To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, Department Heads, Security Officers and Chief Fiscal Officers
From: Thomas G. Shack III, Comptroller
Date: June 2, 2017
Re: Department Head Annual Approval Statewide Enterprise Systems Security

Comptroller Memo FY2017-20


Executive Summary

Approval of transactions to "Final" status in the state financial systems serves as an affidavit from the Department Head to the Comptroller that transactions comply with State Finance Law and the documents are accurate and complete, the expenditures or other obligations are supported by sufficient legislatively authorized funds, are made in accordance with the Department's legislative mandates and funding authority, and comply with all applicable laws, regulations, policies and procedures.

Annually, Department Heads are asked to review and confirm: (1) the employees they have authorized to access, process and approve transactions in enterprise systems on their behalf and (2) any other individual who can approve obligations and expenditures (execute contracts, approve payroll, incur obligations, authorize payments, etc.) on behalf of a Department Head, even if said individuals do not directly access enterprise systems themselves.

Department Heads have legal spending authority for their appropriations and are responsible for assuring that employees' access to automated systems reflects their job duties and is not broader than necessary. New Department Heads must approve security roles within 30 days of their appointment. If you have reviewed and approved security for your Department and submitted a certification on or after April 1, 2017, either as a new Department Head or due to staffing changes, you have satisfied the requirement set forth in this Fiscal Year Memo.

The Statewide Enterprise Systems Security Requirements document requires Department Heads to certify security access to enterprise systems annually in conjunction with Closing and Opening of the fiscal year. The document also requires Department Security Officers to certify security access at the end of the calendar year; thus, a formal review is performed every six months. This review covers all enterprise systems listed below and should include any individual who can approve obligations and expenditures (execute contracts, sign off on payroll, incur obligations, authorize payments, etc.) on behalf of a Department Head, even if that individual does not access these enterprise systems.

  • MMARS/LCM: The Massachusetts Management Accounting and Reporting System, including the Labor Cost Management sub-system, supports the financial functions performed by Commonwealth Departments. MMARS contains confidential data that is protected by both federal and state privacy laws. In no case should an employee have privileges beyond those necessary to complete their job duties.
  • HR/CMS: The Human Resource/Compensation Management System supports time and attendance, human resources and payroll. HR/CMS contains confidential data that is protected by both federal and state privacy laws. In no case should an employee have privileges beyond those necessary to complete their job duties.
  • CIW: The Commonwealth Information Warehouse provides access to financial, labor cost management, time and attendance, human resources and payroll data for MMARS, LCM, UMASS and HR/CMS as well as a variety of historical databases - Classic MMARS, PMIS and CAPS. CIW contains confidential data that is protected by both federal and state privacy laws. In no case should an employee have privileges beyond those necessary to complete their job duties.
  • InTempo: The online security system, managed by MassIT, through which your Department Security Officer and Security Administrators request access to these enterprise systems.

Security Reports to Facilitate Review & Ongoing Oversight

Four security reports are available in Luminist (formerly DocDirect) for department review and use. These reports are run monthly.
Report IDs:

  • SECMMARS (MMARS)
  • SECHRCMS (HR/CMS)
  • SECCIW (CIW)
  • SECINTEM (INTEMPO)

These reports display all active user profiles with their assigned security roles and signature authority. Access to these reports can be granted to Department Heads, Chief Fiscal Officers (CFOs), Internal Control Officers (ICOs) and Security Officers (DSOs).

Additional Security Reports

Department Heads, CFOs, and DSOs, as part of their Internal Controls, should review MMARS user activity using the following tools:

Luminist Reports:

  • NMF580W: MMARS Monthly User Activity Report
  • NMF581W: MMARS Monthly Verification of Segregation of Duties: Encumbrances and Payments

CIW Views:

  • User Activity Details: M_USER_ACTIVITY_DETAILS
  • User Activity Report: M_USER_ACTIVITY_REPORT

Please review all security reports, process changes as appropriate and keep a record of those changes (markup of reports is sufficient). This documentation is the evidence for authorizing and monitoring user access to statewide enterprise systems. Certification must be received as a hard copy with the Department Head's signature on the Department Head Annual Approval of Statewide Enterprise Systems Security Form. The form can be scanned and e-mailed to securityrequest@massmail.state.ma.us no later than June 30, 2017. This date will assure that needed changes are completed prior to the June 30 year-end report used by the auditors. The latest enterprise security reports are available via Luminist as of June 1, 2017.

The Office of the Comptroller is available to answer any questions and assist you with MMARS and HR/CMS security issues. Contact the Comptroller’s Help Desk at (617) 973-2468. MassIT is available to answer any questions and assist you with security for CIW and InTempo. Contact CommonHelp at (866) 888-2808.

Thank you for your prompt attention to this task.

Cc: MMARS Liaisons
    Payroll Directors
    General Counsels
    Internal Distribution