The Hartford
Retirement Plans Group
Report of Independent Auditors on
Controls Placed in Operation and
Tests of Operating Effectiveness
For the Period January 1, 2007 through
December 31, 2007
The Hartford
Retirement Plans Group
Report of Independent Auditors on Controls Placed in Operation and
Tests of Operating Effectiveness
Table of Contents
Page
I.
II.
Report of Independent Auditors............................................................................................... 1
Introduction
Purpose, Scope and Structure of Report.............................................................................. 3
Business Overview Prepared by The Hartford.................................................................... 3
Relevant Aspects of the Control Environment, Risk Assessment and Monitoring
Control Environment........................................................................................................... 5
Risk Assessment .............................................................................................................. 6
Monitoring ....................................................................................................................... 6
Internal Audit ...................................................................................................................... 7
Information and Communication
Description of Information Technology Environment........................................................ 7
Description of Transaction Processing ............................................................................. 10
Corporate Plan Installation........................................................................................... 10
Government Plan Transition ........................................................................................ 11
Plan Management......................................................................................................... 12
Call Center ................................................................................................................... 12
Plan Recordkeeping ..................................................................................................... 12
Financial Administration.............................................................................................. 12
SMART529 Collage Savings Plan and Prepaid Tuition Option .................................. 13
Data Submission........................................................................................................... 13
Cash Receipts ............................................................................................................... 14
Financial Processing..................................................................................................... 14
Suspense and Reconciliation........................................................................................ 15
Management Reporting ................................................................................................ 15
Statements .................................................................................................................... 16
Training ..................................................................................................................... 18
Compliance Reporting (Corporate Full-Service Plans Only)....................................... 18
Client Control Considerations................................................................................................ 20
Control Objectives, Controls Specified by the Retirement Plans Group and Tests of
Operating Effectiveness Performed and Results of Testing
Recordkeeping/Plan Administration ................................................................................. 21
Defined Contribution Benefit Payments ........................................................................... 32
Information Technology ...................................................................................................39
Page
III.
Information Provided by the Service Auditor
Objectives and Scope of Review ........................................................................................ 46
Control Environment Elements .......................................................................................... 46
Tests of Operating Effectiveness Performed ...................................................................... 47
IV.
Other Information Provided by the Retirement Plans Group of
The Hartford……… ........................................................................................................... 48
ƒ Ernst & Young LLP
200 Clarendon Street
Boston, Massachusetts 02116-5072
ƒ
Phone: (617) 266-2000
Fax: (617) 266-5843
www.ey.com
Report of Independent Auditors
Board of Directors
The Hartford
We have examined the accompanying description of controls of the Retirement Plans Group of The Hartford (“the
Retirement Plans Group”) and International Business Machines Corporation (“IBM”), an independent service
organization that provides certain IT support services to the Retirement Plans Group applicable to the processing of
defined contribution and college savings plan transactions for customers of the Retirement Plans Group. Our
examination included procedures to obtain reasonable assurance about whether (1) the accompanying description
presents fairly, in all material respects, the aspects of the Retirement Plans Group’s and IBM’s controls that may be
relevant to a user organization’s internal control as it relates to an audit of financial statements, (2) the controls
included in the description were suitably designed to achieve the control objectives specified in the description, if
those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the
design of the Retirement Plans Group’s controls, and (3) such controls had been placed in operation as of
December 31, 2007. The control objectives were specified by management of the Retirement Plans Group. Our
examination was performed in accordance with standards established by the American Institute of Certified Public
Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable
basis for rendering our opinion.
In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material
respects, the relevant aspects of the Retirement Plans Group’s and IBM’s controls that had been placed in operation
as of December 31, 2007. Also, in our opinion, the controls as described are suitably designed to provide
reasonable assurance that the specified control objectives would be achieved if the described controls were
complied with satisfactorily and user organizations applied the controls contemplated in the design of the
Retirement Plans Group’s controls,
In addition to the procedures we considered necessary to render our opinion as expressed in the previous
paragraph, we applied tests to specific controls listed in our description of the tests of operating effectiveness to
obtain evidence about their effectiveness in meeting the related control objectives, described in our description of
those tests, during the period from January 1, 2007 to December 31, 2007. The specific controls and the nature,
timing, extent, and results of the tests are listed in our description of the tests of operating effectiveness. This
information has been provided to user organizations of the Retirement Plans Group and to their auditors to be taken
into consideration, along with information about the internal control at user organizations, when making
assessments of control risk for user organizations. In our opinion the controls that were tested, as described in our
description of the tests of operating effectiveness, were operating with sufficient effectiveness to provide
reasonable but not absolute assurance that the control objectives specified in our description of those tests were
achieved during the period from January 1, 2007 to December 31, 2007.
A member firm of Ernst & Young Global Limited
1
The relative effectiveness and significance of specific controls the Retirement Plans Group and IBM and their
affect on assessments of control risk at user organizations are dependent upon their interaction with controls and
other factors present at individual user organizations. We have performed no procedures to evaluate the
effectiveness of internal controls at individual user organizations.
The description of the controls at the Retirement Plans Group and IBM is as of December 31, 2007 and
information about tests of the operating effectiveness of specific controls covers the period from January 1, 2007 to
December 31, 2007. Any projection of such information to the future is subject to the risk that, because of change,
the description may no longer portray the controls in existence. The potential effectiveness of specific controls at
the Retirement Plans Group and IBM is subject to inherent limitations and, accordingly, errors or fraud may occur
and not be detected. Furthermore, the projection of any conclusions (based on our findings) to future periods is
subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system
or controls, may alter the validity of such conclusions.
The information in Section IV describing the Retirement Plans Group’s service levels within its customer service
team is presented by the Retirement Plans Group to provide additional information and is not part of the
Retirement Plans Group’s description of controls that may be relevant to a user organization’s internal control.
Such information has not been subjected to the procedures applied in the examination of the description of controls
applicable to the processing of transactions for user organizations, and accordingly we express no opinion on it.
This report is intended solely for the management of the Retirement Plans Group, its customers, and the
independent auditors of its customers.
April 30, 2008
2
SECTION II—INTRODUCTION
Purpose, Scope and Structure of Report
Purpose
This report describes the control structure of the Retirement Plans Group and the support
divisions and areas within The Hartford* that support its operations. It is designed to provide
information for use by customers of The Hartford and their auditors for use in planning an audit
of financial statements of an employee contribution plan that uses the Retirement Plans Group as
a service organization. This report was prepared in accordance with guidance contained in the
American Institute of Certified Public Accountants’ (AICPA) Statement on Auditing Standards
(SAS) 70, Service Organizations and its related interpretations and amendments.
Scope
This report encompasses only the Retirement Plans Group and selected activities performed by
Administrative and Recordkeeping Services, Participant Services, Plan Compliance, and
Document Services and Conversion Services within the Retirement Plans Group for defined
contribution and college savings plans administered on the OmniPlus and SCT Banner systems
and HartfordOnline.
Structure of Report
This section provides an overview of The Hartford and the Retirement Plans Group and an
overview of the operating procedures for each operating unit. Also included are the Retirement
Plans Group’s control objectives, key controls, and a description of the tests of operating
effectiveness performed by Ernst & Young LLP, the independent service auditor. Section III
contains information provided by the service auditor, and Section IV contains other information
provided by the Retirement Plans Group.
Business Overview Prepared by The Hartford
Retirement Plans Group
The Hartford has a long-term performance history, innovative product features, and a history of
strength and stability. The Hartford provides a wide variety of retirement plan services to a large
number of employer-sponsored retirement plans.
Specifically, The Hartford offers plan sponsors the latest technology and paperless
processing to help streamline plan administration:
• E-Enroll – Eliminates paper enrollment forms and improve accuracy
3
•
•
•
•
E-Remittance (for smaller plans) and E-File Submission (for larger plans) – Plan sponsors
can submit contribution data any time via the Internet
E-Payment – Securely transfers assets to improve the cash flow process
E-Compliance – Sponsors can view, edit, validate, and submit year-end census data via the
Internet for annual compliance testing and Form 5500 reporting
Sponsor Tool Box – Online resources and materials are available via HartfordOnline
(retire.hartfordlife.com) to assist with administration functions
In addition to the above online capabilities, the following can be provided to plan sponsors:
• Dedicated plan managers (on most plans)
• Sample installation timelines and notification letters
• Welcome packages and reference materials
• Product and service updates via the Sponsor Insight newsletter
Plan compliance assistance and document services (Corporate Full Service Plans only):
• Annual compliance reporting
• Prototype plan document and plan amendment services
• Periodic legislative updates via the Capitol Correspondent® newsletter
• IRS and DOL filing support
Conversion services:
• A step-by-step Corporate Installation or Government Plan Transition Guide
• Assigned, dedicated installation specialists
• Sample conversion notices and forms
Participants can use the HartfordOnline (retire.hartfordlife.com) website to access their
retirement account information:
• Quarterly statement and newsletter links
• Monthly and annual (if applicable) personalized rate of return
• Educational tools and resources
• Transaction capabilities, including deferrals, elections, transfers, and loans
• Loan information, including early payoff date/amount
• Monthly investment option performance history with benchmark indices
• Asset rebalancing options, if available by plan
• Address verification and change capability
The Hartford also offers to participants:
• 24-hour toll-free telephone support with voice recognition
• Home delivery of their quarterly statement of account and an educational newsletter
• Group enrollment meetings (Corporate plans) or access to education through individual
appointments with Hartford Representatives (Governmental plans)
• Customized enrollment kits
4
The Hartford is the only retirement plan provider to be awarded the prestigious DALBAR*
Retirement Plan Service Award for five consecutive years (2003-2007). The Hartford’s
Retirement Plans Group Call Center Team is recognized for their outstanding commitment to
service excellence. The award, which symbolizes the achievement of the highest tier of service to
customers within the financial services industry, is bestowed only to those firms that exceed
industry norms in key service areas: Accommodation, Attitude, Expertise, Exceeding
Expectations and Call Interrupts.
