Report on Payroll Associates, LLC’s (d/b/a “PayChoice”) Description of its Information Technology Support System and on the Suitability of the Design of Controls As of May 15, 2013 (Prepared pursuant to Statement on Standards for Attestation Engagements No. 16 – Reporting on Controls at a Service Organization) SOC 1 – Type I
Payroll Associates, LLC
IS Partners, LLC
SSAE 16 Type I - Confidential
This report is not to be copied or reproduced
in any manner without the expressed written
approval of Payroll Associates, LLC. The
report, including the title page, table of
contents, and exhibits, constitutes the entire
report and should be referred to only in its
entirety and not by its component parts. The
report contains proprietary information and
is considered confidential.
TABLE OF CONTENTS
I. INDEPENDENT SERVICE AUDITOR’S REPORT
II. SERVICE ORGANIZATION’S ASSERTION
II-A. SUBSERVICE ORGANIZATION’S ASSERTION
III. DESCRIPTION OF SERVICE ORGANIZATION’S SYSTEM
A) Overview of Operations 10
B) Description of Relevant Processes 16
C) Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls 24
D) Scope and Applicability of the Report 26
E) Complementary User Entity Controls 27
IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF CONTROLS 28
V. ADDITIONAL INFORMATION PROVIDED BY THE INDEPENDENT SERVICE AUDITOR
A) Introduction 35
B) Responsibilities of the Independent Service Auditor 36
C) Consideration of Relevant Aspects of Internal Control 37
I. INDEPENDENT SERVICE AUDITOR’S REPORT
To Management of Payroll Associates, LLC:
We have examined Payroll Associates, LLC’s (“PAI” d/b/a “PayChoice”) description of the
information technology support system, and DBSi’s (“DBSi”) description of certain aspects
of the colocation services system for processing user entities’ transactions of Payroll
Associates, LLC as of May 15, 2013, and the suitability of the design of PAI’s and DBSi’s
controls to achieve the related control objectives stated in the description. DBSi is an
independent service organization that provides colocation services to PAI. PAI’s description
includes a description of DBSi’s colocation services used by PAI to process transactions for
its user entities, as well as relevant control objectives and controls of DBSi. The description
indicates that certain control objectives specified in the description can be achieved only if
complementary user entity controls contemplated in the design of PAI’s controls are suitably
designed and operating effectively, along with related controls at the service organization.
We have not evaluated the suitability of the design and operating effectiveness of such
complementary user entity controls.
In sections II and II-A of this report, PAI and DBSi, respectively, have provided their
assertions about the fairness of the presentation of the description and suitability of the
design of the controls to achieve the related control objectives stated in the description. PAI
and DBSi are responsible for preparing the description and for the assertion, including the
completeness, accuracy, and method of presentation of the description and the assertion,
providing the services covered by the description, specifying the control objectives and
stating them in the description, identifying the risks that threaten the achievement of the
control objectives, selecting the criteria, and designing, implementing, and documenting
controls to achieve the related control objectives stated in the description.
Our responsibility is to express an opinion on the fairness of the presentation of the
description and on the suitability of the design of the controls to achieve the related control
objectives stated in the description, based on our examination. We conducted our
examination in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform our
examination to obtain reasonable assurance about whether, in all material respects, the
description is fairly presented and the controls were suitably designed to achieve the related
control objectives stated in the description as of May 15, 2013.
An examination of a description of a service organization’s system and the suitability of the
design of the service organization’s controls to achieve the related control objectives stated in
the description involves performing procedures to obtain evidence about the fairness of the
presentation of the description of the system and the suitability of the design of those controls
to achieve the related control objectives stated in the description. Our procedures included
assessing the risks that the description is not fairly presented and that the controls were not
suitably designed to achieve the related control objectives stated in the description. An
examination engagement of this type also includes evaluating the overall presentation of the
description and the suitability of the control objectives stated therein, and the suitability of
the criteria specified by the service organization and described in PAI’s assertion and DBSi’s
assertion, in sections II and II-A, respectively, of this report.
We did not perform any procedures regarding the operating effectiveness of the controls
stated in the description and, accordingly, do not express an opinion thereon. We believe that
the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our
opinion.
Because of their nature, controls at a service organization or subservice organization may not
prevent, or detect and correct, all errors or omissions in processing or reporting transactions.
