1. OBJECTIVE AND SCOPE

The objective of this procedure is to describe the BFC internal controls (user access, customizing activities, sensitive Admin actions, etc.).

Both maintenance and customizing activities must be performed in compliance with the internal controls designed with the Data Compliance and Audit team and audited twice a year by Deloitte (mid-year and year-end cycles).


2. BFC INTERNAL CONTROLS

BFC Administration team is the control owner of the following internal controls:

SEC-01 (APP.05) Password Management

SEC-03 (APP.01) Functional Profiles 

SEC-04 (APP.10) Access Rights

SEC-07 (APP.01) Access Requests 

SEC-09 Authorization contact 

SEC-10 (APP.03) Audit Trails

SEC-11 (APP.02) Users Deactivation


2.1 SEC-01 (APP.05) Password Management

Purpose: Check the compliance of the password guidelines implementation

This control is restricted to “Internal Users” (authentication type internal), as “External Users” (authentication type external) use the Single Sign On.

Description: The Administration Manager reconciles an extract of the password settings from the Financial Consolidation system against the password guidelines included in the security policy: all the directives must be respected.

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Completeness, Accuracy and Restricted Access

Frequency: Yearly 

Control evidence: 

In the “Action” menu, “Password Manager” option, the BFC Administration team defines the length of Internal passwords as well as their validity duration.

After 60 days using the same password, BFC automatically obliges the Internal user to change his/her password. Without this renewal, the Internal user can no longer connect to BFC.



The Single Sign On enables users to use their personal login and password (the one used to connect to their computer) to connect to BFC as well.

When they change their Windows password, BFC automatically takes the change into account too.

Evidence stored in GDrive: https://drive.google.com/drive/folders/1GI_ZB6EsHhhHrVKSolXdjofT3ip0LFNI

2.2 SEC-03 (APP.01) Functional Profiles

Purpose: All the Functional Profiles creation/modification requests are formally validated by the Consolidation Manager (KUF = Key User Function).

Description: Before updating the role in the system, the BFC Administration Manager manually checks the role design for incompatibilities, according to the matrix of incompatible actions. If incompatibilities are found, he/she informs the Consolidation Manager (KUF), who validates them.

A functional profile defines the types of rights to perform specific tasks in the application. For example, whether or not a user is authorized to create, change or delete data in schedules. 

The major risk to be managed is uncontrolled data modification in BFC due to the allocation of an inappropriate Functional Profile.

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation, Accuracy

Frequency: On Flow

A) Functional Profiles created in BFC since its implementation in 2005


B) Functional Profiles currently used (10/11/2021)


C) Description of Functional Profiles currently used (10/11/2021)


Evidence stored in GDrive: https://drive.google.com/drive/folders/19Dc-vvsciksgLYn2UK4uYbuZbLyxGdw2


2.3 SEC-04 (APP.10) Access Rights

Purpose: Matrix of incompatible transactions by critical level is maintained and updated in order to include each new critical transaction.

Description: The file “IT FC SEC-04 Access Rights 2021” is a validation of the updated matrix of incompatibilities by the Key User Function (Consolidation manager):

  1. The "Responsibilities Matrix" tab is a description of the Functional Profiles that are used in BFC.
  2. This matrix is approved before each Audit Sprint by the Consolidation Manager (KUF).
  3. The content in BFC is validated at each Audit Sprint to check if the Functional Profiles are correctly implemented in the system.
  4. This matrix is signed by the Consolidation Manager (KUF), scanned and published in Google Drive.

The "Functional Profiles Definitions" tab is a detailed description of the Functional Profiles.

Control type (Completeness, Accuracy, Validation, and Restricted Access): Validation

Evidence stored in GDrive: https://drive.google.com/drive/folders/1cZ5Dm7QTzifrxoy6yjRXabrdURMwPlo2


2.4 SEC-07 (APP.01) Access Requests 

Purpose: Access rights given to users are formally validated by the BFC Administration team. 

Description: Access requests are sent by e-mail or BMC Helix ticket (transferred by IS BFC Admin) to the BFC-Admin mailbox. Normally the request is made by the user with his/her manager in copy (manager as defined in the Solvay One organizational chart).

Important Notes:

If the manager is not in copy (this often happens with transferred tickets), BFCAdmin must request his/her approval before communicating the access granted.

To check the user's manager or missing details such as User ID or e-mail, BFC Admin can use the SuccessFactors application through this link https://performancemanager.successfactors.eu/:


Any request requiring access to critical data (Administrators and users requiring access to owner groups CONSO or CONSO+) or critical actions (Administrators and users requiring access to functional profile CONSOLIDEUR) must be approved by the Consolidation Manager (KUF) => SEC-03 & SEC-04.

Since the implementation of the Single Sign On, before creating a new user, the BFC Administration team must request the IS Adagio Wintel team to add the new user to the Active Directory (AD) “BFC User Group” list by creating a Solman ticket.

Active Directory (AD) is the directory of all Solvay users’ accounts (but also computers, servers, printers, shared directories, etc.). It authenticates and authorizes all users and computers by assigning and enforcing security policies, installing and updating software, etc. For example, when a user logs into a computer, AD checks the submitted password and determines whether the user is a system administrator or a regular user.


Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access

Frequency: on demand @ each user access request

Evidence stored in GDrive: https://drive.google.com/drive/folders/1eGfCz_979YQ-M4EW3KDpFNCXKugxZuls


INSIDER DEALING (FSMA)

The Insider dealing list (requested by the FSMA authorities in Belgium) is requested from the BFC Administration team by the CORPORATE SECRETARY.

The BFC Admin team is not the owner of this control but has to provide, each quarter, the information regarding BFC users having privileged access to financial data.

The BFC Administrator has to extract the users having access to full Solvay Group data (access groups = CONSO / CONSO+ / ADMINISTRATORS) and update the GSheet file shared by the Corporate Secretary, adding the new users and removing the old ones (people who have changed position or left the group), indicating the date on which data access was added/removed and the organizational department each user belongs to.


2.5 SEC-09 Authorization contact 

Purpose: Authorization Contacts review on a regular basis the roles assigned to users

This control is covered by SEC-03 and SEC-10

Description: As of June 2020, following a Deloitte recommendation, for users with functional profiles “CONSOLIDEUR” or “CONSO-SAISIE” the Consolidation Manager performs a periodic review of these users in order to validate that they still need this role.

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access

Frequency: Quarterly 

Validation process:

  1. BFC Administration team sends a screen copy of the users granted the role “CONSOLIDEUR” or “CONSO-SAISIE” by e-mail to the Consolidation Manager, requesting his review and approval.
  2. The Consolidation Manager's answer, with validation and/or a request for the necessary authorization updates, is sent back to BFC Administration.
  3. BFC Administration team proceeds with the updates in the system, when needed, and resends the print screen with the updated list of users to the Consolidation Manager.

Evidence stored in GDrive: https://drive.google.com/drive/folders/14oLPoNU-cUuCIE6a0fxK5XPsgr1JHQPD


2.6 SEC-11 (APP.02) Users Deactivation 

Purpose: 1) Deactivation done on a regular basis for internals, externals and movers.

Description: The Solvay Group members who have access to BFC should be compliant with their status and position in the HR tools. The objective of this internal control is to reconcile the users' status on BFC with their HR status and identify the users that should be deactivated from BFC.

Deactivation is done based on the lists provided by the IT internal control team (J.ABREU), every week for leavers and every month for movers.


Leavers process (Internals & Externals)

BFC leavers lists are produced every week by robot, reviewed by the IT internal control team (J.ABREU) and sent by J.ABREU to BFCAdmin by email. 

In addition to identifying the users to be deactivated, the list includes a verification of the last logon date versus the separation date.

BFCAdmin proceeds with the user's deactivation as soon as possible, within a week.


Movers

The list is sent by J.ABREU to BFCAdmin on a monthly basis.

BFCAdmin analyses the list to identify which users require access updates. Some may have already requested the update.

Following the analysis, BFCAdmin sends an e-mail to the user, with his/her manager in cc, asking whether the BFC access can be deactivated or not.


Evidence stored in GDrive: https://drive.google.com/drive/folders/1-rNxb171Sv2R7VsMEJV1K8r4QevYZLlf


In the BFC “Security/Users” module, deactivation is performed by setting the following in the user profile:

  • Owner Group: PARTI
  • Functional Profile: DESACTIVE
  • Data Access Group: RIEN

and the user must be blocked in order to be prevented from accessing BFC.


Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access

Frequency: Weekly (leavers) / Monthly (movers)


Purpose: 2) Temporary deactivation on BFC when the user has not connected during the last 6 months

When a user has not connected during the last 6 months, his/her access has to be temporarily deactivated on BFC. Note that on GUDSIS the status may still be ACTIVE, but the user may have a new position that does not require access to BFC so frequently; temporary leave (maternity, sickness) can also explain those cases. Before deactivating a user without any connection during the last 6 months, the BFC Administration team sends an e-mail to those users asking them to log on to BFC within the next 7 days in order to retain their accounts.

Message sent to users prior to deactivation:

Dear Colleague,

Please note that your account for accessing the BFC application has been inactive for more than 6 months. If you have lost the access link, you may connect to BFC by copying and opening this URL https://financialconsolidation.solvay.com/FCPROD/

To avoid disruption of your account, kindly log in to BFC within the next 7 days to retain your account. The account will be suspended without further notice thereafter. If your account is suspended, you may re-submit your access request to $SBS FinanceSL Fin Acc SU BFC Admin

  *Please ignore this message if you have connected to BFC before receiving it  


In the BFC “User” module, if the user has still not connected 7 days after receiving the above message, his/her profile is updated as follows:

  • Owner Group: NET
  • Functional Profile: No change
  • Data Access Group: No change

and the user must be blocked in order to be prevented from accessing BFC.


Exceptions

“TINSTALL user”:

The user TINSTALL must always remain active

  • This user ID is the one used by the SBS IS Infra teams to test that the technical installation of the BFC application on users’ PCs is correct.
  • Note that this user only has rights to connect to the BFC application, without any other rights to modify objects or display data.

“ADMIN user”: 

The user ADMIN must always remain active

  • Admin is a special technical user; it is created automatically when the BFC application is installed and the database created. Some administrative tasks can be performed only by the Admin user, mostly related to application installation and upgrade.


Evidence stored in GDrive: https://drive.google.com/drive/folders/1-rNxb171Sv2R7VsMEJV1K8r4QevYZLlf
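As an added illustration (not part of this procedure or of the BFC product), the following Python sketch encodes the SEC-11 rules above: leaver deactivation (PARTI / DESACTIVE / RIEN, blocked), the 6-month inactivity warning with its 7-day grace period (Owner Group NET, blocked), and the TINSTALL/ADMIN exceptions. The BfcUser fields, the 182-day approximation of six months, and the sample extract are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
EXEMPT_USERS = {"TINSTALL", "ADMIN"}   # technical users that must always remain active
DORMANT_AFTER, GRACE_PERIOD = timedelta(days=182), timedelta(days=7)  # assumed: 6 months = 182 days; 7-day grace

@dataclass
class BfcUser:                         # field names are assumed, not BFC's own schema
    user_id: str
    last_logon: Optional[date]
    separation_date: Optional[date] = None   # from the weekly leavers list
    warned_on: Optional[date] = None         # date the inactivity notice was sent
    owner_group: str = "NET"
    functional_profile: str = "CONSO-SAISIE"
    data_access_group: str = "CONSO"
    blocked: bool = False

def classify(u: BfcUser, today: date) -> str:
    """Decide the action for one user: exempt, leaver, warn, suspend or keep."""
    if u.user_id in EXEMPT_USERS:
        return "exempt"
    if u.separation_date is not None and u.separation_date <= today:
        return "leaver"
    if u.last_logon is not None and today - u.last_logon <= DORMANT_AFTER:
        return "keep"
    # A warning only counts if the user has not connected since it was sent.
    if u.warned_on is None or (u.last_logon is not None and u.last_logon > u.warned_on):
        return "warn"
    return "suspend" if today - u.warned_on >= GRACE_PERIOD else "keep"

def apply_action(u: BfcUser, action: str) -> None:
    if action == "leaver":         # leaver/mover deactivation profile
        u.owner_group, u.functional_profile, u.data_access_group = "PARTI", "DESACTIVE", "RIEN"
    elif action == "suspend":      # temporary deactivation: only the Owner Group changes
        u.owner_group = "NET"
    u.blocked = u.blocked or action in ("leaver", "suspend")

def reconcile(users: list, today: date) -> dict:
    # Classify every user, apply the change in place, return the action per user ID.
    actions = {u.user_id: classify(u, today) for u in users}
    for u in users:
        apply_action(u, actions[u.user_id])
    return actions

TODAY = date(2021, 11, 10)   # constructed run date, matching the page's reference date
SAMPLE_USERS = [             # constructed sample extract, not real data
    BfcUser("TINSTALL", None),
    BfcUser("U_LEAVER", date(2021, 10, 20), separation_date=date(2021, 11, 1)),
    BfcUser("U_DORMANT", date(2021, 3, 1)),
    BfcUser("U_WARNED", date(2021, 3, 1), warned_on=date(2021, 11, 1)),
]
```

Running `reconcile(SAMPLE_USERS, TODAY)` deactivates U_LEAVER, flags U_DORMANT for the warning e-mail, suspends U_WARNED (warned 9 days earlier, still no logon) and leaves TINSTALL untouched.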