1. OBJECTIVE AND SCOPE

The objective of this procedure is to describe the BFC internal controls (user access, customizing activities, sensitive Admin actions…).

Both maintenance and customizing activities must be performed in compliance with the internal controls designed with the Data Compliance and Audit team and audited twice a year by Deloitte (mid-year and year-end cycles).


2. BFC INTERNAL CONTROLS

BFC Administration team is the control owner of the following internal controls:

SEC-01 (APP.05) Password Management

SEC-03 (APP.01) Functional Profiles 

SEC-04 (APP.10) Access Rights

SEC-07 (APP.01) Access Requests 

SEC-09 Authorization contact 

SEC-10 (APP.03) Audit Trails

SEC-11 (APP.02) Users Deactivation


2.1 SEC-01 (APP.05) Password Management

Purpose: Check the compliance of the password guidelines implementation

This control is restricted to “Internal Users” (authentication type internal), since “External Users” (authentication type external) use Single Sign-On.

Description: The Administration Manager reconciles an extract of the password settings from the Financial Consolidation system against the password guidelines included in the security policy: all the directives must be respected.

Control type (Completeness, Accuracy, Validation, and Restricted Access): Completeness, Accuracy and Restricted Access

Frequency: Yearly 

Control evidence: 

In the “Action” menu / “Password Manager” option, the BFC Administration team defines the minimum length of Internal passwords as well as their validity duration.

After 60 days using the same password, BFC automatically obliges the Internal user to change his / her password. Without this renewal, the Internal user can no longer connect to BFC.


Single Sign-On enables users to connect to BFC with their personal login and password (the same ones used to connect to their computer).

When they change their Windows password, BFC automatically takes the new password into account.

Evidence stored in GDrive: https://drive.google.com/drive/folders/1GI_ZB6EsHhhHrVKSolXdjofT3ip0LFNI

2.2 SEC-03 (APP.01) Functional Profiles

Purpose: All the Functional Profiles creation/modification requests are formally validated by the Consolidation Manager (KUF = Key User Function).

Description: Before updating the role in the system, the BFC Administration Manager manually checks the role design for incompatibilities, according to the matrix of incompatible actions. If incompatibilities are found, he/she informs the Consolidation Manager (KUF), who validates them.

A functional profile defines the types of rights to perform specific tasks in the application. For example, whether or not a user is authorized to create, change or delete data in schedules. 

The major risk to be managed is uncontrolled data modification in BFC due to the allocation of an inappropriate Functional Profile.

Control type (Completeness, Accuracy, Validation, and Restricted Access): Validation, Accuracy

Frequency: On Flow

A) Functional Profiles created in BFC since its implementation in 2005


B) Functional Profiles currently used (10/11/2021)


C) Description of Functional Profiles currently used (10/11/2021)


Evidence stored in GDrive: https://drive.google.com/drive/folders/19Dc-vvsciksgLYn2UK4uYbuZbLyxGdw2

2.3 SEC-04 (APP.10) Access Rights

Purpose: Matrix of incompatible transactions by critical level is maintained and updated in order to include each new critical transaction.

Description: The file “IT FC SEC-04 Access Rights 2021” is a validation of the updated matrix of incompatibilities by the Key User Function (Consolidation manager):

  1. The "Responsibilities Matrix" tab is a description of the Functional Profiles that are used in BFC.
  2. This matrix is approved before each Audit Sprint by the Consolidation Manager (KUF).
  3. The content in BFC is validated at each Audit Sprint to check if the Functional Profiles are correctly implemented in the system.
  4. This matrix is signed by the Consolidation Manager (KUF), scanned and published in Google Drive.

The "Functional Profiles Definitions" tab is a detailed description of the Functional Profiles.

Control type (Completeness, Accuracy, Validation, and Restricted Access): Validation

Evidence stored in GDrive: https://drive.google.com/drive/folders/1cZ5Dm7QTzifrxoy6yjRXabrdURMwPlo2