1. OBJECTIVE AND SCOPE
The objective of this procedure is to describe the BFC internal controls (users access, customizing activities, sensitive Admin actions…).
Both maintenance and customizing activities must be performed in compliance with internal controls designed with Data Compliance and Audit team and audited twice a year by Deloitte (mid-year and year-end cycles).
2. BFC INTERNAL CONTROLS
BFC Administration team is the control owner of the following internal controls: Audit
SEC-01 (APP.05) Password Management
SEC-03 (APP.01) Functional Profiles
SEC-04 (APP.10) Access Rights
SEC-07 (APP.01) Access Requests
SEC-09 Authorization contact
SEC-10 (APP.03) Audit Trails
SEC-11 (APP.02) Users Deactivation
2.1 SEC-01 (APP.05) Password Management
Purpose: Check the compliance of the password guidelines implementation
This Control is restricted to “Internal Users” (authentication type internal) as “External Users” (authentication type external) are using the Single Sign On.
Description: The Administration Manager reconciles an extract of password settings from the Financial Consolidation system and the password guidelines included in the security policy: all the directives must be respected.
Control type: (Completeness, Accuracy, Validation, and Restricted Access): Completeness, Accuracy and Restricted Access
Frequency: Yearly
Control evidence:
In “Action” menu / “Password Manager” option, the BFC Administration team defines length of Internal password as well as their validity duration.
After 60 days using the same password, BFC will automatically oblige the Internal user to change his / her password. Without this renewal, the Internal user cannot connect anymore to BFC.
The Single Sign On enables users to use their personal login and password (the one used to connect to their computer) to connect also to BFC.
When they will change their Windows password, it will be automatically taken into account by BFC too.
Evidence stored in GDrive: https://drive.google.com/drive/folders/1GI_ZB6EsHhhHrVKSolXdjofT3ip0LFNI
2.2 SEC-03 (APP.01) Functional Profiles
Purpose: All the Functional Profiles creation/modification requests are formally validated by the Consolidation Manager (KUF = Key User Function).
Description: The BFC Administration Manager, before updating the role into the system, checks manually the presence of incompatibilities in the role design, according to the matrix of incompatible actions. In case of some incompatibilities are found he/she informs the Consolidation Manager (KUF) who validates them.
A functional profile defines the types of rights to perform specific tasks in the application. For example, whether or not a user is authorized to create, change or delete data in schedules.
The major risk to be managed is to avoid uncontrolled data modification in BFC due to the allocation of an inappropriate Functional Profile.
Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation, Accuracy
Frequency: On Flow
A) Functional Profiles created in BFC since its implementation in 2005
B) Functional Profiles currently used (10/11/2021)
C) Description of Functional Profiles currently used (10/11/2021)
Evidence stored in GDrive: https://drive.google.com/drive/folders/19Dc-vvsciksgLYn2UK4uYbuZbLyxGdw2
2.3 SEC-04 (APP.10) Access Rights
Purpose: Matrix of incompatible transactions by critical level is maintained and updated in order to include each new critical transaction.
Description: The file “IT FC SEC-04 Access Rights 2021” is a validation of the updated matrix of incompatibilities by the Key User Function (Consolidation manager):
- The "Responsibilities Matrix" tab is a Description of the Functional Profiles that are used in BFC.
- This matrix is approved before each Audit Sprint by the Consolidation Manager (KUF).
- The content in BFC is validated at each Audit Sprint to check if the Functional Profiles are correctly implemented in the system.
- This matrix is signed by the Consolidation Manager (KUF), scanned and published in Google Drive.
The "Functional Profiles Definitions" tab is a detailed description of the Functional Profiles.
Control type (Completeness, Accuracy, Validation, and Restricted Access): Validation
Evidence stored in GDrive: https://drive.google.com/drive/folders/1cZ5Dm7QTzifrxoy6yjRXabrdURMwPlo2
2.4 SEC-07 (APP.01) Access Requests
Purpose: Access rights given to users are formally validated by the BFC Administration team.
Description: Access requests are sent by e-mail or BMC Helix ticket (transferred by IS BFC Admin) to the BFC-Admin mailbox, normally the request is performed by the user with his/her manager in copy (manager as defined in Solvay One Organizational chart).
Important Notes:
If the manager is not in copy (it happens often with the transferred tickets), BFCAdmin must request his/her approval before communicating the access given.
