PayData Payroll Services, Inc.


PayData Payroll Services, Inc. Report on PayData's Description of Its Payroll Processing System and on the Suitability of the Design and Operating Effectiveness of Its Controls (SOC 1) For the period of

Table of Contents

S REPORT
MANAGEMENT'S ASSERTION
DESCRIPTION OF SYSTEM PROVIDED BY PAYDATA
    Organization and Management
    Management's Philosophy and Operating Style
    Assignment of Authority and Responsibility
    Organizational Structure
    Hiring Practices and Human Resource Policies
    Training
    Integrity and Ethics
    Confidentiality Agreement
    Code of Ethics
    Commitment to Competence
    Information and Communication
    Risk Assessment and Monitoring
    Transaction Processing
    New Client Conversion
    Payroll Processing
    Payroll Distribution
    Tax Payments and Compliance
    ACH Processing
    Finance and Administration
    Information Technology and Systems Security
    Description of IT Outsource Agreement
    Description of Computerized Information Systems
    Description of the Evolution Payroll Software
    Remote Access and Security
    General Computer Controls
    Building and Office Access
    Physical Access and Environmental Protection of Server Room
    Logical Access
    Software Change Management
    Information Safeguards
    Computer Operations
    Subservice Organizations
    Client Control Considerations
PAYDATA'S CONTROL OBJECTIVES AND RELATED CONTROLS AND INDEPENDENT SERVICE AUDITOR'S TEST OF CONTROLS AND RESULTS OF TESTS
    Purpose and Objectives of the Report
    PayData's Control Objectives and Related Controls and Independent Service Auditor's Tests of Controls and Results of Tests

S REPORT

Management of PayData Payroll Services, Inc.

We have examined PayData Payroll Services, Inc.'s ("PayData") description of its payroll processing system for processing user entities' transactions throughout the period October 1, 2010 to September 30, 2011 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives in the description can be achieved only if complementary user entity controls contemplated in the design of PayData's controls are suitably designed and operating effectively, along with the related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

PayData uses a payroll software vendor, ACH processor, tax research software, and an IT outsource provider to supplement its processes in the performance of its payroll processing system. The description on pages 5-28 includes only the controls and related control objectives of PayData and excludes the control objectives and related controls of the subservice organizations. Our examination did not extend to controls of the subservice organizations.

On pages 3-4 of the description, PayData has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. PayData is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, specifying the control objectives, selecting the criteria, and designing, implementing and documenting controls to achieve the related control objectives stated in the description.

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period October 1, 2010 to September 30, 2011.

An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at pages 3-4. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing payroll transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

In our opinion, in all material respects, based on the criteria described in PayData's assertion on pages 3-4,

a) the description fairly presents the payroll processing system that was designed and implemented throughout the period of October 1, 2010 to September 30, 2011.

b) the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period October 1, 2010 to September 30, 2011 and user entities applied the complementary user entity controls contemplated in the design of PayData's controls throughout the period October 1, 2010 to September 30, 2011.

c) the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period October 1, 2010 to September 30, 2011.

The specific controls tested and the nature, timing and results of those tests are listed on pages

This report, including the description of test of controls and results thereof on pages 30-71, is intended solely for the information and use of PayData, user entities of PayData's payroll processing system during some or all of the period of October 1, 2010 to September 30, 2011, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

Kansas City, Missouri
September 30,


PAYDATA PAYROLL SERVICES, INC.
SECTION III. DESCRIPTION OF SYSTEM PROVIDED BY PAYDATA

Organization and Management

PayData is a regional payroll processing and related payroll tax compliance service organization. PayData was formed in 1987 and is located in Colchester, Vermont. PayData serves approximately 1,550 clients and generates approximately 100,000 checks each month. PayData is an S-Corp and is owned by Michael J. Trahan, who serves as CEO. The President and Vice President of Operations are responsible for the day-to-day operations of PayData. The CEO, President and Vice President of Operations make up the executive management team.

PayData consists of Operations, Tax, Sales, and Accounting departments. In order to enhance controls, the business operations are segregated into functional departments. The President oversees the Sales Department, which is responsible for new client sales, expanding services to current clients and obtaining the new client setup packet. The Vice President oversees each of the departments, which perform the following:

Operations Department: Responsible for internal training, receiving and processing payroll information, client service, new client setup or conversion, timeclock setup, and new client trainings.

Tax Department: Responsible for approval of new client tax setup, payment of taxes, and submission of filings.

Accounting Department: Responsible for the daily bank reconciliations and monitoring bank transactions.

Each department employs a manager or supervisor who oversees the department operations and reports to the President or Vice President of Operations.

Management's Philosophy and Operating Style

PayData's mission statement summarizes their business objectives and overall philosophy on professional conduct: "Dedicated to quality, personalized service surpassing every expectation." PayData's management communicates this mission statement during meetings and by their actions.

PayData's management monitors the organization to ensure compliance with the mission statement and that the company operates effectively and efficiently while remaining industry and client focused. Personnel turnover has been minimal. Senior management and operating management have frequent interaction in both formal and informal settings. PayData's management continuously emphasizes the importance of the payroll and tax processing function and its role in ensuring the reliability of client data. The Vice President of Operations is actively involved in the day-to-day operations and activities of the company.

The President and Vice President of Operations have an open-door communication policy. Every employee has access to the President daily and the President is visible to all employees on a daily basis to provide an opportunity for the employees to inform him of issues or concerns. The Vice President of Operations has weekly staff meetings where employee feedback and suggestions are encouraged. As applicable, departments maintain individual task schedules which outline the critical functions that must be completed throughout the day. The task schedules are reviewed daily by management to ensure that all required tasks have been performed.

Assignment of Authority and Responsibility

The Management Team, consisting of the President, Vice President and department managers, has the ultimate responsibility for all activities within the entity, including the internal control system. This also includes assignment of authority and responsibility for operating activities, and establishment of reporting relationships and authorization protocols.

Organizational Structure

An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Significant aspects of establishing an effective organizational structure include defining key areas of authority and responsibility and establishing appropriate lines of reporting.

Each non-managerial employee's position has responsibilities outlined by published job descriptions that provide general functions and specific duties. Each employee is given written expectations of the position. It provides a basis for employee reviews and accountability.

Hiring Practices and Human Resource Policies

The formalized human resource policies include critical aspects of the employment process including: hiring, training and development, performance evaluations, advancement and termination. PayData is committed to hiring and retaining the best qualified personnel. The hiring practices are formalized and carefully performed. All candidates are interviewed and screened by at least two Management Team members. In addition, background and criminal checks are conducted and references are contacted before an offer of employment is extended. During the employee's first few days of employment, they meet with a member of the Management Team, who discusses the importance of the sensitivity of the information being managed by the company and the importance of the organization's role in protecting clients' information.

Performance evaluations are performed on a regular basis and provide employees with a tool to understand their job performance and areas for improvement. In addition, the evaluation process helps management in determining compensation, promotions and topics for upcoming training sessions.

Training

Training is an important part of management's commitment to excellence. Management encourages employees' participation in outside continuing education and holds regular training sessions in-house to keep the employees' skills fine-tuned. PayData has well documented operating procedure manuals to provide a reference to employees in the conduct of their daily responsibilities.

The procedure documentation is maintained and includes:

Procedures for marketing and sales, human resources, client services, tax services and general operations.

Finance and Accounting Manual for billing, invoicing, accounts receivable and collection activities, commissions, purchasing, accounts payable and reporting activities.

Training Manuals to provide initial and ongoing instruction to employees and serve as a reference tool for employees.

Technical Manuals that range in subjects from the computer operation guides to tax-related documentation. The technical manuals serve as a valuable resource to many different positions within PayData.

Departmental meetings are held regularly for a variety of purposes. The meetings are attended by the appropriate departmental staff members. Topics normally covered are company changes, new assignments, software changes, IRS pronouncements, new clients and other payroll related issues that affect the operation of the organization. Quarterly meetings are also conducted in which the President gives the entire staff an overview of budgetary goal items. At the end of the meeting, each employee is given the opportunity to discuss items they feel are important and offer suggestions, which are encouraged throughout the meeting.

All new employees undergo training and observe seasoned veterans for approximately one week and then are observed another week before they begin to work on their own. Once they begin working independently, their work is reviewed before it is released until it is deemed they have an adequate understanding of their job duties.

Integrity and Ethics

The organization and management of PayData establishes a control environment within which the employees must function. It is a framework for all aspects of internal control. This control environment includes such items as integrity and ethics, conflict of interest and commitment to excellence.

Confidentiality Agreement

All employees are required to review and sign PayData's confidentiality agreement prior to gaining access to client data. The agreement provides employees with clear guidelines of the employee's role in protecting client information. Management reviews the confidentiality guidelines at regularly scheduled staff meetings.

Code of Ethics

PayData's business conduct is governed by a standard code of ethics to provide guidance for employees and inform clients on the way PayData wishes to conduct business. As a member of Independent Payroll Provider's Association (IPPA), PayData has adopted their published code of ethics. Responsibilities covered are: avoiding misrepresentation, gifts, personal conduct, compliance, service standards, equitable practices, confidentiality, conflicts of interest, marketing, and financial reporting. New hires are instructed on these codes and they are reinforced through staff meetings.

Commitment to Competence

Competence should reflect the knowledge and skills required to accomplish tasks that define an individual's job. Through consideration of an entity's objectives and the strategies and plans for achievement of those objectives, management specifies the competence levels required for particular jobs and translates those levels into requisite knowledge and skills.

PayData management has analyzed and defined the tasks and knowledge requirements that comprise the positions within the organization. They consider such factors as the extent to which individuals must exercise judgment and the extent of related supervision when making hiring decisions. PayData management communicates this to personnel through the interview process, job descriptions, the establishment of performance and development plans, and through periodic meetings with personnel.

Information and Communication

PayData utilizes various methods of communication to help ensure employees understand their individual roles and company controls, and to help ensure significant events are communicated timely. All new employees are provided with orientation and training programs. Time sensitive information is communicated verbally and by email to all employees. The minutes from the weekly Management meeting are emailed to the staff each week.

PayData also communicates with their clients on a routine basis. Each client organization has a designated Client Service Representative who communicates via phone, fax, letter and Internet with the client organization regularly. In addition, flyers are added to processed payrolls or sent via Internet for important announcements or reminders. Periodic training classes are offered to client personnel.

Risk Assessment and Monitoring

PayData has placed into operation a process to identify and manage risks that could affect their ability to provide reliable payroll processing to clients. This process requires management to identify significant risks inherent in the processing of payroll data for clients and to implement appropriate measures to monitor and manage these risks.

On a regular basis management meets to discuss the risks the business is facing. These include various aspects of financial and technological risks. In addition, the Vice President meets with the staff on a regular basis to discuss any outstanding issues pertaining to the functioning of the company.

Internal controls are evaluated and monitored by the management team. The management team monitors and reports on department functions and compliance with laws and regulations. Standard reporting includes:

Departmental Scorecards: These reports are utilized to track the number of payrolls processed versus payrolls scheduled, client and internal errors, ACH returns and open and closed tax notices. The staff responsible for each scorecard updates the information daily. These reports are reviewed weekly during the regularly scheduled management meeting.

Billing Transactions Report: This report summarizes check count activity for each client, is run on a monthly basis, and is reviewed at the monthly management and executive meetings.

Budget Variance: On a monthly basis, the financial statements are compared to the annual budget spreadsheet. Areas of concern are discussed during the monthly executive meeting.

Sales Analysis Report: This report is run on a monthly basis, compares sales and labor results by month, and is discussed in the monthly executive meeting.

Annual Budget Report: This annual spreadsheet is created as a benchmark as to where management expects to be at the end of a fiscal year, and monthly comparisons are reviewed at the monthly executive meetings.

Transaction Processing

The primary control objective of PayData is to ensure that all transactions are properly initiated, authorized, recorded, processed, reported and maintained. These controls are evident in every aspect of the business.

The core service areas of PayData are payroll conversion, payroll processing, payroll distribution, ACH processing, tax compliance, information technology and systems security. PayData provides its clients with various service level options in order to fit its clients' needs. Clients are able to contract with PayData on a service-by-service basis, determined by the products they require. PayData provides all of its clients with a full service payroll solution that includes optional automatic payroll tax filing and depositing.

There are many optional services that are available and are identified below: Positive Pay Checks, payroll checks are drawn on a PayData account Employee Direct Deposit New Hire Reporting Agency and Third Party Checks Delivery Additional State Tax Filing Jurisdictions General Ledger Check Reconciliation Spreadsheet 401K Process Reports/Transmission Quarterly 941s, Annual 940, and Year-end W-2s Timekeeping solution HR resources Customized interfaces

New Client Conversion

The Conversions Department exists to ensure:

1) that the transition of payroll services is smooth, efficient, and error free,
2) all year to date wages are reconciled with both tax returns and tax payments,
3) the balancing and payment of tax liabilities is properly reconciled and communicated to the client, and
4) responsibility is established for the filing of all payroll tax returns and communicated to the client.

Procedures and checklists are followed to ensure the conversion of new clients is complete and accurate. The Conversion Department works with the client to ensure that all the information is received timely and is accurate and complete. The Conversion Department also works with the Client Service Representatives to familiarize them with the specifics of the client after the first live payroll.

The Conversions Department follows specific procedures to ensure that all the client data is complete when received. Client Set-Up Forms are completed by the Sales Department in conjunction with the client to document all earnings and deduction taxability, tax agencies, filing frequencies, tax rates and any other special needs the client may have.

Checklists and standard procedures are in place to review the accuracy of the data and balance key amounts, such as wages and tax amounts, to the information provided by the client. All year-to-date payroll information must be balanced successfully prior to any payrolls being processed.

A key control is a second person review of all the manually entered or imported data to ensure accuracy. The company setup and employee demographics are audited by the Client Service Department. The tax information is audited by the Tax Department. The billing services and bank accounts are audited by the Accounting Department. In addition, clients are required to sign a Bank Credit Reference Form authorizing their bank to release to PayData credit information about the client's account including credit lines, and payment history, which is reviewed by the Accounting Department to evaluate the new client's credit risk in relation to the services they have requested, such as direct deposit. All aspects of the new client setup are verified by someone other than the person entering the data into the payroll software, and primarily someone from a separate department to enhance the segregation of duties.

Once the review and verification process is completed, the Conversions Department performs the first payroll run for the new client and then communicates client information to the assigned Client Service Representative. For remote entry clients, the Conversion Department works with the client to schedule the setup and training on Evolution and assist them with their first live payroll.

Payroll Processing

The Client Services Department consists of a dedicated team of Client Service Representatives to assist clients with their payroll. The Client Service Representatives are responsible for supporting clients, which includes keying payroll data, assisting remote clients, balancing and submitting payrolls for processing. They ensure that each and every payroll is processed according to the schedule with the highest degree of accuracy and that the data is received from authorized sources.

Procedures have been implemented to ensure that payroll processing is scheduled and performed appropriately and deviations from the schedule are identified and resolved. Each Client Service Representative receives a list of their assigned scheduled payrolls (the Scheduling Report) for the following week on Friday morning. The payrolls are marked off as processed and clients are called if the data is not received by 2:00 PM of the scheduled date. During the end of day procedures, the Client Service Representatives review the Payrolls Not Called In Report and notate the reason for not processing on the scheduled date and provide the report to the Client Services Manager for review. Every afternoon a Waiting Payrolls Report is reviewed to confirm that all payrolls that have been started are also added to the processing queue.

PayData has a strict cut-off policy for payroll processing: all payrolls due to be processed the same day have to be submitted by 3:00 PM. Payroll data received after 3:00 PM will not be processed until the next day unless authorized by Management. A 3pm List is created which includes all payrolls received which have not been submitted to the queue by that time. Only those payrolls already in the queue, reflected on the Waiting Payroll Report or on the 3pm List are processed that day; the rest are held until the next day.

Clients can submit their payroll data by one of several methods: Fax, Email, Esheet, TimeClock Import or Remote Input.

Fax Input

Client Service Representatives input payroll data faxed from the clients. These clients are provided an Input Worksheet report with each payroll. The report contains the active employees, their rates (unless masking has been requested) and columns to record their hours for typical earnings and amounts for special deductions. The client records the payroll on the provided worksheets and sends them to PayData for processing.

The Client Service Representatives review the faxed pages received from the client for legibility and make note of any questionable items. The client is contacted by the Client Service Representatives to resolve any of the noted items. In addition, the Client Service Representatives verify the client submission with the payroll processing schedule. If a change in client contact occurs, the client must provide written approval of the new contact and, if needed, specify the security limitations or access for the new contact. This allows for the proper flow of information between the Client Service Representative and the client.

After any issues are resolved, the payroll data is manually entered by the Client Service Representatives. After the input is complete, the Client Service Representatives compare the batch totals to the totals provided by the client on their cover sheet or worksheet. If the client does not provide control totals, the Client Service Representatives will calculate the totals for hours, earnings and deductions and compare to the batch totals provided by the software. All submitted data must agree with the entered data before the payroll can be processed.

Email/Esheet/TimeClock Import

The client submits Email, Esheet and TimeClock payroll data by email and the Client Service Representatives verify the sender's address as well as the timing of the submission with the payroll processing schedule. If a change in client contact occurs, the client must provide written approval of the new contact and, if needed, specify the security limitations or access for the new contact. This allows for the proper flow of information between the Client Service Representative and the client.

Esheet

The Esheet clients submit their payroll data by an Evolution generated preformatted Excel spreadsheet, called Esheets. PayData provides with every payroll process an Excel spreadsheet that contains current payroll data to the client so they can enter the payroll data directly into the Esheet. The Esheet contains all current employees, pay rates and columns for the client to enter hours, deductions, salary amounts and bonuses. Esheets are then submitted directly to the Client Service Representative via email once completed by the client.

Upon receipt of the Esheet, the Client Service Representative reviews the data for questionable items and contacts the client to resolve any noted items. The data is then imported into Evolution and verified for accuracy. The Esheet totals and the Evolution on-screen batch totals must agree before the payroll is submitted. Any differences are researched and resolved prior to processing.

15 PAYDATA PAYROLL SERVICES, INC. SECTION III. DESCRIPTION OF SYSTEM PROVIDED BY PAYDATA Some clients will send the employee information regarding hours, payments and other payroll data by . The Client Service Representatives review the ed data received from the client and make note of any questionable items. The client is contacted by the Client Service Representative to resolve any of the noted items. After all issues are resolved, the payroll data is manually entered by the Client Service Representative. After the data entry is complete, the Client Service Representative compares the Evolution on-screen batch totals to the totals provided by the client. If the client does not provide control totals, the Client Service Representative will calculate the totals for hours and earnings and compare to the Evolution on-screen batch totals. All submitted data must agree with the entered data before the payroll can be processed. TimeClock Import Clients can also authorize the Client Service Representatives to access online timekeeping systems to import hours on behalf of the client. Once the client notifies the Client Service Representatives that the data in the timekeeping system is accurate and ready for download, the Client Service Representatives will access the timekeeping system and import the hours into the payroll system. A report from the timekeeping system is created which gives the summary of hours for the pay period. The hours from the summary report are verified with the hours in the payroll system to confirm accuracy of the imported data prior to processing. Remote Input Clients utilizing this option log into PayData s payroll software through the Remote Access Server (RAS) using a unique user ID and password. PayData manages the administration of the client s unique user ID and security access. Clients can also elect to utilize the remote input entry option. 
Once the client authenticates using a user ID and password, the client enters company data, employee information and payroll data into Evolution. Through this option, the client is responsible for the accuracy of the payroll data entered in the payroll software. The client is encouraged to run a Pre-Processing Payroll Register Report to verify the payroll data prior to submitting the payroll to PayData for processing. PayData assumes no responsibility for the accuracy of the payroll data for remote clients, as it processes the data as it was entered by the client.

All Clients

Payrolls other than regular payrolls, such as supplemental payrolls, client corrections or service bureau correction runs, must be approved by management prior to processing. The Evolution software, through security features, requires these types of payrolls to appear on a queue which requires management approval in order to be processed.

During payroll processing, the Evolution software calculates gross wages, taxable wages, employee and employer taxes, voluntary deductions and net pay. Checks, direct deposit vouchers and reports are created during the payroll process. The Evolution software detects if certain items are not set up properly, such as employee state data, and creates a log of these items. If there are any corrections to be made, the Client Service Representative makes these corrections prior to completing the processing.

Payroll Distribution

The Processing Department is responsible for the distribution of each payroll. Procedures have been established for the production and distribution of payroll checks and reports. These procedures ensure that the checks and reports are produced and distributed completely, accurately and in accordance with client specifications.

Checks and vouchers are printed on blank check stock that is specifically designed and printed with industry standard security protection. Some of the security features include an artificial watermark on the back of the check that can only be viewed at an angle, to protect the document from scanner duplication, and a micro-printed border that becomes distorted when duplicated.

Each client receives a report package for each processed payroll based on their initial conversion setup. Some of the standard reports available are:

1. Delivery Label
2. Cover Letter
3. Payroll Register
4. Check Reconciliation
5. Payroll Tax Report
6. Input Worksheet

Once the payroll has been processed, the reports and checks are printed. Delivery instructions print as each payroll processes. All checks are counted and the count is compared to the total checks on the Payroll Cover Letter report. The payroll is then packaged according to instructions from the client and is ready for distribution via pickup, mail, Federal Express or courier service. A Security Seal sticker is applied to the package when complete.
The Processing Department is also responsible for confirming that outside delivery services have retrieved all packages and for communication as to special delivery and tracking of packages. Payrolls which have been processed but not delivered by the end of the day are stored in a secure location. Clients sign for payrolls which are delivered via courier or Federal Express, or which they pick up from PayData's office.

Tax Payments and Compliance

PayData has a full service tax-filing department that generates agency-approved federal, state and local tax returns and payments. Formalized procedures are followed to ensure the appropriate tax filings are complete, accurate and timely. Payments for Federal, State and Local taxes are remitted electronically for many agencies supporting electronic funds transfer. Checklists are prepared by tax type and client and utilized to ensure that all monthly, quarterly and annual tax returns are filed, even if no payments were made. In addition, the Tax Specialists keep a spreadsheet of clients who require zero returns to be filed.

The following reports are created by the tax staff to manage the tax payments and returns:

Due Date Report (Federal, State and local) is generated each day for tax liabilities that are due within a specified date range which corresponds to the current day's federal deposit period. In addition, a separate 100k Due Date Report is run to ensure that all accelerated deposits are accounted for. The Tax Specialist completes a Deposit Check List that summarizes the various payment methods and reconciles any differences, such as clients that are on hold or negative payment amounts that are included on the Due Date Report but are not remitted to the taxing agency.

The report is utilized to select clients to include in the EFTPS file, which is submitted electronically. The Tax Specialist will compare the totals of the EFTPS file with the Due Date Report to ensure that the file is complete and accurate. The Tax Specialist will use the EFTPS software to confirm the receipt of the submitted payments and then export that data and import it into Evolution to update the database and indicate the payments were made. The next day, the EFTPS software is reviewed to confirm that the funds submitted the previous day settled.

The report is also utilized to select clients to generate an ACH file or checks to send to the appropriate taxing agency for state and local taxes. The Tax Specialist will print the checks and then compare each check to the Due Date Report to ensure that all the required tax payments have been submitted. The amounts on the tax checks and the return or coupon are verified and then packaged and mailed to the appropriate taxing agency.

This report also reflects the taxes which need to be paid electronically to the state and local agencies. The totals for the ACH file created for the electronic payments are compared to the Due Date Report to ensure that all payments are timely and correctly paid.
Balancing Report - Weekly shows the difference between the taxes calculated and the taxes collected for each client; any differences are researched and resolved by the Tax Manager as necessary.

The above reports are reviewed by the Tax Specialist and appropriate action is taken according to the data on the reports. The Deposit Check List with backup documentation is given to the Tax Manager daily for audit of the daily tax payments.

The quarterly and annual return process has several phases to ensure the accuracy, completeness and timeliness of the returns using the following procedures:

- A master quarterly control is created to ensure all quarterly processes are completed.
- Checklists are prepared by tax type and client. The lists are utilized to ensure that all monthly, quarterly and annual tax returns are filed, even if no payments were made.
- Quarterly, all companies are subjected to a preprocess function, which tests all tax liabilities against calculated taxes for the quarter. A payroll is automatically created in the system to correct for discrepancies such as over/under collection of state unemployment insurance (SUI) resulting from a rate change and Vermont HealthCare Assessments due quarterly.
- Quarterly and annual returns are created and are subjected to a review process to ensure the accuracy of the returns.
- Delivery envelopes are created for each taxing agency, and the returns sent to the taxing agency are compared to the checklist to ensure all returns are properly submitted. For returns sent electronically, the clients contained in the file are also compared to the checklist.

PayData contracts the maintenance of the source code and tax tables in the Evolution system to isystems; however, updates to the source code or tax tables are reviewed prior to implementation (see further discussion in the Software Change Management section). PayData maintains memberships in a payroll industry trade association that keeps its members up to date on tax related issues. PayData will notify isystems of any changes received from external sources that are not reflected in the documentation sent with their latest software update. In addition, PayData utilizes BNA, which provides a library of research information related to payroll and taxation.

ACH Processing

Automated Clearing House (ACH) files are created twice a day (once on Friday): one at approximately 3pm and the second at the end of each day to capture all remaining payroll processing. The ACH files collect billing, taxes, direct deposit and net check\trust account funds (as applicable based on service offering) from each client that has processed that day. PayData and its clients contract with Cachet Banq, Inc. (Cachet Banq) to perform the preparation and transmission of ACH entries, subject to the National Automated Clearing House Association (NACHA) rules.
During the new client implementation process, all clients must sign an Employer Electronic Debit Agreement which authorizes PayData to electronically debit the client's bank account(s) for payroll transactions. PayData has also designed an Employee Direct Deposit Authorization form for the use of its clients' employees. The form gives authorization for the deposit of credit transactions to accounts listed on the form. It also gives permission to withdraw any credits mistakenly sent by debiting the same account. Clients are advised to retain copies of these forms in the employee's personnel file and fax or email copies to PayData. Clients are instructed to receive voided checks from the employee to verify the transit and account number of the account receiving the payroll funds. If the client is a Remote Input client, they are trained as to the proper setup of the direct deposit accounts.

The Processing Department uses the Cash Management module in Evolution to generate the ACH file. The Processing Department selects all companies that are reflected on the queue at the time of ACH creation. The Processing Department logs into Cachet Banq's secure website using a unique user ID and password to upload the ACH file. The website displays a confirmation page with control totals, which the Processing Department verifies against the detail ACH Transaction Report. Once all procedures for submitting an ACH file to Cachet Banq are completed, the Processing Department logs the ACH file and totals on the ACH Total Excel file. Once Cachet Banq has processed the file, they send an email confirmation to PayData, which is reviewed by the Vice President of Operations for verification and is documented in the ACH Total Excel file. Cachet Banq then warehouses and sends the NACHA transmission to the appropriate banks on the clients' behalf.

Cachet Banq also generates a daily Returns and Notifications of Changes report. The information is accessed through Cachet Banq's secure website daily. Pre-note direct deposit changes are distributed to the assigned Client Service Representatives, who contact the client and correct the information. The Client Service Representatives contact the client if any employee monies are returned. The returns may be caused by an employee closing an account and failing to notify the payroll contact, or by invalid routing or account numbers. A member of the Accounting Department contacts the client when a notification of a return due to insufficient funds is received. Depending on the dollar amount of the return, the debit is either resubmitted or the client is instructed to wire the funds. The tax liabilities are marked NSF until PayData has received the funds.

Finance and Administration

All payroll transaction funds are collected via Automated Clearing House (ACH). Separate withdrawals are sent to collect billing, tax, direct deposit and netcheck\trust funds from the client. Billing transactions post to PayData's operation account. The direct deposit funds are maintained in an account held by Cachet Banq and the entire reconciliation process is performed by Cachet Banq; PayData does not have control of those funds.

The Daily Funds Reconciliation Report is automatically run each night and then reviewed the next morning by the Accounting Manager for any exceptions from the previous day's payroll processing and ACH files. This report compares the payroll amounts transmitted in the banking file for the previous day to the transactions posted in the bank account register for each client; any exceptions are reviewed for appropriateness and resolved in a timely manner. Transactions for the ACH account are reconciled by Cachet Banq.
For clients that choose to be a full service tax client, funds are impounded for taxes withheld and employer taxes collected each pay period and are held in escrow in a separate tax account until they are due. Transactions are downloaded daily from the bank and imported into Evolution to facilitate the reconciliation process. An exception report showing any discrepancy is printed and researched. Any items not automatically cleared are matched up manually or by manual entry.

Another option for clients is the netcheck\trust account service. Clients who utilize this service are debited for the full amount of net payroll and then the individual net payroll checks are drawn on PayData's trust account. The NetCheck\Trust account is a separate Positive Pay bank account. Transactions are downloaded daily from the bank and imported into Evolution to facilitate the reconciliation process. At the end of each day the Processing Department creates a Positive Pay file containing Payee, Amount, Serial Number, and Check date and uploads this file to the bank. Each item that is presented on the trust account is validated by the bank against the daily Positive Pay files. PayData is notified of any exceptions, at which time they can Approve or Deny the item.

Formalized procedures are used to reconcile the bank accounts. All bank accounts are reconciled to the bank balance monthly by the Accounting Manager. Various audits are performed to validate that all tax, billing and client funds have been collected and paid accurately. The Vice President of Operations reviews the bank reconciliation tie-outs on a monthly basis. In addition, the Accounting Manager reconciles the total tax liabilities in Evolution to the tax impound bank account balance on a monthly basis.

Information Technology and Systems Security

PayData provides technological solutions to its clients and understands the critical and sensitive nature of the data transmitted on a daily basis. Physical access to computer equipment and storage media is restricted to properly authorized individuals. Current technology is employed to ensure that data is secure and that appropriate access to information is given only to authorized users.

Access to the Evolution payroll software is restricted based on job function. isystems IT Department implements the Evolution updates, but the process is coordinated by the Vice President of Operations. The network and operating system updates are also outsourced to isystems IT Department, which functions as PayData's IT Department. The President and Vice President of Operations oversee the services provided by isystems IT Department. Procedures are in place to review, test, approve and properly implement the software vendor supplied changes to existing software.

PayData is a payroll service bureau. As such, the critical computer related tasks consist of the following:

- collecting and processing client company payroll data
- creating electronic banking transactions to:
  - collect funds from client company accounts
  - make direct deposit payments into client employee accounts
  - make payments to federal, state and local tax collection agencies
  - make payments to designated third parties, including PayData
- print checks and direct deposit vouchers
- print and/or email reports

Description of IT Outsource Agreement

PayData does not maintain a full time IT employee.
isystems provides the following services either onsite or remotely: Network and System Management, Desktop Support, Virus Protection Service, Patch Monitoring and Distribution, Terminal Services, Security Services and Firewall maintenance and monitoring. The President and Vice President of Operations are very active in monitoring the activities related to information technology.

The President, Vice President of Operations and isystems IT Department provide appropriate resources and control to meet the needs of PayData. The President, Vice President of Operations and the IT Department assess the needs of each department and user to plan the proper hardware and software necessary for each area to efficiently complete required duties. Resources are planned, allocated, and implemented as needed. The Vice President of Operations has primary responsibility for implementing the plans.

Description of Computerized Information Systems

PayData's processing network is comprised of 5 Windows 2003 Servers and 3 CentOS 5.4 Linux Database Servers. The servers are IBM models x3550, x3655 and HP DL180G6. PayData's infrastructure is supported by the Sonicwall NSA 2400 Firewall and Catalyst 3560 switches.

As noted previously, Evolution is the payroll software used by PayData. The Evolution application resides on a Firebird v2.04 database server and is supported by the Linux operating system. Firebird is an open source Relational Database Management System (RDBMS). Firebird offers most of the ANSI SQL Standard suite of functions and is supported by the Linux operating system.

The status of the application server and database is monitored on a real time basis to ensure availability and the integrity of customer information. isystems IT Department monitors the network system performance, reviews security reports, logs problems and resolves processing interruptions on a daily basis. An Intrusion Prevention System is in place that blocks the access of an intruder or, based on the type of intrusion, gives a warning in the logs, which are reviewed by the IT Department daily. In addition, the Sonicwall NSA 2400 Firewall is used in conjunction with Windows 2003 domain controllers to block access of an intruder. The detection definitions are updated at least weekly or when new definitions become available.

Description of the Evolution Payroll Software

Overview

Evolution payroll software is a fully integrated payroll processing and tax management system designed to provide fast, accurate and secure payroll transaction processing for PayData. Evolution is an advanced and full-featured service bureau solution, including a complete tax management component, an integrated report writer, ACH processing and multiple account reconciliation capabilities.
Technology

Evolution is a multiple tier application which consists of nearly one million lines of code written in the Delphi language. The application and middle tier run in a Windows environment. The database tier uses the Firebird SQL database and runs in the Linux operating system. The tiers that make up the Evolution application are as follows: Client (first tier); Remote Relay, Request Broker and Request Processor (second/middle tier); and the Data Store (third tier). A full description of these tiers and their functionality follows:

1. The client tier (tier 1) is a thin client or web browser client, running Evolution Client for service bureau staff and payroll customers. These run on the user's Windows desktop. Messages are transmitted between the client and server using a custom protocol based on a proprietary format over TCP/IP. The client caches the credentials of the user in memory. If the connection to the Evolution server(s) fails, or otherwise becomes unavailable, the client will resubmit the credentials when the connection revives. This provides a transparent user experience when the Request Broker is unavailable.

2. Remote Relay (access) Server is a proxy in the middle tier (2) that encrypts and compresses Evolution Client communications over public networks (internet). Communications sent over private networks (LAN) can connect directly to the Request Broker and bypass the Remote Relay service, avoiding compression or encryption. The encryption protocol found in the Client to Remote Relay service proxy transports the encryption key. SSL is used to create the encryption key dynamically. The algorithm used is Blowfish with a 128-bit key.

3. The Request Broker (RB) is a server in tier 2 that performs the duties of routing and controlling the distributed application. The role of this tier is to manage the load on the Request Processors (RP), maintain work queues from each user session and provide a central point of contact for the clients to connect to. The RB is the nerve center of the application. Asynchronous Replication is a separate program that makes a near current database mirror of the client databases. This process replicates the Client database(s) on another set of servers which can be used to enable a hotsite for processing payroll in the case of a disaster at the primary processing center.

4. The Request Processor module includes a security layer that ensures users can only access data that they are authorized to access by appending the appropriate tests to all where clauses of SQL statements that access data. This same layer safely handles all user-supplied data, ensuring that SQL attacks cannot occur.

5. The data store is spread between a minimum of two databases. The system global database is maintained by isystems through an update process and contains static data such as tax rates, forms and base reports. The second type of database is a service bureau database that will contain data relevant to all clients, companies and users associated with that service bureau. Each service bureau will have its own instance of the database. This database contains the credentials and entitlements of each system user. The third type of database is a temp database used for caching data to improve performance. Each service bureau will have its own instance of the temp database. The last type of database is the client database. This database will contain all data pertaining to a client's business, such as the actual payroll data. Clients will have their own instance of this database. This database structure has two significant benefits: security and scalability. It is scalable because these databases can be collocated or distributed across servers. It enhances security by physically separating data, making it almost impossible for a user to access data from another client even if they were able to beat the other safeguards in the application.

A client in the database is not to be confused with the client tier. The client tier refers to an individual instance of the thin client that is used to access the system. A client in the database refers to a customer that consists of one or more companies with one or more users. A service bureau would have one or more clients.

The database is comprised of over 350 tables, with each table containing at least one trigger to enforce constraints and history. The databases also contain Stored Procedures that implement business logic. The triggers and stored procedures contain approximately 78,800 lines of code. Each table contains its own history. As rows are changed, a new row with the updated values is inserted and the old row is marked as history. One of the purposes of the Stored Procedures is to return data as of a point-in-time to reflect the status of the data at that time.

The Evolution report writer is a custom built reporting utility. The user creates reports and can run them from within the application. These reports run under the privileges of the authenticated user. The reporting function in Evolution also supports an email option. The report writer supports file encryption to protect report definition and result files. The encryption uses a natively implemented Blowfish algorithm and uses a 128-bit key.

System Functionality

The Evolution system is a complete payroll service bureau management system, enabling payroll service providers to process payroll, manage tax payments and filing, and manage ACH transactions for their clients.

Taxes - Federal, state and local taxes are maintained by the software and are viewable by the service bureau. All taxes are table based and all calculations originate from a single point.
The system is fully integrated with EFTPS so that enrollments and payments can be automated by the service bureau through a single point of entry. Employees can have an unlimited number of taxing entities associated with their pay. The taxable wages accrue independently for each tax, and tax amounts can be withheld or blocked as necessary. If the employee is working in more than one state or locality, multiple state or local taxes can be withheld per the reciprocal agreements between those entities. The employee's filing status for each taxing entity is recorded independently, allowing for different withholdings for each. Additional tax amounts can automatically be withheld, if desired, and can automatically be suppressed on supplemental checks. Because a client may not know the state specific allowance or exemption information, a tax information window is shown which indicates important information about each tax.

Tax return processing - The software allows for tax returns to be processed in any order or sequence chosen by the user. The system uses a proprietary snapshot reporting feature, which stores an encrypted facsimile of each tax return so that users can be certain that they are viewing an actual return which was processed and filed by the system and not a reprocessed return which may have changed due to system changes.

Bank Accounts and ACH - The system allows for unlimited ACH transactions from multiple banks and bank accounts. Banking transactions are created and tracked by the system, which also automatically populates the bank account register to facilitate the reconciliation process.

Remote Access and Security

In Evolution, each user ID can be set up with specific permissions to limit a user's access to only the windows, buttons, functions and data that they need for performing their jobs. Before displaying any window, Evolution checks the access rights of the user. In addition, Evolution tracks the history of the changes made to most data fields. This history allows a review of who made changes to the data and when they were made. Finally, Evolution stores all security information in protected files in the main database instead of in the application or the user's workstation. The Conversion Department and the Vice President of Operations manage the security administration for the Remote Evolution users.

The Evolution software maintains a client database. The database is only accessible through the software application and is protected from unauthorized access. Evolution uses Firebird, an open source relational DB engine, as its database back end. The design of Evolution is such that the client software never communicates directly with the database server. In addition, Evolution uses a custom SQL parser to limit user access to protected information. This information includes pay rates, salary amounts, clients, companies, divisions, branches, departments, and teams, etc. Passwords within the Evolution system must be a minimum of six characters, must meet complexity requirements and must be changed every 90 days.
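The scoping technique the description attributes to the Request Processor and the custom SQL parser (authorization tests appended to every where clause, user-supplied values handled as data) is sketched below as an added example in Python with SQLite. It is not Evolution's code; the `employee` table, its columns, and the `ScopedQuery` and `naive_select` names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: two payroll clients (100 and 200) sharing one table.
ROWS = [(1, 100, "Avery", 52000), (2, 100, "Blake", 61000), (3, 200, "Casey", 75000)]
COLUMNS = {"id", "client_id", "name", "salary"}
# Column treated as protected, mirroring the salary restriction (assumed name).
PROTECTED = {"salary"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, client_id INTEGER,"
               " name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", ROWS)
    return db


def naive_select(db, client_id, where, params):
    """Weak form: the scope test is appended without parentheses, so an OR in
    the existing predicate escapes it (AND binds tighter than OR)."""
    sql = f"SELECT name FROM employee WHERE {where} AND client_id = ?"
    return db.execute(sql, (*params, client_id)).fetchall()


class ScopedQuery:
    """Hypothetical scoping layer: every SELECT is restricted to the caller's
    entitled client IDs, and values reach the database only as bound parameters."""

    def __init__(self, db, allowed_clients, may_view_protected=False):
        self.db = db
        self.allowed = tuple(allowed_clients)
        self.may_view_protected = may_view_protected

    def select(self, columns, where="1=1", params=()):
        # `where` is a predicate template written by application code, never
        # user input; user-supplied values travel only in `params`.
        for col in columns:
            # Identifiers cannot be bound, so they are checked against an allow-list.
            if col not in COLUMNS:
                raise ValueError(f"unknown column: {col!r}")
            if col in PROTECTED and not self.may_view_protected:
                raise PermissionError(f"column {col!r} is protected")
        if not self.allowed:
            return []  # fail closed: no entitlements means no rows
        marks = ", ".join("?" * len(self.allowed))
        # Parenthesize the existing predicate before appending the scope test.
        sql = (f"SELECT {', '.join(columns)} FROM employee "
               f"WHERE ({where}) AND client_id IN ({marks}) ORDER BY id")
        return self.db.execute(sql, (*params, *self.allowed)).fetchall()


def demo():
    db = make_db()
    where, params = "name = ? OR id > ?", ("Avery", 0)
    leaked = naive_select(db, 200, where, params)              # crosses clients
    scoped = ScopedQuery(db, [200]).select(["name"], where, params)
    return leaked, scoped


if __name__ == "__main__":
    print(demo())
```

The unparenthesized version returns a row belonging to client 100 to a user entitled only to client 200, which is the failure a predicate-appending layer has to rule out.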
Clients who utilize the Remote option enter their own payroll information by logging into PayData's servers remotely using individually assigned user IDs and passwords. Safeguarding controls are in place to ensure that only authorized users gain access to their specific company payroll data. PayData uses the security role features of Evolution to allow authorized client users to gain access to only their specific company payroll data. The client does not have the capability to access or modify the username or password, or to open any databases not assigned to them. The client connection to Evolution is secured by 128-bit Blowfish encryption.

General Computer Controls

Building and Office Access

PayData's offices are located in a stand-alone brick building shared with isystems. The office building is divided into two separate office suites with a common area; one suite is dedicated and secured to PayData and the other to isystems. The entire building is protected by key locks, an alarm system and Paxton Access Limited Net2 Access Control card readers on all exterior entrances. Physical keys are only provided to Senior Management and building maintenance personnel. Entrance to the building and PayData's suite by staff members is controlled by the Net2 Access Cards. PayData's staff members are only granted access to the PayData suite and most staff are further restricted to business hours during weekdays. The level of building access granted to the staff member is based on business needs. When an employee is terminated, the Net2 Access card is retrieved and the Net2 Access control system is updated to reflect that the card is no longer valid and the access level permissions are removed. The Vice President of Operations is responsible for assigning and terminating the Net2 Access cards to the employees. The Net2 Access Control system tracks events which can be reviewed to monitor building access.

The main entrance to the office suite is designed with two doors, with the outer door opening to a vestibule. The outer door is protected by a key lock and an electronic lock system with a Net2 Access Control card reader. After normal working hours the outer door is locked. The inner office door is protected by an electronic lock and is locked at all times. Visitors ring a door bell and are screened by PayData personnel. All visitors are logged in and out on a visitor log and are given a visitor badge. In addition, the visitors are escorted by PayData's personnel during their visit.

The office space is divided into several functional areas: lobby, operations, finance, tax, processing, management offices, training rooms, staff break room, storage room and the server room. The Processing Room is kept locked and secured by a five-digit heavy duty mechanical keypad lock. Only Senior Management and the Processing Department personnel have access to the Processing Room. All check printing equipment, check stock and MICR toners are stored in this room.

Physical Access and Environmental Protection of Server Room

The office suites are protected by an electronic security system with each suite having its own alarm code.
Life Safety \ Home Security has been contracted to monitor any alarm notifications and communicate directly with the Colchester Police Department and Colchester Fire Department as necessary. Senior Management is also notified by the alarm company.

The computer system is located in a restricted area. The door to the server room has a five-digit heavy duty mechanical keypad lock and only authorized personnel have access. The server room is protected by the following environmental control systems:

- Raised flooring
- Water sensor monitoring device with emergency electrical shut-off
- Emergency electrical shut-off switches
- Fire and smoke detection devices, after hours off-site monitoring
- DuPont FE-36 hand-held fire extinguisher
- Temperature control device with two dedicated Liebert air conditioners and two portable air conditioners for redundancy
- Temperature monitoring devices with remote notification and auto shutdown
- Uninterruptible Power Supply (UPS) (battery backup)

The UPS consists of an APC battery backup system. In the event of an electrical failure, the battery-powered electrical supply system provides approximately 10 minutes of power, which allows adequate time for the computer systems to be shut down to protect against the loss of data. In the event of excessive temperatures, the monitoring device will automatically contact the IT personnel by email and is also configured to shut down the computer systems if over 90 degrees.

Logical Access

Access to resources and data is granted to individuals based on their job responsibilities. An approved request is required for a new user or a change to existing user access. isystems IT Department personnel serve as the network security administrator and are responsible for ensuring adherence to the IT Policy, which addresses logical access control procedures. User accounts and access rights are managed using Active Directory and the Primary Domain Controller, employing the Internet-standard Kerberos network authentication protocol to authenticate both the client and the network and protect against the possibility of unauthorized users impersonating a server to enter the network.

Unique user IDs and passwords are assigned to each individual user. Password rules are established according to PayData's IT Policy. Passwords require at least five characters and are systematically required to be changed at least every 90 days, with the previous six passwords not allowed to be reused. The network administrator sets the user's initial password and, upon initial login, the user is required to change their password. User accounts are locked out for 30 minutes after five failed login attempts.

Individual access capabilities are removed immediately upon the IT Department being notified of the termination of employment or change of responsibilities. System security access levels are reviewed annually by the Management Team to ensure individual access rights are appropriate based on job information.
Software Change Management The Management Team receives s from isystems notifying them that an update has been released and review the notes posted on isystems support website describing the details of the application update or system database update for the tax tables. The Vice President of Operations is responsible for coordinating the Evolution software changes and will an approval to the isystems IT Department to implement the update. Once the isystems IT Department receives an approval from the Vice President of Operations, the update is scheduled to be installed after business hours. Backups of files are verified prior to installing updates to software packages. The isystems IT Department personnel send the Vice President of Operations an upon the successful implementation of the update. The President and Vice President of Operations are responsible for authorizing the implementation of all Windows and Linux operating system changes and patches, which has been outsourced to isystems IT Department. Upon receipt of notification of the updates, Management coordinates with the isystems IT Department personnel regarding the changes included in the update. Once the implementation of the updates or patches is approved based on the recommendations from isystems IT Department personnel, the update is installed. If there are any concerns about the potential impact of the system update, it will initially be installed on a local workstation and tested prior to installing on the servers. Backups of files are made prior to installing updates to the operating systems. 24

Information Safeguards

PayData has two backup processes performed daily and/or in real-time to ensure data is retained and backed up.

The first process is a backup and archive, with the backup ultimately on physical tapes stored off-site. The Evolution system and client database backups begin with a local backup to separate folders on each DB server. This step of the procedure transforms raw databases into transportable backup files. Next, the backup server (ArcServe) copies the transportable backups from each DB server and the file server, which contains all the company and client files, to a virtual tape library in the Colchester server room. After the virtual tape has the backup files written to it, another copy process puts those same backup files on a physical tape for the purposes of off-site vaulting. At the end of the process, the backup files are stored on each DB server, a virtual disk tape library and also on a physical tape at the end of each business day. Physical tapes are transported off-site daily and stored in a fireproof safe.

The second process is accomplished with Evolution's Asynchronous Data Replication (ADR), provided by isystems, to continuously replicate the system and client databases to servers at an off-site location provided by isystems. The replication process is nearly instantaneous and occurs every time a file on the database has been changed.

Virus protection software is installed and auto-updated regularly by the Symantec Endpoint Virus Protection Software. The Symantec Endpoint AutoUpdate policy will poll for new virus signatures and program updates every hour to ensure quick updates to newly discovered virus attacks. isystems IT Department personnel regularly review the virus protection software to ensure it is kept up-to-date. Users are trained to not open email from unknown/foreign sources, perform downloads from the internet that are non-business related, or install any applications or software without permission or consent from their supervisor or management.

Computer Operations

The information systems are monitored 24x7x365 by Nagios, which is a system and network monitoring application. Nagios is configured to watch hosts and services that PayData has specified, alerting the isystems IT Department personnel when things go bad and when they get better. Some of the many features of Nagios include:

- monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, etc.)
- monitoring of host resources (processor load, disk usage, etc.)
- simple plugin design that allows users to easily develop their own service checks
- parallelized service checks
- ability to define network host hierarchy using "parent" hosts, allowing detection of and distinction between hosts that are down and those that are unreachable
- contact notifications when service or host problems occur and get resolved (via email, pager, or user-defined method)
- ability to define event handlers to be run during service or host events for proactive problem resolution
- automatic log file rotation
- support for implementing redundant monitoring hosts
- web interface for viewing current network status, notification and problem history, log file, etc.

PayData has Nagios configured to monitor many aspects of the system, which include but are not limited to: CPU utilization and disk space of all servers, device (server and printer) availability, internet connectivity, and temperature monitoring in the server room. The Nagios software is configured to automatically email the isystems IT Department personnel in the case of any triggering event so that potential problems are resolved in a timely manner.

The isystems IT Department personnel also serve as a help desk for internal users. PayData has implemented a formal procedure for logging network and systems related issues via a ticketing system (RT, Request Tracker). When an issue arises, the user emails the helpdesk system and a ticket is generated. Both isystems IT personnel are notified via email 24 hours a day of any new tickets. After reviewing the issue, the isystems IT personnel ascertain the priority level of the issue and respond appropriately. Upon resolution, the ticket number is closed.

Subservice Organizations

PayData uses several subservice organizations to outsource certain functions or supplement their services. The services provided are described below.

Evolution is the payroll software vendor utilized by PayData. The Evolution payroll software and ADR software are supported by isystems. PayData contracts with isystems to provide software that processes payroll information completely and accurately. isystems also provides software and tax table updates to PayData. PayData does not have access to the source code.

BNA is the payroll tax research vendor utilized by PayData. PayData has subscribed to BNA for researching payroll and tax related issues.

Cachet Banq, Inc. (Cachet Banq) provides PayData with the processing of electronic funds transfers (EFT) through ACH for billing, tax escrow, trust and direct deposit funds.

isystems and Symquest are service providers that contract with PayData or isystems for the outsourcing of PayData's information technology management and support. The isystems IT Department provides the following services as the primary service provider. Symquest augments and provides backup IT support either on-site or remotely as needed for the following areas: Network and System Management Desktop Support Virus Protection Service Patch Monitoring and Distribution Security Services Firewall maintenance and monitoring

The control objectives and related controls of isystems, BNA, Cachet Banq and Symquest are omitted from the description of the control environment elements. The control objectives in the report include only objectives PayData's controls are intended to achieve.

Client Control Considerations

Processing of transactions for clients performed by PayData and the control policies and procedures of PayData cover only a portion of the overall internal control structure of each client. It is not feasible for the control objectives to be solely achieved by PayData. Therefore, each PayData client's internal control structure must be evaluated in conjunction with PayData's control policies and procedures summarized in the report.

The following list describes certain controls that clients should consider to achieve the control objectives identified in this report. The client control considerations presented below should not be regarded as a comprehensive list of all controls that should be employed by clients. Client management is responsible for:

Complementary User Control Considerations

1. Ensuring that only authorized and properly trained personnel are allowed logical access to PayData systems, fax input worksheets and coversheets.
2. Establishing proper controls over the use of user IDs and passwords that are used to access and enter payroll information on Evolution.
3. Review of the annually prepared payroll processing schedule and notifying PayData of any changes in a timely manner.
4. The preparation of worksheets, faxes and control totals that are sent to PayData.
5. Notifying PayData of changes in the authorized contacts list.
6. Accuracy of the data entry when using remote client entry in Evolution.
7. Reviewing the Pre-Processing Payroll Register report before submitting on a timely basis to ensure that all payroll information has been recorded completely and accurately.
8. Reviewing the reports produced by PayData after initial account set-up. This is to ensure that employee-level and company-level information has been initially recorded completely and accurately.
9. Review of error messages that result from entering payroll data, addressing errors and resolution in a timely manner.
10. Submitting payroll data in accordance with the mutually agreed upon schedule.
11. The completeness and accuracy of client-specified deductions.
12. Submitting client-specific deduction changes to PayData in a timely manner.
13. Establishing procedures to notify PayData if employees report problems with checks.
14. Signing upon receipt of payroll reports, checks and vouchers.
15. Receiving and distributing checks.
16. Reconciling bank accounts used for payroll processing on a timely basis each month.
17. Retention of payroll reports and supporting documentation for the appropriate length of time to comply with all federal, state and local compliance agencies.
18. Submitting all relevant correspondence with tax agencies to PayData promptly.

The fact that PayData is an entity separate from its clients provides a certain amount of inherent segregation of functions. PayData's employees are not authorized to initiate transactions or modify client files except through normal production procedures.

SECTION IV. PAYDATA'S CONTROL OBJECTIVES AND RELATED CONTROLS AND INFORMATION PROVIDED BY THE

Purpose and Objectives of the Report

This report is intended to provide users of PayData's activities with information about controls at PayData that may affect the processing of user organizations' transactions and also to provide users with information about the controls implemented for payroll processing. This report, when combined with an understanding and assessment of the internal controls at user organizations, is intended to assist the user auditor in (1) planning the audit of the user's financial statements and in (2) understanding control risk for assertions in the user's financial statements that may be affected by controls at PayData. There were no significant changes to controls since the previous SAS 70 Type II report dated September 30, Our examination was restricted to the control objectives and the related control procedures specified in Section IV by PayData's management and was not extended to procedures described elsewhere in this report but not listed, or to procedures that may be in effect at the user organization. The examination was conducted in accordance with the Statement of Standards of Attestation Engagements, Reporting on Controls at a Service Organization (SOC1), of the American Institute of Certified Public Accountants.

It is each user auditor's responsibility to evaluate this information in relation to the controls in place at each user organization. If certain complementary controls are not in place at the user organization, PayData's controls may not compensate for such weaknesses.

Tests of Operating Effectiveness

Our tests of effectiveness of the controls included such tests as we considered necessary in the circumstances to evaluate whether those controls, and the extent of compliance with them, were sufficient to provide reasonable, but not absolute, assurance that the specified control objectives were achieved during the period from October 1, 2010 to September 30, Our tests of the operational effectiveness of controls were designed to cover a representative number of transactions throughout the period of October 1, 2010 to September 30, 2011, for each of the controls listed in Section II, which are designed to achieve the specific control objectives. In selecting particular tests of the operational effectiveness of controls, we considered (a) the nature of the items being tested, (b) the types of available evidential matter, (c) the nature of the audit objectives to be achieved, (d) the assessed level of control risk and (e) the expected efficiency and effectiveness of the test.

Test: Description

Corroborative Inquiry: Made inquiries of appropriate personnel responsible for the performance of the control activity and corroborated responses with management.
Observation: Observed the application of a specific control activity.
Inspection: Inspected documents and reports indicating the performance of the control activity.
Reperformance: Reperformed the control or processing application of the control to ensure the accuracy of its operation. This includes, among other things, reperforming the agreement of control totals by independently comparing the control totals to supporting documents.

PayData's Control Objectives and Related Controls and Independent Service Auditor's Tests of Controls and Results of Tests

Control Objective #1: Controls provide reasonable assurance that senior management provides planning and oversight of the organization's activities.

1.1 The organizational structure provides segregation of duties between operations, tax, accounting and operating systems maintenance.
Tests of controls: determine that PayData's key functions within its business operations have been segregated between personnel. Inspected the organization chart and job descriptions to validate the segregation of key duties.

1.2 Responsibilities over PayData's business operations have been segregated into functional areas in order to enhance controls.
Tests of controls: determine that operations have been segregated. Inspected the organization chart and job descriptions to validate the segregation of key functional responsibilities.

1.3 The Vice President of Operations holds weekly Department Manager meetings to review each department's scorecard and discuss other company information.
Tests of controls: determine that the Vice President of Operations meets with the Department Managers weekly to review activities and each department's performance. For a selection of weeks, inspected the departmental scorecards and management meeting minutes for evidence of review.

1.4 The CEO, President and Vice President of Operations review financial statements compared to the prior year on a monthly basis. In addition, a budget is utilized and comparisons are made monthly.
Tests of controls: determine that management reviews productivity, error rates, and other financial information. For a selection of months, inspected the management reports, financial statements and executive meeting minutes for evidence of review.

1.5 The CEO, President and Vice President of Operations review monthly production statistics, new client revenue and other performance metrics.
Tests of controls: determine that management reviews productivity, error rates, and other financial information. For a selection of months, inspected the management reports, production statistics and management meeting minutes for evidence of review.

1.6 The CEO, President and Vice President of Operations hold monthly meetings to discuss the technology, financial and business risks.
Tests of controls: determine that the officers meet monthly to discuss risks. For a selection of months, inspected the monthly management meeting minutes.

Control Objective #2: Controls provide reasonable assurance that senior management provides planning and oversight of the organization's activities.

2.1 The hiring process is formalized and documented by a checklist. All candidates for employment are interviewed by at least two members of management. Background and checks are required for all new employees.
Tests of controls: determine that PayData's policy requires background checks. Inspected a selection of new employees' personnel files for evidence of the hiring procedures.

2.2 The organization maintains an Employee Handbook that outlines key business practices and employee responsibilities.
Tests of controls: determine that the organization has an Employee Handbook. Inspected the Employee Handbook.

2.3 New employees are required to sign off on a form indicating they have read and understand the Employee Handbook.
Tests of controls: determine that all new employees must sign a form acknowledging their understanding of the content of the Employee Handbook. Inspected a selection of new employees' personnel files for evidence of the signed forms.

2.4 All employees must sign a Confidentiality Agreement prior to gaining access to client data.
Tests of controls: determine that all new employees must sign a confidentiality agreement as a condition of employment. Inspected a selection of new employees' personnel files for evidence of the signed forms.

2.5 Job descriptions exist for all non-managerial positions which provide employees with management's expectations and their responsibilities.
Tests of controls: determine that job descriptions are utilized. Inspected the job descriptions for all non-managerial positions within the organization.

2.6 Procedure Manuals are maintained and available for use by all staff members.
Tests of controls: determine that proper documentation is available to all staff members for reference and training. Observed the procedure manuals.

2.7 Company policy requires that a performance review be completed for all staff members on at least an annual basis.
Tests of controls: determine that annual performance reviews are performed. Inspected the annual review for a selection of employees.

Control Objective #3: Controls provide reasonable assurance that physical access to computer equipment is restricted to properly authorized individuals.

3.1 Access to the office building and office suite is restricted to authorized personnel by key locks and electronic locks at all times. The main entrance is unlocked during normal working hours and opens to a vestibule; however, the inner door to the office suite is secured at all times by an electronic lock.
Tests of controls: Corroboratively inquired of management to verify the building security and limited access after normal working hours. Observed the office location and security access points of the building and office suite. Inspected the list of employees with keys and Net2 Access cards and reviewed for appropriateness.

3.2 All office suite access points are controlled by the Net2 Access card system. Most employees' access is limited by the Net2 Access card system to the hours of 7:45AM to 5:30PM. Only limited personnel with a business need have unlimited access.
Tests of controls: Corroboratively inquired of management to verify the office suite security and limited access after normal working hours. Observed the office suite security access points. Inspected the list of employees with Net2 Access cards, reviewed for appropriateness and verified the time-based access restrictions.

3.3 A security system is utilized to restrict access to all unauthorized individuals to PayData's office after normal business hours. A third-party security company monitors access 24x7x365.
Tests of controls: Corroboratively inquired of management to verify the office suite has an electronic alarm system and appropriate employees are given the access code. Observed the office suite and security system devices.

3.4 Visitors are screened and greeted in the vestibule, logged on the visitor log and escorted by PayData personnel at all times.
Tests of controls: Corroboratively inquired of management to verify access to the office suite is limited to appropriate personnel. Observed the office space and procedures in place to limit access.

3.5 The Processing Room is secured by a heavy duty mechanical keypad lock and access is restricted to authorized personnel.
Tests of controls: Corroboratively inquired of management to determine the methods for restricting access to the Processing Room. Observed the mechanical keypad lock device on the Processing Room door and inspected a list of employees with access for appropriateness.

3.6 The server room is secured by a heavy duty mechanical keypad lock at all times and access is restricted to authorized personnel.
Tests of controls: Corroboratively inquired of management to determine the methods for restricting access to the server room. Observed the mechanical keypad lock on the server room door and verified critical hardware is kept locked in the room. Inspected the list of employees with access and reviewed for appropriateness.

3.7 All keys and Net2 Access cards are retrieved and security codes are changed after the termination of an employee with access as part of the normal out-processing procedures and documented on a checklist.
Tests of controls: Corroboratively inquired of management to determine the policies for disabling a terminated employee's access. Inspected a selection of terminated employees and verified their access was disabled and noted the termination checklist was completed.

Control Objective #4: Controls provide reasonable assurance that the data center and server room are adequately protected from environmental threats.

4.1 The server room is protected by the following systems:

- Raised flooring
- Water sensor monitoring device with emergency electrical shut-off
- Emergency electrical shut-off switches
- Fire and smoke detection devices, after hours off-site monitoring
- DuPont FE-36 hand-held fire extinguisher
- Temperature control device with two dedicated Liebert air conditioners and two portable air conditioners for redundancy
- Temperature monitoring devices with remote notification and auto shutdown
- Uninterruptible Power Supply (UPS) (battery backup)

Tests of controls: Corroboratively inquired of management to verify environmental control devices are in place and monitored. Observed the environmental control devices were in place during a tour of the server room.

4.2 The UPS (battery backup) provides approximately 10 minutes of power for the servers to perform a graceful shutdown to reduce the risk of data loss.
Tests of controls: Corroboratively inquired of management to verify a UPS system is in place. Observed the UPS devices were in place during a tour of the server room and noted operational status. Inspected the configuration of the UPS management software for evidence of the automated shutdown settings.

4.3 Temperature, water and fire/smoke are monitored 24/7/365 by devices which automatically notify the IT personnel or management upon environmental failures.
Tests of controls: Corroboratively inquired of management to verify environmental control devices are in place and monitored. Observed the environment monitoring devices in place during a tour of the server room. Inspected the configuration and notification settings for the temperature monitor and reviewed for appropriateness.

Control Objective #5: Controls provide reasonable assurance that logical access to programs and data files is restricted to properly authorized individuals.

5.1 Users are granted access to network resources, using a combination of Active Directory and application level access (individual tabs or screens), based on their job function and responsibilities.
Tests of controls: Corroboratively inquired of management to verify that current user access to the network and application is based on job responsibilities. Inspected a selection of accounts with access to the network and the application and verified the appropriateness of the assigned logical access rights.

5.2 User's access to the system must be authorized by a Management Team member prior to the network administrator granting access to the systems.
Tests of controls: Corroborative inquiry with management to determine the procedures in place for authorizing access for new users. Inspected a selection of new employees' personnel files for evidence of the proper authorization of a new user's access to the system.

5.3 The computer system will automatically prompt the users to change their passwords every 90 days. The passwords must be five characters in length.
Tests of controls: Corroboratively inquired of management to verify the password policies established for the network. Inspected the system policy settings for the network operating system and confirmed the following password parameters:

- Min password length: five characters
- Max password age: 90 days

5.4 User accounts are locked out after five failed attempts by the computer system and are locked out for thirty minutes.
Tests of controls: Corroboratively inquired of management to determine the system parameters established for the network. Inspected the system policy settings for the network operating system to confirm user accounts are locked out after five failed attempts for thirty minutes.

5.5 A user's access to the network is immediately disabled by the network administrator upon termination of the user's employment, using formalized procedures and documented on a checklist.
Tests of controls: Corroborative inquiry with management to determine the procedures in place for removing terminated users from the system. Inspected the form used to document the termination process. Inspected a selection of terminated employees' personnel files for evidence of the disabling of logical access.

5.6 If a user changes roles or responsibilities, the user's access will be modified by the network administrator or Evolution administrator to be consistent with the new position.
Tests of controls: Corroboratively inquired of management to determine the procedures in place for modifying a transferred employee's system access. Inspected the form used to document the process. Inspected a selection of employees' personnel files that changed roles for evidence of the modification of access.
Results of tests: Unable to test as there were no employees that changed roles during the period under review.

5.7 The Evolution software will automatically prompt the users to change their passwords every 90 days. The passwords must be six characters in length and meet complexity rules.
Tests of controls: Corroboratively inquired of management to verify the password policies established for Evolution. Inspected the Evolution security settings and confirmed the following password parameters:

- Min password length: six characters
- Max password age: 90 days
- Complexity requirements enabled

5.8 The ability to administer security on the Evolution software is limited to appropriate personnel.
Tests of controls: Corroborative inquiry with management to determine the individuals with privileged accounts on the system. Inspected the Evolution security settings to ensure access is limited to appropriate individuals.

Control Objective #6: Controls provide reasonable assurance that changes to the existing system software and implementation of new software are authorized, tested, approved, properly implemented and documented.

6.1 The Management Team is notified of all Evolution software updates via email by the software vendor and reviews the release notes for appropriateness prior to implementation.
Tests of controls: Corroborative inquiry with management to determine procedures in place for performing software updates. Inspected a selection of the software updates performed for review by management and approval.

6.2 The Vice President of Operations approves the implementation prior to the isystems IT Department personnel installing the update.
Tests of controls: Corroborative inquiry with management to determine procedures in place for approval of the software update. Inspected a selection of application software updates performed for evidence of proper approval by the Vice President of Operations.

6.3 Full system backups are performed prior to updates being loaded into production.
Tests of controls: Corroboratively inquired of management to verify that full system backups are performed prior to the implementation of application updates into the production environment. Inspected a selection of application updates and verified a backup was completed.

6.4 The ability to implement software changes and version releases in Evolution is limited to authorized individuals. Access to the Evolution servers is limited to authorized personnel.
Tests of controls: Corroboratively inquired of management to verify the ability to implement software changes and version releases in Evolution is limited to authorized personnel. Inspected a list of authorized users for the Evolution server.

6.5 PayData personnel do not have access to make changes to the Evolution source code.
Tests of controls: Corroboratively inquired of management to verify PayData does not have access to make source code changes to the Evolution application. Inspected the Evolution License agreement to verify that the source code cannot be modified by PayData.

Control Objective #7: Controls provide reasonable assurance that data is retained and backed up completely and stored off-site.

7.1 The Evolution system and client database files are backed up daily using automated routines to the following media:

- Separate folder on each DB server
- Virtual tape library
- Physical tape stored off-site

Tests of controls: Corroboratively inquired of management to determine the process for backing up the databases. Inspected the backup job routines to ensure production environments are included. Inspected the schedule of backups performed for appropriateness.

7.2 The file server, which contains all company and client files, is backed up to the virtual tape library daily using an automated routine.
Tests of controls: Corroboratively inquired of management to determine the process for backing up the file server. Inspected the backup job routines to ensure production environments are included. Inspected the schedule of backups performed for appropriateness.

7.3 PayData utilizes the Asynchronous Data Replication (ADR) software to continuously replicate the system and client databases to servers at an off-site location provided by isystems.
Tests: Corroboratively inquired of management to determine the Evolution data files are replicated to an off-site server constantly. Inspected the ADR software to verify proper configuration and the replication process was active.

7.4 The isystems IT Department personnel and the Vice President of Operations monitor the success of the nightly backup procedures. All backup routines automatically a success/failure report.
Tests: Corroboratively inquired of management to determine the process for verifying the success of the previous night's backup. Inspected the backup job routines for the configuration of the notification for appropriateness. Inspected a selection of days for evidence of the Vice President of Operations' review of the backup confirmations to determine the success of the previous night's backup.

Control Objective #8: Controls provide reasonable assurance that the remote input clients' access to resources is restricted to authorized users.

8.1 The remote clients log into Evolution using a unique user ID and password. Evolution's security has the option to restrict user's access to the module, tab and even field levels.
Tests: Corroborative inquiry with management to determine the security in place for the Evolution software. Inspected application documentation for evidence of the Evolution software's security. Inspected the remote user listing for evidence that Evolution security rights are enabled for remote clients.

8.2 PayData has configured Evolution security roles to restrict remote clients' access to only their specific company payroll data. The clients are also restricted from various system and company level screens or fields.
Tests: Corroborative inquiry with management to determine how security settings in Evolution are used to restrict client access. Inspected application documentation for evidence of the remote user process and inspected the security settings for a client and noted the company level access restriction.

8.3 PayData's network is protected by a firewall and activity is monitored daily by isystems IT Department personnel.
Tests: Corroborative inquiry with management to determine the procedures in place for monitoring firewall activity. Inspected the configuration and settings of the firewall.

Control Objective #9: Controls provide reasonable assurance that information systems are available for operation and use as committed, and that the likelihood and impact of system downtime is minimized.

9.1 The information systems are monitored 24x7x365 by an automated system that automatically alerts the IT personnel of any issues. Examples of monitored systems included:
- Servers availability
- Printers availability
- Fax system availability
- Phone system availability
- CPU utilization and disk space
- Internet connectivity
- UPS status and runtime
Tests: Corroborative inquiry with management to determine the procedures for monitoring the IT systems and resolution of problems. Inspected the Nagios application for evidence of the configuration and monitoring of IT systems.

9.2 The Nagios application is configured to alert the isystems IT Department personnel by upon the triggering of any event threshold. Tickets are used to assign tasks and resolve issues.
Tests: Corroborative inquiry with management to determine the procedures for monitoring the IT systems and resolution of problems. Inspected the Nagios application for evidence of the notification configuration and ticketing system. Inspected the ticketing system for evidence of open and closed tickets for IT system issues.

Control Objective #10: Controls provide reasonable assurance that conversion and setup of new clients is complete and accurate.

PayData utilizes standard checklists to guide and document the process and customized forms are used to gather the payroll information for the new client.
Tests: determine the procedures performed to set up or convert a new client. Inspected a selection of new clients for evidence of the completed checklists and required documentation.

All clients sign a Scope of Services and Term & Conditions Agreement, Tax Agent Agreement and Employer Electronic Bank Transfer Agreement with PayData.
Tests: determine the procedures performed to document the agreement of services provided to the new client. Inspected a selection of new clients for evidence of the signed agreements.

10.3 New clients' banking relationship and banking history are confirmed with the clients' bank and reviewed by a member of the Accounting Department to determine the client's credit risk in relation to the requested services.
Tests: determine the procedures performed to review the new clients' credit risk. Inspected a selection of new clients for evidence of the banking relationship and history verification reviewed by the Accounting Department.

The Conversion Supervisor reviews the conversion documentation submitted by the Sales Department for completeness and compliance with policy prior to assigning it to a Conversion Specialist.
Tests: determine the procedures performed to review the new client information prior to commencing the conversion and setup process. Inspected a selection of new clients for evidence of the Conversion Supervisor's review of the new client packet received from the Sales Department.

A second person, normally from the Client Services Department, reviews all company information and employee demographics in the payroll software for accuracy and completeness prior to the first payroll run. A Client/Company Audit Checklist is used to document the review.
Tests: determine the procedures performed to validate the new client data in the payroll software. Inspected a selection of new clients for evidence of the second person's review and completion of the Client/Company Audit Checklist.
Exception Noted: For one out of 25 new clients tested, the Client/Company Audit Checklist was incomplete. No other exceptions noted.

10.6 The Accounting Department personnel review the bank account numbers, services provided and billing information in the payroll software with the EFT Agreement, Client Setup Forms and Proposal for completeness and accuracy prior to the first payroll run.
Tests: determine the procedures performed to verify the bank account numbers and billing setup for a new client. Inspected a selection of new clients for evidence of the completed review by the Accounting Department.

The tax setup information in Evolution, such as client specific tax rates, filing frequency and id numbers, and year-to-date wages and tax liabilities are reviewed by a member of the Tax Department.
Tests: determine the procedures performed to validate the tax setup information. Inspected a selection of new clients for evidence of the Tax Department personnel's review.

Control Objective #11: Controls provide reasonable assurance that processing is scheduled and performed appropriately and deviations from the schedule are identified and resolved.

Scheduling Reports By Call In Date is printed every Friday, which lists clients to be processed the following week.
Tests: determine the procedures for verifying all scheduled payrolls were processed timely. Inspected a selection of days for evidence of the Client Services Department personnel's utilization of the Scheduling Reports.

Each Client Service Representative is responsible for maintaining their Scheduling Report and will contact any client that has not processed their scheduled payroll on or before 2:00PM of the scheduled date.
Tests: determine the procedures for managing the processing schedule. Observed, on a selection of dates, the Client Service Representatives managing their schedule and the resolution of exceptions. Inspected a selection of days for evidence of the Client Service Representatives' utilization of the Scheduling Reports and processing of client payrolls.

11.3 During the end of day procedures, the Client Service Representatives review the Payroll Not Called In Report and document the reason for not processing and provide the report to the Client Service Manager for review.
Tests: determine the procedures for managing the processing schedule. Inspected a selection of days for evidence of the Client Service Representatives' and the Client Service Manager's review of the Payroll Not Called In Report and the resolution of unprocessed payrolls.

The Waiting Payrolls Report is reviewed each afternoon to confirm that all payrolls that have been started are processed appropriately.
Tests: determine the procedures for managing the processing schedule. Inspected a selection of days for evidence of the Client Service Representatives' and the Client Service Manager's review of the Waiting Payrolls Report and the resolution of unprocessed payrolls.

Any supplemental payroll processes (nonscheduled payrolls) are reviewed and approved by the Client Service Manager or other member of management prior to processing.
Tests: determine the procedures for verifying all unscheduled payrolls were approved for processing. Inspected the security settings in Evolution that require the non-scheduled payroll processes to be approved in a separate queue prior to processing by a member of management.

Control Objective #12: Controls provide reasonable assurance that payroll data is received from authorized sources.

Fax: A pre-printed fax cover sheet and input worksheet are included with each payroll and are to be used for the transmission of the client payroll data. If the client does not utilize the coversheet, the Client Service Representative will take the appropriate steps to confirm the source of the information.
Tests: determine the procedures for verifying source for fax clients. Inspected a selection of fax input payrolls to determine that the payrolls were received from authorized sources.

Email, Esheet and TimeClock: The client submits payroll data by email and the Client Service Representative verifies the sender's address as well as the timing of the submission with the Payroll Schedule.
Tests: determine the procedures for verifying the source of email and Esheet clients. Inspected a selection of email, Esheet and TimeClock submitted payrolls to determine that the payrolls were received from authorized sources.

12.3 Remote Input: Clients log into PayData's payroll software and the Remote Access Server using Thin Client technology with individually assigned user IDs and passwords. PayData manages the administration of user ids and passwords.
Tests: determine the procedures for setting up new clients' access to their payroll database by a unique user id and password. Inspected the application manual and noted the requirement of the user id and password to gain access to the company data.

Control Objective #13: Controls provide reasonable assurance that payroll data, transactions and maintenance items, are initially recorded completely and accurately.

All Clients: The Client Service Representative reviews the information received from the client and makes note of any questionable items. The client is contacted by the Client Service Representative to resolve any of the noted items.
Tests: Corroborative inquiry with management to determine the procedures for recording client payroll data. Observed the Client Service Representatives review client submitted data, contact the client with questions and input the client data.

Fax and Email: The payroll data is manually entered by the Client Service Representatives. After the input is complete, the Client Service Representative compares the batch control totals in Evolution to the client submitted data. All submitted data must agree with the entered data before the payroll can be processed.
Tests: Corroborative inquiry with management to determine the procedures for recording client payroll data. Inspected a selection of fax and email payroll clients for evidence of the balancing procedures.

13.3 TimeClock Import and Esheet: The payroll data is imported by the Client Service Representatives. After the import is complete, the Client Service Representative compares the batch control totals with the submitted totals. All submitted data must agree with the imported data before the payroll can be processed.
Tests: Corroborative inquiry with management to determine the procedures for recording client payroll data. Inspected a selection of Esheet and TimeClock Import payroll clients for evidence of the balancing procedures.

Control Objective #14: Controls provide reasonable assurance that payroll checks, direct deposit vouchers and reports are produced and distributed completely, accurately and in accordance with client specifications.

Checks, vouchers and reports are generated in a secured and dedicated Processing Room. Access is limited to authorized personnel.
Tests: determine the location of the production of checks, vouchers and reports. Observed, during the office tour, the secured Processing Room and noted the location of the printers and sealing equipment.

The Payroll Cover Letter report and Delivery Instructions are generated with each client's payroll package to notify the Processing personnel of client specified distribution and delivery instructions. If special (one-time) instructions are received from the client, the Client Services Department personnel will communicate it to the Processing personnel prior to processing.
Tests: determine the procedures for printing the checks, vouchers and reports. Observed, on a selection of dates, the process of printing checks, vouchers and reports.

14.3 The Processing personnel monitor the status of the printers and resolve any paper jams or errors during printing. The Processing personnel will review the sequencing of checks or vouchers upon a printer error to ensure completeness. All unusable documents are destroyed.
Tests: determine the process in which errors are cleared. Observed, on a selection of dates, the process of printing checks, vouchers and reports.

Checks, vouchers and reports are then assembled and put into a sealed bag for delivery and sorted according to delivery method. A Security Seal sticker is applied to the package.
Tests: determine the process in which the payroll output is assembled and packaged for delivery. Observed, on a selection of dates, the Processing personnel assemble, package the payroll output and apply a Security Seal Sticker on the package.

The Processing personnel's access in Evolution, through security features, is limited to the functions of processing and printing of payrolls and cannot enter any payroll data.
Tests: determine the procedures for limiting Processing personnel's access in Evolution. Inspected the Evolution security settings for Processing personnel to verify the limited access.

Control Objective #15: Controls provide reasonable assurance that appropriate federal, state and local specifications are used for tax calculations during processing.

PayData receives updates to the tax tables from their software provider (isystems) on at least a quarterly basis. Included with each update is documentation listing the tax types that have been updated or added. The updates are reviewed by management and installed in a timely manner.
Tests: Corroborative inquiry with management to determine the procedures for updating the tax rates in Evolution. Inspected a selection of updates for evidence of review by management.

PayData maintains memberships in a payroll industry trade association that keeps their members up to date on tax related issues. PayData will notify isystems of any changes received from external sources that are not reflected in the documentation sent with their latest software update.
Tests: Corroborative inquiry with management to determine the utilization of trade association membership for tax research purposes. Inspected membership invoices for trade associations for the period under review.

PayData utilizes BNA, which provides a library of research information related to payroll and taxation.
Tests: Corroborative inquiry with management to determine the utilization of third party research tools for tax research purposes. Inspected the subscription invoices for the period under review.

Control Objective #16: Controls provide reasonable assurance that appropriate federal, state and local tax filings are complete, accurate and timely.

The Tax Department runs several reports on a daily basis to ensure that all tax filings for the selected filing period are complete, accurate and timely.
- Due Date Report (Federal, State and Local): Lists unpaid liabilities for a specified date. If the report reflects any payments due, they are made.
- 100k Due Date Report: Lists any clients that have outstanding federal tax payments that exceed the 100,000 next day filing requirement and used to ensure the payments have been made appropriately.
Tests: determine the process for verification of tax compliance for all clients. Inspected a selection of daily tax reports for evidence that the required payments were made by the due date. Inspected a selection of daily tax reports for evidence of the review by the Tax Specialist.

16.2 The Tax Department generates the daily tax payments for the next two business days using the EFTPS software or Evolution ACH module and compares to the Due Date report for completeness. The Tax Specialist verifies the payments with the confirmations from the EFT providers or taxing agencies' website.
Tests: determine the process for payment of tax liabilities. Inspected a selection of tax payments and agreed the payments to the EFTPS report, ACH Transaction Report, inclusion in the related confirmation from the EFT providers or taxing agencies' websites and the payment clearing the bank statement.

The tax payment process has multiple personnel involved to segregate the duties and provide supervision/review:
- Tax Specialist creates the tax payment files and submits to taxing agencies or bank
- Processing personnel submits the ACH transmission for processing
- Tax Manager reviews the tax payments made for accuracy
Tests: determine the process for payment of tax liabilities. Inspected a selection of tax payments and noted the segregation and review by the Tax Manager.

16.4 The Tax Department runs several reports on a weekly, monthly and quarterly basis to ensure that all tax filings for the selected filing period are complete, accurate and timely.
- The Balancing Report is generated and reviewed weekly by the Tax Manager that shows the difference in the taxes calculated and taxes collected for each client.
Tests: determine the tax reports utilized to monitor the accuracy of the tax process. Inspected a selection of weeks for evidence of the generation and review of the reports for variances and resolution.

The monthly and quarterly return processes have several phases to ensure the accuracy, completeness and timeliness of the returns.
- Quarterly all companies are subjected to a preprocess function, which tests all tax liabilities against calculated taxes for the quarter.
- Quarterly and annual returns are created and are subjected to a review process to ensure the accuracy of the returns.
- Delivery envelopes are created for each taxing agency and the returns sent to the taxing agency are compared to checklist to ensure all returns are properly submitted. For returns sent electronically, the clients contained in the file are also compared to the checklist.
Tests: determine the quarter end and year end reporting procedures. Inspected a selection of clients for evidence of the completion of the quarter ended June 30, 2011 Form 941, compliance with procedures and submission by the due date. Inspected the June 30, 2011 quarter end documentation for evidence of completion.

16.6 Checklists are utilized by tax code and client to ensure that all monthly, quarterly and annual tax returns are filed.
Tests: determine the quarter end and year end reporting procedures. Inspected a selection of quarterly checklists for evidence of the completion of the quarter end process.

Control Objective #17: Controls provide reasonable assurance that the disbursement of direct deposit funds is authorized, complete and accurate.

Clients sign an Employer Electronic Transfer Agreement and the Conversion Team personnel input the client provided bank account number and bank routing number into the client's database. The Accounting Department personnel review the bank account numbers in the payroll software for all new clients.
Tests: determine the process for client authorization of direct deposit. Inspected a selection of new clients for evidence of the executed authorization agreement. Inspected a selection of new clients for evidence of the Accounting Department's review of the bank account numbers.

The ACH file is created in Evolution and uploaded to Cachet Banq's secure website by the Processing Department personnel. The Processing Department personnel verify the ACH Transaction Report control totals with the confirmation page on the website after successful transmission of the ACH file.
Tests: determine the procedures to confirm the ACH files submitted to Cachet Banq. Observed the Processing Supervisor submit the ACH file to Cachet Banq and the verification of the control totals with the website. Reperformed the verification of the control totals of the ACH Transaction Report and the Cachet Banq website uploaded file listing.

17.3 The Processing Department personnel log the submitted ACH file control totals on the ACH Total Excel file.
Tests: determine the procedures to confirm the ACH files submitted to Cachet Banq. Observed the Processing Supervisor log the submitted ACH file on the ACH Total Excel file. Inspected a selection of ACH file submissions for evidence of being logged by the Processing Department personnel in the ACH Totals Excel file.

The Vice President of Operations verifies the submitted ACH files with the confirmation from Cachet Banq.
Tests: determine the procedures to confirm the ACH files submitted to Cachet Banq. Inspected a selection of ACH file submissions for evidence of the verification of the submitted ACH file by the Vice President of Operations.

Control Objective #18: Controls provide reasonable assurance that the tax impound and client trust funds are properly accounted for and the bank accounts are reconciled in a complete, accurate and timely manner.

The tax impound and client trust (netcheck) funds are maintained in separate bank accounts.
Tests: Corroboratively inquired of management to determine the utilization of multiple bank accounts for different transaction types. Inspected bank statements to determine the tax impound and client trust (netcheck) funds are maintained in separate bank accounts.

The Daily Funds Reconciliation Report is reviewed daily by the Accounting Manager to review any exceptions from the previous day's payroll processing and ACH files. Any exceptions are reviewed for appropriateness and resolved in a timely manner.
Tests: Corroboratively inquired of management to determine the procedures for monitoring the daily ACH process. Inspected a selection of Daily Funds Reconciliation Reports for evidence of review by the Accounting Manager and identification of any exceptions.

18.3 The bank account activity for the tax impound and netcheck\trust funds are cleared daily in Evolution by the Accounting Department personnel.
Tests: Corroboratively inquired of management to determine the procedures for bank account reconciliation. Inspected a selection of the daily activity clearing reports from Evolution for evidence of completion by the Accounting Department personnel.

The Accounting Department personnel reconcile the tax impound and client trust (netcheck) accounts monthly.
Tests: Corroboratively inquired of management to determine the procedures for bank account reconciliation. Inspected a selection of monthly bank reconciliations to determine the tax impound and client trust fund accounts were reconciled by the Accounting Department personnel.

The bank account reconciliations and all supporting documentation are reviewed by the Vice President of Operations monthly.
Tests: Corroboratively inquired of management to determine the procedures for bank account reconciliation. Inspected a selection of monthly bank reconciliations for evidence of the Vice President of Operations' review of the reconciliations.

18.6 The Accounting Manager reconciles the total tax liabilities from Evolution to the tax impound bank account balance on a monthly basis.
Tests: Corroboratively inquired of management to determine the procedures for the reconciliation of tax liabilities and tax impound funds. Inspected a selection of monthly tax liability reconciliations to determine the tax impound funds agreed to total tax liabilities and for evidence of the reconciliation performed by the Accounting Manager.


More information

MPAY Inc. Payroll Application Development and Processing Services

MPAY Inc. Payroll Application Development and Processing Services MPAY Inc. Payroll Application Development and Processing Services Service Organization Control (SOC) Report for the period of July 1, 2012 to June 30, 2013. Redacted for Components Restricted by the Professional

More information

Chapter 7 Trustee. Internal Control Questionnaire

Chapter 7 Trustee. Internal Control Questionnaire Chapter 7 Trustee Instructions for the trustee: The purpose of the (ICQ) is to provide the United States Trustee with an understanding of the internal controls and financial record keeping and reporting

More information

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions Plan Advisory The AICPA EBPAQC is a firm-based, volunteer membership center created with the goal of promoting quality employee

More information

Archdiocese of Chicago Parish Self-Assessment Checklist

Archdiocese of Chicago Parish Self-Assessment Checklist Self-Assessment Questions 1. Are written Parish Finance Council guidelines and norms defined, documented, and available to all Parish Finance Council members? 2. Are Archdiocesan best practices communicated

More information

DIXON MONTESSORI CHARTER SCHOOL FISCAL CONTROL POLICY

DIXON MONTESSORI CHARTER SCHOOL FISCAL CONTROL POLICY DIXON MONTESSORI CHARTER SCHOOL FISCAL CONTROL POLICY 1. Purpose The Dixon Montessori Charter School Board of Directors ( Board ) has reviewed and adopted the following policies and procedures to ensure

More information

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology 6G Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology TABLE OF CONTENTS Page Report on Internal Controls Related to Information Technology Network and Network Security 1

More information

Cash Receipts Internal Controls

Cash Receipts Internal Controls 3 3 Start If gift is stock If gift is credit card If gift is cash/check Mail opened, checks stamped FDO Community Foundation, totals logged & verified 1 Administrative Assistant & mail verifier Cash Receipts

More information

Guidelines for Congregations Internal Control Best Practices

Guidelines for Congregations Internal Control Best Practices Guidelines for Congregations Internal Control Best Practices A resource provided by the Office of the Treasurer of the Evangelical Lutheran Church in America Congregations should establish and maintain

More information

TOWN OF STRATFORD PURCHASING DEPARTMENT STRATFORD, CONNECTICUT REQUEST FOR PROPOSAL. Subject: Payroll Processing Services for Stratford Library

TOWN OF STRATFORD PURCHASING DEPARTMENT STRATFORD, CONNECTICUT REQUEST FOR PROPOSAL. Subject: Payroll Processing Services for Stratford Library TOWN OF STRATFORD PURCHASING DEPARTMENT STRATFORD, CONNECTICUT REQUEST FOR PROPOSAL RFP No. 2014-027 Issued: March 24, 2014 Subject: Payroll Processing Services for Stratford Library The Town of Stratford

More information

NONPROFIT FINANCIAL MANAGEMENT SELF ASSESSMENT TOOL

NONPROFIT FINANCIAL MANAGEMENT SELF ASSESSMENT TOOL NONPROFIT FINANCIAL MANAGEMENT SELF ASSESSMENT TOOL I. Financial Planning/Budget Systems 1. Organization has a comprehensive annual budget which includes all sources and uses of funds for all aspects of

More information

Cathay Business Online Banking

Cathay Business Online Banking Cathay Business Online Banking A QUICK GUIDE TO CATHAY BUSINESS ONLINE BANKING R6119 CATHAY 8_5x11 Cover V2.indd 1 6/11/13 5:50 PM Welcome Welcome to Cathay Business Online Banking (formerly known as Cathay

More information

The policy and procedural guidelines contained in this handbook are designed to:

The policy and procedural guidelines contained in this handbook are designed to: BASIC POLICY STATEMENT The Mikva Challenge is committed to responsible financial management. The entire organization including the board of directors, administrators, and staff will work together to make

More information

Dear Payroll Client, Thank you, Precision Payroll of America Team. Table of Contents

Dear Payroll Client, Thank you, Precision Payroll of America Team. Table of Contents At Your Service. Dear Payroll Client, It is that time of year again and year-end is upon us! This document is a crucial part of our fourth quarter and year-end processing which will guide you to a smooth

More information

Year End Guide 2015. At Your Service.

Year End Guide 2015. At Your Service. Year End Guide 2015 Precision Payroll of America (PPA) would like to take this opportunity to thank you for your business and to wish you a happy holiday season and a prosperous New Year. Please review

More information

INTERNAL CONTROL QUESTIONNAIRE OFFICE OF INTERNAL AUDIT UNIVERSITY OF THE VIRGIN ISLANDS

INTERNAL CONTROL QUESTIONNAIRE OFFICE OF INTERNAL AUDIT UNIVERSITY OF THE VIRGIN ISLANDS Cabinet Member or Representative responsible for completing this form: INSTRUCTIONS FOR COMPLETING THIS FORM: Answer each question by placing an X in the either the Yes, No,, or Applicable () column. Provide

More information

Paw Paw Public Schools. Business Office. Procedures Manual

Paw Paw Public Schools. Business Office. Procedures Manual Paw Paw Public Schools Business Office Procedures Manual Updated August 2013-1 - TABLE OF CONTENTS Section 1 General Section 2 Cash Management Section 3 Expenditures Purchasing Section 4 Expenditures Accounts

More information

BUSINESS ONLINE BANKING AGREEMENT

BUSINESS ONLINE BANKING AGREEMENT BUSINESS ONLINE BANKING AGREEMENT This Business Online Banking Agreement ("Agreement") establishes the terms and conditions for Business Online Banking Services ( Service(s) ) provided by Mechanics Bank

More information

INTERNET BANKING AGREEMENT & DISCLOSURE

INTERNET BANKING AGREEMENT & DISCLOSURE INTERNET BANKING AGREEMENT & DISCLOSURE This Agreement and Disclosure sets forth your and our rights and responsibilities concerning the use of our Internet Banking Product. In this Agreement, the words

More information

HOWARD UNIVERSITY POLICY

HOWARD UNIVERSITY POLICY HOWARD UNIVERSITY POLICY Policy Number: 300-001 Policy Title: ACCOUNTS PAYABLE: PAYMENTS TO VENDORS Responsible Officer: Chief Financial Officer Responsible Office: Office of the Chief Financial Officer

More information

FINANCIAL MANAGEMENT POLICIES AND PROCEDURES

FINANCIAL MANAGEMENT POLICIES AND PROCEDURES FINANCIAL MANAGEMENT POLICIES AND PROCEDURES SAMPLE 1. GENERAL PURPOSE The purpose of these policies is to establish guidelines for developing financial goals and objectives, making financial decisions,

More information

Members of the Civil Service Commission. Matt Doyle, Director of Human Resources Alex Souto, Human Resources Associate

Members of the Civil Service Commission. Matt Doyle, Director of Human Resources Alex Souto, Human Resources Associate CITY OF GLENDALE INTERDEPARTMENTAL COMMUNICATION DATE: October 12, 2011 TO: FROM: BY: Members of the Civil Service Commission Matt Doyle, Director of Human Resources Alex Souto, Human Resources Associate

More information

Product. Prologue Accounts Payable Automate Your Accounts Payable Processing

Product. Prologue Accounts Payable Automate Your Accounts Payable Processing Product Prologue Accounts Payable Automate Your Accounts Payable Processing Product The foundation of effective enterprise performance management is sound business intelligence intelligence that requires

More information

Please fax, email or snail mail all five pages back to us at the above as soon as possible or by May 17 th at the latest.

Please fax, email or snail mail all five pages back to us at the above as soon as possible or by May 17 th at the latest. Phone: 970.259.6960 Fax: 970.259.5331 2530 Colorado Ave, Suite 2B Durango, CO 81301 Email: [email protected] Hello Payroll Department Client: We need your signature! Attached you will find changes to

More information

MEMORANDUM INTERNAL CONTROL REQUIREMENTS FOR NON-PROFITS

MEMORANDUM INTERNAL CONTROL REQUIREMENTS FOR NON-PROFITS DIVISION OF CHILD CARE AND EARLY CHILDHOOD EDUCATION HEALTH AND NUTRITION UNIT P O BOX 1437, SLOT S 155 501-320-8982 FAX: 501-682-2334 TDD: 501-682-1550 TO: NON-PROFIT INSTITUTIONS FROM: HEALTH AND NUTRITION

More information

The Small Business Guide To Employment Taxes

The Small Business Guide To Employment Taxes The Small Business Guide To Employment Taxes Roanoke Regional Small Business Development Center 210 S. Jefferson Street Roanoke, VA 24011 www.roanokesmallbusiness.org Roanoke Small Business Development

More information

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3011. DIVISION: Finance & Administration. TITLE: Cash Operations Policy and Procedures. DATE: July 15, 2011

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3011. DIVISION: Finance & Administration. TITLE: Cash Operations Policy and Procedures. DATE: July 15, 2011 POLICY & PROCEDURE DOCUMENT NUMBER: 3.3011 DIVISION: Finance & Administration TITLE: Cash Operations Policy and Procedures DATE: July 15, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration

More information

3.B METHODOLOGY SERVICE PROVIDER

3.B METHODOLOGY SERVICE PROVIDER 3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting

More information

GENERAL PAYROLL CONTROLS Dates in scope:

GENERAL PAYROLL CONTROLS Dates in scope: GENERAL PAYROLL CONTROLS Risk # Risk Expected Control Step # Testing Documents/Info Needed 1 Unauthorized initial pay rate 2 Unauthorized/unsupported deductions (statutory deductions and benefits). Initial

More information

1. Storeroom supplies -- For items stocked in the Palmer storeroom, use the Requisition for Supplies Form.

1. Storeroom supplies -- For items stocked in the Palmer storeroom, use the Requisition for Supplies Form. DISBURSEMENT PROCESSES Millersville University uses the Accounts Payable module of Banner Finance System to process vendor payments. After payroll, payments for goods and/or services represent the second

More information

Payroll Direct Deposit

Payroll Direct Deposit 2011-A03 Program Evaluation and Audit Payroll Direct Deposit Process Review and Cost-Benefit 17 December 2010 INTRODUCTION Background The Council operates under a biweekly pay period system. The Metropolitan

More information

Senior Accountant Position Description Housing Resources Group (HRG)

Senior Accountant Position Description Housing Resources Group (HRG) Senior Accountant Position Description Housing Resources Group (HRG) Position Type: 40 hours per week, exempt Reports to: Controller Basic Responsibilities: Initiate, manage and assist with and complete

More information

SuccessWare 21 Online Class Curriculum

SuccessWare 21 Online Class Curriculum SuccessWare 21 Online Class Curriculum The following is a list of the classes that we currently offer our users in an online format. Each of the class consists of the stated number of 90 minute sessions.

More information

Performance Audit City s Payment Process

Performance Audit City s Payment Process Performance Audit City s Payment Process January 2013 City Auditor s Office City of Kansas City, Missouri 18-2011 Office of the City Auditor 21 st Floor, City Hall 414 East 12 th Street (816) 513-3300

More information

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014 The Practice of Internal Controls Cornell Municipal Clerks School July 16, 2014 Page 1 July 18, 2014 Cash Receipts (Collection procedures) Centralize cash collections within a department or for the local

More information

Solutions for Accounts Payable Process Optimization

Solutions for Accounts Payable Process Optimization Solutions for Accounts Payable Process Optimization ScerIS is your resource for Accounts Payable Process Optimization (APPO). We help clients do more at lower cost, in less time and with fewer people.

More information

for Sage 100 ERP Accounts Payable Overview Document

for Sage 100 ERP Accounts Payable Overview Document for Sage 100 ERP Accounts Payable Document 2012 Sage Software, Inc. All rights reserved. Sage Software, Sage Software logos, and the Sage Software product and service names mentioned herein are registered

More information

ACH Welcome Kit. Rev. 10/2014. Member FDIC Page 1 of 8

ACH Welcome Kit. Rev. 10/2014. Member FDIC Page 1 of 8 ACH Welcome Kit Rev. 10/2014 Member FDIC Page 1 of 8 Dear Customer, Thank you for utilizing FirstMerit s ACH services. We have finalized the setup of your ACH product and you may now begin processing ACH

More information

ASK THE EXPERTS. Customer Service

ASK THE EXPERTS. Customer Service Ask the Experts If you ve got payroll and tax filing questions, we ve got answers! Read through our list of frequently asked questions below or if you can t find what you re looking for, please send your

More information

MAC McCallick Accounting & Consulting 650 North Rose Drive #175 Placentia, Ca 92870 www.mac-cpa.biz 714-349-2502 www.nonprofit-connect.

MAC McCallick Accounting & Consulting 650 North Rose Drive #175 Placentia, Ca 92870 www.mac-cpa.biz 714-349-2502 www.nonprofit-connect. MAC McCallick Accounting & Consulting 650 North Rose Drive #175 Placentia, Ca 92870 www.mac-cpa.biz 714-349-2502 www.nonprofit-connect.com July 14, 2010 Phil Anthropy Sample Non-Profit 1100 Charity Way

More information

ADMINISTRATION AND FINANCE POLICIES AND PROCEDURES. INVOICE PROCESSING AND DISBURSEMENTS Revision Date: 1/24/2010 Reviewed 11/23/2013

ADMINISTRATION AND FINANCE POLICIES AND PROCEDURES. INVOICE PROCESSING AND DISBURSEMENTS Revision Date: 1/24/2010 Reviewed 11/23/2013 Chapter 8 ADMINISTRATION AND FINANCE POLICIES AND PROCEDURES INVOICE PROCESSING AND DISBURSEMENTS Revision Date: 1/24/2010 Reviewed 11/23/2013 TABLE OF CONTENTS 8.01 OVERVIEW OF CASH DISBURSEMENTS PROCESS..

More information

BANKOH BUSINESS CONNECTIONS WIRE TRANSFER GUIDE

BANKOH BUSINESS CONNECTIONS WIRE TRANSFER GUIDE BANKOH BUSINESS CONNECTIONS WIRE TRANSFER GUIDE Revision 2/2013 1 of 35 Contents GENERAL INFORMATION... 3 Wire Transfers... 3 Types of Wires... 3 Wire Templates... 3 Bankoh Business Connections Wire Cut-off

More information

Presbytery of Eastern Virginia Internal Control Manual Policy and Procedures

Presbytery of Eastern Virginia Internal Control Manual Policy and Procedures Presbytery of Eastern Virginia Internal Control Manual Policy and Procedures Revision 1, May 19, 2010 Page 1 of 12 List of Changes Date Revision Pages Affected Revision 1, May 19, 2010 Page 2 of 12 Introduction:

More information

City of Prineville Request for Proposal (RFP) RFP #1002-14-15 For Banking Services

City of Prineville Request for Proposal (RFP) RFP #1002-14-15 For Banking Services Request for Proposal (RFP) RFP #1002-14-15 For Banking Services January 2015 TABLE OF CONTENTS Introduction Page 3 Background Page 4 Proposal Procedures Page 5 Required Banking Services Page 6 Other Requirements

More information

User Guide. Microsoft Dynamics GP 10 Upgrade. Understanding and using new features and functionality within Dynamics GP 10

User Guide. Microsoft Dynamics GP 10 Upgrade. Understanding and using new features and functionality within Dynamics GP 10 User Guide Microsoft Dynamics GP 10 Upgrade Understanding and using new features and functionality within Dynamics GP 10 Version 3.7 (Spring 2009) Microsoft Dynamics GP 10 Upgrade Copyright Copyright 1997-2009

More information

Capaha Connect Business Online Banking Application and Agreement

Capaha Connect Business Online Banking Application and Agreement Capaha Connect Business Online Banking Application and Agreement 1. Client Information: Company Name: Company Phone #: Address: Company Tax ID #: City, State, Zip: Company Website: 2. Company Contact And

More information

M O N T H E N D / Q U A R T E R L Y / Y E A R E N D C H E C K L I S T S & P R O C E D U R E S ACCOUNTS RECEIVABLE ACCOUNTS PAYABLE

M O N T H E N D / Q U A R T E R L Y / Y E A R E N D C H E C K L I S T S & P R O C E D U R E S ACCOUNTS RECEIVABLE ACCOUNTS PAYABLE M O N T H E N D / Q U A R T E R L Y / Y E A R E N D C H E C K L I S T S & P R O C E D U R E S ACCOUNTS RECEIVABLE ACCOUNTS PAYABLE PAYROLL GENERAL LEDGER PROCOM SOLUTIONS, INC. OAKLAND CENTER 8980-A ROUTE

More information

2015 YEAR-END REFERENCE GUIDE AND CHECK LIST IMPORTANT TAX INFORMATION

2015 YEAR-END REFERENCE GUIDE AND CHECK LIST IMPORTANT TAX INFORMATION 2015 YEAR-END REFERENCE GUIDE AND CHECK LIST IMPORTANT TAX INFORMATION This document contains important information that is needed to ensure the accuracy of your W-2 s and other year-end tax returns. Please

More information

Lexis Back Office - Payroll. Getting Started

Lexis Back Office - Payroll. Getting Started Lexis Back Office - Payroll Getting Started ADP's Trademarks The ADP Logo is a registered trademark of ADP of North America. Third-Party Trademarks LexisNexis, Lexis, and the Knowledge Burst logo are registered

More information

BUSINESS ONLINE BANKING AGREEMENT

BUSINESS ONLINE BANKING AGREEMENT BUSINESS ONLINE BANKING AGREEMENT I. GENERAL DESCRIPTION OF AGREEMENT A. WHAT THIS AGREEMENT COVERS This Agreement between you and Santander Bank governs the use of our Business Online Banking service.

More information

PALOMAR COMMUNITY COLLEGE DISTRICT. Classification Title: Manager, Payroll

PALOMAR COMMUNITY COLLEGE DISTRICT. Classification Title: Manager, Payroll PALOMAR COMMUNITY COLLEGE DISTRICT Classification Title: Manager, Payroll Department: Payroll Staff Category: Administrative Association (Classified Administrator) FLSA Status: Exempt Salary Range: 55

More information

EagleBank Online Service Agreement and Electronic Funds Transfer Disclosure

EagleBank Online Service Agreement and Electronic Funds Transfer Disclosure EagleBank Online Service Agreement and Electronic Funds Transfer Disclosure No one from EagleBank will ever contact you in any form (fax, letter, email, phone call, etc.) and ask you to provide your online

More information

How To Pay A Bank Transfer At The University Of Central Florida

How To Pay A Bank Transfer At The University Of Central Florida ELECTRONIC FUNDS TRANSFER PROCEDURE MANUAL Effective Date: 7/1/2012 Updated: July 25, 2012 Contents Introduction... 1 Incoming EFTs:... 3 ACH/Wire Transfers received... 3 Outgoing EFTs... 3 Student Direct

More information

COMMUNITY EDUCATION Department Summary Transactions Summary Internal Controls of Cash Receipts

COMMUNITY EDUCATION Department Summary Transactions Summary Internal Controls of Cash Receipts COMMUNITY EDUCATION Department Summary Community Education provides quality programs and services for more than 25,000 residents of our community and beyond each year. Programs include Adult Education

More information

Audit of Cash Balances

Audit of Cash Balances Audit of Cash Balances Chapter 23 2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 23-1 Learning Objective 1 Show the relationship of cash in the bank to the various transaction

More information

Guide to Electronic Disbursement Controls for Payroll Purposes D C A. Community AFFAIRS. State of New Jersey Jon S.

Guide to Electronic Disbursement Controls for Payroll Purposes D C A. Community AFFAIRS. State of New Jersey Jon S. Guide to Electronic Disbursement Controls for Payroll Purposes D C A D E PA R T M E N T O F Community AFFAIRS State of New Jersey Jon S. Corzine, Governor Department of Community Affairs Charles A. Richman,

More information

Year End Closing Procedures for Sage 100 ERP. Martin & Associates

Year End Closing Procedures for Sage 100 ERP. Martin & Associates Year End Closing Procedures for Sage 100 ERP 2014 Martin & Associates Period End/Year End FAQs Page 1 of 2 Period End/Year End FAQs Home FAQs & Troubleshooting Show/Hide All Click a question below to

More information

Need help? The Accounts Payable Help Documentation is designed to make your Accounts Payable experience as efficient as possible.

Need help? The Accounts Payable Help Documentation is designed to make your Accounts Payable experience as efficient as possible. Need help? The Accounts Payable Help Documentation is designed to make your Accounts Payable experience as efficient as possible. All you have to do to navigate through this document is simply use the

More information

Remote Deposit Terms of Use and Procedures

Remote Deposit Terms of Use and Procedures Remote Deposit Terms of Use and Procedures Use of American National Bank Fox Cities (Bank) Remote Deposit service is subject to the following Terms of Use and Procedures. Bank reserves the right to update

More information

Service Agreement. UltraBranch Business Edition. alaskausa.org AKUSA 02952 R 05/15

Service Agreement. UltraBranch Business Edition. alaskausa.org AKUSA 02952 R 05/15 Service Agreement UltraBranch Business Edition Your savings federally insured to at least $250,000 and backed by the full faith and credit of the United States Government. National Credit Union Administration,

More information

Internal Control Systems

Internal Control Systems D. INTERNAL CONTROL 1. Internal Control Systems 2. The Use of Internal Control Systems by Auditors 3. Transaction Cycles 4. Tests of Control 5. The Evaluation of Internal Control Component 6. Communication

More information

2015 Year-End Guide & Reply Form

2015 Year-End Guide & Reply Form 2015 Year-End Guide & Reply Form To ensure the accuracy and timeliness of your W2s, Please complete and return the attached REPLY FORM by: Friday, December 4 th If you fill out this form and return it

More information

Introduction to Disbursement Services

Introduction to Disbursement Services Introduction to Disbursement Services Purpose Disbursement Services is a service unit within the University business organization, reporting to the Controller. The department's responsibility is to monitor,

More information

Stock Plan Administration in the Age of Sarbanes-Oxley. Compliance Considerations for Administrators

Stock Plan Administration in the Age of Sarbanes-Oxley. Compliance Considerations for Administrators White Paper Stock Plan Administration in the Age of Sarbanes-Oxley Compliance Considerations for Administrators The information published in this paper is of a general nature and is intended merely as

More information

August 2014 Report No. 14-043

August 2014 Report No. 14-043 John Keel, CPA State Auditor A Report on On-site Audits of Residential Child Care Providers Report No. 14-043 A Report on On-site Audits of Residential Child Care Providers Overall Conclusion Three of

More information