
MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
Defined Benefit and Defined Contribution Recordkeeping Operations System

DC and DB Plan Administration: Participant and Plan Administration and Maintenance


                Control Objective 2

                Controls provide reasonable assurance that changes to participant and plan level
                indicative data are authorized, and processed completely, accurately and timely.




Control 2.1

Controls Specified by MassMutual Business:
Participant enrollments received by mail, e-mail, or fax are reviewed by recordkeeping operations associates prior to data entry to determine whether they are in good order (e.g. complete and authorized). The data entered is reviewed against the form or documentation received for accuracy prior to release to PRS. If received in good order they are processed with an internal goal of 5 business days of receipt, not to exceed 10 business days. The review is evidenced by “Processed” or “Passed” status in AWD. (DC)

Testing Performed by KPMG LLP and Results of Tests:
Inspected enrollment documentation and AWD workflow status for a selection of Participants and determined that they were processed within 10 business days and the data entered was reviewed for authorization, completeness and accuracy by a recordkeeping operations associate prior to processing.
No Exceptions Noted.

Control 2.2

Controls Specified by MassMutual Business:
For electronic enrollments, Plan Sponsors must authenticate to the TRC using a unique ID (member ID) and password in order to submit a data file or eligible file authorizing participants for enrollment. (DC)

Testing Performed by KPMG LLP and Results of Tests:
Observed a member of the Production Support Team make a number of unsuccessful attempts to enter a User ID and noted that they were locked out.
Observed a member of the Production Support Team attempt to modify their password to the TRC plan sponsor portal several times using different password constructs and noted that minimum password length and structure were required.
Observed an access attempt to TRC by a Production Support Team member and noted that they were able to reset a Password and/or User ID after first correctly answering several participant knowledge security questions.
Inspected a system generated configuration for LDAP and determined that LDAP was configured with specific password settings including minimum password length, structure and expiration, and user ID lockout after a specified number of invalid logon attempts.
No Exceptions Noted.

MassMutual Defined Benefit and Defined Contribution Recordkeeping Operations System
Control Objectives, Related Controls and Tests of Operating Effectiveness