1. Objective and Scope

The objective of this procedure is to describe purpose and process related to the BFC internal controls (users accesses management, customizing activities, sensitive actions from BFC Administration team…).

Both maintenance and customizing activities must be performed in compliance with internal controls designed with Data Compliance and Audit team and audited twice a year by Solvay external auditors (mid-year and year-end cycles).

2. BFC Internal Controls

Main risks to be covered are the following: 

• Uncontrolled activities from BFC Admin (having by definition 100% rights in the tool): non justified deletion of objects, piloting to production of non approved changes in customizing
• Modification of Financial data by unauthorized users
• Missing segregation of duties (i.e users able to unlock and resubmit data)
• Uncontrolled extended display rights (giving access to full set of Solvay Group results). This is also linked with quarterly review & update of Insider dealing’s list from Group General Secretary

BFC Administration team is the control owner of the following internal controls: Audit

•  SEC-01 Password Management
• SEC-03 Functional Profiles 
• SEC-04 Access Rights
• SEC-07 Access Requests 
• SEC-09 Review of sensitive accesses
• SEC-10 Audit Trails
• SEC-11 Users Deactivation
• SEC-12  Users Deactivation / temporary deactivation
• PPC MNT 01 05 06a 06b -Maintenance controls

2.1 SEC-01 Password Management

Purpose: Check the compliance of BFC users passwords with Solvay Security policy 

This Control is restricted to “Internal Users” (authentication type "internal") as “External Users” (authentication type "external") are using the Single Sign On.

Description: The BFC Administration team reconciles an extract of password settings from the BFC_Production system and the password guidelines included in the security policy: all the directives must be respected.

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Completeness, Accuracy and Restricted Access

Frequency: from May 2022,"on flow" when Solvay’s password policy changes (before frequency was a yearly one)

Note: use of special characters (such as @ #) can not be forced as it prevents users to use retrieves of BFC figures in Excel

Control evidence: 

In “Action” menu / “Password Manager” option, the BFC Administration team defines length of Internal password as well as their validity duration. 

From May 2022 parameters adapted:

• After 90 days (before duration was 60 days) using the same password, BFC will automatically oblige the Internal user to change his / her password. Without this renewal, the Internal user cannot connect anymore to BFC
• Length of password set to 12 characters (before 8 characters)

• The Single Sign On enables users to use their Solvay personal login and password (the one used to connect to their computer) to connect also to BFC. 
• When they will change their Windows password, it will be automatically taken into account by BFC too.

Evidence stored in GDrive: https://drive.google.com/drive/folders/1GI_ZB6EsHhhHrVKSolXdjofT3ip0LFNI

2.2 SEC-03 Functional Profiles

Purpose: All the Functional Profiles creation/modification requests are formally validated by the GAR Consolidation Manager (appointed as KUF = Key User Function).

Description: The BFC Administration team, before updating the role into the system, checks manually the presence of incompatibilities in the role design, according to the matrix of incompatible actions. In case of some incompatibilities are found he/she informs the Consolidation Manager (KUF) who validates them.

A functional profile defines the types of rights to perform specific tasks in the application. For example, whether or not a user is authorized to create, change or delete data in schedules. 

The major risk to be managed is to avoid to introduce in Functional profiles (through creation / modification) incompatible rights without any authorization from KUF.

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation, Accuracy

Frequency: On Flow, ie everytime there’s a need to change or create a functional profile

A) Functional Profiles created in BFC since its implementation in 2005

B) Functional Profiles currently used (31/05/2022)

C) Description of Functional Profiles currently used (31/05/2022)

Evidence stored in GDrive: https://drive.google.com/drive/folders/19Dc-vvsciksgLYn2UK4uYbuZbLyxGdw2

2.3 SEC-04 Access Rights

Purpose: Matrix of incompatible transactions by critical level is maintained and updated in order to include each new critical transaction.

