global compliance across the adp portfolio

Compliance in ADP Streamline

Upload: adp-llc

Post on 08-Jan-2017


Compliance in ADP Streamline

Contents

1. Introduction – the compliance environment in globalized markets

2. Compliance governance
2.1 Global compliance oversight
2.2 ADP Streamline’s compliance structure
2.3 Roles and responsibilities within ADP Streamline
2.4 Compliance management lifecycle & risk assessments
2.5 ADP Streamline’s service compliance: SOC 1 ISAE 3402 report

3. Partner management lifecycle
3.1 Partner selection & onboarding
3.1.1 Partner selection
3.1.2 Partner onboarding
3.2 Ongoing partner management
3.2.1 Regular service reviews & Key Performance Indicators
3.2.2 Executive business reviews
3.2.3 Training and support
3.2.4 Payroll Legislative Updates
3.2.5 Partner Anti-Bribery Compliance Program
3.3 Monitoring and audit
3.3.1 Financial Assessments
3.3.2 On-site Partner Audits

4. Our certifications and awards

Confidentiality

The information contained in this document is confidential, and remains the intellectual property of Automatic Data Processing, Inc. and/or its affiliates (“ADP Group”). This document must not be reproduced, stored in a retrieval system, or transmitted in any form by means electronic, mechanical, optical, photocopying, recording or otherwise, without the prior consent of the ADP Group.

This document must be kept strictly confidential at all times. It must not be disclosed to any person without the prior written consent of the ADP Group.

Compliance in ADP Streamline - January 2016

1. Introduction - the compliance environment in globalized markets

Global payroll executives state concerns over how to comply with mounting legal and regulatory requirements in a multijurisdictional environment as their single biggest worry [1].

Consider the complexity of global legislation, the vast differences in policies of individual countries’ governing bodies and the constantly evolving nature of the payroll-related regulatory landscape, and you can perhaps understand their apprehension. Without a doubt, the risks of non-compliance in today’s globalized marketplace have never been greater due to the increasing regulatory oversight. Breach an anti-bribery regulation or break a payroll-related law, and your company could face financial penalties, reputational damage, increased regulatory scrutiny and even criminal charges – the impact of which can imperil even the most sophisticated global business.

To be able to provide compliant HCM services and solutions to our clients, ADP must have an effective compliance program built on sound foundations and standards. The quality of our internal compliance controls directly affects the value of the services we deliver for our clients, as well as the engagement of our own associates.

Read on to learn more about how we manage compliance across the HCM products, services and solutions we deliver to our multinational clients.

[1] Global Payroll Survey 2014: One year on and closer to reality? Ernst & Young, 2014

Global footprint, local expertise

France DSN: Declarations to public social institutions have to be submitted electronically on a monthly basis

Russia Data Protection Law: Personal data have to be hosted in Russia

Brazil eSocial: Events resulting in tax obligations need to be notified electronically

Japan ‘My Number’: Employers have to collect employees’ personal ID numbers

(2015)


A strong compliance program, built on an organization’s values and principles, is the bedrock for creating a culture that is focused on outstanding quality and business outcomes.

2. Compliance governance

ADP’s ‘Code of Business Conduct and Ethics’ is the foundation upon which our compliance program is built. We review this Code on a regular basis and make it available in 18 languages so that ADP employees around the world can read it, understand it and put it into action. Complementing the Code of Business Conduct and Ethics are other company policies and procedures that outline responsibilities for compliance, including our Anti-Bribery Policy, Antitrust (Anti-Monopoly) Compliance Guide, and Global Privacy Policy among others.

Continuously reinforcing a compliance culture is an important aspect of our Compliance Program. We raise awareness across ADP through regular training and relevant publications to drive changes in behavior, reduce instances of wrongdoing and encourage open communication.

