Yardi User Group Change Management
Control Description
S22 - User access reviews are performed over in-scope application systems functions considered as relevant for financial reporting.
 
Control Performance Guidance

1. User Group & Reviewer Identification. Identifying the list of user groups will be the responsibility of the Financial Reporting Team and Internal Audit (see below chart for your assigned user groups). If new user groups are identified during the review period, then the Financial Reporting Team and Internal Audit will determine the individuals responsible for reviewing any new user groups. For those reviewers who are already performing Yardi user access review, please continue your current review and include any new user groups that you initiated or approved and communicate those to the Financial Reporting Team and Internal Audit so we can add them to your reports.
2. Report Generation & Distribution. The Financial Reporting Team will generate all necessary user group reports from Yardi and will be responsible for distributing them to the various reviewers without exception.
3. Review Period. The reports will typically be generated and distributed on or near the 15^th day of the last month of each quarter (i.e. 3/15, 6/15, 9/15, and 12/15) so it doesn’t interrupt the quarterly close period. Reviewers will typically receive approximately 1 week to review their reports but this time could be extended to a maximum of 30 days if issues or questions arise during the review process. This should allow adequate time to resolve any issues but please resolve any issues as quickly as possible.
4. Reviewer Succession Planning. If a current reviewer leaves the Company, transfers departments, or is out of the office during the review period, please have a backup person identified so there are no disruption during the review period.
5. Report Review. Please review the Yardi reports you receive from the Financial Reporting Team for validity and appropriateness.
6. Report Activity. If you have any issues or questions about the activity within your user group reports, please follow up as soon as possible with IT to resolve any issues or concerns you might have. 
7. Action Items. If your report activity shows users or functions that should not be on your user group, this would be considered an action item that needs to be resolved by you and communicated to IT for resolution. Please include any correspondences you have with IT to confirm resolution of your issues and send those to the Financial Reporting Team along with your final approved documents. Depending on your issues and resolution, this might result in the Financial Reporting Team having to re-run your reports so you can review and approve the clean reports. 
8. Approval. Affix an electronic signature and date to the report to document completion of your review and approval. The electronic signature is proof of your review. If you have problems with the electronic signature, then please physically sign and scan your reports and return the approved documents to the Financial Reporting Team. As a last resort, email approval would be considered evidence of your review.
9. Documentation. Once your review is completed, please email the approved reports and all IT correspondences regarding action items to the Financial Reporting Team. In addition, you should retain a copy of the reports that you reviewed and approved with any comments or notes for your own records.

For the following user groups, Role Contacts drives the PAYScan approvers so coverage on these groups will be a joint effort among the Senior Accounts Payable Manager, the Operations Team, and the Chief Accounting Officer:

1. o_asst                    Operations Assistant Manager
2. o_cm                     Operations Community Manager
3. o_cmtemp             Operations Temp Community Manager
4. o_maint                 Operations Maintenance
5. o_rpm                   Operations Regional Manager

Therefore, no quarterly Permission History or User Change Audit and no annual User audit reports are generated for these user groups; instead, the responsibility of each of the three parties listed above covering these user groups are as follows:
 
Responsibility of the Senior Accounts Payable Manager
The Senior Accounts Payable Manager will perform a review of PAYscan approvers only, which will include a review of the dollar limits on Operations workflows and a review of the role contacts for DMs, SVP Ops and Sr EVP. The latter will ensure that users are assigned to the correct groups.
 
Responsibility of the Operations Team
Each RPM and DM on the Operations Team will perform an annual review of the properties and the role contacts of the associates under his or her supervision.
 
Responsibility of the Chief Accounting Officer
The Chief Accounting Officer, with assistance from the Financial Reporting Team, will perform an annual review of the properties and the role contacts of the respective DM managing each property at the SVP Ops level; the Chief Accounting Officer will also perform an annual review of the properties and the role contact of the SVP Ops managing each property at the Sr. EVP level.
 
See further details in below section titled Yardi PayScan Role/Contact Change Management.

Yardi PAYScan Role/Contact Change Management
 
Due to the PAYScan access that Operations Associates have, and for the company to be SOX compliant annual reviews of the Yardi Role Contacts Report is required.
 
Role Contacts Report Review:

• A review was performed at the time of the Yardi 7S upgrade in February 2017. Starting FY2019, the performance of all future reviews of this report was reset to Quarter 3 of each year.
• The Role Contacts Report must be reviewed to verify:

• Associates are assigned to the correct roles
• Associates are assigned to the appropriate communities

(The Role Contacts approval limit for each role is reviewed by the Accounts Payable Manager. See above section titled Control Performance Guidance).
 