Description: The file “IT FC SEC-04 Access Rights 2022” is a validation of the updated matrix of incompatibilities by the Key User Function (Consolidation manager):

• The "Responsibilities Matrix" tab is a Description of the Functional Profiles that are used in BFC highlighting the incompatibilities existing in some of them. Main incompatibilities existing:

 - Functional profile ADMINISTRATION: "full power" users authorized to modify (creation and deletion) all of the objects and data in SAP Financial Consolidation.

 - Functional profile RTR BO-COR:  the combination of rights to 1) unlock packages + 2) modify data inside + 3) publish packages modified should be considered conflicting duties. 

• From May 2022, the incompatibilities will be controlled each time there is a change in an existing / creation of a new Functional Profile content (link with SEC03) to ensure that those actions do not generate any incompatibility
• This matrix is signed by the Consolidation Manager (KUF), scanned and published in Google Drive each time there's an update (change or creation of a functional profile) generating a new version.

The "Functional Profiles Definitions" tab is a detailed description of the Functional Profiles.

Control type (Completeness, Accuracy, Validation, and Restricted Access): Validation

Evidence stored in GDrive: https://drive.google.com/drive/folders/1cZ5Dm7QTzifrxoy6yjRXabrdURMwPlo2

Frequency: From May 2022, "On Flow", each time we change or create a functional profile (consistent with SEC-03)

2.4 SEC-07 Access Requests 

Purpose: Access rights given to users are formally validated by the BFC Administration team. 

Description: Access requests are sent by e-mail or via Service One ticket (transferred by IS BFC Admin) to the BFC-Admin mailbox, normally the request is performed by the user with his/her manager in copy (manager as defined in Solvay One Organizational chart).

Important Notes:

• If the manager is not in copy (it happens often with the transferred tickets), the BFC Administration team must request his/her approval before communicating the access given. 
• To check the user's manager or missing details like User ID, email, BFC Admin can use SuccessFactors (Solvay HR) application / "Org Chart" section through this link https://performancemanager.successfactors.eu/:

• Any request requiring access to critical data (Administrators and users requiring access to owner groups CONSO or CONSO+) or critical actions (Administrators and users requiring access to functional profile CONSOLIDEUR) must be approved by the Consolidation Manager (KUF) => SEC-03 & SEC-04.
• Since the implementation of the Single Sign On, before creating a new user, the BFC Administration team must request IT team through ticket in Service One to add this new user to the Active directory (AD)  - “BFC User Group”  - refer to the following procedure Users access Management in BFC-6.REQUEST TO ADD THE USER IN THE ACTIVE DIRECTORY GROUP. 
• Active directory (AD) is a list of all Solvay users’ accounts (but also computers, servers, printers, shared directories…). It authenticates and authorizes all users and computers by assigning and enforcing security polices, installing and updating software... For example:  when user logs into a computer, AD checks the submitted password and determinates whether the users is a system administrator or a regular user.

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access

Frequency: On demand @ each user access request

Evidence stored in GDrive: https://drive.google.com/drive/folders/1eGfCz_979YQ-M4EW3KDpFNCXKugxZuls

2.5 SEC-09 Review of sensitive accesses

Purpose:  Users list with sensitive accesses is reviewed by Consolidation manager (KUF) before each quarterly closing

Description:

• Although accesses are granted upon managers approval (in case of sensitive accesses upon Consolidation manager approval as well) and users deactivation occurs on a regular basis the list of users with sensitive accesses (rights to change data at conso level) is reviewed by Consolidation manager before each quarterly closing. The risk to be covered is to avoid keeping sensitive accesses no longer needed (users who have changed job positions)
• Note that the exhaustive access review not covered here (only sensitive accesses) is compensated by SEC 11 Users deactivation related to Leavers & Movers 

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access

Frequency: Quarterly in March - June - September - December, before quarterly closing process

Validation process:

1. BFC Administration team sends a screen copy of users granted with functional profiles "CONSOLIDEUR"" or ""CONSO-SAISIE" or "ADMIN" by e-mail to GAR Consolidation manager requesting his review and approval 
2. GAR Consolidation manager's answer with validation and/or request for necessary authorization updates, is sent back to BFC Administration
3. BFC Administration team proceeds with updates, when needed, in the system and resent the print screen with new updated list of users to Consolidation manager

Evidence stored in GDrive: https://drive.google.com/drive/folders/14oLPoNU-cUuCIE6a0fxK5XPsgr1JHQPD

ADDITIONAL QUARTERLY PROCESS - INSIDER'S DEALING (FSMA)

• The Insider dealing list (requested by FSMA authorities in Belgium) is requested by GROUP GENERAL SECRETARY to the BFC Administration team.
•  BFC Admin team is not the owner of this control but has to provide, each quarter, the information regarding BFC users having privileged access to Financial data.
• BFC Administrator has to extract users having access to full Solvay Group data (access groups = CONSO / CONSO+ / ADMINISTRATORS) and update this GSheet file shared by Corporate Secretary adding the new users and removing the old ones (people who have changed position or left the group), informing the date on which data access was added/removed and to which organizational department belongs to. 

2.6 SEC-11 Users Deactivation 

Purpose 1: Deactivation done on a regular basis for leavers and movers.

Description: The Solvay Group members who have access to BFC should be compliant with their status and their position on HR tools. The objective of this Internal Control is to reconcile the users status on BFC according to their HR status and identify the users that should be deactivated from BFC. 

Deactivation is done based on the lists provided by IT Internal Control team (Risk and Compliance):

• every week for leavers
• every month for movers

Leavers process (Internals & Externals) - weekly

• BFC leavers lists are produced every week by robot, reviewed and sent by the IT Internal Controls team  to BFC Administration team by email. 
• In addition to the identification of users to be deactivated the list includes verification of last logon date versus separation date. 
• BFC Admin proceeds with the user's deactivation as soon as possible within a week.

Email sent from IT Internal Controls team:

BFC Admin should make a copy of the file sent in the email to BFC internal controls GDrive folder   (or download it to excel and upload it in the GDrive afterwards).

In the new file (just copied from the file received), the following changes have to be made: 

• rename the file adding the date when it was received - Leavers Report dd.mm.yyyy

• remove the tabs concerning other applications: Quantum, Google, SAP IDM8

• add tab BFC Deactivation where the evidence will be saved

In tab BFC deactivation copy/paste the print screen from BFC showing that users have been blocked.

Movers - monthly

• List is sent by IT Internal Controls team to BFC Admin on a monthly basis.
• BFC Admin analyses the list to identify which users should be subject to access updates. Some may have already requested the update.
• Following the analysis BFC Admin sends an email to the user with his/her manager in cc asking if the BFC access could be deactivated or not. 

Email sent from IT Internal Controls team:

BFC Admin should make a copy of the file sent in the email to BFC internal controls GDrive folder   (or download it to excel and upload it in the GDrive afterwards).

Unlike in leavers file, in the movers file we receive all leavers since Jan.1st until Dec.31st.

Therefore, as some users have been already treated by BFC Admin in previous months, we need to start by filtering the file by the new movers.

Filtering by Calendar Day and selecting the new dates not present in previous month file will give the new movers:

Each case must be analyzed in a different tab as different comments need to be provided.

The users in the file have had a change either in Business Unit, or Job Function or Job Classification. 

Below are the examples of the emails sent to users (and their managers in cc) who have changed

1) Business Unit 

2) Job Function

3) Job classification

Not all the cases may require an email sending from BFC Admin because the access rights may have already been updated.

And not all the cases may require an access update despite the change in job function or job classification.

