detailed the configured controls in the system? Was this documentation approved by management? What types of edit and validation checks are in place?

3. Personal Development

3.1 Access to career planning is appropriately restricted.

3.1.1 (COBIT: PO7, AI4, M1) Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for HR? Has this documentation been reviewed and approved by management prior to implementation?

3.1.2 (COBIT: DS5) Who has access to maintain the employee strengths and development areas as part of an employee’s career plan? Are these users appropriate HR personnel?

3.2 Access to succession planning is appropriately restricted.

3.2.1 (COBIT: PO7) Who has access to succession planning? Are these users appropriate HR personnel?

3.3 Access to training administration is appropriately restricted.

3.3.1 (COBIT: PO7, DS5, DS11) Who has access to maintain the training course table? Are these users appropriate HR personnel?

4. Terminations

4.1 Access to process terminations is appropriately restricted.

4.1.1 (COBIT: PO7, PO8) Are there security matrices and documentation in place that define roles, permission lists, menus and pages per job function for HR? Has this documentation been reviewed and approved by management prior to implementation?

4.1.2 (COBIT: PO7, DS5) Who has access to the terminations process? Are these users appropriate HR personnel?
3. PeopleSoft Payroll Business Cycle Audit Plan

(As in the HR audit plan, the Documentation/Matters Arising column of the source table is left blank for the auditor’s notes; COBIT references are given in parentheses.)

Preliminary Audit Steps

Gain an understanding of the PeopleSoft environment.

a. (COBIT: PO2, PO3, PO4, PO6, PO9, AI1, AI2, AI6, M2) The same background information obtained for the PeopleSoft Application Security audit plan is required for, and relevant to, the business cycles. In particular, the following information is important:
• Determine what version and release of the PeopleSoft software has been implemented.
• Determine the total number of named users (for comparison with logical access security testing results).
• Determine the number of PeopleSoft instances.
• Identify the modules that are being used.
• Determine whether the organization has created any locally developed reports or tables.
• Obtain details of the risk assessment approach taken in the organization to identify and prioritize risks.
• Obtain copies of the organization’s key security policies and standards.
• Review outstanding audit findings, if any, from previous years.

b. (COBIT: AI1, AI3) Obtain details of the following:
• The organizational model as it relates to payroll activity, i.e., payroll organization unit structure in the PeopleSoft software and payroll organization chart (required when evaluating the results of access security control testing).
• Interview the systems implementation team, if possible, and obtain process design documentation for payrolls.

Identify the significant risks and determine the key controls.

c. (COBIT: PO9, AI1, DS13) Develop a high-level process flow diagram and overall understanding of the payroll processing cycle, including the following subprocesses:
• Master Data Maintenance
• Recording Attendance and Leave Processing Risks
• Calculating and Disbursing Payroll
• Reporting and Reconciliation
d. (COBIT: PO9, DS5, DS9, M2) Assess the key risks, determine key controls or control weaknesses and test controls (refer to the following sample testing program and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
• The controls culture of the organization
• The need to exercise judgement to determine the key controls in the process and whether the controls structure is adequate. (Any weaknesses in the control structure should be reported to executive management and resolved.)

1. Master Data Maintenance

1.1 Access to payroll setup tables and master file transactions is restricted appropriately.

1.1.1 (COBIT: AI2, AI6, DS5, DS6, DS11, DS13) Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the Administer Workforce, Compensate Employees, Define Business Rules and Global Payroll Rules menus and reviewing their level of access by writing the following query in PeopleSoft Query Manager:

    SELECT B.OPRID, B.OPRCLASS, A.MENUNAME, A.BARNAME, A.BARITEMNAME,
           A.PNLITEMNAME, A.AUTHORIZEDACTIONS, A.DISPLAYONLY
    FROM PSAUTHITEM A, PSOPRCLS B
    WHERE A.OPRID = B.OPRCLASS
    ORDER BY B.OPRID, B.OPRCLASS, A.MENUNAME

The ORDER BY clause ensures that the user IDs (OPRID), permission lists (OPRCLASS) and components (MENUNAME) are listed in alphabetical order.

Also, generate a list of users with access to the setup pages within PeopleSoft menus and review their level of access by writing the following query in PeopleSoft Query Manager. This version walks from user (PSOPRDEFN) through role (PSROLEUSER, PSROLECLASS) to permission list (PSAUTHITEM) and excludes locked accounts (ACCTLOCK); the source used the Microsoft Access wildcard "*setup*", which is written here with the standard SQL % wildcard:

    SELECT PSOPRDEFN.OPRID, PSOPRDEFN.OPRDEFNDESC, PSROLEUSER.ROLENAME,
           PSROLECLASS.CLASSID, PSAUTHITEM.MENUNAME, PSAUTHITEM.BARNAME,
           PSAUTHITEM.BARITEMNAME, PSAUTHITEM.PNLITEMNAME,
           PSAUTHITEM.DISPLAYONLY, PSAUTHITEM.AUTHORIZEDACTIONS
    FROM PSAUTHITEM
         INNER JOIN ((PSROLEUSER
                      INNER JOIN PSOPRDEFN ON PSROLEUSER.ROLEUSER = PSOPRDEFN.OPRID)
                     INNER JOIN PSROLECLASS ON PSROLEUSER.ROLENAME = PSROLECLASS.ROLENAME)
         ON PSAUTHITEM.CLASSID = PSROLECLASS.CLASSID
    WHERE UPPER(PSAUTHITEM.BARNAME) LIKE '%SETUP%'
      AND PSOPRDEFN.ACCTLOCK <> 1
    ORDER BY PSOPRDEFN.OPRID

The A.AUTHORIZEDACTIONS column contains values that represent the type of actions (action types) that the user is authorized to perform, where high-risk values are:
1—Add
2—Update/Display
3—Add, Update/Display
4—Update/Display All
8—Correction
12—Update/Display All
15—Add, Update/Display, Update/Display All, Correction

Note: The A.DISPLAYONLY column will have a value of 0 or 1. A value of 1 means all fields in the page are display only to the user; 0 means this setting is turned off and the action type codes will indicate the level of access granted.

Generate a list of users and the row-level security defined by writing the following query in PeopleSoft Query Manager (OPRID comes from PS_SCRTY_TBL_DEPT, alias A):

    SELECT A.OPRID, A.DEPTID, B.SETID, B.DESCR, A.ACCESS_CD,
           A.TREE_NODE_NUM, A.TREE_NODE_NUM_END
    FROM PS_SCRTY_TBL_DEPT A, PS_DEPT_TBL B
    WHERE A.SETID = B.SETID
      AND A.DEPTID = B.DEPTID
      AND B.EFFDT = (SELECT MAX(B_ED.EFFDT)
                     FROM PS_DEPT_TBL B_ED
                     WHERE B.SETID = B_ED.SETID
                       AND B.DEPTID = B_ED.DEPTID
                       AND B_ED.EFFDT <= SYSDATE)
    ORDER BY A.OPRID, B.DESCR

The ORDER BY clause ensures that the user IDs (OPRID) and descriptions (DESCR) are listed in alphabetical order.

Select a sample of payroll users and assess whether they have access to update their own payroll data (e.g., salary, job) by observing them attempting to make such changes.

1.2 Access to make changes to payroll setup tables is restricted appropriately.

1.2.1 (COBIT: AI3, AI6) Review security design documentation detailing the configured controls implemented in the system and approved by management. In particular, check the configuration controls defined for the mandatory fields in payroll table data entry. Observe a system administrator delete one of the mandatory fields and attempt to save the change. Observe if a warning/error message is displayed.

1.3 Access to make changes to employee payroll master data is restricted appropriately.

1.3.1 (COBIT: AI5, AI6, DS5, DS9, DS11) Review security design documentation detailing the configured controls implemented in the system and approved by management, in particular the online edit and validation checks, range checks, etc. For either a sample of the edit and validation checks or for the entire population, enter changes to employee data and observe the success or failure of these attempts.

For example, attempt to change the bank ID and branch ID of an employee’s bank information (via Home→Administer Workforce→Administer Workforce (Country)→Use→Bank Accounts). Change the bank ID and/or branch ID to an erroneous value and observe whether a warning message is displayed.

Attempt to change the employee’s paygroup (via Home→Administer Workforce→Administer Workforce (Country)→Use→Job Data→Payroll). Change the paygroup field to an erroneous value and observe whether a warning message is issued.
Review the Date Last Increase field (via Home→Administer Workforce→Administer Workforce (Country)→Use→Job Data→Employment Data, at the bottom of the page) and determine whether this corresponds to the last authorized pay increase. It should be noted that not all potential pay increase scenarios impact this date change.

Organizations may be reluctant to allow auditors to have access to make test changes in the production environment. Consequently, the following audit tests should be performed in the test or QA environment. It is important to corroborate that the configuration of controls in the test/QA environment is the same as that in the production environment.

For a sample of employees, generate a compensation history by writing the following query in Query Manager. It is written in SQL Server syntax (CONVERT, GETDATE), restricts the result to rows visible to the DPALL row-security class, and keeps only the current effective-dated row and sequence for each employee record; substitute the employee ID under review for the ?????? placeholder:

    SELECT A.EMPLID, CONVERT(CHAR(10), A.EFFDT, 121), A.ACTION,
           A.ACTION_REASON, A.ANNUAL_RT
    FROM PS_JOB A, PS_EMPLMT_SRCH_QRY A1
    WHERE A.EMPLID = A1.EMPLID
      AND A.EMPL_RCD = A1.EMPL_RCD
      AND A1.ROWSECCLASS = 'DPALL'
      AND (A.EFFDT = (SELECT MAX(A_ED.EFFDT)
                      FROM PS_JOB A_ED
                      WHERE A.EMPLID = A_ED.EMPLID
                        AND A.EMPL_RCD = A_ED.EMPL_RCD
                        AND A_ED.EFFDT <= SUBSTRING(CONVERT(CHAR, GETDATE(), 121), 1, 10))
           AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ)
                           FROM PS_JOB A_ES
                           WHERE A.EMPLID = A_ES.EMPLID
                             AND A.EMPL_RCD = A_ES.EMPL_RCD
                             AND A.EFFDT = A_ES.EFFDT))
      AND A.CHANGE_AMT <> 0
      AND A.EMPLID = ??????

Review the compensation history and investigate the validity of the changes.

1.3.2 (COBIT: AI1, AI4, DS9) Review security design documentation detailing the configured controls implemented in the system and approved by management, in particular the audit trails set up. Determine with relevant management the procedures in place for generating, reviewing and investigating audit reports showing changes to employee master data. Inspect a sample of audit trail reports for evidence of review and rectification of identified exception items.

1.4 Online edit and validation checks and range checks are configured in the system.

1.4.1 (COBIT: AI2, DS11) Review security design documentation detailing the configured controls implemented in the system and approved by management. In particular, review the online edit and validation checks, range checks, etc. For a sample of employee data or for the entire population, enter changes to employee data, test for edit and validation checks and observe the success or failure of these attempts.

1.5 Edit and validation checks are in place for maximum and minimum salary.

1.5.1 (COBIT: AI2, DS5, DS11) Review security design documentation detailing the configured controls implemented in the system and approved by management. In particular, review the online edit and validation checks, range checks, etc. Corroborate this understanding by inspecting the Salary Increase Matrix tables (via Home→Administer Workforce→Setup→Salary Increase Matrix Table) and compare the limits configured to those defined in the security design documentation. For a sample of the salary plans, enter changes to compensation rates for employees enrolled in those plans and observe the outcome of these attempts.

2. Recording Attendance and Leave Processing

2.1 Access to record attendance is restricted appropriately.

2.1.1 (COBIT: AI2, DS11) Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the menus used to enter time:
• Home→Administer Workforce→Capture Time and Labor→Use→Rapid Entry
• Home→Self Service→Employee→Tasks→Weekly Punch Time
Review their level of access by writing the SQL query detailed in 1.1.1 (under Master Data Maintenance Testing Techniques) in PeopleSoft Query Manager.

2.2 Access to process leave is restricted appropriately.

2.2.1 (COBIT: DS5, DS10, DS13, M1) Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the following pages:
• Enter and approve leave (or vacation) requests: Home→Administer Workforce→Monitor Absence (GBL)→Use→Vacation Request
• Self-service absence request: Home→Self Service→Employee→Task→Absence History→New Absence Request
• Self-service absence approval: Home→Self Service→Manager→Task→Approve Absence Request
Review their level of access by utilizing the query in PeopleSoft detailed in test 1.1.1 (Master Data Maintenance Testing Techniques).

2.3 Attendance submitted is valid and approved.

2.3.1 (COBIT: DS1, DS3) Review business process documentation to determine the procedures in place for submitting and approving time and attendance. Corroborate this understanding by observing the submission and approval process of time reporter attendance. Review the workgroup settings (via Home→Define Business Rules→Define Time and Labor→Setup 1→Workgroup) and determine whether the workgroup timesheets are set to Needs Approval.

2.4 Valid time worked is processed on a timely basis.

2.4.1 (COBIT: AI1) Review business process documentation to determine the procedures in place for submitting and approving time and attendance, and the timetable in place to run the time administration batch process.
2.4.2 Review business process documentation to determine the procedures in place for identifying and rectifying time and attendance exceptions. Corroborate this understanding by reviewing the Manage Time pages for a sample of time exception reports (via Home > Administer Workforce > Capture Time and Labor > Manage > Manage Exceptions) to ensure that no exceptions were left unresolved.
COBIT references: AI1, AI4, DS3

2.5 Leave requests are valid and approved.

2.5.1 Review business process documentation to determine the procedures in place for the submission and approval of leaves of absence. Corroborate this understanding by observing the submission and approval of vacation and general leave requests.
COBIT references: AI1, AI4

2.5.2 Create a dummy leave request (via Home > Administer Workforce > Monitor Absence (GBL) > Use > Vacation Request) and attempt to enter a fictitious leave code. Observe the success or failure of the result.
COBIT references: DS5, DS11

2.5.3 Create a dummy leave request (via Home > Administer Workforce > Monitor Absence (GBL) > Use > Vacation Request), attempt to enter a leave period greater than the available leave balance, and observe the outcome of the result. Note: Ensure that the vacation accrual run has been processed beforehand to update the leave accrual.
COBIT references: DS5, DS11

2.5.4 Determine the processes and procedures in place over employees taking leave without pay. If a notional salary is entered into the system during the period of leave, corroborate this by inspecting the employee's salary records. Alternatively, review audit logs of changes to employee records.
COBIT references: DS13

3. Calculating and Disbursing Payroll

3.1 Access to payroll processing is restricted appropriately.

3.1.2 Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the following pages:
- Paysheet Creation: Home > Compensate Employees > Manage Payroll Process (Country) > Process > Paysheet
- Payroll Calculation: Home > Compensate Employees > Manage Payroll Process (Country) > Process > Pay Calculation
- Payroll Confirmation:
  - Home > Compensate Employees > Manage Payroll Process (Country) > Process > Pay Confirmation
  - Home > Compensate Employees > Manage Global Payroll Process > Process > Payroll/Absence Run Control
Review their level of access by writing the query detailed in 1.1.1 (under Master Data Maintenance Testing Techniques) in PeopleSoft Query Manager.
COBIT references: PO7, DS4, DS5

3.2 Access to online checks is restricted appropriately.

3.2.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the following page: Home > Compensate Employees > Manage Payroll Process (Country) > Online Check/Cheque. Review their level of access by writing the query detailed in 1.1.1 (under Master Data Maintenance Testing Techniques) in PeopleSoft Query Manager.
COBIT references: DS11, DS13, M1

3.3 Access to the banking process is restricted appropriately.

3.3.1 Review access security matrices and access assignment documentation to gain an understanding of the security design of any bank transfer/interface application software utilized. Corroborate this understanding via inquiries with the payroll manager and/or payroll administrator. Determine any additional security controls over the bank transfer/interface application; for example, in addition to user IDs and passwords, the use of one-time personal identification numbers (PINs). Corroborate this understanding via observation of the payment file transfer process. Review the system-generated access control listing to determine the appropriateness of access compared with the roles and responsibilities of the individual users. Review a sample of security audit trail reports for evidence of independent review and investigation.
COBIT references: PO11, DS5

3.4 Discrepancies and exceptions are reviewed and corrected.

3.4.1 Review approved payroll processing procedures and security design documentation to gain an understanding of the procedures surrounding the payroll processes. Interview payroll administration staff to determine the audit evidence available for inspection. Select a sample of payruns and review the associated Payroll Error Message for Employees Report (PAY011) for evidence of investigation and rectification. Determine whether the Payroll Pre-calculation Audit SQR (PAY035) has been run and reviewed for each payrun prior to the payroll calculation stage.
COBIT references: PO6, AI6, DS5, M1

3.5 Edit and validation rules are in place to identify errors in the payroll.

3.5.1 Review approved payroll processing procedures and security design documentation to gain an understanding of the procedures surrounding the payroll processes. Interview payroll administration staff to determine the audit evidence available for inspection. Select a sample of payruns and review the associated Payroll Error Message for Employees Report (PAY011) for evidence of investigation and rectification.
COBIT references: AI4, M1

3.6 Payroll runs are reviewed and approved by the payroll administrator/manager.

3.6.1 Review approved payroll processing procedures and security design documentation to gain an understanding of the procedures surrounding the payroll processes. Interview payroll administration staff to determine the audit evidence available for inspection. Where possible, select a sample of payruns and determine whether the payroll administrator or payroll manager reviewed and approved the following, prior to the final processing of the payment file:
- General deductions by recipient
- Individual deductions by recipient
- Employee net pay
COBIT references: DS1, DS3

3.7 Interface controls are in place for electronic funds transfer (EFT).
3.7.1 Review approved payroll processing procedures documentation to gain an understanding of the procedures surrounding the payroll processes. Specifically, review the mechanisms in place surrounding the transfer of PeopleSoft payment files to the bank, including the encryption of the payment file. Corroborate this understanding via inquiries with the payroll administrator and manager. For a sample of payruns, review the payment files for the existence of header and trailer records. Review any associated positive acknowledgement reports/messages from the bank and compare the number of records and monetary amounts to the payment file. Review any reconciliations performed between the payment files generated by the organization and the files received and processed by the bank for evidence of independent review and investigation of any reconciling items. Inspect the contents of the payment file to determine whether the data are encrypted prior to transmission or remain in a cleartext format.
COBIT references: DS11, DS13, M1

3.7.2 Review approved payroll processing procedures documentation to gain an understanding of the procedures surrounding the payroll processes. Specifically, review the mechanisms in place surrounding the transfer of PeopleSoft payment files to the bank and the storage of the payment files, if there is a time delay between the payroll finalization in PeopleSoft and the transfer/interface with the bank systems. Corroborate this understanding via inquiries with the payroll administrator and manager. Review the location for storage of the payment files. If this is a network directory, review whether access to the directory is restricted, check the appropriateness of the access granted and review whether it is based on the roles and responsibilities of the users with access. If the transfer of the payment files from PeopleSoft to the bank transfer/interface application is a physical transfer of a floppy disk or other medium, determine the storage location and assess whether the physical security of that location is adequate. For example, determine whether the payment file is stored in a fireproof safe/lockable cupboard, and assess who has access to the file and the appropriateness of such access.
COBIT references: DS4, DS11, DS13, M1

4. Terminations

4.1 Access to GL run control processes is restricted appropriately.

4.1.1 Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the following page: Home > Compensate Employees > Manage Global Payroll Process > Process > General Ledger Run Control. Review their level of access by writing the query detailed in 1.1.1 (under Master Data Maintenance Testing Techniques) in PeopleSoft Query Manager.
COBIT references: DS5, M1

4.2 Access to PeopleSoft reporting is restricted appropriately.

4.2.1 Review payroll procedural documentation, access security matrices and access assignment documentation to gain an understanding of the key payroll reports available and generated, as well as the security design around such reports. Corroborate this understanding by generating lists of users with access to Home > Compensate Employees > Manage Payroll Process > Reports 1 and 2. Review their level of access by utilizing the query in PeopleSoft detailed in previous test 3.2.1.
COBIT references: DS5, DS13, M1

4.3 GL reconciliations are performed at period-ends.

4.3.1 Review period-end and payroll procedural documentation to gain an understanding of the processes surrounding the reconciliation of the payroll module and the GL. For a sample of periods, review the reconciliations for evidence of timely performance, independent review and approval, and the investigation and clearance of reconciling items. Inquire with management about the reasons for large and/or recurring reconciling items.
COBIT references: DS13

4.4 Bank reconciliations are performed at period-ends.

4.4.1 Review period-end procedural documentation to gain an understanding of the processes surrounding the reconciliation of the general ledger to the various bank statements received from the organization's source banks. For a sample of periods, review the reconciliations for evidence of timely performance, independent review and approval, and the investigation and clearance of reconciling items. Inquire with management about the reasons for large and/or recurring reconciling items.
COBIT references: PO6, DS13, M1
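The header/trailer and bank acknowledgement checks of test 3.7.1, as an added example that is not part of the ISACA audit plan and uses no real bank's file format: the record layout, the payment file and the acknowledgement are all constructed for this example.

```python
"""Added example (not from the ISACA audit plan, not a real bank format).

Runs the test 3.7.1 checks over a constructed payroll payment file: header and
trailer records must exist, the trailer's record count and total must agree
with the detail records, and both must match the bank's positive
acknowledgement.
"""
from decimal import Decimal

# Constructed record layout used only for this example:
#   H|<pay run id>|<pay date>
#   D|<employee id>|<account number>|<net pay amount>
#   T|<number of detail records>|<sum of amounts>
SAMPLE_PAYMENT_FILE = """\
H|PAYRUN-07|2023-07-28
D|EMP001|12345678|1250.00
D|EMP002|23456789|980.50
D|EMP003|34567890|2100.25
T|3|4330.75
"""

# Constructed positive acknowledgement as the bank might report it back.
SAMPLE_BANK_ACK = {"run_id": "PAYRUN-07", "records": 3, "total": Decimal("4330.75")}


def parse_payment_file(text):
    """Split the file into header, detail rows and trailer.

    Raises ValueError when the header or trailer control record is missing,
    because without them completeness cannot be asserted at all.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("H|"):
        raise ValueError("payment file has no header record")
    if len(lines) < 2 or not lines[-1].startswith("T|"):
        raise ValueError("payment file has no trailer record")
    _, run_id, pay_date = lines[0].split("|")
    _, count, total = lines[-1].split("|")
    details = []
    for ln in lines[1:-1]:
        tag, emp, account, amount = ln.split("|")
        if tag != "D":
            raise ValueError(f"unexpected record type {tag!r}")
        details.append({"employee": emp, "account": account, "amount": Decimal(amount)})
    header = {"run_id": run_id, "pay_date": pay_date}
    trailer = {"count": int(count), "total": Decimal(total)}
    return header, details, trailer


def reconcile(text, ack):
    """Return a list of findings; an empty list means file and acknowledgement agree."""
    header, details, trailer = parse_payment_file(text)
    count = len(details)
    total = sum((d["amount"] for d in details), Decimal("0"))
    findings = []
    if trailer["count"] != count:
        findings.append(f"trailer count {trailer['count']} != {count} detail records")
    if trailer["total"] != total:
        findings.append(f"trailer total {trailer['total']} != detail sum {total}")
    if ack["run_id"] != header["run_id"]:
        findings.append(f"bank acknowledged run {ack['run_id']}, file is {header['run_id']}")
    if ack["records"] != count:
        findings.append(f"bank accepted {ack['records']} records, file holds {count}")
    if ack["total"] != total:
        findings.append(f"bank accepted total {ack['total']}, file sums to {total}")
    return findings


if __name__ == "__main__":
    # A clean run reports nothing; a dropped detail record is caught four ways.
    print("clean file:", reconcile(SAMPLE_PAYMENT_FILE, SAMPLE_BANK_ACK))
    short = SAMPLE_PAYMENT_FILE.replace("D|EMP002|23456789|980.50\n", "")
    print("dropped record:", reconcile(short, SAMPLE_BANK_ACK))
```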
4. PeopleSoft Payroll Business Cycle Audit ICQ

(Table columns: Control Objective/Question; Response (Yes / No / N/A); Comment; COBIT References. The COBIT references for each question are listed after it.)

1. Master Data Maintenance

1.1 Access to payroll setup tables and master file transactions is restricted appropriately.

1.1.1 Who has access to define business rules, administration of employee payroll data and compensation? Are these users appropriate? Who has add/correction/update access to Define Business Rules? This should be restricted to the payroll administrator only. Are error messages displayed when access is denied?
COBIT references: PO10, DS11, M1

1.2 Access to make changes to payroll setup tables is restricted appropriately.

1.2.1 Are validation checks in place to ensure all mandatory data are input in the payroll table? Who has access to make changes to the payroll setup tables? Are these users appropriate?
COBIT references: DS5

1.3 Access to make changes to employee payroll master data is restricted appropriately.

1.3.1 Are edit and validation checks in place to ensure changes made to the employee payroll master data are valid and accurate? If an invalid change is made, is this prevented from being processed, and how is the user alerted? Who has access to make employee payroll master data changes? Are these users appropriate?
COBIT references: DS5, DS11

1.3.2 Are audit logs kept of changes to the employee master data, and are these reviewed by management on a periodic basis?
COBIT references: DS10, DS12

1.4 Online edit, validation and range checks are configured in the system.

1.4.1 How does the organization prevent employees being paid more than the specified amounts? Is the Maximum Yearly Earnings field utilized?
COBIT references: DS11

1.5 Edit and validation checks are in place for maximum and minimum salary.

1.5.1 How are the Salary Increase matrices set up? Who defines the minimum and maximum salary for a particular salary plan/grade? Does the system perform automatic validation against the Salary Increase matrices when the compensation rate is changed? Is a warning message displayed to notify the user if the change falls outside the parameters? Can this message be ignored/overwritten?
COBIT references: DS5, DS13

2. Recording Attendance and Leave Processing

2.1 Access to record attendance is restricted appropriately.

2.1.1 Are employees classified as exception time reporters or positive time reporters? If the time is recorded manually, who has access to input the manually approved time record? Are these users appropriate? If the time is recorded online, who has access to approve the time online? Are these users appropriate? How does the organization prevent approvers approving their own time records?
COBIT references: AI4, AI6, DS11, DS13

2.2 Access to process leave is restricted appropriately.

2.2.1 Are there documented procedures in place for processing leave? Is the application for leave of absence performed via manually approved forms or via the self-service functionality within the system? If the self-service option is being employed, who has access to approve leave online? Are these users appropriate? Who has access to the GL run control process? Are these users appropriate?
COBIT references: AI4, AI6, DS9

2.3 Attendance submitted is valid and approved.

2.3.1 For manual attendance, who manually approves the timesheets? In addition, who has access to input the approved time records? Are these users appropriate? Who can approve time online? Are these users appropriate? Does the system automatically perform validations to ensure that time reporters are active?
COBIT references: PO6, DS5

2.4 Valid time worked is processed on a timely basis.

2.4.1 Are there documented procedures in place to ensure the timely submission, approval and input of timesheets, whether manual or online?
COBIT references: AI4

2.4.2 Are exceptions reviewed and investigated? Who performs these reviews, and how often are they performed?
COBIT references: DS3

2.5 Leave requests are valid and approved.

2.5.1 Who reviews and approves leave of absence requests? How does the organization ensure that excessive leave has not been taken?
COBIT references: DS10

2.5.2 Does the system have validation checks in place to ensure that valid leave codes are entered? If an invalid leave code occurs, is the process stopped and the user prevented from proceeding?
COBIT references: AI6, DS11

2.5.3 Does the system automatically check the leave request against the employee's entitled leave balance? If the leave request exceeds the entitlement, can the leave still be approved, or does the process cease at this point?
COBIT references: DS11

2.5.4 How does the organization ensure that unpaid leave is not paid out? Is this performed via automatic or manual data parameters on the system?
COBIT references: DS5, DS12

3. Calculating and Disbursing Payroll

3.1 Access to payroll processing is restricted appropriately.

3.1.1 Has security access design documentation defining the access required for individual jobs in the payroll function been approved by management? Who has access to payroll processing? Are these users appropriate? Who has access to create paysheets (and associated adjustments), run the payroll calculation and confirm the payroll? Do users have access to their own human resources and payroll records?
COBIT references: AI1, AI2, DS5

3.2 Access to online checks is restricted appropriately.

3.2.1 Who has access to create and process online checks? Are these appropriate members of the payroll function?
COBIT references: DS5

3.3 Access to the banking process is restricted appropriately.

3.3.1 Who has access to the bank control run process? Are these users appropriate? Who has access to the EFT file? Where is the file downloaded? Is it a secure location, and is access restricted to only those users who require it? Is the file encrypted?
COBIT references: DS5, DS11

3.3.2 Does the organization utilize a special bank application to transfer the payment file to the bank? Who has access to this application? Are logical access controls in place when logging onto the bank transfer/interface application (e.g., password and user ID combinations)? Are audit trail reports maintained to log all user activity on the bank transfer/interface application?
COBIT references: AI1, DS5, DS13

3.4 Discrepancies and exceptions are reviewed and corrected.

3.4.1 Are payroll processing procedures and security design documentation in place and approved by management? Are errors from the Payroll Error Message for Employees Report (PAY011) reviewed, investigated and resolved? Is the Payroll Precalculation Audit SQR (PAY035) run and reviewed prior to the payroll calculation stage to identify possible errors due to lack of integrity of data?
COBIT references: AI4, DS8, DS10, DS11

3.5 Edit and validation rules are in place to identify errors in the payroll.

3.5.1 Are errors from the Payroll Error Message for Employees report (PAY011) reviewed, investigated and resolved?
COBIT references: DS11

3.6 Payroll runs are reviewed and approved by the payroll administrator/manager.

3.6.1 Are errors from the Payroll Error Message for Employees report (PAY011) reviewed, investigated and resolved? Do outstanding exceptions have the OK to Pay flag set to no, to remove the paylines from the final pay confirmation?
COBIT references: DS10, DS11, DS13

3.6.2 Are the following reviewed prior to final processing and authorization of the payment file:
- General deductions by recipient
- Individual deductions by recipient
- Employee net pay
COBIT references: DS11

3.7 Interface controls are in place for electronic funds transfer (EFT).

3.7.1 Are interface controls in place for the download and transfer of payment files? Are header and trailer records used? How does the organization ensure that the bank receives the complete and accurate file? Are reconciliations performed? Is the payment file encrypted?
COBIT references: DS5, DS11, DS13

3.7.2 Is there a time delay between processing the payment file in PeopleSoft and the transmission to the bank? Where is the file located during the delay? Is it secure and accessible only to appropriate personnel?
COBIT references: DS3

4. Reporting and Reconciliation

4.1 Access to GL run control processes is restricted appropriately.

4.1.1 Does the security design documentation define the access requirements for individual jobs in the payroll function? Is this documentation approved by management? Who has access to update the general ledger with payroll data via the GL run control process? Are these users appropriate?
COBIT references: PO10

4.2 Access to PeopleSoft reporting is restricted appropriately.

4.2.1 Does the security design documentation define the access requirements for individual jobs in the payroll function? Is this documentation approved by management? Who has access to PeopleSoft reports? Are these users appropriate?
COBIT references: DS5

4.3 GL reconciliations are performed at period-ends.

4.3.1 Has the payroll processing and period-end timetable been defined and approved? Have the specified dates for the execution of the GL run control process been defined and approved? Are reconciliations performed between the payroll module and the general ledgers? Are these reviewed and approved?
COBIT references: DS13

4.4 Bank reconciliations are performed at period-ends.

4.4.1 Have month-end procedures been documented and approved? Are reconciliations performed between the GL and the relevant bank statements for all source bank accounts?
COBIT references: AI4, DS11
5. PeopleSoft Security Administration Cycle Audit Plan

Preliminary Audit Steps

Gain an understanding of the PeopleSoft environment.

a. Determine what version and release of the PeopleSoft software has been implemented. If there are multiple versions, document the various versions.
COBIT references: AI2

b. Obtain details of the following:
- Operating system(s) and platforms
- Total number of named users (for comparison with limits specified in the contract)
- Number of PeopleSoft instances
- Database management system used to store data for the PeopleSoft system
- Location of the servers and the related LAN/WAN connections (need to verify security and controls, including environmental, surrounding the hardware and the network security controls surrounding the connectivity). If possible, obtain copies of network topology diagrams.
- Listing of business partners, related organizations and remote locations that are permitted to connect to the PeopleSoft environment
- Various means used to connect to the PeopleSoft environment (e.g., dial-up, remote access server) and the network diagram, if available
COBIT references: AI2, DS11

c. Determine whether separate systems for development, test and production were implemented and whether each instance is a totally separate system or within the same system.
COBIT references: DS9

d. Determine whether the PeopleSoft production environment is connected to other PeopleSoft or non-PeopleSoft systems. If yes, obtain details as to the nature of connectivity, frequency of information transfers, and security and control measures surrounding these transfers (to ensure accuracy and completeness).
COBIT references: DS13

e. Identify the modules that are being used.
COBIT references: AI2, AI3

f. Identify whether the organization has implemented any of the following new e-enabled solutions:
- Supply chain management
- Supplier relationship management
- Customer relationship management
- Enterprise performance management
- Enterprise service automation
COBIT references: PO4

g. Determine whether the organization makes use of any other e-enabled functionality. If yes, describe the functionality and its purpose.
COBIT references: PO3, DS9

h. Determine whether the organization has created any locally developed reports or tables. If yes, determine how these programs/reports or tables are used. Depending on the importance/extent of use, review and document the development and change management process surrounding the creation/modification of these programs/reports or tables.
COBIT references: DS11

i. Obtain copies of the organization's key security policies and standards. Highlight key areas of concern, including:
- Information security policy
- Sensitivity classification
- Logical and physical access control requirements
- Network security requirements, including requirements for encryption, firewalls, etc.
- Platform security requirements (e.g., configuration requirements)
COBIT references: DS5

j. Obtain information regarding any awareness programs that have been delivered to staff on the key security policies and standards. Consider specifically the frequency of delivery and any statistics on the extent of coverage (i.e., what percentage of staff has received the awareness training).
COBIT references: DS7

k. Maintain permission lists, roles and user profiles. Determine whether job roles, including the related transactions, have been defined and documented. Determine whether procedures exist for maintaining (creating/changing/deleting) permission lists and whether they are followed.
COBIT references: AI4, DS11

l. Adequate access administration procedures should exist in written form. Determine whether any of the following procedures exist within the organization:
- Procedures to add/change/delete user profiles
- Procedures to handle temporary access requests
- Procedures to handle emergency access requests
- Procedures to remove users who have never logged into the system
- Procedures to automatically notify the administration staff when staff holding sensitive or critical positions leave the organization or change positions
If yes, document the process and comment on compliance with the policies and standards, and the adequacy of the resulting documentation.
COBIT references: DS5

m. Obtain copies of the organization's change management policies, processes, procedures and change documentation. Consider specifically:
- Development and migration processes and procedures
- Emergency change processes and procedures
- Development standards, including naming conventions, testing requirements and move-to-production requirements
COBIT references: AI6

n. Determine whether the organization has a defined process for creating and maintaining instances. If yes, obtain copies and documentation related to the creation and maintenance of instances.
COBIT references: DS3, DS9

o. Review outstanding audit findings, if any, from previous years. Assess the impact on the current audit.
COBIT references: M1, M4

Identify the significant risks and determine the key controls.

p. Obtain details of the risk assessment approach taken in the organization to identify and prioritize risks.
COBIT references: PO9

q. Obtain copies of and review:
- Completed risk assessments impacting the PeopleSoft environment
- Approved requests to deviate from security policies and standards
- The impact of the above documents on the planning of the PeopleSoft audit
COBIT references: PO9, M4
  35. 35. COBIT Control Objective/Test Documentation/Matters Arising Referencesr. If a recent implementation/upgrade was completed, AI2 obtain a copy of the security implementation plan. AI4 Assess whether the plan took into account the AI5 protection of critical objects within the organization DS5 and segregation of duties. Assess whether an appropriate naming convention (e.g., for profiles) was developed to help security maintenance and to comply with required PeopleSoft naming conventions.1. Development and Integration Tools1.1 Access to development and integration tools is restricted to authorized users and segregated from incompatible duties.1.1.1 Review access security matrices and access DS5 assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the Application Designer and Application Engine menus, and reviewing their level of access by writing and executing the following query in PeopleSoft Query Manager: SELECT B.OPRID, B.OPRCLASS, A.MENUNAME, A.BARNAME, A.BARITEMNAME, A.PNLITEMNAME, A.AUTHORIZEDACTIONS, A.DISPLAYONLY FROM PSAUTHITEM A, PSOPRCLS B WHERE A.OPRID = B.OPRCLASS Order by B.OPRID, B.OPRCLASS, A.MENUNAME, to ensure that the user IDs (OPRID), Permission Lists (OPRCLASS) and Components (MENUNAME) are listed in alphabetical order. The A.AUTHORIZEDACTIONS column contains values that represent the type of actions (action types) that the user is authorized to perform, where high-risk values are: 1—Add 2—Update/Display 3—Add, Update/Display 4—Update/Display All 8—Correction 12—Update/Display All 15—Add, Update/Display, Update/Display All, Correction Note: The value of A.DISPLAYONLY column will 35
  36. 36. COBIT Control Objective/Test Documentation/Matters Arising References have value of 0 or 1. A value of 1 means all fields in the page are display only to the user; 0 means this setting is turned off and the action type codes will indicate the level of access granted.1.2 Security documentation is available for object security and is in line with management’sintentions.1.2.1 Review security documentation to gain an DS8 understanding of the object security design. DS13 Corroborate by generating a list of users with access to object groups by writing the following query in Query Manager: SELECT A.OPRID, A.OBJGROUPID, A.DISPLAYONLY FROM PSOPROBJ A Generate a list of objects groups and the objects defined in them by writing the following query in Query Manager: SELECT A.OBJGROUPID, ENTTYPE, ENTNAME FROM PSOBJGROUP Review the output from both queries to determine appropriateness and compliance with security documentation. Generate a list of users with access to PeopleTools menus via the query detailed in 1.1.1 (under Development and Integration Tools Testing Techniques).2. Data Management Tools2.1 Access to sensitive pages in production is restricted to authorized users and segregated from incompatible duties.2.1.1 Review access security matrices and access AI4 assignment documentation to gain an understanding DS5 of the security design. Corroborate this understanding by generating lists of users with access by running the SQL query detailed in 1.1.1 (under Development and Integration Tools Testing Techniques), and review users with access to the previously discussed menus and pages. Review security procedures created by management that identify whether the SQR Alter tool and DDDAudit.SQR and SYSAudit.SQR reports are run and independently reviewed and investigated by management. Corroborate this by selecting a sample of reports and reviewing for evidence of 36
37. COBIT Control Objective/Test Documentation/Matters Arising References

independent review and follow-up of exceptional items.

3. Operations Tools

3.1 Access to the process scheduler manager functions is restricted to authorized users.

3.1.1 (COBIT references: PO9, AI1, AI4, DS5, DS8) Review the system design documentation relating to access security (design of roles and permission lists), any established policies, procedures, standards and guidance related to the maintenance of roles/permission lists and, in particular, the design and assignment of process scheduler access, process groups and process profiles. Corroborate this understanding by generating and reviewing a list of user IDs with access to process scheduler menus. The list can be generated by writing the following query in PeopleSoft Query Manager:

    SELECT A.OPRID, A.MENUNAME, A.BARNAME, A.BARITEMNAME, A.PNLITEMNAME,
           A.DISPLAYONLY, A.AUTHORIZEDACTIONS
    FROM PSAUTHITEM A
    WHERE A.MENUNAME = 'PROCESS_SCHEDULER'

The AUTHORIZEDACTIONS column contains values that represent the type of actions (action types) that the user is authorized to perform. Review the results of the query executed as per 1.1.1 (under Development and Integration Tools Testing Techniques) and check for high-risk values.

Generate and review a list of process groups assigned to user IDs by writing the following query:

    SELECT A.OPRID, A.PRCSGRP
    FROM PSAUTHPRCS A
    ORDER BY A.OPRID

The ORDER BY A.OPRID clause ensures that the user IDs (OPRID) are listed in alphabetical order.

Generate and review a list of users and their process profile configurations by writing the following query:

    SELECT A.OPRID, A.SRVRDESTFILE, A.SRVRDESTPRNT, A.CLIENTDESTFILE,
           A.CLIENTDESTPRNT, A.DISABLEREFRESH, A.REFRESHRATE, A.LOADMONITOR,
           A.PRCSNOTIFY, A.NOTIFYAUDIBLE, A.OVRDOUTDEST, A.OVRDSRVRPARMS,
           A.RQSTSTATUSUPD, A.RQSTSTATUSVIEW, A.SRVRSTATUSUPD, A.SRVRSTATUSVIEW,
           A.RECURUPD
    FROM PSPRCSPRFL A
    ORDER BY A.OPRID

The ORDER BY A.OPRID clause ensures that the user IDs (OPRID) are listed in alphabetical order.

4. Security Administration Tools

4.1 Security administration profiles are segregated and assigned to system management staff.

4.1.1 (COBIT references: PO4, AI6, DS5, DS13) Determine that the security administration functions have been assigned appropriately, that administrator tasks are segregated and that object migration functions are assigned appropriately. Review access security matrices and access assignment documentation to gain an understanding of the security design. Corroborate this understanding by generating lists of users with access to the menu names below and reviewing their level of access by performing the test described in test 1.1 (Development and Integration Tools Testing Techniques).

Security administrator menu names (components) include:
- MAINTAIN_SECURITY
- DEFINE_GENERAL_OPTIONS / OPERATOR_PREFERENCES
- OBJECT_SECURITY
- SECURITY_ADMINISTRATOR
- TREE_MANAGER
- UTILITIES

Object migration menu names (components) include:
- APPLICATION_DESIGNER
- DATA_MOVER

If, owing to resource issues, full segregation is not possible, ensure that one of the following is employed:
- The ability to create/maintain roles or permission lists and assign them to user profiles is included in the user profile of security administrator 1, and the ability to migrate roles, permission lists and user profiles to the production instance is contained in the user profile of security administrator 2.
- The ability to migrate roles/permission lists into production and assign permission lists and roles to user profiles is included in the user profile of security administrator 1, and the ability to create/maintain permission lists, roles or user profiles is contained in the user profile of security administrator 2. This scenario is acceptable, but may cause some control concerns, as it may be more difficult to implement appropriately.

4.2 PeopleSoft access security design is documented and signed off by management during the implementation.

4.2.1 (COBIT references: PO4, PO5, AI2, DS5, DS8) Review system design documentation relating to access security, policies and procedures for maintaining roles/permission lists, etc. Ascertain from management whether these have been maintained accurately since implementation.

Test 1: Generate a list of user IDs and the roles assigned to them by writing the following query in PeopleSoft Query Manager:

    SELECT B.OPRID, B.OPRCLASS, B.CLASSCOUNT, A.MENUNAME, A.BARNAME,
           A.BARITEMNAME, A.PNLITEMNAME, A.AUTHORIZEDACTIONS, A.DISPLAYONLY
    FROM PSAUTHITEM A, PSOPRCLS B
    WHERE A.OPRID = B.OPRCLASS
    ORDER BY B.OPRID, B.OPRCLASS, A.MENUNAME

The ORDER BY B.OPRID, B.OPRCLASS, A.MENUNAME clause ensures that the user IDs (OPRID), permission lists (OPRCLASS) and components (MENUNAME) are listed in alphabetical order. Where CLASSCOUNT is greater than 1, the user has been assigned more than one role; investigate this further manually on the individual user's security profile. Take a representative sample of user profiles from the system and confirm them against the original documentation. Resolve discrepancies with management.
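The segregation check in 4.1.1 and the CLASSCOUNT check in 4.2.1 Test 1 can be automated once the security tables have been downloaded. The following is an added example, not code from the ISACA audit plan: it builds an in-memory SQLite copy of the two tables using the column names the plan's own queries use (PSAUTHITEM.OPRID holding the permission list name, PSOPRCLS mapping user IDs to permission lists), loads constructed sample rows, and reports user IDs that can both maintain security and migrate objects into production, plus user IDs holding more than one permission list. The sample user IDs, permission list names and bar/item values are constructed; the combined menu name DEFINE_GENERAL_OPTIONS / OPERATOR_PREFERENCES from the plan is treated as two separate menu names.

```python
"""Added example (not from the ISACA audit plan): segregation-of-duties check
over PeopleSoft security tables, using the column names of the plan's queries.
All user IDs, permission lists and menu item values below are constructed;
run the same functions against a real download of PSAUTHITEM and PSOPRCLS."""
import sqlite3

# Menu names (components) listed in 4.1.1 of the audit plan.
SECURITY_ADMIN_MENUS = {
    "MAINTAIN_SECURITY", "DEFINE_GENERAL_OPTIONS", "OPERATOR_PREFERENCES",
    "OBJECT_SECURITY", "SECURITY_ADMINISTRATOR", "TREE_MANAGER", "UTILITIES",
}
OBJECT_MIGRATION_MENUS = {"APPLICATION_DESIGNER", "DATA_MOVER"}

SCHEMA = """
CREATE TABLE PSOPRCLS (OPRID TEXT, OPRCLASS TEXT, CLASSCOUNT INTEGER);
CREATE TABLE PSAUTHITEM (OPRID TEXT, MENUNAME TEXT, BARNAME TEXT,
    BARITEMNAME TEXT, PNLITEMNAME TEXT, DISPLAYONLY INTEGER,
    AUTHORIZEDACTIONS INTEGER);
"""

# Constructed sample data: SECADM1 maintains security only, SECADM2 migrates
# only (the split 4.1.1 asks for), SUPERX holds both (a conflict).
SAMPLE_PSOPRCLS = [
    ("SECADM1", "PL_SECURITY", 1),
    ("SECADM2", "PL_MIGRATE", 1),
    ("SUPERX", "PL_SECURITY", 2),
    ("SUPERX", "PL_MIGRATE", 2),
    ("CLERK1", "PL_PAYROLL", 1),
]
SAMPLE_PSAUTHITEM = [
    ("PL_SECURITY", "MAINTAIN_SECURITY", "USE", "PERMISSION_LISTS", "PERMISSION_LIST", 0, 15),
    ("PL_SECURITY", "SECURITY_ADMINISTRATOR", "USE", "ROLES", "ROLE", 0, 15),
    ("PL_MIGRATE", "APPLICATION_DESIGNER", "USE", "PROJECT", "PROJECT", 0, 15),
    ("PL_MIGRATE", "DATA_MOVER", "USE", "SCRIPT", "SCRIPT", 0, 15),
    ("PL_PAYROLL", "MANAGE_PAYROLL", "USE", "PAYSHEET", "PAYSHEET", 1, 2),
]


def load_sample_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PSOPRCLS VALUES (?,?,?)", SAMPLE_PSOPRCLS)
    conn.executemany("INSERT INTO PSAUTHITEM VALUES (?,?,?,?,?,?,?)", SAMPLE_PSAUTHITEM)
    return conn


def menus_by_user(conn):
    """Map each user ID to the set of menu names reachable through any of its
    permission lists (same join as 4.2.1 Test 1: PSAUTHITEM.OPRID = PSOPRCLS.OPRCLASS)."""
    rows = conn.execute(
        "SELECT B.OPRID, A.MENUNAME FROM PSAUTHITEM A JOIN PSOPRCLS B "
        "ON A.OPRID = B.OPRCLASS ORDER BY B.OPRID, A.MENUNAME")
    result = {}
    for oprid, menu in rows:
        result.setdefault(oprid, set()).add(menu)
    return result


def sod_conflicts(conn):
    """User IDs that can both maintain security and migrate objects into
    production: the combination 4.1.1 says should be split between two admins."""
    return sorted(
        oprid for oprid, menus in menus_by_user(conn).items()
        if menus & SECURITY_ADMIN_MENUS and menus & OBJECT_MIGRATION_MENUS)


def multi_class_users(conn):
    """User IDs with CLASSCOUNT > 1 (4.2.1 Test 1), queued for manual profile review."""
    rows = conn.execute(
        "SELECT DISTINCT OPRID FROM PSOPRCLS WHERE CLASSCOUNT > 1 ORDER BY OPRID")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    print("SoD conflicts:", sod_conflicts(db))
    print("More than one permission list:", multi_class_users(db))
```

The join resolves menu access per user rather than per permission list, which is what matters for segregation: a user who holds MAINTAIN_SECURITY through one permission list and DATA_MOVER through another is still a single person who can both grant access and move it into production. Replace the constructed rows with the real table downloads and reconcile the two output lists with management as the plan directs.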
Test 2: Test changes made to roles/permission lists/user profiles since the implementation of the system. Download the security table to be reviewed (e.g., PSAUTHITEM). Select a sample of changes (reflected by the addition of a new row) from the system and trace them back to current documentation. Check that these changes were appropriately approved. (Management must implement system audits on the relevant tables for this test to be effective.)

4.3 SYSADM password, capabilities and permissions are adequately reviewed and controlled.

4.3.1 (COBIT references: DS5, DS11) With the systems administrator, attempt to log on as SYSADM with the default password and observe the success or failure of the attempt. Generate lists of users with access to the previous menu names by writing the query detailed in 1.1.1 (Development and Integration Tools Testing Techniques) in PeopleSoft Query Manager. Review the output for appropriateness of the access provided, focusing on user IDs with combinations of the menu names detailed. Select a sample of key users and review the user profile setting under the administrator page. Determine whether the "Is User System Administrator?" box is selected.

4.4 Default PeopleSoft passwords for the superuser IDs have been changed and access appropriately restricted.

4.4.1 (COBIT references: DS5) Attempt to gain access to the PeopleSoft system using the default user IDs and passwords. Observe the success or failure of the attempts.

4.5 Access to powerful profiles is restricted.

4.5.1 (COBIT references: DS5, DS8, DS11) Generate lists of users and their access by writing the query detailed in 1.1.1 (Development and Integration Tools Testing Techniques) in PeopleSoft Query Manager. Review the output for appropriateness of the access provided by focusing on user IDs containing the powerful permission lists. The user list identified by this test should be checked with management to ascertain whether the individuals who have access to the above-mentioned functionality require this access, based on their job responsibilities and established policies,
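Test 2 under 4.2.1 relies on comparing the downloaded security table with what was documented and approved. The following is an added example, not code from the ISACA audit plan, showing how that comparison can be done mechanically: it parses two constructed CSV downloads of PSAUTHITEM (a baseline taken at sign-off and a current one), keyed on the columns used in the plan's queries, reports rows that were added, removed or modified, and lists the changes that have no entry in a constructed approval register. The CSV layout, the approval register and its ticket ID are assumptions for illustration; substitute real exports and the change records management keeps.

```python
"""Added example (not from the ISACA audit plan): detect rows added to,
removed from or modified in a downloaded PeopleSoft security table since a
baseline, then reconcile the changes against an approval register.
Column names follow the PSAUTHITEM query on the page; both CSV exports,
the approval register and its ticket ID are constructed."""
import csv
import io

# Columns that identify one authorization row (OPRID holds the permission
# list name in the plan's schema).
KEY_COLUMNS = ("OPRID", "MENUNAME", "BARNAME", "BARITEMNAME", "PNLITEMNAME")

# Constructed baseline download, taken when the security design was signed off.
BASELINE_CSV = """OPRID,MENUNAME,BARNAME,BARITEMNAME,PNLITEMNAME,DISPLAYONLY,AUTHORIZEDACTIONS
PL_PAYROLL,MANAGE_PAYROLL,USE,PAYSHEET,PAYSHEET,1,2
PL_SECURITY,MAINTAIN_SECURITY,USE,PERMISSION_LISTS,PERMISSION_LIST,0,15
"""

# Constructed current download: the payroll row lost its display-only flag
# and gained actions, and a DATA_MOVER row appeared on the payroll list.
CURRENT_CSV = """OPRID,MENUNAME,BARNAME,BARITEMNAME,PNLITEMNAME,DISPLAYONLY,AUTHORIZEDACTIONS
PL_PAYROLL,MANAGE_PAYROLL,USE,PAYSHEET,PAYSHEET,0,15
PL_SECURITY,MAINTAIN_SECURITY,USE,PERMISSION_LISTS,PERMISSION_LIST,0,15
PL_PAYROLL,DATA_MOVER,USE,SCRIPT,SCRIPT,0,15
"""

# Constructed approval register: row key -> change ticket (placeholder ID).
# Only one of the two changes above has an approval recorded.
APPROVALS = {
    ("PL_PAYROLL", "MANAGE_PAYROLL", "USE", "PAYSHEET", "PAYSHEET"): "CHG-0001 (placeholder)",
}


def load_rows(text):
    """Parse a Query Manager CSV download into {key_tuple: row_dict}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = tuple(row[c] for c in KEY_COLUMNS)
        rows[key] = row
    return rows


def diff_security_table(baseline_text, current_text):
    """Return keys added, removed and modified between the two downloads.
    Modified rows matter as much as new ones: flipping DISPLAYONLY or raising
    AUTHORIZEDACTIONS changes privileges without adding a row."""
    base, cur = load_rows(baseline_text), load_rows(current_text)
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    changed = sorted(k for k in cur if k in base and cur[k] != base[k])
    return {"added": added, "removed": removed, "changed": changed}


def unapproved_changes(baseline_text, current_text, approvals):
    """Added or modified rows with no matching entry in the approval register."""
    d = diff_security_table(baseline_text, current_text)
    return sorted(k for k in d["added"] + d["changed"] if k not in approvals)


if __name__ == "__main__":
    for kind, keys in diff_security_table(BASELINE_CSV, CURRENT_CSV).items():
        print(kind, keys)
    print("unapproved:", unapproved_changes(BASELINE_CSV, CURRENT_CSV, APPROVALS))
```

The plan describes changes as "the addition of a new row"; the diff above also flags modified rows, because a change to DISPLAYONLY or AUTHORIZEDACTIONS on an existing row widens access just as a new row would. The parenthetical in the plan still applies: a snapshot comparison only shows net change between two points in time, so table-level auditing must be in place to see every intermediate change and who made it.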
