Yardi User Group Change Management
Control Description
S22 - User access reviews are performed over in-scope application systems functions considered as relevant for financial reporting.
Control Performance Guidance
- User Group & Reviewer Identification. Identifying the list of user groups will be the responsibility of the Financial Reporting Team and Internal Audit (see the chart below for your assigned user groups). If new user groups are identified during the review period, then the Financial Reporting Team and Internal Audit will determine the individuals responsible for reviewing any new user groups. For those reviewers who are already performing a Yardi user access review, please continue your current review, include any new user groups that you initiated or approved, and communicate those to the Financial Reporting Team and Internal Audit so we can add them to your reports.
- Report Generation & Distribution. The Financial Reporting Team will generate all necessary user group reports from Yardi and will be responsible for distributing them to the various reviewers without exception.
- Review Period. The reports will typically be generated and distributed on or near the 15th day of the last month of each quarter (i.e. 3/15, 6/15, 9/15, and 12/15) so it doesn’t interrupt the quarterly close period. Reviewers will typically receive approximately 1 week to review their reports but this time could be extended to a maximum of 30 days if issues or questions arise during the review process. This should allow adequate time to resolve any issues but please resolve any issues as quickly as possible.
- Reviewer Succession Planning. If a current reviewer leaves the Company, transfers departments, or is out of the office during the review period, please have a backup person identified so there is no disruption during the review period.
- Report Review. Please review the Yardi reports you receive from the Financial Reporting Team for validity and appropriateness.
- Report Activity. If you have any issues or questions about the activity within your user group reports, please follow up as soon as possible with IT to resolve any issues or concerns you might have.
- Action Items. If your report activity shows users or functions that should not be on your user group, this would be considered an action item that needs to be resolved by you and communicated to IT for resolution. Please include any correspondences you have with IT to confirm resolution of your issues and send those to the Financial Reporting Team along with your final approved documents. Depending on your issues and resolution, this might result in the Financial Reporting Team having to re-run your reports so you can review and approve the clean reports.
- Approval. Affix an electronic signature and date to the report to document completion of your review and approval. The electronic signature is proof of your review. If you have problems with the electronic signature, then please physically sign and scan your reports and return the approved documents to the Financial Reporting Team. As a last resort, email approval would be considered evidence of your review.
- Documentation. Once your review is completed, please email the approved reports and all IT correspondences regarding action items to the Financial Reporting Team. In addition, you should retain a copy of the reports that you reviewed and approved with any comments or notes for your own records.
| Yardi Report | Report Details | Timing / Frequency |
|---|---|---|
|  | This is a comprehensive listing of all the permissions associated with the group. The reviewer reviews this report to confirm that read/write permissions associated with the group are valid and appropriate. Some information included in this report is technical (not descriptive enough) and will require some assistance from IT. | One-time review in Q1 2017 (baseline review; afterwards only changes to group permissions will be covered by the review). |
|  | Summarizes read/write permission changes associated with Yardi groups. This is normally generated to cover the quarter under review (i.e. Q1, Q2, Q3 or Q4). Verify that there is continuity in the period from the last time the review was performed (e.g. if the cut-off for the last review is 9/20, then the next review should cover the period starting 9/20). The reviewer validates changes to group permissions and confirms that these are valid and appropriate. | Reviewed every quarter. |
|  | This is a list of all users associated with the group under review. The reviewer validates that group assignment is appropriate for each user in the group. Verify that all groups for review are included in the report. | Review performed once a year (every Q3). |
|  | Summarizes Yardi group assignment changes to users. This is normally generated to cover the quarter under review (i.e. Q1, Q2, Q3 or Q4). Verify that there is continuity in the period from the last time the review was performed (e.g. if the cut-off for the last review is 9/20, then the next review should cover the period starting 9/20). The reviewer validates changes to group assignments and confirms that these are valid and appropriate. | Reviewed every quarter. |
- o_asst Operations Assistant Manager
- o_cm Operations Community Manager
- o_cmtemp Operations Temp Community Manager
- o_maint Operations Maintenance
- o_rpm Operations Regional Manager
Therefore, no quarterly Permission History or User Change Audit and no annual User audit reports are generated for these user groups; instead, the responsibilities of each of the three parties listed above covering these user groups are as follows:
Responsibility of the Senior Accounts Payable Manager
The Senior Accounts Payable Manager will perform a review of PAYscan approvers only, which will include a review of the dollar limits on Operations workflows and a review of the role contacts for DMs, SVP Ops and Sr EVP. The latter will ensure that users are assigned to the correct groups.
Responsibility of the Operations Team
Each RPM and DM on the Operations Team will perform an annual review of the properties and the role contacts of the associates under his or her supervision.
