Audit Office aims for better HR systems

Written by Suzanne Tindal, Contributor

I was pleased to see that the Australian National Audit Office last month released a better practice guide for human resources system implementations (PDF).

Certainly the Queensland Health debacle has shown that these systems can be complicated and that mistakes can mean very upset workers.

The better practice guide notes that bringing in systems to manage the workforce introduces information management risks, which means that manual controls have to be implemented to maintain the integrity and confidentiality of HR information.

"HR and payroll functions are closely linked and changes in one process may create issues in another. As such, there is an emphasis in this guide on implementing controls to safeguard the privacy and integrity of information," it says.

The guide splits the risk into financial, compliance, fraud and protection of information risks. Financial risks impact the financial position of the government entity. Compliance risks could breach Australian legislative requirements. Fraud risks could lead to someone intentionally deceiving the company for personal gain. Protection of information risks could lead to data breaches.

It then suggests system and manual control processes to reduce the risks.

An example of a financial risk is when a non-existent or duplicate employee is added to the payroll, as happened in the case of Queensland Health, where deceased nurses were found to be on the payroll. This leads to overpayment, but can also be a fraud risk, as the identities could be used to process fraudulent payments.

The guide suggests that access to add an employee be restricted to "appropriate" individuals and segregated from payroll maintenance as a system control. The listing of current employees should also be manually checked when adding a new employee to make sure there are no duplicates.

An example of an information security risk laid out by the guide is when an employee is not deactivated when employment is terminated. This is a financial issue as it may lead to overpayment, but if the entity uses single sign-on, it could also mean that the employee still has network access.

The guide suggests that the application change the status of employees to terminated when the termination date is entered and automatically disable access to systems based on the termination date. Manual checks were also suggested, in which managers are sent lists of their current employees to verify.
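As an added illustration (not taken from the ANAO guide or from any HR product), the duplicate-employee check and the termination check described above can be run together as a periodic reconciliation of HR records against login accounts. The record layout, field names and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; field names are assumptions, not a PeopleSoft or SAP schema.
HR_RECORDS = [
    {"emp_id": "E100", "name": "Alice Nguyen", "dob": date(1980, 4, 2),
     "bank": "062-000 1234567", "terminated_on": None},
    {"emp_id": "E101", "name": "Brian Cole", "dob": date(1975, 9, 17),
     "bank": "062-000 7654321", "terminated_on": date(2013, 3, 1)},
    {"emp_id": "E102", "name": "alice  nguyen", "dob": date(1980, 4, 2),
     "bank": "062-000 9999999", "terminated_on": None},
    {"emp_id": "E103", "name": "Carla Diaz", "dob": date(1990, 1, 30),
     "bank": "062-000 7654321", "terminated_on": None},
]
ACCOUNTS = [
    {"emp_id": "E100", "login": "anguyen", "enabled": True},
    {"emp_id": "E101", "login": "bcole", "enabled": True},
    {"emp_id": "E104", "login": "ghost", "enabled": True},
]

def stale_access(hr, accounts, today):
    """Enabled accounts whose owner is terminated or unknown to HR."""
    by_id = {r["emp_id"]: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        rec = by_id.get(acct["emp_id"])
        if rec is None:
            findings.append((acct["login"], "no HR record"))
        elif rec["terminated_on"] and rec["terminated_on"] <= today:
            findings.append((acct["login"], "terminated"))
    return findings

def possible_duplicates(hr):
    """Groups of employee IDs sharing a normalised name+DOB or a bank account."""
    groups = defaultdict(set)
    for r in hr:
        name = " ".join(r["name"].lower().split())  # ignore case and spacing
        groups[("identity", name, r["dob"])].add(r["emp_id"])
        groups[("bank", r["bank"])].add(r["emp_id"])
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)

if __name__ == "__main__":
    print(stale_access(HR_RECORDS, ACCOUNTS, date(2013, 4, 1)))
    print(possible_duplicates(HR_RECORDS))
```

A shared bank account or matching name is only a lead for manual review, since both can be legitimate.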

The guide also includes a functional overview of popular HR systems from Oracle's PeopleSoft and SAP.

Although much of the advice seems to be common sense, or at least understandable, having it available in one place seems a good way to start an implementation or HR roll-out.

Would you find this guide (PDF) helpful?