*DALBAR is an independent, investment industry research firm.
College Savings Plans
The Hartford provides program management services for the West Virginia Prepaid Tuition
Option and the SMART529 College Savings Plan. Services include:
•
•
•
•
•
Professional plan maintenance from experienced service specialists
Online capabilities including enrollment via the Internet, daily valuation, monthly
investment option performance reports, and participant/owner-level reports for the State
Sponsor (WV)
Quarterly account statements for the College Savings product, Quarterly account
statements for the Prepaid product if there has been financial activity, and annual account
statements for both products
Confirmation statements for financial and non-financial activity (excluding electronic
subsequent payments)
Tax reporting (Form 1099-Q)
Please refer to Section IV for a detailed listing of The Hartford’s service standards.
* On October 5, 2007, the servicing of the SMART529 College Savings Program was moved
from the OmniPlus recordkeeping system to TA2000 platform and is not included in the scope of
this report. Management obtained DST SAS 70 report which is available upon request.
Relevant Aspects of the Control Environment, Risk Assessment and
Monitoring
Control Environment
The Hartford’s management philosophy is to create a proper control environment that provides a
high level of confidence to clients that transactions are processed in a timely and accurate
manner. The Company’s control environment reflects the overall attitude and awareness of the
importance of controls to the satisfaction of the customers’ needs and the success of the business.
5
Following is a description of several key elements of the control environment that demonstrates
management’s commitment to financial integrity:
•
The management organization as a whole considers it a top priority to establish a proper
control environment. Appropriate levels of reporting and accountability are created, with
an emphasis on ensuring that each customer transaction is processed in a controlled
manner.
•
Authority and responsibility are assigned to be sure that the proper checks and balances
are in place throughout the organization.
•
Human Resources policies and procedures are established and monitored. Employees are
provided with written job descriptions, explaining responsibilities and duties.
Requirements are established for each position, and the appropriate research is done on
each prospective employee before he or she is offered employment with the organization.
•
Budgets are prepared annually. Variance reports are created on a monthly basis, with
explanations for the variances documented by each manager.
•
Customer satisfaction and service are critical elements to the success of the business.
Plan Managers are assigned to work directly with the clients, addressing any questions or
special requests that may arise.
Risk Assessment
•
Management continually monitors the operating environment to be aware of any changes to
functions or procedures resulting from new workflows, enhancements to existing products or
changes in regulatory requirements. Working closely with the legal and compliance
departments, management is kept advised of any changes and reacts appropriately by
establishing project teams to develop and implement the necessary enhancements in a timely
and efficient manner.
•
System Management representatives participate in various User Group meetings to work with
the system vendors and other users. This interaction allows management to stay current on
new system enhancements and obtain feedback from other users on potential system
efficiencies.
•
Contingency plans are in place to reduce financial risk as the result of unusual events.
Monitoring
Monitoring procedures and reporting are key components that management employs to ensure the
financial integrity of the organization:
6
•
Daily control reports are used to monitor work queues, financial transactions; Suspense
inventories and backdated financial transactions.
•
Cash receipts and disbursement financial transactions are reconciled and balanced on a daily
basis.
•
Error reports are reviewed daily and items are researched and cleared in a timely manner.
•
The organization performs an extensive Sarbanes-Oxley Financial Controls Self-Assessment.
This process includes the documentation and testing of each of the business process controls
and helps to attest to the completeness and accuracy of these controls, which may be
subsequently reviewed by the Internal Audit department.
Internal Audit
The Hartford’s Internal Audit (IA) department consists of experienced personnel with varied
backgrounds, including public accounting, information systems and business unit expertise. The
IA department reports independently to the Audit Committee of the Board of Directors and also
to senior management. Internal auditors have unrestricted access to all areas of the Company.
The activities of IA are conducted in accordance with a formal audit plan, which is developed
with appropriate consideration given to risk exposures, regulatory factors, prior audit results,
external audit findings, and input from management. Audits are conducted using a risk-based
approach. Based on the risk analysis, key objectives are identified and information is gathered on
how management controls risk. Written reports are issued at the conclusion of each audit
summarizing results, including any control issues and related management action plans.
Information and Communication
Description of Information Technology Environment
Hardware/Software Platforms
Retirement plan recordkeeping for allocated plans is performed on the OmniPlus client/server
administration system. OmniPlus was also utilized to recordkeep the detail associated with
College Savings contracts through October 5, 2007. OmniPlus is an industry-standard software
system that is licensed from SunGard Data Systems, Inc.’s Employee Benefits Systems division
(SunGard). The Hartford has implemented the Hewlett Packard (HP) Unix (HP-UX) version of
the SunGard system which supports both the application and the proprietary database. The two
servers used are HP’s high-performance Superdome systems. One server is reserved for
application development and testing and the other server is used for production.
7
The Hartford has recurring responsibility for the State of West Virginia Prepaid Savings Program
that began in 2002. This defined benefit plan required unique systems and recordkeeping
capabilities. The SCT Banner System was installed in The Hartford environment to perform this
recordkeeping. SCT Banner is an industry-standard software system that is licensed from
SunGard Data Systems, Inc.’s Higher Education Division (SunGard). The Hartford has
implemented the Sun Solaris version of the of the SunGuard system. There are two UNIX
Database servers supporting this application; one is reserved for application development and
testing; the other is used for production. Online access to development, test and production
occurs through the ORACLE Forms front-end application. Security is enforced through role
based access at the database level.
The Internet application provides account balance, monthly performance, daily unit values and
news information as well as a means to perform fund transfers, investment allocation changes,
enrollment, deferral changes, and address changes. This functionality is offered to authenticated
participants, plan sponsors, third party administrators, brokers/agents and firms depending on
their level of authorization. Role based authentication is performed through the use of a user id
and personal identification number. By clustering redundant sets of servers in multiple data
centers, each with a separate Internet presence, The Hartford is able to make HartfordOnline
available 24/7. The technology platform is comprised of clusters of Sun Solaris servers, running:
iPlanet Web and Weblogic application, and Oracle database servers. There are four separate
environments: Development, Test, QA-Customer-Acceptance and Production. The production
environment is on its own dedicated set of servers.
The production servers supporting OmniPlus, SCT Banner and Internet applications are located in
the secured data center in Simsbury, CT.
Information Technology Organization and Controls
Organization: The information technology department of The Hartford, although a separate
organizational entity, reports directly into the business line and indirectly to the corporate
Information Technology Group. This model is designed to align business priorities with system
resources and maintain conformance to corporate technology standards.
Within the Information Technology Department for retirement plans, separate teams have been
formed to support the following functions: applications development, quality assurance testing,
data security, project management and production support. This ensures that the appropriate focus
is given to each phase of the project life cycle and that the availability of the system receives
dedicated support.
A consultant resource pool to increase development capacity on an as-needed basis supplements
the information technology staff of The Hartford employees.
8
In April 2007, The Hartford outsourced some of its IT operations such as backups and job
scheduling and monitoring to International Business Machines (“IBM”).
System Development and Maintenance: The Hartford employs a standardized project
methodology that enables consistency of deliverables across all development and maintenance
efforts. Standardized testing methods are used to ensure quality and stability of implementations.
All system changes follow a rigorous release management process, which consists of a controlled
migration through separate test and quality assurance environments prior to production
implementation.
Security: A security administrator appointed by the business line approves and monitors the
security authorization process to ensure that appropriate access rights are granted to all OmniPlus
and SCT Banner users via a secured log-on application. All users of OmniPlus and SCT Banner
must have an appropriate access request form detailing the access rights to be assigned to a user.
This form must be approved by appropriate personnel. Access for terminated employees or
employees who no longer need access to the applications is removed upon notification of
termination or transfer. Data Security and Department Managers within the Retirement Plans
Group perform periodic reviews of Omni and Banner access rights to applications within the
defined contribution processing units.
Physical access to the Simsbury, CT data center is restricted by a card key system controlled by
technical operations.