Examples of the situations that may occur: 

1) The access rights are already according to new position - Sometimes the user or his/her manager have already requested the access rights update 

2) Access rights should be kept - It has to be the user (with manager in CC) or the manager to inform it

3) Access rights need to be adapted - It has to be the user (with manager in CC) or the manager to inform it

4) Access rights should be cancelled - It has to be the user (with manager in CC) or the manager to inform it

In BFC “Security/Users” module, deactivation will be proceeded the following in the user profile:

• Owner Group: PARTI or INTER-MOVERS
• Functional Profile: DESACTIVE 
• Data Access Group: RIEN

and the user must be blocked in order to be prevented from accessing BFC.

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Validation and Restricted Access

Frequency: Weekly (leavers) / Monthly (movers)

2.7 SEC-12  Users Deactivation / temporary deactivation

Purpose: Temporarily deactivation on BFC when the user has not connected during the last 6 months

• When the user has not connected during the last 6 months his/her access has to be temporarily deactivated on BFC. Note that on GUDSIS the status may be still ACTIVE, but the user can have a new position that doesn´t request the access to BFC so frequently; temporary leave (maternity, sickness) can also justify those cases. Before deactivating a user without any connection during the last 6 months, BFC Administration team sends an email to those users asking them to logon to BFC within the next 7 days in order to retain their accounts.
• Frequency : early June / early December
• Message sent to users prior to deactivation:

Dear Colleague,

Please note that your account for accessing the BFC application has been inactive for more than 6 months. If you have lost the access link, you may connect to BFC by copying and opening this URL https://financialconsolidation.solvay.com/FCPROD/

To avoid disruption of your account, kindly login to BFC within the next 7 days to retain your account. Account will be suspended without further notice thereafter. If your account is being suspended, you may re-submit your access request to $SBS FinanceSL Fin Acc SU BFC Admin  

  *Please ignore this message if you have connected to BFC before receiving it  

• In BFC “User” module, if the user has still not connected 7 days after the reception of the above message, his/her profile will be updated as follows:
  • Owner Group: NET
  • Functional Profile: No change
  • Data Access Group: No change
  • and the user must be blocked in order to be prevented from accessing BFC.

Exceptions

 “TINSTALL user”: 

The user TINSTALL must remain always active: 

• This user ID is the one used by SBS IS Infra teams to test that the technical installation of BFC application on users’ PC is correct.

• Note that this user only contains rights to connect to BFC application, without any other rights to modify any objects or to display any data. 

“ADMIN user”: 

The user ADMIN must remain always active: 

• Admin is a special, technical user, it is created automatically when BFC application is installed and database created. Some administrative tasks can be performed only by Admin User, mostly related to application installation and upgrade

Evidence stored in GDrive: https://drive.google.com/drive/folders/1DEdG-9J_pkeEQPJtxv4jFv_lklcX49Kk

2.8 SEC-10 Audit Trails 

Purpose: Audit trails on critical activities (deletion of objects) on a regular basis to ensure that all the actions made are justified.

Description: This control traces the sensitives actions in the PRODUCTION environment performed by:

• Users with ADMINISTRATION functional profiles (full rights & restricted rights): ADMIN / ADM-xxx / ADM-LEGER
• Users with IT functional profiles
• Users having double accesses to BFC (2 logins)
• Users ID starting with TESTxx and user TINSTALL

From May 2022: As  several controls are already in place to control users accesses (SEC07 Access requests /  SEC 09 Review of sensitive accesses / SEC 11 and 12 Users deactivation) and already covering the control of sensitive actions (unlocking, publication by special permission...), critical actions to be monitored through SEC 10 Audit trails are restricted to the deletion of objects.

Note that IT/TEST/TINSTALL profiles don’t have a significant impact in terms of modifications in BFC:

• The IT profile has access to all the data, however only in consulting mode;
• TINSTALL user has no access to change any objects or to access to any data;
• TESTxx users are only activated on demand by BFC Administration to solve issues raised by BFC end users (eg “I can not see packages”, “I can not see this x company in my list”…). TESTxx user is temporarily activated with the same rights than the requestor to experience/see the same. Once issue solved, the TEST user is deactivated.