Also, the projection to the future of any evaluation of the fairness of the presentation of the
description, or any conclusions about the suitability of the design of the controls to achieve
the related control objectives, is subject to the risk that controls at a service organization or
subservice organization may become ineffective or fail.
In our opinion, in all material respects, based on the criteria described in PAI’s and DBSi’s
assertions in sections II and II-A, respectively, of this report,
a. the description fairly presents PAI’s and DBSi’s information technology
support system used by PAI to process transactions for its user entities that was
designed and implemented as of May 15, 2013, and
b. the controls related to the control objectives of PAI and DBSi stated in the
description were suitably designed to provide reasonable assurance that the
control objectives would be achieved if the controls operated effectively as of
May 15, 2013, and user entities applied the complementary user entity controls
contemplated in the design of PAI’s controls as of May 15, 2013.
This report is intended solely for the information and use of PAI, user entities of PAI’s
information technology support system as of May 15, 2013, and the independent auditors of
such user entities, who have a sufficient understanding to consider it, along with other
information, including information about the controls implemented by user entities
themselves, when obtaining an understanding of user entities’ information and
communication systems relevant to financial reporting. This report is not intended to be and
should not be used by anyone other than those specified parties.
May 30, 2013
IS Partners, LLC
Horsham, Pennsylvania
II. SERVICE ORGANIZATION'S ASSERTION
We have prepared the description of Payroll Associates, LLC’s (PAI) information technology
support system for user entities of the system as of May 15, 2013, and their user auditors who have a sufficient understanding
to consider it, along with other information including information about controls implemented
by user entities themselves, when obtaining an understanding of user entities' information and
communication systems relevant to financial reporting. We confirm, to the best of our
knowledge and belief, that
a. the description fairly presents the information technology support system made
available to user entities of the system as of May 15, 2013 for processing their
transactions. PAI uses a service organization, DBSi, to provide colocation services
for certain aspects of its information technology support system. Section IV of the
description presents PAI’s control objectives and related controls, as well as DBSi’s
control objectives and related controls. DBSi’s assertion is presented in section II-
A. The criteria we used in making our assertion were that the description
i. presents how the system made available to user entities of the system was
designed and implemented to process relevant transactions, including:
1. the types of services provided, including as appropriate, the
classes of transactions processed.
2. the procedures, within both automated and manual systems, by
which those transactions are initiated, authorized, recorded,
processed, corrected as necessary, and transferred to the reports
presented to user entities of the system.
3. the related accounting records, supporting information, and
specific accounts that are used to initiate, authorize, record,
process, and report transactions; this includes the correction of
incorrect information and how information is transferred to the
reports provided to user entities of the system.
4. how the system captures and addresses significant events and
conditions, other than transactions.
5. the process used to prepare reports or other information provided
to user entities of the system.
6. specified control objectives and controls designed to achieve those
objectives, including as applicable, complementary user entity
controls contemplated in the design of the service
organization’s controls.
7. other aspects of our control environment, risk assessment process,
information and communication systems (including related
business processes), control activities, and monitoring controls
that are relevant to processing and reporting transactions of user
entities of the system.
ii. does not omit or distort information relevant to the scope of the information
technology support system, while acknowledging that the description is
prepared to meet the common needs of a broad range of user entities of the
system and the independent auditors of those user entities, and may not,
therefore, include every aspect of the information technology support system
that each individual user entity of the system and its auditors may consider
important in its own particular environment.
b. the controls related to the control objectives stated in the description were
suitably designed as of May 15, 2013 to achieve those control objectives. The
criteria we used in making this assertion were that
i. the risks that threaten the achievement of the control objectives stated in the
description have been identified by the service organization.
ii. the controls identified in the description would, if operating as described,
provide reasonable assurance that those risks would not prevent the control
objectives stated in the description from being achieved.
Where Business Critical Technology Survives™
DBSi 3949 Schelden Circle Bethlehem, PA 18017 610.691.8811 www.dbsintl.com
II-A. SUBSERVICE ORGANIZATION’S ASSERTION
We have prepared the description of aspects of DBSi’s colocation services system for
Payroll Associates, LLC (PAI) and user entities of PAI’s information technology support
system as of May 15, 2013, and their user auditors who have a sufficient
understanding to consider it, along with other information including information
about controls implemented by user entities themselves, when obtaining an understanding
of user entities’ information and communication systems relevant to financial reporting.
