Vertex Inc. 2019 SOC 1 Type 2 Report

Vertex, Inc.
c.
Cloud Indirect Tax and Premium Services, Hosted Online
Environment, Sales and Use Tax Returns Outsourcing
Services, and Indirect Tax Research System
In
– Report on Vertex’s Description of its Cloud Indirect Tax and Premium
Services, Hosted Online Environment, Sales and Use Tax Returns
Outsourcing Services, and Indirect Tax Research System and on the
x
Suitability of the Design and Operating Effectiveness of its Controls
te
– System and Organization Controls (SOC) – SOC 1 Type 2 Report
– For the period October 1, 2018 to September 30, 2019
er
lV
tia
en
fid
on
C
Confidential and Proprietary Information of Vertex, Inc.

c.
1. INDEPENDENT SERVICE AUDITOR'S REPORT................................... 1
In
2. VERTEX, INC.’S ASSERTION................................................................. 4
3. DESCRIPTION OF VERTEX, INC.’S CLOUD INDIRECT TAX AND
PREMIUM SERVICES, HOSTED ONLINE ENVIRONMENT, SALES
AND USE TAX RETURNS OUTSOURCING SERVICES, AND
INDIRECT TAX RESEARCH SYSTEM.................................................... 6
x
A. Overview of Vertex ........................................................................... 6
Contents B. Scope of the Description ................................................................... 6
te
C. Internal Control Framework .............................................................. 7
C1. Control Environment ................................................................ 8
C2. Risk Assessment ..................................................................... 9
er
C3. Monitoring Activities ................................................................ 9
C4. Information and Communication............................................ 10
C5. Control Activities .................................................................... 10
lV
D. Cloud Indirect Tax and Premium Services, Hosted Online
Environment, Sales and Use Tax Returns Outsourcing Services,
and Indirect Tax Research……….................................................. 10
E. Control Objectives and Related Controls ........................................ 15
F. Complementary Subservice Organization Controls ........................ 15
tia
G. Complementary User Entity Controls ............................................. 16

4. DESCRIPTION OF VERTEX INC.’S CONTROL OBJECTIVES AND
RELATED CONTROLS, AND BAKER TILLY’S DESCRIPTION OF
TESTS OF CONTROLS AND RESULTS............................................... 17
en
5. OTHER INFORMATION PROVIDED BY VERTEX, INC ....................... 43

fid
on
C

1. Independent Service Auditor's Report
To Vertex, Inc.:
Scope
c.
We have examined Vertex, Inc.'s (Vertex) description of its cloud indirect tax and premium services, hosted online
environment, sales and use tax returns outsourcing services, and indirect tax research system, entitled "Description
of Vertex, Inc.'s Cloud Indirect Tax and Premium Services, Hosted Online Environment, Sales and Use Tax Returns
Outsourcing Services, and Indirect Tax Research System" for processing user entities’ transactions throughout the
In
period October 1, 2018, to September 30, 2019 (description), and the suitability of the design and operating
effectiveness of controls included in the description to achieve the related control objectives stated in the description,
based on the criteria identified in "Vertex, Inc.'s Assertion" (assertion). The controls and control objectives included
in the description are those that management of Vertex believes are likely to be relevant to user entities' internal
control over financial reporting, and the description does not include those aspects of the cloud indirect tax and
x
premium services, hosted online environment, sales and use tax returns outsourcing services, and indirect tax
research system that are not likely to be relevant to user entities' internal control over financial reporting.
te
The information in Section 5, "Other Information Provided by Vertex, Inc.", is presented by management of Vertex to
provide additional information and is not a part of Vertex's description of its cloud indirect tax and premium services,
hosted online environment, sales and use tax returns outsourcing services, and indirect tax research system made
er
available to user entities during the period October 1, 2018, to September 30, 2019. Information about Vertex’s
Indirect and Payroll Tax products, bridge letter, business continuity program, third-party service provider’s data
center, and management’s response to exceptions identified in the report has not been subjected to procedures
applied in the examination of the description of the cloud indirect tax and premium services, hosted online
lV
environment, sales and use tax returns outsourcing services, and indirect tax research system and of the suitability
of the design and operating effectiveness of controls to achieve the related control objectives stated in the description
of the cloud indirect tax and premium services, hosted online environment, sales and use tax returns outsourcing
services, and indirect tax research system and, accordingly, we express no opinion on it.
tia
Vertex uses various subservice organizations to provide hosting services, network perimeter monitoring, and
connector development services. The description includes only the control objectives and related controls of Vertex
and excludes the control objectives and related controls of the subservice organizations. The description also
indicates that certain control objectives specified by Vertex can be achieved only if complementary subservice
organization controls assumed in the design of Vertex's controls are suitably designed and operating effectively,
en
along with the related controls at Vertex. Our examination did not extend to controls of the subservice organizations
and we have not evaluated the suitability of the design or operating effectiveness of such complementary subservice
organization controls.
The description indicates that certain control objectives specified in the description can be achieved only if
fid
complementary user entity controls assumed in the design of Vertex's controls are suitably designed and operating
effectively, along with related controls at the service organizations. Our examination did not extend to such
complementary user entity controls and we have not evaluated the suitability of the design or operating effectiveness
of such complementary user entity controls.
on
C

Service Organization's Responsibilities
In Section 2, Vertex has provided an assertion about the fairness of the presentation of the description and suitability
of the design and operating effectiveness of the controls to achieve the related control objectives stated in the
description. Vertex is responsible for preparing the description and its assertion, including the completeness,
accuracy, and method of presentation of the description and the assertion, providing the services covered by the
description, specifying the control objectives and stating them in the description, identifying the risks that threaten the
c.
achievement of the control objectives, selecting the criteria in the assertion, and designing, implementing, and
documenting controls that are suitably designed and operating effectively to achieve the related control objectives
stated in the description.
In
Service Auditor's Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability
of the design and operating effectiveness of the controls to achieve the related control objectives stated in the
x
description, based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
te
Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable
assurance about whether, in all material respects, based on the criteria in management’s assertion, the description
is fairly presented and the controls were suitably designed and operating effectively to achieve the related control
er
objectives stated in the description throughout the period October 1, 2018, to September 30, 2019. We believe that
the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
An examination of a description of a service organization's system and the suitability of the design and operating
effectiveness of controls involves:
lV
> Performing procedures to obtain evidence about the fairness of the presentation of the description and
the suitability of the design and operating effectiveness of the controls to achieve the related control
objectives stated in the description, based on the criteria in management’s assertion.
tia
> Assessing the risks that the description is not fairly presented and that the controls were not suitably
designed or operating effectively to achieve the related control objectives stated in the description.
> Testing the operating effectiveness of those controls that management considers necessary to provide
reasonable assurance that the related control objectives stated in the description were achieved.
en
> Evaluating the overall presentation of the description, suitability of the control objectives stated therein,
and suitability of the criteria specified by the service organization in its assertion.
fid
Inherent Limitations
The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit
and report on user entities’ financial statements and may not, therefore, include every aspect of the system that each
individual user entity may consider important in its own particular environment. Because of their nature, controls at a
on
service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions.
Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions
about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives,
is subject to the risk that controls at a service organization may become ineffective.
C
Description of Tests of Controls
The specific controls tested and the nature, timing, and results of those tests are listed in Section 4.

