Informational (IS) Risk Management
Management of information systems is critical in any organization. Its success depends heavily on the reliability of the information provided, on secure storage and on ease of retrieval. An organization whose information system is wanting stands a high chance of failing in future. Because this is so crucial, this paper focuses on the management of the Human Resource Information System, its security vulnerabilities and the corresponding controls.
As observed in the market today, many organizations have adopted electronic methods of managing information related to Human Resource. While this revolutionizes the management of that information system, bringing a whole new face and promoting efficiency, a couple of risks accrue. First, with computers, discretion may not be fully maintained, as some potentially dangerous information may leak due to the vulnerability of computers and the software used. To this effect, this paper gives insight into some of the dangerous security threats and provides ways to curb them and intensify security in the management of the Human Resource Information System.
The risks that face an organization fall into the following categories: financial risk, fraud risk, reporting and compliance risk, and information protection risk. Financial risks are risks that directly affect the financial position of the organization or an individual, while fraud risks refer to intentional deception made to damage another person or organization, either for personal gain or out of malice. Reporting and compliance risk refers to the organization breaching local or national policies and demands. Lastly, information protection risk occurs when personal information about individuals or confidential information about the company is not protected sufficiently, leading to leakage.
The management of payroll data by the HR poses a major risk in any Human Resource Management Information System. The involvement of two types of data, that is, reference data and master data, exposes it to the risk of inaccuracy and insecurity. Master data is the information used to support general operations and transactions, and it is pivotal in business reporting and analytics. The master data also harbors personal information such as names, next of kin, address, qualifications and salary information. Some master data categories, like bank details, are extremely sensitive and provide channels for fraudulent practices in an insecure system. Other information, such as rates of pay, terms of employment and position, may be required by various functional groups and, as a result, may be stored in various data systems in the organization rather than being centrally referenced. Reliable data management helps in such instances to detect and prevent anomalies.
Reference data, on the other hand, is dynamic because it is susceptible to change and update. However, it is essential for historical reference, planning and decision making. Unlike the master data, reference data does not clearly give the reasons for the capture, update or change of the data. The challenge of gathering, storing and making available definitions for each reference data row is not similar to the necessity to fathom the context in master data. However, there is a dire need for organizations to provide quality and reliable information through clear definitions in reference data.
Policy and legislative compliance
Another risk that poses a great challenge in the Human Resource Management Information System is the disclosure of personal information pertaining to employees. This happens when the system leaves a loophole through which unauthorized users can access such vital information, either because of poor encryption or through invasion by hackers. It is, therefore, important for HR practitioners to have the necessary knowledge of the requirements to obtain, store, retain and disclose personal information for both current and future employees. Additionally, both local and national policies place organizations under an obligation to deploy practices that ensure vital employee information is thoroughly safeguarded. To keep employees' personal information from being disclosed, organizations need to restrict which users gain access to such databases.
Additionally, HR practitioners should provide strong encryption and firewalls that bar intruders from accessing and interfering with employees' details. On the same note, an employee's details may be incorrectly entered, resulting in occurrences such as payment duplication, errors in employee deductions or even unapproved changes in roles and delegations. To avoid this, the system should provide regular validation checks that inform the user when duplication has occurred or information has been wrongly entered, so that the necessary changes can be made. Further, all amendments, changes and updates to the master data should be accompanied by corresponding documentation for future reference.
Workforce management
It is the duty of the HR to maintain the workforce in the organization, determining when to recruit new employees, organizing training and development programs, and determining who to recognize and reward. In the process, the HR is exposed to several risks: duplicate or non-existent employees may be added to the payroll, termination balances and payments may be calculated inaccurately, and deactivation of the employee may not be effected after the termination of employment. To control these risks, correct information pertaining to each employee should be entered into the system and thoroughly cross-checked for anomalies. Further, the information should be maintained so that relevant updates to the employee's information and approved changes are automatically adjusted in the system. It is also common for the system to become obsolete if it does not accommodate future changes.
For instance, when an employee makes a permanent change, or a temporary change that involves taking a particular position for some time, the system should be able to reflect that with the corresponding payments and benefits for each position. It should also be able to record the total time worked as overtime or in the temporary position and include that in time reporting. This will help account for the total time of each worker in a given position with the corresponding accurate payments and benefits. On the same note, some workers may take up more than one role for a given time for a particular purpose, and the system should be kept up to date to reflect such information without omission. The challenge of "ghost" employees can be dealt with by restricting the users who gain access to employees' information and by regulating the ability to modify that information.
On the termination of employment, the employer or the employee should provide a letter of notice. On the indicated date of employment termination, calculations of termination payment are made, the employee then returns all property belonging to the employer that was in their custody and at the same time the employee’s physical and logical access rights are removed from the system.
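The validation checks described in this section and under policy compliance (duplicate entries, "ghost" employees, and payroll or access left active after termination) can be run as a periodic audit over the master data. The following is an added example, not part of the original paper; the record fields and the sample data are constructed assumptions, not a real HRMIS schema.

```python
from collections import defaultdict
from datetime import date

# Constructed sample master data; field names are assumptions, not a real HRMIS schema.
EMPLOYEES = [
    {"id": "E001", "name": "Ana Ruiz", "dob": "1985-03-02", "bank": "111-222",
     "terminated": None, "on_payroll": True, "access_enabled": True},
    {"id": "E002", "name": "ana  ruiz", "dob": "1985-03-02", "bank": "333-444",
     "terminated": None, "on_payroll": True, "access_enabled": True},
    {"id": "E003", "name": "Ben Cole", "dob": "1990-07-19", "bank": "555-666",
     "terminated": date(2024, 1, 31), "on_payroll": True, "access_enabled": False},
    {"id": "E004", "name": "Cy Dunn", "dob": "1979-11-05", "bank": "555-666",
     "terminated": None, "on_payroll": True, "access_enabled": True},
    {"id": "E005", "name": "Di Egan", "dob": "1992-02-14", "bank": "777-888",
     "terminated": date(2024, 2, 15), "on_payroll": False, "access_enabled": True},
]

def _groups(records, key):
    """Group employee ids by key(record); keep only groups with more than one id."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[key(rec)].append(rec["id"])
    return {k: ids for k, ids in buckets.items() if len(ids) > 1}

def duplicate_identities(records):
    """Same person entered twice: match on normalised name plus date of birth."""
    return _groups(records, lambda r: (" ".join(r["name"].lower().split()), r["dob"]))

def shared_bank_accounts(records):
    """Several payroll records paying into one account: an indicator to review."""
    return _groups(records, lambda r: r["bank"])

def not_deactivated(records, today):
    """Terminated employees still on payroll or still holding logical access."""
    findings = {}
    for r in records:
        if r["terminated"] and r["terminated"] <= today:
            issues = [f for f in ("on_payroll", "access_enabled") if r[f]]
            if issues:
                findings[r["id"]] = issues
    return findings

if __name__ == "__main__":
    print(duplicate_identities(EMPLOYEES))
    print(shared_bank_accounts(EMPLOYEES))
    print(not_deactivated(EMPLOYEES, date(2024, 3, 1)))
```

Each finding is a lead for manual review rather than proof of fraud, since two employees can legitimately share a bank account.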
Administration and processing of payroll
This involves risks and control measures pertaining to payroll accounting and time reporting. The focus is on the supporting controls relevant to the disbursement of payroll and the posting of payroll expenses to the general ledger, which need to be implemented for completeness and accuracy. A number of risks are involved. These include incomplete or inaccurate entry of time data for employees, leave that is unapproved or taken against entitlements, inaccurate updates of employee shifts, and amendment of time recorded in earlier periods that is inaccurate or made without appropriate authority. Calculation of payroll could also be incomplete or inaccurate. Other risks include breaches of local and national policies, which cover taxation payments, legislative requirements and salary sacrifice arrangements. Additionally, pay increases awarded to employees for performance or other reasons could be wrongly calculated and approved before disbursement. This should be controlled through proper policies and accommodation in the system.
In conclusion, a Human Resource Management Information System could have detrimental effects on the organization if it is founded on an insecure environment. Security therefore needs to be highly intensified to avoid dangerous consequences when any of the highlighted risks occurs. It is the duty of the Human Resource department to ensure that important information regarding employees is well secured and that local statutory requirements are adhered to. This prevents unnecessary interruptions of workflow, increasing productivity in the organization. Further, employees are confident that the system secures their information and therefore give their best in their roles in the organization.