Control Report Process

1) On WD1 of each month, BFC Admin asks DT BFC Admin to extract the audit trail file from Log module;

Below is the email template to be send to DT colleagues:

2) This list contains all deletion actions performed (who and when);

Evidence stored in GDrive: https://drive.google.com/drive/folders/18WARFfNuvQhiqYi3RE8qAxi903Ey8QY4

3) BFC Admin creates tab BFC Admin review (copy from Actions by User profile tab)

Arrange the layout as below in order to be more legible:

4) Finally it should be analyzed for possible anomalies – BFC Administration team Comments - and the file should be sent/shared for BFC Admin manager review;

Control type: (Completeness, Accuracy, Validation, and Restricted Access): Completeness, Accuracy and Validation

Frequency: From May 2022 monthly and focused on deletion of objects (before quarterly frequency was not appropriate as too late to react in case of risky actions taken)

2.9  PPC MNT 01 05 06a 06b - Maintenance controls 

Purpose:

The BFC Administration team is responsible to manage the maintenance of BFC. 

1. The customizing and the main changes in BFC should be duly documented and justified; 
2. The control shall be carried out in relation with the requestor;
3. The control is sized according to the risks.

The following risks will be covered by the Internal Control framework:

• PPC MNT 01 : Any request for customizing change is validated (or directly submitted) by an authorized KU (Key User)
• PPC MNT 05 :  Acceptance is given by an authorized KU (key User) prior to piloting changes into Production
• PPC MNT 06a : Backward traceability is ensured - consistency between changes piloted to Production and initial request
• PPC MNT 06b : Authorization for Production upgrade is given by an authorized KU (Key User) before piloting changes into Production

Types of modifications:

The maintenance categories can be grouped in 4 types :

• [A] Recurring reporting set-up (Basic Customizing) M (monthly)/ Q (quarterly) / Y (yearly)
• [B] Correction of errors
• [C] Improvements 
• [D] Medium to complex Customizing (changes in Chart of Headings, New Business Structures, changes in Reporting content....) represent critical / sensitive maintenances on BFC. 

"Recurring maintenances" – Customizing (creation of new objects) with no impact in the data already in the Production environment:

• Monthly recurring activities: creation of scopes, exchange rates tables, new companies
• Creation and/or Modification of schedules;
• Creation in the Structure: New dimension member; new characteristic member; Filters creation;
• Creation in the Set of Rules: Creation of new consolidation rules
• Creations in the Category Scenario: New controls/new headings/new formulas...

“Critical / sensitive maintenances ” – Customizing (modification of existing objects) with impact in the data already in the Production environment: 

• Changes in the Structure: Creation of new objects (Dimensions; Characteristics, Reference table...); Changes in existing filters;
• Changes in the Set of Rules: Changes in the existing consolidation rules;
• Changes in the Category Scenario: controls / headings & analysis schemes / formulas/ account Families …
• Complex Projects: new IFRS norms as example;

A BFC project can be defined as: 

• A formal request from a BFC Key User (belonging to the “Authorized requestors” list defined below) expressed through a functional specification; 
• A complex request requiring the modification of the Dimension Builder and Category Scenario objects, with the corresponding technical specifications; 
• A request whose implementation in Production passes through tests in the Test environment and formalized validations. The concept of BFC projects obviously does not cover version migrations ( supported under IT project);

• It´s the combination of those 3 criteria that determines whether we are in a recurring maintenance or in a project.