We confirm, to the best of our knowledge and belief, that
a. the description fairly presents the aspects of DBSi’s colocation services system
made available to PAI and user entities of PAI’s system as of May 15, 2013
for processing their transactions. The criteria we used in making this assertion
were that the description
i. presents how the system made available to PAI and user entities of
PAI’s information technology support system was designed and
implemented to process relevant transactions, including
1. the types of services provided, including as appropriate, the
classes of transactions processed.
2. the procedures, within both automated and manual systems, by
which those transactions are initiated, authorized, recorded,
processed, corrected as necessary, and transferred to the reports
presented to user entities of the system.
3. the related accounting records, supporting information, and
specific accounts that are used to initiate, authorize, record,
process, and report transactions; this includes the correction of
incorrect information and how information is transferred to the
reports provided to user entities of the system.
4. how the system captures and addresses significant events and
conditions, other than transactions.
5. the process used to prepare reports or other information provided
to user entities of the system.
6. specified control objectives and controls designed to achieve
those objectives, including as applicable, complementary user
entity controls contemplated in the design of the service
organization’s controls.
7. other aspects of our control environment, risk assessment process,
information and communication systems (including related
business processes), control activities, and monitoring controls
that are relevant to processing and reporting transactions of user
entities of the system.
ii. does not omit or distort information relevant to the scope of the
information technology support system, while acknowledging that the
description is prepared to meet the common needs of a broad range of
user entities of the system and the independent auditors of those user
entities, and may not, therefore, include every aspect of the information
technology support system that each individual user entity of the
system and its auditors may consider important in its own particular
environment.
b. the controls related to the control objectives stated in the description that
relate to aspects of DBSi’s colocation services system made available to PAI
were suitably designed as of May 15, 2013 to achieve those control objectives.
The criteria we used in making this assertion were that
i. the risks that threaten the achievement of the control objectives stated in
the description have been identified by the service organization.
ii. the controls identified in the description would, if operating as described,
provide reasonable assurance that those risks would not prevent the control
objectives stated in the description from being achieved.
III. DESCRIPTION OF SERVICE ORGANIZATION’S SYSTEM
A) Overview of Operations
Company Profile and History
Payroll Associates, LLC (PAI), d/b/a “PayChoice”, is a wholly-owned subsidiary of PAI
Group, Inc., the holding company for Payroll Associates, LLC and PAI Services, LLC.
Payroll Associates, LLC provides payroll technology and related services to independent
payroll service providers (Licensees). PAI Services, LLC provides payroll processing,
tax administration, etc., to small and medium sized companies throughout the United
States.
PAI was founded in 1990 and is headquartered in Moorestown, New Jersey. It maintains
operational hubs in Boston, Massachusetts, Elkhart, Indiana, Charlotte, North Carolina
and Dallas, Texas. In addition, as outlined below, PAI supports 10 payroll branches and
approximately 180+ Licensees throughout the United States.
PAI provides its services to its customers through the following two complementary
business units:
The software division, Payroll Associates, LLC, which provides the payroll technology
and related services, and PAI Services, LLC which provides the payroll processing, tax
and related human resources services (collectively referred to herein as Payroll Services).
Management Team
PayChoice understands the importance of having the right people in the right roles. The
Senior Management Team provides the foundation from which leadership, direction and
passion are built. The Senior Management Team is comprised of the following
individuals:
Executive Leadership
Bill Scott, Chairman
Mr. Scott led the effort to acquire Payroll Associates, LLC, and to purchase the
Payroll Associates’ software licensees who desired to join in the creation of
PayChoice. Under his leadership, PayChoice grew from 40 employees to more than
350 and was recognized by the Inc. 5000 as one of the fastest growing companies in
America. Bill is also the former Chief Executive Officer of InterPay, Inc. From 1987
to 2000, Bill grew InterPay from 70 employees and 2,000 clients to more than 685
employees and nearly 30,000 clients. At the time of its ultimate sale to Fleet Bank
(purchased by Bank of America), InterPay was the fifth largest payroll processing
company in the US. In 2003, InterPay was sold to Paychex for $185 million.
