lois-ondreau
Uploaded On 2019-11-06

Presentation Transcript

Agency Roles and Responsibilities for SFS Administration
Internal Control Officer Resources
3/23/2017
For use with New York State agency staff and SFS users. Contents subject to change.

Agenda
Objectives
ICO Role & Responsibilities
Coordination with Administrators
ICO Resources
Questions

Objectives
Provide an overview of SFS areas where internal control monitoring is critical for success and data protection.
Know where to go for resources and tools to assist Internal Control Officers.

Internal Controls
Internal Controls over Security access relate to the OSC Advisory 28 and the Certification of Internal Controls over the Payment Process.
The recent updates to the SFS Security policy, the recent Internal Control Officer training, and the new Internal Control Officer resource page are meant to help Agencies more easily achieve the goals outlined in the OSC advisory and certification.

SFS Security Policy
Each Agency works to comply with OSC Advisory 28 and the related Certification requirements. The SFS Security policy referenced in the Certification is stored on SFS Secure.
Starting on page 11 of the SFS Security Policy, the roles and responsibilities of the Agency Security Administrator (ASA) are explained.
Starting on page 13 of the SFS Security Policy, the roles and responsibilities of the Agency Internal Control Officer (ICO) are explained.

ICO Role & Responsibilities
Kristen Pelcher
3/23/2017
Statewide Financial System (Internal Use Only). Contents subject to change.

ICO SFS Responsibilities
Understand potential SFS risk scenarios for your agency and available tools to monitor data integrity.
Validate that your agency business processes reflect:
  The communication required to keep SFS data up to date
  The ongoing internal control monitoring of data maintenance
Confirm with your ASA that you have the appropriate data access to view agency administrator queries.
Upon finding a gap in SFS data maintenance, update internal agency business processes accordingly.
Note: ICOs are not responsible for maintaining SFS data; ICOs are responsible for periodically monitoring that SFS data is being maintained appropriately.

Monitoring Explained
Monitoring should include an internal agency review to ensure that you have the below processes documented:
HR office communication procedure as it relates to:
  SFS account creation for Employee Onboarding
  SFS account locking/removal for Employee Separation
  SFS account changes for both Employee Internal and External Transfers
Supervisory checklist for new or changed SFS users to receive training
Regular review and associated SFS sign off submission for:
  SFS Quarterly access reports & Administrator activities
  OSC Advisory 28 Guideline Alignment and ICO Certification of Payables

SFS Security Policy – Key ICO Item
ICO View Role Request Process
Agency Head/Chief Financial Officer should follow the Agency internal process to request the ICO View role be assigned in SFS to the Internal Control Officer.
Recommended Action for Compliance
All Internal Control Officers and any internal auditors responsible for monitoring Agency Administrator activity should have SFS access and have the Internal Control Officer View role assigned.

SFS Security Policy – Key ICO Item
Quarterly Review
Quarterly review and yearly return of periodic user access and role assignment audits.
Recommended Actions for Compliance
Document an agency process around their monitoring procedures that ensures a Quarterly review, and that:
  The Agency is returning the requested SFS Quarterly signoff form at least once each fiscal year in July.
  Those who sign are checking the boxes on the form based on the monitoring performed.
If not receiving the email, confirm ICO designation form has been submitted on your behalf.

SFS Quarterly Reports
SFS delivers provisioned access reports, once per quarter, in April, July, October, and January, for review by ASAs, ICOs, and Agency Coordinators.
SFS requires agencies to validate and sign-off on their agency users and their role mapping in the SFS system at least once every fiscal year. This validation should ensure that only active users are maintained in New York State’s enterprise Financial System. As part of OSC’s Annual Financial Audit over SFS, responses provided by each agency are reviewed and are subject to audit.
Failure to submit an annual sign off will result in an escalation to the Agency CFO and if necessary, the Agency Head. If no sign off submission is received after this escalation, the SFS Joint Governance Board (JGB) will be notified of the non-compliance with Internal Controls Standards.
At the time of the October quarterly report distribution, SFS Security will reach out to all non-compliant agencies to ensure that they have time to act on the yearly sign off requirement.