IT Operations: Production jobs are controlled by Computer Associates’ AutoSys scheduling
product. All scheduling changes are tested and approved according to the standardized release
process prior to implementation. Production support monitors the execution of the scheduled job
flows based on established service levels. Job failures are detected, escalated and appropriate
remediation is performed. In April 2007, job scheduling and monitoring was outsourced to IBM.
The processes and controls around job scheduling and monitoring remained the same, however
certain process and control documentation for job monitoring changed as a result of a transfer of
these functions to IBM’s Brazil unit in September 2007.
All software and data on the client/server systems are backed up daily and stored off-site
periodically. The Hartford uses EMC’s Business Contingency Volume architecture that allows for
real-time backup and recovery capability. Backup failures are monitored, and escalation and
remediation processes and controls are the same as those for production job failures After
software and data have been backed up, back up tapes are logged and maintained in the tape
management system which details the unique tape ID and tape retention schedule, prior to being
shipped to an off-site facility. In April 2007, the tape backup function was outsourced to IBM.
The related processes and controls remained the same. The Company uses Iron Mountain
Incorporated, an external tape storage vendor, for off-site tape storage.
9
Description of Transaction Processing
Corporate Plan Installation
The Plan Installation Team works closely with Hartford Sales Representatives, Pre-sale
Consultants, Brokers and all internal areas to ensure accurate and timely plan set up for both new
start-up plans and conversion business.
Plan Proposal: Plan proposals are initiated by a Sales Representative of The Hartford, who works
closely with a Home Office Pre-sales Consultant to meet client needs. Once the client accepts the
proposal, a New Business Consultant on the Installation Team coordinates all plan set-up and
conversion activities. This includes review of the Application and Sold Case Paperwork for
suitability and accuracy.
Plan Installation: The New Business Consultant works closely with the Regional Sales Director,
Regional Sales Consultant, Financial Advisor(s), Third Party Administrator (if applicable), Plan
Sponsor, and the Installation Specialist to create the project plan for converting the plan and
participant data to the recordkeeping system. The internal team continues to communicate with
the plan’s current provider(s) to ensure that the account records and investment instructions are
transferred accurately. All plan data is tested and quality checked by an independent review team
at several critical points during the transition process.
The Installation Specialist establishes all plan and participant data on the recordkeeping system.
The plan transition is complete once the participant data has received written sign-off from the
Plan Sponsor, has undergone a successful final audit, and with participants having received their
transition confirmation and Welcome letters. The Welcome letters contain a PIN number which
participants may use to introduce themselves to the services offered through The Hartford. At
this time, the plan is passed from the New Business Transition Team to an Ongoing Plan
Manager who is responsible for the ongoing administrative needs of the plan.
Plan Documents: Plan Drafting Specialists prepare all plan documents under the full-service
program. Prototype plans follow either the Ascensus document, formerly BISYS Retirement
Services or the Plan Document Systems (PDS) document from Thompson Hine. Volume
submitter plans follow the Plan Document Systems document. The Plan Drafting Specialist also
creates and modifies the Summary Plan Description and the IRS Form 5307 filing package.
Plan Amendment: The Plan Administrator is responsible for the submission of Amendments to
the Plan Manager. The Plan Manager will then request the plan to be amended by the Plan
Drafting Specialists and ensure that the recordkeeping system is updated appropriately.
10
Government Plan Transition
The Government Plan Transition Team employs a process designed to transition a plan
seamlessly with minimal disruption to the plan sponsor and participants. The Team works
closely with The Hartford Sales Representatives, Sales Support Consultants and all internal areas
to ensure accurate and timely plan set up for both new start-up plans and conversion business.
Plan Proposal: A Sales Representative of The Hartford, who works closely with the Home Office
Proposal Team to meet client needs, initiates Plan proposals. Once the client accepts the
proposal, the Plan Transition Team begins to coordinate all plan set-up and conversion activities.
Transition Project Plan: The Transition Team works with the current provider(s) to understand
their recordkeeping structure and to develop a mutually acceptable transition process and time
table. This way, ongoing payroll contributions are processed timely and liquidation and reinvestment activities are handled efficiently. Once this step has been completed, the team
develops a detailed project plan outlining all the account record transition activities.
Transition Communication Program: The Marketing and Sales Staff designs a communication
program to ensure that participants understand what will happen to their account both during and
immediately following the transition and fund mapping process. A presentation is provided for
participants, either a power point or onsite presentation, to provide a better understanding of both
the transition itself and the ongoing services available to them from The Hartford.
Plan Transition: The New Business Consultant works closely with the Sales Representatives,
National Accounts/Sales Support Consultants, Compliance, Information Technology, Marketing,
Installation Specialist and Plan Management staff to enact the project plan establishing plan and
participant data on the recordkeeping system. The team continues to communicate with the
plan’s current provider(s) to ensure that the account records and investment instructions are
transferred accurately. All plan data for mapped transitions is tested and quality checked at
several critical points during the transition process.
The plan transition is completed once the participant data has undergone a successful final audit
and the participants have received their transition confirmation and Welcome letters. The
Welcome letters contain a PIN number which, upon completion of the transition, participants may
use to avail themselves of all the services available through The Hartford. At this time, the plan
leaves the Transition Team to be serviced by a Plan Manager who is responsible for the ongoing
administrative needs of the plan.
Plan Documents: Plan Drafting Specialists prepare all plan documents at the request of the client.
Custom government plan documents are prepared utilizing the Plan Document System (PDS)
document. The Plan Drafting Specialist also creates and modifies the Summary Plan Description.
11
Plan Amendment: The Plan Administrator is responsible for the submission of Amendments to
the Plan Manager. The Plan Manager will then request the plan to be amended by the Plan
Drafting Specialists and ensure that the recordkeeping system is updated appropriately.
Plan Management
Once the plan has been installed and quality checked, a Plan Manager handles the ongoing
administration. The Plan Manager is a specialist who serves as the primary point of contact with
Plan Sponsors. The Plan Manager is responsible for the overall integrity of the plan’s
recordkeeping and service levels, and is accountable for providing plan service expertise to the
Plan Sponsors. Plan Managers are trained using both internal and external resources and are
encouraged to obtain certain industry certifications.
Call Center
A call center specializing in retirement plans, Hartford World Advantage and The West Virginia
Prepaid Tuition plan is located within the Service Center. The representatives are Series 6
licensed, and all phone calls are recorded to ensure quality, accuracy of information and
exceptional customer service. Participant surveys are conducted on a weekly basis to ensure a
high level of service. The Call center hours for all lines, except Government are 8:00 a.m-7:00
p.m. Eastern Standard Time Monday through Thursday, and Friday, 8:00 a.m.-6:00 p.m. Eastern
Standard Time. The Government call center hours are Monday through Friday 8:00 a.m-8:00pm
Eastern Time.
Plan Recordkeeping
Hartford Life maintains individual accounts for each participant and alternate payee under a
defined contribution plan, tracking employer and employee contributions, withdrawals, loans,
interest earned in fixed-income accounts, investment gain/loss earned under Separate Accounts
and interest paid on participant loans. The Hartford records all transfers between funds and
maintains the contribution allocation percentages chosen by participants or the employer. Policies
and procedures detailing each of these processes, including the crediting of interest and
investment gain/loss, are maintained. The Hartford also maintains individual accounts for each
participant for 529 College Savings Program (through October 5, 2007) and Prepaid Plans,
tracking contributions, withdrawals, rollovers and earnings.
Financial Administration
The Hartford establishes and maintains financial records in accordance with generally accepted
accounting practices and principles, including federal and state income tax withholding. Daily
reconciliation of account balances in accordance with the valuation procedures of each
investment fund is provided. Investment gain/loss is calculated using separate applications within
the recordkeeping system. The participant’s share of the investment experience for each Separate
12
Account in which the participant is invested is calculated using the net asset value of the
appropriate Separate Account. Fixed income account interest is calculated using the fixed rate of
return specified under the contract. Loan interest income is calculated using the outstanding loan
balance and the loan interest rate.
SMART529 College Savings Plan and Prepaid Tuition Option
The Hartford functions as a program manager and works in conjunction with the state sponsor,
West Virginia, to support and maintain the Prepaid and College Savings Plans. The Hartford
maintains individual accounts for each owner and beneficiary by tracking contributions,
distributions, rollovers and earnings. The SMART 529 Savings and 529 Prepaid processing team
focuses on providing superior customer service to our clients by providing efficient and accurate
processing for financial and non-financial transactions. All financial transactions received by The
Hartford that are considered to be in good order by 4:00 PM ET are processed the day of receipt.
The 529 processing team performs all functions related to the receipt, handling, balancing and
reconciliation of incoming funds.
There are two distinct systems used to process financial transactions for 529 Savings and 529
Prepaid. All financial and non-financial transactions for 529 Savings are entered into the
SunGard OmniPlus recordkeeping system and the 529 Prepaid transactions are entered into the
SCT Banner record keeping system. All financial transactions received or distributed by the 529
processing department are reconciled through the 529 Suspense team. The processing team has a
commitment to quality while ensuring business transactions are processed in a timely manner. To
ensure accuracy, team members also conduct quality checks on various financial transactions.
Improvements in servicing our clients are continuously ongoing and communicated to the state
sponsor, West Virginia. Primary management of the accounts is conducted through customer
service representatives and a plan contact. The plan contact is also the liaison with the West
Virginia State Treasurer’s Office.
On October 5, 2007, the servicing of the SMART529 College Savings Program was moved from
Connecticut to Woodbury, Minnesota to better leverage the business and IT platforms. The
SMART529 College Savings Program was discontinued from the OMNI recordkeeping system
and was converted to the TA2000 platform and is not included in the scope of this report.
Management obtained DST SAS 70 report which is available upon request.
Data Submission
The Hartford offers customers multiple automated remittance methods for submitting financial
and nonfinancial data. These options include the Internet and File Transfer Protocol (FTP) with
PGP encryption. Contribution and loan data may be submitted by using our secure website
(http://retire.hartfordlife.com). Clients may choose “E-Remittance” and simply enter the
participants’ dollar amounts on a system-generated template, or choose “File Submit” and upload
13
an MS Excel spreadsheet. Additionally, our on-line “E-Payment” service provides our clients
with a quick and secure way to request an ACH debit from their bank account.
When the client elects to use “File Submit”, The Hartford’s Data Automation Team performs
several tests until both parties are comfortable with the process and format. At that time, the
customer’s contribution file will be released to the ongoing production platform. The application
used in both the testing and production process for “File Submit” files is MigratorPlus. This
system interrogates the data received from the customer for format and validity using certain
edits. This allows The Hartford to immediately identify and react to important issues concerning
the timely processing of data. The E-Remittance process has several built in edits which also
validate data. E-Remittance data is sent directly to OMNI eliminating the use of MigratorPlus.
Following this procedure and the receipt of the customer’s cash remittance, the data file is
released to the record-keeping system’s nightly batch cycle.
Cash Receipts
The Cash Unit performs all functions related to the receipt, handling, balancing and reconciliation
of incoming funds. The operation mirrors many of the functions within a commercial bank’s
lockbox facility and wire transfer unit. The Cash Unit employs many professionals with banking
and accounting backgrounds.
The Document Control Services Unit of the Retirement Plans Group is responsible for the daily
receipt, balancing and control of over $9 billion of annual cash receipts. With the use of an
imaging system, cash system, control batches and management reporting, this team is able to
capture and control incoming work, secure all cash receipts and create the necessary work items
to be processed within the service teams.
Financial Processing
Another team focusing on financial integrity is the Financial Processing Team. The Financial
Processing Team’s primary service responsibility is timely and accurate processing of financial
transactions. Focusing on financial transactions alone allows this team to maintain a processing
discipline resulting in complete and accurate input to the SunGard OmniPlus and SCT Banner
recordkeeping systems.
The financial processing work is segregated in a cumulative work queue. Although centralized,
the team works closely with the Plan Managers to handle each financial transaction individually.
The Service Specialists on the Financial Processing Team take great pride in knowing the plans
they service and their role in satisfying the end customer.
Contributions sent to The Hartford “in good order” before the close of the New York Stock
Exchange (usually 4 p.m. EST) are processed the same day of receipt. Each contribution file
must pass numerous system edits before being accepted. Any request requiring additional
14
information can be routed to the Plan Manager via the Imaging/Workflow system and they will
track the request from original receipt to final completion. Transactions meeting predetermined
thresholds are then quality checked before the system commits them in the evening batch cycle.
Quality checking is completed by an independent team within the Financial Processing unit.
Each contribution posting is confirmed to the Plan Administrator. The confirmation notices
contain the dollar amount posted, date and allocations by source.
Distribution requests are processed through a similar set of edits and quality checks before being
accepted into the recordkeeping system. Signature verification, tax amounts and specific
underwriting checks are performed for each request. Any request requiring additional
information can be routed to the Plan Manager via the Imaging/Workflow system and they will
track the request from original receipt to final completion. The system tracks a request’s path
from original receipt to final completion.
Distributions are processed in the form of a check or wire transfer. Disbursement Approval
Authority procedures require each disbursement to be reviewed and signed off by varying levels
of management dependent on dollar amount. Check-printing and mailing functions are
completely controlled and balanced to ensure quality.
The Financial Processing Team consists of specialists who have obtained internal training on cash
and disbursement processing.
Suspense and Reconciliation
The Suspense and Reconciliation team maintains the inventory of the Premium and Disbursement
Suspense accounts. An automated accounting and reconciliation system (RECON) provides the
tools necessary to ensure financial integrity is maintained. RECON also provides the Service
Center inquiry and reporting capabilities to track Suspense transaction history by plan. Each
transaction related to “money in” or “money out” of a plan is reconciled through Suspense to the
record keeping and banking systems to ensure soundness.
The Suspense team in conjunction with the Plan Managers, NIGO, and Financial Processing
Teams review suspense items daily. Management’s daily review of outstanding balances
emphasizes the top-down commitment made to financial integrity.
Management Reporting
Ensuring financial integrity of the plan assets we service is a paramount order at The Hartford.
The financial systems, workflows and teams we have assembled are secured to a solid foundation
built on the principles of accounting and financial control.
15
Daily reports of cash receipts, financial transactions and Suspense are some of the tools used by
The Hartford’s senior management to ensure we are maintaining the service standards which
make us a leading service provider.
Work Imaging Queues: The imaging technology allows for the efficient processing of
transactions. The Company maintains a same-day turnaround time for all incoming mail. The
imaging and workflow system allows us to monitor work queues for productivity and produce
statistical reports used in measuring results. Each day a voicemail is sent to the Service Center’s
management staff providing summary of the outstanding queue items and their status.
Suspense Reports: All incoming and outgoing financial transactions run through the Suspense
system. The system serves as an excellent tool to track open items, status comments and history
of cleared items. Each day, the Suspense inventories are reported in scorecard format.
Supporting detail reports are also distributed daily for continuous working.
Gain/Loss: Any backdated financial transaction is captured in the Gain/Loss tracking process.
This daily effort includes identifying the cause for backdate. Causes are trended and researched
for improvements we can make towards eliminating the causes. Performance is measured and
tracked towards a continuous improvement of previous results.
Cash Receipts: The internal lockbox operation prides itself on same-day balancing. The Cash
Unit provides very valuable information of the day’s receipts and how it trends over time. A
daily voicemail to management and supporting e-mail breaks down receipts from the various
product lines.
Error Reports: Various error reports are used within the Service Center to ensure the financial
integrity of the transaction processing. System logic identifies items that fall outside certain edits
and/or are deleted for processing. Each item is reviewed and investigated for resolution.
Statements
As part of the service offerings to plan sponsors, The Hartford mails statements on a quarterly
basis directly to participants. The statement includes detailed information such as participant
account balances by source and investment, performance, informational plan messages, allocation
analysis and relevant newsworthy information. The Hartford utilizes the services of a vendor in
each of the business lines, to provide these statement services. Additionally, the plan sponsor is
provided with a summary of all their participant accounts on a quarterly basis. These summaries
are produced and displayed on the Internet for plan sponsors. A copy will be mailed to plan
sponsors. The Hartford’s service standards dictate that participant statements and plan summaries
are provided within ten business days after quarter end.
In order to assure that the process is timely and accurate, a number of internal controls are
maintained to support the process. A full time statement coordinator facilitates the process. The
16
statement coordinator works in tandem with the plan managers, technology counterparts and
vendors to execute the processes.
The statement process is fluid with many of the necessary activities occurring throughout the
quarter. Plan Managers begin to retrieve specific informational messages from plan sponsors and
the statement coordinator begins to retrieve standard messages that will appear on all statements.
Before messages appear on a statement, they are reviewed and approved by a committee at The
Hartford that is comprised of business, marketing and legal representation. The Message Board
file is transmitted to the vendor during the last week of the quarter-end and a Message Board
proof is returned for sign-off. For the Government line of business the Message Board Program
is downloaded to the mainframe in order to be incorporated with the quarter end feeds for
statements. The Performance file of our funds is sent electronically to the vendor on the next day
following quarter end. The vendor merges all files and an intense quality assurance process is
undertaken prior to The Hartford’s sign off which initiates the production of the participant
statements.
In our Corporate area, plan managers ensure that each plan is in good order. There are system
generated reports produced prior to quarter end to validate accurate information on the participant
and plan sponsor statements such as the last statement run date report as well as multiple
statement “test runs” consisting of total reports and error reports for all active plans. It is the
responsibility of the plan managers to review and correct any errors. The statement coordinator
validates that all errors have been addressed. For Government, the statement coordinator quality
checks specific output and signs off at quarter end before the statement files are sent to be printed
and mailed.
Quarterly participant and plan statement of account files are generated when the quarterly
statement process is executed on the night of the last business day of each quarter. Several files
and reports are created from the process: the Plan and Participant files, the Master Statement
extract report, Plan and Participant Common Error Reports and the Plan and Participant Common
Control Reports citing quantities produced. These reports are used to verify the accuracy of the
quarterly statement run. The statement coordinator reviews these reports and distributes the error
reports to the plan managers for error resolution.
The Participant Statement file is transmitted to the vendor after the statement process executes.
The vendor creates statements by combining data from the Participant Statement file, the
Message Board file and the Performance file. The vendor mails statements directly to
participants and plan sponsors within 10 business days after quarter-end.
Currently, participant statements are produced in hard copy. The vendor also produces a PDF file
for each statement run, which The Hartford uploads to the Internet site. This process allows
participants, plan sponsors, and Service Center staff to access statements once the appropriate
security clearance has been achieved.
17
Training
The Training Team is responsible for all department new hire training and most existing staff
training. The team is made up of a group of extremely experienced people in the qualified
retirement services industry.
The new hire training program is six weeks in duration and includes qualified plan administration
training, product training, high-level systems training, customer service/call center training and
guest presenters. Assessments are held throughout the training program. Progress report meetings
are conducted with the new staff and area management during and at the conclusion of the
program.
The team holds training modules on a variety of topics for existing staff throughout the year.
These classes are designed to provide more in-depth product and plan knowledge, updates to
product/system enhancements, and skills and competency building.
The Training Team also has multiple resources dedicated to maintaining an on-line reference
application that houses procedures, reference material, forms, letters, and training
communications. They ensure that procedures and documentation are consistent in format, easily
accessible and updated for the department by a review board made up of training team and
business personnel.
Compliance Reporting (Corporate full service plans only)
Compliance with Internal Revenue Service (IRS), United States Department of Labor (USDOL)
rules and regulations, and reporting and disclosure requirements of the Employee Retirement
Income Security Act (ERISA) is necessary to maintain the tax-exempt status of a retirement plan.
Plan Sponsors are encouraged to obtain a Letter of Determination that demonstrates the plan
document, as written, complies with all applicable requirements of the Internal Revenue Code
(IRC). Tax-exempt status further depends upon compliance with the IRC in the administration of
the retirement plan’s written provisions. As a service to clients, The Hartford will prepare IRS
Form 5500, Return/Report of Employee Benefit Plan, and provide testing support services.
As a plan’s reporting anniversary approaches, The Hartford provides the Plan Sponsor a data
collection package either in printed form or via an on-line facility through a secured website on
the Internet. This process enables participant census information to be updated. Once this data is
verified and the plan’s provisions are reviewed, the data is loaded onto Hartford’s recordkeeping
system.
Testing is performed demonstrating activity of the plan subject to the limits imposed by IRC
§401(k), §401(m), §402(g), §415, §401(a)(17), §401(a)(26), §410(b) and §416. Testing is
completed using the optimal approach, as permitted by regulation, which may produce the most
18
favorable results. Those results are posted to the Plan Sponsor’s website and are available to be
printed or are printed and mailed to those Plan Sponsors not using the web. Details of failures are
provided to Plan Sponsors not using the Internet, for authorization of any corrective measures that
may be necessary and for maintaining as part of official plan records. Plan Sponsors using the
Internet authorize corrective action on-line. Copies of their test results may be printed, and are
also archived on-line for future reference.
The same data collection package requests information from the Plan Sponsor for the completion
of Form 5500. This data is combined with financial activity reported by Hartford’s
recordkeeping system. This information is entered into a PC-based software program licensed
from SunGard Corbel. The software produces the actual IRS form. The forms, including
applicable attachments, are checked for accuracy before they are assembled with financial reports
and sent to Plan Sponsors. The Hartford provides a signature-ready Form 5500 to the Plan
Sponsors; however, the Plan Sponsor is ultimately responsible for the accurate and timely filing
of Form 5500 with the IRS.
19
Client Control Considerations
The Retirement Plans Group’s processing of transactions for client’s plans and its controls cover
only a segment of the overall control structure. The Hartford’s clients perform other controls. It is
not feasible for all of the control objectives relating to the processing of retirement plan
transactions to be completely achieved solely by the Retirement Plans Group. Therefore, each
Sponsor’s controls must be evaluated in conjunction with The Hartford’s controls and testing
thereof, as summarized in Sections II and III of this report.
Accordingly, the following information should be considered by defined contribution retirement
plan sponsors and their auditors when making assessments of control risk. Certain other control
objectives applicable to the retirement plan processing system may be defined by individual plan
sponsors and must be achieved solely by the sponsor:
•
Each retirement plan sponsor is responsible for establishing control procedures to ensure that
the following information sent to the Retirement Plans Group is complete, properly
authorized and in accordance with their specific plan’s requirements/criteria:
•
•
•
•
Initial enrollment data
Modifications to participant data
Contribution and loan repayment information
Disbursement requests
•
The modification of participant investment option data automatically generates a printed
confirmation that is sent to the participant. The participants are responsible for reviewing, and
for communicating any discrepancies noted to The Hartford.
•
On a quarterly basis (unless otherwise directed), participant-level and plan-level statements of
account are generated. The plan sponsor is responsible for (1) reviewing the plan-level
reports for completeness and accuracy, and (2) communicating any discrepancies to the
Retirement Plans Group. The Retirement Plans Group mails statements directly to the plan
participants, and plan-level reports are put on the Internet unless otherwise requested by the
Plan Administrator.
20
Control Objectives, Controls Specified by the Retirement Plans Group
and Tests of Operating Effectiveness Performed and Results of Testing
Recordkeeping/Plan Administration
Control Objectives
Controls provide reasonable assurance that:
1. plan and participant/owner and beneficiary records are accurately and timely established and
appropriately authorized (includes new client installation);
2. employee benefit plan accounts are administered in accordance with the plan document and
ERISA, USDOL and IRS regulations, and participant records are maintained in accordance
with applicable laws and regulations;
3. changes to plan and participant records are properly authorized, accurate and processed
timely (allocation percentages, address changes, etc.);
4. cash movements (e.g., contributions, loans, terminations, etc.) are authorized, accurate and
timely reconciled to recordkeeping and custodial records;
5. investment activities (including trades, dividend, income distributions, short-term
investments, gains, losses and expenses, etc.) are authorized, processed accurately, allocated
in accordance with plan documents, and timely reconciled to cash and custodial records;
6. plan sponsor and participant reports are timely generated in accordance with predetermined
schedules.
21
Control Objective 1:
Controls provide reasonable assurance that plan and participant/owner and beneficiary
records are accurately and timely established and appropriately authorized (includes new
client installation).
Controls Specified by
The Hartford
The installation teams work to create
the plan and participant-level records
according to the plan document and
the agreed-upon plan implementation
schedule. Once established, testing
is performed, and any differences are
identified and resolved.
Ernst & Young LLP Tests
Results of Testing
Made inquiries of Installation No exceptions noted.
personnel
to
ascertain
their
understanding of, and compliance
with, the controls followed to
establish
participant
records
accurately and timely.
For a sample of plans implemented No exceptions noted.
during the examination period,
inspected supporting documentation
and correspondence to determine that
the plan was established accurately
and timely, and that the plan
implementation was authorized by
the plan sponsoring organization.
22
Control Objective 2:
Controls provide reasonable assurance that employee benefit plan accounts are
administered in accordance with the plan document and ERISA, USDOL and IRS
regulations, and that participant records are maintained in accordance with applicable
laws and regulations.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
Upon plan setup, the plan sponsor,
based upon their plan agreement,
chooses certain options within the
participant recordkeeping system.
These key options may include
(among
others):
investments
elections, availability of loans, and
withdrawal options.
Made inquiries of Compliance No exceptions noted.
personnel
to
ascertain
their
understanding of, and compliance
with, the controls followed relating to
certain
regulatory
or
plan
requirements.
Certain plan, ERISA, USDOL and
IRS regulations are built into The
Hartford’s “prototype” plan. Plan
sponsors that do not utilize the
“prototype” plan must obtain IRS
qualification
before
the
plan
completes the installation process.
(Corporate programs only)
For a sample of plans implemented No exceptions noted.
during the examination period,
inspected supporting documentation
and correspondence to determine that
the plan was adopted as a Hartford
“prototype” plan, or if not, that
appropriate IRS approval was
obtained.
A quality review is performed to
ensure that plan and regulatory
requirements are properly reflected in
the OmniPlus and SCT Banner
applications.
For a sample of plans implemented No exceptions noted.
during the examination period,
inspected supporting documentation
and correspondence to determine that
the selected plan options and
regulatory
requirements
were
properly reflected in the OmniPlus or
SCT Banner application and quality
reviews were performed.
23
Control Objective 3:
Controls provide reasonable assurance that changes to plan and participant records
(e.g., allocation percentages, address changes, etc.) are properly authorized, accurate
and processed timely.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
File
Maintenance
transactions
(including enrollments, allocation
percentages, address changes and
other nonfinancial changes) are
appropriately authorized by the plan
sponsor or participant.
These
transactions are input, edited,
independently checked for accuracy
and restrictions with respect to the
plan rules, and then posted to
participant accounts.
Made inquiries of recordkeeping No exceptions noted.
personnel
to
ascertain
their
understanding of, and compliance
with, the controls followed to
authorize and process participant
transactions timely.
Daily participant transactions, as
recorded in the OmniPlus system,
are confirmed directly with the
participant by written confirmation
that is automatically generated after
the daily processing. Discrepancies
are timely resolved.
For a sample of participants, plans No exceptions noted.
and days, selected a variety of
transactions
and
inspected
supporting
documentation
for
authorization, accuracy and timely
processing. Also, inspected the
confirmation sent to participants for
agreement with OmniPlus.
PINs are used to ensure that VRU Tested the VRU and Internet by No exceptions noted.
and Internet transactions can only be attempting access without a valid
and
attempting
invalid
processed by authorized individuals. PIN
transactions,
noting
that
unauthorized attempts and invalid
transactions were appropriately
denied.
For a sample of authorized, valid No exceptions noted.
transactions, noted that OmniPlus
appropriately
reflected
each
transaction processed through the
VRU, and that a confirmation for
each transaction was produced.
24
Control Objective 3
(continued):
Controls provide reasonable assurance that changes to plan and participant records (e.g.,
allocation percentages, address changes, etc.) are properly authorized, accurate and
processed timely.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
(See control on previous page)
For a sample of authorized, valid No exceptions noted.
transactions, noted that OmniPlus
appropriately
reflected
each
transaction processed through the
Internet, and that a confirmation for
each transaction was produced.
An independent third party performs
a monthly quality review by
randomly selecting a sample of calls.
These calls are measured against the
standards that are set by the
independent third party. The quality
team and managers review the
independent report each month with
the
Customer
Service
Representatives
and
provide
coaching based on the results.
For a sample of months, inspected No exceptions noted.
the report provided by a third party
service provider to determine the
calls
were
consistent
with
management’s procedures.
An internal quality check is
performed monthly where a sample
of calls, for each call center
representative is randomly selected
using a QA tool and reviewed for
consistency with management’s
policies and procedures. The number
of calls selected for service quality
monitoring is done based on the
respective call center representative’s
historical average over a three month
period. A financial quality review is
performed during the internal quality
check for those calls where trades
were performed to evaluate the
accuracy of the information entered
For a sample of monthly reviews, No exceptions noted.
inspected documentation evidencing
that Management performed the
internal quality review.
25
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
into the system.
Reports (including confirmation
letters, statements of account, etc.)
are generated timely using the
applicable participant recordkeeping
system and mailed to the plan
administrator and/or participant.
Discrepancies are resolved timely.
Inspected the production of quarterly No exceptions noted.
statements of accounts (at both plan
and participant levels) on a test basis,
noting that they were generated
timely, and any potential errors were
resolved timely.
26
Control Objective 4:
Controls provide reasonable assurance that cash movements (e.g., contributions, loan
repayments, etc.) are authorized, accurate and timely reconciled to recordkeeping and
custodial records.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
Contributions and Loan Repayments
are received from, and authorized by,
the plan administrator or participants.
These transactions are input, edited,
independently checked for accuracy
and restrictions with respect to plan
rules, and then posted to participant
accounts.
A reconciliation of investment values
(dollars and units) is performed
between
the
participant
recordkeeping system, and the
investments system on a daily basis.
Made inquiries of recordkeeping No exceptions noted.
personnel
to
ascertain
their
understanding of, and compliance
with, the controls followed to
authorize and process participant
transactions timely.
A reconciliation of investment values
(dollars and units) is performed
between
the
participant
recordkeeping system and external
trustee investment information on a
daily basis.
For a sample of days during the No exceptions noted.
examination period, inspected the
reconciliation of the total assets per
the OmniPlus system to the bank
accounts, noting that all reconciling
items were resolved and cleared
timely.
All cash and premiums received are
reconciled automatically between the
participant recordkeeping system and
the general ledger. Any items not
reconciling are captured as Suspense
items, and are cleared accordingly
and timely.
Selected a sample of external trustee No exceptions noted.
cases for a sample of days, and
inspected the asset reconciliations,
noting that differences were resolved
timely.
For a sample of contributions and No exceptions noted.
loan
repayments,
inspected
supporting
documentation
to
determine that transactions were
authorized and posted accurately and
timely.
Also,
inspected
confirmations sent to participants for
agreement to OmniPlus.
Reports (including confirmation Inspected a sample of daily and For two of 60 items sampled, the
letters, statements of account, etc.) monthly premium Suspense reports, items were not cleared timely as
27
Controls Specified by
The Hartford
Ernst & Young LLP Tests
are generated timely using the
applicable participant recordkeeping
system and mailed to the plan
administrator and/or participant.
Discrepancies are resolved timely.
noting fluctuations and overall
reasonableness of items in Suspense.
For a sample of items in premium
Suspense, determined that Suspense
items were cleared in a timely
manner.
Inspected the production of quarterly
statements of account on a test basis,
noting that they were generated
timely, and any potential errors were
resolved timely.
28
Results of Testing
established
guidelines
by
The
Hartford’s
Management’s Response:
The failure to clear two suspense
items, one (1) from Premium
suspense and one (1) from
Disbursement suspense, were the
result of a gap in workflow. To
prevent situations like this from
occurring in the future, the following
control has been put into place. Once
the processing of refund tasks has
been completed by the cash team, an
additional step has been added to
send an e-mail confirmation from the
Cash team to the Suspense Mailbox.
This e-mail will document which
items were refunded which items
were applied, and identify any items
that require further research. This
additional step will serve as a
reconciling tool for suspense staff
members allowing them to track
transactions through the entire
workflow ensuring timely closure.
Control Objective 5:
Controls provide reasonable assurance that investment activities (including trades,
dividend and income distributions, short-term investments, gains, losses and expenses,
etc.) are authorized, processed accurately, allocated in accordance with plan
documents, and timely reconciled to cash and custodial records.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
Daily asset valuations, including the
investment return and expenses for
that plan, are received from the
appropriate Hartford department.
The investment returns and expenses
are allocated to participant records
by the participant recordkeeping
system according to the plan
document.
Made inquiries of participant No exceptions noted.
services personnel to ascertain their
understanding of, and compliance
with, the controls followed to
accurately process and allocate
investment returns and expenses
timely.
A reconciliation of investment
values (dollars and units) is
performed between the participant
recordkeeping system, and the
investments system on a daily basis.
For a sample of days during the No exceptions noted.
examination period, inspected the
reconciliation of invested assets
(dollars and units) per OmniPlus to
the investment subsidiary system,
including error reports, noting that
potential errors were resolved in a
timely fashion.
A reconciliation of investment
values (dollars and units) is
performed between the participant
recordkeeping system and external
trustee investment information on a
daily basis.
For a sample of plans and periods, No exceptions noted.
inspected the roll-forwards of assets
(dollars and units) performed by
case management personnel.
A reconciliation/comparison of
subaccount shares and rates versus
investment objects is performed on a
daily basis.
For a sample of days during the No exceptions noted.
examination
period,
inspected
investment object reconciliations
noting resolution of any variances.
the
production
of No exceptions noted.
Reports (including confirmation Inspected
letters, statements of account, etc.) quarterly statements of account on a
are timely generated using the test basis, noting that they were
29
Controls Specified by
The Hartford
Ernst & Young LLP Tests
applicable participant recordkeeping generated timely, and any potential
system and mailed to the plan errors were resolved timely.
administrator and/or participant for
review. Discrepancies are resolved
timely.
30
Results of Testing
Control Objective 6:
Controls provide reasonable assurance that plan sponsor and participant reports are
timely generated in accordance with predetermined schedules.
Controls Specified by
The Hartford
Quarterly statements of account
reports are timely generated and
mailed to the plan administrator and
participants. Plan managers review
error reports to ensure statement
completeness
and
accuracy.
Discrepancies are timely resolved.
Ernst & Young LLP Tests
Results of Testing
Inspected the production of quarterly No exceptions noted.
statements of account on a test basis
to determine they were timely
generated, any errors identified were
resolved timely and statements
mailed to the plan administrator and
participants timely.
31
Defined Contribution Benefit Payments
Control Objectives
Controls provide reasonable assurance that:
1. defined contribution benefit plan payments are properly authorized, accurate and timely
processed in accordance with plan documents and plan sponsor and participant instructions;
2. access to a participant’s benefit plan payment records, cash disbursement records and
unissued check stock is controlled to prevent or timely detect unauthorized or duplicate
payments;
3. applicable withholding taxes are accurately processed and reported.
32
Control Objective 1:
Controls provide reasonable assurance that defined contribution benefit plan payments
are properly authorized, accurate and timely processed in accordance with plan
documents and plan sponsor and participant instructions.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
When the plan is installed on
OmniPlus,
specific
benefit
provisions are coded into the
system, which determines that
benefit payments are processed in
accordance with the Plan provisions.
Made inquires of Participant No exceptions noted.
Services and Case Management
personnel
to
ascertain
their
understanding of, and compliance
with, the controls followed to
properly determine, authorize and
post
benefit
payments
and
participants record changes.
Scheduled
disbursements
are
automatically generated by the
OmniPlus system from information
input at the time of account setup, or
through subsequent amendments.
For a sample of plans established No exceptions noted.
during the examination period, noted
that the coding of benefit provisions
on the OmniPlus system was in
accordance with the Plan.
Unscheduled disbursements require
a written request. Independent
review is performed to determine
that the disbursement is processed in
accordance with request.
For a sample of participants, No exceptions noted.
inspected appropriate supporting
documentation
for
selected
scheduled
and
unscheduled
disbursements, noting: (1) proper
authorization for plan payments; (2)
reconciliation of OmniPlus system
to participant supplied information;
(3)
independent
review
of
disbursement
information
was
performed; and (4) mailing of
confirmation letters to the plan
administrator for review.
All disbursements are reconciled
automatically
between
the
participant recordkeeping system
and general ledger. Any items that
do not reconcile are captured as
disbursement Suspense items, and
Inspected a sample of daily and
monthly disbursement Suspense
reports, noting fluctuations and
overall reasonableness of items in
Suspense. For a sample of items in
disbursement Suspense, determined
33
Refer to results of testing for
Recordkeeping Control Objective 4
(combined with testing performed
for premium Suspense).
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
are cleared accordingly and in a that Suspense items were cleared in
a timely manner.
timely fashion.
Participant Services representatives
review
participant
setup/modification forms, reject
unauthorized data entry forms and
notify participants if the form is not
acceptable due to the absence of an
authorized signature.
For a sample of participant benefit No exceptions noted.
transactions, inspected supporting
documentation,
indicating
appropriate signatures of plan
administrator and participant, and
indication of review and approval
before transaction was processed on
the OmniPlus system.
34
Control Objective 2:
Controls provide reasonable assurance that access to a participant’s benefit plan
payment records, cash disbursement records and unissued check stock is controlled to
prevent or timely detect unauthorized or duplicate payments.
Controls Specified by
The Hartford
A monthly inventory of unissued
checks
is
performed
and
independently
reviewed
by
designated personnel.
Unissued
checks are stored in the Computer
Operations vault that is accessed
under dual control, and access is
restricted to authorized personnel.
Ernst & Young LLP Tests
Results of Testing
Made inquiries of Participant No exceptions noted.
Services and Cash Disbursement
personnel
to
ascertain
their
understanding of, and compliance
with, the controls followed to
prevent or detect unauthorized or
duplicate payments.
Examined and observed procedures No exceptions noted.
over check security to determine that
physical controls were present and
operational. Inspected the periodic
check inventory documentation to
ascertain that check usage was
accounted
for
properly
and
independently reviewed.
Responsibilities for benefit payment Refer to testing performed for IT No exceptions noted.
reconciliation, recording of benefits Control Objectives 1 and 3.
and maintenance of participant files
are defined and segregated by
function.
35
Control Objective 3:
Controls provide reasonable assurance that applicable withholding taxes are accurately
processed and reported.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
Using the OmniPlus system,
disbursements subject to tax
withholding are identified, and the
proper amount of taxes is withheld
in accordance with applicable laws
and
participant
withholding
instructions.
Made inquiries of Participant No exceptions noted.
Services personnel to ascertain their
understanding of, and compliance
with, the controls followed to
withhold taxes accurately and remit
them timely.
Individual disbursement transactions
are entered into the OmniPlus
system based upon participant
instructions,
and
subsequently
verified through independent review
for
accuracy,
including
taxwithholding
review.
Any
discrepancies are reversed and
identified on disbursement Suspense
reports, and cleared accordingly.
For a sample of participants and
days, inspected the appropriate
OmniPlus system’s supporting tax
withholding documentation for
scheduled systematic withdrawals
and
unscheduled
disbursement
requests, noting: (1) accurate
withholding and timely remittance
of taxes; (2) independent review of
disbursement information (including
tax withholding information) was
performed; (3) withholding taxes
were properly processed; and (4)
confirmations
sent
to
plan
administrators properly reflected
Federal and State withholding.
A reconciliation of total Federal and
State withholding is performed
between the ADS check system and
DISC tax reporting system at year
end prior to printing participant tax
statements (i.e., Form 1099R,
1099Q, W-2) and forms entered into
Inspected the year-end reconciliation No exceptions noted.
of withholding totals between the
ADS and DISC systems, including
error
reports,
noting
timely
resolution of potential errors, and
proper and timely generation of tax
statements.
36
For one of 40 sample items tested,
the
appropriate
amount
of
withholdings
was
not
taken
according to the disbursement
request.
Management’s Response:
The failure to process the
appropriate
amount
of
tax
withholdings on this request was an
oversight on the part of the
processor who completed the
transaction. The process followed to
complete this request aligns with
established processing procedures
and quality thresholds. To prevent a
situation like this from occurring in
the future, refresher training was
conducted with the processing
teams.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
DISC are matched to total forms
printed/mailed.
37
Results of Testing
Control Objective 3
(continued):
Controls provide reasonable assurance that applicable withholding taxes are accurately
processed and reported.
Controls Specified by
The Hartford
Tax forms are mailed to the
necessary participants by January 31
following the year end, and to the
IRS throughout the year.
Ernst & Young LLP Tests
Results of Testing
For a sample of participants, traced No exceptions noted.
and substantiated information from
their year-end tax statement (Form
1099R, etc.) to the OmniPlus
system’s supporting tax withholding
documentation.
For a sample of remittance periods No exceptions noted.
(daily, weekly, monthly and
quarterly), inspected federal and
state withholding documentation for
proper and timely remittance of
withholding taxes in accordance
with
appropriate
remittance
schedules.
A reconciliation of non-W-2 tax Inspected the year-end reconciliation No exceptions noted.
withholding for Form 945 is for Form 945 tax withholding,
performed throughout the year, and noting its accuracy and timely filing
of Form 945.
tied to the final Form 945 filed.
Refer to controls specified for IT Refer to testing performed for IT No exceptions noted.
Control Objectives 1, 2 and 4.
Control Objectives 1, 2 and 4.
38
Information Technology
Control Objectives
Controls provide reasonable assurance that:
1. access to production programs and data files is restricted to appropriately authorized
personnel;
2. application software changes, are authorized, tested and approved prior to implementation,
using standard development processes;
3. applications and data have been periodically backed up and that information technology
equipment and media used for production processing and information storage are physically
secured from unauthorized access, and that environmental safeguards are in place to protect
the data centers from damage;
4. processing is appropriately scheduled, and deviations from scheduled processing are
identified and resolved timely.
39
Control Objective 1:
Controls provide reasonable assurance that access to production programs and data files
is restricted to appropriately authorized personnel.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
The IT Department is organized to
provide effective segregation of
duties that is reinforced by security
access rights.
Inspected IT organizational charts to
ascertain they are maintained
current, properly reflect the actual
reporting structure and environment,
and reflect appropriate segregation
of duties.
Certain developers have update
access to the Internet application
production environment. Tests of
change management controls, which
included the Internet application
changes, did not indicate instances
of unauthorized production changes.
Made inquiries of appropriate IT
personnel
regarding
their Management’s Response:
understanding and effectiveness of Management acknowledges that
some Internet developers have
the segregation of duties within IT.
access to production.
Through
proper logging and controls it is
believed that the overall risk is
sufficiently mitigated.
Omni and Banner application access
rights are granted in accordance with
the
requested
access
rights
documented in the standard Security
Request Form, which is approved by
authorized personnel. Access rights
are removed upon notification to IS
Security of employee termination or
transfer.
.
For a sample of new users and users No exceptions noted.
that changed departments, inspected
applicable
documentation
to
ascertain that access was granted in
accordance with the requested
access rights documented in the
standard Security Request Form and
approved by authorized personnel.
For a sample of terminated
employees, inspected applicable
documentation to ascertain that
access rights were removed upon
notification of termination or
transfer
to
the
Security
Administration group.
40
Controls Specified by
The Hartford
Data Security and Department
Managers within the Retirement
Plans Group perform periodic
reviews of Omni and Banner access
rights to applications within the
defined contribution processing
units.
Ernst & Young LLP Tests
Results of Testing
Inspected the results of the periodic No exceptions noted.
reviews of access rights as well as
the resulting access change requests
and corresponding access rights to
ascertained that identified changes
had been made.
41
Control Objective 2:
Controls provide reasonable assurance that application software changes are authorized,
tested and approved prior to implementation, using standard development processes.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
For application software, a standard
development process is used,
including
standard
testing
procedures and the movement of
changes
to
production
after
authorization by the business unit.
For operations systems software,
upgrades are discussed with the
application software support teams
to determine the impact on their
systems.
Made inquiries of appropriate IT No exceptions noted.
personnel
to
ascertain
their
understanding of, and compliance
with,
the
standard
systems
development processes and controls.