2.1 Global compliance oversight

ADP’s Global Compliance Office is responsible for the governance, strategies and initiatives of our company-wide Compliance Program. The Chief Compliance Officer and central team support risk assessment activities, provide tools, deliver corporate compliance communications and work to identify key risks across the entire ADP corporation.

2.2 ADP Streamline’s compliance structure

ADP teams, wherever they’re based in the world, know that from initial contact with clients through to implementation and then ongoing operations, compliance and integrity are embedded in all aspects of the work we do for the benefit of our global clients.

Each business unit within ADP has a formal compliance program and dedicated Compliance Leader. ADP Streamline’s compliance program, on which we collaborate closely with ADP’s Global Compliance Office, is tailored to business-specific compliance requirements, aligned with ADP’s global policies and practices.

2.3 Roles and responsibilities within ADP Streamline

ADP Streamline is part of ‘Global Enterprise Solutions’ – the part of ADP dedicated to serving multinational (MNC) clients’ HCM needs.

The Compliance Leader oversees a program that covers all of our global products, services and operations. Responsible for engraining compliance standards into all aspects of our daily work, the Compliance Leader advises senior management on how to mitigate compliance risks as well as designing and monitoring the processes we need in place across our business worldwide.

Our Compliance Leader also chairs the Compliance Committee, which meets monthly and is staffed by senior ADP professionals, including the General Manager. Overseeing compliance initiatives, committee members review the impact of regulatory developments and ensure that adequate internal policies, processes and controls are in place. They are also responsible for allocating the resources required to comply with the laws and regulations applicable to all ADP Streamline operations.

Compliance Committee members are not alone in this responsibility. They tap into the collective experience of subject matter experts from across the whole ADP organization, who work in sub-committees or working groups and develop and implement the compliance initiatives as directed by the Compliance Committee.

ADP Streamline has a dedicated Global Partner Network Department consisting of more than 40 professionals responsible for our network of local payroll partners. This team is based in our main hub offices in Barcelona, Singapore, São Paulo and Miami.

The Client Experience and Continuous Improvement team manages the framework for on-site audits as part of the Partner Assurance Program.

ADP’s Global Security Organization carries out on-site partner audits covering business governance, payroll and IT & security controls. These experts are responsible for the management of security incidents and other security-related areas.


2.4 Compliance management lifecycle & risk assessments

We carry out regular as well as ad hoc risk assessments of the ADP Streamline business in order to meet the requirements of the ever-evolving regulatory landscape. This is a formal process that leverages the experience and expertise of internal leaders and subject matter experts. Taking into account input from across the business, we then define a Compliance Enhancement Plan to be approved by the Compliance Committee based on the likelihood and magnitude of the potential impact on our business.

The Committee also monitors the progress of our compliance initiatives, reviews business escalations and new regulatory developments and allocates the required resources.

Top compliance priorities:


2.5 ADP Streamline’s service compliance: SOC 1 ISAE 3402 report

ADP Streamline has designed and implemented controls in order to ensure our central services are compliant with requirements set out by the US Sarbanes–Oxley Act (SOX) in order to prevent the risks associated with payroll management.

The main areas covered by our controls:

Applications change management
User management
Payroll production controls
Network controls (Vendor Management)
Physical access
IT infrastructure (IPC report)

Our internal controls are audited on an annual basis by one of the ‘Big Four’ audit firms, who assess the suitability of the design and operating effectiveness of the controls described in our control matrix and policies. The auditors review and certify our organization’s compliance with international assurance standard SOC 1-ISAE 3402 Type II, which includes how we execute our Partner Assurance Program.

The external auditor provides a report according to SOC 1 ISAE 3402 standards that is made available to clients upon request.


3. Partner management lifecycle

ADP’s obligation to ensure ethical and legal behavior doesn’t only apply to our own employees – it also extends to the activities of our agents, consultants and business partners who act on our behalf.

