Audit Controls for HR Security and Payroll
A Consolidated Control Matrix for Testing Access Governance and Payroll Processing in SAP S/4HANA
Payroll sits at the intersection of two related risks. One is a security risk: who can create an employee, change a pay rate, or release a payroll run. The other is a processing risk: whether time worked, payroll calculations, and disbursements are complete, accurate, and posted in the right period. Rather than testing these as two separate programs, the matrix below brings all forty-eight underlying controls together in a single sequence, following the employee and pay cycle from hire through disbursement and master-data maintenance, while still tagging each control by domain (Security or Payroll) so the type of risk it addresses, and who typically owns it, remains clear at a glance.
Security-tagged controls are preventive and largely automated: they restrict, at the system level, who can touch HR and payroll data in the first place, and are tested by querying user access (transaction codes and authorization objects) against job responsibilities. Payroll-tagged controls are management is actively reviewing the results of the process, master-data listings, time-evaluation reports, payroll simulations, and disbursement reconciliations and resolving any exceptions found. A single point of access failure and a single missed management review represent different failure modes, so the domain tag stays attached to every row even though the controls are now tested and reported together.
Consolidated Control Matrix
Reading the Matrix
Every control in the matrix is documented the same way, no matter which domain it belongs to. You get a plain description of what the control is supposed to do, whether it’s meant to prevent a problem or catch one after the fact, whether a person or the system is doing the work, how risky it is, and a quick summary of how to test it. In the full working paper, each row also points to the exact test step and evidence tab where the sampling and results live and wraps up with a simple call: effective or not. If a control doesn’t hold up, the paper doesn’t just note that and move on, it records what went wrong, any backup control that’s catching the risk in the meantime, and management’s plan and deadline to fix it. That finding stays open until someone actually goes back and confirms the fix worked.
Read straight through, the matrix basically tells the story of one pay period, start to finish. HR1 makes sure the people being added to the system are real employees. HR2 makes sure the people leaving are actually taken off. HR3 through HR5 check that hours worked are captured in full and on time. HR6 is about the payroll run itself making sure it’s controlled properly and that only the right people can trigger it. HR7 checks that what employees were actually paid matches what was recorded. And HR8 ties it all together by confirming that changes to master data keep getting reviewed and that no one person can do too much on their own.
Disclaimer
This article is provided for educational and informational purposes only. Organizations should assess their own business, security, and compliance requirements before making any authorization or access control decisions.