Robert Digby, Chief Executive Officer
As CEO of PayChoice, Robert is responsible for the overall leadership of the software
and service bureau divisions. He brings to the position more than 20 years of payroll,
HR and benefits industry expertise, with proven operational success in leading high-performance
organizations and customer-centric service organizations. He is the
former President of RSM McGladrey Employer Services, the payroll, HR and benefit
service company of RSM McGladrey / H&R Block. Robert also held senior
leadership roles during his 15-year career at Ceridian, including President of
PowerPay Internet small business payroll division, Senior VP of Marketing and
Senior VP of Sales / Client Services for Ceridian Corporation. While at Ceridian, he
also directed a national sales organization of 480 sales representatives. A Captain in
the U.S. Army, Robert received his B.A. in Economics from the Virginia Military
Institute (VMI) where he graduated as a distinguished military and honor graduate.
Joanne Guerriero, Sr. Vice President of Client Services
Joanne is responsible for managing all Client Service operations and payroll services
for PayChoice. These payroll services consist of payroll processing, client care
centers, tax filing operations and online support services and training. Additionally,
Joanne provides product development input for the design and enhancement of
ENCORE – PayChoice’s newest payroll application. Prior to joining PayChoice,
Joanne was with Ceridian, a global product and services company, delivering trusted
results and transformative Human Capital Management technology. She has over 20
years of progressive leadership experience within the Small Business segment of
Service Bureau operations. Joanne’s former positions and background include
District Vice President of Client Services, Tax Filing Management, Strategic
Planning & Initiatives; Product Development and Senior Project management. She is
a graduate of Katherine Gibbs and has earned certifications in both Six Sigma and
Certified Payroll Practice (CPP).
Phil McLaughlin, President, Software Licensing Division & Chief Information Officer
Phil is responsible for all IT efforts including application development as well as
infrastructure. Additionally, Phil provides overall leadership for sales and operations
for the software division of PayChoice. Prior to joining PayChoice, Phil was CIO at
CheckFree Investment Services, where he led multiple teams and managed
application development, quality assurance, systems architecture and strategic
planning for multiple products. While at CheckFree, Phil created a strategic systems
strategy to yield significant savings by eliminating redundant applications and notably
improved customer satisfaction. Phil also improved application delivery by
establishing best practices for software development and project management. Prior
to this, Phil held the role of Business Line Chief Information Officer for PFPC, a
division of PNC Bank, overseeing all aspects of their Managed Account Services
information technology efforts, including application development, production
support, operations and IT financial management. Phil received a B.S. in Electrical
Engineering from Villanova University.
Joseph Martino, Vice President of Finance
Joseph Martino is responsible for all of PayChoice’s financial and accounting
activities including treasury and cash management, reporting, budgeting, planning,
and analysis. Mr. Martino spent several years in public accounting, including a stint
with Ernst and Young, a Big Four accounting firm. The majority of Mr. Martino’s
career was spent with Trigen Energy Corporation, an independent energy company
and public utility, where he was Vice President and Controller. Mr. Martino earned a
B.B.A. in Accounting from Temple University and is a Certified Public Accountant.
He joined PayChoice in June 2006.
Products and Services
The following is a list of the products and services provided by PayChoice to its
customers and Licensees:
Products:
PayChoice
PayChoice is the Company’s core payroll engine which is utilized by Licensees
and internal service bureau users to perform all aspects of payroll processing,
including data entry, calculation of gross pay, deductions, taxes, net pay, funds
transfer, and reporting.
PayChoice Online
PayChoice Online is the online product offered by PayChoice. Often integrated
with other modules under the moniker of Online Employer, PayChoice Online
provides 24/7 payroll and tax management tools.
ViewChoice
ViewChoice is PayChoice’s report viewer and archive system allowing a business
to view, store and share their payroll management records electronically.
Employee Self-Service (ESS)
ESS is a self-service, web-based product providing employers and their
employees online access to personnel data, check stubs, time sheets, time off
information and more. This web-based solution enables employees to access their
information anywhere via a web browser.
General Ledger Integration
G/L Interface for QuickBooks allows a client to post payroll information to their
QuickBooks accounting package. Accessed via Online Employer, clients have
the online capability to post payroll data to their G/L.