Responsibility of the Chief Accounting Officer
The Chief Accounting Officer, with assistance from the Financial Reporting Team, will perform an annual review of the properties and the role contacts of the respective DM managing each property at the SVP Ops level; the Chief Accounting Officer will also perform an annual review of the properties and the role contact of the SVP Ops managing each property at the Sr. EVP level.
See further details in the section below titled Yardi PAYScan Role/Contact Change Management.
Yardi PAYScan Role/Contact Change Management
Due to the PAYScan access that Operations Associates have, and for the company to be SOX compliant, annual reviews of the Yardi Role Contacts Report are required.
Role Contacts Report Review:
- A review was performed at the time of the Yardi 7S upgrade in February 2017. Starting FY2019, the performance of all future reviews of this report was reset to Quarter 3 of each year.
- The Role Contacts Report must be reviewed to verify:
  - Associates are assigned to the correct roles
  - Associates are assigned to the appropriate communities
(The Role Contacts approval limit for each role is reviewed by the Accounts Payable Manager. See the section above titled Control Performance Guidance.)
Frequency of Review:
- In prior periods, the IT Team assisted the Operations Team in generating and extracting the reports directly from Yardi. Starting in Q3 2019, the Financial Reporting Team will assist the Operations Team in doing so.
- The Financial Reporting Team will schedule the reports to be created and extracted around the 15th of the last month of Quarter 3.
- Operations must complete its final review of the reports around late Quarter 3/early Quarter 4.
Revisions to Role Contacts:
- Revisions must be documented on the reports and these revisions must be appropriately approved.
- A copy of the Essex Helpline communication must be retained.
- Confirmation of the resolution from the Essex Helpline must also be retained.
- Changes made to role contacts should be confirmed by the original reviewer.
Documentation of Review:
- The reports must be signed and dated (either wet or electronically) as evidence of review.
- The reports together with the supporting documentation for revisions must be sent to the respective Senior Group Operations Administrator of each region for retention.
Audit:
The review of the Role Contacts reports will be audited annually during our SOX audit.
Instructions for extracting reports from Yardi
Role Contacts – Review of users assigned to approve in PAYScan, the communities users are assigned to and the dollar limit of the approver
Complete the following fields:
Object Type: Select Property
Object Code: Select the desired property or property lists
Role: Select the approver roles that are being reviewed
(Approval role lists are listed below. Copy the blue italicized list below and paste into the Role field)
This report lists the property and the PAYScan workflow approvers that are assigned.
*The Assistant Manager and Maintenance Tech Roles are only assigned at properties where it has been requested that these users have access to move items through the PAYScan PO workflows.
Each workflow approver reflects the approver role they are assigned to.
Export the report to Excel and add a “Remarks” column, which is to be used for Reviewer’s comments.
The “Excel” option is available after the report is requested - see sample below.
RPMs will be responsible for reviewing the following roles:
Res_Assistant Manager
Res_Maintenance Tech
Res_MS OBR
Res_SR MS OBR
Res_CM OBR
Res_SR CM OBR
DMs will be responsible for reviewing the following roles:
Res_Regional Portfolio Manager
Sr RPM/DM
The Chief Accounting Officer, with assistance from the Financial Reporting Team, will be responsible for reviewing the following roles:
Sr RPM/DM
Res_SVP Operations
Accounts Payable (AP) Manager will be responsible for reviewing the following roles:
Res_Division Manager
Res_SVP Operations
Res_SR EVP
Sr RPM/DM
The AP Manager is also responsible for reviewing the approval limits by role. See the section above titled Control Performance Guidance.
Sample Role Contacts Report
Procedures for Role Contacts and Corporate Workflows Review by Accounts Payable
(Corporate and Construction AP)
2017
Due to the Payscan access that Corporate Associates have, and for the company to be SOX compliant, quarterly reviews of the Yardi Role Contacts Report and Corporate Workflows are required.
Role Contacts Report and Corporate Workflows Review:
- Since a review was performed at the time of the Yardi 7S upgrade in February 2017, the next review of this report will be as of June 2017 and quarterly thereafter.
- The Role Contacts Report must be reviewed to verify:
  - Associates are assigned to the correct roles
  - Associates are assigned to the appropriate departments
(The Role Contacts approval limit for each role is reviewed by the Senior Accounts Payable Manager for Corporate AP and Construction Accounting).
- The Corporate Workflows must be reviewed to verify that the correct dollar limits are assigned to the roles/user groups.
Frequency of Review:
- The Senior Accounts Payable Manager must run the report for the roles they are responsible for reviewing by the 2nd of the month following the quarter-end.
- The reports should be reviewed by the 15th of the month following the quarter-end.
Revisions to Role Contacts and Corporate Workflows:
- Revisions must be documented on the reports and these revisions must be appropriately approved.
- A copy of the Essex Helpline communication must be retained.