Opinion
In our opinion, in all material respects, based on the criteria described in Vertex's assertion,
> The description fairly presents the cloud indirect tax and premium services, hosted online environment,
c.
sales and use tax returns outsourcing services, and indirect tax research system that was designed and
implemented throughout the period October 1, 2018, to September 30, 2019.
> The controls related to the control objectives stated in the description were suitably designed to provide
In
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period October 1, 2018, to September 30, 2019, and the subservice organizations and
user entities applied the complementary controls assumed in the design of Vertex's controls throughout
the period October 1, 2018, to September 30, 2019.
x
> The controls operated effectively to provide reasonable assurance that the control objectives stated in the
description were achieved throughout the period October 1, 2018, to September 30, 2019, if
te
complementary subservice organization and user entity controls assumed in the design of Vertex's
controls operated effectively throughout the period October 1, 2018, to September 30, 2019.
er
Restricted Use
This report, including the description of tests of controls and results thereof in Section 4, is intended solely for the
information and use of Vertex, user entities of Vertex's cloud indirect tax and premium services, hosted online
lV
environment, sales and use tax returns outsourcing services, and indirect tax research system during some or all of
the period October 1, 2018, to September 30, 2019, and their auditors who audit and report on such user entities’
financial statements or internal control over financial reporting and have a sufficient understanding to consider it,
along with other information, including information about controls implemented by user entities themselves, when
assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be
and should not be used by anyone other than these specified parties.
tia
en
fid
Philadelphia, Pennsylvania
November 21, 2019
on
C

2. Vertex, Inc.’s Assertion
We have prepared the description of Vertex, Inc.’s (Vertex) cloud indirect tax and premium services, hosted online
environment, sales and use tax returns outsourcing services, and indirect tax research system entitled
c.
"Description of Vertex, Inc.'s Cloud Indirect Tax and Premium Services, Hosted Online Environment, Sales and
Use Tax Returns Outsourcing Services, and Indirect Tax Research System," for processing user entities'
transactions throughout the period of October 1, 2018, to September 30, 2019 (description) for user entities of
In
the system during some or all of the period October 1, 2018, to September 30, 2019, and their auditors who audit
and report on such user entities' financial statements or internal control over financial reporting and have a
sufficient understanding to consider it, along with other information, including information about controls
implemented by the subservice organizations and user entities of the system themselves, when assessing the
risks of material misstatements of user entities' financial statements.
x
Vertex uses various subservice organizations to provide hosting services, network perimeter monitoring, and
connector development services. The description includes only the control objectives and related controls of
te
Vertex and excludes the control objectives and related controls of the subservice organizations. The description
also indicates that certain control objectives specified by Vertex can be achieved only if complementary
subservice controls assumed in the design of Vertex’s controls are suitably designed and operating effectively,
along with the related controls at Vertex. The description does not extend to controls of the subservice
er
organizations.
The description indicates that certain control objectives specified in the description can be achieved only if
complementary user entity controls assumed in the design of Vertex's controls are suitably designed and
lV
operating effectively, along with related controls at Vertex. The description does not extend to controls of the user
entities.
We confirm, to the best of our knowledge and belief, that:

tia
a. The description fairly presents the cloud indirect tax and premium services, hosted online environment,
sales and use tax returns outsourcing services, and indirect tax research system made available to user
entities of the system during some or all of the period October 1, 2018, to September 30, 2019, for
processing user entities' transactions as it relates to controls that are likely to be relevant to user entities'
internal control over financial reporting.
en
The criteria we used in making this assertion were that the description:
i. Presents how the cloud indirect tax and premium services, hosted online environment, sales and
use tax returns outsourcing services, and indirect tax research system made available to user
entities of the system was designed and implemented to process relevant transactions, including,
fid
if applicable,
(1) The types of services provided, including, as appropriate, the classes of transactions
processed.
on
(2) The procedures, within both automated and manual systems, by which services are
provided, including, as appropriate, procedures by which transactions are initiated,
authorized, recorded, processed, corrected as necessary, and transferred to the reports
and other information prepared for user entities of the system.
C
(3) The information used in the performance of the procedures, including, if applicable, related
accounting records, whether electronic or manual, and supporting information involved
in initiating, authorizing, recording, processing, and reporting transactions; this includes
the correction of incorrect information and how information is transferred to the reports
and other information prepared for user entities.
4

(4) How the system captures and addresses significant events and conditions, other than
transactions.
(5) The process used to prepare reports or other information provided to user entities.
c.
(6) Services performed by a subservice organization, if any, including whether the inclusive
method or the carve-out method has been used in relation to them.
(7) The specified control objectives and controls designed to achieve those objectives
In
including, as applicable, complementary user entity controls contemplated in the design
of the service organization's controls.
(8) Other aspects of our control environment, risk assessment process, information and
communications (including the related business processes), control activities, and
x
monitoring activities that are relevant to the services provided.
te
ii. Includes relevant details of changes to the service organization's system during the period
covered by the description.
iii. Does not omit or distort information relevant to the service organization's system, while
er
acknowledging that the description is prepared to meet the common needs of a broad range of
user entities of the system and their user auditors and may not, therefore, include every aspect
of the cloud indirect tax and premium services, hosted online environment, sales and use tax
returns outsourcing services, and indirect tax research system that each individual user entity of
lV
the system and its auditor may consider important in its own particular environment.
b. The controls related to the control objectives stated in the description were suitably designed and
operating effectively throughout the period October 1, 2018, to September 30, 2019, to achieve those
control objectives if the subservice organizations and user entities applied the complementary controls
assumed in the design of Vertex's controls throughout the period October 01, 2018, to September 30,
tia
2019. The criteria we used in making this assertion were that:
i. The risks that threaten the achievement of the control objectives stated in the description have
been identified by management of the service organization.
en
ii. The controls identified in the description would, if operating effectively, provide reasonable
assurance that those risks would not prevent the control objectives stated in the description from
being achieved.
iii. The controls were consistently applied as designed, including whether manual controls were
fid
applied by individuals who have the appropriate competence and authority.

on
C

3. Description of Vertex, Inc.’s Cloud Indirect Tax and Premium
Services, Hosted Online Environment, Sales and Use Tax Returns
Outsourcing Services, and Indirect Tax Research System
c.
A. Overview of Vertex
Founded in 1978, Vertex, Inc. (“Vertex” or “Company”) is a leading provider of tax technology and services to
In
automate and integrate tax processes while leveraging advanced and predictive analytics of tax data. Vertex
provides cloud-based and on-premise tax solutions that can be tailored to any size customer or specific industries
for most lines of business tax. Vertex also provides sales and use tax return outsourcing services which allow
companies to outsource sales and use tax return preparation and manage exemption certificates.
x
Vertex is a privately held company that employs over 1000 professionals across the globe. It is headquartered
in King of Prussia, Pennsylvania with additional offices in Sarasota, Florida, Naperville, Illinois, London, UK,
te
Amsterdam, The Netherlands, Frankfurt, Germany, Stockholm, Sweden, Chennai, India, Cork, Ireland and São
Paulo, Brazil.
er
B. Scope of the Description
This description addresses only Vertex’s cloud indirect tax and premium services, hosted online environment,
sales and use tax returns outsourcing services, and indirect tax research system provided to user entities and
lV
excludes other services provided by Vertex. The description is intended to provide information for user entities of
the cloud indirect tax and premium services hosted online environment, sales and use tax returns outsourcing
services, and indirect tax research system and their independent auditors who audit and report on such user
entities’ financial statements or internal control over financial reporting. It is to be used in obtaining an
understanding of the services and system, and the internal business and IT general controls over that system
tia
that are likely to be relevant to user entities.
Vertex uses subservice organizations, Amazon Web Services, Equinix, Flexential (for the period October 1, 2018
through August 30, 2019), Alert Logic, and various connector developers, to provide hosting services, network
perimeter monitoring, and connector development services, respectively. The description includes only the control
en
objectives and related controls of Vertex and excludes the control objectives and related controls of the subservice
organizations.
As of August 31, 2019, hosting of the Hosted Online Environment was moved from Flexential to Amazon Web
Services.
fid
on
C

The scope of products and services covered in this report includes:
• Vertex Cloud Indirect and Premium Services
• Vertex Indirect Tax O Series On-Demand
• Vertex Indirect Tax Returns On-Demand
•
c.
Vertex Payroll Tax On-Demand
• Vertex Reporting & Analysis On-Demand
• Vertex Sales & Use Tax Return Outsourcing Services
• Vertex Sales & Use Tax Returns Outsourcing Services Portal
In
• Vertex Indirect O Series On Premise Solutions
• Vertex Sales Tax Q Series On Premise Solutions
• Vertex Sales Tax L Series On Premise Solutions
• Vertex Indirect Tax Returns North America and Vertex Indirect Tax Returns Global On Premise Solution
• Vertex Communications Tax Q Series and Vertex Communications Tax L Series On Premise Solution
x
• Vertex Exemption Certificate Manager On Premise Solution
• Vertex Indirect Tax Reporting & Analysis On Premise Solution
te
• Vertex Sales Tax RateLocator
• Vertex Sales Tax Rate File
• Taxability Mapping Tool (“TMT”)
•
er
Vertex Payroll Tax Q Series On Premise Solution.
C. Internal Control Framework

lV
The interrelated components of control establish the foundation for sound internal control within the Company
through directed leadership, shared values and a culture that emphasizes accountability for control. Control
activities and other mechanisms are proactively designed to address and mitigate significant risks. Information
critical to identifying risks and meeting business objectives is communicated through established channels up,
down and across the company. The system of internal control is monitored continuously, and problems are
tia
addressed timely.
At Vertex, the internal control framework for financial reporting is based upon the standards identified by the
Committee on Sponsoring Organizations of the Treadway Commission (COSO) and is affected by Vertex’s Board
of Directors, executive management and other personnel. It consists of five components to support the
en
achievement of Vertex’s business objectives.
1. Control Environment – The control environment includes the Board of Directors, Audit Committee and
organizational structure. It also includes the governance structure, human resources policies and
fid
procedures, integrity and ethical values that establish the culture of Vertex and set the tone for how Vertex
operates.
2. Risk Assessment – The Risk Assessment process at Vertex consists of establishing business objectives,
risk identification and analysis, and planned remediation activities that are addressed through the Change
on
Management Process.
3. Monitoring Activities – The control processes implemented are monitored to evaluate the ongoing
effectiveness of the internal controls. Separate evaluations are made to identify reporting deficiencies.
C
4. Information and Communication – The information and communications standards are affected to protect
the integrity of the information and the effectiveness of communications that support the systems covered
by this report.