ADP Streamline has built a network of payroll partners covering more than 100 countries and territories (partnering with both ADP affiliates and external subcontractors). Each has been carefully selected as an expert provider in its local country, possessing a proven track record and normally at least 10 years’ payroll experience.

Our international network of payroll partners is crucial in helping to attain strategic business objectives while allowing us to offer our clients an enhanced service and in-depth knowledge of local payroll laws, rules and regulations.

However, the use of third parties also increases exposure to certain risks that can damage businesses – even those with the most sophisticated and carefully maintained processes. Some of these risks are inherent to the payroll processing itself, similar to the risks that would arise from ADP conducting this activity directly.

Naturally, many of our clients want to know exactly how we manage these risks.

ADP Streamline’s network of professional payroll partners must deliver payroll services of the highest standards, as defined in our subcontracting service agreement. Strong, centralized governance is at the heart of our relationship with our partners, with the objective that both parties benefit from a mutually successful, long-term business relationship.

Our Partner Assurance Program acts as a frame of reference for compliance with international standards and regulations such as the previously mentioned SOX, ISAE 3402 and information security standards ISO/IEC 27001:2013.

This program is positively received by our partner community; motivating and guiding them on how to reduce their level of risk when it comes to IT and security, payroll processing and business governance.

We apply this framework from the first moment that we begin to work with third-party vendors.


3.1 Partner selection and onboarding process

3.1.1 Partner Selection

Selecting ADP Streamline partners is a joint effort among the Global Partner Network Department, Global Security Organization and Compliance teams.

The initial phase of our partner selection process is carried out by ADP Streamline’s Global Partner Network Department, who identify and then vet prospective partners by means of an evaluation form. This questionnaire covers business characteristics (such as annual turnover, number of employees and total client base size) as well as detailed information on the firm’s experience in the payroll sector. At this stage, we also establish:

what accreditation the company has
its geographic coverage
its market position

We also review country risk (such as political, economic, criminal aspects, among others) to help make strategic business decisions regarding our payroll services.

Secondly, as part of this preliminary assessment, certified security experts from our Global Security Organization review the shortlist of candidates, evaluating the maturity of the companies’ IT and security.

Members of our Global Partner Network Department then visit the company’s offices, to evaluate whether the organization is suitable to be included on our selection shortlist.

Once a final candidate is selected, the Global Security Organization completes an on-site audit independently to further assess IT & security and issue an audit findings report, based on established scoring criteria.


Thirdly, in today’s tight regulatory environment, businesses must be able to demonstrate to clients and regulators that they know who they are dealing with. We must know the true background of all of our business associates – current and prospective – in order to meet compliance requirements, avoid regulatory fines and protect our reputation. To this end, our Compliance Leader carries out Due Diligence Screening on the company and its key personnel in order to manage reputational and regulatory counterparty risk in relation to:

Anti-Money Laundering (AML)
Organized Crime
Countering the Financing of Terrorism (CFT)
Corruption (Bribery)
War Crimes
Sanctions
Politically Exposed Persons (PEPs)

We use a risk intelligence tool which is considered the gold standard in PEPs monitoring, AML screening and financial crime control. Through its extensive negative media research it acts as an early warning system for hidden risk in business relationships – risk that compliance regulations could be breached or that our reputation could be threatened.

Financial stability assessments are another core component of our initial screening and ongoing monitoring process. We source reports from a trusted global credit reporting agency, which include analysis of the following areas (where available):

Financial statements
Bankruptcy probability factor
Company corporate data
Directorships and management team
Share capital structure, major shareholders
Check on bankruptcy filings, court judgments, debts collections, tax liens
Payment history

Based on all of the selection criteria described above, ADP Streamline’s senior leadership will take the final decision on whether an individual third-party vendor is ultimately selected as an ADP Streamline partner.

Our Legal team then finalizes the contract, making sure that the standard clauses are in place, including provisions for anti-bribery, data privacy and security. Once the contract is signed, the partner onboarding process begins.