Encore
Encore is PayChoice’s next generation payroll software platform. Built on
Microsoft .NET and SQL Server database technology, Encore provides a wide
array of payroll, reporting, Employee Self Service, and HR Information System
(HRIS) capabilities.
WriteChoice
WriteChoice is a stand-alone, query-based report writer (licensed from Cizer) that
is integrated with the Online Employer suite of products. Via single sign on from
Online Employer, it allows licensees, internal service bureau users and end client
administrators to create reports from the data stored in PayChoice Online and
Employee Self-Service in a variety of formats.
Services:
Payroll
Each pay period, a client submits payroll data to PayChoice in the manner they
choose. PayChoice generates calculations, makes direct deposits, creates
paychecks, produces garnishment checks and makes savings deposits for
employees. In addition, PayChoice provides clients with detailed payroll journals
and management reports.
Tax Pay and File
On a payroll by payroll basis, PayChoice calculates payroll taxes owed and takes
responsibility for paying all federal, state and local taxes and filing the required
quarterly and annual returns on a client’s behalf.
Automated Clearing House (ACH)
With direct deposit, employees designate the accounts into which they want their
pay deposited. Then, each period's pay is automatically deposited into their choice
of one or more checking, savings or retirement accounts. Employees receive a
pay voucher showing the amounts deposited, and the employer receives a detail of
transactions each pay period.
HR Online
In conjunction with its partner HR Answerlink, PayChoice offers a 24/7 email and
phone human resources (HR) answer hotline. Clients also have access to an HR
center that provides Employee Handbooks, an HR forms and letters library,
standardized job descriptions, a Q&A database and an HR law library.
Custom Reporting
PayChoice offers a complete list of management reports covering cash
scanners and multi-factor (2-factor) authentication. Access through the primary door
requires an access / key card. Access through the second door requires 2-factor
authentication: a retinal scan biometric device and an access / key card. Access through
the final door requires an access / key card.
Access to the computer equipment, systems, and storage media is segregated in a
dedicated cage controlled by security mechanisms and restricted to appropriate personnel.
An access card scanner is used to restrict access to the cage within the data center.
Access to the facility and data center is disabled upon notification when an employee is
terminated. PayChoice authorized personnel must notify DBSi for the removal of access.
Access to the data center is periodically reviewed by appropriate personnel to detect
unauthorized access.
Environmental Controls
Automated systems are configured to prevent or minimize hardware and software loss
from environmental hazards to the data center facility (such as fire, flood, power
failure, and excessive heat and humidity).
Onsite DBSi network technicians oversee the data center environmental safeguards and
back-up power management systems. These safeguards and systems include fire
suppression, power management, heating, ventilation and air conditioning (HVAC). The
safeguards by location are as follows:
The Bethlehem facility is equipped with the following environment protection
control mechanisms:
o All network infrastructure and technology assets are supplied by
conditioned power from uninterruptible power systems installed in an N+1
configuration.
o All computer rooms are equipped with CRAC units in an N+1
configuration.
o Two generators, with an onsite fuel supply of approximately 48-60 hours,
are in place to provide power to the building in the event of a long-term
power outage. Bi-weekly testing is completed.
o Customer work spaces are equipped with either an FE25 fire suppression
system or a CO2 preaction dry pipe system. A third party provider
inspects the system.
o Water sensors have been installed below the raised floor.
The Valley Forge facility is equipped with the following environment protection
mechanisms:
o An automated building management system is in place to monitor all
environmental elements in the facility and report abnormal patterns to
management in real time.
o All network infrastructure and technology assets are supplied by
conditioned power from uninterruptible power systems installed in an N+1
configuration.
o All computer rooms are equipped with CRAC units in an N+1
configuration.
o Four generators, with an onsite fuel supply of approximately 32-40 hours,
are in place to provide power to the building in the event of a long-term
power outage. Bi-weekly testing is completed.
o All computer rooms are equipped with an FM 200 fire suppression system.
A third party provider inspects the system.
o Water sensors have been installed below the raised floors.
The Breinigsville facility is equipped with the following environment protection
mechanisms:
o An automated building management system is in place to monitor all
environmental elements in the facility and report abnormal patterns to
management in real time.
o All network infrastructure and technology assets are supplied by
conditioned power from uninterruptible power systems installed in an N+1
configuration.
o All computer rooms are equipped with CRAC units in an N+1
configuration.
o Six generators, with an onsite fuel supply of approximately 45 hours, are
in place to provide power to the building in the event of a long-term power
outage. Bi-weekly testing is completed.
o All computer rooms are equipped with an FM 200 fire suppression system.