5. Control Activities – Control activities consist of the policies and procedures that guide financial reporting,
security activities that support applications, and the network, application change management, business
continuity and outsourcing. They are established and executed to support the achievement of business
objectives.
c.
C1. Control Environment
The control environment at Vertex is the foundation for the other components of the Internal Control Framework.
In
It embodies the tone at the top of the organization and the emphasis on integrity in establishing processes and
systems that support Vertex’s ability to provide the products and services to its customers. It incorporates a
governance structure designed to ensure appropriate oversight, an architecture focused on protecting customer
information and internal controls that provide standardized processes designed to protect business assets.
x
The following are the primary elements of Vertex’s control environment:
te
Tone at the Top
The control environment at Vertex begins at the highest level of the Company. Vertex’s Board of Directors and
er
senior management play an important role in setting the core values and tone at the top. The Company Standards
of Conduct establish the guiding principles which are based upon industry best practices, and are communicated
to employees upon hire and available at all times in the Employee Handbook. A structured onboarding process
is followed to provide new hires with the information necessary to be effective in Vertex’s established culture of
lV
strong values and high standards.
The Vertex Organizational Model
The Vertex Organizational Model consists of the Board of Directors that provide oversight to the Chief Executive
tia
Officer (CEO) and Executive Leadership Team. A Strategic Leadership Team develops the strategy and specific
business objectives for operational leadership who execute on those objectives. The Company is divided into
four divisions organized around the product to market life cycle. The executive and strategic leadership teams
provide corporate oversight and report to the Board of Directors.
en
The organizational structure assigns roles and responsibilities to promote adequate staffing, efficient operations
and segregation of duties. Senior management reflects the overall attitude which emphasizes the importance of
internal control and the policies, procedures, methods, and organization structure that support them. The control
environment influences the manner in which Vertex’s business activities are structured, objectives are
established, and risks are assessed and managed.
fid
Ethical Culture
Vertex employs a culture where business is conducted in compliance with all applicable laws and regulations and
on
operates under the fundamental principles of integrity and ethical behavior. The Board of Directors and senior
management believe there is no conflict or inconsistency between good business and good ethics. The Company
best serves its customers, its stakeholders and itself by adhering to the highest standards of ethical behavior and
maintaining an environment that is fair, open and honest. Integrity and ethical values are essential elements that
impact one of Vertex’s most valuable assets, its reputation. Vertex expects all its employees, contractors and
C
affiliates to adhere to its Standards of Conduct and reinforces this requirement through signed agreements,
training and implementing policies that address specific areas of potential conflict.

C2. Risk Assessment
Vertex maintains a formal risk assessment process to identify, assess, manage and report on key risks to the
provision of the products and services covered by this report. The process is affected by senior management in
conjunction with the strategic leadership team to confirm that key risks that have the potential to impede meeting
c.
its objectives are identified, thoroughly analyzed, managed, monitored and reported to all key stakeholders. The
following provides a description of each phase of the process.
In
1. Identification – key stakeholders provide input on the risks to the processes that support the
delivery and provision of services to user entities. This includes the definition of the risks that could
prevent achievement of the critical business objectives for the provision of products and services.
2. Assessment – key stakeholders evaluate the impact and likelihood of a risk occurring as well as
x
the effectiveness of the controls in place to mitigate the risk. This process allows for prioritization
of risks to be managed.
te
3. Management – the management phase of the risk assessment process allows for the evaluation
of acceptable levels of risk and for a determination of the appropriate response to the risk.
Remediation activities are determined, and ownership of the response is assigned with target
er
implementation dates established.
4. Monitoring – identified risks are periodically reviewed to ensure they remain relevant and to
lV
reprioritize based upon operational and environmental factors.
5. Reporting – periodic reporting of risks is provided to operational and executive management for
visibility and to inform the decision-making process.
tia
C3. Monitoring Activities
Vertex’s management and supervisory personnel are responsible for monitoring the functioning of the internal
controls that support the products and services covered by this report. The assignment of these responsibilities
is segregated from the performance of the controls for independence and to preserve the integrity of the controls.
en
Monitoring of Subservice Organizations
Third party service providers are also monitored for compliance with contracted service provisions and
fid
consistency with Vertex control standards. This monitoring includes obtaining audited reports on System and
Organization Controls, as applicable, review of financial viability, identification of pending legal action and other
procedures as deemed necessary for adequate supervision of the provided services.
Vertex uses subservice organizations to provide hosting services, network perimeter monitoring, and connector
on
development services. Vertex reviews the SOC 1® type 2 and/or SOC 2® type 2 report of Amazon Web Services,
Equinix, Flexential, and Alert Logic on an annual basis. Through its daily operational activities, management of
Vertex monitors services performed by the subservice providers to help determine that operations and controls
expected to be implemented at the subservice organizations are functioning effectively.
C

C4. Information and Communication
Vertex is committed to maintaining effective communication of expectations and responsibilities to all personnel
to help align business goals with operating performance. Information from both inside and outside the
organization is used to guide strategic and tactical decision-making and to measure performance. Company
c.
management has focused on establishing multiple formats and channels of internal and external communications
to help employees understand their individual roles and responsibilities and to communicate significant events in
a timely manner. These methods include orientation and training programs for newly hired employees; regular All
In
Hands meetings for updates on business performance and other matters, and electronic messages such as
videos, electronic mail messages, and the posting of information via Vertex’s intranet. Vertex’s company intranet
provides a resource for the Standards of Conduct Handbook, Human Resources policies and procedures,
operational policies and procedures, product information and contracts, and information on how to report issues
of concern.
x
C5. Control Activities
te
Vertex has developed control objectives and corresponding control activities to define how risks are mitigated in
meeting the objectives. These control activities help provide assurance that Vertex products and services are
administered in accordance with established policies and procedures.
er
The control activities are performed at a variety of levels throughout the Company and at various stages during
the relevant business process. Controls may be preventive or detective in nature and may encompass a range
of manual and automated controls, including authorizations, reconciliations, and IT controls.
lV
A formal program is in place to review and update Vertex’s policies and procedures on a periodic basis. Any
changes to the policies and procedures are reviewed and approved by management and communicated to
employees.
tia
Vertex maintains physically and logically separate environments for its corporate and customer networks as the
backbone for building effective controls.
D. Cloud Indirect Tax and Premium Services, Hosted Online Environment, Sales and Use
en
Tax Returns Outsourcing Services, and Indirect Tax Research

Overview of Services Provided
1. Vertex® Cloud Indirect Tax and Premium Services Tax Solution (Control Objective 1, Control
fid
Objective 2, Control Objective 4, and Control Objective 5) and Premium Services (Control
Objective 7 and Control Objective 8)
Vertex Cloud Indirect Tax and Premium Services is a software as a service (SaaS) sales and use tax automation
solution including calculation and returns. Vertex Cloud offers multiple service levels and flexible pricing models,
on
meeting the needs of businesses of all sizes. The solution is built upon Vertex Inc.’s more than 35 years of tax
expertise and position as a leading provider of corporate tax software and services. With Vertex Cloud Indirect
Tax and Premium Services, businesses can realize the benefits of performing sales and use tax processes on
an advanced calculation and returns software platform. The solution is available for use as a stand-alone solution
or integrated directly with ERPs and ecommerce platforms. From tax calculations, and signature-ready PDF
C
returns to outsourcing services that include returns filing and payment processing, Vertex Cloud Indirect Tax and
Premium Services provides a proven and reliable solution for businesses looking to save time, effort, and risk
associated with sales and use tax calculation, returns, remittance, and compliance.
10

