1. OBJECTIVE AND SCOPE

The objective of this procedure is to describe the BFC internal controls (user access, customizing activities, sensitive Admin actions, etc.).

Both maintenance and customizing activities must be performed in compliance with the internal controls designed with the Data Compliance and Audit team and audited twice a year by Deloitte (mid-year and year-end cycles).


2. BFC INTERNAL CONTROLS

The BFC Administration team is the control owner of the following internal controls:

SEC-01 (APP.05) Password Management

SEC-03 (APP.01) Functional Profiles

SEC-04 (APP.10) Access Rights

SEC-07 (APP.01) Access Requests

SEC-09 Authorization Contact

SEC-10 (APP.03) Audit Trails

SEC-11 (APP.02) Users Deactivation


2.1 SEC-01 (APP.05) Password Management

Purpose: Check that the password guidelines are correctly implemented.

This control is restricted to “Internal Users”, as “External Users” authenticate through Single Sign-On.

Description: The Administration Manager reconciles an extract of the password settings from the Financial Consolidation system against the password guidelines included in the security policy: every directive must be respected.

Control type (Completeness, Accuracy, Validation, Restricted Access): Completeness, Accuracy and Restricted Access

Frequency: Yearly

Control evidence:

In the “Action” menu / “Password Manager” option, the BFC Administration team defines the length of Internal passwords as well as their validity duration.

After 60 days of use of the same password, BFC automatically obliges the Internal user to change his/her password. Without this renewal, the Internal user can no longer connect to BFC.
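The reconciliation step of SEC-01 (settings extract versus policy directives, Internal users only) can be made repeatable and its result kept as control evidence. The script below is an added example written for this procedure; it is not part of the procedure and does not read any real BFC export. The key=value extract format, the population names and the minimum length of 8 characters are assumptions constructed for the example; only the 60-day validity rule comes from the page.

```python
"""Reconcile BFC password settings against the security policy (SEC-01).

Added example, not part of the procedure. The extract format below
(key=value lines, one block per user population) is constructed for
illustration, as is the 8-character minimum length; the 60-day
validity directive is the one stated in the procedure.
"""

# Constructed extract, as an administrator might dump it from the
# "Password Manager" settings. "External" users authenticate via SSO,
# so their local password settings are out of scope for this control.
SAMPLE_EXTRACT = """\
population=Internal
min_length=6
validity_days=60
population=External
min_length=0
validity_days=0
"""

# Policy directives: (bound, limit). validity_days is from the page;
# min_length is an assumed placeholder value.
POLICY = {
    "min_length": ("min", 8),      # at least 8 characters (assumption)
    "validity_days": ("max", 60),  # forced renewal after 60 days (page)
}


def parse_extract(text):
    """Parse key=value lines into one dict per 'population' block."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "population":
            current = {"population": value}
            blocks.append(current)
        elif current is not None:
            current[key] = int(value)
    return blocks


def reconcile(text, policy=POLICY, in_scope=("Internal",)):
    """Return deviations as (population, setting, found, required).

    A directive is violated when the setting is missing from the
    extract or its value breaches the min/max bound. For a "max"
    bound, a value of 0 is treated as "never expires" (assumed
    meaning) and therefore as a deviation. Populations outside
    in_scope (SSO users) are skipped, matching the control's scope.
    """
    deviations = []
    for block in parse_extract(text):
        pop = block["population"]
        if pop not in in_scope:
            continue
        for setting, (bound, limit) in policy.items():
            required = f"{bound} {limit}"
            found = block.get(setting)
            if found is None:
                deviations.append((pop, setting, None, required))
                continue
            if bound == "min":
                violated = found < limit
            else:
                violated = found > limit or found == 0
            if violated:
                deviations.append((pop, setting, found, required))
    return deviations


def is_compliant(text, policy=POLICY):
    """SEC-01 passes only when every directive is respected."""
    return not reconcile(text, policy)


if __name__ == "__main__":
    for dev in reconcile(SAMPLE_EXTRACT):
        print("DEVIATION: population=%s %s=%s (required %s)" % dev)
    print("compliant:", is_compliant(SAMPLE_EXTRACT))
```

Run against the constructed extract, the Internal population's 6-character minimum is reported as a deviation while the 60-day validity passes; the External block is ignored because its users do not hold a BFC password. Keeping the printed deviation list with the settings extract gives the auditor both the evidence and the rule it was checked against.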