3.1.2 Partner Onboarding

Constructing a mutually compliant partnership starts by training our third-party payroll experts on ADP Streamline’s Service Definition. This document is the core of clients’ contractual relationship with ADP Streamline, in which we establish the terms of the service we deliver to clients in all countries for which they have contracted our global payroll solution.

We also invest a considerable amount of time training new partners on ADP’s standards and control requirements; making sure partners fully understand our governance model and service delivery framework before we move on to operational training and the technicalities of systems integration.

3.2 Ongoing Partner management

ADP Streamline’s dedicated Global Partner Network Department has overall responsibility for our partner network, ensuring compliance and continuous improvement through a number of activities such as regular reviews, training and workshops.

Additionally, each year we take the opportunity to nurture our relationships with our partners in person through operational regional workshops and a separate Executive Convention. Through plenary sessions and interactive workshops, we discuss compliance best practices in payroll processing, aiming to raise standards and ensure operational consistency.

These and other activities are described in more detail in the following sections.


3.2.1 Regular service reviews & Key Performance Indicators

Partners have a dedicated Partner Manager, who conducts monthly and bi-monthly service reviews, covering the 23 Key Performance Indicators (KPIs) by which we assess our global payroll partners:

3.2.2 Executive business reviews

ADP Streamline Partner Executive Relationship Managers conduct semi-annual or annual executive business reviews with our partners’ senior leadership teams, covering topics such as:

Current business and the business growth forecast
High-level operational reviews
Compliance with our partner ‘pillars’ of service
On-site audit results
Service delivery performance
Strategic updates

3.2.3 Training and support

We provide training to our partners on payroll control requirements based on the SOC 1- ISAE 3402 framework, support on payroll platform migrations, and assistance on high-impact legislative changes affecting payroll processing operations.

We also operate a ‘Service Delivery Framework’ to help our local payroll partners develop a service organization that mirrors ADP’s own service standards. All of our partners’ operational managers and payroll specialists are required to complete the training and implement its takeaways in order to create a culture of high standards and continuous improvement.


3.2.4 Payroll Legislative Updates service

ADP Streamline’s network of local payroll experts possesses deep knowledge of fast-changing local laws, social security systems and tax regulations. At times, these can even differ by city and region, as well as by country.

Our partners around the world provide insights into new and changing payroll regulations in their particular territory, so that clients can stay abreast of breaking news on topics like employment tax, wage payments, working hours, tax credits, statutory leave and social security. Through the ‘MyStreamline’ portal, ADP Streamline clients can then access a centralized dashboard to filter the legislative updates by region, country and effective date.

This Payroll Legislative Updates service is a complementary service from ADP Streamline aimed at helping multinational clients achieve compliance.

3.2.5 Partner Anti-Bribery Compliance Program

Part of our partners’ contractual agreement with ADP Streamline relates to the Foreign Corrupt Practices Act. This is a US federal law that prohibits the bribery of foreign officials. Other countries around the world have similar legislation – the UK Bribery Act 2010, for example.

These laws extend beyond the act of bribery itself; making companies responsible for deliberately ignoring facts or circumstances that could make it likely for bribery to take place.

Our obligation to ensure ethical and legal behavior doesn’t only apply to our own associates – it also encompasses the activities of our agents, consultants and business partners who’re acting on our behalf.

Our anti-bribery program is in place to ensure that we and our network of partners are fully compliant and conducting business to the highest ethical standards. The program comprises:


3.3 Monitoring & Audit

3.3.1 Financial assessments

As described earlier under the partner selection process (section 3.1.1) financial assessments of our partners are completed on a regular basis to ensure that our business partners are in sound financial health and that the continuity of our service to clients is not compromised.

3.3.2 On-site partner audits

Professional auditors carry out on-site audits of our payroll partners, providing us with a direct means of detecting and, if need be, correcting, any compliance deficiencies.

