Unit:
Subject: Sarbanes-Oxley Act Review - Human Resources and Payroll
Title: Risk and Control Identification
Year end:
OBJECTIVE | OBJECTIVE CATEGORY | RISK REFERENCE | POTENTIAL RISK | CONTROLS
PERSONNEL RECORDS
Personnel files contain accurate, valid and complete
information.
HRP 101
Content of personnel files is not prescribed in terms of a
formalised policy and procedure. Personnel information is
not available as and when required. Invalid, inaccurate or
incomplete information is acquired and retained in the
personnel files.
A company policy exists as a guideline for all the records /
information that should be retained (complying with applicable laws
and regulations) in each employee's personnel file. Personnel
files should contain a standardised index / list of contents. A
responsible senior employee should check / review the
information for accuracy and completeness (and sign the
personnel files as evidence of review).
Required human resources and payroll documentation is
retained for mandatory retention periods.
HRP 102
Records are lost or prematurely destroyed.
Access (physical and IT) to the employee records should be
limited and only granted to authorised personnel. Records
should be safeguarded in a strongroom. Records and
documents can only be destroyed once the applicable laws and
regulations regarding the retention of documents, etc. are
considered.
Confidentiality of human resources information is maintained.
Human resource and payroll records are subject to proper
security procedures.
HRP 103
Information contained in personnel files is not restricted to
authorised employees only. Human resource and payroll
records are not subject to proper security procedures.
Confidentiality of sensitive information is not promoted:
Human resource personnel divulge confidential information.
Procedures preventing unauthorised access to payroll
information (including payroll reports) should be enforced.
Access (physical and IT) to the employee records should be
limited and only granted to authorised personnel. Records
should be safeguarded in a strongroom. A separate salaries and
wages bank account should be maintained to ensure payroll
confidentiality.
Periodic security compliance reviews should be conducted to
identify weaknesses in the payroll system. A company policy
exists to prohibit the spreading of confidential information.
Disciplinary actions must be taken against employees who
violate any company policies including the spreading of
confidential information.
WORKFORCE PLANNING
The demand for and availability of human resources should be
forecasted. Shortages and surplus conditions should be
identified.
HRP 201
The entity may be unaware of its current / future staffing
needs. The Company may not have sufficient employees
with the appropriate skills to achieve its objectives. (The
work force may be inadequate or excessive given corporate
objectives). Company may hire employees in excess of /
inadequate to meet its manpower needs. (Optimal staffing
levels are not achieved). High operational costs may be
incurred due to extensive use of overtime, contract or
consulting resources. Poor matching of skills with job duties
may exist. Inequitable workload distribution may exist.
The human resource implications of changes in strategic
objectives and priorities, organisation, technology, legislation,
products or programs, should be identified. The number, type,
level, and location of human resources required to carry out
organisational objectives and operational plans should be
identified. Current, accurate inventories of basic employment
data for all employees should be maintained. Surplus conditions
should be identified. Relevant career data inventories, including
information on experience, skills, and promotion potential for critical
occupational groups and levels should be maintained. The impact
of identified shortages and surpluses should be considered in the
preparation of operational and financial plans.
Action plans should be prepared to address imbalances in the
numbers and / or skills of human resources which have been
identified.
HRP 202
Imbalances in the number and skills of human resources
may not be considered in the operational and financial
objectives.
The Company may not have sufficient employees with the
appropriate skills to achieve its objectives.
Action plans that include activities such as engagements,
terminations, training, development and relocation should identify
the costs of implementation, the implementation time frame, and
the individuals responsible for implementation.
Action plans should be monitored on a regular basis and the
results assessed to ensure objectives are being met and to
identify modifications to the plans that may be required.
Maintain employee turnover at an acceptable level.
HRP 203
Non-competitive compensation levels and employee
benefits, resulting in the company being unable to retain staff.
Human Resources should perform benchmarking exercises to
test and evaluate company benefits against other market-related
institutions. The results of benchmarking exercises should be
recorded and reported and kept for future reference.
LEGISLATIVE ENVIRONMENT (Regulatory Challenges)
Compliance with applicable laws, regulations and company
policies.
HRP 301
Management or supervisory personnel are unaware of or
ignore legal and regulatory requirements, and company
policies. Employment laws and regulations may be violated
resulting in fines, penalties or litigation.
Management, supervisory personnel and Human Resources staff
should read, and sign as evidence of awareness, legal and
regulatory requirements, media circulations and company
policies, on an on-going basis. Management and supervisory
personnel should sign a document, on a yearly basis, as proof
that they are aware of the contents, understand and adhere to
legal, regulatory requirements, Employment Equity Act, Basic
Conditions of Employment and company policies and
procedures. Non-adherence to the requirements should result in
appropriate disciplinary action being instituted. A senior,
independent manager should review these signed documents as
proof that personnel are aware of and adhere to company
policies and legal procedures. All signed documentation should
be filed and safeguarded for future reference.
Maintain records that demonstrate compliance with applicable
laws and regulations.
HRP 302
Records are not retained to demonstrate compliance with
applicable laws and regulations.
