Report on Paychex, Inc.’s Description of its ExpenseWire® Online Expense Management System and on the Suitability of the Design and Operating Effectiveness of Its Controls Throughout the Period November 1, 2015 to October 31, 2016



Table of Contents

SECTION ONE .............................................................. 1
  Independent Service Auditor’s Report ................................... 2

SECTION TWO .............................................................. 5
  Assertion of the Management of Paychex, Inc. ........................... 6

SECTION THREE ............................................................ 8
  ExpenseWire® Online Expense Management System’s Description
    Introduction ......................................................... 9
      Company and System Overview ...................................... 9
      Purpose ............................................................ 10
      Objectives ......................................................... 10
      Subservice Organizations ........................................... 10
    Relevant Aspects of Paychex Inc.’s Control Environment ............... 11
      Control Environment ................................................ 11
        Integrity and Ethics ............................................. 11
        Organization ..................................................... 12
        Administration ................................................... 14
      Enterprise Support ................................................. 15
      Internal Audit Function ............................................ 15
      Monitoring Subservice Organizations ................................ 15
    Relevant Aspects of Paychex Inc.’s Information Technology Controls ... 16
      General Information Technology Controls ............................ 16
        Change Management ................................................ 16
        Network Security, Operational Monitoring and Problem Management .. 18
        Logical Access ................................................... 19
        Physical Access .................................................. 20
        Environmental Systems ............................................ 20
        Data Backups ..................................................... 21
        Scheduling ....................................................... 21
    Relevant Aspects of Paychex Inc.’s ExpenseWire® System Controls ...... 22
      User Organization Implementation ................................... 22
      Organization Account Maintenance ................................... 23
      Reporting Output ................................................... 24
      Communication ...................................................... 24
    Complementary User Control Considerations ............................ 25
      User Control Considerations ........................................ 25

SECTION FOUR ............................................................. 26
  Control Objectives, Related Controls and Tests of Controls ............. 27


SECTION ONE

Independent Service Auditor’s Report


INDEPENDENT SERVICE AUDITOR’S REPORT

To the Board of Directors of Paychex, Inc.:

Scope

We have examined Paychex, Inc.’s description of its ExpenseWire® Online Expense Management System for expense reporting and providing its user entity’s visibility and analytics to more easily enforce company policy and manage costly expenses like travel and entertainment throughout the period November 1, 2015 to October 31, 2016 (description) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of Paychex, Inc.’s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

As indicated in the description, Paychex, Inc. uses subservice organizations for all of its user entity credit card transaction display and customer relationship management system and services. The description in Section 3 of this report includes only the control objectives and related controls of Paychex, Inc. and excludes the control objectives and related controls of the subservice organizations. Our examination did not extend to controls of the subservice organizations and we have not evaluated the suitability of the design or operating effectiveness of such subservice organization controls.

Service organization’s responsibilities

In Section 2 of this report, Paychex, Inc. has provided an assertion about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. Paychex, Inc. is responsible for preparing the description and assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Service auditor’s responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period November 1, 2015 to October 31, 2016.

171 Sully’s Trail, Suite 201

Pittsford, New York 14534

p (585) 381-1000

f (585) 381-3131

ALBANY • BATAVIA • BUFFALO • EAST AURORA • GENEVA • NYC • ROCHESTER • RUTLAND, VT • SYRACUSE • UTICA

www.bonadio.com


An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description of the system and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at page 6. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in Paychex Inc.’s assertion on page 6,

a. the description fairly presents the ExpenseWire® Online Expense Management system that was designed and implemented throughout the period November 1, 2015 to October 31, 2016.

b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period November 1, 2015 to October 31, 2016 and user entities applied the complementary user entity controls contemplated in the design of Paychex Inc.’s controls throughout the period November 1, 2015 to October 31, 2016.

c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period November 1, 2015, to October 31, 2016.

Description of tests of controls

The specific controls tested and the nature, timing, and results of those tests are included in Section 4 of this report.


Restricted Use

This report, including the description of tests of controls and results thereof in Section 4 of the report, is intended solely for the information and use of Paychex, Inc., user entities of Paychex Inc.’s ExpenseWire® Online Expense Management system during some or all of the period November 1, 2015, to October 31, 2016, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than those specified parties.

Pittsford, New York
January 3, 2017


SECTION TWO

Assertion of the Management of Paychex, Inc.


Bonadio & Co., LLP
171 Sully’s Trail
Pittsford, New York, 14534

We have prepared the description of Paychex, Inc.’s ExpenseWire® Online Expense Management system (description) for user entities of the system during some or all of the period November 1, 2015 to October 31, 2016, and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves when assessing the risks of material misstatements of user entities’ financial statements. We confirm, to the best of our knowledge and belief, that:

1) The description fairly presents the ExpenseWire® Online Expense Management system made available to user entities of the system during some or all of the period November 1, 2015 to October 31, 2016 for expense reporting and providing its user entity’s visibility and analytics to more easily enforce company policy and manage costly expenses like travel and entertainment. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of Paychex, Inc.’s controls are suitably designed and operating effectively, along with related controls at Paychex, Inc.

The description also indicated that Paychex, Inc. uses the following subservice organizations to perform aspects of its ExpenseWire® Online Expense Management System:

• Yodlee, to perform aspects of its user entity credit card transaction display system;

• Salesforce.com, to assist in customer relationship management systems and services;

• XE.com, to obtain currency conversion rates;

• Hipaaspace.com, a data registry used to gather National Provider Identifier (NPI) information;

• OpenText, to perform faxed receipt processing functions for the Company; and

• Orbitz, Egencia, and GetThere, to manage user entity travel itineraries.

The description on pages 9–24 includes only the control objectives and related controls of Paychex, Inc. and excludes control objectives and related controls of Yodlee, Salesforce.com, XE.com, Hipaaspace.com, OpenText, Orbitz, Egencia, and GetThere. The criteria we used in making this assertion were that the description:

a) Presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including, if applicable:

i) The types of services provided, including, as appropriate, the classes of transactions processed.

ii) The procedures, within both automated and manual systems, by which services are provided, including, as appropriate, procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports and other information prepared for user entities of the system.

iii) The related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports and other information prepared for user entities of the system.

iv) How the system captures and addresses significant events and conditions, other than transactions.

v) The process used to prepare reports and other information provided to user entities of the system.

vi) The specified control objectives and controls designed to achieve those objectives including, as applicable, complementary user entity controls contemplated in the design of those controls.

vii) Other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.

b) Does not omit or distort information relevant to the scope of the ExpenseWire® Online Expense Management system for expense reporting and providing its user entity’s visibility and analytics to more easily enforce company policy and manage costly expenses like travel and entertainment, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities and their independent auditors and may not, therefore, include every aspect of the system that each individual user entity of the system and its auditor may consider important in its own particular environment.

2) The description includes relevant details of changes to the ExpenseWire® Online Expense Management system during the period covered by the description.

3) The controls related to the control objectives stated in the description, which together with the complementary user entity controls referred to above if operating effectively, were suitably designed and operating effectively throughout the period November 1, 2015 through October 31, 2016 to achieve those control objectives. The criteria we used in making this assertion were that:

a) The risks that threaten the achievement of the control objectives stated in the description have been identified by us;

b) The controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and

c) The controls were consistently applied as designed, and manual controls were applied by individuals who have the appropriate competence and authority.

Paychex, Inc.
January 3, 2017

SECTION THREE

ExpenseWire® Online Expense Management System’s Description

EXPENSEWIRE® ONLINE EXPENSE MANAGEMENT SYSTEM’S DESCRIPTION

INTRODUCTION

Company and System Overview

Paychex, Inc. ("Paychex" or "the Company") is a leading provider of integrated human capital management (HCM) solutions for payroll, human resource, retirement and insurance for small- to medium-sized businesses. Paychex has more than 100 offices nationwide and serviced approximately 605,000 payroll clients as of May 31, 2016. In fiscal 2016, the Company reported over $2.9 billion in revenues.

Payroll processing is a key aspect of the Paychex service portfolio. The Company’s payroll services include the calculation, preparation, and delivery of employee payroll checks; and production of internal accounting records and management reports. Payroll service also includes preparation of federal, state, and local payroll tax returns; and the collection and remittance of clients’ payroll obligations.

The corporate headquarters, located in Rochester, NY, provide administrative and operational support to Paychex facilities throughout the United States. Staffing at most locations consists of Managers, who manage the operations; Supervisors, who oversee and supervise daily payroll system input and processing; Specialists, who manage the initial client relationship for the first few payrolls and facilitate the ongoing processing of client payroll information; Computer Operators, who process and print payrolls; Fulfillment Specialists, who pack and prepare payroll for delivery; and Sales Managers and Representatives who sell the Company’s products and services. All significant computer operation and data processing activities occur at the Corporate Data Centers (CDCs) located near Rochester, NY and Omaha, NE.

Paychex offers a number of payroll services to address the different needs and levels of complexity of clients. The Company’s payroll processing services support the following markets:

• Small Business Payroll – small-size businesses – 1 to 49 employees

• Mid Market Services (MMS) – medium to large businesses – 50+ employees

The ExpenseWire® Online Expense Management System (“ExpenseWire®”) is an integrated online solution to streamline expense reporting for Paychex Inc.’s user entities. The product integrates with corporate and personal credit cards, and most banks. The system was designed to assist user entity employees with saving travel and entertainment cost on the fly while enforcing user entity spending policies. With ExpenseWire®, employees of user entities can:

• File expense reports online.

• Upload pictures of associated receipts as needed.

Managers can review and approve quickly, and Finance can process reimbursements, all via the ExpenseWire® application. Expense reimbursements may be transferred directly to an employee’s account, paid through payroll processing or via the client’s current accounts payable processes. Paychex ExpenseWire® utilizes an automated approach to process plan activity. Plan activity includes implementation and account maintenance.


Purpose

This report describes Paychex Inc.’s ExpenseWire® system. SSAE 16 defines “system” as the policies and procedures designed, implemented and documented by management of the service organization to provide user entities with the services covered by the service auditor’s report. Paychex Inc.’s description of its system identifies the product services covered, the period to which the description relates, the control objectives specified by management and related controls. This report features the services provided by Paychex Inc.’s ExpenseWire® system and focuses on control objectives as they may be relevant to the internal controls of Paychex Inc.’s clients using the ExpenseWire® system. The scope of this report covers the business processes that Paychex has determined are significant to its clients using the ExpenseWire® system. Paychex management is responsible for the identification of the control objectives and risks, and for the manual and automated controls placed into operation to achieve those objectives. This includes any and all applicable information technology infrastructure for ExpenseWire®.

Objectives

This report provides user entities and their auditors with a description of the Company’s controls in place related to the ExpenseWire® System and confidence that these controls were suitably designed and in operation as of October 31, 2016.

Subservice Organizations

Paychex Inc. utilizes subservice organizations to support the displaying of transactions and the documenting of client interactions for the ExpenseWire® system. The controls for the services provided by the following subservice organizations are not included in the scope of this report.

Subservice Organization Name     Service Provided
Yodlee                           User Entity Credit Card Transaction Display
Salesforce.com                   Customer Relationship Management System and Services
XE.com                           Currency Conversion Rates
Hipaaspace.com                   National Provider Identifier (NPI) Registry Data
Orbitz, Egencia, GetThere        User Entity Travel Itinerary Display
OpenText                         Faxed Receipt Processing


RELEVANT ASPECTS OF PAYCHEX, INC.’S CONTROL ENVIRONMENT

CONTROL ENVIRONMENT

Paychex provides its employees with the Company’s overall philosophy on professional conduct and operating style that establishes the framework for other aspects of internal control. The control environment at Paychex involves the following areas:

Integrity and Ethics

Organization

Administration

Integrity and Ethics

The Paychex Mission Statement

Paychex is guided by the following mission statement:

“We will be the leading provider of payroll, human resource, and employee benefit services by being an essential partner with America’s businesses.”

Code of Business Ethics and Conduct

A set of standards for proper business conduct is published to allow Paychex employees, clients and suppliers to gain a better understanding of how Paychex wishes to conduct business. The areas addressed include gifts and amenities limits, avoiding misrepresentation, personal conduct, equitable practices, conflicts of interest, and proprietary information. Paychex also has a process for anyone to report corporate misconduct or communicate complaints and concerns. Anyone who has a concern about the conduct of a Paychex executive or other officer, or about the Company’s accounting, internal accounting controls or auditing matters, may communicate that concern directly to the Audit Committee Chairman of the Paychex Board of Directors. Employees may use a toll-free number published on the Company’s website to initiate this communication. The Code of Business Ethics and Conduct is documented in the Employee Handbook and updates are communicated to employees annually. New employees receive the Code of Business Ethics and Conduct with their welcome package and must formally acknowledge its receipt, which is monitored and tracked by Human Resources. In addition, all employees are required to complete an online training class on the Code of Business Ethics and Conduct annually.

Conflict of Interest Statement

In general terms, a conflict of interest can be considered to exist if personal interests and activities would damage Paychex business interests and activities. Typical conflicts of interest are outlined in the Code of Business Ethics and Conduct. This communication to employees provides clear guidelines on circumstances that may interfere with an employee’s role at Paychex.

Privacy Statement

Paychex is committed to providing cost-effective payroll, payroll tax preparation, human resources, and employee benefits for any size business. In an effort to meet that commitment, clients may have to provide Paychex with business, financial and/or personal information about their organization and their employees. Clients’ privacy and the privacy of the information provided are extremely important to Paychex. Paychex protects the security of the client’s business, financial, and/or personal information. Paychex uses reasonable care to protect data from loss, misuse, unauthorized access, disclosure, alteration, and ultimately destruction. Paychex grants access to personal client information only to its employees, agents, and service providers so they can provide products or services, process and service client accounts and administer their business.


Additionally, Paychex does not sell or disseminate client information to any third parties under any circumstances, except to fulfill legal and regulatory requirements, and to facilitate client requested transactions.

Organization

Information Technology Environment

Paychex has two production Corporate Data Centers (CDCs) located near Rochester, NY and a third located near Omaha, NE. These CDCs house all significant computer operations and data processing activities and maintain identical data for all in-scope applications. ExpenseWire® applications spanning multiple systems reside in multiple data centers. Systems are comprised of enterprise class servers using a variety of operating systems. Each data center includes temperature controlled areas, fire suppression systems, an uninterruptible power supply and a raised floor. The management of the data centers, including the environmental controls, is owned by Product Development & Information Technology (PD&IT). The data centers contain redundant equipment for air conditioning, power, and fire suppression systems. This equipment is tested through a series of preventative maintenance procedures and planned test procedures.

Product Development & Information Technology (PD&IT) Function

The Paychex PD&IT function reports to the Senior Vice President of Information Technology, Product Management and Development. The Paychex PD&IT function manages the CDC facilities near Rochester, NY and Omaha, NE and supports the information technology services for various Paychex business units. The Paychex PD&IT function is responsible for the charter creation, prioritization, backlog management, design, analysis, construction, testing and deployment of both internal and external facing applications and websites. They are also responsible for infrastructure planning, server maintenance, web engineering, database administration, architecture, release management, performance testing and the internal support call center.

The PD&IT department runs an Agile software development life cycle that consists of Agile teams of five to nine software developers and test engineers managed jointly by a product owner, a scrum master, and a solution lead.


The PD&IT function at Paychex consists of the following four areas responsible for the availability, security, and integrity of Paychex systems and applications.

1. Product Development – responsible for using the charter and daily collaborating with the product owner in an Agile software development life cycle to define, design, plan, build and test user stories from a prioritized backlog in a series of two to three week sprints. Each Agile team participates in defining user stories in conjunction with the Product Owner, designing the solution in conjunction with the solution lead, building the solution, creating automated test scripts, and performing manual testing through both defined test cases and exploratory testing. The Product Development teams include the Systems Development and Test Engineering teams, which are responsible for software, as well as testing and implementing software systems supporting the business units. The Systems Development and Test Engineering team members are organized by product and role. Developers and Testers are assigned to project teams based on project needs and priorities.

2. IT Operations – responsible for providing the physical and logical computing and network infrastructure to help ensure the availability, reliability and flexibility of the CDCs and the corporate facilities. This group encompasses Enterprise Support, Enterprise Operations and Production Services, Architecture, Performance and Tools, and Corporate Business Applications. Enterprise Support is responsible for problem resolution, education, and project representation. Enterprise Support also serves as the Lead Contact during business continuity scenarios.

3. Product and Program Management – responsible for managing business and technology projects using industry accepted project management practices, standards and techniques. This group identifies, communicates and manages multiple projects and their impact on achieving future business or technology programs. This group encompasses Product Management and the Program Office.

4. Enterprise Data and Systems Security – responsible for developing and managing best practice methods, procedures and technologies necessary for the life cycle protection of information assets. This group is responsible for risk management, architecture, engineering, assessment, incident response, transmission, administration and compliance management functions that monitor and defend data from inception through destruction.

Training Center

Paychex is committed to training as an essential part of the success of each employee. Employees require training to gain the product knowledge and professional skills necessary to maintain the Company’s standard of service excellence. To this end, the training center provides the necessary classroom training to employees. Initial training courses offered include:

• Product Training;

• Computer Systems Training;

• Sales Training;

• Human Resource Services Training; and,

• Management Training.

Ongoing training courses are also conducted. Examples include branch personnel training, advanced payroll certification training, and computer operations training. Training center staff consists of personnel skilled in training techniques, as well as the technical aspects of the courses they are instructing.


Administration Policies Personnel policies document the principles that guide the conduct of all employees. Periodic revisions and updates are released each year. All policies are available to employees in the Employee Handbook. The handbook includes policies on the security of information and assets, non-disclosure, conflict of interest, and standards of behavior. Published Job Descriptions Formal job descriptions communicate the general function and specific duties of a position. Job descriptions above a certain grade level are evaluated, graded, and approved by the Job Evaluation Committee. The Committee includes representatives from senior management and the Human Resources Department. The manager responsible for a position is included in the process. Any employee hired is provided his/her respective job description, which includes written expectations of the position. Hiring Practices and Performance Evaluations The objectives of personnel recruitment are to place qualified persons in respective positions and reduce operating costs by minimizing turnover. To meet these objectives, standard procedures are documented in the procedures manual and are followed when filling any vacancies or new positions.

The objective of a performance appraisal is to measure the performance of an individual against the objective standards established for a specific job. The Company’s performance appraisal program provides an equitable method to assess an employee’s job performance, discuss performance and actions to improve job performance, identify an employee’s development needs, and discuss salary.

Specific procedures dictate the timing of performance evaluations for all employees on an annual basis. A standard form, designed to implement the management by objectives appraisal system, is used. The Human Resources Department sends monthly reminders and continues to forward additional reminders until the review is complete.

Risk Assessment Process

Paychex has placed into operation a risk assessment process to identify and manage risks that could affect the Company’s ability to provide reliable ExpenseWire® service processing to its customers. This process requires the Company to identify significant risks based on management’s knowledge of its operations, and input received from the Internal Audit group and the Company’s external auditors. For any significant risks identified, management is responsible for implementing appropriate measures to monitor and manage these risks.

Monitoring Controls

Paychex has an Audit Committee that oversees risk assessment and monitoring. Paychex management and supervisory personnel are responsible for monitoring the quality of internal control performance as a routine part of their activities. To assist them in this monitoring, the Company has developed management reports that measure the results of various processes involved in processing their business units’ transactions.

Enterprise Support

Enterprise Support is the technical support link between ExpenseWire® services and the support departments of Information Technology. Enterprise Support’s primary function is to monitor ExpenseWire® system operations and availability and to resolve application issues. Monitoring and support is conducted 24 hours per day, seven days a week.

Internal Audit Function

The Internal Audit Department acts as an independent appraiser of the internal control system of Paychex. The primary objective of the Department is to assist management with the effective execution of their responsibilities to customers and shareholders by providing management with assessments on internal control design and operating effectiveness as well as recommendations to enhance internal controls. The Internal Audit Department reports directly to the Company’s Audit Committee, which oversees the Company’s internal control structure. The Department has been granted the authority to examine all Company records, reports, and documentation, and to use whatever audit procedures are deemed necessary to accomplish its objectives. Internal Audit has unrestricted access to the Audit Committee of the Board of Directors and senior management. Senior management is responsible for ensuring operating management gives adequate consideration to the findings and recommendations included in audit reports. The Director of Internal Audit is a member of the Security Governance Council (described below on pg. 22) and considers the subject matter discussed during those quarterly meetings when determining the nature, timing and extent of testing related to Information Technology and Information Security.

Monitoring Subservice Organizations

Paychex Inc.’s relationship with each subservice organization is managed via a named contact, through which service concerns and expectations may be discussed. Additionally, each subservice organization provides email and on-line support channels, through which contact may be made. Additional opportunities for service quality feedback are provided via the vendor management processes common to all Paychex Inc. vendors.

RELEVANT ASPECTS OF PAYCHEX INC.’S INFORMATION TECHNOLOGY CONTROLS

General Information Technology Controls

Paychex has implemented a series of controls related to their information systems environment. The control structure has been designed to ensure appropriate controls, including preventative and detective controls as well as manual and automated controls, functioning from the entity level through the transaction level. The following section describes the information systems control environment of Paychex. General information technology controls establish the environment in which applications are developed and operated. Therefore, the general information systems control environment has an impact on the effectiveness of controls in all applications. General information system controls are described under the following categories:

Change Management

Network Security, Operational Monitoring and Problem Management

Logical Access

Physical Access

Environmental Systems

Data Backup

Scheduling

Change Management

All changes to the production system (application, hardware, operating system software, and database changes) are controlled through a formal Change Management Process to ensure that necessary review and approval occur. All significant modifications to the application infrastructure are managed within a project, using a defined Paychex Project Process. Product and Program Management is responsible for identifying significant initiatives and aligning them with the appropriate project management methodology and standards. Changes are documented and tracked in a Change Request (CHG). Typical change profiles include:

Development of new software applications

Installation of purchased software packages

Deployment of technology infrastructure

Periodic release of minor enhancements, bug fixes, maintenance and regulatory changes

The Paychex Project Process is aligned with the formal Change Management Process at key checkpoints throughout the project, with a Project Manager having responsibility for ensuring that changes are properly communicated and approved before implementation. The Project Manager has ultimate responsibility for the delivery of the change. Projects follow an Agile software development life cycle model, which allows for customization depending on the needs of the project. There is a defined set of minimum Project Management Standards that includes a project definition, defined requirements, testing strategy, and a project work plan. The Project Office, part of the Product and Program Management group described above, regularly monitors that all projects adhere to the defined set of minimum standards and a periodic review of compliance to the standards is performed by the Director of the Enterprise Program Office.

Projects are initiated by the respective business unit or by Product Management. They are then prioritized by a cross-functional group with input from executive management, Product Management, Sales, Operations, and Information Technology. Business units are represented throughout the project and participate in requirements sessions, requirements walkthroughs, project status updates, and user acceptance testing, as needed. Regular project status is provided to the business units by the Project Manager and through the monthly Portfolio Review, conducted by the Enterprise Program Office.

Product Development is responsible for the design, development, and testing of software applications that support the Paychex business units. They follow a defined Software Development Process (SDP) that provides guidelines for making and testing program changes and allows for customization, depending on project need. This process documentation is accessible to all via the Paychex Intranet. Additionally, Product Development uses version control tools to manage software development at Paychex. Managers within Product Development are responsible for reviewing projects within their application areas to confirm adherence to this process. In addition, there are published standards for developing systems and applications that can be referenced on the Paychex Intranet. The Manager/Solution Lead is responsible for monitoring compliance with these standards; their approval within the Change Management process confirms that program changes comply with these standards. Members of Product Development also lead and participate in publishing and implementing standards related to software development.

Product Development follows a defined testing process for all changes to application and operating systems. The Managers and Leads for each application area are responsible for reviewing and monitoring compliance with the testing process. Signoff on completion of testing is monitored via the Change Management Process. Test Engineering is responsible for producing test scripts. The Test Engineering team members verify that the new functionality is working as documented in the requirements and that all known defects are identified and resolved. During this phase any applicable system, conversion or regression testing is completed. The Test Engineering tests are performed using a test environment that is representative of the production environment. Program application changes are checked for errors and modified as needed through the formal change management process.

The business unit determines whether user acceptance testing is warranted. If so, the business unit is responsible for defining the test plan and performing the tests. The business unit is responsible for maintaining their test documentation for an appropriate period of time.

For projects where performance is critical or there is a high volume of transactions, load and stress testing is performed. The testing evaluates the compliance of a system or component with specified performance requirements. Often this is performed using an automated test tool to simulate a large number of users. These tests are performed according to a test plan and are most often performed by the Architecture, Performance and Tools team within IT Operations.

Infrastructure changes, which include operating system and database changes, are managed by the respective IT Operations functional teams. Testing by IT Operations is performed and signoff of testing activities is captured within the related ServiceNow change record. IT Operations Management is responsible for reviewing and monitoring compliance with testing requirements.

After testing is complete, the software is ready for turnover to the ExpenseWire® IT Operations team. This team is responsible for releasing ExpenseWire® services application changes into the production environment. Changes are then migrated from the test environment to the ExpenseWire® production environment. For all changes, after a period of time to monitor the change in the production environment, the change request is updated to indicate completion status, either complete or without incident. This is performed by Change Management or Release Management, and is typically done within a week of implementation.

All changes to the production environment follow the normal change management process, with the exception of emergency changes. Emergency changes are changes that must be made within the same business day or prior to the next business day, that are required either to restore service after an interruption or to prevent an imminent interruption in service, and for which no sustainable workaround is in place. For all emergency changes, given the urgency of the situation, verbal rather than written authorization and approvals may be granted prior to the change being implemented. After the change has been implemented, a formal Change Request is completed and signed off.

Network Security, Operational Monitoring and Problem Management

Firewalls, Intrusion Detection Systems (IDS), and Network Address Translation (NAT) are deployed to control and monitor the network and critical networking equipment. These are maintained and monitored by the Security Engineering team, part of Enterprise Data and Systems Security noted above. The Paychex firewall architecture encompasses multiple tiers of firewalls for defense-in-depth and defense-in-diversity. Configuration control of the firewall architecture is performed by the Security Engineering team. Firewall rule sets are developed and maintained for each device to explicitly control traffic: authorized traffic is permitted and unauthorized traffic is denied. Requests to change rule sets are reviewed by the Enterprise Change Team and, when approved, executed by the Security Engineering team. Security Analysts monitor the operating system and database level alerts, and the network-based IDS that are used at the data centers and at selected nodes of the Paychex WAN. Security Engineering reports all identified security violations to management.

PD&IT has defined and implemented an incident management system to ensure that operational issues (incidents, problems and errors) are recorded, analyzed, and resolved in a timely manner. An Incident Management methodology is used to help PD&IT provide support for Information Technology products and services. All business unit personnel use a centralized single point of contact (incident management system) to report issues that are outside of standard operation. Responses to incidents are guided by priorities defined based on urgency and impact. These are negotiated with business units as part of a service level agreement for service call management between IT and the associated business unit.

Logical Access

System security, administration, and monitoring include those controls that prevent and detect unauthorized access to Paychex information systems and data. The Paychex Information Security Policy, approved by Executive Management, defines the fundamental principles for the protection of Paychex information resources and identifies the proper controls necessary to meet or exceed the requirements for regulatory compliance. The Board of Directors and the Executive Management team endorse and enforce the Paychex Information Security Policy. In addition, a framework of security standards has been developed to support the objectives of the security policy. These standards have been implemented throughout the Company and address security issues such as logical access to applications and data, physical access to computing facilities, and monitoring activities. Logical access controls are designed so that only known, authorized users are permitted access to systems and applications based on job responsibilities. Formal processes and procedures exist to ensure system access requests are fulfilled based on the appropriate approvals by system and data owners. Privileged activities are approved by authorized IT management and performed by appropriate individuals. All privileged activities are logged in the system and are available for review as required.

Physical Access

Paychex has two production CDCs located near Rochester, New York and a third located near Omaha, NE. The CDCs house all significant computer operations and data processing activities and maintain identical data for all in-scope applications. ExpenseWire® applications spanning multiple systems reside in multiple data centers. Systems are comprised of enterprise class servers using a variety of operating systems. Physical access to the CDC facilities is limited to employees with a business need and is controlled by security badges and a biometric scanner. During business hours, visitors are screened by a security guard or a receptionist located at the main entrance and escorted by an employee during the visit. Upon termination, employee access to the CDC is removed. Access to the badge access control system used to grant and revoke badge access is restricted to authorized users in the Facilities Department. The Facilities Department at Paychex reports up through the Senior Vice President (VP) of Service and is responsible for maintaining all of the buildings throughout Paychex. This includes granting and removing physical access to buildings and the CDCs for new and terminated employees as well as vendors and visitors to Paychex. Video cameras are present outside all CDC facilities and are used by Security personnel to monitor access to the computer rooms. In addition, access to the storage location within each of the CDCs is also controlled through security badges and a biometric scanner, and assigned to employees according to their business function. Other distributed computing facility rooms, including print rooms and communication closets, are secured by keypad locks or electronic card readers.

Environmental Systems

Each CDC includes temperature-controlled areas, fire suppression systems, an uninterruptible power supply and a raised floor. The management of the CDCs, including the environmental controls, is the responsibility of PD&IT. An environmental monitoring system is used to detect issues with the air conditioning, fire suppression, leak detection, and power systems. The monitoring system is configured to capture alarms, threshold, and maintenance alerts within the environment. If an alert occurs, a technician is automatically paged. The CDC acts as a backup to this process. The CDC monitors environmental alerts 24 hours a day, seven days a week. If a technician does not acknowledge an alert within 15 minutes, the CDC follows an escalation procedure to contact the necessary personnel. The CDCs contain redundant equipment for air conditioning, power, and fire suppression systems. This equipment is tested through a series of preventative maintenance procedures and planned test procedures.

Data Backup

Backups are executed using Veritas NetBackup software. NetBackup has an automatic scheduler that is used to set up and launch backups that are run with this application. Requests for new backups are submitted to the Storage team, which is part of the Enterprise Operations and Production Services group. The Storage team sets up the backup process and schedule using NetBackup. All backups are monitored by the IT Operations Center (ITOC) team within the Enterprise Operations and Production Services group. Backups are monitored using the NetBackup Activity Monitor. The Activity Monitor shows all active backups and the completion status for all backups. All production system backup issues are escalated, per documented procedures, to the appropriate support organization. NetBackup, a data protection tool, is used to duplicate Paychex backup data from one CDC location to a secondary CDC location. In the event a system restore is needed, the ITOC team will recall the duplicated data from the secondary CDC location. All NetBackup stores use EMC Data Domain Replicator technology, which ensures the quality and effectiveness of backup media. With Data Domain Replicator technology, the replication of data occurs much faster than tape, without the risk inherent to tracking and handling tapes. Replication is more secure than physical tape and also allows for tertiary copies. Data restorations are performed on a regular basis as part of the problem resolution process, during system upgrades or the creation of development and test environments, or to rebuild business continuity plan environments. The successful completion of these restores on a regular basis provides verification that the backup is a valid source for recovery.

Scheduling

ITOC conducts production processing for all Paychex organizational units 24 hours a day, seven days a week. The organizational unit defines their production processing requirements, including specific instructions, dependencies, time frames and frequency. The organizational unit authorizes the ITOC to perform these operations as specified on an on-going basis. On a daily basis, the Data Center Scheduling Team uses the processing requirements from the organizational unit to build a processing schedule. The processing schedule is maintained by the Data Center Scheduling Team 24 hours a day, seven days a week. A limited number of trained IT personnel have access to modify or cancel scheduled jobs. ITOC Technicians continually monitor processing jobs and in the event of a failure, follow documented escalation procedures. Enterprise Support works with the ITOC and other necessary resources to resolve the issue.

RELEVANT ASPECTS OF PAYCHEX INC.’S EXPENSEWIRE SYSTEM CONTROLS

Paychex has established a Security Governance Council (SGC) whose mission is:

To develop, coordinate and sustain the organization’s enterprise security program;

To coordinate and respond to security risks and incidents; and

To develop, implement and maintain the organization’s enterprise security strategy in alignment or support of business goals and objectives.

The success of the SGC depends upon an objective understanding of the Company’s asset protection issues. The SGC meets on a quarterly basis and is chaired by the Chief Information Security Officer. The SGC is comprised of members who understand the business operations, including individuals from Information Technology, Internal Audit, Legal, Human Resources and Organizational Development, and business unit executives. The recommendations of the SGC are considered when updating the information security policies, procedures and standards at Paychex.

User Organization Implementation

The Company follows a comprehensive onboarding process to manage user organization implementation, which summarizes key implementation steps and required information necessary for going live. The ExpenseWire® Onboarding process begins with sales. The sales rep will complete all the necessary paperwork with the client. The sales rep will then complete the PHR006 form or use the Mid-Market Sales Tool (MMST), which will require that the sales rep attaches the service agreement. In addition, the sales rep is required to attach the following documents:

The Major Market Service Agreement

Electronic Funds Transfer Information (Estimated Fee Schedule)

Copy of Voided Check (Billing Purposes Only)

Upon receipt of this information, an On-Boarding case is created in SalesForce.com. This case will then be received by the ExpenseWire® team and the user entity’s system instance will be created. Once the instance has been created, an Implementation Coordinator (IC) or Major Account Advisor (MAA) will be assigned. The IC or MAA will contact the user entity’s sales rep to review the Business Requirements Document. This document will be used to assist the IC or MAA with determining the client’s need for the ExpenseWire® system. The Implementation Coordinator will personally contact the client to determine the best time to complete the kickoff call. Once a time is established to complete the kickoff call, the client receives a formal welcome email from the IC. During the kickoff call, the IC, client and sales rep will review the scope of the project as well as set up a weekly call schedule. The IC will attach various documents based on the user entity’s needs. The following documents will be attached based on the Business Requirements:

Project Plan

Bulk Upload Spreadsheet

Test Plan

Project Plan

The company follows a Milestone and Project Plan that details the steps and requirements of user organizations. The company requires user organization approval at various points along implementation as it progresses to go live.

Bulk Upload Spreadsheet

The IC will discuss how, upon completion of the Bulk Upload Spreadsheet, it will be used to upload information into the user organization’s instance (site). User organization information loaded into the site is compared against the bulk upload spreadsheet completed by the user organization.

Test Plan

Paychex Inc. offers a customizable test plan used to ensure the information received from the user organization is correct and the site has been configured according to this information. The Company generates profile reports, which are offered to user organizations to ensure that information provided by the user organization has been loaded correctly before the first expenses are processed. Upon completion of the test plan, the Company obtains approval from the user organization prior to moving the application into production. The Company offers direct feed functionality for user organizations utilizing certain corporate credit cards. Upon obtaining all required forms and authorization, the Company tests the information feed and obtains approval from the user organization prior to the feed being put into production.

Organization Account Maintenance

Paychex Inc. works closely with the user entity administrator to assist and advise clients as well as with technical troubleshooting. If there is a need for any changes, the support advisor works closely with the client to determine the best approach to a solution. Once determined, requests for changes to ExpenseWire® made by Paychex on behalf of user organizations are submitted using pre-approved forms or transmission methods. All user entity interactions are documented using Salesforce.com. This allows anyone in the company with the proper access to view these interactions. These interactions can also be reported on to assist in change management requests. These requests are subject to the same approval hierarchy established by the user organization application administrator and the credentialing utilized by Paychex. Only those changes submitted by authorized individuals based on job responsibilities are made. All changes made to user organization information are documented by a ticketing system and available upon request.

Reporting and File Output

The ExpenseWire® system offers an analytical component that allows user organizations to create and generate reports. These reports can be used to monitor expense reporting as well as to verify the accuracy of results. The user entity administrator will work with their assigned Implementation Coordinator to determine all business needs when it comes to reporting.

Communication

Information Flow from Senior Management to Operations Management

The communication system between senior and operations management includes updates when written communication is appropriate, periodic department meetings between each executive and their direct reporting managers, and other discussions as needed. Communication is encouraged at all levels of Paychex.

Operating Procedures Manuals

Manuals help maintain consistent operating procedures and provide a reference to employees in the conduct of their daily responsibilities. Procedures and documentation are maintained and updated online.

Communication with Clients

As part of the Company’s commitment to providing quality customer service, Paychex has regular communication between clients and specialists. Paychex uses and provides an array of communication methods including technical help desks, regular written and email updates, client surveys, and access to www.paychex.com.

COMPLEMENTARY USER CONTROL CONSIDERATIONS

The Paychex, Inc. ExpenseWire® Online Expense Management System was designed with the assumption that certain controls would be implemented by user organizations. In certain situations, the application of specific controls at user organizations is necessary to achieve certain control objectives included in this report. The following complementary user control considerations should not be regarded as a comprehensive list of all controls that should be employed by user organizations. There may be additional controls that would be appropriate for the security of the system which are not identified in this report. Other controls may be required at user organizations.

Usernames and passwords allowing access into user organization data are maintained by user organizations. Controls should exist at user organizations to limit logical access to properly authorized individuals.

User organization application and terminals should have appropriate levels of network monitoring and security protection controls.

User organizations supply all necessary information for loading into the application. Controls should exist to ensure that the information provided to ExpenseWire® is complete and accurate.

User organizations should have controls to verify that data entered during the set-up process is complete and accurate before authorizing live production.

User organizations should have controls to ensure that changes are initiated at the appropriate level and have security measures over the procedures for requesting changes.

User organizations should have controls to ensure that changes made on the user organization’s behalf are complete and accurate.

User organizations should have controls to ensure that only those changes authorized by the user organization have been made.

User organizations should have controls to ensure timely review of all reporting output generated and notification of any reported problems with checks or deposits to ExpenseWire®.

User organizations should review and reconcile all reporting information generated prior to utilizing such reports for direct feeds to payroll providers other than Paychex.

User organizations electing to manually process reimbursement should have controls in place to ensure completeness and accuracy of amounts disbursed.

User organizations should have controls to ensure that only authorized individuals have access to required output reports.

SECTION FOUR

Control Objectives, Related Controls and Tests of Controls

CONTROL OBJECTIVES, RELATED CONTROLS, AND TESTS OF CONTROLS

Control Objective 1: Change Management

Controls provide reasonable assurance that application, hardware, operating system software and database changes are authorized, tested, approved, implemented and documented.

1.1 Paychex, Inc. Control: Paychex has a formal change management policy that outlines the requirements for making system changes (application, hardware, operating system software, and database). Changes are made in compliance with the process and appropriate documentation is maintained. The change management policy is updated and approved, as necessary, and updates are communicated.

Tests performed by Bonadio & Co., LLP:
Examined change management documentation to ensure that formal policies and procedures are in place.
Examined a sample of changes to ensure that the changes were made in compliance with the process and that appropriate documentation was maintained.
Examined the change management policy to ensure that the policy is reviewed, updated, approved, and communicated on a regular basis.

Results provided by Bonadio & Co., LLP:
No relevant exceptions noted.
No relevant exceptions noted.
No relevant exceptions noted.

1.2 Paychex, Inc. Control: All significant application and system modifications and development activities follow a project plan that includes a project definition, project requirements, work plans, and progress monitoring procedures.

Tests performed by Bonadio & Co., LLP:
Examined a sample of changes to ensure that a detailed project plan was followed.

Results provided by Bonadio & Co., LLP:
No relevant exceptions noted.

1.3 Paychex, Inc. Control: Requests for system changes are standardized, documented, and subject to formal change management procedures, including authorization.

Tests performed by Bonadio & Co., LLP:
Examined change management documentation to ensure that formal change management procedures have been defined.
Inspected a sample of changes to ensure that changes were requested on a standard form and authorized as required.

Results provided by Bonadio & Co., LLP:
No relevant exceptions noted.
No relevant exceptions noted.


1.4 A testing strategy, which can include unit, system, integration, test engineering and user acceptance testing depending on the nature of the change, is developed and followed for all changes to applications, systems and infrastructure technology, so that deployed systems operate as intended. Testing approval is documented.

Examined the Change Management Testing procedures to ensure that all significant system modifications and development activities are required to follow a defined testing process including signoff at the completion of testing. Inspected a sample of changes to determine whether testing was performed and documented in accordance with documented procedures.

No relevant exceptions noted. No relevant exceptions noted.

1.5 All production migrations are approved prior to implementation.

Inquired with management to ensure that a formal process of approving changes for migration to production is in place and followed. Inspected a sample of changes to ensure that the request to migrate to the production environment was approved prior to implementation.

No relevant exceptions noted. No relevant exceptions noted.

1.6 Version control tools are used for managing application source code. These tools are used for updating source code and tracking changes to source code. Changes to the source code are logged by the version control tools and can only be made by one developer at a time.

Examined the version control tool used for source code management to ensure that changes are tracked and that changes are only performed by one individual at a time. For a selection of program changes, inspected system records and documentation to ensure that the version control tool was used to manage application source code and that a history of component changes is logged.

No relevant exceptions noted. No relevant exceptions noted.

1.7 Emergency program changes (critical system fixes that are released on an as needed basis and are coded as emergency) are approved by PD&IT management and documented after implementation.

Examined a list of changes performed and determined that no emergency changes were made during the audit period. Inquired with personnel to ensure that a formal emergency change management process is in place.

No relevant exceptions noted. No relevant exceptions noted.


Control Objective 2 Network Security, Operational Monitoring and Problem Management: Controls provide reasonable assurance that ExpenseWire®'s network is monitored, security mechanisms are deployed to protect it from external threats, and operational problems are identified and resolved in a timely manner.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

2.1 Paychex personnel monitor system availability, performance, hardware issues, security issues, and backup equipment. Issues identified are documented, reported, and followed through to resolution in a timely manner.

Examined the Network Security Narrative to ensure that network architecture, configurations, and security have been addressed. Inspected a sample of incidents identified by the monitoring tools to ensure that issues were tracked, resolved timely, and that resolution was documented in the incident management system.

No relevant exceptions noted. No relevant exceptions noted.

2.2 The network architecture is segregated into segments and security includes firewalls, network-based Intrusion Detection Systems (IDS) and Network Address Translation (NAT). The firewall rejects any unauthorized external connections requesting access to the internal network.

Examined network system settings to ensure that the network architecture has been segregated into segments and that appropriate IDS and NAT controls have been deployed. Examined the firewall ruleset to ensure that it has been configured appropriately.

No relevant exceptions noted. No relevant exceptions noted.

2.3 Security Analysts monitor the network-based IDS that are used at the CDCs and at selected nodes of the Paychex WAN. Identified security violations are reported to IT management and violations are researched and resolved.

For a sample of days, inspected the security monitoring checklist to ensure that the IDS security events were monitored and that identified issues were reported to IT management, researched, and resolved, as needed.

No relevant exceptions noted.

2.4 Security Operations staff detect unauthorized operating system and database activity by monitoring system audit logs and following a monitoring checklist. Identified security violations are reported to IT Management and violations are researched and resolved.

For a sample of days, inspected the security monitoring checklist to ensure that operating system and database activity security events were monitored and that identified issues were reported to IT management, researched, and resolved, as needed.

No relevant exceptions noted.


Control Objective 3 Logical Access: Controls provide reasonable assurance that logical access to the network, application and hosted production environment is restricted to authorized individuals.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

3.1 Information security standards are established and approved by IT management.

Examined the Paychex Security Policy to ensure that information security standards have been established and approved by IT management. Examined policies to ensure that they are reviewed at least annually and changes are documented and tracked.

No relevant exceptions noted. No relevant exceptions noted.

3.2 To gain access to the network, operating systems, applications and databases, users are required to use a unique login identifier and passwords subject to length, expiration, history, and lockout requirements. Workstations are configured to automatically lock out after 15 minutes of inactivity.

Examined ExpenseWire®’s password parameters to ensure password security strength. Examined domain controller configuration settings to ensure that devices are configured to automatically lock out after a defined period of inactivity.

No relevant exceptions noted. No relevant exceptions noted.

3.3 Access request forms are completed and authorized by data owners for establishing user accounts for access to the network, operating systems, applications and databases.

Examined logical access documentation for new hires, terminations, and transfers throughout the period to ensure a request form was used. Examined the ticket for application access to ensure that access was appropriately requested and authorized.

No relevant exceptions noted. No relevant exceptions noted.


3.4 For terminated or transferred users, HR and/or management submits a notification of the termination or transfer and access to the network, operating systems, applications and databases is removed or updated on a timely basis.

Based on examination of the logical access documentation for new hires, terminations, and transfers throughout the period, it was determined that no employees were terminated or transferred during the period. Inquired about the termination and transfer process to ensure that a formal process is in place for removing or modifying user access when needed.

No relevant exceptions noted. No relevant exceptions noted.

3.5 Only authorized users have been granted administrator privileges for network and operating systems based upon job responsibilities.

Examined a list of all administrator accounts to ensure that administrator privileges were appropriately restricted based on job responsibilities.

No relevant exceptions noted.

3.6 Access to perform privileged activities is restricted to authorized individuals and additional approval is not required before privileged access activities may be performed. All privileged activities are logged and monitored on a monthly basis (see control 3.7 for privileged activity monitoring).

Examined a list of all administrator accounts to ensure that administrator privileges were appropriately restricted based on job responsibilities. Inspected activity reviews to ensure that reviews are being performed on a regular basis and formally approved by management.

No relevant exceptions noted. No relevant exceptions noted.

3.7 Privileged activities (administrative or super user) are reviewed on a monthly basis by IT management. Issues, if any, are followed up on and resolved.

Inspected activity reviews to ensure that reviews are being performed on a regular basis and formally approved by management.

No relevant exceptions noted.

3.8 On a periodic basis, access rights for the network, applications, operating systems, and databases are confirmed by assigned data owners to determine that access is commensurate with job responsibilities. Discrepancies are tracked, followed up on and resolved. Signoff and resolutions are documented on the review reports.

Examined a sample of access review reports to ensure that reviews are performed on a regular basis by an appropriate individual and that approval of review and any changes necessary were also documented.

No relevant exceptions noted.


3.9 Employees working remotely authenticate to the network using two-factor authentication. Remote access is granted as part of the new hire access. Remote access is revoked during the termination process. Refer to controls 3.3 and 3.4 for User Management - Addition and User Management - Revocation.

Examined the remote authentication requirements for the network to ensure that two-factor authentication was required. As remote access is inherent to new users, examined logical access documentation to ensure that the access request form was completed and authorized by appropriate individuals. As there were no terminations during the audit period, inquired about the termination and transfer process to ensure that a formal process is in place for removing or modifying user access when needed.

No relevant exceptions noted. No relevant exceptions noted. No relevant exceptions noted.
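Controls 3.5 to 3.7 above describe the combination the report relies on for privileged access: an approved administrator list, logging of all privileged activity, and a monthly review of that activity by IT management. The script below is an added example and is not code from the report, from Paychex or from the ExpenseWire system; it shows one way such a monthly review can be produced from operating-system logs, flagging privileged use by accounts that are not on the approved list and failed escalation attempts. It assumes sudo's default syslog line format, and the approved administrator list, hostnames, account names and commands in it are constructed sample data.

```python
"""Monthly review of privileged (sudo) activity against an approved administrator list.

Added example. Assumes sudo's default syslog line format; every account, host and command
below is constructed sample data, not taken from any real system."""
import re
from collections import defaultdict

# Accounts approved for administrator privileges (constructed; in practice this is the
# administrator list whose restriction is described in control 3.5).
AUTHORIZED_ADMINS = {"asmith", "bjones"}

# Constructed sudo log lines for one review month. The fourth line is a failed escalation:
# sudo writes the failure reason before the TTY field. The last line is not a sudo record.
SAMPLE_SUDO_LOG = """\
Oct  3 09:12:41 app01 sudo:   asmith : TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/systemctl restart example-app
Oct  9 14:05:03 db01 sudo:   bjones : TTY=pts/1 ; PWD=/home/bjones ; USER=postgres ; COMMAND=/usr/bin/pg_dump exampledb
Oct 17 22:47:19 db01 sudo:   cdoe : TTY=pts/2 ; PWD=/home/cdoe ; USER=root ; COMMAND=/usr/sbin/useradd -G wheel tempadmin
Oct 17 22:48:02 db01 sudo:   cdoe : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/cdoe ; USER=root ; COMMAND=/usr/bin/passwd root
Oct 21 08:30:00 app01 sudo:   asmith : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/secure
Oct 21 08:31:15 app01 sshd[2211]: Accepted publickey for asmith from 10.0.0.5 port 51022 ssh2
"""

# Default sudo syslog layout: "<user> : [<failure reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<failure>[^;]+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)


def review_privileged_activity(log_text, authorized_admins):
    """Summarise privileged activity per (month, account) and list the review findings.

    Returns (summary, findings). summary maps (month, account) to the event count, failed
    attempts and hosts touched; findings are the items a reviewer must follow up on:
    privileged use by an account not on the approved list, and failed escalation attempts."""
    summary = defaultdict(lambda: {"events": 0, "failures": 0, "hosts": set()})
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:                                  # not a sudo record; out of scope here
            continue
        entry = summary[(m["month"], m["user"])]
        entry["events"] += 1
        entry["hosts"].add(m["host"])
        where = f"{m['month']} {int(m['day']):02d} {m['host']}"
        if m["failure"]:
            entry["failures"] += 1
            findings.append(f"{where}: {m['user']} failed to escalate ({m['failure']}): {m['command']}")
        if m["user"] not in authorized_admins:
            findings.append(f"{where}: {m['user']} is not an approved administrator: {m['command']}")
    return dict(summary), findings


def format_review(summary, findings):
    """Render the review sheet that IT management would sign off (the record control 3.7 describes)."""
    lines = ["Privileged activity review", "month  account   events  failures  hosts"]
    for (month, user), e in sorted(summary.items()):
        lines.append(f"{month:<6} {user:<9} {e['events']:>6}  {e['failures']:>8}  {','.join(sorted(e['hosts']))}")
    lines.append("")
    lines.append("Items requiring follow-up:" if findings else "No items requiring follow-up.")
    lines.extend(f"  - {f}" for f in findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_review(*review_privileged_activity(SAMPLE_SUDO_LOG, AUTHORIZED_ADMINS)))
```

The approved list is the link between control 3.5 and control 3.7: the review is only meaningful if the list it compares against is the one produced by the access review, so in practice it should be exported from that evidence rather than maintained by hand in the script. Centralised log collection also matters here, since a reviewer working from logs that the reviewed administrators can edit locally is not getting independent evidence.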


Control Objective 4 Physical Access: Controls provide reasonable assurance that physical access to the CDC facilities is restricted to authorized personnel.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

4.1 Access to the CDC facilities is controlled through a biometric scanner and security badge.

Inspected access controls at the Webster Data Center to ensure that access requires two-factor authentication.

No relevant exceptions noted.

4.2 CDC facilities visitors are required to be accompanied by authorized personnel.

Inspected physical controls to ensure that all visitors are required to sign in and must be accompanied by Paychex personnel.

No relevant exceptions noted.

4.3 Access to the CDC facilities is granted based upon job function and upon approval by the Network Service Field Engineering Manager.

Inquired with Paychex personnel to ensure that access to the CDC facilities is limited based on job responsibility and examined new user access requests to ensure they are formally documented, approved, and maintained by appropriate personnel.

No relevant exceptions noted.

4.4 Access to the CDC facilities is removed on a timely basis.

Inquired with Paychex personnel to ensure that terminations and departures follow a formal de-provisioning process. Examined access reviews to ensure that reviews are performed on a quarterly basis.

No relevant exceptions noted. No relevant exceptions noted.


4.5 The Network Service Field Engineering Manager conducts a quarterly review of users with access to the CDC facilities and confirms that access is commensurate with job responsibilities. Discrepancies are resolved.

Examined access reviews to ensure that reviews are performed on a quarterly basis. Examined access reviews to ensure that any discrepancy noted was resolved appropriately.

No relevant exceptions noted. No relevant exceptions noted.

4.6 Cameras are present outside all CDC facilities entrances and are monitored by security guards.

Inspected or reviewed assurance reports on physical controls to ensure that facility entrances were appropriately monitored.

No relevant exceptions noted.

4.7 Access to the badge access control system used to grant and revoke badges for physical access is restricted to appropriate personnel based on job responsibilities.

Examined the access control system to ensure that access is granted based on job responsibilities. Examined access reviews to ensure that reviews are performed on a quarterly basis.

No relevant exceptions noted. No relevant exceptions noted.


Control Objective 5 Environmental Systems: Controls provide reasonable assurance that the CDC facilities' environmental systems are monitored and maintained to protect their physical assets.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

5.1 Preventative maintenance is performed according to schedule on the CDC facilities' uninterruptible power supplies, generators and HVAC systems.

Inspected physical controls or reviewed assurance reports to ensure that environmental systems (i.e., generators and uninterruptible power supplies) were present. Examined testing documentation to ensure that testing and preventative maintenance were performed according to schedule on the facilities' environmental systems.

No relevant exceptions noted. No relevant exceptions noted.

5.2 Environmental systems are monitored and issues are tracked and resolved following established problem management procedures.

Inquired with management to ensure that a formal process for tracking environmental system issues has been defined. Environmental issues are tracked, resolved, and documented in the incident management system. Please refer to CO 2.0 for more information.

No relevant exceptions noted. No relevant exceptions noted.


Control Objective 6 Data Backup: Controls provide reasonable assurance that production data backup is scheduled and processed completely and the backups are stored according to policy.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

6.1 Data is automatically backed up on a scheduled basis and duplicated via the NetBackup tool to a secondary location.

For a sample of days, inspected backup system documentation to ensure that data was backed up according to schedule. Examined a sample of backups to ensure that duplicated backups were being made to a secondary location.

No relevant exceptions noted. No relevant exceptions noted.

6.2 Computer operators monitor the success of backups through the use of system monitoring tools and report on the success or failure of the backup jobs. Failures are tracked, followed up on and resolution is documented.

Inspected monitoring controls relative to backup processing to ensure that all backups were monitored by the appropriate individuals. Examined the backup report to ensure that the report included all active backups and their completion status.

No relevant exceptions noted. No relevant exceptions noted.

6.3 Data restoration is performed using duplicated data. Identified problems are followed up on and resolved.

Examined the Recovery Narrative to ensure that data restoration testing is performed on a regular basis from routine production backups.

No relevant exceptions noted.

6.4 Access to the backup tool is restricted to appropriate personnel based on job responsibilities.

Examined access reviews and recertification to ensure that user access has been approved and is appropriately restricted and that user access reviews were performed on a monthly basis.

No relevant exceptions noted.


Control Objective 7 Scheduling: Controls provide reasonable assurance that programs are scheduled and executed, and that job failures are identified, tracked and resolved.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

7.1 Logical access to initiate, modify or cancel scheduled application batch jobs is limited to appropriate personnel based on job responsibilities.

Examined the list of users with the ability to modify or cancel the batch scheduler to ensure that access is appropriately restricted based on job responsibilities.

No relevant exceptions noted.

7.2 Management has defined and implemented an incident management system to monitor jobs and identify, log, and resolve failed jobs (i.e., incidents, problems and errors).

Examined the Network Security Narrative to ensure that network architecture, configurations, and security have been addressed. Inspected a sample of incidents identified by the monitoring tools to ensure that issues were tracked, resolved timely, and that resolution was documented in the incident management system.

No relevant exceptions noted. No relevant exceptions noted.


Control Objective 8 User Organization Account Maintenance: Controls provide reasonable assurance that changes to user organization information made by ExpenseWire® on behalf of user organizations are authorized, complete, and documented.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

8.1 Changes to user organization information are submitted by authorized individuals based on job responsibilities.

Examined a sample of change requests to ensure that the request was submitted by an authorized individual.

No relevant exceptions noted.

8.2 Changes made to user organization information are documented and available upon request.

Inspected the ticketing system in place to ensure that all changes are tracked within the system and are available upon request.

No relevant exceptions noted.


Control Objective 9 Reporting and File Output: Controls provide reasonable assurance that output reports and files are produced completely and accurately in accordance with user organization specifications and are securely maintained.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

9.1 ACH payment details are entered by the user organization and are controlled by a user ID and password.

Examined activation procedures and login credentials to ensure that user organizations are required to set up their own banking information for ACH transaction processing and that this is controlled by a username and password.

No relevant exceptions noted.

9.2 System generated control totals are used to verify ACH file totals sent to financial institutions.

Examined a sample of ACH transactions for the period under review to ensure that system generated control totals were used to verify totals sent to financial institutions.

No relevant exceptions noted.

9.3 The Company receives electronic validation for all ACH transmissions from the originating financial institutions.

Examined a sample of ACH transactions for the period under review to ensure that electronic validation from the financial institution processing the transaction was received.

No relevant exceptions noted.
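Control 9.2 above states that system-generated control totals are used to verify the ACH file totals sent to financial institutions. The following script is an added example and is not code from the report, from Paychex or from the ExpenseWire system: it recomputes the batch control and file control totals of an ACH file from its entry detail records and reports every control field that does not reconcile, which is the independent check a reviewer can run against the totals the system generated. It assumes the standard NACHA 94-character fixed-width record layout; the routing numbers, account numbers, names, dates and amounts in the sample file are constructed values, not real transactions.

```python
"""Recompute ACH control totals from entry detail records (added example).

Assumes the standard NACHA 94-character record layout. Routing numbers, accounts, names,
dates and amounts in SAMPLE_ACH_FILE are constructed sample data, not real transactions."""

CREDIT_CODES = {"22", "23", "24", "32", "33", "34"}   # checking/savings credit entries
DEBIT_CODES = {"27", "28", "29", "37", "38", "39"}    # checking/savings debit entries
FILLER = "9" * 94                                     # pads a file to whole 10-record blocks


def _rec(*fields):
    """Assemble one 94-byte record from (value, width, kind) triples: 'N' zero-pads a number
    on the left, 'A' left-justifies text. Used only to build the constructed sample file."""
    out = "".join(str(v).rjust(w, "0") if k == "N" else str(v).ljust(w) for v, w, k in fields)
    assert len(out) == 94, f"record is {len(out)} bytes, expected 94"
    return out


def _entry(tx_code, rdfi, check_digit, account, cents, ind_id, name, seq):
    # Entry detail (type 6) record; the trace number is the ODFI id followed by a sequence.
    return _rec(("6", 1, "A"), (tx_code, 2, "A"), (rdfi, 8, "A"), (check_digit, 1, "A"),
                (account, 17, "A"), (cents, 10, "N"), (ind_id, 15, "A"), (name, 22, "A"),
                ("", 2, "A"), ("0", 1, "A"), (f"12345678{seq:07d}", 15, "A"))


# Constructed sample: one balanced PPD batch (two reimbursement credits, one offsetting debit).
# The type 8 and type 9 records carry the "system generated" totals that the verifier recomputes.
SAMPLE_ACH_FILE = "\n".join([
    _rec(("1", 1, "A"), ("01", 2, "A"), (" 011000015", 10, "A"), ("1234567890", 10, "A"),
         ("161031", 6, "A"), ("1200", 4, "A"), ("A", 1, "A"), ("094", 3, "A"), ("10", 2, "A"),
         ("1", 1, "A"), ("EXAMPLE RECEIVING BANK", 23, "A"), ("EXAMPLE ORIGINATOR", 23, "A"),
         ("", 8, "A")),
    _rec(("5", 1, "A"), ("200", 3, "A"), ("EXAMPLE CO", 16, "A"), ("", 20, "A"),
         ("1234567890", 10, "A"), ("PPD", 3, "A"), ("EXPENSES", 10, "A"), ("161031", 6, "A"),
         ("161101", 6, "A"), ("", 3, "A"), ("1", 1, "A"), ("12345678", 8, "A"), ("0000001", 7, "A")),
    _entry("22", "01100001", "5", "000123456789", 12550, "EMP0001", "JANE EXAMPLE", 1),
    _entry("22", "02100002", "1", "987654321", 48000, "EMP0002", "JOHN SAMPLE", 2),
    _entry("27", "03100003", "6", "555000111", 60550, "FUNDING", "EXAMPLE CO OPERATING", 3),
    _rec(("8", 1, "A"), ("200", 3, "A"), (3, 6, "N"), (6300006, 10, "N"), (60550, 12, "N"),
         (60550, 12, "N"), ("1234567890", 10, "A"), ("", 19, "A"), ("", 6, "A"),
         ("12345678", 8, "A"), ("0000001", 7, "A")),
    _rec(("9", 1, "A"), (1, 6, "N"), (1, 6, "N"), (3, 8, "N"), (6300006, 10, "N"),
         (60550, 12, "N"), (60550, 12, "N"), ("", 39, "A")),
] + [FILLER] * 3)


def _compare(scope, computed, stated):
    """List every stated control field that differs from the recomputed value."""
    out = []
    for name, value in stated.items():
        expected = computed[name] % 10**10 if name == "hash" else computed[name]  # hash keeps 10 digits
        if expected != value:
            out.append(f"{scope}: {name} stated {value}, recomputed {expected}")
    return out


def verify_control_totals(text):
    """Recompute batch (type 8) and file (type 9) control totals from the entries and return
    the list of discrepancies; an empty list means every control total reconciles."""
    records = [r for r in text.splitlines() if r]
    file_tot = {"batches": 0, "entries": 0, "hash": 0, "debit": 0, "credit": 0}
    batch, findings = None, []
    for lineno, rec in enumerate(records, 1):
        if len(rec) != 94:
            findings.append(f"line {lineno}: record length {len(rec)}, expected 94")
            continue
        kind = rec[0]
        if kind == "5":                                          # batch header
            batch = {"entries": 0, "hash": 0, "debit": 0, "credit": 0, "number": rec[87:94]}
            file_tot["batches"] += 1
        elif kind in ("6", "7", "8") and batch is None:
            findings.append(f"line {lineno}: type {kind} record outside a batch")
        elif kind == "6":                                        # entry detail
            code, amount = rec[1:3], int(rec[29:39])
            batch["entries"] += 1
            batch["hash"] += int(rec[3:11])                      # sum of 8-digit RDFI identifiers
            if code in CREDIT_CODES:
                batch["credit"] += amount
            elif code in DEBIT_CODES:
                batch["debit"] += amount
            else:
                findings.append(f"line {lineno}: unknown transaction code {code}")
        elif kind == "7":                                        # addenda count in entry/addenda count
            batch["entries"] += 1
        elif kind == "8":                                        # batch control
            stated = {"entries": int(rec[4:10]), "hash": int(rec[10:20]),
                      "debit": int(rec[20:32]), "credit": int(rec[32:44])}
            findings += _compare(f"batch {batch['number']}", batch, stated)
            for name in stated:
                file_tot[name] += batch[name]
            batch = None
        elif kind == "9" and rec != FILLER:                      # file control
            file_tot["blocks"] = -(-len(records) // 10)          # ceil(records / 10)
            stated = {"batches": int(rec[1:7]), "blocks": int(rec[7:13]), "entries": int(rec[13:21]),
                      "hash": int(rec[21:31]), "debit": int(rec[31:43]), "credit": int(rec[43:55])}
            findings += _compare("file", file_tot, stated)
    return findings


if __name__ == "__main__":
    print("sample file:", verify_control_totals(SAMPLE_ACH_FILE) or "all control totals reconcile")
    altered = SAMPLE_ACH_FILE.replace("0000048000", "0000049000")   # one amount changed (constructed)
    for finding in verify_control_totals(altered):
        print("altered file:", finding)
```

A file that passes this check has control records consistent with its entries: an amount changed, or an entry added or dropped, after the totals were generated shows up as a mismatch in both the batch control and the file control record, which is what the altered copy in the main block demonstrates. The check says nothing about whether the receiving institution accepted the file; that is the separate confirmation the report describes under control 9.3.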


Control Objective 10 User Organization Implementation: Controls provide reasonable assurance that initial set-up of user organizations is complete and accurate.

Paychex, Inc. Control | Tests performed by Bonadio & Co., LLP | Results provided by Bonadio & Co., LLP

10.1 The Company obtains user organization approval prior to or on the day the application is moved into live production.

Examined a sample of new customers to ensure that approval was obtained prior to being moved to live production.

No relevant exceptions noted.

10.2 The Company obtains user organization approval prior to or on the day the credit card direct feed functionality is moved into live production.

Examined a sample of user organizations with credit card direct feed functionality to ensure that the appropriate approval was received prior to or on the day the direct feed functionality was moved into production.

No relevant exceptions noted.