A third party provider inspects the system.
C) Relevant Aspects of the Control Environment, Risk Assessment Process, Information and
Communication Systems, and Monitoring Controls
PAI’s management has established a system of internal controls aligned with the
integrated framework established by the Committee of Sponsoring Organizations
(COSO). The framework consists of several interrelated components as follows:
1) Control Environment
PAI is committed to maintaining an organizational structure that supports an effective
control environment. The control environment is comprised of various elements,
including the proper segregation of job responsibilities, assignment of job functions
commensurate with skill, properly defined roles and responsibilities, hiring of
experienced staff, internal quality control processes, management oversight, and
proactive fraud detection and risk mitigation strategies, established to facilitate the
effectiveness and integrity of PAI’s operations.
To facilitate the continued presence of an effective control environment, PAI has
incorporated a series of internal and external oversight and management functions
within their operations as follows:
Board of Directors’ oversight
Audit Committee participation
Independent financial statement audits
Monthly budget monitoring
Monthly financial reporting
2) Risk Assessment Process
PAI conducts ongoing risk assessments, facilitated by a formal Risk
Committee led by the Vice President of Finance. The Risk Committee
meets on a quarterly basis to ensure that existing risks are being properly addressed
and managed, and to identify potential future risks and business impediments. The
Risk Committee fosters an awareness of risk at every level of the organization
through regular interaction between management and operations personnel.
The primary risk areas identified by PAI include: a) data security, b) data integrity
and reliability, c) client credit risk, and d) client funds control.
3) Information and Communication Systems
Information is a part of PAI’s processes and integrated systems. PAI maintains an
information process that allows pertinent information and data to be identified,
captured and communicated in a timely fashion thus enabling employees to
efficiently fulfill their job responsibilities and functions. The information process
utilizes data from both inside and outside the organization which is used to guide
PAI’s strategic and tactical decision making, as well as to measure performance.
In addition, a communication process exists within PAI’s current operating
environment. The communication process facilitates a clear dialogue between PAI’s
management and staff personnel. The overall communication process consists of
individual tasks including:
- Weekly Operations Calls – where management personnel from each operating branch and the Shared Services Department discuss existing and potential issues affecting the payroll group.
- Quarterly Town Hall Meetings – where senior management personnel present a high-level update pertaining to PAI’s mission statement progress on major initiatives and metrics.
- Annual Operations Summit – where participants in the Weekly Operations Calls meet to address major issues and initiatives.
4) Monitoring Controls
PAI management monitors their internal processes and control activities as part of
their routine operations. The monitoring function is conducted by PAI management
through the preparation and review of a series of management reports designed to
illustrate the success of PAI’s internal control functions and delivery of customer
services. The management reports consist of Board of Director packages, financial
analyses, business performance metrics and customer service metrics.
PAI monitors the performance of its personnel by conducting annual performance
reviews for all of its management and support staff. In addition, PAI maintains an
outsourced internal audit function that routinely monitors the integrity of selected
functions and operations.
D) Scope and Applicability of the Report
This report has been prepared in accordance with the American Institute of Certified
Public Accountants’ Statement on Standards for Attestation Engagements No. 16 –
Reporting on Controls at a Service Organization (SSAE 16). The report is intended to
provide the user organizations and their independent auditors with an understanding of
the controls related to PayChoice’s services in the areas of:
Information Technology General Controls (related to all business processes)
a) Logical Security
b) Application Change Control
c) Network Software Change Control
d) Computer Operations
e) Physical Access
in order for user organizations’ independent auditors to plan their audits. This report
describes these controls as of May 15, 2013.
This report is intended to focus on features relevant to control; it does not encompass all
aspects of the procedures followed by PAI. If a user organization does not have an
effective internal control structure in place, the controls and related control objectives
presented in this report may not compensate for such a weakness.
The control objectives, process descriptions and supporting control activities for each of
the key processes and functions included in the scope of this report are presented in
section IV.