Vertex Cloud Indirect Tax and Premium Services uses a cloud- based subservice provider to provide
infrastructure for the Vertex Cloud Indirect Tax and Premium Services system. The primary infrastructure is
Windows-based with Linux-based load balancing and SQL databases.
In addition, customers can build “connectors” to electronically interface with the Vertex Cloud Indirect Tax and
c.
Premium Services system. Integrations with widely used applications and ERP systems are available as follows:
- Oracle applications including NetSuite and Oracle Cloud
In
- SAP applications including Business by Design, S/4 HANA Cloud and Hybris
- Microsoft applications including Microsoft Dynamics AC and GP
- Salesforce products
- Workday
- Magento
x
Vertex Cloud Indirect Tax and Premium Services offers three levels of service: Standard, Professional, and
Premium
te
• Standard: The Standard service offering provides basic rates and tax calculations (Control Objective 1,
Control Objective 2, Control Objective 4, and Control Objective 5).
•
er
Professional: The Professional service offering performs tax calculations and optionally provides
signature ready PDF returns (Control Objective 1, Control Objective 2, Control Objective 4, and Control
Objective 5).
• Premium: The Premium level of Vertex Cloud Indirect Tax and Premium Services offers all of the
lV
services included in the Professional level, as well as the benefit of return filing and payment remittance
services, providing users with a complete sales and use tax management system, from tax calculation
to payment remittance (Control Objective 1, Control Objective 2, Control Objective 4, Control Objective
5, Control Objective 7, and Control Objective 8).
tia
2. Hosted Online Environment (Control Objective 1, Control Objective 2, Control Objective 4, and
Control Objective 5)
Vertex provides hosted solutions and services that are made available to customers to access through the Internet
with operations located in Sarasota, Florida (Sarasota) and King of Prussia, Pennsylvania (King of Prussia).
en
The hosted online operations are managed and administered by two teams; 1) the Online Technical team in
Sarasota, and 2) the IT Infrastructure team in King of Prussia. The Hosted Online Environment is divided between
Sarasota operations support and the off-site, data center hosting site (the “Data Center”), owned and operated
by an independent service provider under contract to Vertex. The online environment includes the Vertex-hosted
fid
services for all the On-Demand Products.
The Online Technical team provides full system administration support for the Hosted Online Environment. The
team is comprised of IT engineering administrators and reports to the Cloud Technical Director. The team is
responsible for application and server security administration, backup and recovery, application updates, system
on
performance monitoring, system availability monitoring, and issue resolution.
The IT Infrastructure team, comprised of information technology and data-center engineers, supports the
infrastructure of the Hosted Online Environment. They perform hardware and software installations and upgrades
relating to the online infrastructure including network layer management and security. The majority of the working
C
hardware for the online environment is physically housed at the data center. This includes the Vertex-owned and
maintained application servers, database servers and web servers. The data center host provides physical
security for the site, Internet access, power supply services, environmental control services, and data retention
services.
11

Workstations for systems administration, maintenance, and monitoring are located in Sarasota and King of
Prussia and are connected to the online environment. Additionally, Sarasota houses the staging area for systems
and applications testing.
The following products and portals (collectively the “Hosted Products”) are covered by the Hosted and Online
c.
Operations:
Vertex® Indirect Tax O Series® On- The Vertex Indirect Tax O Series On-Demand product provides
In
Demand anytime/anywhere access to the Vertex sales and use tax
system without an extensive on premise installation. Vertex
handles all the ongoing data updates, system upgrades, and
patches. Vertex O Series On-Demand addresses user, system,
and data security requirements with isolated databases for each
customer.
x
Vertex® Indirect Tax Returns On-Demand The Vertex Indirect Tax Returns On-Demand product provides
anytime/anywhere access to Vertex’s North America and Global
te
tax returns system without an extensive on premise installation.
Vertex handles all the ongoing data updates, system upgrades,
back-ups and patches. Vertex Indirect Tax Returns On-
Demand addresses user, system, and data security
er
requirements with isolated databases for each customer.
Vertex® Sales & Use Tax Returns The Vertex Sales & Use Tax Returns Outsourcing Services
Outsourcing Services Portal Portal (“Returns Portal”) offers a set of secured, web-based
transmission and storage services that provide a single point of
lV
contact for managing the activities related to interacting with
Vertex’s Sales and Use Tax Returns Outsourcing Services
clients. These services include receiving client tax transaction
data, preparing returns, posting electronic versions of sales and
use tax returns for review and approval by the client, and the
tia
posting of tax notices received from taxing authorities and

processing reports from Vertex. The Returns Portal is available
to registered Vertex Sales and Use Tax Returns Outsourcing
Services customers via the Internet on a secured website
hosted and managed by Vertex.
en
Vertex Payroll Tax On-Demand Vertex Payroll Tax On-Demand is a hosted, SaaS based
solution offering an alternative to the Payroll Tax Q Series on
premise solution. Gross to net tax calculation is available for the
US and Canada, without the need to host the application or
apply program and data updates.
fid
Vertex Indirect Tax Reporting & Analysis This product provides standard and customer reporting to
support compliance, audit, reconciliations, and tax strategy
planning.
on
3. Vertex® Sales & Use Tax Returns Outsourcing Services (Control Objective 7 and Control
Objective 8)
Vertex ® Sales & Use Tax Returns Outsourcing Services provides full-service outsourcing of the compliance
tasks, which includes returns preparation and filling, payments to taxing jurisdictions, and management of notices
C
and registrations. The work is completed in the United States. Each client is assigned a dedicated tax processing
specialist who serves as the single point of contact. These tax processing specialists handle tax compliance tasks
as well as necessary communication with taxing authorities.
12

Vertex accepts tax data in various formats from multiple tax calculation and/or host financial systems. Each
client’s data is segregated and protected, and every client has 24/7 access to their data via the Vertex Sales &
Use Tax Returns Outsourcing Services Portal (“Returns Portal”). The Returns Portal allows for secure data and
document transfer each month. An easy-to-use interface provides clients anytime/anywhere visibility into the
status of their returns (including approvals), and complete visibility into their tax data, filing confirmations, reports,
c.
notices, and all communications with tax authorities associated with their fillings and registrations.
Along with returns processing, Vertex offers complete payment services. Each client has a separate (domestic)
bank account so client funds are not co-mingled. Detailed reports are posted monthly to the Returns Portal to
In
support the tax liability funding requests. Funds can be transferred via wire, ACH debit, or ACH credit. Vertex
provides a monthly reconciliation of all funds requested and received. From the Returns Portal, users can access
monthly reports to help stay in control of the tax compliance process.
• The Tax Calendar Report provides a breakdown by filing entity and jurisdiction of the returns filed for that
x
given period. It also details net tax due and the amount of funds to be transferred.
• The Reconciliation Report breaks down by filing entity and jurisdiction the data being used to file the
te
returns, including discounts, rounding, credits, and carryforward amounts.
• The 13-Month Trend Analysis Report gives a high-level look at the gross tax broken out by filing entity
and jurisdiction.
er
4. Indirect Tax Research (Control Objective 6)
Vertex’s Tax Research Center maintains global operations that supplies tax data for the U.S. and Canadian sales
lV
tax, use tax, communications tax, payroll tax products and for the value-added tax product which support, in full
or part of 120+ countries and territories, including Latin America, Brazil, China, the European Union, and India.
The Tax Research Center has a variety of processes in place to provide reasonable assurance that Vertex
reviews and monitors information sources for changes in tax rates, regulations, and interpretation, and identifies
or implements the corresponding system changes, through system changes and monthly updates, accurately,
completely, and timely.
tia
This data includes tax rates, tax jurisdiction information, tax jurisdiction identification, taxability determinations,
and tax forms. The Tax Research Center consists of approximately 80 individuals who monitor legislation for
changes and update the Vertex tax databases with these changes. These tax databases are consistently updated
en
on a monthly basis, or more frequently when necessary.
The Tax Research Center is arranged into three distinct groups. The groups consist of the following: North
America Indirect Tax, Global Returns and International Indirect Tax and Payroll. Each group has deep subject
matter expertise to support key content or data verticals. These groups oversee the acquisition and updates of
rates, taxing/boundaries/jurisdictions, domestic and international transaction tax research, domestic and
fid
international tax returns, communications tax, and payroll tax.
Summarized below are the products covered by the Vertex’s Indirect Tax Research Controls:
on
Vertex Indirect Tax Solutions (On Premise)
Vertex solutions for corporate indirect tax consist of calculation and compliance software to manage U.S. sales
and use tax, value-added tax, communications tax, leasing tax, and payroll tax. Various versions of these
solutions are available to meet the needs of customers’ IT environments. These products include:
C
13