- Confirmation of the resolution from the Essex Helpline must also be retained.
- Changes made to role contacts and/or workflows should be confirmed by the original reviewer.
Documentation of Review:
- The reports must be signed and dated (either wet or electronically) as evidence of review.
- The reports together with the supporting documentation for revisions must be sent to the VP, Controller of Corporate Accounting.
Audit:
The review of the Role Contacts and Corporate Workflow reports will be audited annually during our SOX audit.
Instructions for extracting reports from Yardi
Role Contacts – Review of users assigned to approve in Payscan,
Complete the following fields:
Object Type: Select Property
Role: Leave blank
Property: Select all 900 entities
This report lists the entity and the Payscan workflow approvers that are assigned.
Each workflow approver reflects the approver role they are assigned to.
Export the report to Excel and add a “Remarks” column, which is to be used for Reviewer’s comments.
The “Excel” option is available after the report is requested.
The roles are reviewed in the Role Contact Report and the dollar limits are reviewed in the Corporate Workflows.
The Senior Accounts Payable Manager is responsible for reviewing the following roles and their dollar limits:
Corp _ Private Equity Controller
Corp _ Private Equity VP
Corp _ SD RPM
Corp _ Treasury Manager
Corp _HR Staffing Team
Corp _Irvine Office Manager
Corp _Irvine RPM
Corp _IT Sr Manager Web Services
Corp _SD Office Manager
Corp AP Manager
Corp Capt Mrkt Sr Vice President
Corp Director of Comm Real Estate
Corp Fixed Asset Accountant
Corp HR Coordinator
Corp Irvine Office Manager
Corp Payroll Manager
Corp_ Manager of Research
Corp_ Service Desk Sr Manager
Corp_Acct GroupVP
Corp_acct Vice President
Corp_Adv Visual Tech Lead
Corp_Ancillary Income Manager
Corp_AP Development Coordinator
Corp_Asset Management Associate
Corp_Assistant Controller
Corp_Associate General Counsel
Corp_Audit VP
Corp_Business Intel_Director
Corp_Business Intel_Manager
Corp_Capital Markets Manager
Corp_CEO
Corp_CEO Exec Assistant
Corp_CFO
Corp_Chief Investment Officer
Corp_Chief Technology Officer
Corp_CIO Exec Assistant
Corp_CMS Budget Analyst
Corp_Commercial PM
Corp_Content and Communications Mgr
Corp_Corporate Accounting Manager
Corp_Development Admin Manager
Corp_Director Ancillary Income
Corp_Director Facilities
Corp_Director of Accounting
Corp_Director of Benefits
Corp_Director of Finance
Corp_Director of Human Resources
Corp_Director Revenue Mgmt
Corp_Due Diligence Director
Corp_Executive Assistant Acquisitions
Corp_GVP Operational Services
Corp_HR Benefit Coord
Corp_Information Support Manager
Corp_Inv Coord
Corp_Inv Relations Manager
Corp_Inv Relations VP
Corp_Irvine DM
Corp_IS_IT Support
Corp_L&D Director
Corp_Learning and Development Assistant
Corp_Legal Sec
Corp_Manager of Workers Comp
Corp_Manager Special Projects
Corp_Marketing Adm Assistant
Corp_Marketing Mgr
Corp_Marketing RMM
Corp_NorthCal DM
Corp_Operations Project Coordinator
Corp_Paralegal
Corp_PNW Admin Assistant
Corp_PNW DM
Corp_PNW Office Manager
Corp_Procurement Manager
Corp_Real Estate Attorney
Corp_Risk Manager
Corp_San Mateo/San Jose Office manager
Corp_Sr Corporate Accountant
Corp_SR Director of Financial Reporting
Corp_Sr Director of Internal Reporting
Corp_Sr Financial Analyst
Corp_Sr Group Operations Administrator
Corp_SR Manager of Accounting
Corp_Sr Mgr, Digital Mktg
Corp_SR Paralegal
Corp_SVP Legal Department
Corp_SVP of Asset Management
Corp_SVP of Human Resources
Corp_Tax Acct
Corp_Tax Director
Corp_Tax Manager
Corp_Training Manager
Corp_VP Legal Attorney
Corp_VP of HR
Corp_VP of Tax Department
JC_CMS Admin |
JC_Const Acct Approver |
JC_Const Manager |
JC_Contract Admin |
JC_Dev Admin |
JC_Dev Contract Coord |
JC_Dev Coordinator |
JC_Dev Manager |
JC_Dev Manager First VP |
JC_Dev Manager VP |
JC_DM CMS |
JC_DM Redev |
JC_EVP Dev |
JC_PM CMS |
JC_RM PM |
JC_RM Supervisor |
JC_VP Asset Management |
JC_VP Const Acct |