
PayChoice Report 2013

Report on Payroll Associates, LLC’s (d/b/a “PayChoice”) Description of its Information Technology Support System and on the Suitability of the Design of Controls

As of May 15, 2013

(Prepared pursuant to Statement on Standards for Attestation Engagements No. 16 – Reporting on Controls at a Service Organization)

SOC 1 – Type I

Payroll Associates, LLC
IS Partners, LLC
SSAE 16 Type I - Confidential

This report is not to be copied or reproduced in any manner without the expressed written approval of Payroll Associates, LLC. The report, including the title page, table of contents, and exhibits, constitutes the entire report and should be referred to only in its entirety and not by its component parts. The report contains proprietary information and is considered confidential.

TABLE OF CONTENTS

I. INDEPENDENT SERVICE AUDITOR’S REPORT
II. SERVICE ORGANIZATION’S ASSERTION
II-A. SUBSERVICE ORGANIZATION’S ASSERTION
III. DESCRIPTION OF SERVICE ORGANIZATION’S SYSTEM
    A) Overview of Operations 10
    B) Description of Relevant Processes 16
    C) Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls 24
    D) Scope and Applicability of the Report 26
    E) Complementary User Entity Controls 27
IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF CONTROLS 28
V. ADDITIONAL INFORMATION PROVIDED BY THE INDEPENDENT SERVICE AUDITOR
    A) Introduction 35
    B) Responsibilities of the Independent Service Auditor 36
    C) Consideration of Relevant Aspects of Internal Control 37

I. INDEPENDENT SERVICE AUDITOR’S REPORT

To Management of Payroll Associates, LLC:

We have examined Payroll Associates, LLC’s (“PAI” d/b/a “PayChoice”) description of the information technology support system, and DBSi’s (“DBSi”) description of certain aspects of the colocation services system for processing user entities’ transactions of Payroll Associates, LLC as of May 15, 2013, and the suitability of the design of PAI’s and DBSi’s controls to achieve the related control objectives stated in the description. DBSi is an independent service organization that provides colocation services to PAI. PAI’s description includes a description of DBSi’s colocation services used by PAI to process transactions for its user entities, as well as relevant control objectives and controls of DBSi. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of PAI’s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design and operating effectiveness of such complementary user entity controls.

In sections II and II-A of this report, PAI and DBSi, respectively, have provided their assertions about the fairness of the presentation of the description and suitability of the design of the controls to achieve the related control objectives stated in the description. PAI and DBSi are responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed to achieve the related control objectives stated in the description as of May 15, 2013.

An examination of a description of a service organization’s system and the suitability of the design of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description of the system and the suitability of the design of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed to achieve the related control objectives stated in the description. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in PAI’s assertion and DBSi’s assertion, in sections II and II-A, respectively, of this report.

We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Because of their nature, controls at a service organization or subservice organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or any conclusions about the suitability of the design of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization or subservice organization may become ineffective or fail.

In our opinion, in all material respects, based on the criteria described in PAI’s and DBSi’s assertions in sections II and II-A, respectively, of this report,

a. the description fairly presents PAI’s and DBSi’s information technology support system used by PAI to process transactions for its user entities that was designed and implemented as of May 15, 2013, and

b. the controls related to the control objectives of PAI and DBSi stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively as of May 15, 2013, and user entities applied the complementary user entity controls contemplated in the design of PAI’s controls as of May 15, 2013.

This report is intended solely for the information and use of PAI, user entities of PAI’s information technology support system as of May 15, 2013, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information, including information about the controls implemented by user entities themselves, when obtaining an understanding of user entities’ information and communication systems relevant to financial reporting. This report is not intended to be and should not be used by anyone other than those specified parties.

May 30, 2013

IS Partners, LLC

Horsham, Pennsylvania

II. SERVICE ORGANIZATION'S ASSERTION

We have prepared the description of Payroll Associates, LLC’s (PAI) information technology support system as of May 15, 2013, and their user auditors who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when obtaining an understanding of user entities' information and communication systems relevant to financial reporting. We confirm, to the best of our knowledge and belief, that

a. the description fairly presents the information technology support system made available to user entities of the system as of May 15, 2013 for processing their transactions. PAI uses a service organization, DBSi, to provide colocation services for certain aspects of its information technology support system. Section IV of the description presents PAI’s control objectives and related controls, as well as DBSi’s control objectives and related controls. DBSi’s assertion is presented in section II-A. The criteria we used in making our assertion were that the description

    i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including:

        1. the types of services provided, including as appropriate, the classes of transactions processed.
        2. the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system.
        3. the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports provided to user entities of the system.
        4. how the system captures and addresses significant events and conditions, other than transactions.
        5. the process used to prepare reports or other information provided to user entities of the system.
        6. specified control objectives and controls designed to achieve those objectives, including as applicable, complementary user entity controls contemplated in the design of the service organization’s controls.
        7. other aspects of our control environment, risk assessment process, information and communication systems (including related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.

    ii. does not omit or distort information relevant to the scope of the information technology support system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the information technology support system that each individual user entity of the system and its auditors may consider important in its own particular environment.

b. the controls related to the control objectives stated in the description were suitably designed as of May 15, 2013 to achieve those control objectives. The criteria we used in making this assertion were that

    i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization.
    ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved.

Where Business Critical Technology Survives™
DBSi 3949 Schelden Circle Bethlehem, PA 18017 610.691.8811 www.dbsintl.com

II-A. SUBSERVICE ORGANIZATION’S ASSERTION

We have prepared the description of aspects of DBSi’s colocation services system for Payroll Associates, LLC (PAI) and user entities of PAI’s information technology support system as of May 15, 2013, and their user auditors who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when obtaining an understanding of user entities’ information and communication systems relevant to financial reporting. We confirm, to the best of our knowledge and belief, that

a. the description fairly presents the aspects of DBSi’s colocation services system made available to PAI and user entities of PAI’s system as of May 15, 2013 for processing their transactions. The criteria we used in making this assertion were that the description

    i. presents how the system made available to PAI and user entities of PAI’s information technology support system was designed and implemented to process relevant transactions, including

        1. the types of services provided, including as appropriate, the classes of transactions processed.
        2. the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system.
        3. the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports provided to user entities of the system.
        4. how the system captures and addresses significant events and conditions, other than transactions.
        5. the process used to prepare reports or other information provided to user entities of the system.
        6. specified control objectives and controls designed to achieve those objectives, including as applicable, complementary user entity controls contemplated in the design of the service organization’s controls.
        7. other aspects of our control environment, risk assessment process, information and communication systems (including related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.

    ii. does not omit or distort information relevant to the scope of the information technology support system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the information technology support system that each individual user entity of the system and its auditors may consider important in its own particular environment.

b. the controls related to the control objectives stated in the description that relate to aspects of DBSi’s colocation services system made available to PAI were suitably designed as of May 15, 2013 to achieve those control objectives. The criteria we used in making this assertion were that

    i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization.
    ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved.

III. DESCRIPTION OF SERVICE ORGANIZATION’S SYSTEM

A) Overview of Operations

Company Profile and History

Payroll Associates, LLC (PAI), d/b/a “PayChoice”, is a wholly-owned subsidiary of PAI Group, Inc., the holding company for Payroll Associates, LLC and PAI Services, LLC. Payroll Associates, LLC provides payroll technology and related services to independent payroll service providers (Licensees). PAI Services, LLC provides payroll processing, tax administration, etc., to small and medium sized companies throughout the United States.

PAI was founded in 1990 and is headquartered in Moorestown, New Jersey. It maintains operational hubs in Boston, Massachusetts, Elkhart, Indiana, Charlotte, North Carolina and Dallas, Texas. In addition, as outlined below, PAI supports 10 payroll branches and approximately 180+ Licensees throughout the United States.

PAI provides its services to its customers through the following two complementary business units: the software division, Payroll Associates, LLC, which provides the payroll technology and related services, and PAI Services, LLC, which provides the payroll processing, tax and related human resources services (collectively referred to herein as Payroll Services).

Management Team

PayChoice understands the importance of having the right people in the right roles. The Senior Management Team provides the foundation from which leadership, direction and passion are built. The Senior Management Team is comprised of the following individuals:

Executive Leadership

Bill Scott, Chairman

Mr. Scott led the effort to acquire Payroll Associates, LLC, and to purchase the Payroll Associates’ software licensees who desired to join in the creation of PayChoice. Under his leadership, PayChoice grew from 40 employees to more than 350 and was recognized by the Inc. 5000 as one of the fastest growing companies in America. Bill is also the former Chief Executive Officer of InterPay, Inc. From 1987 to 2000, Bill grew InterPay from 70 employees and 2,000 clients to more than 685 employees and nearly 30,000 clients. At the time of its ultimate sale to Fleet Bank (purchased by Bank of America), InterPay was the fifth largest payroll processing company in the US. In 2003, InterPay was sold to Paychex for $185 million.

Robert Digby, Chief Executive Officer

As CEO of PayChoice, Robert is responsible for the overall leadership of the software and service bureau divisions. He brings to the position more than 20 years of payroll, HR and benefits industry expertise, with proven operational success in leading high-performance organizations and customer centric service organizations. He is the former President of RSM McGladrey Employer Services, the payroll, HR and benefit service company of RSM McGladrey / H&R Block. Robert also held senior leadership roles during his 15 year career at Ceridian, including President of PowerPay Internet small business payroll division, Senior VP of Marketing and Senior VP of Sales / Client Services for Ceridian Corporation. While at Ceridian, he also directed a national sales organization of 480 sales representatives. A Captain in the U.S. Army, Robert received his B.A. in Economics from the Virginia Military Institute (VMI) where he graduated as a distinguished military and honor graduate.

Joanne Guerriero, Sr. Vice President of Client Services

Joanne is responsible for managing all Client Service operations and payroll services for PayChoice. These payroll services consist of payroll processing, client care centers, tax filing operations and online support services and training. Additionally, Joanne provides product development input for the design and enhancement of ENCORE – PayChoice’s newest payroll application. Prior to joining PayChoice, Joanne was with Ceridian, a global product and services company, delivering trusted results and transformative Human Capital Management technology. She has over 20 years of progressive leadership experience within the Small Business segment of Service Bureau operations. Joanne’s former positions and background include District Vice President of Client Services, Tax Filing Management, Strategic Planning & Initiatives; Product Development and Senior Project management. She is a graduate of Katherine Gibbs and has earned certifications in both Six Sigma and Certified Payroll Practice (CPP).

Phil McLaughlin, President, Software Licensing Division & Chief Information Officer

Phil is responsible for all IT efforts including application development as well as infrastructure. Additionally, Phil provides overall leadership for sales and operations for the software division of PayChoice. Prior to joining PayChoice, Phil was CIO at CheckFree Investment Services, where he led multiple teams and managed application development, quality assurance, systems architecture and strategic planning for multiple products. While at CheckFree, Phil created a strategic systems strategy to yield significant savings by eliminating redundant applications and notably improved customer satisfaction. Phil also improved application delivery by establishing best practices for software development and project management. Prior to this, Phil held the role of Business Line Chief Information Officer for PFPC, a division of PNC Bank, overseeing all aspects of their Managed Account Services information technology efforts, including application development, production support, operations and IT financial management. Phil received a B.S. in Electrical Engineering from Villanova University.

Joseph Martino, Vice President of Finance

Joseph Martino is responsible for all of PayChoice’s financial and accounting activities including treasury and cash management, reporting, budgeting, planning, and analysis. Mr. Martino spent several years in public accounting, including a stint with Ernst and Young, a Big Four accounting firm. The majority of Mr. Martino’s career was spent with Trigen Energy Corporation, an independent energy company and public utility, where he was Vice President and Controller. Mr. Martino earned a B.B.A in Accounting from Temple University and is a Certified Public Accountant. He joined PayChoice in June, 2006.

Products and Services

The following is a list of the products and services provided by PayChoice to its customers and Licensees:

Products:

PayChoice

PayChoice is the Company’s core payroll engine which is utilized by Licensees and internal service bureau users to perform all aspects of payroll processing, including data entry, calculation of gross pay, deductions, taxes, net pay, funds transfer, and reporting.

PayChoice Online

PayChoice Online is the online product offered by PayChoice. Often integrated with other modules under the moniker of Online Employer, PayChoice Online provides 24/7 payroll and tax management tools.

ViewChoice

ViewChoice is PayChoice’s report viewer and archive system allowing a business to view, store and share their payroll management records electronically.

Employee Self-Service (ESS)

ESS is a self-service, web-based product providing employers and their employees online access to personnel data, check stubs, time sheets, time off information and more. This web-based solution enables employees to access their information anywhere via a web browser.

General Ledger Integration

G/L Interface for QuickBooks allows a client to post payroll information to their QuickBooks accounting package. Accessed via Online Employer, clients have the online capability to post payroll data to their G/L.

Encore

Encore is PayChoice’s next generation payroll software platform. Built on Microsoft .NET and SQL Server database technology, Encore provides a wide array of payroll, reporting, Employee Self Service, and HR Information System (HRIS) capabilities.

WriteChoice

WriteChoice is a stand-alone, query based report writer (licensed from Cizer) that is integrated with the Online Employer suite of products. Via single sign on from Online Employer, it allows licensees, internal service bureau users and end client administrators to create reports from the data stored in PayChoice Online and Employee Self-Service in a variety of formats.

Services:

Payroll

Each pay period, a client submits payroll data to PayChoice in the manner they choose. PayChoice generates calculations, makes direct deposits, creates paychecks, produces garnishment checks and makes savings deposits for employees. In addition, PayChoice provides clients with detailed payroll journals and management reports.

Tax Pay and File

On a payroll by payroll basis, PayChoice calculates payroll taxes owed and takes responsibility for paying all federal, state and local taxes and filing the required quarterly and annual returns on a client’s behalf.

Automated Clearing House (ACH)

With direct deposit, employees designate the accounts into which they want their pay deposited. Then, each period's pay is automatically deposited into their choice of one or more checking, savings or retirement accounts. Employees receive a pay voucher showing the amounts deposited, and the employer receives a detail of transactions each pay period.

HR Online

In conjunction with its partner HR Answerlink, PayChoice offers a 24/7 email and phone human resources (HR) answer hotline. Clients also have access to an HR center that provides Employee Handbooks, an HR forms and letters library, standardized job descriptions, a Q&A database and an HR law library.

Custom Reporting

PayChoice offers a complete list of management reports covering cash disbursements, tax liabilities, departmental allocations, employee demographics and more. In addition, should a customer require custom reports based on the data within its payroll and HR systems, PayChoice can create custom reports.

Corporate Structure

PAI is a registered corporation under the laws of the State of Delaware. The Company is parent to three wholly owned subsidiaries, all of which are domiciled in Delaware.

Management and Organizational Structure

PAI’s operations are under the direction of the Chief Executive Officer. PAI employs a staff of approximately 260 in the following key functional units:

a) Conversions

The Conversion Department is responsible for setting up new clients and ensuring that all employee, wage and tax information is accurately captured.

b) Customer Support

Customer Support is responsible for addressing customer inquiries, inputting hours, rate changes and new hires for existing clients, and assisting clients with their periodic processing of payrolls.

c) National Tax Services

The National Tax Services is a centralized function that is responsible for tax payment and filing, tax notice resolution, ACH file transmissions, and client funds reconciliations.

d) Finance

The Finance Department is responsible for the financial management of the company and preparation of the financial statements.

e) Human Resources

The Human Resources Department is responsible for recruiting, retaining and developing employees to ensure that the company is able to meet its current and future business goals.

f) Information Technology

The Information Technology Department is responsible for computer hardware, operating software, networks, data security and system backups.

g) Legal Services

Legal Services provides risk management services to the Company by providing legal advice, ensuring compliance with state and federal laws and regulations, fostering an ethical corporate culture, and ensuring that appropriate safeguards are in place to protect corporate assets.

h) Sales

The Sales Department focuses on selling payroll and other employer services to the small and medium-size business community throughout the United States.

i) Communication and Marketing

Communication and Marketing is responsible for strengthening the PayChoice brand, facilitating various marketing and promotional campaigns, and improving awareness of ancillary services.

j) Software Support

Software Support is responsible for responding to questions and issues raised by users of PayChoice’s software products.

k) Development

The Development Group is responsible for maintaining, updating and enhancing the various software platforms developed and used by PayChoice.

B) Description of Relevant Processes

The following process descriptions outline the key functions within Payroll Associates, LLC’s information technology operations that are relevant to the scope of this SSAE 16 report.

INFORMATION TECHNOLOGY

Logical Security

Logical Security consists of software safeguards for an organization’s systems including user ID and password access, authentication, access rights and authority levels. These measures are implemented to ensure that only authorized users are able to perform actions or access information in a network or workstation.

User Access Controls

User accounts are created in the system based on proper approvals, and the following processes are followed for new hire access, terminations, database/system administrator/super user access and account recertification (job changes).

New User Access

For network, system and application access, the Human Resource department initiates the new hire process by submitting a user request via an electronically generated “IT Employee Change Form”. The completed password-protected form is scanned and attached to a ticket created within the internal ticketing system. Once approved, network, system and application user accounts/passwords and network share access are assigned by the IT department in accordance with the approvals documented in the submitted form.

Terminations

An electronically generated “IT Employee Change Form” is distributed to the IT Department when access to the network, systems and applications needs to be revoked for a terminated employee. The Human Resource department will authorize the removal of access to the network, user groups/permissions associated with the account, and application access by submitting the IT Employee Change Form to the PayChoice IT Department. The form is completed and emailed to IT no later than the date that the termination takes place. Additionally, the form is scanned and attached to a ticket created within the internal ticketing system. System Administrators receive the termination request and immediately disable the Windows network and system accounts; the disabled accounts are retained indefinitely for historical purposes.

Administrative/Privileged User Access

System Administrator, super user and direct update access to the systems and databases is restricted based on role-based access controls (RBAC). This framework is configured for operating system access control policies, in which users are assigned to roles, and roles are assigned permissions to perform system-specific operations. The administrative roles are segregated into Network Administrators, System Administrators, Desktop Administrators and Telecom Engineers.

Page 18: PayChoice Report 2013

Payroll Associates, LLC

IS Partners, LLC 17

SSAE 16 Type I - Confidential

Network Account Recertification

A formal review of network access is performed on a quarterly basis. IT personnel export a system-generated list of all workforce members from the domain and validate it against a list of active employees provided by Human Resources. The lists are compared to confirm that network access has been disabled for all terminated employees.
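The quarterly comparison described above, as an added example in Python that is not part of the report or of PayChoice's own tooling. The CSV layouts, column names, the known-exception list and the sample rows are all constructed for illustration; a real review would run over the actual domain export and HR extract.

```python
"""Quarterly network account recertification: reconcile a domain export of
all workforce accounts against HR's list of active employees and report any
enabled account that HR no longer vouches for.

Added example, not PayChoice's or IS Partners' tooling. The CSV layouts and
the sample rows below are constructed for illustration."""
import csv
import io
from dataclasses import dataclass

# Constructed domain export (what an export of all workforce accounts might
# look like). 'enabled' is the account's logon state in the domain.
DOMAIN_EXPORT = """\
sAMAccountName,displayName,enabled,lastLogon
jsmith,Jane Smith,true,2013-05-10
rjones,Robert Jones,true,2013-05-12
mlee,Mary Lee,false,2013-02-01
tbrown,Tom Brown,true,2013-05-14
svc_backup,Backup Service,true,2013-05-15
"""

# Constructed HR extract as of the review date. A 'terminated' row is kept so
# the two failure modes (stale HR status vs. no HR record) can be told apart.
HR_ACTIVE = """\
employee_name,network_id,status
Jane Smith,jsmith,active
Mary Lee,mlee,active
Tom Brown,tbrown,terminated
"""

# Accounts HR is not expected to own (service accounts); reviewed separately.
KNOWN_EXCEPTIONS = {"svc_backup"}


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def parse_csv(text):
    """Parse an exported CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def recertify(domain_csv, hr_csv, exceptions=frozenset()):
    """Compare the domain export with HR's list and return the findings.

    An enabled account is a finding when HR shows the employee as terminated
    or has no record of the account at all. A disabled account for an active
    employee is also reported so it can be reviewed (it is not an access
    risk, but it may indicate a stale HR record). Accounts in `exceptions`
    are skipped because they are certified through a separate process.
    """
    hr_by_id = {row["network_id"]: row for row in parse_csv(hr_csv)}
    findings = []
    for acct in parse_csv(domain_csv):
        name = acct["sAMAccountName"]
        if name in exceptions:
            continue
        enabled = acct["enabled"].strip().lower() == "true"
        hr = hr_by_id.get(name)
        if enabled and hr is None:
            findings.append(Finding(name, "enabled account with no HR record"))
        elif enabled and hr["status"] != "active":
            findings.append(Finding(name, "enabled account for terminated employee"))
        elif not enabled and hr is not None and hr["status"] == "active":
            findings.append(Finding(name, "disabled account for active employee"))
    return findings


def accounts_to_disable(findings):
    """Only the findings that require network access to be removed."""
    return sorted(f.account for f in findings if f.issue.startswith("enabled"))


if __name__ == "__main__":
    results = recertify(DOMAIN_EXPORT, HR_ACTIVE, KNOWN_EXCEPTIONS)
    for f in results:
        print(f"{f.account}: {f.issue}")
    print("disable:", accounts_to_disable(results))
```

Attach the findings list to the review ticket; the accounts returned by `accounts_to_disable` are the ones the termination control (disable, never delete) should already have covered.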

Password Controls

Network user passwords are required to be a minimum length of eight alphanumeric characters. Passwords must consist of upper and lower case letters and at least one symbol or punctuation character. All user level passwords are required to be changed every 45 days. A password history file is implemented to prevent the reuse of passwords from the last generation. The Account Lockout Policy has a lockout threshold of 5 consecutive unsuccessful password attempts. Locked accounts are automatically re-enabled after 15 minutes, or users can contact the PayChoice technology department to unlock the account in Active Directory after verifying the employee’s identification.

Remote Access

Employee-owned computers are prohibited from being connected to the PayChoice network, whether by local connection or Virtual Private Networking (VPN). Remote access is protected by security mechanisms and appropriately restricted to authorized employees. All employee remote access to the network requires the use of the company standard issued laptop configured with Sophos disk encryption and Cisco IPSec VPN technology. Users are authenticated by two separate and distinct methodologies to ensure secure communications and identity verification. Secure communications are established by the VPN security device through specific “client” software and the users’ Windows Active Directory user IDs and passwords. The IPSec VPN client utilizes 3DES or AES encryption to maintain the confidentiality of private data. Identity verification occurs through the Multi-factor Authentication (MFA) System, which is designed to call the company-issued mobile phone of the user requesting remote access approval (during the Login Process) and request the entry of the user’s unique PIN before granting access.

Authorization to receive remote access is granted through the same ticketing and approval process as for new users. If a new user is approved for a company issued laptop, approval is implied for them to have remote access. In addition to laptop users, remote access is authorized for, and limited to, the individuals within the IT department responsible for providing administration support for the company network and IT equipment.

Firewall Administration

Cisco firewall hardware appliances are strategically placed and configured to protect and prevent unauthorized access to the production network and systems. Access lists/rules are configured on the firewalls to block unwanted intrusions and access to the internal network. Systems and devices located behind the firewalls are secured from unauthorized users and potential internet attacks. Daily, security logs are informally reviewed by Systems Engineers to identify any potential breach of security.


Intrusion Prevention Administration (Provided by 3rd Party Vendor)

PayChoice has contracted with SecureWorks, an information security vendor, to provide a managed Intrusion Prevention and Detection Service (IPS/IDS) to safeguard the internal resources from unauthorized access. The SecureWorks security experts perform all management and maintenance of the IPS/IDS devices including:

• Signature tuning
• Signature updates
• Configuration changes
• Security Event Monitoring
• Performance and availability management

The IPS/IDS devices are strategically placed and configured to detect, log, and report potential security breaches. All alerts generated from across the IPS/IDS infrastructure are aggregated and correlated in real time. The SecureWorks Security Analysts monitor these alerts to eliminate false positives and escalate true threats to the PayChoice infrastructure.

The SecureWorks Network Intrusion Prevention and Detection Service provides comprehensive reports for immediate and transparent access to the current security status. All reports are based on real-time information and can be accessed on demand through the secure, web-based SecureWorks Portal. The Portal provides asset-based views, trending and comparative analyses, and technical reports.

Data Transmittal

The distribution of sensitive information by PayChoice is handled by two different methodologies; the specific methodology is determined by the nature of the data and/or the systems in which it resides:

Data that is produced and exists within proprietary PayChoice Application Software Systems and requires review or transmittal to clients or licensees is presented through the Online Employee and/or ViewChoice Application Portals. Data can be viewed or downloaded in Standard Reporting or PDF Document Format through the application portals using Secured HTTP Communication (HTTPS) encryption algorithms maintained through the use of SSL Security Certificates issued by either EnTrust or VeriSign. The communication channel created between the Client Browser and the Application Portals is an encrypted tunnel which prevents access to or duplication of data by third parties.

Ad-hoc data that is not produced by or maintained within the PayChoice Application Software Systems but is created in the course of business and deemed sensitive in nature is communicated to clients and licensees through the use of an external Secure File Transfer Service (File Guardian). PayChoice licenses this Secure File Transfer Service from Shugo. Shugo acts as a trusted intermediary that provides secure communication channels between PayChoice and the designated client or licensee through the hosting of a commercial website/portal designed specifically for the secure transmission of sensitive data.

The website/portal uses Secured HTTP Communication encryption algorithms maintained through the use of SSL Security Certificates issued by either EnTrust or VeriSign. The communication channel created between Web Browsers (utilized by PayChoice Staff and their designated clients) and the Application Portals is an encrypted tunnel which prevents access to or duplication of data by third parties.

Application Change Control

A formal Change Management and Systems Development Lifecycle (SDLC) methodology policy exists for PayChoice, PayChoice Online, and Encore, and is properly documented, approved and updated regularly by management. These policies are in place to ensure a standardized process for any application changes that are made.

Change requests are recorded and tracked through their final disposition. The tracking is done by the requesting manager responsible for the system. Requests for changes or enhancements to existing applications, or development of new applications, are approved by authorized Business Owners before work commences.

The changes are requested by the business area, so the Business Owners are involved from the point of the initial request. Functional requirements are approved by the authorized Business Owners. This is part of the initial request, which is sent to the outside vendor. Once the vendor makes the requested changes, they are loaded into a test database and a test front end.

The Business Owners are responsible for developing and executing a test plan on the changes. User acceptance level testing is completed and approved by the Business Owners. Since the Business Owners are responsible for performing the testing, there is an automatic approval once they are satisfied the changes are working as expected.

Upon satisfactory completion of the testing plan, Business Owners approve the implementation of the application change or enhancements and the changes are migrated to the production environment. All changes take place in the same manner with the exception of changes to the Time and Attendance Application.

EasyChoice Time and Attendance is a user of a time and attendance system called Web-Apps (a.k.a. SaaShr.com), which is private labeled as TimeVantage. The software resides on PayChoice’s servers and Web-Apps is responsible for updating the software to keep it current with their hosted solution.

As the product vendor/owner, Web-Apps conducts all product development, integration/regression testing and production code escalation activities in accordance with their own internal SDLC and Change Management Processes. Web-Apps coordinates their Production Code Escalation Activities with the designated internal PayChoice TimeVantage Product Development Manager.


Network Software Change Control

Formal system software and supporting infrastructure change management policies and procedures exist and are reviewed and approved by the appropriate personnel on a regular basis. These policies are in place to ensure a standardized process for any software modifications that are made.

Change requests are approved by the appropriate IT management to ensure that the requested changes will not adversely affect the production environment. The request is made in one of three ways: 1) via an e-mail to the outside vendor responsible for making the changes, 2) via an e-mail to the internal team / department responsible for making the changes, or 3) in response to notifications received from external vendors responsible for product platforms utilized by PayChoice. The manager responsible for the affected system sends the email. This email details the change that is required and/or the error that was discovered.

At least one prior version of the production program is maintained for back-out purposes. The prior versions are maintained via the backup process, which is detailed in the Computer Operations area. Should there be a problem with a change, it can be backed out via a restore from the backup of the system from a prior date.

System software and supporting infrastructure changes are adequately tested and approved, by appropriate personnel, prior to being migrated into the production environment.

Patches to system software and/or information technology infrastructure are authorized and approved by the appropriate personnel. Any patches are provided by the vendor with the details as to the necessity of the patch. The patch will be migrated to the production environment and appropriately tested by the business area responsible for the system.

The programming for all Commercial off the Shelf (COTS) products is completed by outside vendors and not onsite programmers. As a result, there are no changes that would be classified as emergency changes. Each change would follow the same process in order for the outside vendor to make the changes.

Computer Operations

Backup Process

PayChoice has implemented backup procedures to protect the confidentiality, integrity, and availability of the electronically protected client information and systems.

For the PayChoice, PayChoice Online, Encore and Time & Attendance systems, PayChoice has incorporated a Disk-Disk-Tape backup strategy as the solution for safeguarding these systems and data. The two-phase strategy utilizes an enterprise-level backup architecture design that incorporates enterprise backup software products, disk storage appliance(s) and high density tape libraries. Access to make changes to the configuration of the backup software solution(s) is restricted to the Systems Engineers.

Daily and weekly backup jobs are saved to disk storage appliance(s) located within the data center. Weekly and monthly backup jobs are saved to tape within the high density LTO tape libraries located at the data center. The enterprise backup software will verify that the backup has completed and that all files were saved correctly. If a backup job encounters an error, the system automatically generates an email notification to the Systems Engineer distribution group. The alerts are reviewed and the failed jobs are rescheduled.

PayChoice has not finalized contractual negotiations with an offsite storage provider to store backup tapes. All tapes remain in the tape libraries except for the full monthly backup tapes. The monthly tapes are pulled from the tape libraries by the PayChoice Systems Engineers and stored for a minimum of 7 years in a fireproof safe within a secured room.

Restoration Process

Periodically, data backup restores are performed to confirm the integrity of the data and viability of the backup media.

Physical Access Controls

Responsibility for securing access to critical and sensitive areas is assigned to the Chief Information Security Officer and Local Branch Manager. Access to the data center is restricted to appropriate personnel and requires management authorization. A facility access form must be completed to add and authorize access to the DBSi facility.

Building & Data Center Security

Access to the production data center facility is secured by physical restrictions such as security systems and surveillance cameras to ensure that access is restricted to authorized personnel. The building main entrance is monitored by security guards. Visitors are required to sign the logbook and be escorted and monitored at all times during the visit. Intrusion detection is monitored 24x7 by a security system and by surveillance cameras located throughout the facilities. The cameras located on the data center floor are monitored by the DBSi technicians onsite and by the technicians at two additional DBSi data center facilities.

Access to the data center facility is controlled and restricted through the use of multiple ingress / egress points that utilize security doors, access card readers, biometric device scanners and multi-factor (2-factor) authentication. Access through the primary door requires an access / key card. Access through the second door requires 2-factor authentication: a retinal scan biometric device and an access / key card. Access through the final door requires an access / key card.

Access to the computer equipment, systems, and storage media is segregated in a dedicated cage controlled by security mechanisms and restricted to appropriate personnel. An access card scanner is used to restrict access to the cage within the data center.

Access to the facility and data center is disabled upon notification when an employee is terminated. PayChoice authorized personnel must notify DBSi for the removal of access. Access to the data center is periodically reviewed by appropriate personnel to detect unauthorized access.

Environmental Controls

Automated systems are configured to prevent and minimize hardware/software loss from an environmental hazard (such as fire, flood, power failures, excessive heat and humidity) to the data center facility.

Onsite DBSi network technicians oversee the data center environmental safeguards and back-up power management systems. These safeguards and systems include fire suppression, power management, heating, ventilation and air conditioning (HVAC). The safeguards by location are as follows:

• The Bethlehem facility is equipped with the following environment protection control mechanisms:
  o All network infrastructure and technology assets are supplied by conditioned power from uninterruptible power systems installed in an N+1 configuration.
  o All computer rooms are equipped with CRAC units in an N+1 configuration.
  o Two generators, with an onsite fuel supply of approximately 48-60 hours, are in place to provide power to the building in the event of a long-term power outage. Bi-weekly testing is completed.
  o Customer work spaces are equipped with either an FE25 fire suppression system or a CO2 preaction dry pipe system. A third party provider inspects the system.
  o Water sensors have been installed below the raised floor.

• The Valley Forge facility is equipped with the following environment protection mechanisms:
  o An automated building management system is in place to monitor all environmental elements in the facility and report abnormal patterns to management in real time.
  o All network infrastructure and technology assets are supplied by conditioned power from uninterruptible power systems installed in an N+1 configuration.
  o All computer rooms are equipped with CRAC units in an N+1 configuration.
  o Four generators, with an onsite fuel supply of approximately 32-40 hours, are in place to provide power to the building in the event of a long-term power outage. Bi-weekly testing is completed.
  o All computer rooms are equipped with an FM 200 fire suppression system. A third party provider inspects the system.
  o Water sensors have been installed below the raised floors.

• The Breinigsville facility is equipped with the following environment protection mechanisms:
  o An automated building management system is in place to monitor all environmental elements in the facility and report abnormal patterns to management in real time.
  o All network infrastructure and technology assets are supplied by conditioned power from uninterruptible power systems installed in an N+1 configuration.
  o All computer rooms are equipped with CRAC units in an N+1 configuration.
  o Six generators, with an onsite fuel supply of approximately 45 hours, are in place to provide power to the building in the event of a long-term power outage. Bi-weekly testing is completed.
  o All computer rooms are equipped with an FM 200 fire suppression system. A third party provider inspects the system.


C) Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls

PAI’s management has established a system of internal controls aligned with the integrated framework established by the Committee of Sponsoring Organizations (COSO). The framework consists of several interrelated components as follows:

1) Control Environment

PAI is committed to maintaining an organizational structure that supports an effective control environment. The control environment is comprised of various elements, including the proper segregation of job responsibilities, assignment of job functions commensurate with skill, properly defined roles and responsibilities, hiring of experienced staff, internal quality control processes, management oversight, and proactive fraud detection and risk mitigation strategies, established to facilitate the effectiveness and integrity of PAI’s operations.

To facilitate the continued presence of an effective control environment, PAI has incorporated a series of internal and external oversight and management functions within their operations as follows:

• Board of Directors’ oversight
• Audit Committee participation
• Independent financial statement audits
• Monthly budget monitoring
• Monthly financial reporting

2) Risk Assessment Process

PAI conducts ongoing risk assessments which are facilitated by a formal Risk Committee which is led by the Vice President of Finance. The Risk Committee meets on a quarterly basis to ensure that existing risks are being properly addressed and managed, and to identify potential future risks and business impediments. The Risk Committee fosters an awareness of risk at every level of the organization through regular interaction between management and operations personnel.

The primary risk areas identified by PAI include: a) data security, b) data integrity and reliability, c) client credit risk, and d) client funds control.

3) Information and Communication Systems

Information is a part of PAI’s processes and integrated systems. PAI maintains an information process that allows pertinent information and data to be identified, captured and communicated in a timely fashion, thus enabling employees to efficiently fulfill their job responsibilities and functions. The information process utilizes data from both inside and outside the organization, which is used to guide PAI’s strategic and tactical decision making, as well as to measure performance.


In addition, a communication process also exists within PAI’s current operating environment. The communication process facilitates a clear dialogue between PAI’s management and staff personnel. The overall communication process consists of individual tasks including:

• Weekly Operations Calls – where management personnel from each operating branch and the Shared Services Department discuss existing and potential issues affecting the payroll group.
• Quarterly Town Hall Meetings – where senior management personnel present a high-level update pertaining to PAI’s mission statement and progress on major initiatives and metrics.
• Annual Operations Summit – where participants in the Weekly Operations Calls meet to address major issues and initiatives.

4) Monitoring Controls

PAI management monitors their internal processes and control activities as part of their routine operations. The monitoring function is conducted by PAI management through the preparation and review of a series of management reports designed to illustrate the success of PAI’s internal control functions and delivery of customer services. The management reports consist of Board of Director packages, financial analyses, business performance metrics and customer service metrics.

PAI monitors the performance of its personnel by conducting annual performance reviews for all of its management and support staff. In addition, PAI maintains an outsourced internal audit function that routinely monitors the integrity of selected functions and operations.


D) Scope and Applicability of the Report

This report has been prepared in accordance with the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements No. 16 – Reporting on Controls at a Service Organization (SSAE 16). The report is intended to provide the user organizations and their independent auditors with an understanding of the controls related to PayChoice’s services in the areas of:

Information Technology General Controls (related to all business processes)
  a) Logical Security
  b) Application Change Control
  c) Network Software Change Control
  d) Computer Operations
  e) Physical Access

in order for user organizations’ independent auditors to plan their audits. This report describes these controls as of May 15, 2013.

This report is intended to focus on features relevant to control; it does not encompass all aspects of the procedures followed by PAI. If a user organization does not have an effective internal control structure in place, the controls and related control objectives presented in this report may not compensate for such a weakness.

The control objectives, process descriptions and supporting control activities for each of the key processes and functions included in the scope of this report are presented in section IV.


E) Complementary User Entity Controls

PAI’s controls were designed with the assumption that certain controls would be placed in operation at user organizations. In certain instances, the application of specific controls at user organizations is necessary to achieve certain control objectives included in this report.

The following list outlines controls that should be in operation at user organizations to complement the controls listed in section IV. The list does not represent a comprehensive set of all of the controls that should be employed by user organizations. User organizations’ auditors should consider whether the following controls have been placed in operation at user organizations:

• Controls should be established to ensure that all data transmitted by the user organizations to PAI is complete, accurate, timely, and protected.
• Controls should be established to ensure that access to user organizations’ systems and applications is adequately restricted to authorized personnel.
• Controls should be established to ensure that output data generated by PAI is reviewed by the user organizations for accuracy.
• Controls should be established to ensure that PAI’s controls included in the scope of this report are relevant to the services being utilized by the user organizations.


IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF CONTROLS

Information Technology

Control Objective: Logical Security
Controls provide reasonable assurance that access to system resources (i.e., programs, data, tables and parameters) is restricted to properly authorized individuals.

Control Owner | Control No. | Control Activity
PAI | 1.1 | New hire, temporary, contractor or managed account access to the network, systems and applications requires approval from the appropriate management personnel prior to being granted.
PAI | 1.2 | Access to the network, systems, and applications for PayChoice personnel and managed customer accounts is disabled/removed for terminated employees upon notification.
PAI | 1.3 | Network user accounts and profiles are reviewed and reauthorized on a periodic basis by appropriate personnel.
PAI | 1.4 | Password controls such as change frequency, complexity, user lockout, length and password history are configured to prevent unauthorized access to logical network resources.
PAI | 1.5 | System Administrator, super user and direct update access to the systems and databases is restricted to appropriate personnel.
PAI | 1.6 | Remote access is protected by security mechanisms and appropriately restricted to authorized employees.
PAI | 1.7 | Firewalls are properly configured to prevent unauthorized access to the network and critical systems and logs are reviewed periodically by appropriate personnel.


Control Objective: Application Change Control
Controls provide reasonable assurance that the changes to existing applications and the development of new applications are authorized, tested, approved, properly implemented and documented.

Control Owner | Control No. | Control Activity
PAI | 2.1 | A Formal Change Management and Systems Development Lifecycle methodology policy exists, is properly documented, approved and updated regularly by management.
PAI | 2.2 | Change requests are recorded and tracked through their final disposition.
PAI | 2.3 | Requests for changes or enhancements to existing applications, or development of new applications, are approved by authorized Business Owners before work commences.
PAI | 2.4 | Functional requirements are approved by the authorized Business Owners.
PAI | 2.5 | The Business Owners are responsible for developing and executing a test plan on the changes.
PAI | 2.6 | User acceptance level testing is completed and approved by the Business Owner.
PAI | 2.7 | Business Owners approve the implementation of the application change or enhancements and the changes are migrated to the production environment.


Control Objective: Network Software Change Control
Controls provide reasonable assurance that the changes to existing system software and the development of new System Software are authorized, tested, approved, properly implemented and documented.

Control Owner | Control No. | Control Activity
PAI | 3.1 | Formal system software and supporting infrastructure change management policies and procedures exist and are reviewed and approved by the appropriate personnel on a regular basis.
PAI | 3.2 | Change requests are approved by the appropriate IT management to ensure that the requested changes will not adversely affect the production environment.
PAI | 3.3 | At least one prior version of the production program is maintained for back-out purposes.
PAI | 3.4 | System software and supporting infrastructure changes are adequately tested and approved, by appropriate personnel, prior to being migrated into the production environment.
PAI | 3.5 | Patches to system software and/or information technology infrastructure are authorized and approved by the appropriate personnel.


Control Objective: Computer Operations
Controls provide reasonable assurance that data is retained, backed up completely, stored offsite and deviations are identified and resolved in a timely manner.

Control Owner | Control No. | Control Activity
PAI | 4.1 | Access to make changes to the backup software is restricted to appropriate personnel.
PAI | 4.2 | Backups are monitored on a daily basis by authorized IT personnel and failed backups are resolved in a timely manner and in accordance with the formalized backup procedures.
PAI | 4.3 | Daily, weekly, and quarterly production systems data backups are stored at a secured offsite facility sufficiently remote from the data center.
PAI | 4.4 | Periodically, data backup restores are performed to confirm the integrity of the data and viability of the backup media.


Control Objective: Physical Access Controls provide reasonable assurance that access to computer equipment and storage media is restricted to properly authorized

individuals based on job responsibilities, and environmental controls are configured to protect systems from potential hazards.

Control

Owner

Control No. Control Activity

PAI

5.1

Responsibility for securing access to critical and sensitive areas is assigned to appropriate personnel.

DBSi 5.2 Access to the data center is restricted to appropriate personnel and requires management authorization.

DBSi 5.3

Access to the production data center facility is secured by physical restrictions such as security

systems and surveillance cameras to ensure that access is restricted to authorized personnel.

DBSi 5.4

Access to the computer equipment, systems, and storage media is segregated in dedicated cabinets

controlled by security mechanisms and restricted to appropriate personnel.

PAI / DBSi 5.5 Access to the facility and data center is disabled upon notification when an employee is terminated.

PAI 5.6

Access to the data center is periodically reviewed by appropriate personnel to detect unauthorized

access.

DBSi 5.7

Automated systems are configured to prevent and minimize hardware/software loss from an

environmental hazard (such as fire, flood, power failures, excessive heat and humidity) to the data

center facility.


DBSi 5.8 Scheduled maintenance procedures are performed to test and validate the operation of the environmental control devices.


V. ADDITIONAL INFORMATION PROVIDED BY THE INDEPENDENT SERVICE AUDITOR

A) Introduction

This report is intended to provide PAI's customers and the independent auditors of PAI's customers with information regarding the controls placed in operation at PAI as of May 15, 2013, related to its information technology support system that may be relevant to a customer organization's internal control as it relates to an audit of financial statements. The information contained in this report should assist the independent auditors of PAI's customers in planning an audit of their own financial statements, in accordance with guidance provided by Statement on Standards for Attestation Engagements No. 16 – Reporting on Controls at a Service Organization. The report is not intended to provide the independent auditors of PAI's customers with a basis for reducing their assessment of control risk.

Our examination was conducted in accordance with Statement on Standards for Attestation Engagements No. 16 – Reporting on Controls at a Service Organization. Our examination was restricted to those control objectives and related control activities outlined by PAI's management in section IV, which management believes are the relevant key controls for the stated objectives.

Our responsibility is to express an opinion as to whether the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily. It is each interested party's responsibility to evaluate this information in relation to internal controls in place at each user organization. If an effective internal control structure is not in place at a user organization, the controls within PAI may not compensate for such a weakness. It is each user organization's responsibility to evaluate this information in relation to internal control policies and procedures in place at their organization to obtain an understanding of the internal controls and assess control risk.


B) Responsibilities of the Independent Service Auditor

As part of our review of PAI's controls, we performed a variety of tests, each of which provided different levels of audit satisfaction. The combined results of these tests provided the basis for our understanding of the framework for control and whether the controls represented in section IV were actually in place and suitably designed as of May 15, 2013.

The following test procedures were performed, all or in part, as deemed appropriate, in making our determination:

Test Procedure  Description

Inquiry: Interviewed relevant personnel about the details surrounding the controls to obtain an understanding of the controls.

Observation: Visually observed the execution of the controls.

Inspection: Physically reviewed/inspected documentation/evidence utilized in completing the controls, or supporting the existence thereof.


C) Consideration of Relevant Aspects of Internal Control

PAI’s internal control environment is comprised of various elements designed to enhance the effectiveness of its internal control system. These elements include:

Organizational structure

Tone at the top

Risk assessment

Management control and oversight

Information and communication

Human resource policies and procedures

Code of professional conduct

Monitoring

Our tests of the internal control environment included the completion, in part or in combination, of various inquiry and observation procedures, as deemed necessary, to provide the basis for our understanding of the design of the internal control system as of May 15, 2013, and the rendering of our opinion in accordance with the requirements set forth in Statement on Standards for Attestation Engagements No. 16 – Reporting on Controls at a Service Organization.