Frequency of Review:

• In prior periods, the IT Team assisted the Operations Team to generate and extract the reports directly from Yardi. Starting in Q3 2019, The Financial Reporting Team will assist the Operations team to do so.
• The Financial Reporting Team will schedule the reports to be created and extracted around the 15^th of the last month of Quarter 3.
• Operations must complete its final review of the reports around late Quarter 3/early Quarter 4.

Revisions to Role Contacts:

• Revisions must be documented on the reports and these revisions must be appropriately approved.
• A copy of the Essex Helpline communication must be retained.
• Confirmation of the resolution from the Essex Helpline must also be retained.
• Changes made to role contacts should be confirmed by the original reviewer.

Documentation of Review:

• The reports must be signed and dated (either wet or electronically) as evidence of review.
• The reports together with the supporting documentation for revisions must be sent to the respective Senior Group Operations Administrator of each region for retention.

Audit:
The review of the Role Contacts reports will be audited annually during our SOX audit.
Instructions for extracting reports from Yardi
 
Role Contacts – Review of users assigned to approve in PAYScan, the communities users are assigned to and the dollar limit of the approver
 
Complete the following fields:
Object Type              Select Property
Object Code              Select the desired property or property lists
Role                           Select the approver roles that is being reviewed
                                        (Approval role lists are listed below. Copy the blue italicized list below and paste into the Role field)

This report lists the property and the PAYScan workflow approvers that are assigned.
*The Assistant Manager and Maintenance Tech Roles are only assigned at properties where it has been requested that these users have access to move items through the PAYScan PO workflows.
Each workflow approver reflects the approver role they are assigned to.
 
Export the report to Excel and add a “Remarks” column, which is to be used for Reviewer’s comments.
The “Excel” option is available after the report is requested - see sample below.
 

RPMs will be responsible for reviewing the following roles:
Res_Assistant Manager
Res_Maintenance Tech
Res_MS OBR
Res_SR MS OBR
Res_CM OBR
Res_SR CM OBR
 
DMs will be responsible for reviewing the following roles:
Res_Regional Portfolio Manager
Sr RPM/DM
 
The Chief Accounting Officer, with assistance from the Financial Reporting Team, will be responsible for reviewing the following roles:
Sr RPM/DM
Res_SVP Operations

Accounts Payable (AP) Manager will be responsible for reviewing the following roles:
Res_Division Manager
Res_SVP Operations
Res_SR EVP
Sr RPM/DM
 
The AP Manager is also responsible for reviewing the approval limits by role. See above section titled Control Performance Guidance.

Sample Role Contacts Report

Procedures for Role Contacts and Corporate Workflows Review by Accounts Payable
 
(Corporate and Construction AP)
2017
 
Due to the Payscan access that Corporate Associates have, and for the company to be SOX compliant quarterly reviews of the Yardi Role Contacts Report and Corporate Workflows is required.
 
Role Contacts Report and Corporate Workflows Review:

• Since a review was perfor
• med at the time of the Yardi 7S upgrade in February 2017, the next review of this report will be as of June 2017 and quarterly thereafter.
• The Role Contacts Report must be reviewed to verify:

• Associates are assigned to the correct roles
• Associates are assigned to the appropriate departments

(The Role Contacts approval limit for each role is reviewed by the Senior Accounts Payable Manager for Corporate AP and Construction Accounting).

• The Corporate Workflows must be reviewed to verify that the correct dollar limits are assigned to the roles/user groups.

 
 
Frequency of Review:

• The Senior Accounts Payable Manager must run the report for the roles they are responsible for reviewing by the 2nd of the month following the quarter-end.
• The reports should be reviewed by the15^th of the month following the quarter-end.

 
 
Revisions to Role Contacts and Corporate Workflows:

• Revisions must be documented on the reports and these revisions must be appropriately approved.
• A copy of the Essex Helpline communication must be retained.
• Confirmation of the resolution from the Essex Helpline must also be retained.
• Changes made to role contacts and/or workflows should be confirmed by the original reviewer.

 
 
Documentation of Review:

• The reports must be signed and dated (either wet or electronically) as evidence of review.
• The reports together with the supporting documentation for revisions must be sent to the VP, Controller of Corporate Accounting.

 
Audit:
The review of the Role Contacts and Corporate Workflow reports will be audited annually during our SOX audit.
 
 
  
Instructions for extracting reports from Yardi
 
Role Contacts – Review of users assigned to approve in Payscan,
 
Complete the following fields:
Object Type               Select Property
Role                            leave blank
Property                     select all 900 entities
 
This report lists the entity and the Payscan workflow approvers that are assigned.
Each workflow approver reflects the approver role they are assigned to.
 
Export the report to Excel and add a “Remarks” column, which is to be used for Reviewer’s comments.
The “Excel” option is available after the report is requested
 
The roles are reviewed in the Role Contact Report and the Dollar limits are reviewed in the Corporate Workflows
The Senior Accounts Payable Manager is responsible for reviewing the following roles and their dollar limits: