CheckPoint HR, LLC Edison, New Jersey Report on Controls Placed

CheckPoint HR, LLC
Edison, New Jersey
Report on Controls Placed in Operation and Tests of
Operating Effectiveness
For the Period
February 1, 2011, to October 31, 2011
CHECKPOINT HR, LLC
TABLE OF CONTENTS
Independent Service Auditor’s Report ........................................... 1
CheckPoint HR, LLC’s Assertion .................................................... 4
Description of CheckPoint HR, LLC’s System ............................... 6
Overview of Operations.................................................................................................................... 6
Background................................................................................................................................ 6
Overview of Services Provided.................................................................................................. 6
Scope of Report ......................................................................................................................... 6
Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls ......................................................................... 6
Control Environment .................................................................................................................. 6
Risk Assessment Process ......................................................................................................... 8
Information and Communication Systems ................................................................................. 8
Monitoring Controls ................................................................................................................. 10
Information Technology General Computer Controls .................................................................... 10
Payroll Processing Controls ........................................................................................................... 17
Subservice Organizations ........................................................................................................ 23
Complementary User Entity Controls ...................................................................................... 23
CheckPoint HR, LLC’s Control Objectives and Related Controls and McGladrey & Pullen, LLP’s Tests of Controls and Results of Tests ........................................................................................... 26
Control Environment, Risk Assessment and Monitoring ................................................................ 26
Computer Operations ..................................................................................................................... 28
Access Controls ............................................................................................................................. 31
System Development and Maintenance ........................................................................................ 35
Application Controls ....................................................................................................................... 36
Operational Controls ...................................................................................................................... 37
Other Information Provided by CheckPoint HR, LLC .................. 44
State of Massachusetts Data Protection Law (201 CMR 17.00) ................................................... 44
Business Continuity Planning ........................................................................................................ 44
Independent Service Auditor’s Report
CheckPoint HR, LLC
Edison, New Jersey
To the Management of CheckPoint HR, LLC
Scope
We have examined CheckPoint HR, LLC’s description of its payroll processing services for user entities’
transactions throughout the period February 1, 2011, to October 31, 2011 (“description”), and the
suitability of the design and operating effectiveness of controls to achieve the related control objectives
stated in the description. The description indicates that certain control objectives specified in the
description can be achieved only if complementary user entity controls contemplated in the design of
CheckPoint HR, LLC’s controls are suitably designed and operating effectively, along with related controls
at the service organization. We have not evaluated the suitability of the design or operating effectiveness
of such complementary user entity controls.
CheckPoint HR, LLC uses subservice providers for processing payroll taxes and for hosting the
production servers for the CheckPointHRMS application. CheckPoint HR, LLC uses Ceridian
Corporation and Empower Software Solutions, Inc. for the payment of payroll taxes on their clients’
behalf. CheckPoint HR, LLC also uses AT&T, Inc. to host the production servers for the
CheckPointHRMS application. The description indicates that certain control objectives specified in the
description can be achieved only if controls at the subservice organizations contemplated in the design of
CheckPoint HR, LLC’s controls are suitably designed and operating effectively, along with related controls
at the service organizations. We have not evaluated the suitability of the design or operating
effectiveness of such subservice organization controls.
Service Organization’s Responsibilities
In Section II of this report, CheckPoint HR, LLC has provided an assertion about the fairness of the
presentation of the description and suitability of the design and operating effectiveness of the controls to
achieve the related control objectives stated in the description. CheckPoint HR, LLC is responsible for
preparing the description and for the assertion, including the completeness, accuracy and method of
presentation of the description and the assertion, providing the services covered by the description,
specifying the control objectives and stating them in the description, identifying the risks that threaten the
achievement of the control objectives, selecting the criteria, and designing, implementing and
documenting controls to achieve the related control objectives stated in the description.
Service Auditors’ Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on
the suitability of the design and operating effectiveness of the controls to achieve the related control
objectives stated in the description, based on our examination. We conducted our examination in
accordance with attestation standards established by the American Institute of Certified Public
Accountants. Those standards require that we plan and perform our examination to obtain reasonable
assurance about whether, in all material respects, the description is fairly presented and the controls were
suitably designed and operating effectively to achieve the related control objectives stated in the
description throughout the period February 1, 2011, to October 31, 2011.
An examination of a description of a service organization’s system and the suitability of the design and
operating effectiveness of the service organization’s controls to achieve the related control objectives
stated in the description involves performing procedures to obtain evidence about the fairness of the
presentation of the description and the suitability of the design and operating effectiveness of those
controls to achieve the related control objectives stated in the description. Our procedures included
assessing the risks that the description is not fairly presented and that the controls were not suitably
designed or operating effectively to achieve the related control objectives stated in the description. Our
procedures also included testing the operating effectiveness of those controls that we consider necessary
to provide reasonable assurance that the related control objectives stated in the description were
achieved. An examination engagement of this type also includes evaluating the overall presentation of
the description and the suitability of the control objectives stated therein, and the suitability of the criteria
specified by the service organization and described in Section III of this report. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Inherent Limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct, all
errors or omissions in processing or reporting. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description, or conclusions about the suitability of the design or
operating effectiveness of the controls to achieve the related control objectives is subject to the risk that
controls at a service organization may become inadequate or fail.
Opinion
In our opinion, in all material respects, based on the criteria described in CheckPoint HR, LLC’s assertion
in Section II of this report:
a. The description fairly presents the payroll processing services that were designed and implemented
throughout the period February 1, 2011, to October 31, 2011.
b. The controls related to the control objectives stated in the description were suitably designed to
provide reasonable assurance that the control objectives would be achieved if the controls operated
effectively throughout the period February 1, 2011, to October 31, 2011, and user entities applied
the complementary user entity controls contemplated in the design of CheckPoint HR, LLC’s
controls throughout the period February 1, 2011, to October 31, 2011, and subservice organizations
applied the controls contemplated in the design of CheckPoint HR, LLC’s controls throughout the
period February 1, 2011, to October 31, 2011.
c. The controls tested, which, together with the complementary user entity controls referred to in the
scope paragraph of this report, and the subservice organization’s controls referred to in the scope
paragraph of this report, if operating effectively, were those necessary to provide reasonable
assurance that the control objectives stated in the description were achieved and operated
effectively throughout the period February 1, 2011, to October 31, 2011.
Description of Tests of Controls
The specific controls tested and the nature, timing and results of those tests are listed in Section IV of this
report.
CheckPoint HR, LLC has included information about its payroll processing services in Section V, Other
Information Provided by CheckPoint HR, LLC. This information has not been subjected to the procedures
applied in the examination of the payroll system, and accordingly, we express no opinion on it.
Restricted Use
This report, including the description of tests of controls and results thereof in Section IV of this report, is
intended solely for the information and use of CheckPoint HR, LLC, user entities of CheckPoint HR, LLC’s
CheckPointHRMS application during some or all of the period February 1, 2011, to October 31, 2011, and
the independent auditors of such user entities, who have a sufficient understanding to consider it, along
with other information, including information about controls implemented by user entities themselves,
when assessing the risks of material misstatements of user entities’ financial statements. This report is
not intended to be and should not be used by anyone other than these specified parties.
Schaumburg, Illinois
December 7, 2011
CHECKPOINT HR, LLC
INFORMATION PROVIDED BY CHECKPOINT HR, LLC
CheckPoint HR, LLC’s Assertion
We have prepared the description of CheckPoint HR, LLC’s payroll processing services for user entities
during some or all of the period February 1, 2011, to October 31, 2011, and their user auditors who have
a sufficient understanding to consider it, along with other information, including information about controls
implemented by user entities of the system themselves, when assessing the risks of material
misstatements of user entities’ financial statements. We confirm, to the best of our knowledge and belief,
that
a. The description fairly presents the payroll processing services made available to user entities of the
system during some or all of the period February 1, 2011, to October 31, 2011, for processing their
transactions. The criteria we used in making this assertion were that the description
i. presents how the system made available to user entities of the system was designed and
implemented to process relevant transactions, including
   1) The classes of transactions processed.
   2) The procedures, within both automated and manual systems, by which those
   transactions are initiated, authorized, recorded, processed, corrected, as necessary, and
   transferred to the reports presented to user entities of the system.
   3) The related accounting records, supporting information, and specific accounts that are
   used to initiate, authorize, record, process, and report transactions; this includes the
   correction of incorrect information and how information is transferred to the reports
   presented to user entities of the system.
   4) How the system captures and addresses significant events and conditions, other than
   transactions.
   5) The process used to prepare reports or other information provided to user entities of the
   system.
   6) Specified control objectives and controls designed to achieve those objectives.
   7) Other aspects of our control environment, risk assessment process, information and
   communication systems (including the related business processes), control activities, and
   monitoring controls that are relevant to processing and reporting transactions of user
   entities of the system.
ii. does not omit or distort information relevant to the scope of the payroll processing services,
while acknowledging that the description is prepared to meet the common needs of a broad
range of user entities of the system and the independent auditors of those user entities, and
may not, therefore, include every aspect of the payroll processing services that each individual
user entity of the system and its auditor may consider important in its own particular
environment.
b. The description includes relevant details of changes to the service organization’s system during the
period covered by the description when the description covers a period of time.
c. The controls related to the control objectives stated in the description were suitably designed and
operated effectively throughout the period February 1, 2011, to October 31, 2011, to achieve those
control objectives. The criteria we used in making this assertion were that
i. the risks that threaten the achievement of the control objectives stated in the description have
been identified by the service organization;
ii. the controls identified in the description would, if operating as described, provide reasonable
assurance that those risks would not prevent the control objectives stated in the description
from being achieved; and
iii. the controls were consistently applied as designed, including whether manual controls were
applied by individuals who have the appropriate competence and authority.
Description of CheckPoint HR, LLC’s System
Overview of Operations
Background
CheckPoint HR, located in Edison, New Jersey, is a limited liability company formed in 2001. This entity
is owned by a holding company, CheckPoint HR Holdings Corp. As an administrative services
organization (ASO), it provides a Web-based human resources (HR) management system (HRMS) called
CheckPoint Human Resources Management System (CheckPointHRMS), which offers a solution to
manage payroll and benefits administration, as well as other HR processes. CheckPoint HR also offers
insurance through CheckPoint HR Benefits Group, an affiliate of CheckPoint HR, which offers clients
benefits procurement backed by a sales team of licensed insurance brokers. CheckPoint HR employs
approximately 60 full-time employees.
Overview of Services Provided
As an ASO, the CheckPointHRMS technology platform offers a solution to manage payroll and benefits
administration, as well as other business-critical HR processes. CheckPoint HR’s centralized platform
presents customers with a solution that offers employees HR self-service capabilities. CheckPointHRMS
integrates aspects of HR, from recruitment, skills validation, background checks and training, to employee
termination processes, such as COBRA administration.
CheckPoint HR partners with CheckPoint HR Benefits Group. As a licensed insurance agency,
CheckPoint HR Benefits Group’s benefits procurement complements CheckPoint HR’s payroll and
benefits administration.
CheckPointHRMS offers a platform that integrates the services it provides onto one portal, giving
customers access to the CheckPoint HR website with no hyperlinking to other service providers or
additional costs. CheckPointHRMS is the gateway to payroll and HR services in a single interface.
CheckPointHRMS offers HR and payroll capabilities and utilizes role-based security, provides both
manager and employee self-service, and has imaging and storage capabilities.
Scope of Report
The scope of the report includes the CheckPointHRMS technology platform, including the processing of
employee payroll. Tax processing and data center hosting are not in scope for this report and are
performed by subservice organizations.
Relevant Aspects of the Control Environment, Risk Assessment Process,
Information and Communication Systems, and Monitoring Controls
Control Environment
Organization
The key individuals responsible for the daily operations of CheckPoint HR include:
Individual        Position
Tim Padva         President, Chief Operations Officer, Chief Executive Officer (CEO)
Neil Friedman     Chief Financial Officer (CFO)
Mike Gorker       Chief Technology Officer, Chief Security Officer
Douglas Booth     Vice President, Operations
Management meets regularly to review and approve strategic planning and policies, and to monitor
CheckPoint HR’s daily activity. Management plans and budgets on an annual basis.
The CheckPoint HR organization is categorized into the following functional departments:
- Operations
- HR
- Finance
- New business implementation
- Marketing
- Benefits operations
- Sales
- Corporate training
Administration
CheckPoint HR has a policy charter that defines the requirements for approval and enforcement of
entity-level policies and departmental procedures. Company policies are utilized by the organization to
communicate management’s decisions throughout the organization. Written procedures are used to
document the processes used by individual departments for day-to-day activities. Policies are maintained
in a change-controlled database.
Human Resources
CheckPoint HR believes that hiring the best-qualified individuals contributes to the overall strategic
success of CheckPoint HR. Employees are hired to make significant contributions to CheckPoint HR.
CheckPoint HR maintains personnel policies and procedures in the Employee Handbook. The handbook
is available to employees on CheckPoint HR’s intranet. CheckPoint HR has documented a code of
business ethics and conduct as part of the Employee Handbook. The Employee Handbook is approved
by management, and employees sign an acknowledgement of the policies when they are hired and when
the handbook is revised by management.
Current job descriptions exist that describe primary job functions and responsibilities. CheckPoint HR
attempts to attract and retain highly skilled business professionals specializing in the fields of finance,
business administration and information technology (IT). Employee job descriptions, which include a
position summary and describe major duties and responsibilities, are developed by the department
managers. CheckPoint HR performs employment screening and new employee orientation. New hire
orientation reviews company policies with the employee. Information security and client data
confidentiality are covered in the orientation training.
Reference and criminal background checks are performed on prospective employees prior to employment
for CheckPoint HR positions. A policy regarding confidentiality is included in the Employee Handbook.
Employees are cross-trained, where practical, to provide sufficient backup in the event of unexpected
illness, termination, resignation or promotion.
Employees are removed from their positions when terminated or discharged. Passwords, physical
access keys and electronic access devices are obtained from terminated employees. An employee
profile sheet is given to information systems upon termination.
CheckPoint HR has developed a Use of Technology Policy, which communicates to employees their
responsibilities for maintaining the security of confidential information and customer data. Employees are
required to sign the policy when they are hired and on an annual basis thereafter.
Risk Assessment Process
The principal partners of CheckPoint HR assess the business risks facing the organization on a
continuous basis. Regular meetings are held to informally assess risks and to develop business
strategies to mitigate risks faced by the organization.
Information and Communication Systems
CheckPoint HR provides companies with cost-effective HR outsourcing and payroll outsourcing solutions
to help them better manage their human capital. The centerpiece of this system is CheckPointHRMS,
based on Ultimate Software, Inc.’s UltiPro software, which is an application service provider/SQL
server-based system. CheckPoint HR extends the functionality by hosting the application and processing
payroll and HR data entered into the system by clients.
The following diagram depicts a summary of the flow of transactions:
Monitoring Controls
Management Monitoring
Senior management meets regularly with the employees of the CheckPoint HR business units to assess
the performance of the organization and to monitor the general activities of the departments. The
financial statements are prepared by the controller and reviewed by the CFO. Journal entries and
maintenance of the financials are executed by the finance department and activity is reviewed regularly
by the controller and CFO. Monthly reports are prepared and the reports are reviewed by the board of
directors six times per year (i.e., every two months).
Client Monitoring
CheckPoint HR has a client advisory board that consists of client representatives, selected annually, to
provide feedback and guidance on how CheckPoint HR can better serve their clients’ interests and take
an active role in the future development of the CheckPointHRMS application and the services provided by
CheckPoint HR. The advisory board meets annually in the fall at CheckPoint HR’s headquarters in
Edison. An annual survey is presented to the members of the client advisory board, and the results are
published to assist in determining new services and application functionality.
Service Provider Oversight
CheckPoint HR has a Vendor Management Policy and a Vendor Management Program in place. The
CFO reviews third-party relationships annually and obtains service auditor reports from critical service
providers.
External Audit
CheckPoint HR undergoes an annual financial statement audit by a public accounting firm.
Information Technology General Computer Controls
Computer Operations
The IT department’s operational tasks are performed during normal business hours, Monday through
Friday, from 9:00 a.m. to 5:30 p.m. Members of the IT department are responsible for the completion of
nightly processing and preparation of backup tapes for off-site storage. Environmental controls have
been implemented at the Edison offices and computer room to protect CheckPoint HR’s computer
systems and data.
Problem Management
CheckPoint HR has put problem management processes in place to escalate repeat or high-severity
incidents to the attention of management. CheckPoint HR uses the Epicor Information Technology
Service Management (Clientele) tool to track incoming client-reported and internally reported incidents.
Clients may report technical problems by contacting the customer service department. The customer
service department will complete an incident report and will escalate the issue to the IT department if
necessary. The customer service department phones are answered from 8:00 a.m. to 6:00 p.m., Monday
through Friday. The IT department also maintains an on-call list with mobile phone numbers (available on
the Company’s intranet) in the event that an issue needs to be escalated after hours.
Recurring incidents or incidents that have an impact on the hosted CheckPointHRMS application are
escalated and a Problem Report is completed. The IT department is responsible for Problem Reports.
The chief information officer (CIO) reviews Problem Reports on a weekly basis. A biweekly meeting is
held with the IT department to review closed problems that have occurred since the last meeting.
System Monitoring
CheckPoint HR uses several tools to monitor the network components, operating systems and
applications that make up CheckPointHRMS. Custom scripts and reports are used to measure the
processing time for the CheckPointHRMS application on a weekly basis and to track metrics of system
performance on an ongoing basis. The IPSwitch application is used to monitor internal systems, and the
SiteScope service is used for monitoring systems from the Internet. Monitoring applications are
configured to automatically notify the IT department via email of technical failures detected by the
systems. WhatsUp Gold is also used to monitor general network connectivity to servers and network
infrastructure components. A member of the IT department remains on-call after hours to respond to
alarms received after business hours.
Operations Schedules
CheckPoint HR utilizes scheduled process checklists to control daily operational procedures performed
by the IT department. Normal periodic operations (such as system backups, periodic backup testing,
manual system log monitoring and antivirus updates) are scheduled through the use of the process
checklists. Management monitors the successful completion of computer operations tasks on a weekly
basis and keeps ongoing metrics on internal operations and system uptime.
Operations Documentation
Written operating instructions are prepared and used for major applications processed. These
instructions cover normal operations, error message response actions and restart/recovery instructions.
An operations manual provides instructions for the processing of systems and processes, including run
instructions and error response procedures.
Data Backup
CheckPoint HR has a management-approved policy that governs the backup of production data and the
rotation of media off-site for storage. Data from the AT&T-hosted data center is backed up on a daily
basis. Data from the Edison computer room is stored on a disk drive and is backed up to tape on a
weekly basis. On the weekend, two full backups are run. One is retained locally for quick recovery, and
one is rotated to off-site storage. Every morning, the IT department verifies that backup jobs were
completed successfully.
A log is retained for tape drives, indicating job detail, success or failure, time taken to complete the
backup, amount of data backed up, etc. A tape inventory is maintained to show the age and current
location of backup tapes.
Daily backups are stored locally and are not rotated off-site. Backup tapes are stored inside the Edison
computer room and inside the locked cage at the AT&T hosted data center. Weekly backup tapes are
rotated to off-site storage. The off-site storage location is located in a bank vault. Access to backup
tapes is restricted to personnel who have access to the computer room.
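The morning backup verification described above is a routine check that lends itself to automation: parse the tape job log, confirm that every expected job appears, and flag any job that failed or wrote nothing. The script below is an added example and is not CheckPoint HR’s tooling; the log format, the job names and the sample log lines are constructed for illustration, so the pattern must be adapted to whatever the backup software actually writes.

```powershell
# Added example (not CheckPoint HR's tooling): morning check of a backup job log.
# The log format, job names and lines below are constructed for illustration.

$SampleLog = @'
2011-10-28 01:05:12 JOB=EDISON-WEEKLY-FULL STATUS=SUCCESS DURATION=02:41:10 BYTES=412000000000
2011-10-28 02:15:03 JOB=DATACENTER-DAILY STATUS=FAILED DURATION=00:03:55 BYTES=0 ERROR="media not found"
2011-10-28 03:30:44 JOB=FINANCE-DB-DAILY STATUS=SUCCESS DURATION=00:22:08 BYTES=9800000000
'@

# Jobs that must appear in every morning's log (constructed names).
# A job that never ran is treated as seriously as one that failed.
$ExpectedJobs = @('EDISON-WEEKLY-FULL', 'DATACENTER-DAILY', 'FINANCE-DB-DAILY', 'PAYROLL-FILES-DAILY')

function Get-BackupJobStatus {
    # Parse one log entry per line into an object; lines that do not match are ignored.
    param([string]$LogText)
    $pattern = '^(?<ts>\S+ \S+) JOB=(?<job>\S+) STATUS=(?<status>\S+) DURATION=(?<dur>\S+) BYTES=(?<bytes>\d+)'
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Timestamp = $Matches.ts
                Job       = $Matches.job
                Status    = $Matches.status
                Duration  = $Matches.dur
                Bytes     = [int64]$Matches.bytes
            }
        }
    }
}

function Test-BackupLog {
    # Return one finding string per problem; an empty result means all jobs passed.
    param([string]$LogText, [string[]]$Expected)
    $jobs = @(Get-BackupJobStatus -LogText $LogText)
    $findings = @()
    foreach ($name in $Expected) {
        $entry = $jobs | Where-Object { $_.Job -eq $name }
        if (-not $entry) {
            $findings += "MISSING: $name did not run"
        } elseif ($entry.Status -ne 'SUCCESS') {
            $findings += "FAILED: $name reported $($entry.Status)"
        } elseif ($entry.Bytes -eq 0) {
            # A "successful" job that wrote nothing is usually a misconfigured source path.
            $findings += "EMPTY: $name succeeded but wrote 0 bytes"
        }
    }
    return $findings
}

$findings = Test-BackupLog -LogText $SampleLog -Expected $ExpectedJobs
if ($findings.Count -eq 0) {
    Write-Output "All expected backup jobs completed successfully."
} else {
    $findings | ForEach-Object { Write-Output $_ }
    # A non-zero exit code lets a scheduler or monitoring tool raise an alert.
    exit 1
}
```

Run against the constructed log, the script reports the failed DATACENTER-DAILY job and the missing PAYROLL-FILES-DAILY job and exits non-zero. Checking for absent jobs, not just failed ones, is the part that a manual glance at a log most often misses.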
Environmental Controls
CheckPoint HR’s primary systems (including the Web servers and the CheckPointHRMS application
servers) are hosted by AT&T. CheckPoint HR’s Edison offices house backup data and internal financial
processing systems for the application. The Edison facility has environmental controls in place to protect
the computer room and the check processing room. A dry chemical fire extinguisher is present in the
computer room and the check processing room. Servers are connected to a local uninterruptible power
supply system, and the facility has smoke detectors throughout the building, which are monitored by the
building’s facilities management department.
Access Controls
A security administrator has been designated to administer security, verify compliance with established
security standards and routinely review Security Violation Reports. The CIO acts as CheckPoint HR’s
security officer and oversees the activity of the security administrator.
CheckPoint HR’s primary method of controlling user access is through Active Directory group policies.
Access to databases and programs used in the processing of the CheckPointHRMS application are
controlled through Active Directory group policies and security groups. The security administrator sets up
user profiles for employees. Network administrators are responsible for setting up access to the network
and applications for employees.
Access Authorization
Employees are granted access to computer systems and data in accordance with management’s specific
authorization. The security administrator is responsible for validating that the user profiles for terminated
employees are disabled in a timely manner. CheckPoint HR employees are promptly removed from the
systems upon notice of a termination. The HR department initiates the termination process for
employees. HR will coordinate with the manager who reports an employee transition and determine
when their access will be removed (in the event of a termination or abrupt resignation, access is
terminated upon notification).
The IT department receives the Termination Form, and the system accounts are removed or scheduled
for removal. These forms are also reviewed by the CIO and retained indefinitely.
CheckPoint HR documents management’s authorization for access to systems through the use of an
Access Request Form. This form is created by the HR department when an employee starts with the
Company. The IT department is responsible for creating new employees’ accounts. Employees are
assigned to an appropriate Active Directory group based on their role at the organization. Once the IT
department has set up the new user, the Access Request Form is sent to the CIO for review and is
retained indefinitely.
Administrative and superuser access to computer systems and data is appropriately restricted to
authorized personnel. Administrative rights are restricted to IT department personnel for network devices,
operating systems and databases. Customer service department personnel have the ability to administer
client accounts to provide support for CheckPoint HR’s clients.
CheckPointHRMS
The core of CheckPointHRMS is Ultimate Software, Inc.’s UltiPro system, run in a unique, hosted
environment, licensed by Ultimate Software, Inc. Access to CheckPointHRMS is controlled through a
role-based security system within the UltiPro application. The Web-based version of the application
commonly used by clients is through an independent security module (also part of the UltiPro package).
Access to the Citrix version of the application (primarily used by CheckPoint HR employees and a small
group of clients) is through Active Directory authentication.
Web-Based Access Control
Web-based access is controlled within the UltiPro application. CheckPoint HR initially sets up an
administrative user account for clients. After the initial setup, clients have the ability to do their own
maintenance on the users who access their database.
The Oasis system is an internal support system and reference database that has the ability to run reports
on data replicated from UltiPro and is used in the back-end processing of payroll files and customer
support. Access to Oasis is controlled through Active Directory authentication.
Page 12
CHECKPOINT HR, LLC
INFORMATION PROVIDED BY CHECKPOINT HR, LLC
CheckPoint HR Traffic Automation System Access
CheckPoint HR Traffic Automation System (CTAS) is a production control system used for batch-printing payroll checks and pay stubs. CTAS authentication is managed through Active Directory and
through Windows folder permissions. In addition, there are two levels of security within the application
that separate some of the duties that may be performed through the system.
Operating System Access
Active Directory is used for access control to the back-office pieces of CheckPointHRMS (including Oasis
and CTAS) and for accessing the Citrix version of the UltiPro system. Users have a unique Active
Directory account and are assigned to a specific security group. This group determines the level of
operating system access and also determines which applications an individual will be able to access
(UltiPro, CTAS, Oasis, Microsoft Dynamics and other internal applications). Access to Active Directory
and to UltiPro is controlled through the use of password authentication. The global password policy in
Active Directory is set as follows:
- A minimum length of eight characters is required.
- Password changes are forced by the system every 90 days.
- Complex passwords are required.
- A password history of 10 iterations is retained to prevent the reuse of passwords.
- User accounts are locked out of the system after five invalid login attempts.
System Logs and Log Reviews
CheckPoint HR is currently logging database access and monitoring the logs for unusual activity. Logs
from the Active Directory domain controller, the SQL servers for UltiPro and other critical servers are
collected and stored by the GFI Event Manager system. Logs are retained for at least 180 days. The
system is also used to automatically notify the IT department of certain types of security-related events.
The CheckPointHRMS application also has the ability to log user activity.
The CIO reviews a list of individuals and clients who accessed the UltiPro application directly (through the
locally installed application client or Citrix) on a weekly basis. The review is documented on the Weekly
Security Checklist.
Access Rights Reviews
CheckPoint HR performs systems access reviews semiannually. Active Directory access and the UltiPro
SQL database access rights are reviewed. A Security Review Worksheet is used to track changes that
are made or issues identified during the review. Microsoft SharePoint is being used for a policy library
and also stores completed Security Review Worksheets.
Database Administration
Database systems are secured from unauthorized access through the use of authentication mechanisms.
Application accounts for database access use 12-character complex passwords. Database
administrative passwords are maintained by the CIO and security administrator. Developers and other IT
department personnel may automatically request read-only access (which is logged). Write access to the
database for other personnel is restricted and is permitted when required by a scheduled or emergency
change. Write access to databases is enabled by the CIO or security administrator.
Remote Access
Remote access is given to employees through Citrix. Dial-up access is not available. Citrix sessions are
encrypted. A Web interface is used to log into Citrix. The Web interface utilizes Active Directory
password parameters. No other remote access is available.
Offline Programs and Data
Backup tapes stored in Edison are protected by the magnetic lock that controls access to the computer
room. Tape rotations are handled by CheckPoint HR employees.
Network Infrastructure
CheckPoint HR has implemented security features on network infrastructure devices, including routers,
switches and firewalls, to verify that only authorized personnel are able to access the devices. Access to
network infrastructure systems is restricted to members of the IT department. Routers, switches and
firewalls are kept up to date with the latest vendor releases. Network systems logs are retained on a
syslog server and the logs are reviewed daily by the IT department.
Firewalls and Intrusion Prevention Systems
CheckPoint HR has implemented firewalls to separate their systems from publicly accessible networks.
Firewalls are in place at the Edison computer room and hosted data center to control access to computer
systems at these locations. The firewalls have intrusion prevention systems enabled to reduce the risk of
attacks on hosted systems from the Internet.
Internal Vulnerability Assessment
CheckPoint HR’s systems engineers perform regular scans of the internal network to verify that systems
are appropriately secured and have the latest security patches installed. The results of the testing are
reviewed by the CIO and necessary fixes are documented and implemented as soon as possible.
External Vulnerability Assessment
CheckPoint HR has a third party perform quarterly external vulnerability assessments to confirm that
external-facing computer systems and network components are appropriately secured and have the latest
security patches installed. External vulnerability assessments are also run after changes affecting the
configuration of Internet-facing systems or the network infrastructure. The results of testing are reviewed
by the CIO and security administrator; required changes are applied and then the test is rerun.
Data Transmissions and Secure E-Mail
Access to CheckPointHRMS is allowed over an encrypted connection, Hypertext Transfer Protocol
Secure (HTTPS) or an encrypted Citrix session. A secure mail portal hosted by Postini is available for
employees to encrypt emails. Employees are required to use encryption whenever personally identifiable
information or other confidential information is transmitted over untrusted networks.
Physical Security
CheckPoint HR occupies a multistory building in Edison. Physical access to the facility and computer
room is controlled through the use of a magnetic card-key entry system. Card readers are installed at the
main entrance, employee entrances, the computer room and the rear exterior door. The facility has three
exterior doors. The main door is locked throughout the day and after hours.
Visitors are required to sign a visitor log located at the main desk of the reception area.
Individuals are given a separate card-key to access the magnetically locked doors within CheckPoint HR.
Other personnel are escorted throughout restricted areas of the facility and sign in and out on a visitor
log. The keys and card-keys to CheckPoint HR’s facilities are retrieved from terminated employees prior
to their departure. The CIO reviews physical access on a weekly basis and logs off-hours access to the
premises.
Information Disposal
Shredders are placed throughout the facility, and paper documents and computer media containing
confidential information or customer data are shredded and disposed of by a third-party service provider.
The shred bins are kept locked and are opened by the service provider for disposal.
Systems Development and Maintenance
Programming resources are used for evaluating existing software or modifying and enhancing existing
systems. The core of CheckPointHRMS, UltiPro, is not developed or modified by CheckPoint HR; it is a
purchased application. The back-office processing features of CheckPointHRMS were developed
in-house, but no new systems were developed during the opinion period. CheckPoint HR has change
management policies and procedures in place to govern changes to applications and infrastructure
systems. There are also acquisition procedures to govern the process for introducing new systems into
CheckPoint HR’s infrastructure.
CheckPoint HR uses standard operating software without modification. The programming staff at
CheckPoint HR does not modify operating software, but IT support analysts apply new releases and fixes
to the operating system as they become available and are needed.
The core application software of CheckPointHRMS (UltiPro) is not modified by CheckPoint HR. The IT
department applies new releases and fixes to the application as they become available and are needed.
CheckPoint HR develops applications that interface with UltiPro. These applications are developed
in-house, and releases are controlled. Releases are tested and approved by management prior to
implementation.
CheckPoint HR has procedures in place defining the requirements for change control that document new
systems requests, require approval by an authorized user and are reviewed by programming
management and prioritized by a management committee.
Project Management
CheckPoint HR uses a Project Request Form for programming changes requiring more than four hours of
developer time. Project requests are reviewed by the CIO, and, if approved, a Clientele Request for
Change (RFC) is completed to document the specific actions required for the project.
Program Change Management
The Clientele system is used to track the IT project that is approved for development. Changes requiring
less than four hours of labor are entered directly into Clientele. After program changes are tested, the
CIO documents his approval in the Clientele system. The Clientele RFC form documents the following:
- Date opened
- Date closed
- Approver
- Owner/implementer
Infrastructure Change Management
Changes to the network infrastructure or operating systems are also tracked using an RFC form and a
Microsoft SharePoint workflow system. These changes do not necessarily have an initiator on the
business side, but they are approved by the security administrator or CIO prior to implementation. If
impact to the application functionality is possible, clients will be notified of the activity.
Emergency Changes
When an emergency change is required, it may be executed without the completion of an RFC form. The
documentation will be completed after the change is completed. A verbal approval is required from the
CIO before the emergency change is performed by the IT department staff. An incident report in Clientele
may also be completed if a production issue was the reason for the performance of the emergency
change.
Source and Object Code
A dedicated development environment is used for development activities. There is also a test
environment for the quality assurance (QA) process and CheckPoint HR’s production environment. Once
the testing is completed, the change is approved and a deployment is scheduled, a separate team within
the IT department is responsible for moving source code from the test environment to the production
environment.
Program Testing
Program changes are tested prior to the deployment to production. Testing is executed by the developer
and the initiator of the change. CheckPoint HR does not have a dedicated QA team. A test script is
developed based on the program change request. The programmer performs unit testing. The next level
of testing is user acceptance testing. Changes are implemented after testing activities are completed.
Controls Over Production Programs
The IT department moves new and revised program modules to the production libraries when authorized.
Once testing is completed and the requestor has signed off on the change, the IT department moves the
modified program(s) to the production libraries. Notifications of changes are conveyed to clients when the
change could potentially impact the clients.
Documentation
CheckPoint HR does not produce or maintain hardware or operating system documentation. Standard
documentation related to hardware and operating systems is prepared by the vendors of the systems or
equipment and maintained by CheckPoint HR for reference purposes. Internal technical documentation
is prepared for the support of CheckPointHRMS and is available to authorized personnel.
Risk Ratings
A risk assessment is performed for proposed changes. The risk assessment is performed through
discussion at the change control meeting, where the IT department and management discuss the
potential impact of proposed changes. The conclusion is documented on the RFC form. The risk
assessment is used to determine what degree of testing and postimplementation review is required for
changes.
Payroll Processing Controls
Application Controls
Payroll information is received by CheckPoint HR directly from clients through CheckPointHRMS. Clients
use a Web browser to access CheckPointHRMS over HTTPS and log in using a user ID and password.
The system locks users out after six invalid access attempts. Users are also
required to change their passwords upon their first login to the system. Payroll submissions and other
input also use HTTPS throughout the duration of the session. Input to the CheckPointHRMS payroll
consists of payroll data pertaining to an employee’s hours or earnings for the current period and master
file maintenance, including input related to new hires, updates to existing employees’ data or changes to
the Company’s master data.
Authorized client users can upload timesheets and make changes to the employee master file. Access to
CheckPointHRMS is controlled by a role-based security system. Security access levels are set up within
CheckPointHRMS using predefined security classes for different job functions. Configurations of job
functions for client users are provided to CheckPoint HR by clients in the initial implementation process.
The security function setup is available for CheckPoint HR clients to review before their first payroll cycle.
Individual user accounts are set up for client users according to client requests. Client users are
assigned a unique user ID, password and rule set that governs access to the different facets of the
CheckPointHRMS payroll system. User IDs with appropriate security access levels can upload
timesheets, change employee master files and process payroll transactions within their access limit.
Authorized client users download the payroll timesheet template from CheckPointHRMS, input
employees’ hours or earnings for the current period and upload the payroll timesheets for processing.
The files uploaded and downloaded in the input process are encrypted for additional security.
The ability to make changes to the employee master file through the Web interface is controlled by the
role-based security system in CheckPointHRMS. Clients can communicate changes in their employee
master file to CheckPoint HR customer service representatives over the phone or via emails. CheckPoint
HR customer service representatives verify the identity of the caller and authenticate them against the list
of authorized contacts maintained in the Oasis/Clientele systems. Change requests from authorized
clients are input into the CheckPointHRMS payroll system. A client can review those changes made in
the CheckPointHRMS payroll system, and it is the client’s responsibility to review changes in personnel
made by CheckPoint HR and report errors.
Changes to client employee payroll deductions are applied through the CheckPointHRMS Web interface
by authorized client contacts. The ability to make changes in client employee payroll deductions is
controlled by the role-based security system in CheckPointHRMS according to user roles defined by the
clients.
Payroll Processing Controls
CheckPointHRMS is designed to process payroll-related transactions and to generate output that is used
to produce employees’ paychecks, direct deposits, client invoices and related payroll reports.
Payroll processing activities include:
- Processing payroll transactions, including payroll deductions and payroll tax
- Monitoring of customer payroll transactions
- Generating client invoices and transferring funds between client accounts, CheckPoint HR and the payroll tax third-party service provider
Client Management
Written procedures are in place for the setup and implementation of new clients and the maintenance and
servicing of existing clients. New client setups are tracked and managed using the new client analysis
spreadsheet.
The CheckPoint HR New Business Development (NBD) Team obtains relevant client employee deduction
information from CheckPoint HR’s clients and sets up the clients on CheckPointHRMS. Clients are
responsible for reviewing the deduction setups in CheckPointHRMS for accuracy and completeness.
CheckPoint HR client service representatives also process requests to add, modify or delete
client-specified deductions when communicated by authorized client contacts. Authorized client contacts
are recorded in CheckPoint HR’s internal Customer Relationship Management (CRM) database
according to client specifications in the implementation phase. CheckPoint HR customer service checks
the caller against a list of authorized contacts in the CRM system for changes to client employee payroll
deductions made via telephone. It is CheckPoint HR’s clients’ responsibility to review the Master Control
Report and Personnel Change Report, which are distributed upon payroll processing, to determine
whether deduction information is complete and accurate and to notify CheckPoint HR when there is a
change.
Before a payroll transaction is committed to CheckPointHRMS, the system runs a Precheck Report. This
process calculates gross pay and net pay based on client-defined deductions, showing what the entire
check run will look like before the records are committed. It is the responsibility of CheckPoint HR’s
clients to have proper controls for reviewing the Precheck Report and confirm the completeness and
accuracy of client-specified deductions before committing the payroll transaction.
Payroll Tax Processing
The CheckPoint HR NBD Team obtains relevant tax information from clients and sets the clients up on
the system and CheckPointHRMS. Setup is reviewed by the NBD Team, and the client’s existing payroll
output is compared with the output from CheckPointHRMS. The NBD Team also reviews and observes
the first month of processing to verify that the setup is complete and accurate.
After the client setup process is complete, the client receives a company Tax Verification Report from
CheckPoint HR, reviews the data and reports discrepancies; thereafter the client is responsible for
authorizing the data contained in subsequent pay cycles.
Changes to existing client tax setups are initiated through a phone call to CheckPoint HR’s customer
service. A change to a client's tax code in CheckPointHRMS made by a customer service
representative triggers a notification to CheckPoint HR's finance department to review the change. A
weekly review is performed to compare client tax code changes initiated by clients and client account
changes in the tax system to verify the accuracy and completeness of client tax code changes.
Tax Processing
Once a client approves payroll records and commits those records, the system generates an invoice that
creates the tax liability for the client’s current pay period. Once the tax application confirms the presence
of an invoice/liability, a tax transmission file is generated and made available to the tax operator. The tax
operator then utilizes the CheckPoint HR tax console to identify the files that need to be transmitted from
CheckPointHRMS. The listing from the application is reconciled to the report of expected payrolls;
variances are reviewed.
Tax Reconciliation
CheckPoint HR’s accounting staff finalizes the control by analyzing the general ledger. CheckPoint HR
maintains a tax clearing account in its general ledger and reconciles tax drafts with tax billings to its
clients on a daily basis. Variances are investigated and documented. At the end of the calendar quarter,
CheckPoint HR’s tax staff generates a Quarterly Tax Balance Report for clients and sends the reports to
the clients for their review. Tax updates are regularly applied to the payroll system. These updates are
applied as part of the regular major/minor releases for the system.
Calculation of Customer Invoices
CheckPointHRMS calculates the invoice and produces direct deposit files and transmits the direct deposit
information directly to ACH through CheckPoint HR’s National Automated Clearing House Association
(NACHA) interface application.
When a client submits a payroll transaction, the application creates a payroll invoice for the customer’s
submission and populates the records into the invoice table of the Oasis database. The calculation of
invoices is performed by a stored procedure according to predefined rules. The invoices include the
client’s payroll tax liability, direct deposits (which are paid through CheckPoint HR’s cash management
account), fees and other applicable charges. Invoices may also include the following: delivery, insurance
premiums, 401(k) deductions, workers’ compensation premiums and garnishments.
Clients agree to pay items on the CheckPoint HR invoice each pay period. Invoices are available in
CheckPointHRMS to clients a few minutes after their payroll transactions are submitted. The invoice
shows the detail on net pay, tax, deduction and fees. Customers can verify the amount of the invoice and
report discrepancies to CheckPoint HR.
Reconciliation of Invoices and Funds Transfers
CheckPoint HR’s billing console generates the ACH file at night from invoices generated during the day.
The treasury operator batches the ACH files for customer invoices and uploads them to the bank on their
secure website via the NACHA console.
In the morning, the bank provides online CheckPoint HR Bank Treasury Reports that detail the nightly
processing results of the ACH files uploaded by CheckPoint HR during the previous day.
Every morning, the CheckPoint HR finance department imports ACH files generated during the nightly job
into Dynamics (CheckPoint HR’s financial reporting system). The CheckPoint HR finance department
also imports invoices from the previous day into Dynamics. The invoice application automatically
reconciles the UltiPro database figures generated by the client with the invoice prepared by CheckPoint
HR. Any mismatches in the files generate an automated alert.
The CheckPoint HR finance group performs a three-way reconciliation among the customer invoices, the
ACH Files Reports and the Bank Treasury Reports to verify completeness and accuracy of client billing,
as follows:
- The CheckPoint HR finance group performs a daily reconciliation of Invoice Reports (invoices generated during the previous day) and ACH File Reports in Dynamics to verify that the correct ACH files are generated completely and accurately based on customer invoices from the previous day.
- The CheckPoint HR finance group also performs a daily reconciliation of ACH reports and the Bank Treasury Report on the processing of ACH files from the previous day to verify that the bank has processed the previous day's ACH transactions completely and accurately.
Direct Deposit
During payroll processing, the direct deposit payment information for the clients using the regular direct
deposit service is written to a database in CheckPointHRMS and stored for transmission to the
appropriate recipient. Regular direct deposit information is transmitted primarily to banks using
CheckPoint HR’s NACHA interface system.
Once a client approves payroll records and posts those records, the system generates an invoice that
creates the direct deposit liability for the client’s current pay period. Once the direct deposit application
confirms the presence of an invoice/liability, the NACHA interface generates a NACHA file and makes it
available to the treasury operator.
CheckPoint HR treasury staff utilize the direct deposit application to identify the NACHA files that need to
be transmitted to the bank. Based on the pay date, the treasury operator batches the NACHA files and
uploads them to the bank via their secure website.
The treasury operator prints the Files Sent Report from the direct deposit application that details the
individual files that have been transmitted to the bank, the amount of direct deposits to be paid and pay
by date and client.
Once the bank ACH validator verifies that the files are properly formatted, the NACHA file is batched and
a Batch Summary Report is available to the treasury operator. The treasury operator reconciles the Bank
Batch Summary Report to the Files Sent Report, and differences are investigated and documented. The
reconciliation is signed off on by the treasury operator and submitted to the CFO for approval. The CFO
verifies the totals and then signs off on the report, giving the treasury operator authorization to release the
batches from the bank’s website for processing.
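The two reconciliations the report describes (customer invoices against the ACH File Report and the Bank Treasury Report in the Reconciliation of Invoices and Funds Transfers section, and the Files Sent Report against the bank's Batch Summary Report here) are both matches of per-client, per-pay-date totals in which every difference becomes an exception to investigate. The Python below is an added example of that control logic written for this page; it is not CheckPoint HR's code, and the report layouts, field names (`client`, `pay_date`, `amount`, `status`) and every sample row are constructed for illustration.

```python
# Added example: per-client, per-pay-date reconciliation of the kind the
# report describes. Not CheckPoint HR code; report layouts, field names and
# every sample row below are constructed for illustration.
from collections import defaultdict
from decimal import Decimal

# Constructed sample reports (one dict per report line).
INVOICES = [
    {"id": "INV-1001", "client": "ACME", "pay_date": "2011-10-14", "amount": "12500.00"},
    {"id": "INV-1002", "client": "ACME", "pay_date": "2011-10-14", "amount": "300.00"},
    {"id": "INV-1003", "client": "BETA", "pay_date": "2011-10-14", "amount": "8400.00"},
    {"id": "INV-1004", "client": "GAMMA", "pay_date": "2011-10-17", "amount": "5000.00"},
]
ACH_FILE_REPORT = [
    {"id": "ACH-501", "client": "ACME", "pay_date": "2011-10-14", "amount": "12800.00"},
    {"id": "ACH-502", "client": "BETA", "pay_date": "2011-10-14", "amount": "8040.00"},  # transposed digits
    # no file for GAMMA: the nightly job dropped it
]
BANK_TREASURY_REPORT = [
    {"id": "ACH-501", "client": "ACME", "pay_date": "2011-10-14", "amount": "12800.00", "status": "PROCESSED"},
    {"id": "ACH-502", "client": "BETA", "pay_date": "2011-10-14", "amount": "8040.00", "status": "PROCESSED"},
    {"id": "ACH-777", "client": "DELTA", "pay_date": "2011-10-14", "amount": "1000.00", "status": "PROCESSED"},
]
# Direct deposit side: what the treasury operator sent vs. what the bank batched.
FILES_SENT_REPORT = [
    {"id": "DD-301", "client": "ACME", "pay_date": "2011-10-14", "amount": "11900.00"},
    {"id": "DD-302", "client": "BETA", "pay_date": "2011-10-14", "amount": "7600.00"},
]
BANK_BATCH_SUMMARY = [
    {"id": "DD-301", "client": "ACME", "pay_date": "2011-10-14", "amount": "11900.00", "status": "PROCESSED"},
    {"id": "DD-302", "client": "BETA", "pay_date": "2011-10-14", "amount": "7600.00", "status": "PROCESSED"},
]


def totals(rows, only_status=None):
    """Sum amounts per (client, pay_date). Decimal, never float, for money."""
    out = defaultdict(Decimal)
    for row in rows:
        # A bank line that is not PROCESSED (rejected, pending) must not count
        # as settled, so it is excluded from the bank-side total.
        if only_status is not None and row.get("status") != only_status:
            continue
        out[(row["client"], row["pay_date"])] += Decimal(row["amount"])
    return dict(out)


def reconcile(left, right):
    """Compare two per-key total maps. Every difference is an exception to
    investigate: a key present on only one side as well as an amount mismatch."""
    issues = []
    for key in sorted(set(left) | set(right)):
        l, r = left.get(key), right.get(key)
        if l is None:
            issues.append({"key": key, "kind": "missing_left", "left": None, "right": r})
        elif r is None:
            issues.append({"key": key, "kind": "missing_right", "left": l, "right": None})
        elif l != r:
            issues.append({"key": key, "kind": "amount_mismatch", "left": l, "right": r})
    return issues


def three_way(invoices, ach_report, bank_report):
    """Invoices -> ACH files -> bank processing, checked leg by leg."""
    inv, ach = totals(invoices), totals(ach_report)
    bank = totals(bank_report, only_status="PROCESSED")
    return {"invoice_vs_ach": reconcile(inv, ach), "ach_vs_bank": reconcile(ach, bank)}


def may_release(files_sent, batch_summary):
    """Direct deposit gate: batches are released only when the Files Sent
    Report and the bank Batch Summary Report agree on every client/pay date."""
    return reconcile(totals(files_sent), totals(batch_summary, only_status="PROCESSED")) == []


if __name__ == "__main__":
    for leg, issues in three_way(INVOICES, ACH_FILE_REPORT, BANK_TREASURY_REPORT).items():
        print(leg, "clean" if not issues else f"{len(issues)} exception(s)")
        for i in issues:
            print("   ", i["kind"], i["key"], i["left"], i["right"])
    print("release direct deposit batches:", may_release(FILES_SENT_REPORT, BANK_BATCH_SUMMARY))
```

Two design points matter for a control like this. Totals are compared as exact decimals, so a transposed-digit file (BETA above) is caught rather than absorbed by float rounding, and a key that exists on only one side is reported as its own exception kind: a file the bank processed that was never generated (DELTA) is at least as serious as an amount mismatch. The release gate returns a boolean only when the exception list is empty, which mirrors the report's sequence of operator reconciliation and CFO sign-off before batches are released.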
Payroll Reports
Upon completion of payroll, CheckPoint HR's CTAS disburses the output to printers located in the
distribution area. The output is divided into the following four categories: invoices, direct deposit
vouchers, live checks and payroll reports. There is one printer designated for each category.
Customers can request printing and delivery of the following payroll reports according to their preference:
- Accruals
- Check Register
- Check Register ALL PayGroups
- Dept Summary
- Dept Summary ALL PayGroups
- Draft Pay Master
- Invoice By Pay Group
- Invoice Draft
- Invoice Posted
- Pay Master
- Pay Master ALL PayGroups
- Pay Sheet
- Tax Liability
- Tax Liability ALL PayGroups
- CPHR Invoice
- Detail Deductions by DedCode
- Detail Deductions by Employee
- Detail Pay Reg—MultiSort
- Earnings Detail for Balancing
- Employee PTO Balances
During the print process, counters are used to verify that the reports are printed and that they contain the
correct number of pages. If errors in the printing process are detected in the CTAS console, the errors
are assigned to be investigated and resolved.
Shipping instructions are collected during the implementation period. Shipping instructions for clients are
stored in CheckPoint HR’s data repository. Shipping rules are stored in the CRM system, where they are
built into a bar code that is generated at the end of the payroll transaction. The representative scans the
bar code, which generates the FedEx label to ship the payroll package. Clients may make permanent or
temporary changes to their shipping instructions, but the changes are supplied in writing by an authorized
company representative.
For clients who are paperless, the distribution representative places the printed invoice and payroll
reports in a stack that is dropped in one of the locked shred bins within the Edison facility. The bins are
emptied periodically by a third party and taken back to their shredding facility.
The payroll reports generated are also available online through CheckPointHRMS. Customers can
review these payroll reports a few minutes after they commit their payroll transaction through
CheckPointHRMS for accuracy and completeness.
Electronic Payment Systems
CheckPoint HR utilizes an online banking system to process ACH and wire transfers. Access to the
electronic payment system is restricted to authorized personnel. Wire transfers and drawdowns (reverse
wires) require dual control for processing. ACH transactions are submitted through the online banking
website, and then the totals for the ACH files are validated separately with the bank via telephone before
the file is processed. These procedures apply to both ACH debits, where payroll funds are collected from
clients, and credits where payroll is actually transmitted to clients’ employees.
Monitoring of Payroll Transactions
CheckPoint HR uses multiple tools to monitor the status of payroll transactions to verify the completeness
and accuracy of customers' payroll transactions. The two primary tools are the Process
Automation Center (PAC) and CTAS: PAC is an integrated component of CheckPointHRMS used to
monitor the customer's input process, and CTAS is CheckPoint HR's homegrown system that is used to
monitor payroll processing and report generation.
Monitoring of client input phases is performed by PAC, and each input step of a customer's submission creates an entry
in the PAC monitoring console. If a step fails, an email notification is generated and sent to the initiator of
the payroll transaction. PAC also monitors the precheck process. The operations group and customer
service group can check the PAC monitoring console to investigate errors. A transaction log of submitted
payroll transactions is kept in the PAC for investigation purposes.
CTAS processes and monitors invoice calculations, payroll report generation, and payroll checks and
report prints. Customers’ payroll submissions create an entry in a log file that is displayed in the CTAS
monitoring console in real time. The submission status, invoice printing status, check printing status
and status of other critical processing steps of the submission are written to related fields of the entry in
the log and are displayed in the CTAS monitoring console in real time. A distribution representative
working in the mailroom monitors the CTAS console and reports failed items to the IT department, who
investigates the problem and documents the issue in the incident reporting system. Once the issue is
resolved, the job is released and the status of the submission is updated to “complete” in the log file and
the CTAS monitoring console. The billing console monitors payroll submissions by customer to verify the
accurate generation of invoices.
When a payroll transaction is completed and the payroll reports/checks are printed, a bar code is
generated and printed on the cover of the package by CTAS. The distribution representative scans the
bar code, which generates a FedEx label for shipping of the package. That usually means the completion
of a payroll transaction, so the status of the transaction is updated as “completed” in the system. On a
daily basis, a distribution representative reviews the database to check outstanding transactions that have
been submitted but have not been completed to confirm that submissions are processed completely and
successfully. The distribution representative also checks whether special requirements that are triggered
by the various rules in the system are satisfied to confirm the completion of processing.
Payroll Disbursement
CheckPointHRMS is designed to process payroll and related transactions and to generate payments to
employees in the form of paychecks or direct deposits. Checks or direct deposit advices are printed and
delivered to clients or to the client’s employees directly.
Upon completion of a payroll run, CTAS disburses the output to printers located in the distribution area.
The output is divided into four categories: invoices, direct deposit vouchers, live checks and payroll
reports. One printer is designated for each category.
The output is then collated based on the company code and pay group. If clients want the checks and
direct deposit advices to be stuffed in the package, the checks are run through the folding machine, which
folds and inserts the stubs into the envelopes. Once the stubs have been run through the machine, the
counts are reviewed for accuracy. The pay stubs are batched, totaled and then re-verified against the
totals from the folding machine’s counter to confirm an accurate package. If the counts are accurate, the
distribution representative signs off on the header sheet.
CheckPoint HR has controls in place to reduce the risk of theft and check fraud. The distribution area,
where the checks are printed, is kept secured: a magnetic card-key is required to enter, and only essential
personnel have access to this room. The card-key reader system keeps an audit trail of the individuals who
access the check printing room. In addition, the room is under 24-hour surveillance by two security
cameras that monitor the entrance and exit. The CIO is also in charge of physical security and verifies that
physical security is maintained.
Along with the physical security in the distribution area, CheckPoint HR has implemented security controls
to protect the check stock. Live checks are printed with magnetic ink character recognition (MICR) toner
on blank check stock.
Checks have the following seven security features:
- Toner grip paper
- Micro print border (with CheckPoint HR)
- Fluorescent fibers
- Solvent-based ink eradicator reaction black dye
- Solvent-based ink eradicator reaction blue dye
- Bleach reactive brown stain multilanguage void (front)
- Fluorescent watermark
Check stock and MICR toner are housed in the secured distribution area. CheckPoint HR monitors the
use of MICR toner cartridges and the ordering of new MICR toner cartridges.
Shipping instructions are collected during the implementation period. Shipping instructions for clients are
stored in CheckPoint HR’s data repository. Shipping rules are stored in the CRM system, where they are
built into a bar code that is generated at the end of the payroll transaction. The distribution representative
will scan the bar code, which generates the FedEx label to ship the payroll package. Clients may make
permanent or temporary changes to their shipping instructions, but the changes are supplied in writing by
an authorized company representative.
CheckPoint HR uses FedEx for delivery of payroll packages. Once CheckPoint HR ships a package,
FedEx sends an automated email to the client contact with the tracking number. Upon receipt, the
contents become the sole responsibility of the client. Clients are expected to review the contents of the
delivery and report variances when received. Variances are investigated. FedEx requires and keeps
signatures of who signed for the package. Clients who elect to have their payrolls shipped via U.S. Postal
Service follow a similar procedure.
CheckPoint HR has elected to use the positive-pay security feature on the primary checking account used
to issue payroll checks on behalf of its clients. Positive pay is the process of matching the items on the
company’s check issuance file against the items presented for payment against its account. This matching
is performed daily so that possible fraudulent items presented against CheckPoint HR’s bank account are
identified and controlled. CheckPoint HR also offers the check writing service without the positive-pay
feature. If a client elects to use one of the alternative banks, the possibility of fraudulent activity is
accepted at the client’s own risk.
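The following is an added illustration of the positive-pay matching described above; it is example code written for this page, not CheckPoint HR’s or any bank’s implementation. The issuance file and the presented items are constructed sample data in an assumed comma-separated layout; the match is keyed on check number and flags the exception types a reviewer would expect to see (unknown check number, altered amount, altered payee, duplicate presentment) rather than paying the item.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample data (not from the report): the check issuance file a payroll
# processor would transmit to its bank, and the items the bank later presents for payment.
ISSUANCE_FILE = """check_no,amount,payee
100201,1543.27,A. Example
100202,980.00,B. Example
100203,2210.50,C. Example
100204,410.75,D. Example
"""

PRESENTED_ITEMS = """check_no,amount,payee
100201,1543.27,A. Example
100202,9800.00,B. Example
100203,2210.50,X. Altered
100205,600.00,E. Unknown
100201,1543.27,A. Example
"""


@dataclass(frozen=True)
class Check:
    check_no: str
    amount: Decimal
    payee: str


def parse_checks(text: str) -> List[Check]:
    """Parse the simple comma-separated layout used above; the first line is a header."""
    checks: List[Check] = []
    for row in text.strip().splitlines()[1:]:
        if not row.strip():
            continue
        check_no, amount, payee = row.split(",", 2)
        checks.append(Check(check_no.strip(), Decimal(amount.strip()), payee.strip()))
    return checks


def positive_pay_match(issued: List[Check],
                       presented: List[Check]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Match each presented item against the issuance file.

    Returns the check numbers cleared for payment and a list of (check_no, reason)
    exceptions for items that must be reviewed before the bank pays them. An item is
    cleared only if its check number was issued, has not already been paid, and its
    amount and payee match what was issued.
    """
    issued_by_no: Dict[str, Check] = {c.check_no: c for c in issued}
    approved: List[str] = []
    exceptions: List[Tuple[str, str]] = []
    already_paid = set()
    for item in presented:
        original = issued_by_no.get(item.check_no)
        if original is None:
            exceptions.append((item.check_no, "not in issuance file"))
        elif item.check_no in already_paid:
            exceptions.append((item.check_no, "duplicate presentment"))
        elif item.amount != original.amount:
            exceptions.append((item.check_no,
                               f"amount mismatch: issued {original.amount}, presented {item.amount}"))
        elif item.payee != original.payee:
            exceptions.append((item.check_no, "payee mismatch"))
        else:
            approved.append(item.check_no)
            already_paid.add(item.check_no)
    return approved, exceptions


def run_daily_match() -> Tuple[List[str], List[Tuple[str, str]]]:
    """One day's match over the constructed files; the exceptions are what the reviewer
    would return to the bank as 'do not pay' or 'investigate' decisions."""
    return positive_pay_match(parse_checks(ISSUANCE_FILE), parse_checks(PRESENTED_ITEMS))


if __name__ == "__main__":
    cleared, exception_list = run_daily_match()
    print("cleared for payment:", cleared)
    for number, why in exception_list:
        print(f"exception {number}: {why}")
```

Amounts are held as Decimal rather than float so that a presented amount is compared exactly against the issued amount; the duplicate check is evaluated only after the check number is known to exist, so an unknown number is reported as such even when it is presented twice.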
Subservice Organizations
CheckPoint HR uses subservice organizations to perform various functions to support the delivery of
services. The scope of this report does not include the controls and related control objectives at the
subservice organizations. The following is a description of services the subservice organizations
provided:
Subservice Organization   Service Provided
AT&T                      Data center hosting for the production environment
Ceridian                  Tax processing for payroll taxes
Empower                   Tax processing for payroll taxes
Complementary User Entity Controls
CheckPoint HR’s processing of transactions and the controls over the processing were designed with the
assumption that certain controls would be placed in operation by user entities. This section describes
some of the controls that should be in operation at user entities to complement the controls at CheckPoint
HR. User auditors should determine whether user entities have established controls to provide
reasonable assurance that:
Contingency procedures are in place.
If the services of CheckPoint HR were unavailable or inoperative due to system or communications
failure, the user could expect some delay before the backup site used by CheckPoint HR is established.
User organizations should establish procedures to verify continued operations during this interim period.
Access control procedures are in place.
CheckPoint HR’s user organizations are responsible for the following access controls:
- Granting and revoking appropriate payroll roles to their employees and notifying CheckPoint HR in the event of a change in administrative user roles
- Periodically reviewing the assigned login profiles of their employees for the payroll input systems
- Reviewing changes in personnel made by CheckPoint HR customer representatives and reporting any errors to CheckPoint HR in a timely manner
- Establishing proper controls over the use of IDs and passwords that are used to access and transmit payroll information
- Establishing strong password parameters for access to CheckPointHRMS (The system is capable of supporting minimum password lengths, password complexity and mandatory password changes. Clients are responsible for requiring strong password controls to protect the confidentiality and integrity of their data housed on the system.)
Payroll data is transmitted accurately and is reviewed prior to submission to CheckPoint HR.
CheckPoint HR’s user organizations are responsible for the following controls over the transmission and
review of payroll data:
- Uploading or inputting payroll timesheets in accordance with the predefined CheckPointHRMS format
- Reviewing error messages that result from entering payroll data, addressing errors and resubmitting payrolls in a timely manner
- Reviewing the CheckPointHRMS Precheck Report on a timely basis to confirm that the payroll information has been recorded completely and accurately
- Reviewing the CheckPointHRMS Precheck Report in a timely manner to verify that the calculation of gross pay; withholding for federal, state, social security and local taxes; and net pay based on client-defined deductions are complete and accurate
- Reviewing the email notification about payroll submission status
- Reviewing the reports available in CheckPointHRMS to verify the completeness and accuracy of the payroll transaction
Information submitted during the new client setup process is reviewed prior to submission to
CheckPoint HR.
The following controls over the setup of a new account with CheckPoint HR are the responsibility of the
user organization:
- Reviewing the Master Control Form produced by CheckPointHRMS after the initial account setup (The Master Control Form provides a listing of the employees’ master records to verify that the employee-level and company-level information has been recorded completely and accurately.)
- Notifying CheckPoint HR of changes to a user organization’s contact information in a timely manner
- Defining the distribution method for payroll packages and reports and communicating any required changes to CheckPoint HR in a timely manner
Tax deductions and other tax processing information are reviewed for accuracy.
The following controls over tax processing are the responsibility of the user organization:
- Verifying the completeness and accuracy of client-specified deductions
- Submitting client-specified deduction changes to CheckPoint HR in a timely manner
- Reviewing deduction and tax withholding information when previewing the Precheck Report before committing the payroll for processing
- Reviewing the Personnel Change Report (The Personnel Change Report is distributed upon payroll processing to determine whether deduction and tax withholding information is complete and accurate and to notify CheckPoint HR when there is a change.)
Invoices, payroll data, and payroll packages are reviewed during each pay period.
The following controls over the receipt of payroll packages and invoices are the responsibilities of user
organizations:
- Reviewing the payroll invoice after submitting payroll transactions and reporting any errors to CheckPoint HR in a timely manner
- Reviewing the payroll invoice and reconciling the invoice with their bank statement to verify that the right amount of funds has been transferred to CheckPoint HR
- Reviewing the completeness and accuracy of the reports that are produced by CheckPointHRMS
- Reviewing the payroll package and reporting any variances when noted
- Defining and reviewing the accuracy of the setup of direct deposit information provided to CheckPoint HR
CHECKPOINT HR, LLC
CHECKPOINT HR, LLC’S CONTROL OBJECTIVES AND
RELATED CONTROLS AND MCGLADREY & PULLEN, LLP’S
TESTS OF CONTROLS AND RESULTS OF TESTS
CheckPoint HR, LLC’s Control Objectives and Related Controls
and McGladrey & Pullen, LLP’s Tests of Controls and Results of
Tests
CheckPoint HR’s control objectives and related controls are an integral part of management’s description
and are included in this section for presentation purposes. McGladrey & Pullen, LLP included the
description of the tests performed to determine whether the controls were operating with sufficient
effectiveness to achieve the specified control objectives, and the results of those tests of controls, as
specified below.
Tests of the control environment, risk assessment, information and communication, and monitoring
included inquiries of appropriate management, supervisory and staff personnel, observation of
CheckPoint HR’s activities and operations, and inspection of CheckPoint HR documents and records.
The results of those tests were considered in planning the nature, timing and extent of McGladrey &
Pullen, LLP’s testing of the controls designed to achieve the control objectives. As inquiries were
performed for substantially all of CheckPoint HR’s controls, those inquiries are not listed individually for
every control in the tables below.
Control Environment, Risk Assessment and Monitoring
In the tables that follow, the Control column was provided by CheckPoint HR, LLC, and the Test Performed
and Test Results columns describe the procedures performed by McGladrey & Pullen, LLP.
Control Objective 1: Controls provide reasonable assurance that HR policies are in place to manage the hiring of
employees.
Control 1.1: CheckPoint HR employees are provided a copy of the Employee Handbook upon hiring and when the Handbook is updated, and are required to sign a written acknowledgment as evidence of handbook receipt.
Test performed: Inspected a sample of employee files to verify that employees signed an agreement to comply with the policies documented in the handbook.
Test results: No exceptions noted.
Control 1.2: CheckPoint HR employees are required to sign an employee confidentiality agreement (which is part of the handbook) upon employment.
Test performed: Inspected the nondisclosure agreement in the Employee Handbook to verify that the agreement included the confidentiality agreement language.
Test performed: Inspected a sample of employee files to verify that a signed confidentiality agreement was on file.
Test results: No exceptions noted.
Control 1.3: CheckPoint HR performs background checks for prospective employees in sensitive positions (e.g., finance, IT) prior to employment.
Test performed: Inspected the personnel policies and procedures in the Employee Handbook to verify that background check procedures were documented.
Test results: No exceptions noted.
Test performed: Inspected a sample of employee files to verify that a background check was on file for employees in sensitive positions.
Test results: No exceptions noted.
Control 1.4: The Use of Technology Policy is distributed to employees, and employees sign a statement of compliance with the information security policies annually.
Test performed: Selected a sample of employees and requested the signed statements of compliance with the IT policy; verified that the statements were completed upon hiring.
Test results: No exceptions noted.
Computer Operations
Control Objective 2: Controls provide reasonable assurance that procedures are in place to detect hardware and
software malfunctions and to notify management when they occur.
Control 2.1: Problem management processes are in place to escalate repeat or high-severity incidents to the attention of management.
Test performed: Inspected CheckPoint HR’s Incident Management Policy and Procedures to verify that processes were in place for identifying the root cause of incidents (problem management) and escalating the incidents to management.
Test results: No exceptions noted.
Control 2.2: Management uses custom scripts and reports to measure the processing time for the application on a weekly basis and to track metrics of system performance on an ongoing basis.
Test performed: Inspected a sample of weekly metrics reports prepared during the opinion period and verified that they tracked the performance of CheckPoint HR systems and applications throughout the period.
Test results: No exceptions noted.
Control 2.3: CheckPoint HR uses IPSwitch to monitor operating systems and servers internally and the SiteScope utility to monitor systems from the Internet for uptime, availability and system health.
Test performed: Observed CheckPoint HR network engineers accessing the console for the SiteScope and IPSwitch applications to verify that they were monitoring CheckPoint HR servers and applications.
Test results: No exceptions noted.
Control 2.4: CheckPoint HR has monitoring systems in place to notify IT personnel of any incidents after hours.
Test performed: Inspected the application configuration for WhatsUp Gold and IPSwitch to validate that it was configured to notify IT department personnel of incidents that occur after hours.
Test results: No exceptions noted.
Control Objective 3: Controls provide reasonable assurance that backups are performed on a regular basis and
that storage media is regularly rotated off-site.
Control 3.1: A written backup policy is in place that defines the requirements for the following:
- Process for backing up data
- Frequency of backups
- Monitoring of backup jobs
- Rotation of tapes off-site
- Maintenance of a tape inventory
Test performed: Inspected the backup policy and verified that it included the following elements:
- Process for backing up data
- Frequency of backups
- Monitoring of backup jobs
- Rotation of tapes off-site
- Maintenance of a tape inventory
Test results: No exceptions noted.
Control 3.2: Client data is backed up on a daily basis.
Test performed: Inspected a sample of backup logs and verified that backups were performed daily and the jobs were completed successfully.
Test results: No exceptions noted.
Control 3.3: Backup tapes from both the Edison and third-party-hosted data centers are rotated to a secure off-site storage location on a weekly basis.
Test performed: Observed network administrators performing weekly tape backup rotations and preparing tapes for shipment to the off-site storage location.
Test results: No exceptions noted.
Test performed: Inspected a sample of backup tapes in the off-site bank vault and compared it to the tape inventory to verify that the tapes that were marked as rotated off-site were stored in the bank vault.
Test results: No exceptions noted.
Control 3.4: A tape inventory is maintained to show the age and current location of backup tapes.
Test performed: Inspected a sample of backup tapes in the off-site bank vault and compared it to the tape inventory to verify that the tapes that were marked as rotated off-site were stored in the bank vault and that the tapes were labeled with the date that they were originally run.
Test results: No exceptions noted.
Control Objective 4: Controls provide reasonable assurance that the data centers are adequately protected by
environmental controls.
Control 4.1: The Edison computer room has environmental controls in place to protect the computer system and data stored at the facility.
Test performed: Observed the following environmental controls at the Edison computer room and noted that CheckPoint HR’s systems were protected by these controls:
- Temperature and humidity controls
- Dry chemical handheld fire extinguishers
- Local uninterruptible power supply systems connected to servers
Test results: No exceptions noted.
Control 4.2: The check processing area has a dry chemical fire extinguisher and smoke detectors to protect the facility.
Test performed: Observed that a dry chemical fire extinguisher and smoke detector were present in the check processing room.
Test results: No exceptions noted.
Access Controls
Control Objective 5: Controls provide reasonable assurance that logical access to computer systems and data is
granted and reviewed in accordance with management’s authorization.
Control 5.1: Employees are granted access to computer systems and data in accordance with management’s specific authorization.
Test performed: Selected a sample of new employees and inspected their Access Request Forms to verify that the access granted was approved by management.
Test results: No exceptions noted.
Test performed: Inspected a sample of IDs from Active Directory and verified that they were authorized by management.
Test results: No exceptions noted.
Control 5.2: Access to computer systems and data is removed upon notification when employees are terminated or leave the organization.
Test performed: Selected a sample of terminated employees and requested a copy of their Termination Checklists. Inspected the checklists and verified that access to computer systems and facilities was removed.
Test results: No exceptions noted.
Test performed: Inspected the user lists for Microsoft Windows and verified that terminated employee accounts were removed from the system and that remote access was disabled.
Test results: No exceptions noted.
Control 5.3: Administrative access to computer systems and data is appropriately restricted to authorized personnel.
Test performed: Inspected the administrative accounts in Active Directory and verified that they were assigned to authorized personnel or were documented as service or application accounts.
Test results: No exceptions noted.
Control 5.4: Access rights to computer systems are reviewed semiannually to verify that authorized personnel are able to access the systems and applications.
Test performed: Inspected a sample of semiannual access rights reviews performed by the CIO and verified that the following items were reviewed:
- List of Active Directory users
- SQL user accounts
- Penetration test results
Test results: No exceptions noted.
Control 5.5: Server and firewall logs from the production environment are forwarded to a separate system for retention and are retained for a period of at least 60 days.
Test performed: Inspected the configuration of the log retention systems and verified that they were storing logs for at least 60 days.
Test results: No exceptions noted.
Test performed: Inspected the Active Directory domain settings and verified that auditing was enabled on the domain.
Test results: No exceptions noted.
Control 5.6: The CIO reviews a list of individuals and clients who accessed the UltiPro application directly (through the locally installed application client or Citrix) on a weekly basis. The review is documented on the Weekly Security Checklist.
Test performed: Selected a sample of Weekly Security Checklists and inspected the checklists to verify that the review of the UltiPro logs was completed by the CIO.
Test results: No exceptions noted.
Control 5.7: Access to computer systems is controlled through the use of authentication mechanisms.
Test performed: Inspected the password parameters for Microsoft Active Directory and noted the following requirements:
- Minimum length: eight characters
- Maximum age: 90 days
- Minimum age: zero days
- Require complexity: yes
- Password history: 24 iterations
Test results: No exceptions noted.
Control Objective 6: Controls provide reasonable assurance that infrastructure systems, including databases,
firewalls and network components, are protected from unauthorized access.
Control 6.1: Firewalls are in place at the Edison and Piscataway data centers to control access to computer systems at these locations.
Test performed: Inspected a network diagram to verify that firewalls were in place in both the Edison computer room and the third-party-hosted data center.
Test results: No exceptions noted.
Test performed: Observed senior systems engineers log onto the firewalls at both locations and verified that they were operational and placed in accordance with the diagram.
Test results: No exceptions noted.
Control 6.2: The firewalls have intrusion prevention systems enabled to reduce the risk of attacks on hosted systems from the Internet.
Test performed: Inspected the configuration of the Cisco ASA firewalls at the Edison and Piscataway data centers and verified that the intrusion prevention system features were enabled and that the signature databases were up to date.
Test results: No exceptions noted.
Control 6.3: CheckPoint HR systems engineers perform regular scans of the internal network to verify that systems are appropriately secured and have the latest security patches installed.
Test performed: Inspected a report from the GFI LANguard system and verified that it was configured to monitor internal computer systems for the latest patches and software updates.
Test results: No exceptions noted.
Control 6.4: CheckPoint HR performs quarterly internal and external vulnerability assessments to verify that computer systems and network components are appropriately secured and have the latest security patches installed.
Test performed: Inspected a sample of quarterly internal vulnerability scans to verify they were completed.
Test results: No exceptions noted.
Test performed: Inspected a sample of quarterly external vulnerability scans to verify they were completed.
Test results: No exceptions noted.
Control 6.5: Database systems are secured from unauthorized access through the use of authentication mechanisms. Users must authenticate through Active Directory and application accounts.
Test performed: Inspected the configuration of the databases for CheckPointHRMS (including the UltiPro database and the Oasis database for back-end processing) to verify that access was controlled through the use of Active Directory and was restricted to IT department personnel.
Test results: No exceptions noted.
Control 6.6: CheckPoint HR has a secure mail system in place so that employees can send encrypted emails to protect personally identifiable information.
Test performed: Inspected a test email sent by a systems engineer and verified that the email was delivered through an SSL-secured Web interface.
Test results: No exceptions noted.
Control Objective 7: Controls provide reasonable assurance that physical access to the Edison facility and
computer room is granted in accordance with management’s authorization.
Control 7.1: Physical access to the Edison offices is restricted to authorized personnel.
Test performed: Observed the physical security controls in place at the Edison facility to verify that an electronic card-key is required to enter the business area/server room and a monitoring security camera is installed in the server room.
Test results: No exceptions noted.
Test performed: Inspected the list of individuals with access to the computer room and verified that access was restricted to authorized personnel.
Test results: No exceptions noted.
Control 7.2: Entrances and exits to the Edison facility and data center are protected by magnetic card-key readers.
Test performed: Toured the Edison facility and data center and observed that entrances and exits to the facility had magnetic card-key readers installed and that the readers were active and functioning.
Test results: No exceptions noted.
Control 7.3: Visitors are granted access into the front entrance by a receptionist, are authorized by an employee when visiting the facility and sign a visitor log.
Test performed: Observed the receptionist at the front entrance of the facility during business hours.
Test results: No exceptions noted.
Test performed: Observed that a visitor log was maintained at the reception desk and that visitors had to be granted access by an authorized employee.
Test results: No exceptions noted.
Control 7.4: The CIO reviews physical access on a weekly basis and logs any off-hours access to the premises.
Test performed: Inspected a sample of weekly physical access review checklists and verified that physical access and off-hours access was reviewed.
Test results: No exceptions noted.
Control 7.5: Shred bins are placed throughout the facility to provide a way for employees to dispose of confidential paper information and electronic media. A third-party service provider empties the bins and shreds the materials on a regular basis.
Test performed: Observed the presence of shred bins throughout the Edison office facility and attempted to open the bins to verify that the bins were locked.
Test results: No exceptions noted.
System Development and Maintenance
Control Objective 8: Controls provide reasonable assurance that changes to applications and infrastructure
systems are documented, tested, approved and properly implemented.
Control 8.1: The Vendor Selection Process identifies the requirements for acquiring new systems and applications.
Test performed: Inspected the Vendor Selection Process to verify that it identified the requirements for selecting new systems, applications and vendors.
Test results: No exceptions noted.
Control 8.2: The Change Management Policy governs modifications to computer systems and applications.
Test performed: Inspected the Change Management Policy and verified that the policy governed changes to the computer systems and applications.
Test results: No exceptions noted.
Control 8.3: Changes to the computer systems and applications are documented using the Clientele system. The following elements are documented:
- Date opened
- Date closed
- Approver
- Owner/implementer
Test performed: Selected a sample of RFC forms and inspected them to verify that the documentation included:
- Date opened
- Date closed
- Approver
- Owner/implementer
Test results: No exceptions noted.
Control 8.4: Program changes are tested prior to implementation.
Test performed: Inspected a sample of RFC forms and verified that testing was performed prior to implementation.
Test results: No exceptions noted.
Control 8.5: After program changes are tested, the CIO documents his approval in the Clientele system.
Test performed: Inspected a sample of RFC forms and verified that deployment to production was approved by the CIO.
Test results: No exceptions noted.
Control 8.6: RFC forms are completed for infrastructure changes.
Test performed: Inspected a sample of RFC forms to verify that the infrastructure and operating systems follow a formal change management procedure.
Test results: No exceptions noted.
Control 8.7: A risk assessment is conducted for change requests that are completed.
Test performed: Inspected a sample of RFC forms and verified that a risk assessment was performed to determine the potential impact of the change on the operating environment.
Test results: No exceptions noted.
Application Controls
Control Objective 9: Controls provide reasonable assurance that application security features are in place to reduce
the risk of unauthorized access to the system.
Control 9.1: Users enter a user name to identify themselves when accessing the system and authenticate with a password when logging into the system.
Test performed: Logged on to the system and inspected the logon screen to verify that the system required the entry of a user name for access.
Test results: No exceptions noted.
Test performed: Logged on to the system and inspected the login screen to verify that the system required a password for access.
Test results: No exceptions noted.
Control 9.2: Passwords are masked when displayed on-screen by the system.
Test performed: Logged on to the system and inspected the login screen to verify that the password credential was masked when displayed on-screen.
Test results: No exceptions noted.
Control 9.3: When incorrect credentials (user name or password) are entered in the system, the rejection message does not identify which credential was invalid.
Test performed: Attempted to log on to the system using an invalid user name and inspected the system output to verify that the rejection message did not identify which credential was invalid.
Test results: No exceptions noted.
Test performed: Attempted to log on to the system using an invalid password and inspected the system output to verify that the rejection message did not identify which credential was invalid.
Test results: No exceptions noted.
Control 9.4: The system locks out users after six unauthorized access attempts, which constitute entering an invalid user name or password.
Test performed: Logged on to the system using an invalid user name and/or password and inspected the system output; verified that after six access attempts, the account was locked out.
Test results: No exceptions noted.
Control 9.5: After their first logon to the system, users are required to change their passwords.
Test performed: Logged on to the system using a newly created user account and inspected the system output to confirm that the system required that the password for the account be changed.
Test results: No exceptions noted.
Control 9.6: The system uses a role-based security system. Privileges are assigned at the group or global level and once configured cannot be modified at the individual level.
Test performed: Logged on to the system using a test user account and a test administrator account to verify that role-based security prevented users from accessing administrative functions.
Test results: No exceptions noted.
Control 9.7: Client payroll time sheets uploaded and downloaded in the payroll input process are encrypted for additional security.
Test performed: Observed the Web server settings to verify that SSL encryption software was in place during the upload and download process.
Test results: No exceptions noted.
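As an added illustration of the authentication behaviours tested under controls 9.3, 9.4 and 9.5 and of the Active Directory password parameters recorded under control 5.7, the following example implements a small account store that exhibits them; it is example code written for this page, not CheckPointHRMS, UltiPro or Active Directory code. The threshold and password parameters (six attempts, eight characters, 90-day maximum age, zero-day minimum age, 24-entry history) are taken from the report; the complexity rule (three of four character classes, user name not contained in the password), the PBKDF2 hashing, the message wording and the sample account names are assumptions of the example. Because an unknown user name has no account record, the example counts failed attempts per existing account and returns the same generic message for unknown names.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Password parameters as stated for Active Directory in control 5.7.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
MIN_AGE_DAYS = 0
HISTORY_SIZE = 24
LOCKOUT_THRESHOLD = 6                              # control 9.4
GENERIC_REJECT = "Invalid user name or password."  # control 9.3: one message for both cases
PBKDF2_ROUNDS = 50_000                             # assumed hashing cost for the example


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_on: date
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # earlier (salt, digest)
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = True  # control 9.5: a newly created account must change its password


def policy_violation(username: str, password: str) -> Optional[str]:
    """Return None if the password meets the 5.7 parameters, otherwise the reason.
    Complexity is an assumed approximation of the AD rule: three of four character
    classes, and the user name must not appear in the password."""
    if len(password) < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters"
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < 3:
        return "password must contain three of: lower case, upper case, digit, symbol"
    if username.lower() in password.lower():
        return "password must not contain the user name"
    return None


class Directory:
    """Minimal account store; 'today' is injected so the aging rules can be exercised."""
    def __init__(self, today: date):
        self.today = today
        self.accounts: Dict[str, Account] = {}

    def create_account(self, username: str, initial_password: str) -> Account:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _digest(initial_password, salt), self.today)
        return self.accounts[username]

    def logon(self, username: str, password: str) -> Tuple[bool, str]:
        acct = self.accounts.get(username)
        if acct is None:
            return False, GENERIC_REJECT  # same wording as a bad password (control 9.3)
        if acct.locked:
            return False, "Account is locked out."
        if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:  # sixth failure locks the account
                acct.locked = True
                return False, "Account is locked out."
            return False, GENERIC_REJECT
        acct.failed_attempts = 0
        if acct.must_change:
            return False, "Password change required before first use."
        if (self.today - acct.changed_on).days > MAX_AGE_DAYS:
            return False, "Password has expired; change required."
        return True, "Logon successful."

    def change_password(self, username: str, old: str, new: str) -> Tuple[bool, str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(_digest(old, acct.salt), acct.digest):
            return False, GENERIC_REJECT
        if (self.today - acct.changed_on).days < MIN_AGE_DAYS:
            return False, "Password was changed too recently."
        reason = policy_violation(username, new)
        if reason:
            return False, reason
        # History: the current password plus the HISTORY_SIZE - 1 earlier ones may not be reused.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if hmac.compare_digest(_digest(new, salt), digest):
                return False, f"password must differ from the last {HISTORY_SIZE} passwords"
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_SIZE - 1]
        acct.salt = os.urandom(16)
        acct.digest = _digest(new, acct.salt)
        acct.changed_on = self.today
        acct.must_change = False
        return True, "Password changed."


def run_scenario() -> Dict[str, str]:
    """Walk the behaviours the auditor tested (9.3, 9.4, 9.5, 5.7) with constructed accounts."""
    d = Directory(today=date(2011, 10, 31))
    d.create_account("jdoe", "Welcome-2011")
    r: Dict[str, str] = {}
    r["unknown_user"] = d.logon("nobody", "anything")[1]
    r["bad_password"] = d.logon("jdoe", "wrong")[1]          # failed attempt 1
    for _ in range(4):                                        # failed attempts 2 to 5
        d.logon("jdoe", "wrong")
    r["sixth_attempt"] = d.logon("jdoe", "wrong")[1]         # attempt 6 locks the account
    d.create_account("asmith", "Welcome-2011")
    r["first_logon"] = d.logon("asmith", "Welcome-2011")[1]
    r["too_short"] = d.change_password("asmith", "Welcome-2011", "Ab1!")[1]
    r["reused"] = d.change_password("asmith", "Welcome-2011", "Welcome-2011")[1]
    r["changed"] = d.change_password("asmith", "Welcome-2011", "Strong#Pass42")[1]
    r["after_change"] = d.logon("asmith", "Strong#Pass42")[1]
    d.today += timedelta(days=MAX_AGE_DAYS + 1)
    r["expired"] = d.logon("asmith", "Strong#Pass42")[1]
    return r
```

The order of checks in `logon` matters for the auditor’s 9.3 test: the unknown-user and wrong-password paths must return an identical message, and the lockout state is reported only after the account has reached the threshold, so the response never reveals which credential failed. The history list stores the salt with each old digest so that a candidate password can be checked against every remembered entry without keeping any password in clear text.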
Operational Controls
Control Objective 10: Controls provide reasonable assurance that policies and procedures are in place for the setup of new clients and the management of existing clients in the system.
Controls provided by CheckPoint HR, LLC; tests performed and results reported by McGladrey & Pullen, LLP.

10.1
Control: Written procedures are in place for the setup and implementation of new clients and the maintenance and servicing of existing clients.
Test performed: Inspected a checklist and verified that the client setup, implementation and maintenance procedures were in place and approved by management.
Test results: No exceptions noted.

10.2
Control: New client setups are tracked and managed using the new client analysis spreadsheet.
Test performed: For a sample of new clients, inspected that the client analysis was performed and documented on the client analysis spreadsheet.
Test results: No exceptions noted.

10.3
Control: Changes to the employee master file made via telephone are authenticated against a list of authorized contacts.
Test performed: Observed that the customer service representatives can access the predefined client contact information from the internal CRM system to authenticate the identity of the caller.
Test results: No exceptions noted.
Test performed: For a sample of client employee master file changes by customer service representatives recorded in CheckPointHRMS, inspected the customer service tracking system records to determine whether they had been documented and were communicated by authorized client contacts.
Test results: No exceptions noted.
Control Objective 11: Controls provide reasonable assurance that payroll deductions and payroll taxes are processed completely and received from authorized sources.
Controls provided by CheckPoint HR, LLC; tests performed and results reported by McGladrey & Pullen, LLP.

11.1
Control: A Tax Verification Report is sent to new clients as part of the new client setup process.
Test performed: Inspected a sample of new clients to verify that CheckPoint HR sent the companies a Tax Verification Report for their review after the client setup process was complete.
Test results: No exceptions noted.

11.2
Control: Ceridian processes the tax transmission files and faxes back a report of tax drafts that will occur the next day for the taxes Ceridian will be paying. The report is reconciled to the CTS Files Sent Report. Differences are investigated, reconciled and documented.
Test performed: Inspected a sample of records to verify that the CheckPoint HR tax operator reviews the tax transmission file faxed from Ceridian on a daily basis.
Test results: No exceptions noted.
Test performed: Inspected a sample of the CTS Files Sent Reports and Ceridian’s faxed tax transmission files to verify that differences in the two reports are investigated and documented.
Test results: No exceptions noted.
Control Objective 12: Controls provide reasonable assurance that funds transfer activities from clients to CheckPoint HR are complete and accurate.
Controls provided by CheckPoint HR, LLC; tests performed and results reported by McGladrey & Pullen, LLP.

12.1
Control: The finance department reconciles funds transfer activities on a daily basis, including Invoice Reports (invoices generated during the previous day) and ACH File Reports in Dynamics, to verify that the correct ACH files were generated based on customer invoices from the previous day.
Test performed: Inspected a sample of the daily reconciliation of Invoice Reports and ACH File Reports and verified that the reports were reconciled and that the correct ACH files were generated based on customer invoices from the previous day.
Test results: No exceptions noted.

12.2
Control: The CheckPoint HR finance department performs a daily reconciliation of ACH File Reports and the Bank Treasury Report.
Test performed: Inspected a sample of ACH File Reports and Bank Treasury Reports to verify that ACH reconciliations were performed accurately.
Test results: No exceptions noted.
Control Objective 13: Controls provide reasonable assurance that activity reports are available to clients through the application and are distributed on a quarterly basis.
Controls provided by CheckPoint HR, LLC; tests performed and results reported by McGladrey & Pullen, LLP.

13.1
Control: The system-generated payroll reports are available online through CheckPointHRMS.
Test performed: Observed payroll reports produced by the UltiPro system.
Test results: No exceptions noted.

13.2
Control: Invoice and payroll reports printed to hard copy during processing that are not delivered to clients for review (e.g., for clients who elect to have electronic delivery of reports) are disposed of in a secure manner.
Test performed: Observed the locked shred bins throughout the CheckPoint HR Edison facility and in the distribution and processing areas.
Test results: No exceptions noted.

13.3
Control: At the end of the calendar quarter, CheckPoint HR’s tax staff generates a Quarterly Tax Balance Report for clients from CTS and sends the reports to the clients for their review.
Test performed: Inspected a sample of Quarterly Tax Balance Reports to determine the availability of these reports to CheckPoint HR’s clients.
Test results: No exceptions noted.
Control Objective 14: Controls provide reasonable assurance that access to the electronic payment systems is restricted to authorized personnel.
Controls provided by CheckPoint HR, LLC; tests performed and results reported by McGladrey & Pullen, LLP.

14.1
Control: Management has developed written procedures for treasury management, including the processing of ACH transactions, wires and reverse wire transactions.
Test performed: Inspected written procedures to verify that formal processes were in place for ACH, wire and reverse wire transactions.
Test results: No exceptions noted.

14.2
Control: The banking system used to process ACH and wire transfer payments is restricted to authorized personnel.
Test performed: Inspected the user listing of the banking system to verify that access is restricted to current CheckPoint HR employees.
Test results: No exceptions noted.

14.3
Control: The banking system requires dual control for the approval of wire transfers.
Test performed: Inspected the configuration of the banking system and the Wire Transfer Policy to verify that dual control is required for the approval of wires.
Test results: No exceptions noted.
Test performed: Observed the treasury manager attempt to initiate a wire transfer to a previously unused bank account to verify that the system would not allow it.
Test results: No exceptions noted.

14.4
Control: New accounts added to the wire transfer system must be approved by the CFO.
Test performed: Inspected the configuration of the online banking system and verified that new accounts added to the system for funds transfer required approval by the CFO.
Test results: No exceptions noted.

14.5
Control: Transmitted ACH files must be validated by telephone with the bank before they are processed.
Test performed: Observed operations personnel upload an ACH transaction to the banking website and verified that a telephone verification of the totals was required before the file was processed.
Test results: No exceptions noted.
Test performed: Inspected output from the online banking application and verified that the file was processed only after the telephone verification of the ACH totals was performed.
Test results: No exceptions noted.
Control Objective 15: Controls provide reasonable assurance that payments to customer employees are processed completely and accurately and that security features are included on the physical checks used for payment.
Controls provided by CheckPoint HR, LLC; tests performed and results reported by McGladrey & Pullen, LLP.

15.1
Control: Live checks are printed with MICR toner on blank check stock. Checks have seven security features:
- Toner grip paper
- Microprint border (displaying “CheckPoint”)
- Fluorescent fibers
- Solvent-based ink eradicator reaction black dye
- Solvent-based ink eradicator reaction blue dye
- Bleach reactive brown stain multilanguage void
- Fluorescent watermark
Test performed: Observed a check to verify that the seven security features were present.
Test results: No exceptions noted.
Test performed: Observed the security features noted on CheckPoint HR payroll checks in the processing and distribution room.
Test results: No exceptions noted.

15.2
Control: Check stock and MICR toner are housed in the secured distribution area. CheckPoint HR monitors the use of MICR toner cartridges and the ordering of new MICR toner cartridges.
Test performed: Observed the security features of the check printers and check printing process.
Test results: No exceptions noted.

15.3
Control: The distribution room where the checks are printed is secured. A magnetic card-key entry system is used to protect the area. Access is limited to the Distribution Team, technical support personnel, senior management and the accounts payable payer. The distribution room is also under 24-hour surveillance by two security cameras that monitor the entrance and exit.
Test performed: Observed the physical security features of the distribution room, including the presence of cameras monitoring the room and the magnetic readers on the entrance and exit to the room.
Test results: No exceptions noted.
Test performed: Inspected a list of the physical access permissions for the distribution room and verified that it was limited to the Distribution Team, technical support personnel, senior management and the accounts payable payer.
Test results: No exceptions noted.

15.4
Control: Pay stubs are batched, totaled and then reverified against the totals from the folding machine counter to produce the payroll package.
Test performed: Observed the distribution representative verify the stuffing of checks and pay stubs to verify that the production procedures were followed, which included addressing out-of-sequence issues.
Test results: No exceptions noted.
Control Objective 15 (continued): Controls provide reasonable assurance that payments to customer employees are processed completely and accurately and that security features are included on the physical checks used for payment.

15.5
Control: Shipping instructions are collected during the implementation period. Shipping instructions for clients are stored in CheckPoint HR’s data repository. Clients may make permanent or temporary changes to their shipping instructions, but the changes are supplied in writing by an authorized company representative.
Test performed: Observed a test payroll transaction and documentation of distribution settings, such as delivery address, delivery method and delivery schedule, to verify that the delivery was performed according to client specifications.
Test results: No exceptions noted.
Test performed: Observed that a checklist of special shipping requirements exists in the system for the distribution representative to complete on a daily basis.
Test results: No exceptions noted.

15.6
Control: The treasury operator prints the Files Sent Report from the direct deposit application, which details the individual files that have been transmitted to the bank, the amount of direct deposits to be paid, and what pay date and client they represent. The Bank Batch Summary Report is reconciled to the Files Sent Report. Differences are investigated and documented. This report is signed off on by the treasury operator and submitted to the CFO for approval. The CFO verifies the totals and then signs off on the report, giving the treasury operator authorization to release the batches from the bank’s website for processing.
Test performed: Inspected a sample of daily direct deposit reconciliations to verify that the Files Sent Report and the Bank Batch Summary Report were reconciled completely and accurately.
Test results: No exceptions noted.
Test performed: Inspected a sample of daily direct deposit reconciliations and verified that the CFO approved the forms before the operator released the direct deposit batch for the bank to process.
Test results: No exceptions noted.
Other Information Provided by CheckPoint HR, LLC
The information included in this section of the report is presented by CheckPoint HR to provide additional
information to user organizations and is not a part of CheckPoint HR’s description of controls placed in
operation. The information in this section has not been subjected to the procedures applied in the
examination of the description of controls related to the processing of transactions for user organizations
and, accordingly, we express no opinion on it.
State of Massachusetts Data Protection Law (201 CMR 17.00)
CheckPoint HR takes the confidentiality of customer information seriously and has instituted an
information security program to address the requirements of the Massachusetts data protection law
enacted on March 1, 2010 (Mass 201 CMR 17: Standards for the Protection of Personal Information of
Residents of the Commonwealth).
CheckPoint HR has appointed an information security officer to oversee data protection requirements at
the organization. The information security officer is responsible for maintaining the Information Security
Policy, keeping the policy up to date, reporting violations of the policy to senior management, maintaining
an incident response plan in case of a breach of security (as identified by Mass 201 CMR 17),
documenting security incidents and escalating high-risk incidents to the attention of management and the
board of directors.
CheckPoint HR has written security policies for employees to identify their responsibilities for handling
confidential information, including personally identifiable information. CheckPoint HR includes information
security controls testing as part of their annual SOC 1, Type 2 engagement to verify the operating
effectiveness of the security program in place at the organization. CheckPoint HR also conducts annual
information security and privacy training for employees and reports to the board of directors annually on
the status of the information security program.
Business Continuity Planning
The business continuity planning group is part of CheckPoint HR’s overall risk management process.
With the addition of the new vice president of operations, the business continuity planning group now
includes the Company’s CEO, CFO, CIO and vice president of operations. Risk management currently
rests with the office of the CFO with traditional recovery services residing with the office of the CIO.
Business continuity plans address the resumption of business processes and operational processing
functions. Plans typically include procedures concerning:
- Notification of essential staff, vendors, clients, customers, etc.
- Organizational recovery efforts
- Relocation of operating functions
- Priority of work to be performed
- Protection of data
- Lists of essential resources needed by the business unit
- Interrelationships of critical functions
- Restoration of records and files
- Essential resources for recovery/backup processing
In order to maintain the readiness of the contingency plans, CheckPoint HR has the following
requirements for the business units:
- Business units perform a validation of their business unit contingency plan at least annually. In addition, the plans are submitted to the office of the CFO.
- Business continuity plans for critical functions are validated in periodic recovery simulations. These are reviewed by internal random audits.
- The business continuity plans for key external service providers are examined periodically and where appropriate. Responsibility for this evaluation is assigned to the office of vendor management.
Summary
CheckPoint HR takes its obligation to use financially reasonable means to assure business continuity for
the Company and its clients very seriously. However, the foregoing does not constitute a representation
or warranty that certain events will not affect CheckPoint HR’s systems or that CheckPoint HR can
achieve specific recovery times in the event of a disruption. This document is intended only to provide
guidance as to CheckPoint HR’s recovery plans.