Quarterly Reports and Validation
Pay attention to the SFS Quarterly Reports (distributed from SFS Security to ICOs, ASAs, and Agency Coordinators).
Incorporate the available data integrity queries into your annual Internal Controls review.
Job Aid: JAA-EDA205-008 Maintaining Data Integrity Using Queries
NOTE: These real-time queries are available to Administrators in the SFS year-round.
It is recommended that multiple signatures (ASA, ICO, and Agency Coordinator) be provided on the Quarterly validation.

Quarterly Report Sign Off
Submission Observations
Sometimes agencies are checking all the attestation boxes.
  As the statements contradict each other, you should only be checking to align with the activities you have performed. It is important to read what you are attesting to, as these forms are subject to audit.
  In addition to checking the boxes, your agency should retain proof of monitoring activities such as periodic report results and evidence of follow ups.
Some agencies are not returning forms timely.
  If we don’t receive a timely response, your agency’s lack of a response is escalated to our Leadership, and then to the Joint Governance Board of SFS.

Quarterly Report Sign Off
ASA signs off, attesting that they processed requests based on approved Agency requests, per the Agency's internal business process.
CFO signs off, attesting that they have validated that ASA designations and ICO designations are up to date, and if not, that they are in the process of sending to SFS any required updates.

Quarterly Report Sign Off
ICOs need to attest to their awareness of best practices, and that they are monitoring periodically.
These forms are subject to audit and evidence of monitoring may be requested of you. Due diligence is needed to ensure that internal controls are in place via SFS role mapping and any external compensating controls where applicable.

SFS Security Policy – Key ICO and ASA Items
Authorized Access and Accountability Maintenance
Ensure authorized access to data and resources, and that authorized access accountability is assigned and maintained.
Recommended Actions for Compliance
Document an agency procedure that provides an audit trail on how SFS Security access is granted, changed, and terminated. SFS is currently drafting a recommended procedure.
Schedule periodic audits to ensure Administrator activities are appropriate.
Internal auditors will randomly select ASA referenced activity from the ASA Activity query, and source the request back to the Agency internally documented procedure, to ensure the request was authorized.

Agency Internal Process Form
Agency approved SFS requests should align with Administrator activities generated through activity reporting.
Every request in SFS should be able to be mapped back to an authorized agency request on audit.
Request authorizations should be based on adherence to Separation of Duties best practices for internal controls.

Process Data Example
Approved Agency Request: Effective Date, ID Number, Ny.gov id, Employee id, Roles
ASA Request: ASA Self Service Request Number, ASA request details for security changes, Account locks/unlocks
EDA Updates: Supervisor changes, Department updates, Audit Stamp on record modifications
Monitoring Query Results: Effective date of changes align with authorized request; Roles on user align with authorized request
Process Improvements are needed if:
  Access is not updated at time of employee movement
  Account removal / locking requests should be sent at the time of user separation
  New employees don’t have functioning accounts when they start employment or change positions.
  Assigned roles should align timely with authorized requests to avoid separation of duties concerns.

Coordination with Administrators
Mary Alber
3/23/2017

Agency Administrators
Within each Agency, there are several administrative and technical resources required to provide SFS user support.
SFS Agency Administrators are the first level of support for the SFS.
Administrator: Description
Agency Security Administrator (ASA): Controls assignment of system roles, has the ability to reset user passwords, lock and unlock user accounts, and report on employee data and role data within SFS.
Credit Card Administrator (CCA): Assigns Procurement (P-Card) / NET / Travel (T-Card) credit cards to users and Reconcilers/Approvers to cards.
Employee Data Administrator (EDA): Maintains employee data such as default Chartfield string values, travel supervisors, and requestor and buyer defaults (such as default BU and ship to information), and assigns travel proxies.
Workflow Administrator (WFA): Understands and troubleshoots workflow; provides first-level support for transaction misroutes.
Password Reset and Unlock: Ability to unlock an employee’s SFS account, if the employee is locked out, lock an employee’s SFS account, and reset a password for an employee using the employee’s User ID.