Vertex® Indirect Tax O Series® This product enables a customer to license content for U.S. sales tax,
consumer use tax, value added tax, and/or communications tax according
to their needs. There is also a product for retail, hospitality and leasing tax
management.
Vertex® Sales Tax Q Series® and Vertex® These two products enable a customer to license content for U.S. sales
c.
Sales Tax L Series® tax and consumer use tax.
Vertex® Indirect Tax Returns North America These products enable a customer to license content for U.S. sales tax
and Vertex® Indirect Tax Returns Global returns, U.S. consumer use tax returns, and/or value added tax returns for
In
a specific list of countries.
Vertex® Communications Tax Q Series® and These two products provide rules, rates, and calculation of U.S.
Vertex® Communications Tax L Series® communication taxes.
Vertex Indirect Tax Reporting & Analysis This product provides standard and custom reporting to support
compliance, audit, reconciliations, and tax strategy planning.
x
Vertex® Sales Tax RateLocator This product provides rates, rules, and other information. There is no
(“RateLocator”) Reference Product calculation component of this product.
te
Vertex Exemption Certificate Manager This product provides a digital repository for sales and use tax exemption,
resale, and direct pay certificates.
The Sales Tax Rate File Product This product provides rates, rules and other jurisdictional information.
er
There is no calculation component of this product.
Taxability Mapping Tool (“TMT”) Provides pre-defined taxability rules that map product and/or material
codes for taxability determination by jurisdiction used in conjunction with
the Q series solution.
lV
Vertex® Payroll Tax Q Series® This product provides content and calculation for payroll tax.
5. Key Reports Provided to User Entities (Control Objective 4, Control Objective 6, Control
Objective 7, and Control Objective 8)
tia
Vertex provides a variety of key reports related to user entities internal controls over financial reporting. These
key reports include:
Vertex® Cloud Indirect Tax and Premium Services Tax Solution

• Funding Report
en
Vertex® Indirect Tax O Series® On-Demand and Vertex® Indirect Tax O Series®
• Summary of Change (SOC) Reports- Includes every change made in that month’s update.
fid
Vertex® Indirect Tax Returns On-Demand, Vertex® Indirect Tax Returns North America and Vertex® Indirect
Tax Returns Global
• Unassigned Tax Data Import Report
• Tax Summary Report by State
on
• Credit History Report
Vertex® Sales & Use Tax Returns Outsourcing Services

• Client Tax Calendar Report
C
• Client Tax Reconciliation Report

• The 13-Month Trend Analysis Report
Vertex Payroll Tax On-Demand and Vertex® Payroll Tax Q Series®

14

E. Control Objectives and Related Controls
Vertex has specified the controls objectives and identified the controls that are designed to achieve the related
control objectives. The specified control objectives, related controls, and complementary user entity controls are
c.
presented in Section 4, and are an integral component of Vertex’s description of its Cloud Indirect Tax and
Premium Services, Hosted Online Environment, Sales and Use Tax Returns Outsourcing Services, and Indirect
Tax Research System.
In
F. Complementary Subservice Organization Controls
Vertex’s controls related to the cloud indirect tax and premium services, hosted online environment, sales and
use tax returns outsourcing services, and indirect tax research system cover only a portion of overall internal
x
control for each user entity of Vertex. It is not feasible for the control objectives related to Vertex’s cloud indirect
tax and premium services, hosted online environment, sales and use tax returns outsourcing services, and
indirect tax research system to be achieved solely by Vertex. Therefore, each user entity’s internal control over
te
financial reporting must be evaluated in conjunction with Vertex’s controls and the related tests and results
described in Section 4 of this report, taking into account the related complementary subservice organization
controls expected to be implemented at the subservice organizations as described below.
er
Complementary Subservice Organization Controls Related Control Objective (CO)
Flexential, Inc. (for the period October 1, 2018 through August 30, 2019) is CO1, CO3, and CO4
lV
responsible for providing a physical data center for hosted systems to reside in,
systems hosting, physical security over hosted infrastructure within the data
center, data storage, and business continuity solutions in the event of an
outage, all in conjunction with the hosted online environment and sales and use
tax returns outsourcing services.
tia
Amazon Web Services is responsible for cloud and infrastructure for logical and CO1, CO3, and CO4
physical hosting of systems upon which the Vertex cloud indirect tax and
premium services are hosted, and for the period September 1, 2019 through
September 30, 2019 Amazon Web Services is responsible for hosting the Vertex
Hosted Online Environment.
en
Equinix, Inc is responsible for providing colocation, power, the intranet transport CO3
and housing of network infrastructure/connectivity.
fid
AlertLogic, Inc. is responsible for monitoring the Vertex network perimeter for CO2
unusual activity.
Various connector developers are responsible for providing connector CO4

development to the extent that the Vertex cloud indirect tax and premium
on
services utilizes connectors within the platform.

C
15

G. Complementary User Entity Controls
Vertex’s controls related to the cloud indirect tax and premium services, hosted online environment, sales and
use tax returns outsourcing services, and indirect tax research system cover only a portion of internal control for
c.
each user entity of Vertex. It is not feasible for the control objectives related to cloud indirect tax and premium
services, hosted online environment, sales and use tax returns outsourcing services, and indirect tax research
system to be achieved solely by Vertex. Therefore, each user entity’s internal control over financial reporting
should be evaluated in conjunction with Vertex’s controls and the related tests and results described in Section 4
In
of this report, taking into account the related complementary user entity controls identified under each control
objective, where applicable. In order for user entities to rely on the controls reported on herein, each user entity
must evaluate its own internal control to determine whether the identified complementary user entity controls have
been implemented and are operating effectively.
x
te
er
lV
tia
en
fid
on
C
16

c.
4. Description of Vertex, Inc.’s Control Objectives and Related Controls, and Baker Tilly’s
In
Description of Tests of Controls and Results
Information Provided by Baker Tilly
x
This report, when combined with an understanding of the controls at user entities, is intended to assist auditors in planning the audit of user
entities’ financial statements or user entities’ internal control over financial reporting and in assessing control risk for assertions in user
entities’ financial statements that may be affected by controls at Vertex.
te
Our examination was limited to the control objectives and related controls specified by Vertex in sections 3 and 4 of the report, and did not
extend to controls in effect at user entities or subservice providers.
er
It is the responsibility of each user entity and its independent auditor to evaluate the information in conjunction with the evaluation of internal
control over financial reporting at the user entity in order to assess total internal control. If internal control is not effective at user entities,
Vertex’s controls may not compensate for such weaknesses.
lV
Vertex’s internal control represents the collective effect of various factors on establishing or enhancing the effectiveness of the controls
specified by Vertex. In planning the nature, timing, and extent of our testing of the controls to achieve the control objectives specified by
Vertex, we considered aspects of Vertex’s control environment, risk assessment process, monitoring activities, and information and
communications.
tia
The following table clarifies certain terms used in this section to describe the nature of the tests performed:
Type of Test Description

en
Inquiry Inquiry of appropriate personnel and corroboration with management
Observation Observation of the application, performance, or existence of the
control
fid
Inspection Inspection of documents and reports indicating performance of the

control
Re-performance Reperformance of the control
on
In addition, as required by paragraph .35 of AT-C section 205, Examination Engagements (AICPA, Professional Standards), and paragraph
.30 of AT-C section 320, when using information produced (or provided) by the service organization, we evaluated whether the information
was sufficiently reliable for our purposes by obtaining evidence about the accuracy and completeness of such information and evaluating
whether the information was sufficiently precise and detailed for our purposes.
C
17
c.
In
Control Objective 1: Logical Access – Controls provide reasonable assurance that logical access to applications and data is restricted to authorized personnel.
Description of Controls Tests Performed by Baker Tilly Results of Tests

