MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
Defined Benefit and Defined Contribution
Recordkeeping Operations System
| External Subservice Organization | Services Provided | Related Control Objectives | Complementary Subservice Organization Controls |
| --- | --- | --- | --- |
| Matrix | Matrix Trust Company is used for trust and investment services and is fully integrated with the MassMutual systems for newly onboarded Qualified & Non-Qualified DB plans. | Control Objective 1, DB Plan Administration: Plan Installation; Control Objective 4, DC and DB Plan Administration: Investment Asset Valuation; Control Objective 6, DB Plan Administration: Distributions and Payments; Control Objective 7, DB Plan Administration: Contributions; Control Objective 8, DB Plan Administration: Transfers | Matrix should have controls in place to ensure plan setup, distributions and payments, contributions and collections and plan investment transfers are authorized and processed completely, accurately and timely. Additionally, they should have controls in place over completeness and accuracy of trading and settlement transactions. |

All third party subservice organizations contracted by MassMutual undergo stringent review prior to
acceptance. Additionally, MassMutual obtains SOC 1® reports as available from subservice organizations
which are reviewed for control weaknesses that could potentially impact MassMutual’s business processing
and to identify any ‘complementary user entity’ controls identified by the subservice providers that
MassMutual may need to address to help ensure the successful achievement of the subservice provider’s
control objectives.
Where SOC 1® or similar attestations are not available, or the SOC 1® provided does not cover the
operations pertinent to MassMutual, MassMutual conducts appropriate periodic quality and due diligence
procedures.
The Enterprise Technology and Experience (ETX) organization provides the General Information Technology
Controls (GITC) system in support of the DB and DC recordkeeping systems used to support MassMutual
business operations. ETX should have controls over: documenting, authorizing, testing, approving and
implementing application changes; documenting, authorizing, testing, approving and implementing system
software changes; physical security and environmental protection of computer equipment and storage
media; provisioning, termination, and recertification of user access based upon job responsibilities; the
scheduling of production processing and system backups, and the identification and resolution of deviations
from the schedule; and the completion and security of data transmissions, and identification and resolution
of failures. While these GITCs are not addressed in this report, they may be found in the “Defined Benefit
and Defined Contribution Recordkeeping Operations General Information Technology Controls System
SOC 1® Report” for the period October 1, 2019 through September 30, 2020 which is available from
MassMutual. All control objectives in this report rely on ETX as a subservice provider as the application
controls within the business processes rely upon an effective GITC environment.
MassMutual Defined Benefit and Defined Contribution Recordkeeping Operations System
Description of the System Provided by MassMutual