To check the user's manager or missing details like User ID, email, BFC Admin can use SuccessFactors application trough this link https://performancemanager.successfactors.eu/:
Any request requiring access to critical data (Administrators and users requiring access to owner groups CONSO or CONSO+) or critical actions (Administrators and users requiring access to functional profile CONSOLIDEUR) must be approved by the Consolidation Manager (KUF) => SEC-03 & SEC-04.
Since the implementation of the Single Sign On, before creating a new user, the BFC Administration team must request IS Adagio Wintel team to add this new user to the Active directory (AD) - “BFC User Group” - list by creating a Solman Ticket.
Active directory (AD) is a list of all Solvay users’ accounts (but also computers, servers, printers, shared directories…). It authenticates and authorizes all users and computers by assigning and enforcing security polices, installing and updating software... For example: when user logs into a computer, AD checks the submitted password and determinates whether the users is a system administrator or a regular user.
Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access
Frequency: on demand @ each user access request
Evidence stored in GDrive: https://drive.google.com/drive/folders/1eGfCz_979YQ-M4EW3KDpFNCXKugxZuls
INSIDER DEALING (FSMA)
The Insider dealing list (requested by FSMA authorities in Belgium) is requested by CORPORATE SECRETARY to the BFC Administration team.
BFC Admin team is not the owner of this control but has to provide, each quarter, the information regarding BFC users having privileged access to financial data.
BFC Administrator has to extract users having access to full Solvay Group data (access groups = CONSO / CONSO+ / ADMINISTRATORS) and update the GSheet file shared by Corporate Secretary adding the new users and removing the old ones (people who have changed position or left the group), informing the date on which data access was added/removed and to which organizational department belongs to.
2.5 SEC-09 Authorization contact
Purpose: Authorization Contacts review on a regular basis role assigned to users
This control is covered by SEC-03 and SEC-10
Description: As of June 2020, following Deloitte recommendation, for users with functional profiles “CONSOLIDEUR” or “CONSO-SAISIE” the Consolidation Manager performs a periodic review of these users in order to validate they still need this role.
Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access
Frequency: Quarterly
Validation process:
- BFC Administration team sends a screen copy of users granted role ""CONSOLIDEUR"" or ""CONSO-SAISIE"" by e-mail to Consolidation manager requesting his review and approval
- Consolidation manager's answer with validation and/or request for necessary authorization updates, is sent back to BFC Administration
- BFC Administration team proceeds with updates, when needed, in the system and resent the print screen with new updated list of users to Consolidation manager
Evidence stored in GDrive: https://drive.google.com/drive/folders/14oLPoNU-cUuCIE6a0fxK5XPsgr1JHQPD
2.6 SEC-11 (APP.02) Users Deactivation
Purpose: 1) Deactivation done on a regular basis for internals, externals and movers.
Description: The Solvay Group members who have access to BFC should be compliant with their status and their position on HR tools. The objective of this Internal Control is to reconcile the users status on BFC according to their status and identify the users that should be deactivated from BFC.
Deactivation is done based on the lists provided by IT internal control team (J.ABREU) , every week for leavers and every month for movers.
Leavers process (Internals & Externals)
BFC leavers lists are produced every week by robot, reviewed by the IT internal control team (J.ABREU) and sent by J.ABREU to BFCAdmin by email.
In addition to the identification of users to be deactivated the list includes verification of last logon date versus separation date.
BFCAdmin proceeds with the user's deactivation as soon as possible within a week.
Movers
List is sent by J.ABREU to BFCAdmin on a monthly basis.
BFCAdmin analyses the list to identify which users should be subjected to access updates. Some may have already requested the update.
Following the analysis BFCAdmin sends an email to the user with his/her manager in cc asking if the BFC access could be deactivated or not.
Evidence stored in GDrive: https://drive.google.com/drive/folders/1-rNxb171Sv2R7VsMEJV1K8r4QevYZLlf
In BFC “Security/Users” module, deactivation will be proceeded the following in the user profile:
- Owner Group: PARTI
- Functional Profile: DESACTIVE
- Data Access Group: RIEN
and the user must be blocked in order to be prevented from accessing BFC.
Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access
Frequency: Weekly (leavers) / Monthly (movers)
Purpose: 2) Temporarily deactivation on BFC when the user has not connected during the last 6 months