E) Complementary User Entity Controls
PAI’s controls were designed with the assumption that certain controls would be placed
in operation at user organizations. In certain instances, the application of specific
controls at user organizations is necessary to achieve certain control objectives included
in this report.
The following list outlines controls that should be in operation at user organizations to
complement the controls listed in section IV. The list does not represent a
comprehensive set of all of the controls that should be employed by user organizations.
User organizations’ auditors should consider whether the following controls have been
placed in operation at user organizations:
- Controls should be established to ensure that all data transmitted by the user organizations to PAI is complete, accurate, timely, and protected.
- Controls should be established to ensure that access to user organizations’ systems and applications is adequately restricted to authorized personnel.
- Controls should be established to ensure that output data generated by PAI is reviewed by the user organizations for accuracy.
- Controls should be established to ensure that PAI’s controls included in the scope of this report are relevant to the services being utilized by the user organizations.
IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF CONTROLS
Information Technology
Control Objective: Logical Security
Controls provide reasonable assurance that access to system resources (i.e., programs, data, tables and parameters) is restricted to properly authorized individuals.
Control Owner | Control No. | Control Activity
PAI | 1.1 | New hire, temporary, contractor or managed account access to the network, systems and applications requires approval from the appropriate management personnel prior to being granted.
PAI | 1.2 | Access to the network, systems, and applications for PayChoice personnel and managed customer accounts is disabled/removed for terminated employees upon notification.
PAI | 1.3 | Network user accounts and profiles are reviewed and reauthorized on a periodic basis by appropriate personnel.
PAI | 1.4 | Password controls such as change frequency, complexity, user lockout, length and password history are configured to prevent unauthorized access to logical network resources.
PAI | 1.5 | System Administrator, super user and direct update access to the systems and databases is restricted to appropriate personnel.
PAI | 1.6 | Remote access is protected by security mechanisms and appropriately restricted to authorized employees.
PAI | 1.7 | Firewalls are properly configured to prevent unauthorized access to the network and critical systems, and logs are reviewed periodically by appropriate personnel.
Control Objective: Application Change Control
Controls provide reasonable assurance that the changes to existing applications and the development of new applications are authorized, tested, approved, properly implemented and documented.
Control Owner | Control No. | Control Activity
PAI | 2.1 | A formal Change Management and Systems Development Lifecycle methodology policy exists, is properly documented, approved and updated regularly by management.
PAI | 2.2 | Change requests are recorded and tracked through their final disposition.
PAI | 2.3 | Requests for changes or enhancements to existing applications, or development of new applications, are approved by authorized Business Owners before work commences.
PAI | 2.4 | Functional requirements are approved by the authorized Business Owners.
PAI | 2.5 | The Business Owners are responsible for developing and executing a test plan on the changes.
PAI | 2.6 | User acceptance level testing is completed and approved by the Business Owner.
PAI | 2.7 | Business Owners approve the implementation of the application change or enhancements and the changes are migrated to the production environment.
Control Objective: Network Software Change Control
Controls provide reasonable assurance that the changes to existing system software and the development of new system software are authorized, tested, approved, properly implemented and documented.
Control Owner | Control No. | Control Activity
PAI | 3.1 | Formal system software and supporting infrastructure change management policies and procedures exist and are reviewed and approved by the appropriate personnel on a regular basis.
PAI | 3.2 | Change requests are approved by the appropriate IT management to ensure that the requested changes will not adversely affect the production environment.
PAI | 3.3 | At least one prior version of the production program is maintained for back-out purposes.
PAI | 3.4 | System software and supporting infrastructure changes are adequately tested and approved, by appropriate personnel, prior to being migrated into the production environment.
PAI | 3.5 | Patches to system software and/or information technology infrastructure are authorized and approved by the appropriate personnel.
Control Objective: Computer Operations
Controls provide reasonable assurance that data is retained, backed up completely, stored offsite, and deviations are identified and resolved in a timely manner.
Control Owner | Control No. | Control Activity
PAI | 4.1 | Access to make changes to the backup software is restricted to appropriate personnel.
PAI | 4.2 | Backups are monitored on a daily basis by authorized IT personnel and failed backups are resolved in a timely manner and in accordance with the formalized backup procedures.
PAI | 4.3 | Daily, weekly, and quarterly production systems data backups are stored at a secured offsite facility sufficiently remote from the data center.