A company policy exists as a guideline for all the records that
should be retained (complying with applicable laws and regulations,
e.g. Archive act & retention of documents guidelines) for each
employee.
Compliance with the Basic Conditions of Employment Act.
HRP 303
Working conditions of employees do not meet minimum
standards: Provisions relating to working hours are not
applied e.g. the rule of a 40-hour working week, meal
intervals, maximum amount of overtime hours is exceeded.
Minimum wage / salary / rate per hour basic conditions are
not applied. Provisions relating to leave (annual, sick,
maternity and family responsibility) are not applied.
Compliance with the Basic Conditions of Employment Act is
monitored by management.
Compliance with the Occupational Health and Safety Act.
HRP 304
Health & Safety in the work place is not established.
Smoking laws are not implemented in the work place.
Risk management should ensure that the company abides by all
applicable health and safety laws and regulations for the
workplace and enforce all these health and safety laws and
regulations. Notifications should be placed where required.
Disciplinary actions must be taken against employees,
contractors and other parties who violate any health and safety
regulations.
Compliance with the Employment Equity Act.
HRP 305
Unequal opportunities. Unfair discrimination occurs in the
workplace. Company does not plan for access to building &
toilet facilities for "handicapped" people. All staff are not
considered for training.
Compliance with the Employment Equity Act is monitored by
management. Company should have alternative access to
buildings for handicapped people and adequate toilet facilities for
them. The company should adhere to the applicable laws and
regulations for the correct work force ratios.
Compliance with the Labour Relations Act.
HRP 306
Fundamental "worker's rights" of employees are
disregarded. Unfair dismissals. Labour organisations may
call for strikes or work slowdowns. Inappropriate action is
taken by the company in response to labour action.
Compliance with the Labour Relations Act is monitored by
management. Company should ensure that actions taken
against strikes and slowdowns comply with relevant labour laws
and legislation in conjunction with the legal department.
EMPLOYEE RELATIONS
The grievance and arbitration process should be used as a
tool for timely, efficient, and effective disposition of disputes.
HRP 401
Productivity may be reduced due to untimely and inefficient
resolution of grievances.
The Company may be subject to unfavorable publicity when
grievances are handled externally.
The cost of dispute resolution may escalate when
grievances are handled externally.
Managers should be aware of the organisational climate,
employee attitudes, and causes of grievances.
Employee grievances should be administered expeditiously.
Dispute dispositions should be communicated and resolutions
implemented.
Disciplinary activity should be monitored and reviewed to
highlight potential areas of concern requiring management
attention.
EMPLOYEE RECRUITMENT AND SELECTION
Employee Authorisation
The requirement to employ is formally motivated.
HRP 501
The requirement to employ is not formally motivated and
communicated to the person authorising the new
employment position. The authorising process is not
formally provided for in the unit's policies and procedures.
The authorising process is not performed in terms of
prescribed company policies. The authorising official is not
appropriate and sufficiently senior.
Formal procedures exist to address the exact requirements for a
new employment position and should be communicated to all
managers that motivate these new positions. No new
employment position should be authorised unless a proper
motivation is communicated and received by Human Resources.
The motivation should formally include the following information:
a) Required skills profile, b) position grading, c) date required
and d) job description. Formal company policy and procedures
exist to address the authorising process. There should be a
formalised authorisation and review process performed by an
appointed senior Human Resources official. The authorisation
process should include a signature as proof of review that
procedure was followed.
The need for the position, job requirements and selection
criteria should be clearly defined (in terms of a detailed
position specification).
HRP 502
Employment equity and equality of access requirements
may not be met.
Changes in operational or business plans, new technology,
or new services which may require employees with different
skills may not be considered in the replacement process.
The need for filling a vacant position should be reviewed before
staffing activities begin.
The number, type, level, and work location of persons sought and
when they are required should be specified.
A description of the purpose of the job, the main tasks to be
carried out, and the terms and conditions of employment should
be documented and made available to persons with recruitment
responsibilities.
The selection criteria should be based on the job requirements,
experience, personal characteristics desired, and application of
employment equity directives.
Employee Recruitment and Selection
Authorised employment requests are communicated timeously
to the recruiting function.
HRP 503
Authorised employment requests are not communicated
timeously to the recruiting function.
Formal company policy and procedures should be developed to
address timeous communication to the recruiting function for all
authorised employment requests.
Recruitment activities should maximise the likelihood of
attracting qualified candidates at a reasonable cost, within a
reasonable period of time, and with due regard to equality of
access. The appropriate profile of potential employees is
sourced for consideration by the recruiting activity.
HRP 504
The cost of recruitment may not be cost justified.
Recruitment activities may not be focused on qualified
audiences or candidates. Appropriate and relevant sources
for potential candidates are not identified. Potential
candidates who have not been screened and interviewed
are not timeously identified.
Alternative methods for filling a position including internal versus
external recruitment, advertising, and use of agencies should be
considered.
The area of search should be sufficient to attract qualified
candidates at a reasonable cost.
Turnaround time for filling positions should be reasonable.