1.1 - Access to Active Directory, the Inspected documented security policies and procedures to determine that security No exceptions noted.
Hosted Online Environment, the Vertex policies addressed the approval and quarterly recertification of domain administrator
x
Cloud Indirect Tax and Premium Services access rights.
solution, and the Returns Portal security
administration functions is restricted to
te
authorized individuals based upon job role. Selected a sample of quarters and inspected quarterly authorization forms to determine No exceptions noted.
that recertification of users with domain administrator access was performed quarterly
and that, for all quarters, Network Administrators with domain access were approved by
management.
er
Selected a sample of users with security administration functions and inspected job No exceptions noted.
descriptions to determine that security administration privileges were commensurate with
job responsibilities.
lV
1.2 - Application and system access Inspected the Procedure for Network User Provisioning to determine that policies and No exceptions noted.
requests (establish, change or remove) for procedures addressed restricting the ability to open personnel change orders in the
Active Directory, the Hosted Online service desk application system to members of the Human Resources department.
Environment, the Vertex Cloud Indirect
Tax and Premium Services solution, and
the Returns Portal are documented and
are approved by authorized individuals.
tia Inspected the listing of users with access to validate service desk requests in the service
desk application and inquired with management to determine that the users were
appropriate.
No exceptions noted.
en
Selected a sample of new users and inspected tickets to determine that a service desk No exceptions noted.
request was facilitated in the service desk application and that the access request was
approved by an authorized individual.
Selected a sample of terminated and disabled users and inspected documentation to No exceptions noted.
fid
determine that termination orders were completed for terminated users on a timely basis
and that terminated users were removed from the listing of active users.
Selected a sample of new accounts and inspected tickets to determine that a service No exceptions noted.
desk request was facilitated in the service desk application and that the access request
on
was approved by an authorized individual.

C
18
c.
In
Selected a sample of terminated and disabled accounts and inspected tickets to Exception noted.
determine that a service desk request was facilitated in the service desk application and
that the access request was approved by an authorized individual.
During the period October 1,
x
2018 through September 30,
2019 for 2 of 25 terminated and
te
disabled accounts sampled out of
a population of 383 terminated
and disabled accounts, account
access was not removed on a
timely basis.
er
Selected a sample of transfers and inspected tickets to determine that a service desk No exceptions noted.
request was facilitated in the service desk application and that the access request was
lV
approved by an authorized individual.
1.3 - System and application level access Inspected security policies and procedures to determine that the generation of an active No exceptions noted.
is reviewed quarterly to verify user access user account report by authorized Network Administrators for review by HR on a
is authorized and all terminated users have quarterly basis was documented.
been removed.
tia Selected a sample of quarters and inspected quarterly user access reviews to determine
that user access reviews were completed for the active user accounts on a quarterly
basis.
Exception noted.

en
2019 for 2 of 8 quarterly access
reviews sampled out of a
population of 16 in-scope
quarterly access reviews,
evidence was unavailable to
determine that the quarterly
fid
review was completed on a timely

basis.
Inspected the annual user access review of authorized users with access to database No exceptions noted.
on
backups to determine that authorized users had been reviewed by the Director of
Information Security on an annual basis.
C
19
c.
In
1.4 - A formal Security Assurance Inspected the formal Security Assurance procedure to determine that the procedure No exceptions noted.
procedure exists for granting access to the addressed the granting of access to the data manager tools so that access was restricted
Indirect Tax data manager tool(s) so that to authorized individuals.
x
only proper personnel have access to
those tool(s). A user access review of the
data management tools is performed by Selected a sample of quarters and inspected quarterly user access reviews for each No exceptions noted.
te
management on a quarterly basis. indirect tax research group to determine that quarterly user access reviews were
performed for users with access to the data management tool.
1.5 - An excel tracking spreadsheet is Inspected the excel tracking sheet to determine that a process was in place to determine No exceptions noted.
er
used to determine which users can request which users could request access, as well as which users could grant or provide access
access, as well as which users can grant to each indirect tax research data management tool.
or provide access to each indirect tax
research data management tool. The
lV
tracking sheet requires approval by the Selected a sample of quarters and inspected the quarterly access review of the tracking No exceptions noted.
access grantors and is reviewed on tool authorizations to determine that the tracking sheet required approval by the access
a quarterly basis. grantors and was reviewed on a quarterly basis.
1.6 - Password restrictions and automatic Inspected security policies and procedures to determine that application and network No exceptions noted.
time-out features are documented in
security policies and are enforced by the
logical access configurations.
tia password requirements were in place for the following: minimum password length,
periodic password expiration, password complexity, and automatic lockout after a
prescribed number of unsuccessful logon attempts.
Observed application and network password configurations to determine that the No exceptions noted.
en
following security settings were activated: minimum password length, periodic password
expiration, password complexity, and automatic lockout after a prescribed number of
unsuccessful logon attempts.
1.7 - Vertex Cloud Indirect Tax and Observed that a customer account could not be provisioned in the Cloud Portal without No exceptions noted.
fid
Premium Services customer accounts are accepting the customer agreement to determine that customer accounts could not be
provisioned through the Cloud Portal. activated prior to the agreement execution.
Access is not granted until the customer
agreement has been executed.
on
C
20
c.
In
Complementary User Entity Controls
x
Hosted On-Demand Products (as part of the Hosted Online environment):
1. User entities identify and validate users granted access to Hosted On-Demand Products. If users cannot administer user access themselves, they should
te
identify and communicate any changes to the appropriate Vertex Product Support Team. All requests for changes must be delivered to the Online Technical
team via an Oracle task from the Vertex product support team.
Vertex Cloud Indirect Tax and Premium Services:
er
2. User entities grant access only to authorized users of the application and remove terminated users on a timely basis.
3. User entities verify that access for their personnel is appropriate and commensurate with job responsibilities.
4. User entities should not share user IDs and / or passwords.
5. User entities provide Vertex with all necessary information with respect to all relevant user taxing authority registrations and update the information as
lV
appropriate for Premium Services.
Sales and Use Tax Returns Outsourcing Services:

appropriate.
7. User entities identify and validate users granted access to Returns Portal and communicate any changes to Vertex.
tia
en
fid
on
C
21
c.
Control Objective 2: Data Transmission – Controls provide reasonable assurance that data transmission with users are secured and from authorized sources.
In
2.1 - Firewalls are used to control access Inspected firewall settings to determine that firewall rules and configurations had been No exceptions noted.
to the network and are monitored for established to track connections made to online traffic.
suspicious activity on a periodic basis.
x
Note: Firewalls specific to the Vertex
Cloud Indirect Tax and Premium Services Inspected Hosted On-Demand Products security policies and procedures to determine No exceptions noted.
environment are monitored by a that the use of an online firewall to track and log all connections to online resources
te
subservice organization. was documented.
Inspected firewall settings to determine that alerting was enabled to monitor firewalls No exceptions noted.
for suspicious activity.
er
2.2 - An intrusion detection system (IDS) Selected a sample of weeks and inspected evidence to determine that weekly IDS No exceptions noted.
over Vertex Cloud Indirect Tax and activity had been logged and monitored.
lV
Premium Services production data is
logged for activity and monitored on a
weekly basis.
2.3 - A web application firewall is used to Observed the web application firewall to determine that a web application firewall was No exceptions noted.
block suspicious access to the Vertex used to block suspicious access to the Vertex Cloud and Indirect Tax and Premium
Cloud and Indirect Tax and Premium
Services and Online hosted
environments.
tia Services and Online hosted environments.
en
2.4 - Antivirus has been deployed across Observed antivirus configurations to determine that the antivirus distribution servers in No exceptions noted.
the environment and updates have been the vertexinc and vertex.local domains were configured to receive virus definition
applied. updates and distribute them to production servers and clients within the domain, and
that production servers and clients were configured to request the updates.
fid
Selected a sample of production servers in the vertexinc and vertex.local domains and No exceptions noted.
inspected evidence to determine that the devices were configured to perform on-
access scanning with a current version of a commercial scanning utility.
Inspected the On-Demand Products and the Vertex Cloud and Indirect Tax and No exceptions noted.
on
Premium Services hosted environment security policies and procedures to determine

that the use of enterprise virus protection was documented.
C
22
c.
Control Objective 2: Data Transmission – Controls provide reasonable assurance that data transmission with users are secured and from authorized sources.
In
Observed antivirus configurations to determine that virus scanning software was No exceptions noted.
installed and configured on Online Production and the Vertex Cloud and Indirect Tax
and Premium Services hosted environment servers.
x
2.5 - Encryption is used during external Inspected the On-Demand Products security policies and procedures and the Vertex No exceptions noted.
te
data transmission. Cloud and Indirect Tax and Premium Services hosted environment security policies
and procedures to determine that protection of the environment from Internet threats
was addressed.
er
Observed the On-Demand Products and Vertex Cloud and Indirect Tax and Premium No exceptions noted.
Services hosted environment server communication connections to determine that
communications between the client and the applications and databases in the online
environment utilized encryption algorithms.
lV
2.6 - The IP Monitor application is used to Observed the IP Monitor monitoring system to determine that systems and services No exceptions noted.
monitor systems and services activity. monitoring was in place for the hosted online environment.

tia
1. User entities download all proper Connectors from MyVertex.
en
fid
on
C
23
c.
Control Objective 3: Physical Access– Controls provide reasonable assurance that physical access to computing resources is restricted to authorized
In
personnel and the data center is protected from environmental threats.