PAI | 4.4 | Periodically, data backup restores are performed to confirm the integrity of the data and viability of the backup media.
Control Objective: Physical Access
Controls provide reasonable assurance that access to computer equipment and storage media is restricted to properly authorized individuals based on job responsibilities, and environmental controls are configured to protect systems from potential hazards.
Control Owner | Control No. | Control Activity
PAI | 5.1 | Responsibility for securing access to critical and sensitive areas is assigned to appropriate personnel.
DBSi | 5.2 | Access to the data center is restricted to appropriate personnel and requires management authorization.
DBSi | 5.3 | Access to the production data center facility is secured by physical restrictions such as security systems and surveillance cameras to ensure that access is restricted to authorized personnel.
DBSi | 5.4 | Access to the computer equipment, systems, and storage media is segregated in dedicated cabinets controlled by security mechanisms and restricted to appropriate personnel.
PAI / DBSi | 5.5 | Access to the facility and data center is disabled upon notification when an employee is terminated.
PAI | 5.6 | Access to the data center is periodically reviewed by appropriate personnel to detect unauthorized access.
DBSi | 5.7 | Automated systems are configured to prevent and minimize hardware/software loss from an environmental hazard (such as fire, flood, power failures, excessive heat and humidity) to the data center facility.
DBSi | 5.8 | Scheduled maintenance procedures are performed to test and validate the operation of the environmental control devices.
V. ADDITIONAL INFORMATION PROVIDED BY THE INDEPENDENT SERVICE AUDITOR
A) Introduction
This report is intended to provide PAI’s customers and the independent auditors of PAI’s
customers with information regarding the controls placed in operation at PAI as of May
15, 2013, related to its information technology support system that may be relevant to a
customer organization’s internal control as it relates to an audit of financial statements.
The information contained in this report should assist the independent auditors of PAI’s
customers in planning an audit of their own financial statements, in accordance with
guidance provided by Statement on Standards for Attestation Engagements No. 16 –
Reporting on Controls at a Service Organization. The report is not intended to provide
the independent auditors of PAI’s customers with a basis for reducing their assessment of
control risk.
Our examination was conducted in accordance with Statement on Standards for
Attestation Engagements No. 16 – Reporting on Controls at a Service Organization. Our
examination was restricted to those control objectives and related control activities
outlined by PAI’s management in section IV, which management believes are the
relevant key controls for the stated objectives.
Our responsibility is to express an opinion as to whether the controls, as described, are
suitably designed to provide reasonable assurance that the specified control objectives
would be achieved if the described controls were complied with satisfactorily. It is each
interested party’s responsibility to evaluate this information in relation to internal
controls in place at each user organization. If an effective internal control structure is not
in place at a user organization, the controls within PAI may not compensate for such a
weakness. It is each user organization’s responsibility to evaluate this information in
relation to internal control policies and procedures in place at their organization to obtain
an understanding of the internal controls and assess control risk.
B) Responsibilities of the Independent Service Auditor
As part of our review of PAI’s controls, we performed a variety of tests, each of which
provided different levels of audit satisfaction. The combined results of these tests
provided the basis for our understanding of the framework for control and whether the
controls represented in section IV were actually in place and suitably designed as of May
15, 2013.
The following test procedures were performed, all or in part, as deemed appropriate, in
making our determination:
Test Procedure | Description
Inquiry | Interviewed relevant personnel about the details surrounding the controls to obtain an understanding of the controls.
Observation | Visually observed the execution of the controls.
Inspection | Physically reviewed/inspected documentation/evidence utilized in completing the controls, or supporting the existence thereof.
C) Consideration of Relevant Aspects of Internal Control
PAI’s internal control environment is comprised of various elements designed to enhance
the effectiveness of its internal control system. These elements include:
- Organizational structure
- Tone at the top
- Risk assessment
- Management control and oversight
- Information and communication
- Human resource policies and procedures
- Code of professional conduct
- Monitoring
Our tests of the internal control environment included the completion, in part or in
combination, of various inquiry and observation procedures, as deemed necessary, to
provide the basis for our understanding of the design of the internal control system as of
May 15, 2013, and the rendering of our opinion in accordance with the requirements set
forth in Statement on Standards for Attestation Engagements No. 16 – Reporting on