Administrator Coordination
Security Request (ASA)
Supervisor Update (EDA)
Credit Card Assignment (CCA)
Transaction Monitoring (WFA)
Internal Control Officer (ICO)
ICOs are at the center of administration monitoring in SFS, and need to be informed about ASA, WFA, EDA, and CCA duties, at each agency, to ensure appropriate coordination of activities, and enable successful use of the SFS.

Coordination between SFS Administrators
Risk: IF SFS Administrators (ASAs, CCAs, EDAs, WFAs) are not informed timely by Agency HR units of ALL employee movements (including employees who will and will not login to SFS) THEN SFS transactions created or routed to those employees are at risk for workflow failure or misroute.
Mitigation: Agency’s implementation of a procedure between the HR and their SFS Agency Security Administration unit for timely communication of employee movement.
SFS Tools:
Agency Administrator queries for real-time reporting of employee and security data in SFS
  Main Menu > Reporting Tools > Query > Query Viewer
SFS Quarterly Report distribution and response
ASA Self-Service to maintain provisioning and lock and unlock user accounts.
  Main Menu > PeopleTools > Security

Regular Review
Risk: IF the regular review of roles and data security is not part of your Agency’s internal control processes: THEN data vulnerability may exist.
Mitigation: Agency’s Internal Control process includes review of SFS roles against Agency business processes. An Agency’s understanding of data access provided by each SFS role when coupled with other internal information can increase the potential for damage.
SFS Tools:
Agency Role Guide on SFS Secure
  SFS Secure > Access to SFS (Security & Roles) > Agency Role Guide
OSC Guide to Financial Operations

ICO Resources
Kristen Pelcher
3/23/2017

SFS Training
SFS Training Opportunities announced via email and web communications.
The last ICO training was held on 2/27/17 via webex.
SFS Secure
Accessible from your ny.gov account
Includes access to:
  SFS Key Role Mapping Documentation
  SFS job aids for all roles in the system
SLMS
Includes training courses for all modules in SFS

Key Role Mapping Documentation
The following documents are intended to be used by Agencies to effectively update and manage role mapping assignments going forward:
Document: Description
Separation of Duties Matrix: Matrix which lists roles subject to separation of duties or internal control considerations.
Overview of SFS Security: Presentation which discusses the approach to security and data access within the SFS.
Agency Role Guide: Excel workbook which provides the list of Agency roles, describes the purpose and function of each role, explains how roles relate to other roles, and how to assign users to accommodate approval workflow routing and separation of duty considerations.
Crosswalk of Roles from PeopleSoft 9.0 to 9.2: Excel workbook which provides a crosswalk of 9.0 and 9.2 roles, and includes the list of roles retired for EE1.

Demo of Training Resources
SFS Secure
Access to SFS (Security and Roles)
Internal Control Officer Information Center
Job Aids
Administrator Queries
SFS Query User Guide
Administrator Query Guides
NY_SEC_SOD_CONCERNS
NY_SEC_ADMIN_ACTIVITY
NY_SUPERVISOR_DIRECT_REPORTS

Weekly Communications Digest
Contains information for the coming week, and a run down of the most recent announcements from the SFS mailbox, along with helpful links.
Distribution Date, Audience, and summary of previous communications provided for reference

SFS Info Email Distribution List
Distribution list for key SFS communications, including the Weekly Communications Digest
Users can self-subscribe/unsubscribe
To subscribe: SFS Secure > User Community > Subscribe to SFS Communications

Questions?
Does anyone have a best practice they are willing to share?
Does anyone have a particular area that you struggle with?
If you are having a particular issue that you need help with, please open an incident with SFS Helpdesk.