List of Authorized requestors (BFC Key Users):

• GAR CONSOLIDATION team Brussels: Mario Tondo / Nicolas Donck / Elisa Canova / Bernard Marechal  / temporary mission in GAR team for "PO2 Combined FS" Stephane Collignon
• GAR TAX Luxembourg - Tax reporting: Anne Calicis
• GAR CONTROLLING : Lorenzo Roncoroni (successor of Farid Guenfoud on June 1st 2022)
• CONTROLLING Business: Nicolas Bourgois

Operating mode for each maintenance category of the BFC Administration team

[A] Reporting set-up Monthly / Quarterly / Yearly

•  [A1] ACTUAL’s (IFRS purposes) M/ Q / Y – Monthly Process
  • The BFC Admin team is responsible for preparing the Reporting set-up required for each reporting cycle:
    •  Opening of reporting periods on WD-4 – Done directly in Production
    •  Reporting packages creation and generation on WD-2 – Done directly in Production
    •  Creation of exchange rates table on WD-1
    •  Creation of consolidation scopes on WD1
    •  Creation of Consolidation/ Intercos Reconciliation definitions on WD1 – Done directly in Production
    •  Creation/update of objects in the Dimension builder: Companies, Sites, Business activities
    • Note that the Risks related to the management of a monthly / quarterly and yearly reporting sessions are low impact. Any errors detected can be easily corrected.

• [A2] RSB (Controlling purposes) – Quarterly Process / [A3] PREV(Controlling purposes) – Yearly Process
  • The formalization of the modifications done to these two types of reporting sessions are managed by the Corporate Controlling (KUF: Nicolas Bourgois);
  • The BFC Administration team is responsible to perform the necessary changes;
  • Once the changes are made, Corporate Controlling validates that the changes are in line with expectations and gives the GO for piloting to Production;
  • Evidence: Controlling agreement (KUF: Nicolas Bourgois) to pilot to Production;

[B] Correction of errors / [C] Improvements (with no impact in the Reporting Content)

• Error corrections and improvements are usually based on the feedback from the Reporting cycles. For example, a control to be modified, a data collection to be improved in the reporting packages, a new report to be created, corrections of existing descriptions. 
• These corrections / improvements are safe from both BFC settings and data integrity point of view. Otherwise, it is no longer a question of corrections / improvements but of a BFC project.
• The associated controls must be minimal and not heavy to ensure fast services to requestors.
• As a general principle, the piloting actions for [B] Corrections and [C] Improvement  are carried out in the same way as the type [A] Reporting Set-up.

[D] Structure Update and Customizing

• The changes linked to the Structure Update and Customizing are expressed by an authorized Key User from Consolidation / Tax / Financial Controlling / Corporate Controlling
• The implementations are more complex but generally not risky as: 
  • The updates are made outside of the closing periods with a compulsory testing part
  • Consequent updates are never implemented over a quarterly reporting period
  • A reversal / step back is always possible
• The changes are managed by the BFC Administration, documenting the changes with:

1. 1. Definition of the need, expressed and completed with the requestor
   2. Functional analysis (impacts of changes in reporting framework)
   3. Functional specifications (changes needed in BFC modules and objects)
   4. Testing plan (to be performed by both Administrator and Requestor)
   5. Evidences obtained from tests
   6. List of objects to be piloted to Production (once final validation and authorization to pilot are obtained)

Internal Controls :

In order to simplify the process, several types of tasks have been created in BFC according to the related process and to the requester: 

• EXPL-ADMIN: for the reporting set-up or other recurring tasks / corrections and improvements (type A1 / B / C) -  no approval required from KUF as linked to recurring activities)
• EXPL-CONSO: for requests (type D) expressed by the Consolidation team (KUF : Mario Tondo / Nicolas Donck / Bernard Marechal / Elisa Canova);
• EXPL-CTRLFIN: for requests (type D) linked to the Financial controlling (KUF : Lorenzo Roncoroni); 
• EXPL-GESTION: for requests (type A2 / A3 / D) linked to the Corporate controlling (KUF : Nicolas Bourgois);
• EXPL-TAXES: for requests (type D) linked to the Taxes (KUF : Anne Calicis);
• For ALL types, periodic and retroactive review of all pilotings is done to validate appropriateness using four eyes principles (validator not being the one having piloted the changes into Production)

The BFC Administration team uses always these tasks and their content is transferred to Production. Any piloting from BFC Customizing database (FC_TOP) to BFC production database (FC_PROD) is logged/archived and can be extracted.

