For the period of September 16, 2010 to September 15, 2011




SSAE 16 Type II SOC 1 Report on Pinnacle's Description of Its Payroll Processing System and on the Suitability of the Design and Operating Effectiveness of Its Controls

For the period of September 16, 2010 to September 15, 2011

Table of Contents

I. Independent Service Auditors' Report .... 1
II. Management's Assertion .... 3
III. Description of System Provided by Pinnacle
    Organization and Management .... 5
    Information and Communication .... 8
    Risk Assessment and Monitoring .... 8
    Transaction Processing .... 9
    Information Technology and Systems Security .... 18
    General Computer Controls .... 24
    Subservice Organizations .... 29
    Client Control Considerations .... 30
IV. Pinnacle's Control Objectives and Related Controls and Independent Service Auditor's Test of Controls and Results of Tests
    Purpose and Objectives of the Report .... 32
    Pinnacle's Control Objectives and Related Controls and Independent Service Auditor's Tests of Controls and Results of Tests .... 33

INDEPENDENT SERVICE AUDITORS' REPORT

C&J Associates, Inc. d/b/a Pinnacle Payroll Solutions

We have examined C&J Associates, Inc. d/b/a Pinnacle Payroll Solutions' ("Pinnacle") description of its payroll processing system for processing user entities' transactions throughout the period September 16, 2010 to September 15, 2011 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives in the description can be achieved only if complementary user entity controls contemplated in the design of Pinnacle's controls are suitably designed and operating effectively, along with the related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

Pinnacle uses a payroll software vendor, web payroll application provider, bank reconciliation application vendor, ACH processor, tax research software, and an online backup service to supplement its processes in the performance of its payroll processing system. The description on pages 5-35 includes only the controls and related control objectives of Pinnacle and excludes the control objectives and related controls of the subservice organizations. Our examination did not extend to controls of the subservice organizations.

On pages 3-4 of the description, Pinnacle has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description.
Pinnacle is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, specifying the control objectives, selecting the criteria, and designing, implementing and documenting controls to achieve the related control objectives stated in the description.

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period September 16, 2010 to September 15, 2011.

An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at pages 3-4. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing payroll transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

In our opinion, in all material respects, based on the criteria described in Pinnacle's assertion on pages 3-4,

a) the description fairly presents the payroll processing system that was designed and implemented throughout the period of September 16, 2010 to September 15, 2011.
b) the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period September 16, 2010 to September 15, 2011 and user entities applied the complementary user entity controls contemplated in the design of Pinnacle's controls throughout the period September 16, 2010 to September 15, 2011.

c) the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period September 16, 2010 to September 15, 2011.

The specific controls tested and the nature, timing and results of those tests are listed on pages 38-81.

This report, including the description of test of controls and results thereof on pages 38-81, is intended solely for the information and use of Pinnacle, user entities of Pinnacle's payroll processing system during some or all of the period of September 16, 2010 to September 15, 2011, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

Kansas City, Missouri
September 16, 2011

SECTION III. DESCRIPTION OF SYSTEM PROVIDED BY PINNACLE

Organization and Management

Pinnacle was formed in 1991 to provide outsourced payroll processing services. Pinnacle is located in Monterey, California. Pinnacle serves approximately 750 clients and pays over 35,000 client employees each month. Pinnacle is a Nevada Corporation and is owned by the President, who is active in the day-to-day operations. Collectively, the President and General Manager have approximately 37 years of Payroll and Accounting experience. The General Manager is an Enrolled Agent with the Internal Revenue Service.

Pinnacle consists of the following Departments:

- Sales/Marketing Department: Responsible for new client sales, client development, gathering initial new client information and marketing and sales materials.
- Payroll Operations Department: Responsible for receiving and processing payroll information, packaging and distribution of payroll documents, client service and creation, submission and verification of ACH files and expanding services to current clients.
- Implementation Department: Responsible for new client implementation and training.
- Tax/Accounting Department: Responsible for reconciliation of trust accounts, payment of taxes, submission of filings and review of new client tax information and reconciliation of prior tax liabilities/deposits.
- IT Department: Responsible for updating software and hardware, client installations, support for PC Input or Web clients and custom report writing and scripting.

Management's Philosophy and Operating Style

Pinnacle's management helps ensure that the company operates effectively and efficiently while remaining industry and client focused with special emphasis on Customer Service. The Owners and operating management have frequent interaction in both formal and informal settings. Pinnacle's management continuously emphasizes the importance of the payroll and tax processing function and its role in ensuring the reliability and confidentiality of client data.

Organizational Structure

An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Significant aspects of establishing an effective organizational structure include defining key areas of authority and responsibility and establishing appropriate lines of reporting. The following organizational chart illustrates Pinnacle's structure.

Pinnacle's managers and staff have many years of payroll experience. The General Manager is an Enrolled Agent with the Internal Revenue Service. The Operations Manager is deeply involved in the daily operations of the Payroll, Tax, Accounting, and IT departments and works closely with each employee. The General Manager provides counsel and oversight to the Operations Manager and independently monitors activities of all departments.

Each employee's position has responsibilities outlined by published job descriptions that provide general functions and specific duties. Each employee is given written expectations of the position. It provides a basis for employee reviews and accountability.

Integrity and Ethics

As an organization, Pinnacle is committed to acting ethically, responsibly and in compliance with the law. This commitment extends to all areas of the organization including service standards, confidentiality of client information and conflict of interest. The company depends not only on the skills, abilities and commitment of all its employees but also on their integrity and collective common sense.

Pinnacle is a long-standing member of the American Payroll Association and the Independent Payroll Providers Association.

Commitment to Competence

Competence should reflect the knowledge and skills required to accomplish tasks that define an individual's job. Through consideration of an entity's objectives and the strategies and plans for achievement of those objectives, management specifies the competence levels required for particular jobs and translates those levels into requisite knowledge and skills. The General and Operations Managers have analyzed and defined the tasks and knowledge requirements that comprise the positions within the organization. When making hiring decisions, they consider such factors as the extent to which individuals must exercise judgment and the extent of related supervision. Pinnacle management communicates this to personnel through the interview process, the establishment of performance and development plans, and through periodic meetings with personnel.

Hiring Practices and Human Resource Policies

The hiring process is formalized and documented on a new employee checklist. Candidates for employment are interviewed thoroughly by the Operations, Payroll, and IT managers. The General Manager interviews sales candidates and candidates for senior level positions; the President interviews all vetted candidates for senior positions within the organization. Personal reference checks, background checks, and credit checks are part of the hiring process.

New hires participate in a New Hire Orientation, which covers paperwork, benefits, job duties, and facilities. The candidate is given a 90-day introductory period, after which they are evaluated to determine whether their employment should be extended. Performance evaluations are given annually between August and September and are completed by September 30. Performance evaluations may be completed more often as needed.
Efforts are made by the managers to observe and reward appropriate employee actions and give immediate correction where needed. These rewards and corrections are recorded and used during the employee evaluations.

Internal Training

MPAY, SwipeClock, the Independent Payroll Providers Association and the American Payroll Association offer courses that are relevant to Pinnacle's operations. Pinnacle's managers and staff attend conferences and webinars for continuing education. Staff is well trained with many years of professional experience in their respective fields. Training is an ongoing process; managers regularly schedule classes, demos, and discussions for their employees.

Information is exchanged internally through emails, impromptu and regular managers' meetings and on a one-to-one basis between staff on a daily basis. Information sharing enhances the training of our staff and of our clients.

Confidentiality Agreement

All employees are required to review and sign Pinnacle's confidentiality statement prior to gaining access to client data. The statement provides staff with clear guidelines of their role in protecting client information. Neither Pinnacle nor its staff will share the information it possesses about its clients with any person or organization outside of Pinnacle without prior written permission of the parties involved. Management reviews the confidentiality guidelines with the staff regularly.

Information and Communication

Pinnacle utilizes various methods of communication to help ensure employees understand their individual roles and company controls, and to ensure significant events are communicated timely. Policy amendments, additions and/or changes are updated and distributed to each employee. Time sensitive information is communicated verbally and by email to all employees.

Pinnacle status meetings are held each week for a variety of purposes. A formal staff meeting is held monthly. The meetings are attended by management. Topics normally covered are company changes, new assignments, software changes, new clients and other payroll related issues that affect the operation of the organization. Employees are encouraged to discuss items they feel are important and offer suggestions.

Pinnacle communicates with clients by phone/email on a regular basis. In addition, notices are added to payroll package or sent through e-mail for important announcements or reminders. Where requested, clients are notified by email when a payroll process has been completed.

Risk Assessment and Monitoring

Pinnacle has placed into operation a process to identify and manage risks that could affect their ability to provide reliable payroll processing to clients. This process requires management to identify significant risks inherent in the processing of payroll data for clients and to implement appropriate measures to monitor and manage these risks. On a monthly basis management meets to discuss the risks the business is facing. These include various aspects of financial and technological risks.
In addition, the General Manager meets with the staff on a regular basis to discuss any outstanding issues pertaining to the functioning of the company.

All Pinnacle managers are responsible for monitoring the quality of internal control performance as part of their daily job functions. To assist them, a system of procedures, policies, checklists, logs and processes has been developed and implemented. Reviews are done at various levels to ensure accuracy. Standard reporting includes:

- Monthly Revenue and Statistics: The General Manager reviews this report monthly; it analyzes monthly revenue, client count, check count, and various metrics such as revenue per check, average checks per client, etc., and variances by month.
- Financial Statements: The President and General Manager team reviews the financial statements on a monthly basis in comparison to prior year and annual prepared budget.
- End of Day Scheduling Reports: The Payroll Manager and Distribution Specialists review the payroll processing schedule exceptions each afternoon before the ACH file is submitted, and the processed payrolls are compared to the schedule and delivery manifests to verify all clients are processed according to the mutually agreed upon schedule. Any exceptions are reviewed and resolved in a timely manner.
- Daily Audits and Monitoring: Pinnacle monitors the processing job queue for failures and warnings throughout the processing day. Appropriate personnel are notified to research and resolve each critical issue. In addition, automated system level monitoring is done at the database level. This includes monitoring for hourly rates that violate a maximum threshold. Critical level jobs are also monitored; specifically "Failed to Generate Tax Liabilities."

Fraud Prevention

Pinnacle has implemented a variety of fraud prevention controls to ensure the protection of its clients' information and funds. These controls are discussed throughout this report. The principal fraud prevention controls are:

- Restrictions are placed on user access to the payroll system, through user ID and password controls and system permissions, which restrict client information to authorized users and permit processing of data directly related to the employee job function.
- The use of pressure sealed check stock, which is kept under physical security at all times, with access restricted to authorized personnel.
- Secure HTTP connection and the use of a firewall to prevent unauthorized access to the file servers from outside the organization.
- Client documents are shredded after use or stored in secured areas to prevent unauthorized access to sensitive payroll information.
- Daily monitoring of service bureau bank accounts as well as the Positive Pay system to protect accounts from fraudulent banking activity.
- Credit checks completed on all new accounts that will have ACH transactions as part of their service.

Transaction Processing

The primary control objective of Pinnacle is to ensure that all transactions are properly initiated, authorized, recorded, processed, reported and maintained. These controls are evident in every aspect of the business. The core service areas of Pinnacle are payroll conversion, payroll processing, payroll distribution, ACH processing, tax compliance, information technology and systems security.
Pinnacle provides the majority of its clients with a full service payroll solution that includes Tax, Pay & File Service. A Tax Mini service level for clients electing to remit and file their payroll taxes directly is also offered. There are many optional services that are available and are identified below:

- Single Check Service: payroll checks are drawn on a Pinnacle trust account, Pinnacle handles all reconciliations.
- Employee Direct Deposit
- New Hire Reporting
- Agency and Third Party Check processing
- Delivery
- Additional State Tax Filing Jurisdictions
- General Ledger
- 401K Process Reports/Transmission
- Quarterly 941's, Annual 944, Annual 943, Annual 940, and Year-end W-2's
- Pay-as-you-Go Work Comp services

New Client Conversion

The Implementation Team is comprised of multiple departments including Implementation, Sales, Payroll Operations and Tax/Accounting. Beginning August 2011, all new client implementations are completed by the Implementation Team, which is comprised of the Client Implementation Manager, Client Implementation Coordinator, and the Client Implementation Specialist. The Implementation Team exists to ensure: 1) that the transition of payroll services is smooth, efficient, and error free, 2) all year to date wages are reconciled with both tax returns and tax payments, 3) the balancing and payment of tax liabilities is properly reconciled and communicated to the client, and 4) responsibility is established for the filing of all tax returns and communicated to the client.

Procedures and checklists are followed to ensure the conversion of new clients is complete and accurate. The team works with the client to ensure that all the information is received timely and is accurate and complete. They also work with the Payroll Specialists to train them on the specifics of the client, once the conversion is complete. The Client Implementation Manager works with the Special Projects Manager for all custom reports, imports, exports, or special scripting.

The Implementation Team follows specific procedures to ensure that all the client data is complete when received. A New Client Quick Profile Sheet and Client Analysis Form are completed by the Sales Department in conjunction with the client and provided to the Implementation Team with all signed agreements to facilitate the setup process.
The Client Implementation Coordinator and then, beginning in August 2011, the Client Implementation Manager reviews all client source documents to verify all earnings and deduction taxability, tax agencies, filing frequencies, tax rates and any other special needs the client may have. A credit risk analysis is performed on all new clients to determine eligibility for requested services before the implementation process is started.

The New Client Checklist form is used to systematically ensure that all the necessary client parameters and information are in place to properly process their payroll. Electronic data conversion programs are used whenever possible to maximize efficiency and to provide a very high degree of data integrity in the data conversion process. Standard procedures are in place to review the accuracy of the data and balance amounts. The online CRMLink application is used to supplement the New Client Checklist to ensure that all implementation tasks assigned to IT, Special Projects, and Tax Department personnel are completed on schedule.

Implementation Team members or members of the Payroll Operations Department complete a second person review of employee demographic and direct deposit information manually entered into Pinnacle's system against the source data provided by the client. Electronically imported employee demographic and direct deposit data are not subject to a second person review. The Implementation Team performs second person reviews on the quarter-to-date and year-to-date wage and tax amounts, tax service level and each taxing authority's filing frequency, account numbers, POA and EFT status against source data provided by the client. The Implementation Team members submit requests for tax EFT registrations for new clients to the Tax Department, which follows up with the client regarding necessary registration forms, POAs, and filing authorizations.
An Implementation Team member reviews the first payroll process and the output prior to packaging for distribution to the client, which is documented on the 1st Live Payroll Audit form and the New Client Checklist. The Client Implementation Manager works with the IT Department to schedule the installation and training of the M3 software and uploading the client database for the PC Input or Web Entry clients. The Operations Manager or Client Implementation Manager performs a final review of the setup documentation and checklists once the process is completed to verify accuracy and completeness.

Payroll Processing

The core operations at Pinnacle consist of a dedicated team of Payroll Specialists and a Payroll Manager to assist clients from 8:00 a.m. to 5:30 p.m. Pacific Standard Time, Monday through Friday. The Payroll Specialists are responsible for supporting clients, which includes keying payroll data, assisting PC input and web clients, balancing and submitting payrolls for processing.

All payroll processing jobs are initiated according to a schedule that was developed in conjunction with the client. To ensure payrolls are processed according to schedule, all Payroll Specialists are provided a daily processing schedule. This provides the Payroll Manager with a checklist to utilize in ensuring all scheduled payrolls are processed according to the schedule and to ensure that ACH transactions are processed in accordance with deadlines. The Payroll Specialists and Payroll Manager ensure jobs are scheduled and processed in accordance with established procedures.

Payroll schedule calendars listing the payroll check dates for the upcoming year are provided to the clients annually. The Payroll Manager or Operations Manager reviews the upcoming week's Schedule Report on Friday to verify appropriateness and determine staffing. The weekly review is documented on the Intranet Task scheduler. Daily Schedule Reports are printed and the weekly schedule is reviewed on the internal Intranet system that indicates the status of all scheduled payrolls for a given day. All clients are sent payroll processing reminder emails one day prior to their scheduled processing day.
Payroll Specialists initial the Daily Schedule Report as each payroll is submitted for processing throughout the day. The Payroll Manager and the Payroll Specialist review the Daily Schedule Report periodically during the day to update it for payrolls submitted via the web and PC input methods. The Payroll Manager or the Payroll Specialist reviews the Daily Schedule Report again at 3:00 p.m. Processing delays and changes are addressed and resolved with the assistance of the Payroll Manager to ensure compliance with delivery and ACH deadlines. All payrolls must be submitted by 3:30 p.m. At 4:00 p.m. the Payroll Manager audits the Daily Schedule Report to ensure all scheduled payrolls are processed according to the schedule so that ACH transactions are processed in accordance with deadlines.

Procedures are in place to ensure the payroll information is conveyed by an authorized representative of the client company. Clients submit their payroll data by PC Input (remote entry) or Web Input (payentry.com).

PC Input

The PC input method allows a client to enter payroll data into a client/server version of the M3 software that runs on the client's computer systems. The clients who use this method are responsible for all controls relating to the input, balancing, and submission of payroll data for processing.

With the PC input method, the M3 desktop application (the client portion of the M3 client/server application) is installed on one or more personal computer workstations at the client's site. The PC Input client logs into the M3 desktop application on the client's personal computer workstation using a unique user ID, and an associated user password. Once authenticated, the client enters company data, employee information and payroll data into the M3 desktop application. As the data is entered, it is stored in the client's M3 database. All changes to any data are logged along with the identity of the user who changed the data, the old and new values and the time the change was made.

When the client has entered all data for a payroll cycle, the client uses the M3 desktop application to submit the payroll for processing. After Pinnacle has received the payroll data, it processes the payroll for the client. Pinnacle does not perform any review of the data, unless there is an error during the processing, which is resolved with the client's assistance. After processing is complete, the results are returned to the client using the secure synchronization protocol developed by MPAY. After the processing results are returned to the client, the client can view payroll processing data using the M3 desktop application.

Web Input

The Web Input method allows a client to enter payroll data via a secure web interface, payentry.com, to the M3 software system and submit the payroll batch for processing.
The clients who use this method are responsible for all controls relating to the input, balancing, and submission of payroll data for processing.

The client logs into the payentry.com website using the client's company ID, a unique user ID, and an associated user password. After the client has logged in, the client then enters company data, employee information and payroll data using a browser interface to the M3 web application that runs on the payentry.com computer system. As the data is entered, it is stored in payentry.com's M3 database server. All changes to any data are logged along with the identity of the user who changed the data, the old and new values, and the time the change was made.

When the client has entered all data for a payroll cycle, the client uses the M3 web application to submit the payroll for processing. The payroll data is transmitted from payentry.com to Pinnacle. After Pinnacle has received the payroll data, it processes the payroll for the client. Pinnacle does not perform any review of the data, unless there is an error during the processing, which is resolved with the client's assistance. After processing is complete, the results are returned to payentry.com using the secure synchronization protocol developed by MPAY. After the processing results are returned to payentry.com, the client can view payroll processing data at payentry.com using the M3 web interface.

During payroll processing, the M3 software calculates gross wages, taxable wages, employee and employer taxes, deductions and net pay. These calculations are based upon information provided by the client and their employee. Checks, direct deposit vouchers and reports are created at the end of the payroll processing. Clients have the option of receiving FICA variance reports with each payroll for internal auditing purposes.

The Payroll Manager continuously monitors the payroll process for errors and will work to resolve the issue in a timely manner. All errors must be resolved to complete the processing. Discrepancies are discussed with the Payroll Specialists and used for future training purposes.

Payroll Distribution

All reports, checks and direct deposit vouchers are printed in a dedicated Packout Room. Access is limited to authorized Pinnacle personnel only. The Distribution Specialist is responsible for the distribution of each payroll. Procedures have been established for the production and distribution of payroll checks and reports. These procedures ensure that the checks and reports are produced and distributed completely, accurately and in accordance with client specifications.

The Distribution Specialist verifies that all scheduled payrolls were processed and packed out using the Daily Scheduling Report and the Processed Payrolls Report during the end of the day procedures. Late payroll transmissions are discussed with the Payroll Manager to determine if the processing and delivery of the payroll can be accomplished within the processing deadline. Payrolls that have been printed and not packaged and payrolls that have been packaged but not picked up by close of business are placed in a locked room overnight.

Checks and vouchers are printed on blank check stock that is specifically designed and printed with industry standard security protection. Some of the security features include an artificial watermark on the back of the check that can only be viewed at an angle to protect the document from scanner duplication and a micro-printed border that becomes distorted when duplicated. Once the payroll has been processed, the reports and checks are printed.
Packout Notes print as the first page of each processed payroll and provide the Distribution Specialist with client-specific packaging or delivery instructions. Each client receives a report package for each processed payroll, which includes the following standard reports (unless the client requests no reports or another form of electronic delivery):

1. Delivery Label
2. Payroll Summary Report
3. Check Register
4. Direct Deposit Report
5. Payroll Register
6. Fax Coversheet (if applicable)
7. Input Worksheet (if applicable)
8. 401k Report (if applicable)
9. General Ledger Report (if applicable)
10. Labor Distribution Report (if applicable)

The Distribution Specialist verifies the check count and prepares the package for delivery. The payroll is packaged according to the client's instructions and prepared for client pick-up, mailing, shipping or delivery. At the end of the day, the Distribution Specialist verifies the number of payroll packages by delivery method with the Processed Payroll report to ensure accuracy. Once all packages are accounted for they are mailed, shipped or placed in a secure location for pick-up or delivery at the designated pickup time respective to each delivery method. Beginning October 2010, Pinnacle utilizes OnTrac, Peninsula Messenger Service, Federal Express, UPS and the U.S. Mail delivery services. Packages that are held for client pickup are stored in a secure location, until such time as an authorized person signs for the package.

The Payroll Operations Department personnel have all been cross trained in the functions of the Packout Room and can assist should the need arise due to the absence of the Distribution Specialist or Payroll Manager and on excessively busy days.

Tax Deposits, Filings and Compliance

Pinnacle has a full service tax-filing department that generates agency approved federal, state and local tax returns and payments. Formalized procedures are in place to provide reasonable assurance that the appropriate tax filings are complete, accurate and timely. Pinnacle does not remit client tax depositories when the client fails to fully fund ACH debit transfers.

The following reports are generated to manage the tax payment process:

- Tax Deposit by Due Date Report is used in conjunction with Pinnacle's Intranet monitoring system to show all pending tax payments due for a specific day. The Intranet system is monitored daily and the Tax Deposit by Due Date Report is run on a semi-weekly schedule. The report is generated by the Tax Manager and is compared against the actual M3 created EFT transaction files that have been processed by the EFTPS and Metavante tax payment systems for accuracy. The Accounting Manager reviews the Tax Department's daily payments that cleared the bank with the Tax Deposit by Due Date report to ensure accuracy. Any discrepancies are resolved immediately.
- 100,000 Deposit Threshold: this report identifies any clients that have exceeded the next day $100,000 filing requirement. This report is run on a daily basis by the Tax and Operations Managers. The report covers the Federal semi-weekly filing schedule. Monday and Tuesday are combined, as well as Wednesday, Thursday, and Friday due dates. The report also provides the Tax Department the opportunity to identify Parent/Child client organizational scenarios and verify that next day payments are made.
- Negative Taxable Wage Report and FICA Audit Reports: quarterly the Tax Department generates these reports for all clients to ensure the accuracy of the data on the tax returns. All variances and discrepancies are researched and resolved.
- Tax Analysis Report: generated in VeriFund after the quarterly payments are made, the Accounting Department uses this report to identify any negative or positive balances in each client's account. This process ensures that all liabilities have been paid and collected. In addition, the VeriFund Tax Variance Reports are generated for each client verifying tax liabilities impounds and tax payments made.
- Missing FITW Deposits Report: this report, developed in November 2010, identifies any clients with outstanding liabilities for a semi-weekly or monthly deposit period where a corresponding tax deposit was not generated by M3. This report is automatically run and emailed to the Tax Manager and Operations Manager on a semi-weekly and monthly basis to identify clients that must have manual tax deposits generated and remitted. Any discrepancies are researched and resolved immediately.

Payments for Federal, State and Local taxes are remitted electronically for most agencies supporting electronic funds transfer via ACH debit. The transaction files are generated from M3's EFT Debit Warehouse by the Tax Manager two business days prior to the settlement due date. Any payments that are not able to be remitted via EFT are paid by check. Checks and coupons are mailed one business day prior to the due date. Copies of tax checks and coupons are stored electronically.

The quarterly reporting process is tracked and monitored through the use of the Quarterly Checklist which is initialed and dated each step of the process to ensure all returns have been completed accurately and filed. A Quarterly Completion log is generated based on the current Tax Jurisdiction Report and is used to ensure all quarterly returns are accounted for. The Operations Manager does a final review and signoff of the Quarterly Checklist to ensure that all steps have been completed.

Several reports are generated in M3 and VeriFund to ensure the accuracy and completeness of the quarterly and annual returns prior to processing, such as the FICA Audit Reports, Negative Taxable Wage Reports, Tax Analysis Report, Tax Variance Reports, and Employer SUI Liability Audit Reports. Quarterly and annual return processes are performed after data integrity testing.

The quarter end procedures also include the tax audits built into the M3 software. M3 performs audits on all Annual Reconciliations, all SUI returns, and the 941 returns. These audits are programmed into M3 and Pinnacle does not have the ability to modify the process. For the annual reconciliations, if a company does not balance (i.e. liabilities do not equal deposits) an error is generated and the form will not print until the company is in balance.
For the SUI returns, if a difference greater than $0.05 is found between the calculated amount due on a return and the liability amount from the actual processed payrolls from the quarter in the M3 Payroll Manager, a warning is issued but the return will still print. For the 941, if lines 7a or 7c contain any amounts, a warning will appear but the form will still print, allowing the user to troubleshoot the issue. The 941 audit will also look to see if the Schedule B contains any negative dollar amounts. M3 will also determine whether there is a proper EIN number stored in the company setup. These audits generally return errors and prevent forms from printing because there are either scan lines or barcodes on the form that rely on having a valid EIN in the system for that tax code. The M3 audits will always run prior to running any copy of a return even if the Tax Department fails to initiate the audits in M3.

The quarter end process produces the quarterly tax returns as required by government agencies at the federal, state and local level, such as the 941. Annual processing and verification procedures produce additional annual tax reports as required by government agencies at the federal, state, and local level. These reports include employer and employee forms W-2, employer forms W-3 and forms 940, 943, and 944. In addition, files are generated that contain employer W-2 and W-3 information for transmission to the Social Security Administration for subsequent processing.

During the new client implementation process, client specific tax rates, such as state unemployment insurance rates, are entered into the M3 payroll software for each client based on client provided information. Clients are required to provide unemployment tax rates during the implementation process and to provide any changes to those rates on an ongoing basis since taxing authorities notify clients, not Pinnacle, when rates change. The Tax Department is responsible for verifying account numbers, rates and frequencies for new clients during the implementation process. New Client Checklists, which list all the tax items that a second person must verify, are used for each new client. An Implementation Team member logs tasks into the CRM system that the Tax Department must complete for all new client implementations. The Tax Department completes the items and updates the CRM system, which notifies the Implementation Team member, who then updates the New Client Checklist.

VeriFund is a reconciliation program licensed by Pinnacle from ECCA. VeriFund is designed to categorize, reconcile and analyze payroll, bank and EFTPS transactions. Pinnacle uses VeriFund to reconcile all debits and credits in all service bureau bank accounts used in processing clients' payrolls. In addition, Pinnacle uses VeriFund to monitor and verify that all tax liabilities are paid by EFT or check by importing bank account activity and M3 transactions daily. Pinnacle does not have access to modify the source code of VeriFund and relies on ECCA to support and update the application.

Pinnacle contracts the maintenance of the source code and tax tables in the Millennium system to MPAY. MPAY provides periodic updates to the M3 tax tables and rates from federal, state and local taxing authorities. In addition, Pinnacle maintains a subscription with the American Payroll Association (APA), an organization specializing in payroll compliance, which provides research information and electronic libraries. Management receives updates regarding the latest tax changes and disseminates them to all employees.

ACH Processing

Automated Clearing House (ACH) files are created each day after 4:00 p.m. by the Payroll Manager or the Operations Manager.
The ACH files will collect and disburse billing, taxes, direct deposit and trust account funds resulting from payroll processes. Formalized procedures are in place for the creation, transmission and verification of ACH files. Pinnacle contracts with Cachet Banq to perform the warehousing and transmission of ACH entries, subject to the National Automated Clearing House Association (NACHA) rules.

The following types of transactions are included in the ACH file creation process:

- Direct deposit to the individual bank accounts belonging to the client employees;
- Transfers from the client's bank account to Pinnacle's bank account to fund: payroll and agency checks not drawn on a client's bank account, direct deposits, payroll taxes, and fees charged to clients for payroll services; and
- Flexible benefits payments and child support payments.

In order for Pinnacle to provide ACH services for a client, the client must sign agreements giving Pinnacle authorization to debit/credit the client's bank account. Pinnacle has also designed a Direct Deposit Authorization form for the use of its clients' employees. The form gives authorization for the deposit of credit transactions to accounts listed on the form. It also gives permission to withdraw any credits mistakenly sent by debiting the same account. Clients are advised to retain copies of these forms in the employee's personnel file. Clients are trained to receive voided checks from the employee to verify the transit and account number of the account receiving the payroll funds. If the client is a PC Input or web entry client, they are trained as to the proper setup of the direct deposit accounts. M3 will warn the user of transit numbers that are incorrect according to the Federal Reserve Bank algorithms.

The Payroll Manager verifies that all clients processed during the production day are accounted for on the day's ACH submission by reviewing the Daily Schedule Report against the ACH Warehouse in M3. All processed clients for the day are accounted for and any discrepancies are resolved prior to the creation or submission of ACH files.

The Payroll Manager or Operations Manager generates ACH files by using the M3 ACH Warehouse Utility and prints a detail ACH Transaction Report. All M3 created ACH files are logged on the Daily ACH Transmission Log. The log entry for each ACH file includes the file name, total amount, transaction count, status of the file, and person submitting and confirming the file to Cachet Banq. File(s) are uploaded through the Cachet Banq secured internet site. Once the files are uploaded to the Cachet Banq site, transaction counts and batch totals are verified against the M3 ACH Transaction Report and are approved for processing by the Payroll Manager or Operations Manager. Effective September 1, 2011, Pinnacle configured the Cachet website so that the person uploading the file cannot approve the file and essentially release it for processing, thus requiring a two person approval process.

Upon receipt of the files, Cachet Banq will notify the Payroll Manager, Accounting Manager, and Operations Manager via email of totals received by file. The Accounting Manager or Operations Manager as backup confirms the file totals per the M3 ACH Transaction Report and the totals per the Cachet Banq confirmation email for accuracy and completeness. Cachet Banq warehouses and sends the NACHA transmission to the appropriate banks on the clients' behalf to ensure the funds are released in a timely manner.
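The pre-release checks described above (transit number validation, transaction count and batch total verification against the M3 ACH Transaction Report, and the two person upload/approve rule) can be expressed as one gate; this is an added example, not code from Pinnacle, MPAY or Cachet Banq. It assumes the "Federal Reserve Bank algorithms" mean the standard ABA 3-7-1 check digit, and all function names, user IDs and sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    routing: str     # 9-digit transit (routing) number
    account: str
    amount: Decimal  # Decimal keeps batch totals exact


@dataclass(frozen=True)
class ControlTotals:
    count: int
    amount: Decimal


def routing_checksum_ok(rtn: str) -> bool:
    """ABA check digit (assumed to be the page's 'Federal Reserve Bank
    algorithm'): the 3-7-1 weighted digit sum must be a multiple of 10."""
    if len(rtn) != 9 or not (rtn.isascii() and rtn.isdigit()):
        return False
    weights = (3, 7, 1) * 3
    return sum(w * int(c) for w, c in zip(weights, rtn)) % 10 == 0


def control_totals(entries) -> ControlTotals:
    """Transaction count and batch total computed from the file itself."""
    total = sum((e.amount for e in entries), Decimal("0"))
    return ControlTotals(len(entries), total)


def release_findings(entries, report, uploaded_by, approved_by):
    """Return blocking findings; an empty list means the file may be released."""
    findings = []
    for i, e in enumerate(entries, 1):
        if not routing_checksum_ok(e.routing):
            findings.append(f"entry {i}: routing number fails check digit")
    actual = control_totals(entries)
    if actual.count != report.count:
        findings.append(f"count {actual.count} != report {report.count}")
    if actual.amount != report.amount:
        findings.append(f"amount {actual.amount} != report {report.amount}")
    # Two-person rule: the uploader may not approve their own file.
    if not approved_by.strip():
        findings.append("no approver recorded")
    elif approved_by.strip().lower() == uploaded_by.strip().lower():
        findings.append("uploader and approver are the same person")
    return findings


def log_entry(file_name, entries, uploaded_by, approved_by, findings):
    """One transmission-log row with the fields the page lists."""
    t = control_totals(entries)
    return {
        "file_name": file_name,
        "total_amount": str(t.amount),
        "transaction_count": t.count,
        "status": "held" if findings else "released",
        "submitted_by": uploaded_by,
        "confirmed_by": approved_by,
    }


# Constructed sample data: routing numbers chosen only to satisfy the checksum.
SAMPLE = [
    Entry("123456780", "000111", Decimal("1500.00")),
    Entry("987654320", "000222", Decimal("2000.50")),
    Entry("555555550", "000333", Decimal("750.25")),
]
REPORT = ControlTotals(3, Decimal("4250.75"))  # totals from the printed report

if __name__ == "__main__":
    for approver in ("opsmgr", "pmgr"):
        found = release_findings(SAMPLE, REPORT, "pmgr", approver)
        print(log_entry("ach_sample.txt", SAMPLE, "pmgr", approver, found), found)
```

The check digit only catches mistyped transit numbers; it does not show that the account exists or belongs to the employee, which is why the voided check and pre-note steps remain separate controls.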
Cachet Banq also generates reports that provide notification of changes and returns. The Payroll Manager reviews the reports as received. Pre-note direct deposit changes are distributed to the assigned Payroll Specialist for resolution with the client. The Payroll Manager contacts the client in any case of monies being returned. The returns may be caused by an employee closing an account and failing to notify the payroll contact and by invalid routing or account numbers. In the case of an NSF, the risk is evaluated. The client is notified immediately of any NSF and payment arrangements are made. Steps are immediately taken by management to mitigate any potential loss to Pinnacle.

Finance and Administration

Procedures and checklists are used to ensure the direct deposit, tax impound and trust funds are properly accounted for and the bank accounts are reconciled daily using VeriFund. All payroll transaction funds are collected via Automated Clearing House (ACH). Separate withdrawals are sent to collect billing, tax, direct deposit and trust funds from the client. Billing transactions post to a separate operating account.

The VeriFund application automates the reconciliation process by importing banking and M3 files and matching transactions to the processed payroll data. All bank accounts are reconciled daily by the Accounting Manager and reviewed by the President. The General Manager reviews the month end bank reconciliations. The Accounting Manager utilizes the VeriFund application to perform the reconciliation process. Transactions are downloaded daily from the bank and M3 and balanced once imported with the source documents. Any exceptions are corrected in a timely manner.

Several VeriFund reports are run on a routine basis during the tax account reconciliation process to ensure accuracy and completeness, such as:

- Tax Collection Report is run daily and shows liabilities and amounts collected per client. A review of this report ensures that Pinnacle has collected adequate funds to pay the clients' tax liabilities.
- Tax Payment Report is run after the Wednesday and Friday federal tax deposits are made. A comparison of the liabilities and payments assists in determining if the proper payments were applied.
- Tax Analysis Report is run quarterly after the FUTA and SUI payments have been made. This shows all tax liabilities, payments and collections. The variances are investigated to determine the cause and if any action is needed.
- Balancing Sheet is run for all bank accounts. It shows the sweep account balance attributable to that account and the bank balance. The sum of these two added to the client variance total is compared to the sum of the outstanding checks and other items and they should be equal.
- Extended Variance Report shows liabilities, ACH transactions, total collected, uncollected, payments made, unpaid amounts, and amounts warehoused. These total the client variance and this detail should match the amount on the Balancing Sheet Report. Also the warehouse total should be the same as the outstanding other items total on the Balancing Sheet Report.
- The Outstanding Checks Report is simply a listing of all outstanding checks for that particular bank account and should match the amount on the balancing sheet for outstanding other. It is used to identify old stale dated checks that need to be investigated to determine if they should be refunded to client.

Another option for clients is the Positive Pay trust account services ("Single Check Service").
Clients who utilize this service are debited for the full amount of net payroll checks and then the individual net payroll checks are drawn on Pinnacle's Positive Pay trust account. Each day a file containing Payee, Amount, Check Number, and Check date is uploaded to Rabobank's Metavante Positive Pay online system. Rabobank/Metavante validates each item at time of presentation. The Accounting Manager, Operations Manager and Payroll Manager are notified of any exceptions by email. All exceptions are researched. Pinnacle replies to Rabobank by 11:00 AM to either approve or deny the exception items.

Several VeriFund reports are run on a routine basis during the Positive Pay trust account reconciliation process to ensure accuracy and completeness, such as: Outstanding Checks, Outstanding Other Items and the Balancing Sheet.

Information Technology and Systems Security

Pinnacle provides technological solutions to its clients and understands the critical and sensitive nature of the data transmitted on a daily basis. Physical access to computer equipment and storage media is restricted to properly authorized individuals. Current technology is employed to ensure that data is secure and that appropriate access to information is given only to authorized users. Access to the M3 payroll software is restricted based on job function.

The Computer Systems Manager is responsible for initiating the implementation of all network changes and M3 updates. Procedures are in place to review, test, approve and properly implement the software vendor supplied changes to existing software.