3.1 - Physical controls are in place Observed the Vertex data center to determine that the data center was restricted via No exceptions noted.
surrounding the network equipment to key card access.
x
restrict access to only authorized
individuals.
te
3.2 - Access to the data center is Inspected the listing of users and their roles with access to the restricted data center No exceptions noted.
controlled by a card access system and and management approvals to determine that all users had appropriate job roles and
requires approval by management based had been approved by management.
er
on an employee’s job functions.
3.3 - Users with access to the restricted Inspected the annual review of users with access to the restricted data center to No exceptions noted.
data center are reviewed by management determine that user access was reviewed annually by an appropriate level of
lV
on an annual basis. management.
3.4 - All buildings are equipped with card Inspected the Security Policy to determine that access to all facilities required an active No exceptions noted.
readers to restrict access to Vertex security badge.
facilities.
tia Observed that the building was equipped with card readers at the entrances to restrict
access to Vertex facilities.
3.5 - Vendors and other persons not Inspected the visitor’s log for the period to determine that the visitor’s log was No exceptions noted.
en
having a security access card to the maintained.
corporate facility are required to register
on an electronic visitor’s log in the main
reception area. Logged information
includes the visitor’s name, company,
fid
destination, time in, and time out.
3.6 - All buildings are equipped with Observed the security building alarms to determine that security alarms were installed. No exceptions noted.
security alarms that automatically send a
signal to a central station monitor through
on
a third party if a building intrusion occurs

outside of normal business hours.
C
24
c.
Control Objective 3: Physical Access– Controls provide reasonable assurance that physical access to computing resources is restricted to authorized
In
personnel and the data center is protected from environmental threats.

3.7 - Vertex Inc. is contracted with a third Inspected the contract between Vertex Inc. and the third party monitoring service to No exceptions noted.
party to perform automated building determine that automated building monitoring services were in place.
x
monitoring services.
te
3.8 - The data center is equipped with a Observed the Vertex data center to determine that the data center contained Novec No exceptions noted.
fire suppression system, temperature and 1230 fire suppression, temperature and humidity controls, raised flooring, 2
humidity controls, raised flooring, uninterruptible power supply (UPS) devices and 2 power distributions units.
uninterruptible power supplies (UPS), and
er
power distribution units.
lV
None
tia
en
fid
on
C
25
c.
Control Objective 4: Change Management – Controls provide reasonable assurance that new implementations, updates, program releases, and changes to
In
applications and infrastructure are documented, tested, authorized and approved prior to promoting into the production environment.

4.1 - New implementations, updates, Inspected the change management policies and procedures to determine that they No exceptions noted.
program releases, and changes to addressed the recording of planned changes in a change control request system which
x
applications and infrastructure are required review and approval prior to closing.
tracked, documented, and stored in
central repositories.
te
Observed that a central repository was maintained that tracked, documented, and stored No exceptions noted.
new implementations, updates, program releases, and changes to applications and
infrastructure.
er
4.2 - New implementations, updates, Inspected documented procedures to determine that procedures and criteria for the No exceptions noted.
program releases, and changes to testing of approved operating system software changes in the online environment were
applications and infrastructure are documented.
authorized, tested, and approved prior to
lV
being promoted to production.
Selected a sample of new implementations, updates, program releases, and changes to No exceptions noted.
applications and infrastructure for the Hosted Online Environment and Vertex Cloud
Indirect Tax and Premium Services solution approved during the period and inspected
change records to determine that the changes were authorized, tested in a staging area
by authorized personnel per the established testing procedures and criteria, and
tia
approved prior to being promoted to production.
Inspected documented procedures to determine that the process of testing application

changes and updates for all in-scope products were documented.
en
4.3 - Where appropriate, separate Inspected documented procedures to determine that the Systems Development Life No exceptions noted.
environments are utilized to separate Cycle (SDLC) process for the Vertex Cloud and Indirect Tax and Premium Services
development, test, and production hosted environment included procedures for testing changes and included separate
activities. environments for development, testing, and production.
fid
Observed that separate environments for development, testing, and production activities No exceptions noted.
were in place for changes to the operating system, online environment, and the Vertex
Cloud and Indirect Tax and Premium Services hosted environment.
on
C
26
c.
In

4.4 - The ability to promote changes to Inspected the listing of users with the ability to promote changes to production to No exceptions noted.
production is restricted to authorized determine that access was restricted to authorized individuals.
x
individuals.
Selected a sample of operating system and online environment changes and inspected No exceptions noted.
te
change documentation to determine that changes were promoted to production by
authorized individuals.
4.5 - Emergency changes to the Vertex Inspected change management policies and procedures to determine that they No exceptions noted.
er
Cloud and Indirect Tax and Premium addressed the recording of emergency changes in a change control request system and
Services hosted environment require the weekly review of emergency change requests.
Change Control Board (CCB) processes
and the Hosted Online Environment
lV
systems require verbal approval with Selected a sample of Hosted Online Environment emergency changes and inspected No exceptions noted.
follow up documentation of the event. change records to determine that each change was processed in accordance with the
established procedures.
Selected a sample of Vertex Cloud and Indirect Tax and Premium Services hosted No exceptions noted.
environment emergency changes and inspected JIRA tickets to determine that changes
4.6 - A formal change management policy

has been developed, communicated to
tia
were authorized, tested, and approved prior to being promoted to production.
Inspected the Global Change Management Policy, Hosted Online Environment Change
Management Policies and Procedures, and Vertex Cloud and Indirect Tax and Premium
en
affected users, and approved by Services hosted environment Change Management Policy to determine that a change
management. management policy had been developed and approved by management.
Inspected evidence to determine that the Global Change Management Policy, Hosted No exceptions noted.
Online Environment Change Management Policies and Procedures, and Vertex Cloud
fid
and Indirect Tax and Premium Services hosted environment Change Management
Policy had been communicated to affected users.
on
C
27
c.
In

4.7 - The Change Control Team meets Selected a sample of weeks and inspected weekly meeting documentation to determine Exception noted.
weekly to review Louts Notes based that the Change Control Team met on a weekly basis to assess changes affecting the
x
change requests affecting the enterprise enterprise environment.
During the period October 1, 2018
production environment.
through September 30, 2019 for 1
te
of 8 weeks sampled out of a
population of 52 weeks, the
change control team did not meet
to assess changes affecting the
enterprise environment.
er
lV
Indirect and Payroll Tax Products:
1. User entities are responsible for properly implementing the licensed product and using the current version of the licensed product in accordance with its
documentation.
2. User entities incorporate the data updates, such as jurisdiction, tax rate and taxability updates to the Vertex database, into the licensed product within the
timelines communicated and distributed by Vertex with the data update programs.
3.
4.
5.
tia
User entities read and acknowledge the Vertex Software License Agreement.
User entities properly integrate the licensed product with their general ledger or enterprise resource planning system.

User entities properly integrate the licensed product with their general ledger or enterprise resource planning system as applicable.
en
6. User entities read and acknowledge the Vertex Software License Agreement.

7. User entities read and acknowledge information published by Vertex Cloud Indirect Tax and Premium Services concerning the use, maintenance, and
applicability of the Cloud Portal.
fid
8. User entities do not resell, lease, timeshare, rent, sell or otherwise provide any third party with the benefit of the Cloud Portal or the Services except as
specifically permitted.
9. User entities enable computing systems to utilize the Cloud Portal via the Internet and to receive alerts, notifications and information from Vertex, manage all
username and passwords in a secure manner and not disclose credentials to others.
on
C
28
c.
Control Objective 5: Backups – Controls provide reasonable assurance that data is backed up regularly and available for restoration in the event of
In
processing errors and or unexpected processing interruptions.

