PayData Payroll Services, Inc.

Transcription

PayData Payroll Services, Inc.
Report on PayData’s Description of Its
Payroll Processing System and on the
Suitability of the Design and Operating
Effectiveness of Its Controls (SOC 1)
For the period of
October 1, 2011 to September 30, 2012
Table of Contents
INDEPENDENT SERVICE AUDITORS’ REPORT ......................................................................... 1
Management’s Assertion Letter ....................................................................................................... 3
Organization and Management.................................................................................................... 5
Management’s Philosophy and Operating Style ...................................................................... 5
Assignment of Authority and Responsibility ............................................................................. 6
Organizational Structure........................................................................................................... 6
Hiring Practices and Human Resource Policies....................................................................... 7
Training..................................................................................................................................... 7
Integrity and Ethics ................................................................................................................... 8
Confidentiality Agreement ........................................................................................................ 8
Code of Ethics .......................................................................................................................... 8
Commitment to Competence.................................................................................................... 8
Information and Communication .................................................................................................. 9
Risk Assessment and Monitoring ................................................................................................ 9
Transaction Processing ............................................................................................................. 10
New Client Conversion ........................................................................................................... 10
Payroll Processing .................................................................................................................. 11
Payroll Distribution ................................................................................................................. 14
Tax Payments and Compliance ............................................................................................. 15
ACH Processing ..................................................................................................................... 16
Finance and Administration .................................................................................................... 17
Information Technology and Systems Security ......................................................................... 18
Description of IT Outsource Agreement ................................................................................. 19
Description of Computerized Information Systems ................................................................ 19
General Computer Controls ....................................................................................................... 20
Building and Office Access..................................................................................................... 20
Physical Access and Environmental Protection of Server Room........................................... 20
Logical Access ....................................................................................................................... 21
Software Change Management ............................................................................................. 22
Information Safeguards .......................................................................................................... 22
Computer Operations ............................................................................................................. 23
Subservice Organizations .......................................................................................................... 25
Client Control Considerations .................................................................................................... 26
Purpose and Objectives of the Report ....................................................................................... 28
PayData’s Control Objectives and Related Controls and .......................................................... 29
Independent Service Auditor’s Tests of Controls and Results of Tests..................................... 29
Additional Information Provided by PayData ............................................................................. 74
Description of the Evolution Payroll Software ........................................................................ 74
Remote Access and Security ................................................................................................. 76
INDEPENDENT SERVICE AUDITORS’ REPORT
Management of PayData Payroll Services, Inc.
We have examined PayData Payroll Services, Inc.’s (“PayData”) description of its payroll processing system for
processing user entities’ transactions throughout the period October 1, 2011 to September 30, 2012 and the
suitability of the design and operating effectiveness of controls to achieve the related control objectives stated
in the description. The description indicates that certain control objectives in the description can be achieved
only if complementary user entity controls contemplated in the design of PayData’s controls are suitably
designed and operating effectively, along with the related controls at the service organization. We have not
evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.
PayData uses a payroll software vendor, ACH processor, tax research software, and an IT outsource provider to
supplement its processes in the performance of its payroll processing system. The description in Section III
includes only the controls and related control objectives of PayData and excludes the control objectives and
related controls of the subservice organizations. Our examination did not extend to controls of the subservice
organizations.
The information in section V, “Additional Information Provided by PayData,” describes PayData’s payroll
software and web application. This information is presented by management of PayData to provide additional
information and is not a part of PayData’s description of its payroll system made available to user entities during
the period October 1, 2011 to September 30, 2012. Information about PayData’s payroll software and web
application has not been subjected to the procedures applied in the examination of the description of the
payroll system and of the suitability of the design and operating effectiveness of controls to achieve the related
control objectives stated in the description of the payroll system and accordingly, we express no opinion on it.
In Section II of the description, PayData has provided an assertion about the fairness of the presentation of the
description and suitability of the design and operating effectiveness of the controls to achieve the related
control objectives stated in the description. PayData is responsible for preparing the description and for the
assertion, including the completeness, accuracy, and method of presentation of the description and assertion,
providing the services covered by the description, specifying the control objectives, selecting the criteria, and
designing, implementing and documenting controls to achieve the related control objectives stated in the
description.
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the
suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated
in the description, based on our examination. We conducted our examination in accordance with attestation
standards established by the American Institute of Certified Public Accountants. Those standards require that
we plan and perform our examination to obtain reasonable assurance about whether, in all material respects,
the description is fairly presented and the controls were suitably designed and operating effectively to achieve
the related control objectives stated in the description throughout the period October 1, 2011 to September 30,
2012.
An examination of a description of a service organization’s system and the suitability of the design and operating
effectiveness of the service organization’s controls to achieve the related control objectives stated in the
description involves performing procedures to obtain evidence about the fairness of the presentation of the
description and the suitability of the design and operating effectiveness of those controls to achieve the related
control objectives stated in the description. Our procedures included assessing the risks that the description is
not fairly presented and that the controls were not suitably designed or operating effectively to achieve the
related control objectives stated in the description. Our procedures also included testing the operating
effectiveness of those controls that we consider necessary to provide reasonable assurance that the related
control objectives stated in the description were achieved. An examination engagement of this type also
includes evaluating the overall presentation of the description and the suitability of the control objectives stated
therein, and the suitability of the criteria specified by the service organization and described in Section II. We
believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our
opinion.
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or
omissions in processing payroll transactions. Also, the projection to the future of any evaluation of the fairness
of the presentation of the description, or conclusions about the suitability of the design or operating
effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a
service organization may become inadequate or fail.
In our opinion, in all material respects, based on the criteria described in PayData’s assertion in Section II,
a) the description fairly presents the payroll processing system that was designed and implemented
throughout the period of October 1, 2011 to September 30, 2012.
b) the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period October 1, 2011 to September 30, 2012 and user entities applied the
complementary user entity controls contemplated in the design of PayData’s controls throughout the
period October 1, 2011 to September 30, 2012.
c) the controls tested, which together with the complementary user entity controls referred to in the
scope paragraph of this report, if operating effectively, were those necessary to provide reasonable
assurance that the control objectives stated in the description were achieved, operated effectively
throughout the period October 1, 2011 to September 30, 2012.
The specific controls tested and the nature, timing and results of those tests are listed in Section IV.
This report, including the description of tests of controls and results thereof in Section IV, is intended solely for
the information and use of PayData, user entities of PayData’s payroll processing system during some or all of
the period of October 1, 2011 to September 30, 2012, and the independent auditors of such user entities, who
have a sufficient understanding to consider it, along with other information including information about controls
implemented by user entities themselves, when assessing the risks of material misstatements of user entities’
financial statements. This report is not intended to be and should not be used by anyone other than these
specified parties.
Kansas City, Missouri
October 5, 2012
PAYDATA PAYROLL SERVICES, INC.
October 1, 2011 to September 30, 2012
SECTION III. DESCRIPTION OF SYSTEM PROVIDED BY PAYDATA
Organization and Management
PayData is a regional payroll processing and related payroll tax compliance service organization.
PayData was formed in 1987 and is located in Colchester, Vermont. PayData serves approximately 1,800
clients and generates approximately 120,000 checks each month. PayData is an S-Corp and is owned by
Michael J. Trahan who serves as CEO. The President and Vice President of Operations are responsible
for the day-to-day operations of PayData. The CEO, President and Vice President of Operations make
up the executive management team.
PayData consists of Operations, Tax, Sales, and Accounting departments. In order to enhance controls,
the business operations are segregated into functional departments.
The President oversees the Sales Department which is responsible for new client sales, expanding
services to current clients and obtaining the new client setup packet.
The Vice President oversees each of the departments, which perform the following:
Operations Department – Responsible for internal training, receiving and processing payroll
information, client service, new client setup or conversion, timeclock setup, and new client
trainings.
Tax Department – Responsible for approval of new client tax setup, payment of taxes,
submission of filings and resolution of tax notices.
Accounting Department – Responsible for the daily bank reconciliations and monitoring bank
transactions.
Each department employs a manager or supervisor who oversees the department operations and
reports to the President or Vice President of Operations.
Management’s Philosophy and Operating Style
PayData’s mission statement summarizes their business objectives and overall philosophy on
professional conduct: “Dedicated to quality, personalized service surpassing every expectation.”
PayData’s management communicates this mission statement during meetings and by their actions.
PayData’s management monitors the organization to ensure compliance with the mission statement and
that the company operates effectively and efficiently while remaining industry and client focused.
Personnel turnover has been minimal. Senior management and operating management have frequent
interaction in both formal and informal settings. PayData’s management continuously emphasizes the
importance of the payroll and tax processing function and its role in ensuring the reliability of client
data.
The Vice President of Operations is actively involved in the day-to-day operations and activities of the
company. The President and Vice President of Operations have an open door communication policy.
Every employee has access to the President daily and the President is visible to all employees on a daily
basis to provide an opportunity for the employees to inform him of issues or concerns. The Vice
President of Operations has weekly staff meetings where employee feedback and suggestions are
encouraged. As applicable, departments maintain individual task schedules which outline the critical
functions that must be completed throughout the day. The task schedules are reviewed daily by
management to ensure that all required tasks have been performed.
Assignment of Authority and Responsibility
The Management Team, consisting of the President, Vice President and department managers, has the
ultimate responsibility for all activities within the entity, including the internal control system. This also
includes assignment of authority and responsibility for operating activities, and establishment of
reporting relationships and authorization protocols.
Organizational Structure
An entity’s organizational structure provides the framework within which its activities for achieving
entity-wide objectives are planned, executed, controlled, and monitored. Significant aspects of
establishing an effective organizational structure include defining key areas of authority and
responsibility and establishing appropriate lines of reporting.
Each non-managerial employee’s position has responsibilities outlined by published job descriptions that
provide general functions and specific duties. Each employee is given written expectations of the
position. It provides a basis for employee reviews and accountability.
Hiring Practices and Human Resource Policies
The formalized human resource policies include critical aspects of the employment process including:
hiring, training and development, performance evaluations, advancement and termination. PayData is
committed to hiring and retaining the best qualified personnel. The hiring practices are formalized and
carefully performed. All candidates are interviewed and screened by at least two Management Team
members. In addition, background and criminal checks are conducted and references are contacted
before an offer of employment is extended. During the employee’s first few days of employment, they
meet with a member of the Management Team who discusses the importance of the sensitivity of the
information being managed by the company and the importance of the organization’s role in protecting
clients’ information.
Performance evaluations are performed on a regular basis and provide employees with a tool to
understand their job performance and areas for improvement. In addition, the evaluation process helps
management in determining compensation, promotions and topics for upcoming training sessions.
Training
Training is an important part of management’s commitment to excellence. Management encourages
employees’ participation in outside continuing education and holds regular training sessions in-house to
keep the employees’ skills fine-tuned.
PayData has well documented operating procedure manuals to provide a reference to employees in the
conduct of their daily responsibilities. The procedure documentation is maintained and includes:
Procedures for marketing and sales, human resources, client services, tax services and general
operations.
Finance and Accounting Manual for billing, invoicing, accounts receivable and collection
activities, commissions, purchasing, accounts payable and reporting activities.
Training Manuals to provide initial and ongoing instruction to employees and serve as a
reference tool for employees.
Technical Manuals that range in subjects from the computer operation guides to tax-related
documentation. The technical manuals serve as a valuable resource to many different positions
within PayData.
Departmental meetings are held regularly for a variety of purposes. The meetings are attended by the
appropriate departmental staff members. Topics normally covered are company changes, new
assignments, software changes, IRS pronouncements, new clients and other payroll related issues that
affect the operation of the organization. Quarterly meetings are also conducted in which the President
gives the entire staff an overview of budgetary goal items. At the end of the meeting, each employee is
given the opportunity to discuss items they feel are important and offer suggestions, which are
encouraged throughout the meeting.
All new employees undergo training and observe seasoned veterans for approximately one week and
then are observed another week before they begin to work on their own. Once they begin working
independently, their work is reviewed before it is released until it is deemed they have an adequate
understanding of their job duties.
Integrity and Ethics
The organization and management of PayData establishes a control environment within which the
employees must function. It is a framework for all aspects of internal control. This control environment
includes such items as integrity and ethics, conflict of interest and commitment to excellence.
Confidentiality Agreement
All employees are required to review and sign PayData’s confidentiality agreement prior to gaining
access to client data. The agreement provides employees with clear guidelines of the employee’s role in
protecting client information. Management reviews the confidentiality guidelines at regularly scheduled
staff meetings.
Code of Ethics
PayData’s business conduct is governed by a standard code of ethics to provide guidance for employees
and inform clients on the way PayData wishes to conduct business. As a member of Independent Payroll
Provider’s Association (IPPA), PayData has adopted their published code of ethics. Responsibilities
covered are: avoiding misrepresentation, gifts, personal conduct, compliance, service standards,
equitable practices, confidentiality, conflicts of interest, marketing, and financial reporting. New hires
are instructed on these codes and they are reinforced through staff meetings.
Commitment to Competence
Competence should reflect the knowledge and skills required to accomplish tasks that define an
individual’s job. Through consideration of an entity’s objectives and the strategies and plans for
achievement of those objectives, management specifies the competence levels required for particular
jobs and translates those levels into requisite knowledge and skills. PayData management has analyzed
and defined the tasks and knowledge requirements that comprise the positions within the organization.
They consider such factors as the extent to which individuals must exercise judgment and the extent of
related supervision when making hiring decisions. PayData management communicates this to
personnel through the interview process, job descriptions, the establishment of performance and
development plans, and through periodic meetings with personnel.
Information and Communication
PayData utilizes various methods of communication to help ensure employees understand their
individual roles and company controls, and to help ensure significant events are communicated timely.
All new employees are provided with orientation and training programs. Time sensitive information is
communicated verbally and by email to all employees. The minutes from the weekly Management
meeting are emailed to the staff each week.
PayData also communicates with their clients on a routine basis. Each client organization has a
designated Client Service Representative who communicates via phone, fax, letter and Internet e-mail
with the client organization regularly. In addition, flyers are added to processed payrolls or sent via
Internet e-mail for important announcements or reminders. Periodic training classes are offered to
client personnel.
Risk Assessment and Monitoring
PayData has placed into operation a process to identify and manage risks that could affect their ability
to provide reliable payroll processing to clients. This process requires management to identify
significant risks inherent in the processing of payroll data for clients and to implement appropriate
measures to monitor and manage these risks. On a regular basis management meets to discuss the risks
the business is facing. These include various aspects of financial and technological risks. In addition, the
Vice President meets with the staff on a regular basis to discuss any outstanding issues pertaining to the
functioning of the company.
Internal controls are evaluated and monitored by the management team. The management team
monitors and reports on department functions and compliance with laws and regulations. Standard
reporting includes:
Departmental Scorecards – These reports are utilized to track the number of payrolls processed
versus payrolls scheduled, client and internal errors, ACH returns and open and closed tax
notices. The staff responsible for each scorecard updates the information daily. These reports
are reviewed weekly during the regularly scheduled management meeting.
Billing Transactions Report – This report summarizes check count activity for each client and is
run on a monthly basis and is reviewed at the monthly management and executive meetings.
Budget Variance – On a monthly basis, the financial statements are compared to the annual
budget spreadsheet. Areas of concern are discussed during the monthly executive meeting.
Sales Analysis Report – This report is run on a monthly basis and compares sales and labor
results by month and is discussed in the monthly executive meeting.
Annual Budget Report – This annual spreadsheet is created as a benchmark as to where
management expects to be at the end of a fiscal year and monthly comparisons are reviewed at
the monthly executive meetings.
Transaction Processing
The primary control objective of PayData is to ensure that all transactions are properly initiated,
authorized, recorded, processed, reported and maintained. These controls are evident in every aspect
of the business. The core service areas of PayData are payroll conversion, payroll processing, payroll
distribution, ACH processing, tax compliance, information technology and systems security.
PayData provides its clients with various service level options in order to fit its clients’ needs. Clients are
able to contract with PayData on a service-by-service basis, determined by the products they require.
PayData provides all of its clients with a full service payroll solution that includes optional automatic
payroll tax filing and depositing. There are many optional services that are available and are identified
below:
Positive Pay Checks (payroll checks drawn on a PayData account)
Employee Direct Deposit
New Hire Reporting
Agency and Third Party Checks
Delivery
Additional State Tax Filing Jurisdictions
General Ledger
Check Reconciliation Spreadsheet
401K Process Reports/Transmission
Quarterly 941s, Annual 940, and Year-end W-2s
Timekeeping solution
HR resources
Customized interfaces
New Client Conversion
The Conversions Department exists to ensure: 1) that the transition of payroll services is smooth,
efficient, and error free, 2) all year to date wages are reconciled with both tax returns and tax payments,
3) the balancing and payment of tax liabilities is properly reconciled and communicated to the client,
and 4) responsibility is established for the filing of all payroll tax returns and communicated to the client.
Procedures and checklists are followed to ensure the conversion of new clients is complete and
accurate. The Conversion Department works with the client to ensure that all the information is
received timely and is accurate and complete. The Conversion Department also works with the Client
Service Representatives to familiarize them with the specifics of the client after the first live payroll.
The Conversions Department follows specific procedures to ensure that all the client data is complete
when received. Client Set-Up Forms are completed by the Sales Department in conjunction with the
client to document all earnings and deduction taxability, tax agencies, filing frequencies, tax rates and
any other special needs the client may have.
Checklists and standard procedures are in place to review the accuracy of the data and balance key
amounts, such as wages and tax amounts to the information provided by the client. All year-to-date
payroll information must be balanced successfully prior to any payrolls being processed. A key control is
a second person review of all the manually entered or imported data to ensure accuracy. The company
setup and employee demographics are audited by the Client Service Department. The tax information is
audited by the Tax Department. The billing services and bank accounts are audited by the Accounting
Department. In addition, clients are required to sign a Bank Credit Reference Form authorizing their
bank to release to PayData credit information about the client’s account including credit lines, and
payment history, which is reviewed by the Accounting Department to evaluate the new client’s credit
risk in relation to the services they have requested, such as direct deposit. All aspects of the new client
setup are verified by someone other than the person entering the data into the payroll software, and
primarily someone from a separate department to enhance the segregation of duties.
Once the review and verification process is completed, the Conversions Department performs the first
payroll run for the new client and then communicates client information to the assigned Client Service
Representative. For remote entry clients, the Conversion Department works with the client to schedule
the setup and training on Evolution and assist them with their first live payroll.
Payroll Processing
The Client Services Department consists of a dedicated team of Client Service Representatives to assist
clients with their payroll. The Client Service Representatives are responsible for supporting clients,
which includes keying payroll data, assisting remote clients, balancing and submitting payrolls for
processing. They ensure that each and every payroll is processed according to the schedule with the
highest degree of accuracy and that the data is received from authorized sources.
Procedures have been implemented to ensure that payroll processing is scheduled and performed
appropriately and deviations from the schedule are identified and resolved. Each Client Service
Representative receives a list of their assigned scheduled payrolls, Scheduling Report, for the following
week on Friday morning. The payrolls are marked off as processed, and clients are called as a courtesy, if
the Client Service Representative has time, when the data has not been received by 1:00 PM on the scheduled date.
During the end of day procedures, the Client Service Representatives review the Payrolls Not Called In
Report and notate the reason for the client not processing on the scheduled date and provide the report
to the Client Services Manager for review. Every afternoon a Waiting Payrolls Report is reviewed by the
Client Service Representatives to confirm that all payrolls that have been started are also added to the
processing queue and given to the Team Leader for review.
PayData has a strict cut-off policy for payroll processing: all payrolls due to be processed the same day
have to be submitted by 1:00 PM. Payroll data received after 3:00 PM will not be processed until the
next day unless authorized by a manager. The 3pm List is created which includes all payrolls received
which have not been submitted to the queue by that time. Only those payrolls already in the queue,
reflected on the Waiting Payroll Report or on the 3pm List are processed that day; the rest are held until
the next day.
Clients can submit their payroll data by one of several methods: Fax, Email, Esheet, TimeClock Import or
Remote Input.
Fax Input
Client Service Representatives input payroll data faxed from the clients. These clients are provided an
Input Worksheet report with each payroll. The report lists the active employees, their rates (unless
masking has been requested) and columns to record hours for typical earnings and amounts for
special deductions. The client records the payroll on the provided worksheets and sends them to PayData for
processing. The Client Service Representatives review the faxed pages received from the client for
legibility and make note of any questionable items. The Client Service Representatives then contact the
client to resolve any of the noted items.
In addition, the Client Service Representatives verify the client submission against the payroll processing
schedule. If a change in client contact occurs, the client must provide written approval of the new contact
and, if needed, specify the security limitations or access for the new contact. This ensures that payroll
information flows only between the Client Service Representative and an authorized client contact.
After any issues are resolved, the payroll data is manually entered by the Client Service Representatives.
After the input is complete, the Client Service Representatives compare the batch totals to the totals
provided by the client on their cover sheet or worksheet. If the client does not provide control totals,
the Client Service Representatives calculate the totals for hours, earnings and deductions from the
submitted worksheet and compare them to the batch totals provided by the software. All submitted data
must agree with the entered data before the payroll can be processed.
Email/Esheet/TimeClock Import
The client submits email, Esheet and TimeClock payroll data by email and the Client Service
Representatives verify the sender’s email address as well as the timing of the submission with the
payroll processing schedule. If a change in client contact occurs, the client must provide written
approval of the new contact and, if needed, specify the security limitations or access for the new
contact. This allows for the proper flow of information between the Client Service Representative and
the client.
Esheet
Esheet clients submit their payroll data in a preformatted Excel spreadsheet generated by Evolution,
called an Esheet. With every processed payroll, PayData provides the client an Esheet containing current
payroll data so the client can enter the next payroll directly into it. The Esheet lists
all current employees and their pay rates and has columns for the client to enter hours, deductions, salary amounts
and bonuses. Once completed by the client, the Esheet is submitted directly to the Client Service
Representative via email. Upon receipt of the Esheet, the Client Service Representative reviews the data
for questionable items and contacts the client to resolve any noted items. The data is then imported into
Evolution and verified for accuracy. The Esheet totals and the Evolution on-screen batch totals must
agree before the payroll is submitted. Any differences are researched and resolved prior to processing.
Email
Some clients will send the employee information regarding hours, payments and other payroll data by
email. The Client Service Representatives review the emailed data received from the client and make
note of any questionable items. The client is contacted by the Client Service Representative to resolve
any of the noted items. After all issues are resolved, the payroll data is manually entered by the Client
Service Representative. After the data entry is complete, the Client Service Representative compares
the Evolution on-screen batch totals to the totals provided by the client. If the client does not provide
control totals, the Client Service Representative will calculate the totals for hours and earnings and
compare to the Evolution on-screen batch totals. All submitted data must agree with the entered data
before the payroll can be processed.
TimeClock Import
Clients can also authorize the Client Service Representatives to access online timekeeping systems to
import hours on behalf of the client. Once the client notifies the Client Service Representatives that the
data in the timekeeping system is accurate and ready for download, the Client Service Representatives
will access the timekeeping system and import the hours into the payroll system. A report from the
timekeeping system is created which gives the summary of hours for the pay period. The hours from
the summary report are verified with the hours in the payroll system to confirm accuracy of the
imported data prior to processing.
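The batch-total check described for the Fax, Esheet, Email and TimeClock Import paths is the same control each time: the data keyed or imported into the payroll system must agree, in total and per employee, with what the client actually submitted. The following is an added illustration in Python, not code from PayData or the Evolution software; the comma-separated worksheet layout, the employee IDs and the figures are constructed for the example, and the client's cover-sheet totals are optional input, as the text describes.

```python
from decimal import Decimal

FIELDS = ("hours", "earnings", "deductions")

# Constructed sample of a submitted worksheet as transcribed from a fax or email:
# employee id, hours, earnings, deductions. The layout is hypothetical, not
# PayData's Input Worksheet format.
SUBMITTED = """\
E001,40.00,1200.00,50.00
E002,32.50,812.50,0.00
E003,40.00,2400.00,125.00
"""

# What was keyed into the payroll batch (constructed): E002 hours mis-keyed as 35.20.
ENTERED = """\
E001,40.00,1200.00,50.00
E002,35.20,812.50,0.00
E003,40.00,2400.00,125.00
"""

# Control totals as a client might write them on the cover sheet (constructed).
COVER_SHEET_TOTALS = {
    "hours": Decimal("112.50"),
    "earnings": Decimal("4412.50"),
    "deductions": Decimal("175.00"),
}


def parse_rows(text):
    """Parse worksheet lines into {employee: {field: Decimal}}; reject malformed or duplicate rows."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        emp, *values = (p.strip() for p in line.split(","))
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed row: {line!r}")
        if emp in rows:
            raise ValueError(f"employee {emp} listed twice")
        rows[emp] = {f: Decimal(v) for f, v in zip(FIELDS, values)}
    return rows


def control_totals(rows):
    """Sum each field across all employees, using Decimal so cents are exact."""
    totals = {f: Decimal("0.00") for f in FIELDS}
    for r in rows.values():
        for f in FIELDS:
            totals[f] += r[f]
    return totals


def reconcile(submitted_text, entered_text, client_totals=None):
    """Compare the keyed batch with what the client submitted.

    Returns a list of discrepancies; an empty list means the batch may be
    released. If the client supplied control totals they are the expected
    values; otherwise the totals are computed from the submitted worksheet,
    as the Client Service Representative would do by hand.
    """
    submitted = parse_rows(submitted_text)
    entered = parse_rows(entered_text)
    expected = dict(client_totals) if client_totals else control_totals(submitted)
    actual = control_totals(entered)
    issues = []
    for f in FIELDS:
        if expected[f] != actual[f]:
            issues.append(("total", f, expected[f], actual[f]))
    # Drill down per employee so the representative knows which line to re-check.
    for emp in sorted(set(submitted) | set(entered)):
        s, e = submitted.get(emp), entered.get(emp)
        if s is None:
            issues.append(("extra", emp))        # keyed but not on the worksheet
            continue
        if e is None:
            issues.append(("missing", emp))      # on the worksheet but not keyed
            continue
        for f in FIELDS:
            if s[f] != e[f]:
                issues.append(("employee", emp, f, s[f], e[f]))
    return issues


if __name__ == "__main__":
    for issue in reconcile(SUBMITTED, ENTERED, COVER_SHEET_TOTALS):
        print(issue)
```

The total-level comparison is what the cover-sheet check gives you; the per-employee pass is what turns "hours are off by 2.70" into "E002 was keyed as 35.20". The same shape of check covers the TimeClock path if the summary report is parsed as the submitted side with hours as the only field.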
Remote Input
Clients can also elect to use the remote input option, in which they log into PayData's payroll
software through the Remote Access Server (RAS) using a unique user ID and password. PayData
administers the client's unique user ID and security access.
Once the client has authenticated with the user ID and password, the client enters company data,
employee information and payroll data into Evolution. Under this option the client is responsible for
the accuracy of the payroll data entered in the payroll software. The client is encouraged to run a Pre-Processing Payroll Register Report to verify the payroll data prior to submitting the payroll to PayData
for processing. PayData assumes no responsibility for the accuracy of the payroll data for remote clients,
as it processes the data as entered by the client.
All Clients
Payrolls other than regular payrolls, such as supplemental payrolls, client corrections or service bureau
correction runs must be approved by management prior to processing. The Evolution software, through
security features, requires these types of payrolls to appear on a queue which requires management
approval in order to be processed.
During payroll processing, the Evolution software calculates gross wages, taxable wages, employee and
employer taxes, voluntary deductions and net pay. Checks, direct deposit vouchers and reports are
created during the payroll process. The Evolution software detects items that are not set up
properly, such as employee state data, and creates a log of these items. If corrections are
needed, the Client Service Representative makes them before completing the
processing.
Payroll Distribution
The Processing Department is responsible for the distribution of each payroll. Procedures have been
established for the production and distribution of payroll checks and reports. These procedures ensure
that the checks and reports are produced and distributed completely, accurately and in accordance with
client specifications.
Checks and vouchers are printed on blank check stock that is specifically designed and printed with
industry standard security protection. Some of the security features include an artificial watermark on
the back of the check that can only be viewed at an angle to protect the document from scanner
duplication and a micro-printed border that becomes distorted when duplicated.
Each client receives a report package for each processed payroll based on their initial conversion setup.
Some of the standard reports available are:
1. Delivery Label
2. Cover Letter
3. Payroll Register
4. Check Reconciliation
5. Payroll Tax Report
6. Input Worksheet
Clients can elect a paperless payroll option in which they receive payroll reports and check stubs
electronically. They may also choose to receive reports electronically but have checks/vouchers
available for delivery or pick-up. If the client elects to receive the payroll reports electronically, the
transmission is handled by the Evolution software and the reports are sent automatically via
email when the payroll is processed. PayData configures Evolution for the electronic delivery of a client's
payroll reports during the new client implementation process or at the client's request. The client
specifies the email addresses to which the information is sent. Only direct deposit vouchers are sent
electronically; all live checks are printed. To enhance security, confidential information
such as Social Security Numbers and bank account numbers is masked and not included on the electronic
version of the reports. If the client wishes, the reports can be sent in PDF format. Regardless of which
option the client chooses, the reports are password protected.
For those clients preferring physical reports, the reports and checks are printed once the payroll has
been processed. Delivery instructions print as each payroll processes. All checks are counted and the
count is compared to the total checks on the Payroll Cover Letter report. The payroll is then packaged according to
instructions from the client and made ready for distribution via pick-up, mail, Federal Express or courier
service. A Security Seal sticker is applied to the package when complete. The Processing Department is
also responsible for confirming that outside delivery services have retrieved all packages and for
communicating special delivery instructions and tracking of packages. Payrolls that have been processed but
not delivered by the end of the day are stored in a secure location. Clients sign for payrolls delivered
via courier or Federal Express and for payrolls picked up from PayData's office.
Tax Payments and Compliance
PayData has a full service tax-filing department that generates agency approved federal, state and local
tax returns and payments. Formalized procedures are followed to ensure the appropriate tax filings are
complete, accurate and timely. Payments for Federal, State and Local taxes are remitted electronically
for many agencies supporting electronic funds transfer. Checklists are prepared by tax type and client
and utilized to ensure that all monthly, quarterly and annual tax returns are filed, even if no payments
were made. In addition, the Tax Specialists keep a spreadsheet of clients who require zero returns to be
filed. The following reports are created by the tax staff to manage the tax payments and returns:
Due Date Report (Federal, State and Local): generated each day for tax liabilities that are
due within a specified date range corresponding to the current day's federal deposit
period. In addition, a separate 100k Due Date Report is run to ensure that all accelerated
deposits are accounted for. The Tax Specialist completes a Deposit Check List that
summarizes the various payment methods and reconciles any differences, such as clients
that are on hold or negative payment amounts that are included on the Due Date Report
but are not remitted to the taxing agency.
The report is utilized to select clients to include in the EFTPS file and submitted
electronically. The Tax Specialist will compare the totals of the EFTPS file with the Due Date
Report to ensure that the file is complete and accurate. The Tax Specialist will use the EFTPS
software to confirm the receipt of the submitted payments and then export that data and
import it into Evolution to update the database and indicate the payments were made. The
next day, the EFTPS software is reviewed to confirm that the funds submitted the previous
day settled.
The report is also utilized to select clients to generate an ACH file or checks to send to the
appropriate taxing agency for state and local taxes. The Tax Specialist will print the checks
and then compare each check to the Due Date Report to ensure that all the required tax
payments have been submitted. The amounts on the tax checks and the return or coupon
are verified and then packaged and mailed to the appropriate taxing agency. This report
also reflects the taxes which need to be paid electronically to the state and local agencies.
The totals for the ACH file created for the electronic payments are compared to the Due
Date Report to ensure that all payments are timely and correctly paid.
Balancing Report (weekly): shows the difference between the taxes calculated and the taxes collected
for each client; any differences are researched and resolved by the Tax Manager as
necessary.
The above reports are reviewed by the Tax Specialist and appropriate action taken according to the data
on the reports. The Deposit Check List with backup documentation is given to the Tax Manager daily for
audit of the daily tax payments.
The quarterly and annual return process has several phases to ensure the accuracy, completeness and
timeliness of the returns using the following procedures:
A master quarterly control is created to ensure all quarterly processes are completed.
Checklists are prepared by tax type and client. The lists are utilized to ensure that all monthly,
quarterly and annual tax returns are filed, even if no payments were made.
Quarterly, all companies are subjected to a "preprocess" function, which tests all tax liabilities
against calculated taxes for the quarter. A payroll is automatically created in the system to
correct any discrepancies, such as over/under collection of state unemployment
insurance (SUI) resulting from a rate change, or Vermont Health Care Assessments due
quarterly.
Quarterly and annual returns are created and are subjected to a review process to ensure the
accuracy of the returns.
Delivery envelopes are created for each taxing agency and the returns sent to the taxing agency
are compared to checklist to ensure all returns are properly submitted. For returns sent
electronically, the clients contained in the file are also compared to the checklist.
PayData contracts the maintenance of the Evolution source code and tax tables to iSystems; however,
updates to the source code or tax tables are reviewed prior to implementation (see the Software Change
Management section). PayData maintains membership in a payroll industry trade association that keeps
its members up to date on tax-related issues. PayData notifies iSystems of any changes received from
external sources that are not reflected in the documentation sent with the latest software update. In
addition, PayData uses BNA, which provides a library of research information related to payroll and
taxation, and CCH IntelliConnect for tax research.
ACH Processing
Automated Clearing House (ACH) files are created twice a day (once on Friday): one at approximately
3pm and a second at the end of the day to capture all remaining payroll processing. The ACH
files collect billing, taxes, direct deposit and net check\trust account funds (as applicable based on
service offering) from each client that has processed that day. PayData and its clients contract with
Cachet Banq, Inc. (Cachet Banq) to prepare and transmit the ACH entries, subject to
the National Automated Clearing House Association (NACHA) rules.
During the new client implementation process, all clients must sign an Employer Electronic Debit
Agreement which authorizes PayData to electronically debit the client’s bank account(s) for payroll
transactions. PayData has also designed an Employee Direct Deposit Authorization form for the use of
its clients’ employees. The form gives authorization for the deposit of credit transactions to accounts
listed on the form. It also gives permission to withdraw any credits mistakenly sent by debiting the same
account. Clients are advised to retain copies of these forms in the employee's personnel file and to fax or
email copies to PayData. Clients are instructed to obtain a voided check from each employee to verify the
transit (routing) and account number of the account receiving the payroll funds. Remote Input
clients are trained in the proper setup of direct deposit accounts.
The Processing Department uses the Cash Management module in Evolution to generate the ACH file,
selecting all companies reflected on the queue at the time of ACH creation. The Processing
Department logs into Cachet Banq's secure website using a unique user ID and password to upload the
ACH file. The website displays a confirmation page with control totals, which the Processing Department
verifies against the detailed ACH Transaction Report. Once all procedures for submitting an ACH file to
Cachet Banq are completed, the Processing Department logs the ACH file and its totals in the ACH Total
Excel file. Once Cachet Banq has processed the file, it sends an email confirmation to PayData, which the
Vice President of Operations reviews for verification and documents in the ACH Total Excel file. Cachet
Banq then warehouses the entries and sends the NACHA transmission to the appropriate banks on the
clients' behalf.
Cachet Banq also generates a daily Returns and Notifications of Change report, which is accessed
through Cachet Banq's secure website daily. Pre-note direct deposit changes are distributed to the
assigned Client Service Representatives, who contact the client and correct the information. The Client
Service Representatives also contact the client if any employee monies are returned; returns may be
caused by an employee closing an account without notifying the payroll contact, or by invalid routing
or account numbers. A member of the Accounting Department contacts the client when a notification
of a return due to insufficient funds is received. Depending on the dollar amount of the return, the
debit is either resubmitted or the client is instructed to wire the funds. The tax liabilities are marked NSF
until PayData has received the funds.
Finance and Administration
All payroll transaction funds are collected via Automated Clearing House (ACH). Separate withdrawals
are sent to collect billing, tax, direct deposit and netcheck\trust funds from the client. Billing
transactions post to PayData's operating account. The direct deposit funds are maintained in an account
held by Cachet Banq and the entire reconciliation process for that account is performed by Cachet Banq;
PayData does not have control of those funds.
The Daily Funds Reconciliation Report is run automatically each night and reviewed the next
morning by the Accounting Manager for any exceptions from the previous day's payroll processing and
ACH files. The report compares the payroll amounts transmitted in the previous day's banking file
to the transactions posted in the bank account register for each client; any exceptions are reviewed for
appropriateness and resolved in a timely manner. Transactions for the ACH account are reconciled by
Cachet Banq.
For clients that choose to be a full service tax client, funds are impounded for taxes withheld and
employer taxes collected each pay period and are held in escrow in a separate tax account until they are
due. Transactions are downloaded daily from the bank and imported into Evolution to facilitate the
reconciliation process. An exception report is printed showing any discrepancy and researched. Any
items not automatically cleared are matched up manually or by manual entry.
Another option for clients is the netcheck\trust account service. Clients who use this service are
debited for the full amount of net payroll and the individual net payroll checks are then drawn on
PayData's trust account. The NetCheck\Trust account is a separate Positive Pay bank account.
Transactions are downloaded daily from the bank and imported into Evolution to facilitate the
reconciliation process.
At the end of each day the Processing Department creates a Positive Pay file containing payee, amount,
serial number and check date and uploads this file to the bank. Each item presented on the
trust account is validated by the bank against the daily Positive Pay files. PayData is notified of any
exceptions, at which time it can approve or deny the item.
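The value of Positive Pay is on the bank's side of the upload: every item presented on the trust account is matched against the issue file, and anything that does not match is held for PayData to approve or deny. The following Python is an added illustration of that matching, not code from PayData, Evolution or the bank; the comma-separated file layout, serial numbers, payees and amounts are constructed for the example, and the "duplicate presentment" check is an assumption about what a practitioner would want rather than something the description states.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class CheckItem:
    serial: str
    amount: Decimal
    payee: str
    check_date: date


def parse_items(text):
    """Parse the hypothetical layout used here: serial,amount,payee,check_date (ISO).

    Anything after '#' on a line is a comment. Payees are upper-cased so that
    case alone never causes an exception.
    """
    items = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        serial, amount, payee, check_date = (p.strip() for p in line.split(","))
        items.append(CheckItem(serial, Decimal(amount), payee.upper(),
                               date.fromisoformat(check_date)))
    return items


def build_issue_register(issue_files):
    """Merge the daily issue files into a register keyed by serial number.

    A serial number that appears twice across the files is a data error on the
    issuing side and is rejected rather than silently overwritten.
    """
    register = {}
    for text in issue_files:
        for item in parse_items(text):
            if item.serial in register:
                raise ValueError(f"serial {item.serial} issued twice")
            register[item.serial] = item
    return register


def match_presented(register, presented, already_paid=()):
    """Split presented items into those that pay automatically and exceptions.

    Exceptions are (serial, reason) pairs for the approve/deny decision.
    """
    paid = set(already_paid)
    auto_pay, exceptions = [], []
    for p in presented:
        issued = register.get(p.serial)
        if issued is None:
            exceptions.append((p.serial, "not issued"))
            continue
        if p.serial in paid:
            exceptions.append((p.serial, "duplicate presentment"))
            continue
        if p.amount != issued.amount:
            exceptions.append((p.serial, f"amount {p.amount} != issued {issued.amount}"))
            continue
        if p.payee != issued.payee:
            exceptions.append((p.serial, f"payee {p.payee!r} != issued {issued.payee!r}"))
            continue
        if p.check_date != issued.check_date:
            exceptions.append((p.serial, "check date mismatch"))
            continue
        paid.add(p.serial)
        auto_pay.append(p.serial)
    return auto_pay, exceptions


# Constructed daily issue files (two days' uploads).
ISSUE_FILE_DAY1 = """\
# serial,amount,payee,check_date
10001,1234.56,Jane Doe,2012-03-02
10002,842.10,John Roe,2012-03-02
"""
ISSUE_FILE_DAY2 = """\
10003,2500.00,Acme Supply,2012-03-05
"""

# Constructed items presented to the bank against the trust account.
PRESENTED = """\
10001,1234.56,JANE DOE,2012-03-02
10002,8421.00,John Roe,2012-03-02        # amount altered
10003,2500.00,Acme Suply LLC,2012-03-05  # payee altered
10004,300.00,Jane Doe,2012-03-05         # never issued
10001,1234.56,Jane Doe,2012-03-02        # presented a second time
"""

if __name__ == "__main__":
    register = build_issue_register([ISSUE_FILE_DAY1, ISSUE_FILE_DAY2])
    pay, exc = match_presented(register, parse_items(PRESENTED))
    print("auto-pay:", pay)
    for serial, reason in exc:
        print("exception:", serial, reason)
```

Matching on serial and amount alone catches counterfeit and altered-amount items; matching payee as well (payee Positive Pay) is what catches an altered payee line on an otherwise genuine check, which is why the example compares all four fields in the file.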
Formalized procedures are used to reconcile the bank accounts. All bank accounts are reconciled to the
bank balance monthly by the Accounting Manager. Various audits are performed to validate that all tax,
billing and client funds have been collected and paid accurately. The Vice President of Operations
reviews the bank reconciliations tie-outs on a monthly basis. In addition, the Accounting Manager
reconciles the total tax liabilities in Evolution to the tax impound bank account balance on a monthly
basis.
Information Technology and Systems Security
PayData provides technological solutions to its clients and understands the critical and sensitive nature
of the data transmitted on a daily basis. Physical access to computer equipment and storage media is
restricted to properly authorized individuals. Current technology is employed to ensure that data is
secure and that appropriate access to information is given only to authorized users. Access to the
Evolution payroll software is restricted based on job function. iSystems’ IT Department implements the
Evolution updates, but the process is coordinated by the Vice President of Operations. The network and
operating system updates are also outsourced to iSystems’ IT Department which functions as PayData’s
IT Department. The President and Vice President of Operations oversee the services provided by
iSystems’ IT Department. Procedures are in place to review, test, approve and properly implement the
software vendor supplied changes to existing software.
PayData is a payroll service bureau. As such, the critical computer related tasks consist of the following:
collecting and processing client company payroll data
creating electronic banking transactions to:
collect funds from client company accounts
make direct deposit payments into client employee accounts
make payments to federal, state and local tax collection agencies
make payments to designated third parties, including PayData
print checks and direct deposit vouchers
print and/or email reports
Description of IT Outsource Agreement
PayData does not maintain a full-time IT employee. iSystems provides the following services either on-site or remotely: Network and System Management, Desktop Support, Virus Protection Service, Patch
Monitoring and Distribution, Terminal Services, Email Security Services and Firewall Maintenance and
Monitoring.
The President and Vice President of Operations are very active in monitoring activities related to
information technology. The President, Vice President of Operations and iSystems' IT Department
provide appropriate resources and controls to meet the needs of PayData. They assess the needs of
each department and user to plan the hardware and software each area needs to complete its
required duties efficiently. Resources are planned, allocated and implemented as needed. The Vice
President of Operations has primary responsibility for implementing the plans.
Description of Computerized Information Systems
PayData's processing network is comprised of three Windows 2003 servers and two CentOS Linux database
servers. The servers are IBM Blade model HS22 (three application and one database) and a Dell R710 (on-site
data replication). PayData's infrastructure is supported by a Sonicwall NSA 4500 firewall and two Catalyst 3560
switches.
As noted previously, Evolution is the payroll software used by PayData. The Evolution application resides
on a Firebird database server running on the Linux operating system. Firebird is an open source
Relational Database Management System (RDBMS) that offers most of the ANSI SQL standard suite of
functions. The status of the application server and database is monitored in real time to ensure
availability and the integrity of customer information. iSystems' IT Department monitors network system
performance, reviews security reports, logs problems and resolves processing interruptions on a daily
basis.
An Intrusion Prevention System is in place that blocks an intruder's access or, depending on the type of
intrusion, writes a warning to the logs, which are reviewed by the IT Department. In addition, the stateful
inspection Sonicwall NSA 4500 firewall is used in conjunction with Windows 2008 domain controllers to
block intruder access. The detection definitions are updated at least weekly, or sooner when new
definitions become available. The firewall is configured to deny any network connection
that is not explicitly authorized by a firewall rule (default deny). Network address translation (NAT) is
enabled on the firewall to translate internal IP addresses. Inbound Internet traffic terminates at a host in
the demilitarized zone (DMZ), which is separate from the production network, to further limit exposure to
outside attack. Remote connections to the production network are secured via encrypted virtual private
network (VPN) connections, and only a limited set of user accounts has such access, based on business need.
Administrative access to the firewall is restricted to iSystems IT Department personnel.
General Computer Controls
Building and Office Access
PayData’s offices are located in a stand-alone brick building shared with iSystems. The office building is
divided into two separate office suites with a common area; one suite is dedicated and secured to
PayData and the other to iSystems. The entire building is protected by key locks, an alarm system and
Paxton Access Limited Net2 Access Control card readers on all exterior entrances. Physical keys are only
provided to Senior Management and building maintenance personnel. Entrance to the building and
PayData’s suite by staff members is controlled by the Net2 Access Cards. PayData’s staff members are
only granted access to the PayData suite and most staff are further restricted to business hours during
weekdays. The level of building access granted to the staff member is based on business needs. When
an employee is terminated the Net2 Access card is retrieved and the Net2 Access control system is
updated to reflect that the card is no longer valid and the access level permissions are removed. The
Vice President of Operations is responsible for assigning and terminating the Net2 Access cards to the
employees. The Net2 Access Control system tracks events which can be reviewed to monitor building
access.
The main entrance to the office suite is designed with two doors with the outer door opening to a
vestibule. The outer door is protected by a key lock and an electronic lock system with a Net2 Access
Control card reader. After normal working hours the outer door is locked. The inner office door is
protected by an electronic lock and is locked at all times. Visitors ring a door bell and are screened by
PayData personnel. All visitors are logged in and out on a visitor log and are given a visitor badge. In
addition, the visitors are escorted by PayData’s personnel during their visit. The office space is divided
into several functional areas; lobby, operations, finance, tax, processing, management offices, training
rooms, staff break room, storage room and the server room. The Processing Room is kept locked and
secured by a five-digit heavy-duty mechanical keypad lock. Only Senior Management and Processing
Department personnel have access to the Processing Room. All check printing equipment, check stock
and MICR toners are stored in this room.
Physical Access and Environmental Protection of Server Room
The office suites are protected by an electronic security system with each suite having its own alarm
code. Life Safety \ Home Security has been contracted to monitor any alarms notifications and
communicate directly with the Colchester Police Department and Colchester Fire Department as
necessary. Senior Management is also notified by the alarm company.
The computer system is located in a restricted area. The door to the server room has a five-digit heavy
duty mechanical keypad lock and only authorized personnel have access.
The server room is protected by the following environmental control systems:
Raised flooring
Water sensor monitoring device with emergency electrical shut-off
Emergency electrical shut-off switches
Fire and smoke detection devices, after hours off-site monitoring
DuPont FE-36 hand-held fire extinguisher
Temperature control device with two dedicated Liebert air conditioners and two
portable air conditioners for redundancy
Temperature monitoring devices with remote notification and auto shutdown
Uninterruptible Power Supply (UPS) (battery backup)
The UPS is an APC battery backup system. In the event of an electrical failure, the battery-powered supply provides approximately 10 minutes of power, which allows adequate
time for the computer systems to be shut down to protect against loss of data. In the event of
excessive temperatures, the monitoring device automatically contacts IT personnel by email and
is also configured to shut down the computer systems if the temperature exceeds 90 degrees.
Logical Access
Access to resources and data is granted to individuals based on their job responsibilities. An approved
request is required for a new user or a change to an existing user's access. iSystems' IT Department
personnel serve as the network security administrators and are responsible for ensuring adherence to
the IT Policy, which addresses logical access control procedures. User accounts and access rights are
managed using Active Directory on the Primary Domain Controller, which employs the Internet-standard
Kerberos network authentication protocol to authenticate both the client and the network (mutual
authentication) and protect against unauthorized users impersonating a server to enter the network.
Unique user IDs and passwords are assigned to each individual user. Password rules are established
according to PayData’s IT Policy. Passwords require at least five characters and are systematically
required to be changed at least every 90 days with the previous six passwords not allowed to be reused.
The network administrator sets the user’s initial password and upon initial login, the user is required to
change their password. User accounts are locked out after five failed login attempts for 30 minutes.
Individual access capabilities are removed immediately upon the IT Department being notified of the
termination of employment or change of responsibilities. System security access levels are reviewed
annually by the Management Team to ensure individual access rights are appropriate based on job
information.
In Evolution, each user ID can be set up with specific permissions to limit a user’s access to only the
windows, buttons, functions and data that they need to perform their job. Before displaying any
window, Evolution checks the access rights of the user. In addition, Evolution tracks the history of the
changes made to most data fields. This history allows a review of who made changes to the data and
when they were made. Finally, Evolution stores all security information in protected files in the main
database instead of in the application or on the user's workstation. The Conversion Department and the
Vice President of Operations manage the security administration for the Remote Evolution users.
PAYDATA PAYROLL SERVICES, INC.
October 1, 2011 to September 30, 2012
SECTION III. DESCRIPTION OF SYSTEM PROVIDED BY PAYDATA
The Evolution software maintains a client database. The database is only accessible through the
software application and is protected from unauthorized access. Evolution uses Firebird, an open-source
relational DB engine, as its database back end. The design of Evolution is such that the client
software never communicates directly with the database server. In addition, Evolution uses a custom
SQL parser to limit user access to protected information. This information includes pay rates, salary
amounts, clients, companies, divisions, branches, departments, teams, etc. Passwords within the
Evolution system must be a minimum of six characters, must meet complexity requirements and are required
to be changed every 90 days.
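The password and lockout rules stated above (five-character minimum, 90-day change, six-password history, five failed attempts locking the account for 30 minutes, and a forced change after the administrator sets the initial password) are shown below as an added executable model. This is example code written for this page, not PayData’s, iSystems’ or Evolution’s code. The Evolution policy object reuses the network history and lockout values because the page does not state them, and the complexity rule (three of four character classes) is an assumed definition, since the page only says "complexity requirements".

```python
"""Model of the documented password and lockout rules (added example; not PayData's or iSystems' code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int          # minimum password length
    max_age_days: int        # forced change interval
    history_size: int        # most recent passwords that may not be reused (current one included)
    lockout_threshold: int   # failed logins before the account locks
    lockout_minutes: int     # how long the lock lasts
    require_complexity: bool = False


# Network domain rules as stated in the IT Policy description.
NETWORK_POLICY = PasswordPolicy(min_length=5, max_age_days=90, history_size=6,
                                lockout_threshold=5, lockout_minutes=30)
# Evolution rules: six characters, complexity, 90-day change. The page does not state
# Evolution's history or lockout values; reusing the network values here is an assumption.
EVOLUTION_POLICY = PasswordPolicy(min_length=6, max_age_days=90, history_size=6,
                                  lockout_threshold=5, lockout_minutes=30, require_complexity=True)


def _digest(password: str) -> str:
    # Demonstration only: a production directory stores salted, slow hashes, never plain SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str) -> bool:
    """Assumed complexity rule (the page does not define one): at least three of four character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


def validate_new_password(policy: PasswordPolicy, candidate: str, recent_hashes: List[str]) -> Optional[str]:
    """Return a rejection reason, or None if the candidate satisfies the policy."""
    if len(candidate) < policy.min_length:
        return f"too short: minimum {policy.min_length} characters"
    if policy.require_complexity and not meets_complexity(candidate):
        return "does not meet complexity requirements"
    if _digest(candidate) in recent_hashes[:policy.history_size]:
        return f"reuses one of the last {policy.history_size} passwords"
    return None


@dataclass
class UserAccount:
    policy: PasswordPolicy
    history: List[str] = field(default_factory=list)  # most recent hash first; history[0] is current
    password_set_at: Optional[datetime] = None
    must_change: bool = False        # set when the administrator assigns the initial password
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    @classmethod
    def create(cls, policy: PasswordPolicy, initial_password: str, now: datetime) -> "UserAccount":
        """Administrator creates the account; the user must change the password at first login."""
        acct = cls(policy=policy)
        reason = acct.set_password(initial_password, now)
        if reason:
            raise ValueError(reason)
        acct.must_change = True
        return acct

    def set_password(self, new_password: str, now: datetime) -> Optional[str]:
        reason = validate_new_password(self.policy, new_password, self.history)
        if reason:
            return reason
        self.history.insert(0, _digest(new_password))
        del self.history[self.policy.history_size:]   # keep only the last N hashes
        self.password_set_at = now
        self.must_change = False
        return None

    def authenticate(self, password: str, now: datetime) -> str:
        """Return one of: locked, bad_password, must_change, expired, ok."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"               # even a correct password is refused while locked
        if not self.history or _digest(password) != self.history[0]:
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy.lockout_threshold:
                self.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
                self.failed_attempts = 0
            return "bad_password"
        self.failed_attempts = 0
        self.locked_until = None
        if self.must_change:
            return "must_change"
        if now - self.password_set_at > timedelta(days=self.policy.max_age_days):
            return "expired"
        return "ok"
```

The lockout check runs before the password comparison, so a correct password submitted during the 30-minute window is still refused and does not reset the window; that ordering is what makes the control effective against guessing.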
Software Change Management
The Management Team receives emails from iSystems notifying them that an update has been released
and review the notes posted on iSystems’ support website describing the details of the application
update or system database update for the tax tables. The Vice President of Operations is responsible for
coordinating the Evolution software changes and will email an approval to the iSystems’ IT Department
to implement the update.
Once the iSystems’ IT Department receives an approval from the Vice President of Operations, the
update is scheduled to be installed after business hours. Backups of files
are verified prior to installing updates to software packages. The iSystems’ IT Department personnel
send the Vice President of Operations an email upon the successful implementation of the update.
The President and Vice President of Operations are responsible for authorizing the implementation of all
Windows and Linux operating system changes and patches, which has been outsourced to iSystems’ IT
Department. Upon receipt of notification of the updates, Management coordinates with the iSystems’
IT Department personnel regarding the changes included in the update. Once the implementation of
the updates or patches is approved based on the recommendations from iSystems’ IT Department
personnel, the update is installed. If there are any concerns about the potential impact of the system
update, it will initially be installed on a local workstation and tested prior to installing on the servers.
Backups of files are made prior to installing updates to the operating systems.
Information Safeguards
From October 1, 2011 until June 14, 2012, PayData utilized two backup processes performed daily
and/or in real-time to ensure data is retained and backed-up. The first process is a backup and archive,
with the backup ultimately on physical tapes stored off-site. The Evolution system and client database
backups begin with a local backup to separate folders on each DB server. This step of the procedure
transforms raw databases into transportable backup files. Next, the backup server (ArcServe) copies the
transportable backups from each DB server and the file server which contains all the company and client
files, to a virtual tape library in the Colchester server room. After the virtual tape has the backup files
written to it another copy process puts those same backup files on a physical tape for the purposes of
off-site vaulting. At the end of the process, the backup files are stored on each DB server, a virtual disk
tape library and also on a physical tape at the end of each business day. Physical tapes are transported
off-site daily and stored in a fireproof safe. The second process is accomplished with Evolution’s
Asynchronous Data Replication (ADR), provided by iSystems, to continuously replicate the system and
client databases to servers at an off-site location provided by iSystems. The replication process is nearly
instantaneous and occurs every time a file on the database has been changed.
As of June 15, 2012 the backup processes were upgraded with the addition of two Symantec Backup
Exec 3600 appliances, one local and one off-site. The Symantec Backup Exec 3600 Appliances replaced
the virtual tape library and physical tape media. The Symantec Backup Exec 3600 Appliances have 5.5TB
RAID hard drives and utilize Backup Exec 2012 software. The Evolution system and client database
backups begin with a local backup to separate folders on the DB server. This step of the procedure
transforms raw databases into transportable backup files. Next, Backup Exec manages the backup
process and copies the transportable backups from the DB server and the file server which contains all
the company and client files, to the local Symantec Backup Exec 3600 appliance. After the backup has
completed, the backup files are written to an identical device located off-site in a data center for the
purposes of off-site vaulting. At the end of the process, the backup files are stored on the local DB
server, and the local and off-site Symantec Backup Exec 3600 Appliances. These automated routines are
performed nightly using an incremental methodology and a full backup is performed weekly. The second
process is accomplished with Evolution’s Hot-Site Service (ADR), provided by iSystems, to continuously
replicate databases to a backup server on-site and also to servers at an off-site data center. The
replication process is nearly instantaneous and occurs every time a file on the database has been
changed.
Virus protection software is installed and auto-updated regularly by the Symantec Endpoint Virus
Protection Software. The Symantec Endpoint AutoUpdate policy polls for new virus signatures and
program updates every four hours to ensure quick protection against newly discovered virus attacks. iSystems’
IT Department personnel regularly review the virus protection software to verify it is kept up to date.
Users are trained to not open email from unknown/foreign sources, perform downloads from the
internet that are non-business related, or install any applications or software without permission or
consent from their supervisor or management.
Computer Operations
The information systems are monitored 24x7x365 by Nagios®, which is a system and network
monitoring application. Nagios® is configured to watch hosts and services that PayData has specified,
alerting the iSystems’ IT Department personnel when things go bad and when they get better. Some of
the many features of Nagios® include:
• monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, etc.)
• monitoring of host resources (processor load, disk usage, etc.)
• simple plugin design that allows users to easily develop their own service checks
• parallelized service checks
• ability to define network host hierarchy using "parent" hosts, allowing detection of and distinction
between hosts that are down and those that are unreachable
• contact notifications when service or host problems occur and get resolved (via email, pager, or
user-defined method)
• ability to define event handlers to be run during service or host events for proactive problem
resolution
• automatic log file rotation
• support for implementing redundant monitoring hosts
• web interface for viewing current network status, notification and problem history, log file, etc.
PayData has Nagios® configured to monitor many aspects of the system, which include, but are not limited
to: CPU utilization and disk space of all servers, device (server and printer) availability, internet
connectivity, and temperature monitoring in the server room. The Nagios® software is configured to
automatically email the iSystems’ IT Department personnel in the case of any triggering event so that
potential problems are resolved in a timely manner. The iSystems’ IT Department personnel also serve as a help
desk for internal users. PayData has implemented a formal procedure for logging network and systems
related issues via a ticketing system (RT, Request Tracker). When an issue arises, the user emails the
helpdesk system and a ticket is generated. Both iSystems’ IT personnel are notified via email 24 hours a
day of any new tickets. After reviewing the issue, the iSystems’ IT personnel ascertain the priority
level of the issue and respond appropriately. Upon resolution, the ticket is closed.
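The Nagios® feature list above mentions that service checks are plugins users can write themselves, and the paragraph lists the metrics PayData monitors (disk space, device availability, internet connectivity, server-room temperature). As an added example, not PayData’s or the Nagios® project’s code, the following plugin-style checks show how such a check turns a reading into the exit code and output line Nagios® acts on: exit 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, and a status line followed by performance data after the `|` separator. The 90-degree temperature threshold is the shutdown figure from the description; the 80-degree warning level, the disk percentages and the ping latency thresholds are assumed values.

```python
"""Nagios-style service checks for the kinds of metrics the description says are monitored (added example)."""
from typing import Tuple

# Exit codes defined by the Nagios plugin API; Nagios maps them to service states.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def evaluate(value: float, warn: float, crit: float) -> int:
    """Classify a 'higher is worse' reading against warning/critical thresholds."""
    if crit <= warn:
        return UNKNOWN          # misconfigured thresholds are reported, not silently ignored
    if value >= crit:
        return CRITICAL
    if value >= warn:
        return WARNING
    return OK


def plugin_output(label: str, state: int, value: float, display_unit: str,
                  perf_uom: str, warn: float, crit: float) -> str:
    """Status line plus performance data in the 'label=value[UOM];warn;crit' form that Nagios
    passes to graphing add-ons. Only the standard UOMs (none, %, s/ms, B, c) go into perfdata."""
    return (f"{label} {STATE_NAMES[state]} - {value}{display_unit} | "
            f"{label.lower()}={value}{perf_uom};{warn};{crit}")


def check_temperature(reading_f: float, warn_f: float = 80.0, crit_f: float = 90.0) -> Tuple[int, str]:
    """Server-room temperature in Fahrenheit. 90 degrees is the shutdown point in the description;
    the 80-degree warning level is an assumed value so a climb is reported before shutdown."""
    if reading_f < -40 or reading_f > 200:
        # A sensor fault must not look like a cool room: report UNKNOWN, never OK.
        return UNKNOWN, f"TEMP UNKNOWN - implausible reading {reading_f}F (sensor fault?)"
    state = evaluate(reading_f, warn_f, crit_f)
    return state, plugin_output("TEMP", state, reading_f, "F", "", warn_f, crit_f)


def check_disk(used_bytes: int, total_bytes: int,
               warn_pct: float = 80.0, crit_pct: float = 90.0) -> Tuple[int, str]:
    """Disk usage as a percentage of capacity; the threshold percentages are assumed values."""
    if total_bytes <= 0 or used_bytes < 0 or used_bytes > total_bytes:
        return UNKNOWN, "DISK UNKNOWN - invalid usage figures"
    pct = round(100.0 * used_bytes / total_bytes, 1)
    state = evaluate(pct, warn_pct, crit_pct)
    return state, plugin_output("DISK", state, pct, "%", "%", warn_pct, crit_pct)


def check_ping(rtt_ms: float, lost_pct: float,
               warn_ms: float = 100.0, crit_ms: float = 500.0) -> Tuple[int, str]:
    """Host or internet reachability: total packet loss is CRITICAL regardless of latency."""
    if lost_pct >= 100:
        return CRITICAL, "PING CRITICAL - host unreachable (100% packet loss)"
    state = evaluate(rtt_ms, warn_ms, crit_ms)
    return state, plugin_output("PING", state, rtt_ms, "ms", "ms", warn_ms, crit_ms)


if __name__ == "__main__":
    import sys
    # Constructed sample reading; a real plugin would query the sensor or parse its output here.
    state, message = check_temperature(float(sys.argv[1]) if len(sys.argv) > 1 else 72.0)
    print(message)
    sys.exit(state)   # the exit code is what Nagios acts on (notification, event handler)
```

The auto-shutdown at 90 degrees mentioned earlier in the description is the kind of action the feature list calls an event handler: Nagios® runs it on the state change the plugin's exit code reports, so the plugin itself only measures and classifies.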
Subservice Organizations
PayData uses several subservice organizations to outsource certain functions or supplement their
services. The services provided are described below.
Evolution is the payroll software vendor utilized by PayData. The Evolution payroll software and ADR
software are supported by iSystems. PayData contracts with iSystems to provide software that
processes payroll information completely and accurately. iSystems also provides software and tax table
updates to PayData. PayData does not have access to the source code.
BNA and CCH/Intelliconnect are the payroll tax research vendors utilized by PayData. PayData has
subscribed to BNA for researching payroll and tax related issues.
Cachet Banq, Inc. (Cachet Banq) provides PayData with the processing of electronic funds transfers (EFT)
through ACH for billing, tax escrow, trust and direct deposit funds.
iSystems is a service provider that contracts with PayData for the outsourcing of PayData’s
information technology management and support. iSystems’ IT Department provides the following
services as the primary service provider. Symquest augments this and provides backup IT support, either on-site or remotely as needed, for the following areas:
• Network and System Management
• Desktop Support
• Virus Protection Service
• Patch Monitoring and Distribution
• Security Services
• Firewall maintenance and monitoring
The control objectives and related controls of iSystems, BNA, CCH/Intelliconnect, and Cachet Banq are omitted
from the description of the control environment elements. The control objectives in the report include
only objectives that PayData’s controls are intended to achieve.
Client Control Considerations
Processing of transactions for clients performed by PayData and the control policies and procedures of
PayData cover only a portion of the overall internal control structure of each client. It is not feasible for
the control objectives to be solely achieved by PayData. Therefore, each PayData client’s internal
control structure must be evaluated in conjunction with PayData’s control policies and procedures
summarized in the report.
The following list describes certain controls that clients should consider to achieve the control objectives
identified in this report. The client control considerations presented below should not be regarded as a
comprehensive list of all controls that should be employed by clients. Client management is responsible
for:
Complementary User Control Considerations
1. Ensuring that only authorized and properly trained personnel are allowed logical
access to PayData systems, fax input worksheets and coversheets.
2. Establishing proper controls over the use of user ids and passwords that are used to
access and enter payroll information on Evolution.
3. Review of the annually prepared payroll processing schedule and notifying PayData of
any changes in a timely manner.
4. The preparation of worksheets, faxes and control totals that are sent to PayData.
5. Notifying PayData of changes in the authorized contacts list.
6. Accuracy of the data entry when using remote client entry in Evolution.
7. Reviewing the Pre-Processing Payroll Register report before submitting on a timely
basis to ensure that all payroll information has been recorded completely and
accurately.
8. Reviewing the reports produced by PayData after initial account set-up. This is to
ensure that employee-level and company-level information has been initially
recorded completely and accurately.
9. Review of error messages that result from entering payroll data, addressing errors
and resolution in a timely manner.
10. Submitting payroll data in accordance with the mutually agreed upon schedule.
11. The completeness and accuracy of client-specified deductions.
12. Submitting client-specific deduction changes to PayData in a timely manner.
13. Establishing procedures to notify PayData if employees report problems with checks.
14. Signing upon receipt of payroll reports, checks and vouchers.
15. Receiving and distributing checks.
16. Reconciling bank accounts used for payroll processing on a timely basis each month.
17. Retention of payroll reports and supporting documentation for the appropriate length
of time to comply with all federal, state and local compliance agencies.
18. Submitting all relevant correspondence with tax agencies to PayData promptly.
The fact that PayData is an entity separate from its clients provides a certain amount of inherent
segregation of functions. PayData’s employees are not authorized to initiate transactions or modify
client files except through normal production procedures.
PAYDATA PAYROLL SERVICES, INC.
October 1, 2011 to September 30, 2012
SECTION IV. PAYDATA’S CONTROL OBJECTIVES AND RELATED CONTROLS AND
INFORMATION PROVIDED BY THE INDEPENDENT SERVICE AUDITOR
Purpose and Objectives of the Report
This report is intended to provide users of PayData’s activities with information about controls at
PayData that may affect the processing of user organizations’ transactions and also to provide users
with information about the controls implemented for payroll processing. This report, when combined
with an understanding and assessment of the internal controls at user organizations, is intended to
assist the user auditor in (1) planning the audit of the user’s financial statements and in (2)
understanding control risk for assertions in the user’s financial statements that may be affected by
controls at PayData. There were no significant changes to controls since the previous SSAE 16 Type II
report dated September 30, 2011.
Our examination was restricted to the control objectives and the related control procedures specified in
Section IV by PayData’s management and was not extended to procedures described elsewhere in this
report but not listed, or to procedures that may be in effect at the user organization. The examination
was conducted in accordance with the Statement on Standards for Attestation Engagements, “Reporting
on Controls at a Service Organization (SOC 1),” of the American Institute of Certified Public Accountants.
It is each user auditor’s responsibility to evaluate this information in relation to the controls in place at
each user organization. If certain complementary controls are not in place at the user organization,
PayData’s controls may not compensate for such weaknesses.
Tests of Controls
Our tests of the effectiveness of the controls included such tests as we considered necessary in the
circumstances to evaluate whether those controls, and the extent of compliance with them, were
sufficient to provide reasonable, but not absolute, assurance that the specified control objectives were
achieved during the period from October 1, 2011 to September 30, 2012. Our tests of the operational
effectiveness of controls were designed to cover a representative number of transactions throughout
the period of October 1, 2011 to September 30, 2012, for each of the controls listed in Section II, which
are designed to achieve the specific control objectives. In selecting particular tests of the operational
effectiveness of controls, we considered (a) the nature of the items being tested, (b) the types of
available evidential matter, (c) the nature of the audit objectives to be achieved, (d) the assessed level of
control risk and (e) the expected efficiency and effectiveness of the test.
Test: Corroborative Inquiry
Description: Made inquiries of appropriate personnel responsible for the performance of the control activity and corroborated responses with management.

Test: Observation
Description: Observed the application of a specific control activity.

Test: Inspection
Description: Inspected documents and reports indicating the performance of the control activity.

Test: Reperformance
Description: Reperformed the control or processing application of the control to ensure the accuracy of its operation. This includes, among other things, reperforming the agreement of control totals by independently comparing the control totals to supporting documents.
PayData’s Control Objectives and Related Controls and
Independent Service Auditor’s Tests of Controls and Results of Tests

Control Objective #1: Control activities provide reasonable assurance that senior management provides planning and oversight of the organization’s activities.

Ref # 1.1
PayData’s Control Activities: The organizational structure provides segregation of duties between operations, tax, accounting and operating systems maintenance.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that PayData’s key functions within its business operations have been segregated between personnel. No exceptions noted.
• Inspected the organization chart and job descriptions to validate the segregation of key duties. No exceptions noted.

Ref # 1.2
PayData’s Control Activities: Responsibilities over PayData’s business operations have been segregated into functional areas in order to enhance controls.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that operations have been segregated. No exceptions noted.
• Inspected the organization chart and job descriptions to validate the segregation of key functional responsibilities. No exceptions noted.
Ref # 1.3
PayData’s Control Activities: The Vice President of Operations holds weekly Department Manager meetings to review each department’s scorecard and discuss other company information.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that the Vice President of Operations meets with the Department Managers weekly to review activities and each department’s performance. No exceptions noted.
• For a selection of weeks, inspected the departmental scorecards and management meeting minutes for evidence of review. No exceptions noted.

Ref # 1.4
PayData’s Control Activities: The CEO, President and Vice President of Operations review financial statements compared to the prior year on a monthly basis. In addition, a budget is utilized and comparisons are made monthly.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that management reviews productivity, error rates, and other financial information. No exceptions noted.
• For a selection of months, inspected the management reports, financial statements and executive meeting minutes for evidence of review. No exceptions noted.

Ref # 1.5
PayData’s Control Activities: The CEO, President and Vice President of Operations review monthly production statistics, new client revenue and other performance metrics.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that management reviews productivity, error rates, and other financial information. No exceptions noted.
• For a selection of months, inspected the management reports, production statistics and management meeting minutes for evidence of review. No exceptions noted.
Ref # 1.6
PayData’s Control Activities: The CEO, President and Vice President of Operations hold monthly meetings to discuss the technology, financial and business risks.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that the officers meet monthly to discuss risks. No exceptions noted.
• For a selection of months, inspected the monthly management meeting minutes. No exceptions noted.
Control Objective #2: Control activities provide reasonable assurance that senior management provides planning and oversight of the organization’s activities.

Ref # 2.1
PayData’s Control Activities: The hiring process is formalized and documented by a checklist. All candidates for employment are interviewed by at least two members of management. Background checks are required for all new employees.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that PayData’s policy requires background checks. No exceptions noted.
• Inspected a selection of new employees’ personnel files for evidence of the hiring procedures. No exceptions noted.

Ref # 2.2
PayData’s Control Activities: The organization maintains an Employee Handbook that outlines key business practices and employee responsibilities.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that the organization has an Employee Handbook. No exceptions noted.
• Inspected the Employee Handbook. No exceptions noted.

Ref # 2.3
PayData’s Control Activities: New employees are required to sign off a form indicating they have read and understand the Employee Handbook.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that all new employees must sign a form acknowledging their understanding of the content of the Employee Handbook. No exceptions noted.
• Inspected a selection of new employees’ personnel files for evidence of the signed forms. No exceptions noted.
Ref # 2.4
PayData’s Control Activities: All employees must sign a Confidentiality Agreement prior to gaining access to client data.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that all new employees must sign a confidentiality agreement as a condition of employment. No exceptions noted.
• Inspected a selection of new employees’ personnel files for evidence of the signed forms. No exceptions noted.

Ref # 2.5
PayData’s Control Activities: Job descriptions exist for all non-managerial positions, which provide employees with management’s expectations and their responsibilities.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that job descriptions are utilized. No exceptions noted.
• Inspected the job descriptions for all non-managerial positions within the organization. No exceptions noted.

Ref # 2.6
PayData’s Control Activities: Procedure Manuals are maintained and available for use by all staff members.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that proper documentation is available to all staff members for reference and training. No exceptions noted.
• Observed the procedure manuals. No exceptions noted.

Ref # 2.7
PayData’s Control Activities: Company policy requires that a performance review be completed for all staff members on at least an annual basis.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine that annual performance reviews are performed. No exceptions noted.
• Inspected the annual review for a selection of employees. No exceptions noted.
Control Objective #3: Control activities provide reasonable assurance that physical access to computer equipment is restricted to properly authorized individuals.

Ref # 3.1
PayData’s Control Activities: Access to the office building and office suite is restricted to authorized personnel by key locks and electronic locks at all times. The main entrance is unlocked during normal working hours and opens to a vestibule; however, the inner door to the office suite is secured at all times by an electronic lock.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify the building security and limited access after normal working hours. No exceptions noted.
• Observed the office location and security access points of the building and office suite. No exceptions noted.
• Inspected the list of employees with keys and Net2 Access cards and reviewed for appropriateness. No exceptions noted.

Ref # 3.2
PayData’s Control Activities: All office suite access points are controlled by the Net2 Access card system. Most employees’ access is limited by the Net2 Access card system to the hours of 7:45AM to 5:30PM. Only limited personnel with a business need have unlimited access.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify the office suite security and limited access after normal working hours. No exceptions noted.
• Observed the office suite security access points. No exceptions noted.
• Inspected the list of employees with Net2 Access cards, reviewed for appropriateness and verified the time-based access restrictions. No exceptions noted.
Ref # 3.3
PayData’s Control Activities: A security system is utilized to restrict access by all unauthorized individuals to PayData’s office after normal business hours. A third-party security company monitors access 24x7x365.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify the office suite has an electronic alarm system and appropriate employees are given the access code. No exceptions noted.
• Observed the office suite and security system devices. No exceptions noted.

Ref # 3.4
PayData’s Control Activities: Visitors are screened and greeted in the vestibule, logged on the visitor log and escorted by PayData personnel at all times.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify access to the office suite is limited to appropriate personnel. No exceptions noted.
• Observed the office space and procedures in place to limit access. No exceptions noted.

Ref # 3.5
PayData’s Control Activities: The Processing Room is secured by a heavy duty mechanical keypad lock and access is restricted to authorized personnel.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to determine the methods for restricting access to the Processing Room. No exceptions noted.
• Observed the mechanical keypad lock device on the Processing Room door and inspected a list of employees with access for appropriateness. No exceptions noted.
Ref # 3.6
PayData’s Control Activities: The server room is secured by a heavy duty mechanical keypad lock at all times and access is restricted to authorized personnel.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to determine the methods for restricting access to the server room. No exceptions noted.
• Observed the mechanical keypad lock on the server room door and verified critical hardware is kept locked in the room. No exceptions noted.
• Inspected the list of employees with access and reviewed for appropriateness. No exceptions noted.

Ref # 3.7
PayData’s Control Activities: All keys and Net2 Access cards are retrieved and security codes are changed after the termination of an employee with access, as part of the normal out-processing procedures, and documented on a checklist.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to determine the policies for disabling terminated employees’ access. No exceptions noted.
• Inspected a selection of terminated employees and verified their access was disabled and noted the termination checklist was completed. No exceptions noted.
Control Objective #4: Control activities provide reasonable assurance that the data center and server room are adequately protected from environmental threats.

Ref # 4.1
PayData’s Control Activities: The server room is protected by the following systems:
• Raised flooring
• Water sensor monitoring device with emergency electrical shut-off
• Emergency electrical shut-off switches
• Fire and smoke detection devices, with after-hours off-site monitoring
• DuPont FE-36 hand-held fire extinguisher
• Temperature control device with two dedicated Liebert air conditioners and two portable air conditioners for redundancy
• Temperature monitoring devices with remote notification and auto shutdown
• Uninterruptible Power Supply (UPS) (battery backup)
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify environmental control devices are in place and monitored. No exceptions noted.
• Observed the environmental control devices were in place during a tour of the server room. No exceptions noted.
Ref # 4.2
PayData’s Control Activities: The UPS (battery backup) provides approximately 10 minutes of power for the servers to perform a graceful shutdown to reduce the risk of data loss.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify a UPS system is in place. No exceptions noted.
• Observed the UPS devices were in place during a tour of the server room and noted operational status. No exceptions noted.
• Inspected the configuration of the UPS management software for evidence of the automated shutdown settings. No exceptions noted.

Ref # 4.3
PayData’s Control Activities: Temperature, water and fire/smoke are monitored 24/7/365 by devices which automatically notify the IT personnel or management upon environmental failures.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify environmental control devices are in place and monitored. No exceptions noted.
• Observed the environment monitoring devices in place during a tour of the server room. No exceptions noted.
• Inspected the configuration and notification settings for the temperature monitor and reviewed for appropriateness. No exceptions noted.
Control Objective #5: Control activities provide reasonable assurance that logical access to programs and data files is restricted to properly authorized individuals.

Ref # 5.1
PayData’s Control Activities: Users are granted access to network resources, using a combination of Active Directory and application-level access (individual tabs or screens), based on their job function and responsibilities.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired of management to verify that current user access to the network and application is based on job responsibilities. No exceptions noted.
• Inspected a selection of accounts with access to the network and the application and verified the appropriateness of the assigned logical access rights. No exceptions noted.

Ref # 5.2
PayData’s Control Activities: Users’ access to the network domain and applications must be authorized by a Management Team member prior to granting access to the systems.
HA’s Tests of Controls and Testing Results:
• Corroboratively inquired with management to determine the procedures in place for authorizing access for new users. No exceptions noted.
• Inspected a selection of new employees for evidence of the proper authorization of a new user’s access to the systems. No exceptions noted.
Ref # 5.3
PayData’s Control Activity: The network domain will automatically prompt the users to change their passwords every 90 days. The passwords must be five characters in length.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to verify the password policies established for the network domain. Result: No exceptions noted.
- Inspected the group policy configuration for the network domain and confirmed the following password parameters: Min password length: five characters; Max password age: 90 days. Result: No exceptions noted.

Ref # 5.4
PayData’s Control Activity: User accounts are locked out for thirty minutes after five failed attempts by the network domain.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the system parameters established for the network domain. Result: No exceptions noted.
- Inspected the group policy configuration for the network domain to confirm user accounts are locked out after five failed attempts for thirty minutes. Result: No exceptions noted.
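The group policy parameters inspected under 5.3 and 5.4 can be re-checked on the domain itself; the following PowerShell is an added example (not part of this report or PayData’s own tooling) that compares the effective domain password and lockout policy with the values the report states and flags drift. Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy are the real ActiveDirectory-module cmdlets; the offline sample policy object and the expected-value table are constructed here.

```powershell
# Added example, not part of the SOC 1 report or PayData's own tooling: compare the
# effective domain password/lockout policy with the parameters stated for controls
# 5.3 and 5.4 and report any drift. The live path needs the RSAT ActiveDirectory module.

# Expected values as stated in the report (5.3 and 5.4). These are floors the control
# commits to, not a recommended target: a five-character minimum is well below
# current guidance, so a stronger setting still passes this check.
$Expected = @{
    MinPasswordLength  = 5    # 5.3: minimum password length
    MaxPasswordAgeDays = 90   # 5.3: passwords must expire at least every 90 days
    LockoutThreshold   = 5    # 5.4: lock the account after five failed attempts
    LockoutDurationMin = 30   # 5.4: keep it locked for thirty minutes
}

function Test-DomainPasswordPolicy {
    # Returns an object with Compliant (bool) and Findings (string[]) for a policy
    # object shaped like the output of Get-ADDefaultDomainPasswordPolicy.
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $findings = @()

    # Minimum length is a floor: a longer minimum still satisfies the control.
    if ($Policy.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); control requires at least $($Expected.MinPasswordLength)"
    }

    # Maximum age is a ceiling. A non-positive value means passwords never expire,
    # which fails 5.3 outright.
    $ageDays = $Policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $Expected.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days; control requires expiry within $($Expected.MaxPasswordAgeDays) days"
    }

    # A lockout threshold of 0 disables lockout entirely, which fails 5.4.
    if ($Policy.LockoutThreshold -le 0 -or $Policy.LockoutThreshold -gt $Expected.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold); control requires lockout after $($Expected.LockoutThreshold) failed attempts"
    }

    # A non-positive lockout duration means 'locked until an administrator unlocks',
    # which is stricter than thirty minutes; otherwise require at least thirty minutes.
    $lockMin = $Policy.LockoutDuration.TotalMinutes
    if ($lockMin -gt 0 -and $lockMin -lt $Expected.LockoutDurationMin) {
        $findings += "LockoutDuration is $lockMin minutes; control requires at least $($Expected.LockoutDurationMin)"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Live check on a domain-joined host with RSAT installed. Fine-grained password
# policies (PSOs) override the default domain policy for the users and groups they
# apply to, so an assessor lists them as well rather than trusting the default alone:
#   $live = Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Expected $Expected
#   Get-ADFineGrainedPasswordPolicy -Filter *

# Constructed sample (not a real domain's values), shaped like the cmdlet's output,
# with lockout disabled so the offline run produces a finding.
$Sample = [pscustomobject]@{
    MinPasswordLength = 5
    MaxPasswordAge    = [TimeSpan]::FromDays(90)
    LockoutThreshold  = 0
    LockoutDuration   = [TimeSpan]::FromMinutes(30)
}

$Result = Test-DomainPasswordPolicy -Policy $Sample -Expected $Expected
if ($Result.Compliant) {
    Write-Output "Domain policy matches controls 5.3 and 5.4"
} else {
    $Result.Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```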
Ref # 5.5
PayData’s Control Activity: Workstations that are left unattended are either logged off or have Lock Workstation activated after fifteen minutes.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the system policies that have been established for unattended workstations. Result: No exceptions noted.
- Inspected the group policy configuration to verify Lock Workstation is appropriately configured. Result: No exceptions noted.
- Observed, on a selection of dates, users’ workstations were locked when unattended. Result: No exceptions noted.

Ref # 5.6
PayData’s Control Activity: A user’s access to the network domain is immediately disabled by the network administrator upon termination of the user’s employment, using formalized procedures and documented on a checklist.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the procedures in place for removing terminated users from the system. Result: No exceptions noted.
- Inspected the list of network domain user accounts and verified no terminated employees retained access. Result: No exceptions noted.
- Inspected a selection of terminated employees and reviewed the termination checklists for evidence of the revocation of logical access. Result: No exceptions noted.
Ref # 5.7
PayData’s Control Activity: PayData and remote clients’ Evolution application users are required to authenticate via a unique user ID and password prior to being granted access to the Evolution application.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the security in place for the Evolution software. Result: No exceptions noted.
- Inspected the Evolution application authentication configurations to determine that users were required to authenticate via a user account and password before being granted access to Evolution. Result: No exceptions noted.
- Observed, on a selection of dates, PayData employees providing their credentials prior to gaining access to Evolution. Result: No exceptions noted.

Ref # 5.8
PayData’s Control Activity: PayData has configured Evolution’s security settings to require passwords that are at least six characters in length, meet complexity requirements and expire every 90 days.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to verify the password policies established for Evolution. Result: No exceptions noted.
- Inspected the Evolution security settings and confirmed the following password parameters: Min password length: six characters; Max password age: 90 days; Complexity requirements enabled. Result: No exceptions noted.
Ref # 5.9
PayData’s Control Activity: PayData has configured Evolution security roles to restrict remote clients’ access to only their specific company payroll data. The clients are also restricted from various system and company level screens or fields.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine how security settings in Evolution are used to restrict client access. Result: No exceptions noted.
- Inspected application documentation for evidence of the remote user process and inspected the security settings for a client and noted the company level access restriction. Result: No exceptions noted.

Ref # 5.10
PayData’s Control Activity: The ability to access the database server and administer security on the Evolution software is limited to appropriate personnel.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the individuals with privileged accounts on the system. Result: No exceptions noted.
- Inspected the database server user accounts and the Evolution security settings to verify privileged access is limited to appropriate individuals. Result: No exceptions noted.
Control Objective #6:
Control activities provide reasonable assurance that changes to the existing system software and implementation of new software are authorized, tested, approved, properly implemented and documented.

Ref # 6.1
PayData’s Control Activity: The Management Team is notified of all Evolution software updates via email by the software vendor and reviews the release notes for appropriateness prior to implementation.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine procedures in place for performing software updates. Result: No exceptions noted.
- Inspected a selection of the software updates performed for evidence of management’s review and approval. Result: No exceptions noted.

Ref # 6.2
PayData’s Control Activity: The Vice President of Operations approves the implementation prior to the iSystems’ IT Department personnel installing the update.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine procedures in place for approval of the software update. Result: No exceptions noted.
- Inspected a selection of application software updates performed for evidence of proper approval by the Vice President of Operations. Result: No exceptions noted.
Ref # 6.3
PayData’s Control Activity: Full system backups are performed prior to updates being loaded into production.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to verify that full system backups are performed prior to the implementation of application updates into the production environment. Result: No exceptions noted.
- Inspected a selection of application updates and verified a backup was completed. Result: No exceptions noted.

Ref # 6.4
PayData’s Control Activity: The ability to implement software changes and version releases in Evolution is limited to authorized individuals. Access to the Evolution servers is limited to authorized personnel.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to verify the ability to implement software changes and version releases in Evolution is limited to authorized personnel. Result: No exceptions noted.
- Inspected a list of authorized users for the Evolution server. Result: No exceptions noted.

Ref # 6.5
PayData’s Control Activity: PayData personnel do not have access to make changes to the Evolution source code.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to verify PayData does not have access to make source code changes to the Evolution application. Result: No exceptions noted.
- Inspected the Evolution License agreement to verify that the source code cannot be modified by PayData. Result: No exceptions noted.
Control Objective #7:
Control activities provide reasonable assurance that data is retained and backed up completely and stored off-site.

Ref # 7.1
PayData’s Control Activity: The Evolution system and client database files are backed up daily using automated routines to the following media:
- Separate folder on each DB server
- Virtual tape library, until June 14, 2012
- Physical tape stored off-site, until June 14, 2012
- Symantec Backup Exec 3600 Appliances, one remote and one local, starting June 15, 2012
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the process for backing up the databases. Result: No exceptions noted.
- Inspected the backup job routines to verify production environments are included. Result: No exceptions noted.
- Inspected the schedule of backups performed for appropriateness. Result: No exceptions noted.

Ref # 7.2
PayData’s Control Activity: The file server, which contains all company and client files, is backed up daily using an automated routine to the virtual tape library until June 14, 2012 and to the local and remote Backup Exec 3600 Appliances as of June 15, 2012.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the process for backing up the file server. Result: No exceptions noted.
- Inspected the backup job routines to verify production environments are included. Result: No exceptions noted.
- Inspected the schedule of backups performed for appropriateness. Result: No exceptions noted.
Ref # 7.3
PayData’s Control Activity: PayData utilizes the Asynchronous Data Replication (ADR) software to continuously replicate the system and client databases to servers at an off-site location provided by iSystems. Starting June 15, 2012, a second ADR process was added to a local backup server.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the Evolution data files are replicated to an off-site server constantly. Result: No exceptions noted.
- Inspected the ADR software to verify proper configuration and that the replication process was active. Result: No exceptions noted.

Ref # 7.4
PayData’s Control Activity: The iSystems’ IT Department personnel and the Vice President of Operations monitor the success of the nightly backup procedures. All backup routines automatically email a success/failure report.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the process for verifying the success of the previous night’s backup. Result: No exceptions noted.
- Inspected the backup job routines for the configuration of the email notification for appropriateness. Result: No exceptions noted.
- Inspected a selection of days for evidence of the Vice President of Operations’ review of the backup email confirmations to determine the success of the previous night’s backup. Result: No exceptions noted.
Control Objective #8:
Control activities provide reasonable assurance that the remote input clients’ access to resources is restricted to authorized users.

Ref # 8.1
PayData’s Control Activity: PayData’s network is protected by a stateful inspection firewall and activity is monitored daily by iSystems IT Department personnel.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the procedures in place for monitoring firewall activity. Result: No exceptions noted.
- Inspected the configuration and settings of the firewall. Result: No exceptions noted.

Ref # 8.2
PayData’s Control Activity: The firewall system is configured to deny any type of network connection that is not explicitly authorized by a firewall rule.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the procedures in place to deny unauthorized network connections. Result: No exceptions noted.
- Inspected the firewall ruleset to determine that the firewall system was configured to deny any type of network connection that was not explicitly authorized by a firewall rule. Result: No exceptions noted.
Ref # 8.3
PayData’s Control Activity: Network address translation (NAT) is enabled on the firewall to translate internally routable IP addresses.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the procedures in place for monitoring firewall activity. Result: No exceptions noted.
- Inspected the listing of server IP addresses and the firewall ruleset to determine that NAT was enabled on the firewall to translate internally routable IP addresses. Result: No exceptions noted.

Ref # 8.4
PayData’s Control Activity: Inbound Internet traffic terminates at a host in the demilitarized zone (DMZ) which is separate from the production network.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the procedures in place for limiting Internet traffic accessing PayData’s network. Result: No exceptions noted.
- Inspected the network diagram to determine that inbound Internet traffic terminates at a host in the DMZ which was separate from the production network. Result: No exceptions noted.

Ref # 8.5
PayData’s Control Activity: An intrusion protection system (IPS) is in place to monitor the production network for signatures recognized by the IPS.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired of management to determine the procedures in place for limiting access to PayData’s network. Result: No exceptions noted.
- Inspected the IPS configurations to determine that an IPS was in place to monitor the production network for signatures recognized by the IPS. Result: No exceptions noted.
Control Objective #9:
Control activities provide reasonable assurance that information systems are available for operation and use as committed, and that the likelihood and impact of system downtime is minimized.

Ref # 9.1
PayData’s Control Activity: The information systems are monitored 24x7x365 by an automated system that automatically alerts the IT personnel of any issues. Examples of monitored systems included:
- Server availability
- Printer availability
- Fax system availability
- Phone system availability
- CPU utilization and disk space
- Internet connectivity
- UPS status and runtime
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the procedures for monitoring the IT systems and resolution of problems. Result: No exceptions noted.
- Inspected the Nagios® application for evidence of the configuration and monitoring of IT systems. Result: No exceptions noted.
Ref # 9.2
PayData’s Control Activity: The Nagios® application is configured to alert the iSystems’ IT Department personnel by email upon the triggering of any event threshold. Tickets are used to assign tasks and resolve issues.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the procedures for monitoring the IT systems and resolution of problems. Result: No exceptions noted.
- Inspected the Nagios® application for evidence of the notification configuration and ticketing system. Result: No exceptions noted.
- Inspected the ticketing system for evidence of open and closed tickets for IT system issues. Result: No exceptions noted.
Control Objective #10:
Control activities provide reasonable assurance that conversion and setup of new clients is complete and accurate.

Ref # 10.1
PayData’s Control Activity: PayData utilizes standard checklists to guide and document the process, and customized forms are used to gather the payroll information for the new client.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures performed to set up or convert a new client. Result: No exceptions noted.
- Inspected a selection of new clients for evidence of the completed checklists and required documentation. Result: No exceptions noted.

Ref # 10.2
PayData’s Control Activity: All clients sign a Scope of Services and Terms & Conditions Agreement, Tax Agent Agreement and Employer Electronic Bank Transfer Agreement with PayData.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures performed to document the agreement of services provided to the new client. Result: No exceptions noted.
- Inspected a selection of new clients for evidence of the signed agreements. Result: No exceptions noted.
Ref # 10.3
PayData’s Control Activity: New clients’ banking relationship and banking history are confirmed with the clients’ bank and reviewed by a member of the Accounting Department to determine the client’s credit risk in relation to the requested services.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures performed to review the new clients’ credit risk. Result: No exceptions noted.
- Inspected a selection of new clients for evidence of the banking relationship and history verification reviewed by the Accounting Department. Result: No exceptions noted.

Ref # 10.4
PayData’s Control Activity: The Conversion Supervisor reviews the conversion documentation submitted by the Sales Department for completeness and compliance with policy prior to assigning it to a Conversion Specialist.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures performed to review the new client information prior to commencing the conversion and setup process. Result: No exceptions noted.
- Inspected a selection of new clients for evidence of the Conversion Supervisor’s review of the new client packet received from the Sales Department. Result: No exceptions noted.

Ref # 10.5
PayData’s Control Activity: A second person, normally from the Client Services Department, reviews all company information and employee demographics in the payroll software for accuracy and completeness prior to the first payroll run. A Client/Company Audit Checklist is used to document the review.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures performed to validate the new client data in the payroll software. Result: No exceptions noted.
- Inspected a selection of new clients for evidence of the second person’s review and completion of the Client/Company Audit Checklist. Result: Exception noted: for one out of 25 new clients tested, the second person review was completed but not prior to the first payroll run. No other exceptions noted.
Ref # 10.6
PayData’s Control Activity: The Accounting Department personnel review the bank account numbers, services provided and billing information in the payroll software against the EFT Agreement, Client Setup Forms and Proposal for completeness and accuracy prior to the first payroll run.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures performed to verify the bank account numbers and billing setup for a new client. Result: No exceptions noted.
- Inspected a selection of new clients for evidence of the completed review by the Accounting Department. Result: No exceptions noted.

Ref # 10.7
PayData’s Control Activity: The tax setup information in Evolution, such as client-specific tax rates, filing frequency and ID numbers, and year-to-date wages and tax liabilities, is reviewed by a member of the Tax Department.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures performed to validate the tax setup information. Result: No exceptions noted.
- Inspected a selection of new clients for evidence of the Tax Department personnel’s review. Result: No exceptions noted.
Control Objective #11:
Control activities provide reasonable assurance that processing is scheduled and performed appropriately and deviations from the schedule are identified and resolved.

Ref # 11.1
PayData’s Control Activity: Scheduling Reports By Call In Date, which list the clients to be processed the following week, are printed every Friday and distributed to the Client Service Representatives.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for verifying all scheduled payrolls were processed timely. Result: No exceptions noted.
- Inspected a selection of days for evidence of the Client Services Department personnel’s utilization of the Scheduling Reports. Result: No exceptions noted.

Ref # 11.2
PayData’s Control Activity: Each Client Service Representative is responsible for monitoring their Scheduling Report and will contact any client that has not processed their scheduled payroll on or before 1:00 PM of the scheduled date, if time allows.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for managing the processing schedule. Result: No exceptions noted.
- Observed, on a selection of dates, the Client Service Representatives managing their schedule and the resolution of exceptions. Result: No exceptions noted.
- Inspected a selection of days for evidence of the Client Service Representatives’ utilization of the Scheduling Reports and processing of client payrolls. Result: No exceptions noted.
Ref # 11.3
PayData’s Control Activity: During the end-of-day procedures, the Client Service Representatives review the Payroll Not Called In Report, document the reason for not processing and provide the report to the Client Service Manager for review.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for managing the processing schedule. Result: No exceptions noted.
- Inspected a selection of days for evidence of the Client Service Representatives’ and the Client Service Manager’s review of the Payroll Not Called In Report and the resolution of unprocessed payrolls. Result: No exceptions noted.

Ref # 11.4
PayData’s Control Activity: The Waiting Payrolls Report is reviewed by the Client Service Representatives each afternoon to confirm that all payrolls that have been started are processed appropriately. The report is given to the Team Lead for review daily and to the Client Service Manager weekly.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for managing the processing schedule. Result: No exceptions noted.
- Inspected a selection of days for evidence of the Client Service Representatives’ and the Client Service Manager’s review of the Waiting Payrolls Report and the resolution of unprocessed payrolls. Result: No exceptions noted.

Ref # 11.5
PayData’s Control Activity: Any supplemental payroll processes (non-scheduled payrolls) are reviewed and approved by the Client Service Manager or another member of management prior to processing.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for verifying all unscheduled payrolls were approved for processing. Result: No exceptions noted.
- Inspected the security settings in Evolution that require the non-scheduled payroll processes to be approved in a separate queue by a member of management prior to processing. Result: No exceptions noted.
Control Objective #12:
Control activities provide reasonable assurance that payroll data is received from authorized sources.

Ref # 12.1
PayData’s Control Activity: Fax: A pre-printed fax cover sheet and input worksheet are included with each payroll and are to be used for the transmission of the client payroll data. If the client does not utilize the cover sheet, the Client Service Representative will take the appropriate steps to confirm the source of the information.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for verifying the source for fax clients. Result: No exceptions noted.
- Inspected a selection of fax input payrolls to determine that the payrolls were received from authorized sources. Result: No exceptions noted.

Ref # 12.2
PayData’s Control Activity: Email, Esheet and TimeClock: The client submits payroll data by email and the Client Service Representative verifies the sender’s email address as well as the timing of the submission against the Payroll Schedule.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for verifying the source of email and Esheet clients. Result: No exceptions noted.
- Inspected a selection of email, Esheet and TimeClock submitted payrolls to determine that the payrolls were received from authorized sources. Result: No exceptions noted.
Ref # 12.3
PayData’s Control Activity: Remote Input: Clients log into PayData’s payroll software and the Remote Access Server using Thin Client technology with individually assigned user IDs and passwords. PayData manages the administration of user IDs and passwords.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for setting up new clients’ access to their payroll database by a unique user ID and password. Result: No exceptions noted.
- Inspected the application manual and noted the requirement of the user ID and password to gain access to the company data. Result: No exceptions noted.
Control Objective #13:
Control activities provide reasonable assurance that payroll data, transactions and maintenance items are initially recorded completely and accurately.

Ref # 13.1
PayData’s Control Activity: All Clients: The Client Service Representative reviews the information received from the client and makes note of any questionable items. The client is contacted by the Client Service Representative to resolve any of the noted items.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the procedures for recording client payroll data. Result: No exceptions noted.
- Observed the Client Service Representatives review client-submitted data, contact the client with questions and input the client data. Result: No exceptions noted.

Ref # 13.2
PayData’s Control Activity: Fax and Email: The payroll data is manually entered by the Client Service Representatives. After the input is complete, the Client Service Representative compares the batch control totals in Evolution to the client-submitted data. All submitted data must agree with the entered data before the payroll can be processed.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the procedures for recording client payroll data. Result: No exceptions noted.
- Inspected a selection of fax and email payroll clients for evidence of the balancing procedures. Result: No exceptions noted.
- Reperformed the balancing of control totals for a selection of fax and email payroll clients. Result: No exceptions noted.
Ref # 13.3
PayData’s Control Activity: TimeClock Import and Esheet: The payroll data is imported by the Client Service Representatives. After the import is complete, the Client Service Representative compares the batch control totals with the submitted totals. All submitted data must agree with the imported data before the payroll can be processed.
HA’s Tests of Controls and Testing Results:
- Corroborative inquiry with management to determine the procedures for recording client payroll data. Result: No exceptions noted.
- Inspected a selection of Esheet and TimeClock Import payroll clients for evidence of the balancing procedures. Result: No exceptions noted.
- Reperformed the balancing of control totals for a selection of TimeClock Import and Esheet payroll clients. Result: No exceptions noted.
Control Objective #14:
Control activities provide reasonable assurance that payroll checks, direct deposit vouchers and reports are produced and distributed completely, accurately and in accordance with client specifications.

Ref # 14.1
PayData’s Control Activity: Checks, vouchers and reports are generated in a secured and dedicated Processing Room. Access is limited to authorized personnel.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the location of the production of checks, vouchers and reports. Result: No exceptions noted.
- Observed, during the office tour, the secured Processing Room and noted the location of the printers and sealing equipment. Result: No exceptions noted.

Ref # 14.2
PayData’s Control Activity: The Payroll Cover Letter report and Delivery Instructions are generated with each client’s payroll package to notify the Processing personnel of client-specified distribution and delivery instructions. If special (one-time) instructions are received from the client, the Client Services Department personnel will communicate them to the Processing personnel prior to processing.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the procedures for printing the checks, vouchers and reports. Result: No exceptions noted.
- Observed, on a selection of dates, the process of printing checks, vouchers and reports. Result: No exceptions noted.
Ref # 14.3
PayData’s Control Activity: The Processing personnel monitor the status of the printers and resolve any paper jams or errors during printing. The Processing personnel will review the sequencing of checks or vouchers upon a printer error to ensure completeness. All unusable documents are destroyed.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the process by which errors are cleared. Result: No exceptions noted.
- Observed, on a selection of dates, the process of printing checks, vouchers and reports. Result: No exceptions noted.

Ref # 14.4
PayData’s Control Activity: Checks, vouchers and reports are then assembled and put into a sealed bag for delivery and sorted according to delivery method. A Security Seal sticker is applied to the package.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the process by which the payroll output is assembled and packaged for delivery. Result: No exceptions noted.
- Observed, on a selection of dates, the Processing personnel assemble and package the payroll output and apply a Security Seal sticker to the package. Result: No exceptions noted.

Ref # 14.5
PayData’s Control Activity: PayData has configured Evolution’s VMR module to handle the electronic delivery of the processed payroll reports and vouchers. The password-protected payroll reports are sent to the client-specified email address, and confidential information is also masked.
HA’s Tests of Controls and Testing Results:
- Corroboratively inquired with management to determine the process by which the payroll output is delivered electronically. Result: No exceptions noted.
- Observed the VMR settings for a client that elected paperless payroll in Evolution and the history of the emailed reports for the testing period. Result: No exceptions noted.
PAYDATA PAYROLLSERVICES, INC.
October1, 2011 to September 30, 2012
SECTION IV. PAYDATA’S CONTROL OBJECTIVES AND RELATED CONTROLS AND INFORMATION PROVIDED BY THE
INDEPENDENT SERVICE AUDITOR
Ref #
14.6
PayData’s Control Activities
The Processing personnel’s access in
Evolution, through security features, is
limited to the functions of processing and
printing of payrolls and cannot enter any
payroll data.
HA’s Tests of Controls
HA’s Testing Results
Corroboratively inquired with management to
determine the procedures for limiting Processing
personnel’s access in Evolution.
No exceptions noted.
Inspected the Evolution security settings for
Processing personnel to verify the limited access.
No exceptions noted.
Control Objective #15:
Control activities provide reasonable assurance that appropriate federal, state and local specifications are used for
tax calculations during processing.
Ref # 15.1
PayData’s control activity: PayData receives updates to the tax tables from their software provider (iSystems) on at least a quarterly basis. Included with each update is documentation listing the tax types that have been updated or added. The updates are reviewed by management and installed in a timely manner.
HA’s tests of controls and testing results:
• Corroborative inquiry with management to determine the procedures for updating the tax rates in Evolution. No exceptions noted.
• Inspected a selection of updates for evidence of review by management. No exceptions noted.

Ref # 15.2
PayData’s control activity: PayData maintains memberships in a payroll industry trade association that keeps their members up to date on tax related issues. PayData will notify iSystems of any changes received from external sources that are not reflected in the documentation sent with their latest software update.
HA’s tests of controls and testing results:
• Corroborative inquiry with management to determine the utilization of trade association membership for tax research purposes. No exceptions noted.
• Inspected membership invoices for trade associations for the period under review. No exceptions noted.

Ref # 15.3
PayData’s control activity: PayData utilizes BNA and CCH/Intelliconnect, which provide a library of research information related to payroll and taxation.
HA’s tests of controls and testing results:
• Corroborative inquiry with management to determine the utilization of third party research tools for tax research purposes. No exceptions noted.
• Inspected the subscription invoices for the period under review. No exceptions noted.
Control Objective #16:
Control activities provide reasonable assurance that appropriate federal, state and local tax filings are complete,
accurate and timely.
Ref # 16.1
PayData’s control activity: The Tax Department runs several reports on a daily basis to ensure that all tax filings for the selected filing period are complete, accurate and timely.
  - Due Date Report (Federal, State and Local) – Lists unpaid liabilities for a specified date. If the report reflects any payments due, they are made.
  - 100k Due Date Report – Lists any clients that have outstanding federal tax payments that exceed the 100,000 next day filing requirement and used to ensure the payments have been made appropriately.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the process for verification of tax compliance for all clients. No exceptions noted.
• Inspected a selection of daily tax reports for evidence that the required payments were made by the due date. No exceptions noted.
• Inspected a selection of daily tax reports for evidence of the review by the Tax Specialist. No exceptions noted.
Ref # 16.2
PayData’s control activity: The Tax Department generates the daily tax payments for the next two business days using the EFTPS software or Evolution ACH module and compares to the Due Date report for completeness. The Tax Specialist verifies the payments with the confirmations from the EFT providers or taxing agencies’ website.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the process for payment of tax liabilities. No exceptions noted.
• Inspected a selection of tax payments and agreed the payments to the EFTPS report, ACH Transaction Report, inclusion in the related confirmation from the EFT providers or taxing agencies’ websites and the payment clearing the bank statement. No exceptions noted.

Ref # 16.3
PayData’s control activity: The tax payment process has multiple personnel involved to segregate the duties and provide supervision/review:
  - Tax Specialist creates the tax payment files and submits to taxing agencies or bank
  - Processing personnel submits the ACH transmission for processing
  - Tax Manager reviews the tax payments made for accuracy
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the process for payment of tax liabilities. No exceptions noted.
• Inspected a selection of tax payments and noted the segregation and review by the Tax Manager. No exceptions noted.
Ref # 16.4
PayData’s control activity: The Tax Department runs several reports on a weekly, monthly and quarterly basis to ensure that all tax filings for the selected filing period are complete, accurate and timely. The Balancing Report, which shows the difference in the taxes calculated and taxes collected for each client, is generated and reviewed weekly by the Tax Manager.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the tax reports utilized to monitor the accuracy of the tax process. No exceptions noted.
• Inspected a selection of weeks for evidence of the generation and review of the reports for variances and resolution. No exceptions noted.

Ref # 16.5
PayData’s control activity: The monthly and quarterly return processes have several phases to ensure the accuracy, completeness and timeliness of the returns.
  - Quarterly all companies are subjected to a “preprocess” function, which tests all tax liabilities against calculated taxes for the quarter.
  - Quarterly and annual returns are created and are subjected to a review process to ensure the accuracy of the returns.
  - Delivery envelopes are created for each taxing agency and the returns sent to the taxing agency are compared to a checklist to ensure all returns are properly submitted. For returns sent electronically, the clients contained in the file are also compared to the checklist.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the quarter end and year end reporting procedures. No exceptions noted.
• Inspected a selection of clients for evidence of the completion of the quarter ended June 30, 2012 Form 941, compliance with procedures and submission by the due date. No exceptions noted.
• Inspected the June 30, 2012 quarter end documentation for evidence of completion. No exceptions noted.

Ref # 16.6
PayData’s control activity: Checklists are utilized by tax code and client to ensure that all monthly, quarterly and annual tax returns are filed.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the quarter end and year end reporting procedures. No exceptions noted.
• Inspected a selection of quarterly checklists for evidence of the completion of the quarter end process. No exceptions noted.
Control Objective #17:
Control activities provide reasonable assurance that the disbursement of direct deposit funds is authorized, complete and accurate.

Ref # 17.1
PayData’s control activity: Clients sign an Employer Electronic Transfer Agreement and the Conversion Team personnel input the client provided bank account number and bank routing number into the client’s database. The Accounting Department personnel review the bank account numbers in the payroll software for all new clients.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the process for client authorization of direct deposit. No exceptions noted.
• Inspected a selection of new clients for evidence of the executed authorization agreement. No exceptions noted.
• Inspected a selection of new clients for evidence of the Accounting Department’s review of the bank account numbers. No exceptions noted.

Ref # 17.2
PayData’s control activity: The ACH file is created in Evolution and uploaded to Cachet Banq’s secure website by the Processing Department personnel. The Processing Department personnel verify the ACH Transaction Report control totals with the confirmation page on the website after successful transmission of the ACH file.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the procedures to confirm the ACH files submitted to Cachet Banq. No exceptions noted.
• Observed the Processing Supervisor submit the ACH file to Cachet Banq and the verification of the control totals with the website. No exceptions noted.
• Reperformed the verification of the control totals of the ACH Transaction Report and the Cachet Banq website uploaded file listing. No exceptions noted.
Ref # 17.3
PayData’s control activity: The Processing Department personnel log the submitted ACH file control totals on the ACH Total Excel file.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the procedures to confirm the ACH files submitted to Cachet Banq. No exceptions noted.
• Observed the Processing Supervisor log the submitted ACH file on the ACH Total Excel file. No exceptions noted.
• Inspected a selection of ACH file submissions for evidence of being logged by the Processing Department personnel in the ACH Totals Excel file. No exceptions noted.

Ref # 17.4
PayData’s control activity: The Vice President of Operations verifies the submitted ACH files with the email confirmation from Cachet Banq.
HA’s tests of controls and testing results:
• Corroboratively inquired with management to determine the procedures to confirm the ACH files submitted to Cachet Banq. No exceptions noted.
• Inspected a selection of ACH file submissions for evidence of the verification of the submitted ACH file by the Vice President of Operations. No exceptions noted.
Control Objective #18:
Control activities provide reasonable assurance that the tax impound and client trust funds are properly accounted for and the bank accounts are reconciled in a complete, accurate and timely manner.

Ref # 18.1
PayData’s control activity: The tax impound and client trust (netcheck) funds are maintained in separate bank accounts.
HA’s tests of controls and testing results:
• Corroboratively inquired of management to determine the utilization of multiple bank accounts for different transaction types. No exceptions noted.
• Inspected bank statements to determine the tax impound and client trust (netcheck) funds are maintained in separate bank accounts. No exceptions noted.

Ref # 18.2
PayData’s control activity: The Daily Funds Reconciliation Report is reviewed daily by the Accounting Manager to identify any exceptions from the previous day’s payroll processing and ACH files; any exceptions are reviewed for appropriateness and resolved in a timely manner.
HA’s tests of controls and testing results:
• Corroboratively inquired of management to determine the procedures for monitoring the daily ACH process. No exceptions noted.
• Inspected a selection of Daily Funds Reconciliation Reports for evidence of review by the Accounting Manager and identification of any exceptions. No exceptions noted.
Ref # 18.3
PayData’s control activity: The bank account activity for the tax impound and netcheck/trust funds is cleared daily in Evolution by the Accounting Department personnel.
HA’s tests of controls and testing results:
• Corroboratively inquired of management to determine the procedures for bank account reconciliation. No exceptions noted.
• Inspected a selection of the daily activity clearing reports from Evolution for evidence of completion by the Accounting Department personnel. No exceptions noted.

Ref # 18.4
PayData’s control activity: The Accounting Department personnel reconcile the tax impound and client trust (netcheck) accounts monthly.
HA’s tests of controls and testing results:
• Corroboratively inquired of management to determine the procedures for bank account reconciliation. No exceptions noted.
• Inspected a selection of monthly bank reconciliations to determine the tax impound and client trust fund accounts were reconciled by the Accounting Department personnel. No exceptions noted.

Ref # 18.5
PayData’s control activity: The bank account reconciliations and all supporting documentation are reviewed by the Vice President of Operations monthly.
HA’s tests of controls and testing results:
• Corroboratively inquired of management to determine the procedures for bank account reconciliation. No exceptions noted.
• Inspected a selection of monthly bank reconciliations for evidence of the Vice President of Operations’ review of the reconciliations. No exceptions noted.
Ref # 18.6
PayData’s control activity: The Accounting Manager reconciles the total tax liabilities from Evolution to the tax impound bank account balance on a monthly basis.
HA’s tests of controls and testing results:
• Corroboratively inquired of management to determine the procedures for the reconciliation of tax liabilities and tax impound funds. No exceptions noted.
• Inspected a selection of monthly tax liability reconciliations to determine the tax impound funds agreed to total tax liabilities and for evidence of the reconciliation performed by the Accounting Manager. No exceptions noted.
SECTION V. ADDITIONAL INFORMATION PROVIDED BY PAYDATA
Additional Information Provided by PayData
The following information is provided by management of PayData to assist the reader in gaining a
deeper understanding of the payroll software licensed by PayData and is not part of their description of
the payroll system. Accordingly, it is not covered under the auditor’s opinion.
Description of the Evolution Payroll Software
Overview
Evolution payroll software is a fully integrated payroll processing and tax management system designed
to provide fast, accurate and secure payroll transaction processing for PayData. Evolution is an
advanced and full-featured service bureau solution, including a complete tax management component,
an integrated report writer, ACH processing and multiple account reconciliation capabilities.
Technology
Evolution is a multi-tier application consisting of nearly one million lines of code written in the Delphi language. The application and middle tiers run in a Windows environment. The database tier uses the Firebird SQL database and runs on the Linux operating system.
The tiers that make up the Evolution application are as follows: Client (first tier), Remote Relay, Request Broker, Request Processor (second/middle tier) and the Data Store (third tier). A full description of these tiers and their functionality is as follows:
1. The client tier (tier 1) is a thin client or web browser client, running Evolution Client for service bureau staff and payroll customers. These run on the user’s Windows desktop.
Messages are transmitted between the client and server using a custom protocol based on a proprietary format over TCP/IP. The client caches the credentials of the user in memory. If the connection to the Evolution server(s) fails, or otherwise becomes unavailable, the client will resubmit the credentials when the connection revives. This provides a transparent user experience when the Request Broker is unavailable.
2. The Remote Relay (access) Server is a proxy in the middle tier (tier 2) that encrypts and compresses Evolution Client communications over public networks (the internet). Communications sent over private networks (LAN) can connect directly to the Request Broker and bypass the Remote Relay service, avoiding compression and encryption.
The encryption protocol used between the Client and the Remote Relay service proxy transports the encryption key. SSL is used to create the encryption key dynamically. The algorithm used is Blowfish with a 128-bit key.
3. The Request Broker (RB) is a server in tier 2 that performs the duties of routing and controlling the distributed application. The role of this tier is to manage the load on the Request Processors (RP), maintain work queues for each user session and provide a central point of contact for the clients to connect to. The RB is the nerve center of the application.
Asynchronous Replication is a separate program that maintains a near-current mirror of the client databases. This process replicates the client database(s) on another set of servers, which can be used to enable a “hotsite” for processing payroll in the case of a disaster at the primary processing center.
4. The Request Processor module includes a security layer that ensures users can only access data that they are authorized to access, by appending the appropriate tests to the WHERE clauses of all SQL statements that access data. This same layer safely handles all user-supplied data, ensuring that SQL injection attacks cannot occur.
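As an added illustration of the Request Processor approach just described (example code, not iSystems’ or Evolution’s own), the following Python sketch appends an entitlement test to every query’s WHERE clause and passes user-supplied values only as bound parameters. The table, columns, user names and entitlement map are constructed for the example.

```python
"""Added example (not Evolution's code): a request-processor style query layer
that appends an entitlement test to every WHERE clause and binds all
user-supplied values as parameters. Table, columns and users are constructed."""
import re
import sqlite3

# Constructed sample schema: one service-bureau database holding several clients.
SCHEMA = """
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,
    client_id INTEGER NOT NULL,
    name      TEXT    NOT NULL,
    pay_rate  REAL    NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, 100, "Ada",   42.0),
    (2, 100, "Grace", 38.5),
    (3, 200, "Linus", 55.0),
]

# Hypothetical entitlement map: which client databases each user may reach.
ENTITLEMENTS = {"bureau_staff": {100, 200}, "client100_user": {100}}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def scoped_query(user, table, where_sql="", where_params=()):
    """Return (sql, params) with the caller's entitlement test appended.

    where_sql is a fragment written by trusted application code using '?'
    placeholders; where_params carries the user-supplied values, which are
    never spliced into the SQL text.
    """
    if not _IDENT.match(table):
        raise ValueError("bad table name")  # identifiers cannot be parameterised
    clients = sorted(ENTITLEMENTS.get(user, set()))
    if not clients:
        # No entitlements: an always-false test, never an unfiltered query.
        return f"SELECT * FROM {table} WHERE 0", ()
    marks = ",".join("?" * len(clients))
    tests = [f"client_id IN ({marks})"]
    params = list(clients)
    if where_sql:
        tests.append(f"({where_sql})")
        params.extend(where_params)
    return f"SELECT * FROM {table} WHERE " + " AND ".join(tests), tuple(params)


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employee VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def find_employees(conn, user, name_filter):
    """Look up employee ids by name on behalf of `user`; name_filter is untrusted input."""
    sql, params = scoped_query(user, "employee", "name = ?", (name_filter,))
    return [row[0] for row in conn.execute(sql, params).fetchall()]


if __name__ == "__main__":
    db = open_sample_db()
    print(find_employees(db, "client100_user", "Linus"))  # [] - another client's data
    print(find_employees(db, "bureau_staff", "Linus"))    # [3]
    print(find_employees(db, "client100_user", "' OR 1=1 --"))  # [] - bound as a literal name
```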
5. The data store is spread between a minimum of two databases. The system global database is maintained by iSystems through an update process and contains static data such as tax rates, forms and base reports. The second type of database is a service bureau database that will contain data relevant to all clients, companies and users associated with that service bureau. Each service bureau will have its own instance of the database. This database contains the credentials and entitlements of each system user. The third type of database is a temp database used for caching data to improve performance. Each service bureau will have its own instance of the temp database. The last type of database is the client database. This database will contain all data pertaining to a client’s business such as the actual payroll data. Clients will have their own instance of this database. This database structure has two significant benefits – security and scalability. It is scalable because these databases can be co-located or distributed across servers. It enhances security by physically separating data, making it almost impossible for a user to access data from another client even if they were able to beat the other safeguards in the application.
A client in the database is not to be confused with the client tier. The client tier refers to an
individual instance of the thin client that is used to access the system. A client in the database
refers to a customer that consists of one or more companies with one or more users. A service
bureau would have one or more clients.
The database is comprised of over 350 tables, with each table containing at least one trigger to
enforce constraints and history. The databases also contain Stored Procedures that implement
business logic. The triggers and stored procedures contain approximately 78,800 lines of code.
Each table contains its own history. As rows are changed, a new row with the updated values is
inserted and the old row is marked as history. One of the purposes of the Stored Procedures is
to return data as of a point-in-time to reflect the status of the data at that time.
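An added example (not Evolution’s schema or stored procedures) of the versioning convention just described: a change inserts a new row and retires the old one as history, a trigger refuses in-place rewrites of the versioned column, and a point-in-time read returns the version in force at a given timestamp. The table, columns and timestamps are constructed.

```python
"""Added example (not Evolution's schema): a per-table history convention in
which an update inserts a new row and marks the old row as history, plus a
point-in-time read. Table name, columns and timestamps are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE employee_rate (
    row_id     INTEGER PRIMARY KEY,
    emp_id     INTEGER NOT NULL,
    pay_rate   REAL    NOT NULL,
    valid_from TEXT    NOT NULL,   -- ISO-8601 timestamp when this version began
    valid_to   TEXT,               -- NULL for the current row
    is_history INTEGER NOT NULL DEFAULT 0
);
-- Constructed trigger: the versioned column may not be rewritten in place;
-- changes go through change_rate(), which inserts a new version.
CREATE TRIGGER no_inplace_update BEFORE UPDATE OF pay_rate ON employee_rate
BEGIN
    SELECT RAISE(ABORT, 'pay_rate is versioned; insert a new row instead');
END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def change_rate(conn, emp_id, new_rate, at):
    """Record a new pay rate effective at `at`: retire the current version
    and insert the new one in a single transaction."""
    with conn:
        conn.execute(
            "UPDATE employee_rate SET valid_to = ?, is_history = 1 "
            "WHERE emp_id = ? AND is_history = 0",
            (at, emp_id),
        )
        conn.execute(
            "INSERT INTO employee_rate (emp_id, pay_rate, valid_from) VALUES (?,?,?)",
            (emp_id, new_rate, at),
        )


def rate_as_of(conn, emp_id, at):
    """Return the pay rate that was in force at timestamp `at` (None if none)."""
    row = conn.execute(
        "SELECT pay_rate FROM employee_rate "
        "WHERE emp_id = ? AND valid_from <= ? AND (valid_to IS NULL OR valid_to > ?)",
        (emp_id, at, at),
    ).fetchone()
    return row[0] if row else None


def history(conn, emp_id):
    """All versions, oldest first: the who-changed-what-when review material."""
    return conn.execute(
        "SELECT pay_rate, valid_from, valid_to, is_history FROM employee_rate "
        "WHERE emp_id = ? ORDER BY valid_from",
        (emp_id,),
    ).fetchall()


def inplace_update_rejected(conn, emp_id):
    """True if the trigger refuses a direct UPDATE of pay_rate for an existing row."""
    try:
        conn.execute("UPDATE employee_rate SET pay_rate = 0 WHERE emp_id = ?", (emp_id,))
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    change_rate(db, 7, 40.0, "2012-01-01T00:00:00")
    change_rate(db, 7, 42.0, "2012-06-01T00:00:00")
    print(rate_as_of(db, 7, "2012-03-15T00:00:00"))  # 40.0
    print(rate_as_of(db, 7, "2012-09-30T00:00:00"))  # 42.0
    print(inplace_update_rejected(db, 7))           # True
```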
The Evolution report writer is a custom built reporting utility. The user creates reports and can run
them from within the application. These reports run under the privileges of the authenticated user. The
reporting function in Evolution also supports an email option. The report writer supports file encryption
to protect report definition and result files. The encryption uses a natively implemented Blowfish
algorithm and uses a 128-bit key.
System Functionality
The Evolution system is a complete payroll service bureau management system, enabling payroll service providers to process payroll, manage tax payments and filing, and manage ACH transactions for their clients.
• Taxes – Federal, state and local taxes are maintained by the software and are viewable by the service bureau. All taxes are table based and all calculations originate from a single point. The system is fully integrated with EFTPS so that enrollments and payments can be automated by the service bureau through a single point of entry.
Employees can have an unlimited number of taxing entities associated with their pay. The taxable wages accrue independently for each tax, and tax amounts can be withheld or blocked as necessary. If the employee is working in more than one state or locality, multiple state or local taxes can be withheld per the reciprocal agreements between those entities. The employee’s filing status for each taxing entity is recorded independently, allowing for different withholdings for each. Additional tax amounts can automatically be withheld, if desired, and can automatically be suppressed on supplemental checks. Because a client may not know the state specific allowance or exemption information, a tax information window is shown which indicates important information about each tax.
• Tax return processing – The software allows for tax returns to be processed in any order or sequence chosen by the user. The system uses a proprietary ‘snapshot reporting’ feature, which stores an encrypted facsimile of each tax return so that users can be certain that they are viewing an actual return which was processed and filed by the system and not a reprocessed return which may have changed due to systems changes.
• Bank Accounts and ACH – The system allows for unlimited ACH transactions from multiple banks and bank accounts. Banking transactions are created and tracked by the system, which also automatically populates the bank account register to facilitate the reconciliation process.
Remote Access and Security
In Evolution, each user ID can be set up with specific permissions to limit a user’s access to only the
windows, buttons, functions and data that they need for performing their jobs. Before displaying any
window, Evolution checks access rights of the user. In addition, Evolution tracks the history of the
changes made to most data fields. This history allows a review of who made changes to the data and
when they were made. Finally, Evolution stores all security information in protected files in the main
database instead of in the application or the user's workstation. The Conversion Department and the Vice President of Operations manage the security administration for the Remote Evolution users.
The Evolution software maintains a client database. The database is only accessible through the
software application and is protected from unauthorized access. Evolution uses Firebird, an open
source relational DB engine as its database back end. The design of Evolution is such that the client
software never communicates directly with the database server. In addition, Evolution uses a custom
SQL parser to limit user access to protected information. This information includes pay rates, salary
amounts, clients, companies, divisions, branches, departments, and teams, etc. Passwords within the
Evolution system must be a minimum of six characters, meet complexity requirements and are required
to change every 90 days.
Clients who utilize the Remote option enter their own payroll information by logging into PayData’s
servers remotely using individually assigned user IDs and passwords. Safeguarding controls are in place
to ensure that only authorized users gain access to their specific company payroll data. PayData uses
the security role features of Evolution to allow authorized client users to gain access to only their
specific company payroll data. The client does not have the capability to access or modify the
username, password or open any databases not assigned to them. The client connection to Evolution is
secured by 128-bit Blowfish encryption.