Testing and production
environments are segregated.
Made inquiries of appropriate IT No exceptions noted.
personnel and observed applicable
system evidence to ascertain that
testing and production environments
are segregated.
Authorization for movement to the
production environment is made by
the Operations Manager prior to
implementation.
For a sample of program changes No exceptions noted.
implemented during the examination
period,
inspected
applicable
documentation to ascertain that a
standard development process was
used, and that moves into production
were tested, accepted by business
users and authorized by the
Operations Manager prior to
implementation, in accordance with
established controls.
42
Control Objective 3:
Controls provide reasonable assurance that applications and data have been periodically
backed up and that information technology equipment and media used for production
processing and information storage are physically secured from unauthorized access,
and that environmental safeguards are in place to protect the data center from damage.
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
Daily backups are performed for
applications and data; the backup
tape volumes are logged in the tape
management
system
and
periodically rotated off-site.
Made inquiries of appropriate IT
personnel
regarding
backup
procedures to ascertain that daily
tape backups are performed for
application and data. For a selection
of dates and tapes, obtained and
inspected evidence to ascertain that
tapes are logged into the tape
management system.
Two of 31 tapes created from a
sample of 25 production dates were
not logged into the tape management
system and were not rotated off-site.
Data center access is controlled by
computerized card key access.
Card key access is granted only
upon receipt of a standard data
center request form, and revoked
upon receipt of a standard data
center access revocation form.
Management Response:
The failure to rotate the tapes
identified was the result of a
procedural error. The eMedia
transport team will work to issue a
communication that reinforces the
procedures that must be followed for
tape rotation. As a mitigating
control, the eMedia team will
require that QA measures will occur
on a regular basis to verify that tapes
are being rotated as expected.
Made inquiries of appropriate IT and No exceptions noted.
facilities personnel regarding their
understanding of, and compliance
with, physical access controls over
the data center.
Observed that card key readers were
in place and appropriately restricting
access to the data center.
For a sample of personnel with new
access to the data center, inspected
the access request forms to ascertain
that requests were appropriately
approved.
43
Controls Specified by
The Hartford
Ernst & Young LLP Tests
Results of Testing
For a sample of quarters, inspected
evidence to ascertain that a periodic
review of data center access was
completed and that the requested
actions were performed. Inspected a
sample of terminated IT personnel to
ascertain that they did not appear on
the quarterly active user report.
Environmental safeguards exist
within the data center to protect it
from damage that includes raised
flooring,
temperature/humidity
control, fire suppression, and smoke
and water detectors.
Made inquiries of appropriate IT No exceptions noted.
personnel
regarding
their
understanding of environmental
safeguards that exist within the data
center, and observed environmental
safeguards in place.
44
Control Objective 4:
Controls provide reasonable assurance that processing is appropriately scheduled, and
deviations from scheduled processing are identified and resolved timely.
Controls Specified by
The Hartford
Scheduling requests and changes are
added to the scheduler only upon
completion and approval of a
standard scheduling request form by
an authorized representative.
Ernst & Young LLP Tests
Results of Testing
Made inquiries of appropriate IT No exceptions noted.
personnel
regarding
their
understanding of, and compliance
with, procedures for handling
Autosys scheduling requests.
For a sample of schedule changes
during the examination period,
inspected applicable documentation
to
ascertain
that
proper
authorizations were appropriately
received.
Deviations from scheduling (e.g.,
production job errors, failed
backups) are identified by operators.
Appropriate production personnel
are notified of any problems for
resolution; corrective action is
performed and documented.
Made inquiries of appropriate IT No exceptions noted.
personnel
regarding
their
understanding of, and compliance
with, procedures for identifying and
resolving deviations to scheduled
processing.
For the period of January 1 through
September 16, 2007, inspected a
sample of daily shift turnover logs to
ascertain that the errors unresolved
during the shift were logged in the
shift turnover log and that the
corrective action was documented.
For the period of September 17
through December 31, 2007,
inspected a sample of scheduled job
failures
and
corresponding
corrective action documentation to
ascertain that errors were identified
and resolved.
45
III. Information Provided by the Independent Auditor
Objectives and Scope of the Examination
This report is intended to provide interested parties with information about controls that may
affect the processing of transactions, and to provide information about the operating effectiveness
of controls that were tested. This report, when combined with an understanding of the controls at
user clients, is intended to assist client auditors in planning the financial audit of clients, and in
assessing control risk for assertions in a client’s financial statements that may be affected by
controls at The Hartford’s Retirement Plans Group.
Ernst & Young LLP’s testing of the operating effectiveness of specific controls of the Retirement
Plans Group was restricted to the control objectives, and the related controls specified by the
Retirement Plans Group and supporting The Hartford functional areas in the matrix of controls
and testing in Section II. Testing was not extended to procedures in effect at clients of the
Retirement Plans Group, or other control procedures that may be described in Section II, but not
listed in the aforementioned matrix. It is the responsibility of the auditor for each client to
evaluate this information in relation to the internal controls in place at each customer. If certain
complementary controls are not in place at customer organizations, the Retirement Plans Group’s
controls may not compensate for such weaknesses.
Control Environment Elements
The control environment represents the collective affect of various elements in establishing,
enhancing or mitigating the effectiveness of specific controls described below. Ernst & Young
LLP’s procedures included tests of, or considered the relevant elements of the Retirement Plans
Group’s control environment, including:
•
•
•
•
•
•
The Retirement Plans Group’s organizational structure and approach to segregation of duties
The functioning of the Board of Directors and its committees, particularly the committees
which oversee the Retirement Plans Group’s trust activities
Management control methods
Personnel policies and practices
Internal audit
Regulation of the Retirement Plans Group by insurance and other authorities
Ernst & Young LLP’s tests of the control environment included the following procedures, to the
extent we considered necessary: (a) a review of the Retirement Plans Group’s organizational
structure, including the segregation of functional responsibilities, policy statements, accounting
and processing manuals, personnel policies and the Corporate Internal Audit policies, procedures
and reports, (b) discussions with management, operations, administrative and other personnel
who are responsible for developing, ensuring adherence to and applying controls, (c) observations
of personnel in the performance of their assigned duties and (d) a review of the Retirement Plans
46
Group’s actions taken in response to recommendations to improve controls made by the
Corporate Internal Audit, and regulators having supervisory oversight of The Retirement Plans
Group’s fiduciary activities.
The control environment was considered in determining the nature, timing and extent of the
testing of the operating effectiveness of the controls relevant to achievement of the control
objectives.
Tests of Operating Effectiveness Performed
Ernst & Young LLP’s tests of the operating effectiveness of controls included such tests as were
considered necessary in the circumstances to evaluate whether those controls, and the extent of
compliance with them, are sufficient to provide reasonable, but not absolute, assurance that the
specified control objectives were achieved during the period from January 1, 2007 to December
31, 2007. Ernst & Young LLP’s tests of the operating effectiveness of controls were designed to
cover the period January 1, 2007 to December 31, 2007, for each of the controls listed in the
control objectives matrix in Section II, which are designed to achieve the specified control
objectives. In selecting tests of the operating effectiveness of controls, the nature of the controls
being tested, the types and competence of available evidential matter and the control objectives to
be achieved were considered.
The matrices in Sections II A and B contain controls that are dependent on the Information
Technology Controls in Section II C. The results of our testing of those controls were considered
in the nature, timing and extent of our testing procedures outlined in Sections II A and B.
The tests of operating effectiveness, and results of those tests in Section II, are Ernst & Young
LLP’s responsibility and should be considered a part of Section III. Unless specifically noted by
the caption “Testing Result” in the column titled Ernst & Young LLP Tests, there were no
exceptions considered relevant to user auditors.
47
IV. Other Information Provided by the Retirement Plans Group of The Hartford
The Hartford’s service levels are tracked within each customer service team. Management
continually monitors service levels to ensure quality customer service.
Function
Service Standard*
Call Resolution
Communicate status same business day, resolve within
three business days.
Enrollments
Processed within two business days upon receipt of data.
PIN Numbers Issued
Processed same day; confirmation mailed by close of
next business day.
Change of Address
Processed by close of next business day.
Transfers Between Investment Options Processed same day if transfer request is received before
the close of the New York Stock Exchange (usually 4
p.m. EST).
Investment Election Change
Processed same day if transfer request is received before
the close of the New York Stock Exchange (usually 4
p.m. EST).
Contributions/Loan Payments
Processed same day if remittance is received before the
close of the New York Stock Exchange (usually 4 p.m.
EST).
Loans/Distributions
Processed, check mailed within three business days upon
receipt of data.
Participant VRU Confirmations
Mailed within 48 hours.
Participant Internet Confirmations
Mailed within 48 hours.
Plan Contribution Confirmations
Mailed within 24 hours.
Quarterly Participant Statements
Mailed to participants within ten business days after
each calendar quarter end. Available on the Internet
within seven business days.
*
Service standards apply to transactions received in “good order”
48