Auditors periodically evaluate our partners’ practices, processes and policies to ensure compliance with the three modules of our comprehensive Partner Assurance Program: business governance, payroll process management and security, IT and data privacy. Partners must meet a minimum compliance maturity level within each one of these modules.


Partner Assurance Program - Modules


Within the business governance module, auditors will be looking for proof of partners’ Code of Ethics and Anti-bribery Policy, delivery of employees’ training & development, capacity management and insurance cover.

Assessing how partners manage the payroll process itself, auditors probe partners’ controls in implementing new ADP Streamline clients, and payroll processing in line with our Service Definition. They will also assess controls regarding partners’ timeliness in applying local legislative changes that impact payroll data and the accuracy of partners’ declarations to statutory authorities (such as tax and social security bodies).

Finally, partners must demonstrate the effectiveness of their information security procedures, in terms of organizational, technical and physical components. These checks are based on a selection of relevant controls from the ISO/IEC 27001:2013 framework.

For additional details on our Partner Assurance Program please ask your ADP Representative.

Remediation plans for real risk reduction

Partners’ senior management teams receive the audit report with an agreed action plan assessed against the required controls defined in our Partner Assurance Program. Over the ensuing months, ADP then follows up on all open findings to ensure that relevant remediation actions have been implemented, in order to reduce or eliminate identified weaknesses, improve and align key processes and reduce potential risk.

The MNC Senior Leadership has oversight of all audit results, with periodic reporting, and can use these insights as a strategic decision tool if required.

4. Our certifications and awards

In 2015, for the fifth year in a row, service auditors Ernst & Young certified ADP Streamline with the rigorous service control standard ‘Annual SOC 1 ISAE 3402 Type II (SAS 70)’. This endorsement of the control integrity of our payroll processing environment includes an independent assessment of our Partner Assurance Program, giving you confidence in ADP Streamline as a trustworthy and secure payroll provider.

Our Partner Assurance Program has also been recognized by two high-profile US security organizations. Firstly, it was named as one of the 50 prestigious CSO50 winners in the 2015 awards; an annual event that honors 50 organizations for security projects and initiatives that demonstrate outstanding business value and thought leadership.

This accolade was seconded by ISE Northeast, a well-known security organization in the US, which nominated the ADP Partner Assurance Program as being one of the best security projects delivering value to the business. This award recognizes information security executives for demonstrating outstanding leadership in risk management, data asset protection, regulatory compliance, privacy, and network security.

We hope that this document has given you a thorough understanding of the myriad aspects of compliance within ADP Streamline’s global payroll operations.

For further details on any of the information included here, please contact your Implementation Coordinator or Service Relationship Manager.

Disclaimer

The information provided in this document is for informational purposes. ADP reserves all proprietary rights to the information within this document. ADP assumes no responsibility for any technical or operational inaccuracies or typographical errors that may be contained herein. In no event will ADP be held responsible for direct, indirect, special, incidental, consequential or any other loss or damage caused by errors, omissions, misprints or misinterpretation of the information found in this publication.

ADP expressly disclaims any and all liability to any person, in respect of anything done or omitted, and the consequences of anything done or omitted, by any such person in reliance on the contents of this publication.

The contents published herein are subject to change at any time without notice. Photos and illustrations are for illustration purposes only.

Nothing herein shall constitute any representation by ADP of any affiliation between ADP and any company whose names, marks, products or icons are referred to or displayed herein.

About ADP

Employers around the world rely on ADP® (Nasdaq: ADP) for cloud-based solutions and services to help manage their most important asset – their people. From human resources and payroll to talent management and benefits administration, ADP brings unmatched depth and expertise in helping clients build a better workforce. A pioneer in Human Capital Management (HCM) and business process outsourcing, ADP serves more than 630,000 clients in more than 100 countries. ADP.com

To learn more about how ADP Streamline can help your company transform global payroll and HR, visit www.adp.com/streamline