Report on Payroll Associates, LLC’s (d/b/a
“PayChoice”) Description of its Information
Technology Support System and on the
Suitability of the Design of Controls
As of May 15, 2013
(Prepared pursuant to Statement on Standards for Attestation Engagements No. 16 –
Reporting on Controls at a Service Organization)
SOC 1 – Type I
Payroll Associates, LLC
IS Partners, LLC
SSAE 16 Type I - Confidential
This report is not to be copied or reproduced
in any manner without the expressed written
approval of Payroll Associates, LLC. The
report, including the title page, table of
contents, and exhibits, constitutes the entire
report and should be referred to only in its
entirety and not by its component parts. The
report contains proprietary information and
is considered confidential.
TABLE OF CONTENTS
I. INDEPENDENT SERVICE AUDITOR’S REPORT
II. SERVICE ORGANIZATION’S ASSERTION
II-A. SUBSERVICE ORGANIZATION’S ASSERTION
III. DESCRIPTION OF SERVICE ORGANIZATION’S SYSTEM
A) Overview of Operations 10
B) Description of Relevant Processes 16
C) Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls 24
D) Scope and Applicability of the Report 26
E) Complementary User Entity Controls 27
IV. INDEPENDENT SERVICE AUDITOR'S DESCRIPTION OF CONTROLS 28
V. ADDITIONAL INFORMATION PROVIDED BY THE
INDEPENDENT SERVICE AUDITOR
A) Introduction 35
B) Responsibilities of the Independent Service Auditor 36
C) Consideration of Relevant Aspects of Internal Control 37
I. INDEPENDENT SERVICE AUDITOR’S REPORT
To Management of Payroll Associates, LLC:
We have examined Payroll Associates, LLC’s (“PAI” d/b/a “PayChoice”) description of the
information technology support system, and DBSi’s (“DBSi”) description of certain aspects
of the colocation services system for processing user entities’ transactions of Payroll
Associates, LLC as of May 15, 2013, and the suitability of the design of PAI’s and DBSi’s
controls to achieve the related control objectives stated in the description. DBSi is an
independent service organization that provides colocation services to PAI. PAI’s description
includes a description of DBSi’s colocation services used by PAI to process transactions for
its user entities, as well as relevant control objectives and controls of DBSi. The description
indicates that certain control objectives specified in the description can be achieved only if
complementary user entity controls contemplated in the design of PAI’s controls are suitably
designed and operating effectively, along with related controls at the service organization.
We have not evaluated the suitability of the design and operating effectiveness of such
complementary user entity controls.
In sections II and II-A of this report, PAI and DBSi, respectively, have provided their
assertions about the fairness of the presentation of the description and suitability of the
design of the controls to achieve the related control objectives stated in the description. PAI
and DBSi are responsible for preparing the description and for the assertion, including the
completeness, accuracy, and method of presentation of the description and the assertion,
providing the services covered by the description, specifying the control objectives and
stating them in the description, identifying the risks that threaten the achievement of the
control objectives, selecting the criteria, and designing, implementing, and documenting
controls to achieve the related control objectives stated in the description.
Our responsibility is to express an opinion on the fairness of the presentation of the
description and on the suitability of the design of the controls to achieve the related control
objectives stated in the description, based on our examination. We conducted our
examination in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform our
examination to obtain reasonable assurance about whether, in all material respects, the
description is fairly presented and the controls were suitably designed to achieve the related
control objectives stated in the description as of May 15, 2013.
An examination of a description of a service organization’s system and the suitability of the
design of the service organization’s controls to achieve the related control objectives stated in
the description involves performing procedures to obtain evidence about the fairness of the
presentation of the description of the system and the suitability of the design of those controls
to achieve the related control objectives stated in the description. Our procedures included
assessing the risks that the description is not fairly presented and that the controls were not
suitably designed to achieve the related control objectives stated in the description. An
examination engagement of this type also includes evaluating the overall presentation of the
description and the suitability of the control objectives stated therein, and the suitability of
the criteria specified by the service organization and described in PAI’s assertion and DBSi’s
assertion, in sections II and II-A, respectively, of this report.
We did not perform any procedures regarding the operating effectiveness of the controls
stated in the description and, accordingly, do not express an opinion thereon. We believe that
the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our
opinion.
Because of their nature, controls at a service organization or subservice organization may not
prevent, or detect and correct, all errors or omissions in processing or reporting transactions.
Also, the projection to the future of any evaluation of the fairness of the presentation of the
description, or any conclusions about the suitability of the design of the controls to achieve
the related control objectives, is subject to the risk that controls at a service organization or
subservice organization may become ineffective or fail.
In our opinion, in all material respects, based on the criteria described in PAI’s and DBSi’s
assertions in sections II and II-A, respectively, of this report,
a. the description fairly presents PAI’s and DBSi’s information technology
support system used by PAI to process transactions for its user entities that was
designed and implemented as of May 15, 2013, and
b. the controls related to the control objectives of PAI and DBSi stated in the
description were suitably designed to provide reasonable assurance that the
control objectives would be achieved if the controls operated effectively as of
May 15, 2013, and user entities applied the complementary user entity controls
contemplated in the design of PAI’s controls as of May 15, 2013.
This report is intended solely for the information and use of PAI, user entities of PAI’s
information technology support system as of May 15, 2013, and the independent auditors of
such user entities, who have a sufficient understanding to consider it, along with other
information, including information about the controls implemented by user entities
themselves, when obtaining an understanding of user entities' information and
communication systems relevant to financial reporting. This report is not intended to be and
should not be used by anyone other than those specified parties.
May 30, 2013
IS Partners, LLC
Horsham, Pennsylvania
II. SERVICE ORGANIZATION'S ASSERTION
We have prepared the description of Payroll Associates, LLC’s (PAI) information technology
support system as of May 15, 2013, and their user auditors who have a sufficient understanding
to consider it, along with other information including information about controls implemented
by user entities themselves, when obtaining an understanding of user entities' information and
communication systems relevant to financial reporting. We confirm, to the best of our
knowledge and belief, that
a. the description fairly presents the information technology support system made
available to user entities of the system as of May 15, 2013 for processing their
transactions. PAI uses a service organization, DBSi, to provide colocation services
for certain aspects of its information technology support system. Section IV of the
description presents PAI’s control objectives and related controls, as well as DBSi’s
control objectives and related controls. DBSi’s assertion is presented in section II-
A. The criteria we used in making our assertion were that the description
i. presents how the system made available to user entities of the system was
designed and implemented to process relevant transactions, including:
1. the types of services provided, including as appropriate, the
classes of transactions processed.
2. the procedures, within both automated and manual systems, by
which those transactions are initiated, authorized, recorded,
processed, corrected as necessary, and transferred to the reports
presented to user entities of the system.
3. the related accounting records, supporting information, and
specific accounts that are used to initiate, authorize, record,
process, and report transactions; this includes the correction of
incorrect information and how information is transferred to the
reports provided to user entities of the system.
4. how the system captures and addresses significant events and
conditions, other than transactions.
5. the process used to prepare reports or other information provided
to user entities of the system.
6. specified control objectives and controls designed to achieve those
objectives, including as applicable, complementary user entity
controls contemplated in the design of the service
organization’s controls.
7. other aspects of our control environment, risk assessment process,
information and communication systems (including related
business processes), control activities, and monitoring controls
that are relevant to processing and reporting transactions of user
entities of the system.
ii. does not omit or distort information relevant to the scope of the information
technology support system, while acknowledging that the description is
prepared to meet the common needs of a broad range of user entities of the
system and the independent auditors of those user entities, and may not,
therefore, include every aspect of the information technology support system
that each individual user entity of the system and its auditors may consider
important in its own particular environment.
b. the controls related to the control objectives stated in the description were
suitably designed as of May 15, 2013 to achieve those control objectives. The
criteria we used in making this assertion were that
i. the risks that threaten the achievement of the control objectives stated in the
description have been identified by the service organization.
ii. the controls identified in the description would, if operating as described,
provide reasonable assurance that those risks would not prevent the control
objectives stated in the description from being achieved.
Where Business Critical Technology Survives™
DBSi 3949 Schelden Circle Bethlehem, PA 18017 610.691.8811 www.dbsintl.com
II-A. SUBSERVICE ORGANIZATION’S ASSERTION
We have prepared the description of aspects of DBSi’s colocation services system for
Payroll Associates, LLC (PAI) and user entities of PAI’s information technology support
system as of May 15, 2013, and their user auditors who have a sufficient
understanding to consider it, along with other information including information
about controls implemented by user entities themselves, when obtaining an understanding
of user entities’ information and communication systems relevant to financial reporting.
We confirm, to the best of our knowledge and belief, that
a. the description fairly presents the aspects of DBSi’s colocation services system
made available to PAI and user entities of PAI’s system as of May 15, 2013
for processing their transactions. The criteria we used in making this assertion
were that the description
i. presents how the system made available to PAI and user entities of
PAI’s information technology support system was designed and
implemented to process relevant transactions, including
1. the types of services provided, including as appropriate, the
classes of transactions processed.
2. the procedures, within both automated and manual systems, by
which those transactions are initiated, authorized, recorded,
processed, corrected as necessary, and transferred to the reports
presented to user entities of the system.
3. the related accounting records, supporting information, and
specific accounts that are used to initiate, authorize, record,
process, and report transactions; this includes the correction of
incorrect information and how information is transferred to the
reports provided to user entities of the system.
4. how the system captures and addresses significant events and
conditions, other than transactions.
5. the process used to prepare reports or other information provided
to user entities of the system.
6. specified control objectives and controls designed to achieve
those objectives, including as applicable, complementary user
entity controls contemplated in the design of the service
organization’s controls.
7. other aspects of our control environment, risk assessment process,
information and communication systems (including related
business processes), control activities, and monitoring controls
that are relevant to processing and reporting transactions of user
entities of the system.
ii. does not omit or distort information relevant to the scope of the
information technology support system, while acknowledging that the
description is prepared to meet the common needs of a broad range of
user entities of the system and the independent auditors of those user
entities, and may not, therefore, include every aspect of the information
technology support system that each individual user entity of the
system and its auditors may consider important in its own particular
environment.
b. the controls related to the control objectives stated in the description that
relate to aspects of DBSi’s colocation services system made available to PAI
were suitably designed as of May 15, 2013 to achieve those control objectives.
The criteria we used in making this assertion were that
i. the risks that threaten the achievement of the control objectives stated in
the description have been identified by the service organization.
ii. the controls identified in the description would, if operating as described,
provide reasonable assurance that those risks would not prevent the control
objectives stated in the description from being achieved.
III. DESCRIPTION OF SERVICE ORGANIZATION’S SYSTEM
A) Overview of Operations
Company Profile and History
Payroll Associates, LLC (PAI), d/b/a “PayChoice”, is a wholly-owned subsidiary of PAI
Group, Inc., the holding company for Payroll Associates, LLC and PAI Services, LLC.
Payroll Associates, LLC provides payroll technology and related services to independent
payroll service providers (Licensees). PAI Services, LLC provides payroll processing,
tax administration, etc., to small and medium sized companies throughout the United
States.
PAI was founded in 1990 and is headquartered in Moorestown, New Jersey. It maintains
operational hubs in Boston, Massachusetts, Elkhart, Indiana, Charlotte, North Carolina
and Dallas, Texas. In addition, as outlined below, PAI supports 10 payroll branches and
approximately 180+ Licensees throughout the United States.
PAI provides its services to its customers through the following two complementary
business units:
The software division, Payroll Associates, LLC, which provides the payroll technology
and related services, and PAI Services, LLC which provides the payroll processing, tax
and related human resources services (collectively referred to herein as Payroll Services).
Management Team
PayChoice understands the importance of having the right people in the right roles. The
Senior Management Team provides the foundation from which leadership, direction and
passion are built. The Senior Management Team is comprised of the following
individuals:
Executive Leadership
Bill Scott, Chairman
Mr. Scott led the effort to acquire Payroll Associates, LLC, and to purchase the
Payroll Associates’ software licensees who desired to join in the creation of
PayChoice. Under his leadership, PayChoice grew from 40 employees to more than
350 and was recognized by the Inc. 5000 as one of the fastest growing companies in
America. Bill is also the former Chief Executive Officer of InterPay, Inc. From 1987
to 2000, Bill grew InterPay from 70 employees and 2,000 clients to more than 685
employees and nearly 30,000 clients. At the time of its ultimate sale to Fleet Bank
(purchased by Bank of America), InterPay was the fifth largest payroll processing
company in the US. In 2003, InterPay was sold to Paychex for $185 million.
Robert Digby, Chief Executive Officer
As CEO of PayChoice, Robert is responsible for the overall leadership of the software
and service bureau divisions. He brings to the position more than 20 years of payroll,
HR and benefits industry expertise, with proven operational success in leading high-
performance organizations and customer centric service organizations. He is the
former President of RSM McGladrey Employer Services, the payroll, HR and benefit
service company of RSM McGladrey / H&R Block. Robert also held senior
leadership roles during his 15 year career at Ceridian, including President of
PowerPay Internet small business payroll division, Senior VP of Marketing and
Senior VP of Sales / Client Services for Ceridian Corporation. While at Ceridian, he
also directed a national sales organization of 480 sales representatives. A Captain in
the U.S. Army, Robert received his B.A. in Economics from the Virginia Military
Institute (VMI) where he graduated as a distinguished military and honor graduate.
Joanne Guerriero, Sr. Vice President of Client Services
Joanne is responsible for managing all Client Service operations and payroll services
for PayChoice. These payroll services consist of payroll processing, client care
centers, tax filing operations and online support services and training. Additionally,
Joanne provides product development input for the design and enhancement of
ENCORE – PayChoice’s newest payroll application. Prior to joining PayChoice,
Joanne was with Ceridian, a global product and services company, delivering trusted
results and transformative Human Capital Management technology. She has over 20
years of progressive leadership experience within the Small Business segment of
Service Bureau operations. Joanne’s former positions and background include
District Vice President of Client Services, Tax Filing Management, Strategic
Planning & Initiatives; Product Development and Senior Project management. She is
a graduate of Katherine Gibbs and has earned certifications in both Six Sigma and
Certified Payroll Practice (CPP).
Phil McLaughlin, President, Software Licensing Division & Chief Information Officer
Phil is responsible for all IT efforts including application development as well as
infrastructure. Additionally, Phil provides overall leadership for sales and operations
for the software division of PayChoice. Prior to joining PayChoice, Phil was CIO at
CheckFree Investment Services, where he led multiple teams and managed
application development, quality assurance, systems architecture and strategic
planning for multiple products. While at CheckFree, Phil created a strategic systems
strategy to yield significant savings by eliminating redundant applications and notably
improved customer satisfaction. Phil also improved application delivery by
establishing best practices for software development and project management. Prior
to this, Phil held the role of Business Line Chief Information Officer for PFPC, A
division of PNC Bank, overseeing all aspects of their Managed Account Services
information technology efforts, including application development, production
support, operations and IT financial management. Phil received a B.S. in Electrical
Engineering from Villanova University.
Joseph Martino, Vice President of Finance
Joseph Martino is responsible for all of PayChoice’s financial and accounting
activities including treasury and cash management, reporting, budgeting, planning,
and analysis. Mr. Martino spent several years in public accounting, including a stint
with Ernst and Young, a Big Four accounting firm. The majority of Mr. Martino’s
career was spent with Trigen Energy Corporation, an independent energy company
and public utility, where he was Vice President and Controller. Mr. Martino earned a
B.B.A in Accounting from Temple University and is a Certified Public Accountant.
He joined PayChoice in June, 2006.
Products and Services
The following is a list of the products and services provided by PayChoice to its
customers and Licensees:
Products:
PayChoice
PayChoice is the Company’s core payroll engine which is utilized by Licensees
and internal service bureau users to perform all aspects of payroll processing,
including data entry, calculation of gross pay, deductions, taxes, net pay, funds
transfer, and reporting.
PayChoice Online
PayChoice Online is the online product offered by PayChoice. Often integrated
with other modules under the moniker of Online Employer, PayChoice Online
provides 24/7 payroll and tax management tools.
ViewChoice
ViewChoice is PayChoice’s report viewer and archive system allowing a business
to view, store and share their payroll management records electronically.
Employee Self-Service (ESS)
ESS is a self-service, web-based product providing employers and their
employees online access to personnel data, check stubs, time sheets, time off
information and more. This web-based solution enables employees to access their
information anywhere via a web browser.
General Ledger Integration
G/L Interface for QuickBooks allows a client to post payroll information to their
QuickBooks accounting package. Accessed via Online Employer, clients have
the online capability to post payroll data to their G/L.
Encore
Encore is PayChoice’s next generation payroll software platform. Built on
Microsoft .NET and SQL Server database technology, Encore provides a wide
array of payroll, reporting, Employee Self Service, and HR Information System
(HRIS) capabilities.
WriteChoice
WriteChoice is a stand-alone, query based report writer (licensed from Cizer) that
is integrated with the Online Employer suite of products. Via single sign on from
Online Employer, it allows licensees, internal service bureau users and end client
administrators to create reports from the data stored in PayChoice Online and
Employee Self-Service in a variety of formats.
Services:
Payroll
Each pay period, a client submits payroll data to PayChoice in the manner they
choose. PayChoice generates calculations, makes direct deposits, creates
paychecks, produces garnishment checks and makes savings deposits for
employees. In addition, PayChoice provides clients with detailed payroll journals
and management reports.
Tax Pay and File
On a payroll by payroll basis, PayChoice calculates payroll taxes owed and takes
responsibility for paying all federal, state and local taxes and filing the required
quarterly and annual returns on a client’s behalf.
Automated Clearing House (ACH)
With direct deposit, employees designate the accounts into which they want their
pay deposited. Then, each period's pay is automatically deposited into their choice
of one or more checking, savings or retirement accounts. Employees receive a
pay voucher showing the amounts deposited, and the employer receives a detail of
transactions each pay period.
HR Online
In conjunction with its partner HR Answerlink, PayChoice offers a 24/7 email and
phone human resources (HR) answer hotline. Clients also have access to an HR
center that provides Employee Handbooks, an HR forms and letters library,
standardized job descriptions, a Q&A database and an HR law library.
Custom Reporting
PayChoice offers a complete list of management reports covering cash
disbursements, tax liabilities, departmental allocations, employee demographics
and more. In addition, should a customer require custom reports based on the
data within its payroll and HR systems, PayChoice can create custom reports.
Corporate Structure
PAI is a registered corporation under the laws of the State of Delaware. The Company is
parent to three wholly owned subsidiaries, all of which are domiciled in Delaware.
Management and Organizational Structure
PAI’s operations are under the direction of the Chief Executive Officer. PAI employs a
staff of approximately 260 in the following key functional units:
a) Conversions
The Conversion Department is responsible for setting up new clients and ensuring
that all employee, wage and tax information is accurately captured.
b) Customer Support
Customer Support is responsible for addressing customer inquiries, inputting
hours, rate changes and new hires for existing clients, and assisting clients with
their periodic processing of payrolls.
c) National Tax Services
The National Tax Services is a centralized function that is responsible for tax
payment and filing, tax notice resolution, ACH file transmissions, and client funds
reconciliations.
d) Finance
The Finance Department is responsible for the financial management of the
company and preparation of the financial statements.
e) Human Resources
The Human Resources Department is responsible for recruiting, retaining and
developing employees to ensure that the company is able to meet its current and
future business goals.
f) Information Technology
The Information Technology Department is responsible for computer hardware,
operating software, networks, data security and system backups.
g) Legal Services
Legal Services provides risk management services to the Company by providing
legal advice, ensuring compliance with state and federal laws and regulations,
fostering an ethical corporate culture, and ensuring that appropriate safeguards are
in place to protect corporate assets.
h) Sales
The Sales Department focuses on selling payroll and other employer services to
the small and medium-size business community throughout the United States.
i) Communication and Marketing
Communication and Marketing is responsible for strengthening the PayChoice
brand, facilitating various marketing and promotional campaigns, and improving
awareness of ancillary services.
j) Software Support
Software support is responsible for responding to questions and issues raised by
users of PayChoice’s software products.
k) Development
The Development Group is responsible for maintaining, updating and enhancing
the various software platforms developed and used by PayChoice.
B) Description of Relevant Processes
The following process descriptions outline the key functions within Payroll Associates,
LLC’s information technology operations that are relevant to the scope of this SSAE 16
report.
INFORMATION TECHNOLOGY
Logical Security
Logical Security consists of software safeguards for an organization’s systems including
user ID and password access, authentication, access rights and authority levels. These
measures are implemented to ensure that only authorized users are able to perform
actions or access information in a network or workstation.
User Access Controls
User accounts are created in the system based on proper approvals and the following
processes are followed for new hire access, terminations, database/system administrator/
super user access and account recertification (job changes).
New User Access
For network, system and application access, the Human Resource department initiates the
new hire process by submitting a user request via an electronically generated “IT
Employee Change Form”. The completed password protected form is scanned and
attached to a ticket created within the internal ticketing system. Once approved, network,
system and application user account/passwords and network share access are assigned by
the IT department in accordance with the approvals documented in the submitted form.
Terminations
An electronically generated “IT Employee Change Form” is distributed to the IT
Department when access to the network, systems and applications needs to be revoked
for a terminated employee. The Human Resource department will authorize the removal
of access to the network, user groups/permissions associated with the account, and
application access by submitting the IT Employee Change Form to the PayChoice IT
Department. The form is completed and emailed to IT no later than the date that the
termination takes place. Additionally, the form is scanned and attached to a ticket created
within the internal ticketing system. System Administrators receive the termination
request and immediately disable the Windows network and system accounts; the disabled
accounts are retained indefinitely for historical purposes rather than deleted.
Administrative/Privileged User Access
System Administrator, super user and direct update access to the systems and databases is
restricted based on role-based access controls (RBAC). This framework is configured for
operating system access control policies, in which users are assigned to roles, and roles
are assigned permissions to perform system-specific operations. The administrative roles
are segregated by Network Administrators, System Administrators, Desktop
Administrators and Telecom Engineers.
Network Account Recertification
A formal process of reviewing network access is performed on a quarterly basis. IT
personnel export a system-generated list of all workforce members from the domain and
validate it against a list of active employees provided by Human Resources. The lists are
compared to confirm that network access for every terminated employee has been disabled.
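The quarterly recertification described above is, in practice, a reconciliation of two exports: the domain account list and HR's employee roster. The following is an added example of that reconciliation, written for this edit and not code from PayChoice or IS Partners. It assumes two constructed CSV exports (column names `sam`, `enabled` for the domain and `login`, `status` for HR are assumptions) and an assumed allowlist of known service accounts. Because the termination process keeps accounts disabled rather than deleted, the check treats a disabled account of a terminated employee as the expected state and reports only enabled accounts that belong to terminated staff or that have no HR record at all.

```python
"""Quarterly network account recertification (added example, not the
service organization's own tooling)."""
import csv
import io

# Constructed sample of a domain export: login, display name, enabled flag.
DOMAIN_EXPORT = """\
sam,name,enabled
jdoe,Jane Doe,true
bsmith,Bob Smith,true
tlee,Tom Lee,false
rjones,Rita Jones,true
mqin,Mei Qin,true
svc_backup,Backup Service,true
"""

# Constructed sample of HR's list: employee id, domain login, employment status.
HR_ROSTER = """\
emp_id,login,status
1001,jdoe,active
1002,bsmith,terminated
1003,tlee,terminated
1004,rjones,active
"""

# Assumed allowlist: non-personal accounts that legitimately have no HR record.
KNOWN_NON_PERSONAL = {"svc_backup"}


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def recertify(domain_csv, hr_csv, allowlist=KNOWN_NON_PERSONAL):
    """Compare domain accounts with the HR roster.

    Returns a dict with two sorted lists:
      terminated_still_enabled - enabled accounts whose HR status is 'terminated'
      orphaned_enabled         - enabled accounts with no HR record and not allowlisted
    Disabled accounts are not reported: the termination process retains them
    in a disabled state for historical purposes.
    """
    domain = {r["sam"].strip().lower(): r["enabled"].strip().lower() == "true"
              for r in load_rows(domain_csv)}
    hr = {r["login"].strip().lower(): r["status"].strip().lower()
          for r in load_rows(hr_csv)}

    terminated_still_enabled = sorted(
        sam for sam, enabled in domain.items()
        if enabled and hr.get(sam) == "terminated")
    orphaned_enabled = sorted(
        sam for sam, enabled in domain.items()
        if enabled and sam not in hr and sam not in allowlist)
    return {"terminated_still_enabled": terminated_still_enabled,
            "orphaned_enabled": orphaned_enabled}


if __name__ == "__main__":
    findings = recertify(DOMAIN_EXPORT, HR_ROSTER)
    for category, accounts in findings.items():
        print(f"{category}: {', '.join(accounts) or 'none'}")
```

Each finding maps to a ticket in the same ticketing system used for the termination form; the orphaned list is also the place where an undocumented service or test account surfaces, which is why the allowlist should itself be reviewed at the same cadence.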
Password Controls
Network user passwords are required to be a minimum length of eight alphanumeric
characters. Passwords must consist of upper and lower case letters and at least one
symbol or punctuation character. All user level passwords are required to be changed
every 45 days. A password history file is implemented to prevent the reuse of passwords
from the last generation. The Account Lockout Policy has a lockout threshold after 5
consecutive unsuccessful password attempts. Locked accounts are automatically re-
enabled after 15 minutes or users can contact the PayChoice technology department to
unlock the account in Active Directory after verifying the employee’s identification.
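To make the password and lockout controls above concrete, the following is an added example, not code from PayChoice or IS Partners, that encodes the stated parameters (eight-character minimum, mixed case plus a symbol, 45-day maximum age, no reuse of the previous generation, lockout after five consecutive failures, automatic re-enable after 15 minutes, and a help-desk unlock gated on identity verification). The password history is kept as salted PBKDF2 digests rather than plaintext, which is an assumption about implementation, not something the report states.

```python
"""Password policy and account lockout checks (added example, not the
service organization's own code). Parameters are those stated in the report."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_PASSWORD_AGE = timedelta(days=45)
HISTORY_DEPTH = 1                 # "from the last generation"
LOCKOUT_THRESHOLD = 5             # consecutive failures
LOCKOUT_DURATION = timedelta(minutes=15)
PBKDF2_ROUNDS = 100_000           # assumption; not specified by the report


def remember(password):
    """Store a password in the history as (salt, PBKDF2-SHA256 digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(candidate, history):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case letter")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol or punctuation character")
    for salt, digest in history[-HISTORY_DEPTH:]:
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(probe, digest):
            problems.append("reuses the previous password")
    return problems


def password_expired(last_changed, now):
    """True once a user-level password is older than 45 days."""
    return now - last_changed > MAX_PASSWORD_AGE


class LockoutTracker:
    """Counts consecutive failures per user and enforces the lockout window."""

    def __init__(self):
        self.failures = {}       # user -> consecutive failure count
        self.locked_until = {}   # user -> datetime when the lock expires

    def attempt(self, user, success, now):
        """Record a login attempt; returns 'locked', 'ok' or 'failed'."""
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"
            # Lockout has expired: account is automatically re-enabled.
            del self.locked_until[user]
            self.failures[user] = 0
        if success:
            self.failures[user] = 0      # a success resets the consecutive count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    def helpdesk_unlock(self, user, identity_verified):
        """Manual unlock by the technology department after identity verification."""
        if not identity_verified:
            return False
        self.locked_until.pop(user, None)
        self.failures[user] = 0
        return True
```

The tracker's `attempt` method is where a directory service would sit in practice; here it is in memory so the timing behaviour (the 15-minute automatic release and the reset on success) can be exercised with fixed timestamps.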
Remote Access
Employee-owned computers are prohibited from being connected to the PayChoice
network, whether by local connection or Virtual Private Networking (VPN). Remote
access is protected by security mechanisms and appropriately restricted to authorized
employees. All employee remote access to the network requires the use of the company
standard issued laptop configured with Sophos disk encryption and Cisco IPSec VPN
technology. Users are authenticated by two separate and distinct methodologies to ensure
secure communications and identity verification. Secure communications are established
by the VPN security device through specific “client” software and their Windows Active
Directory user ID and passwords. The IPSec VPN client utilizes 3DES or AES
encryption to maintain the confidentiality of private data. Identity verification occurs
through the Multi-factor Authentication (MFA) System which is designed to call the
company-issued mobile phone of the user requesting remote access approval (during the
Login Process) and request the entry of the user’s unique PIN before granting access.
Authorization to receive remote access is granted through the same ticketing and
approval process for new users. If a new user is approved for a company issued laptop,
approval is implied for them to have remote access. In addition to laptop users, remote
access is authorized and limited to the individuals within the IT department responsible
for providing administration support for the company network and IT equipment.
Firewall Administration
Cisco firewall hardware appliances are strategically placed and configured to protect and
prevent unauthorized access to the production network and systems. Access lists/rules
are configured on the firewalls to block unwanted intrusions and access to the internal
network. Systems and devices located behind the firewalls are secured from
unauthorized users and potential internet attacks. Daily, security logs are informally
reviewed by Systems Engineers to identify any potential breach of security.
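The daily review of firewall security logs described above, shown as an added example rather than PayChoice's or the vendor's own tooling: it assumes Cisco ASA-style syslog lines for the access-list deny message 106023, and the sample log is constructed using documentation address ranges. It parses the denies, summarizes them per source, and flags sources that were denied repeatedly against several internal services, which is the pattern a reviewer wants surfaced from a day's log rather than read line by line.

```python
"""Daily firewall deny-log triage (added example, constructed data).

Assumes Cisco ASA-style syslog lines; only message 106023 (packet denied by an
access-list) is parsed. Addresses come from documentation ranges and the lines
below are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
May 15 2013 03:12:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:10.0.0.5/445 by access-group "outside_in" [0x0, 0x0]
May 15 2013 03:12:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44322 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]
May 15 2013 03:12:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44323 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
May 15 2013 03:12:04 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44324 dst inside:10.0.0.6/1433 by access-group "outside_in" [0x0, 0x0]
May 15 2013 09:40:10 fw1 %ASA-4-106023: Deny udp src outside:203.0.113.77/5060 dst inside:10.0.0.9/5060 by access-group "outside_in" [0x0, 0x0]
May 15 2013 11:02:33 fw1 %ASA-6-302013: Built inbound TCP connection 9001 for outside:198.51.100.2/50110 (198.51.100.2/50110) to dmz:10.0.1.2/443 (10.0.1.2/443)
"""

# Fields of an ASA 106023 deny message: protocol, source/destination interface,
# address and port, and the access-group (ACL) that produced the deny.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text: str) -> List[dict]:
    """Extract ACL deny events; other messages (e.g. 302013 connection built) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["dst_port"] = int(d["dst_port"])
            events.append(d)
    return events


def summarize_by_source(events: List[dict]) -> Dict[str, Tuple[int, int]]:
    """Per source IP: (number of denies, number of distinct internal ip:port targets)."""
    counts: Dict[str, int] = defaultdict(int)
    targets: Dict[str, set] = defaultdict(set)
    for e in events:
        counts[e["src_ip"]] += 1
        targets[e["src_ip"]].add((e["dst_ip"], e["dst_port"]))
    return {ip: (counts[ip], len(targets[ip])) for ip in counts}


def flag_sources(events: List[dict], min_denies: int = 3, min_targets: int = 3) -> List[str]:
    """Sources worth a closer look: repeated denies spread across several internal services.

    A single denied packet is routine noise; the same source being denied
    against many different internal addresses or ports is what a reviewer
    should see first.
    """
    summary = summarize_by_source(events)
    return sorted(ip for ip, (n, t) in summary.items()
                  if n >= min_denies and t >= min_targets)


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    for ip, (n, t) in summarize_by_source(evs).items():
        print(f"{ip:16} denies={n:3} distinct targets={t}")
    print("review:", flag_sources(evs))
```

The thresholds are parameters so that the same script can be tuned to a network's normal background of denies; the point is to turn an informal read-through into a repeatable summary whose result can be kept as evidence of the daily review.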
Intrusion Prevention Administration (Provided by 3rd Party Vendor)
PayChoice has contracted with SecureWorks, an information security vendor, to provide
a managed Intrusion Prevention and Detection Service (IPS/IDS) to safeguard the
internal resources from unauthorized access. The SecureWorks security experts perform
all management and maintenance of the IPS/IDS devices including:
Signature tuning
Signature updates
Configuration changes
Security Event Monitoring
Performance and availability management
The IPS/IDS devices are strategically placed and configured to detect, log, and report
potential security breaches. All alerts generated from across the IPS/IDS infrastructure
are aggregated and correlated in real time. The SecureWorks Security Analysts monitor
these alerts to eliminate false positives and escalate true threats to the PayChoice
infrastructure.
SecureWorks' Network Intrusion Prevention and Detection Service provides
comprehensive reports for immediate and transparent access to the current security status.
All reports are based on real-time information and can be accessed on-demand through
the secure, web-based SecureWorks Portal. The Portal provides asset-based views,
trending and comparative analyses and technical reports.
Data Transmittal
The distribution of sensitive information by PayChoice is handled in two different
ways, and the specific method is determined by the nature of the data
and/or the systems in which it resides:
Data that is produced and exists within proprietary PayChoice Application Software
Systems and requiring review or transmittal to clients or licensees is presented through
the Online Employee and/or ViewChoice Application Portals. Data can be viewed or
downloaded in Standard Reporting or PDF Document Format through the application
portals using Secured HTTP Communication (HTTPS) Encryption Algorithms
maintained through the use of SSL Security Certificates issued by either EnTrust or
VeriSign. The communication channel created between the Client Browser and the
Application Portals is an encrypted tunnel which prevents access to or duplication of data
by third parties.
Ad-hoc data that is not produced by or maintained within the PayChoice Application
Software Systems but is created in the course of business and deemed sensitive in nature
is communicated to clients and licensees through the use of an external Secure File
Transfer Service (File Guardian). PayChoice licenses this Secure File Transfer Service
from Shugo. Shugo acts as a trusted intermediary that provides secure communication
channels between PayChoice and the designated client or licensee through the hosting of
a commercial website/portal designed specifically for the secure transmission of sensitive
data.
The website/portal uses Secured HTTP Communication Encryption Algorithms
maintained through the use of SSL Security Certificates issued by either EnTrust or
VeriSign. The communication channel created between Web Browsers (utilized by
PayChoice Staff and their designated clients) and the Application Portals is an encrypted
tunnel which prevents access to or duplication of data by third parties.
Application Change Control
A formal Change Management and Systems Development Lifecycle (SDLC)
methodology policy exists for PayChoice, PayChoice Online, and Encore, and is properly
documented, approved and updated regularly by management. These policies are in
place to ensure a standardized process for any application changes that are made.
Change requests are recorded and tracked through their final disposition. The tracking is
done by the requesting manager responsible for the system. Requests for changes or
enhancements to existing applications, or development of new applications, are approved
by authorized Business Owners before work commences.
The changes are requested by the business area, thus the Business Owners are involved
from the point of the initial request. Functional requirements are approved by the
authorized Business Owners. This is part of the initial request which is sent to the
outside vendor. Once the vendor makes the requested changes, they are loaded into a test
database and to a test front end.
The Business Owners are responsible for developing and executing a test plan on the
changes. User acceptance level testing is completed and approved by the Business
Owners. Since the Business Owners are responsible for performing the testing, there is
an automatic approval once they are satisfied the changes are working as expected.
Upon satisfactory completion of the testing plan, Business Owners approve the
implementation of the application change or enhancements and the changes are migrated
to the production environment. All changes take place in the same manner with the
exception of changes to the Time and Attendance Application.
EasyChoice Time and Attendance is a user of a time and attendance system called Web-Apps
(a.k.a. SaaShr.com), which is private-labeled as TimeVantage. The software resides on
PayChoice’s servers and Web-Apps is responsible for updating the software to keep it
current with their hosted solution.
As the product vendor/owner, Web-Apps conducts all product development,
integration/regression testing and production code escalation activities in accordance with
their own internal SDLC and Change Management Processes. Web-Apps coordinates
their Production Code Escalation Activities with the designated internal PayChoice
TimeVantage Product Development Manager.
Network Software Change Control
Formal system software and supporting infrastructure change management policies and
procedures exist and are reviewed and approved by the appropriate personnel on a regular
basis. These policies are in place to ensure a standardized process for any software
modifications that are made.
Change requests are approved by the appropriate IT management to ensure that the
requested changes will not adversely affect the production environment. The request is
made in one of three ways: 1) via an e-mail to the outside vendor responsible for making the
changes, 2) via an e-mail to the internal team / department responsible for making the
changes, or 3) in response to notifications received from external vendors responsible for
product platforms utilized by PayChoice. The manager responsible for the affected
system sends the e-mail. This e-mail details the change that is required and/or the error
that was discovered.
At least one prior version of the production program is maintained for back-out purposes.
The prior versions are maintained via the backup process, which is detailed in the
Computer Operations area. Should there be a problem with a change, it can be backed
out via a restore from the backup of the system from a prior date.
System software and supporting infrastructure changes are adequately tested and
approved, by appropriate personnel, prior to being migrated into the production
environment.
Patches to system software and/or information technology infrastructure are authorized
and approved by the appropriate personnel. Any patches are provided by the vendor with
the details as to the necessity of the patch. The patch will be migrated to the production
environment and appropriately tested by the business area responsible for the system.
The programming for all Commercial off the Shelf (COTS) products is completed by
outside vendors and not onsite programmers. As a result, there are no changes that would
be classified as emergency changes. Each change would follow the same process in
order for the outside vendor to make the changes.
Computer Operations
Backup Process
PayChoice has implemented backup procedures to protect the confidentiality, integrity,
and availability of the electronically protected client information and systems.
For the PayChoice, PayChoice Online, Encore and Time & Attendance systems,
PayChoice has incorporated a Disk-Disk-Tape backup strategy as the solution for
safeguarding these systems and data. The two phase strategy utilizes an enterprise-level
backup architecture design that incorporates enterprise backup software products, disk
storage appliance(s) and high density tape libraries. Access to make changes to the
configuration of the backup software solution(s) is restricted to the Systems Engineers.
Daily and weekly, backup jobs are saved to disk storage appliance(s) located within the
data center. Weekly and monthly backup jobs are saved to tape within the high density
LTO tape libraries located at the data center. The enterprise backup software will verify
that the backup has completed and that all files were saved correctly. If a backup job
encounters an error, the system automatically generates an email notification to the
Systems Engineer distribution group. The alerts are reviewed and the failed jobs are
rescheduled.
PayChoice has not finalized contractual negotiations with an offsite storage provider to
store backup tapes. All tapes remain in the tape libraries except for the full monthly
backup tapes. The monthly tapes are pulled from the tape libraries by the PayChoice
Systems Engineers and stored for a minimum of 7 years in a fireproof safe within a
secured room.
Restoration Process
Periodically, data backup restores are performed to confirm the integrity of the data and
viability of the backup media.
Physical Access Controls
Responsibility for securing access to critical and sensitive areas is assigned to the Chief
Information Security Officer and Local Branch Manager. Access to the data center is
restricted to appropriate personnel and requires management authorization. A facility
access form must be completed to add and authorize access to the DBSi facility.
Building & Data Center Security
Access to the production data center facility is secured by physical restrictions such as
security systems and surveillance cameras to ensure that access is restricted to authorized
personnel. The building main entrance is monitored by security guards. Visitors are
required to sign the logbook and be escorted and monitored at all times during the visit.
Intrusion detection is monitored 24x7 by a security system and by surveillance cameras
located throughout the facilities. The cameras located on the data center floor are
monitored by the DBSi technicians onsite and by the technicians at two additional DBSi
data center facilities.
Access to the data center facility is controlled and restricted through the use of multiple
ingress / egress points that utilize security doors, access card readers, biometric device
scanners and multi-factor (2-factor) authentication. Access through the primary door
requires an access / key card. Access through the second door requires 2-factor
authentication: a retinal scan biometric device and an access / key card. Access through
the final door requires an access / key card.
Access to the computer equipment, systems, and storage media is segregated in a
dedicated cage controlled by security mechanisms and restricted to appropriate personnel.
An access card scanner is used to restrict access to the cage within the data center.
Access to the facility and data center is disabled upon notification when an employee is
terminated. PayChoice authorized personnel must notify DBSi for the removal of access.
Access to the data center is periodically reviewed by appropriate personnel to detect
unauthorized access.
Environmental Controls
Automated systems are configured to prevent and minimize hardware/software loss from
an environmental hazard (such as fire, flood, power failures, excessive heat and
humidity) to the data center facility.
Onsite DBSi network technicians oversee the data center environmental safeguards and
back-up power management systems. These safeguards and systems include fire
suppression, power management, heating, ventilation and air conditioning (HVAC). The
safeguards by location are as follows:
The Bethlehem facility is equipped with the following environment protection
control mechanisms:
o All network infrastructure and technology assets are supplied by
conditioned power from uninterruptible power systems installed in an N+1
configuration.
o All computer rooms are equipped with CRAC units in an N+1
configuration.
o Two generators, with an onsite fuel supply of approximately 48-60 hours,
are in place to provide power to the building in the event of a long-term
power outage. Bi-weekly testing is completed.
o Customer work spaces are equipped with either an FE25 fire suppression
system or a CO2 preaction dry pipe system. A third party provider
inspects the system.
o Water sensors have been installed below the raised floor.
The Valley Forge facility is equipped with the following environment protection
mechanisms:
o An automated building management system is in place to monitor all
environmental elements in the facility and report abnormal patterns to
management in real time.
o All network infrastructure and technology assets are supplied by
conditioned power from uninterruptible power systems installed in an N+1
configuration.
o All computer rooms are equipped with CRAC units in an N+1
configuration.
o Four generators, with an onsite fuel supply of approximately 32-40 hours,
are in place to provide power to the building in the event of a long-term
power outage. Bi-weekly testing is completed.
o All computer rooms are equipped with an FM 200 fire suppression system.
A third party provider inspects the system.
o Water sensors have been installed below the raised floors.
The Breinigsville facility is equipped with the following environment protection
mechanisms:
o An automated building management system is in place to monitor all
environmental elements in the facility and report abnormal patterns to
management in real time.
o All network infrastructure and technology assets are supplied by
conditioned power from uninterruptible power systems installed in an N+1
configuration.
o All computer rooms are equipped with CRAC units in an N+1
configuration.
o Six generators, with an onsite fuel supply of approximately 45 hours, are
in place to provide power to the building in the event of a long-term power
outage. Bi-weekly testing is completed.
o All computer rooms are equipped with an FM 200 fire suppression system.
A third party provider inspects the system.
C) Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls
PAI’s management has established a system of internal controls aligned with the
integrated framework established by the Committee of Sponsoring Organizations
(COSO). The framework consists of several interrelated components as follows:
1) Control Environment
PAI is committed to maintaining an organizational structure that supports an effective
control environment. The control environment is comprised of various elements,
including the proper segregation of job responsibilities, assignment of job functions
commensurate with skill, properly defined roles and responsibilities, hiring of
experienced staff, internal quality control processes, management oversight, and
proactive fraud detection and risk mitigation strategies, established to facilitate the
effectiveness and integrity of PAI’s operations.
To facilitate the continued presence of an effective control environment, PAI has
incorporated a series of internal and external oversight and management functions
within their operations as follows:
Board of Directors’ oversight
Audit Committee participation
Independent financial statement audits
Monthly budget monitoring
Monthly financial reporting
2) Risk Assessment Process
PAI conducts ongoing risk assessments which are facilitated by a formal Risk
Committee which is led by the Vice President of Finance. The Risk Committee
meets on a quarterly basis to ensure that existing risks are being properly addressed
and managed, and to identify potential future risks and business impediments. The
Risk Committee fosters an awareness of risk at every level of the organization
through regular interaction between management and operations personnel.
The primary risk areas identified by PAI include: a) data security, b) data integrity
and reliability, c) client credit risk, and d) client funds control.
3) Information and Communication Systems
Information is a part of PAI’s processes and integrated systems. PAI maintains an
information process that allows pertinent information and data to be identified,
captured and communicated in a timely fashion thus enabling employees to
efficiently fulfill their job responsibilities and functions. The information process
utilizes data from both inside and outside the organization which is used to guide
PAI’s strategic and tactical decision making, as well as to measure performance.
In addition, a communication process also exists within PAI’s current operating
environment. The communication process facilitates a clear dialogue between PAI’s
management and staff personnel. The overall communication process consists of
individual tasks including:
Weekly Operations Calls – where management personnel from each operating
branch and the Shared Services Department discuss existing and potential
issues affecting the payroll group.
Quarterly Town Hall Meetings – where senior management personnel present
a high-level update pertaining to PAI’s mission statement progress on major
initiatives and metrics.
Annual Operations Summit – where participants in the Weekly Operations
Calls meet to address major issues and initiatives.
4) Monitoring Controls
PAI management monitors their internal processes and control activities as part of
their routine operations. The monitoring function is conducted by PAI management
through the preparation and review of a series of management reports designed to
illustrate the success of PAI’s internal control functions and delivery of customer
services. The management reports consist of Board of Director packages, financial
analyses, business performance metrics and customer service metrics.
PAI monitors the performance of its personnel by conducting annual performance
reviews for all of its management and support staff. In addition, PAI maintains an
outsourced internal audit function that routinely monitors the integrity of selected
functions and operations.
D) Scope and Applicability of the Report
This report has been prepared in accordance with the American Institute of Certified
Public Accountants’ Statement on Standards for Attestation Engagements No. 16 –
Reporting on Controls at a Service Organization (SSAE 16). The report is intended to
provide the user organizations and their independent auditors with an understanding of
the controls related to PayChoice’s services in the areas of:
Information Technology General Controls (related to all business processes)
a) Logical Security
b) Application Change Control
c) Network Software Change Control
d) Computer Operations
e) Physical Access
in order for user organizations’ independent auditors to plan their audits. This report
describes these controls as of May 15, 2013.
This report is intended to focus on features relevant to control; it does not encompass all
aspects of the procedures followed by PAI. If a user organization does not have an
effective internal control structure in place, the controls and related control objectives
presented in this report may not compensate for such a weakness.
The control objectives, process descriptions and supporting control activities for each of
the key processes and functions included in the scope of this report are presented in
section IV.
E) Complementary User Entity Controls
PAI’s controls were designed with the assumption that certain controls would be placed
in operation at user organizations. In certain instances, the application of specific
controls at user organizations is necessary to achieve certain control objectives included
in this report.
The following list outlines controls that should be in operation at user organizations to
complement the controls listed in section IV. The list does not represent a
comprehensive set of all of the controls that should be employed by user organizations.
User organizations’ auditors should consider whether the following controls have been
placed in operation at user organizations:
Controls should be established to ensure that all data transmitted by the user
organizations to PAI is complete, accurate, timely, and protected.
Controls should be established to ensure that access to user organizations’
systems and applications is adequately restricted to authorized personnel.
Controls should be established to ensure that output data generated by PAI is
reviewed by the user organizations for accuracy.
Controls should be established to ensure that PAI’s controls included in the
scope of this report are relevant to the services being utilized by the user
organizations.
IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF CONTROLS
Information Technology
Control Objective: Logical Security Controls provide reasonable assurance that access to system resources (i.e., programs, data, tables and parameters) is restricted to
properly authorized individuals.
Control Owner   Control No.   Control Activity
PAI 1.1
New hire, temporary, contractor or managed account access to the network, systems and applications
requires approval from the appropriate management personnel prior to being granted.
PAI 1.2
Access to the network, systems, and applications for PayChoice personnel and managed customer
accounts is disabled/removed for terminated employees upon notification.
PAI 1.3
Network user accounts and profiles are reviewed and reauthorized on a periodic basis by appropriate
personnel.
PAI 1.4
Password controls such as change frequency, complexity, user lockout, length and password history
are configured to prevent unauthorized access to logical network resources.
PAI 1.5
System Administrator, super user and direct update access to the systems and databases is restricted to
appropriate personnel.
PAI 1.6
Remote access is protected by security mechanisms and appropriately restricted to authorized
employees.
PAI 1.7
Firewalls are properly configured to prevent unauthorized access to the network and critical systems
and logs are reviewed periodically by appropriate personnel.
Control Objective: Application Change Control
Controls provide reasonable assurance that the changes to existing applications and the development of new applications are
authorized, tested, approved, properly implemented and documented.
Control Owner   Control No.   Control Activity
PAI 2.1
A Formal Change Management and Systems Development Lifecycle methodology policy exists, is
properly documented, approved and updated regularly by management.
PAI 2.2 Change requests are recorded and tracked through their final disposition.
PAI 2.3
Requests for changes or enhancements to existing applications, or development of new applications,
are approved by authorized Business Owners before work commences.
PAI 2.4 Functional requirements are approved by the authorized Business Owners.
PAI 2.5 The Business Owners are responsible for developing and executing a test plan on the changes.
PAI 2.6 User acceptance level testing is completed and approved by the Business Owner.
PAI 2.7
Business Owners approve the implementation of the application change or enhancements and the
changes are migrated to the production environment.
Control Objective: Network Software Change Control Controls provide reasonable assurance that the changes to existing system software and the development of new System Software
are authorized, tested, approved, properly implemented and documented.
Control Owner   Control No.   Control Activity
PAI 3.1
Formal system software and supporting infrastructure change management policies and procedures
exist and are reviewed and approved by the appropriate personnel on a regular basis.
PAI 3.2
Change requests are approved by the appropriate IT management to ensure that the requested changes
will not adversely affect the production environment.
PAI 3.3 At least one prior version of the production program is maintained for back-out purposes.
PAI 3.4
System software and supporting infrastructure changes are adequately tested and approved, by
appropriate personnel, prior to being migrated into the production environment.
PAI 3.5
Patches to system software and/or information technology infrastructure are authorized and approved
by the appropriate personnel.
Control Objective: Computer Operations Controls provide reasonable assurance that data is retained, backed up completely, stored offsite and deviations are identified and
resolved in a timely manner.
Control Owner   Control No.   Control Activity
PAI 4.1
Access to make changes to the backup software is restricted to appropriate personnel.
PAI 4.2
Backups are monitored on a daily basis by authorized IT personnel and failed backups are resolved in
a timely manner and in accordance with the formalized backup procedures.
PAI 4.3
Daily, weekly, and quarterly production systems data backups are stored at a secured offsite facility
sufficiently remote from the data center.
PAI 4.4
Periodically, data backup restores are performed to confirm the integrity of the data and viability of
the backup media.
Control Objective: Physical Access Controls provide reasonable assurance that access to computer equipment and storage media is restricted to properly authorized
individuals based on job responsibilities, and environmental controls are configured to protect systems from potential hazards.
Control Owner   Control No.   Control Activity
PAI 5.1
Responsibility for securing access to critical and sensitive areas is assigned to appropriate personnel.
DBSi 5.2 Access to the data center is restricted to appropriate personnel and requires management authorization.
DBSi 5.3
Access to the production data center facility is secured by physical restrictions such as security
systems and surveillance cameras to ensure that access is restricted to authorized personnel.
DBSi 5.4
Access to the computer equipment, systems, and storage media is segregated in dedicated cabinets
controlled by security mechanisms and restricted to appropriate personnel.
PAI / DBSi 5.5 Access to the facility and data center is disabled upon notification when an employee is terminated.
PAI 5.6
Access to the data center is periodically reviewed by appropriate personnel to detect unauthorized
access.
DBSi 5.7
Automated systems are configured to prevent and minimize hardware/software loss from an
environmental hazard (such as fire, flood, power failures, excessive heat and humidity) to the data
center facility.
DBSi 5.8
Scheduled maintenance procedures are performed to test and validate the operation of the
environmental control devices.
V. ADDITIONAL INFORMATION PROVIDED BY THE INDEPENDENT SERVICE AUDITOR
A) Introduction
This report is intended to provide PAI’s customers and the independent auditors of PAI’s
customers with information regarding the controls placed in operation at PAI as of May
15, 2013, related to its information technology support system that may be relevant to a
customer organization’s internal control as it relates to an audit of financial statements.
The information contained in this report should assist the independent auditors of PAI’s
customers in planning an audit of their own financial statements, in accordance with
guidance provided by Statement on Standards for Attestation Engagements No. 16 –
Reporting on Controls at a Service Organization. The report is not intended to provide
the independent auditors of PAI’s customers with a basis for reducing their assessment of
control risk.
Our examination was conducted in accordance with Statement on Standards for
Attestation Engagements No. 16 – Reporting on Controls at a Service Organization. Our
examination was restricted to those control objectives and related control activities
outlined by PAI’s management in section IV, which management believes are the
relevant key controls for the stated objectives.
Our responsibility is to express an opinion as to whether the controls, as described, are
suitably designed to provide reasonable assurance that the specified control objectives
would be achieved if the described controls were complied with satisfactorily. It is each
interested party’s responsibility to evaluate this information in relation to internal
controls in place at each user organization. If an effective internal control structure is not
in place at a user organization, the controls within PAI may not compensate for such a
weakness. It is each user organization’s responsibility to evaluate this information in
relation to internal control policies and procedures in place at their organization to obtain
an understanding of the internal controls and assess control risk.
B) Responsibilities of the Independent Service Auditor
As part of our review of PAI’s controls, we performed a variety of tests, each of which
provided different levels of audit satisfaction. The combined results of these tests
provided the basis for our understanding of the framework for control and whether the
controls represented in section IV were actually in place and suitably designed as of May
15, 2013.
The following test procedures were performed, all or in part, as deemed appropriate, in
making our determination:
Test Procedure   Description
Inquiry   Interviewed relevant personnel about the details surrounding the controls to obtain an understanding of the controls.
Observation   Visually observed the execution of the controls.
Inspection   Physically reviewed/inspected documentation/evidence utilized in completing the controls, or supporting the existence thereof.
C) Consideration of Relevant Aspects of Internal Control
PAI’s internal control environment is comprised of various elements designed to enhance
the effectiveness of its internal control system. These elements include:
Organizational structure
Tone at the top
Risk assessment
Management control and oversight
Information and communication
Human resource policies and procedures
Code of professional conduct
Monitoring
Our tests of the internal control environment included the completion, in part or in
combination, of various inquiry and observation procedures, as deemed necessary, to
provide the basis for our understanding of the design of the internal control system as of
May 15, 2013, and the rendering of our opinion in accordance with the requirements set
forth in Statement on Standards for Attestation Engagements No. 16 – Reporting on
Controls at a Service Organization.