Specific Internal controls for tasks type EXPL-CONSO / EXPL-CTRLFIN / EXPL-GESTION / EXPL-TAXES (note: does not apply to EXPL-ADMIN tasks):

• BFC Admin team will archive as Internal Control evidences:
  • initial request submitted by an authorized Key User (PPC MNT 01) - channel can be e-mail / meeting minutes
  • formal acceptance of customizing done from the authorized Key User (PPC MNT 5)
  • fomal authorization to pilot customizing changes (objects) to production from the authorized Key User (PPC MNT 6b)
  • print screen of objects piloted to Production in link with the requested changes (PPC MNT 6a)
• Note that the 4 evidences can be sometimes collected in the single printing of a chain of mails

• Evidence stored in GDrive: https://drive.google.com/drive/folders/1G67YgvhE3tVvBJkyYUp6tLwHsLnOTf2c

Internal Control applicable to ALL tasks type (EXPL-ADMIN / EXPL-CONSO / EXPL-CTRLFIN / EXPL-GESTION / EXPL-TAXES):

Every month , BFC Admin team will:

• extract from the BFC Production database the full list of piloted tasks (since last day of review to date) - extraction will be stored in this folder Piloted tasks review and validation

• For each piloted tasks, BFC Admin team will complete the Extraction's file adding the Category type (A / B / C / D)  as well as the Transferred content (objects piloted)
• E-mail will be exchanged between BFC Admin team members requesting review and validation of each piloting applying the four eyes principle (validator not being the BFC Admin team member having done the piloting)
• Detailed review and validation will be formalized in a dedicated column in the Extraction's file: name of validator / note: for tasks EXPL-CONSO / EXPL-CTRLFIN / EXPL-GESTION / EXPL-TAXES, subject to a dedicated set of Internal Controls, a reference to the approval obtained from authorized Key User will be given by the validator
• Overall validation confirmed by e-mail will be stored in this folder Piloted tasks review and validation

Assessment of completeness and accuracy of customizing changes:

Every change (creation / update) in BFC customizing is driven by Corporate Consolidation and Controlling needs to perform monthly / quarterly / year end Consolidation and Reporting cycles. 

As explained above, piloting of changes to BFC Production can be done using different types of tasks:

• recurring needs (scopes, exchange rates, consolidation status of companies...) : managed autonomously (as part of his/her direct responsibilities) by BFC Admin using information collected on flow from various channels of communication (GAR closing calendar, GAR Structure file, GAR closing instructions, General Group Secretary, Quantum interfaces for Exc rates...) and from direct interactions with Corporate Consolidation and Controlling (phone call, mails, chat) - all recurring tasks being documented in BFC Admin Operating Procedures
• complex changes : managed by BFC Admin team following for Internal Control evidences (initial request / testing validation / authorization to pilot to production)

At each Consolidation & Reporting cycle, completeness and accuracy of customizing changes can be considered as achieved once the Consolidation and Reporting process of the period is finalized: meaning that consolidation work is finalized as well as analytical reviews and checks from the different stakeholders (Corporate, Accounting, Businesses) before disclosure.

It means as well as that every change on BFC customizing piloted before the beginning of the process has contributed to reach the Consolidation and Reporting needs without any deficiency.

This final - either monthly or quarterly or year end -"Consolidation End state" milestone is formalized by e-mail sent from BFC Admin team to Corporate GAR team requesting the green light to make a back up with locking of the last run IFRS Consolidation (special variant BKUP used) in BFC.  Evidences of Corporate GAR's green light to proceed back up and locking posted in this folder  GAR Green light for conso back ups

END OF THIS PROCEDURE