5.1 - Backups of On-Demand Products Inspected the On-Demand Products Backup Policy to determine that policies and No exceptions noted.
customer databases are performed by procedures for the backup of On-Demand Products customer databases were
x
authorized personnel according to documented.
documented procedures on a nightly
basis.
te
Selected a sample of servers and inspected server backup schedules to determine that No exceptions noted.
customer databases were configured to be backed up on a nightly basis according to
documented procedures.
er
5.2 - The On-Demand Products customer Selected a sample of months and inspected monthly backup log reviews to determine No exceptions noted.
backup logs are reviewed by the systems that backup logs were reviewed by the systems administrator daily and by management
administrator on a daily basis and on a monthly basis according to documented procedures.
reviewed by management monthly.
lV
5.3 - The nightly On-Demand Products Inspected the Backup Software Policy to determine that the policy parameters were No exceptions noted.
database backups are copied to an offsite configured to copy backups to the offsite location.
storage location on a daily basis.
Selected a sample of servers and inspected evidence to determine that On-Demand No exceptions noted.
5.4 - Daily backups of On-Demand

tia Products database backups were transferred to an offsite storage location daily for 31
consecutive days.
Selected a sample of servers and inspected the automated backup software retention No exceptions noted.
en
Products data are retained for 31 settings to determine that On-Demand Products database backups were retained at the
consecutive days. offsite location for 31 consecutive days.
Inspected the Software Backup Policy to determine that daily backups were required to No exceptions noted.
be maintained for 31 days.
fid
5.5 - Monthly On-Demand Products Selected a sample of servers and inspected evidence to determine that monthly On- No exceptions noted.
database backups are copied to an offsite Demand Products database backup files were present on the offsite backup servers.
storage location.
on
C
29
c.
In

5.6 - Monthly backups of On-Demand Inspected the On-Demand Products Backup Policy retention settings to determine that No exceptions noted.
Products data are retained for 13 the policy required backups to be retained monthly for a backup period of 13 consecutive
x
consecutive months. months.
te
Selected a sample of servers and inspected the automated backup software retention No exceptions noted.
settings to determine that the On-Demand Products database backup files present were
configured to be retained for 13 consecutive months.
er
5.7 - Monthly database restore tests are Inspected backup policies and procedures to determine that they addressed the testing No exceptions noted.
requested by Hosted Online environment of backup data less than 31 days old as well as the testing of backup data greater than
personnel and performed by authorized 31 days old.
personnel using database backups.
lV
Selected a sample of months and inspected monthly restore tests to determine that No exceptions noted.
database restore tests were performed using data backups on a monthly basis.
Selected a sample of months and inspected monthly evidence to determine that No exceptions noted.
database backups were tested by authorized personnel according to documented
tia procedures on a monthly basis.
Vertex Cloud Indirect Tax and Premium Services System

en
5.8 - Backups of Vertex Cloud and Selected a sample of days and inspected the daily backup logs to determine that Vertex No exceptions noted.
Indirect Tax and Premium Services Cloud and Indirect Tax and Premium Services hosted environment data had been
hosted environment data are performed backed up on a daily basis.
by a third party on a daily basis.
fid
5.9 - The Vertex Cloud and Indirect Tax Selected a sample of months and inspected monthly backup log reviews to determine No exceptions noted.
and Premium Services hosted customer that backup logs were reviewed by the systems administrator weekly and by
backup logs are reviewed by the systems management on a monthly basis.
administrator on a weekly basis and
reviewed by management monthly.
on
C
30
c.
In

5.10 - Daily backups of Vertex Cloud and Inspected the Data Backup and Recovery Policy to determine that daily backups were No exceptions noted.
Indirect Tax and Premium Services required to be maintained for 30 days.
x
hosted environment data are retained for
30 consecutive days.
Observed the backup configurations to determine that daily backups of the Vertex Cloud No exceptions noted.
te
and Indirect Tax and Premium Services hosted environment data were retained for 30
consecutive days.
er
None
lV
tia
en
fid
on
C
31
c.
Control Objective 6: Indirect Tax Research – Controls provide reasonable assurance that information sources are reviewed and monitored for changes in tax
In
rates, taxability rules, jurisdictional information, regulations, and interpretation, and the corresponding system changes are implemented accurately and
completely.

6.1 - A documented indirect tax research Inspected indirect tax research policies to determine that indirect tax research policies No exceptions noted.
x
procedure is used for the capturing of and procedures were documented and addressed content completeness and accuracy,
pertinent content, the reporting and the separation of duties, and were approved by management.
correcting of data errors and the
te
separation of duties in a controlled
manner.
er
6.2 - Tax researchers are required to Inspected the General Research procedures to determine that formal procedures were No exceptions noted.
complete a monthly jurisdiction checklist documented, and the procedures addressed the completion of a monthly jurisdiction
documenting that all applicable checklist.
jurisdictions have been contacted to
obtain changes to supported data.
lV
Selected a sample of months and indirect tax research groups and inspected monthly No exceptions noted.
jurisdiction checklists to determine that the checklists were completed by tax researchers
and documented on a monthly basis and that all applicable jurisdictions were contacted
to obtain changes to supported data.
6.3 - Tax researchers are required to

complete a monthly update checklist
documenting that all data collection
procedures have been performed.
tia Selected a sample of months and indirect tax research groups and inspected monthly
update checklists to determine that the checklists were completed by tax researchers
and documented that data collection procedures were performed for the month.
en
6.4 - Data per the source documents is Selected a sample of data changes and inspected verifications to determine that the No exceptions noted.
visually verified to the data placed on an data input forms (or equivalent) were visually verified to supporting source documents by
input form (or equivalent) by a tax a tax researcher independent of the tax researcher who gathered the information.
researcher independent of the tax
researcher who gathered the information.
fid
6.5 - Data per the input form (or Selected a sample of data changes and inspected verifications to determine that the No exceptions noted.
equivalent) is visually verified to the data data input forms (or equivalent) were verified to data entered into the data manager tool
entered into the data manager tool(s) by a by a tax researcher independent of the tax researcher who entered the data into the tool.
tax researcher independent of the tax
on
researcher who entered the data into the

data manager tool(s).
C
32
c.
Control Objective 6: Indirect Tax Research – Controls provide reasonable assurance that information sources are reviewed and monitored for changes in tax
In
rates, taxability rules, jurisdictional information, regulations, and interpretation, and the corresponding system changes are implemented accurately and
completely.

6.6 - Tax researchers are required to Selected a sample of months and indirect tax research groups and inspected monthly No exceptions noted.
x
validate that there are no errors or update checklists to determine that tax researchers validated the detection, reporting
irregularities submitted for output. and correction of errors, and irregularities submitted for output.
te
6.7 - Tax researchers are required to test Selected a sample of months and indirect tax research groups and inspected monthly No exceptions noted.
a sample of the changes for proper tax update checklists and data input forms (or equivalent) to determine that tax researchers
calculation results within the appropriate tested a sample of changes for proper tax calculation results on a monthly basis.
er
product.
lV
Indirect and Payroll Tax Products:
1. User entities update their customer records according to the timelines provided by Vertex for annual maintenance update of the Jurisdiction Identification
Systems (GeoCodes and Tax Area ID’s).
2. User entities subscribe to the Critical Tax Change notices within myVertex, https://my.vertexinc.com/critical-tax-changes to provide customers with up-to-
the-minute information on tax-related data changes that Vertex becomes aware of after the monthly update had been delivered. By using this pro-active
3.
4.
tia
approach, King of Prussia alerts the user, so the user can review the tax change notice(s) and determine if there are any potential impacts to their business.
User entities verify expected results produced by calculation engines.
User entities institute mechanisms in their internal processes with respect to the use of the Indirect and Payroll Tax Products which provide reasonable
assurance that any data entered into and reported out of the Indirect and Payroll Tax Products are accurate, complete and subject to a level of review
appropriate to their organization.
en
5. User entities read and acknowledge information published by Vertex concerning the use, maintenance, and applicability of the Hosted On-Demand
Products.
6. User entities subscribe to the Critical Tax Change notices within myVertex, https://my.vertexinc.com/critical-tax-changes to provide customers with up-to-
fid
the-minute information on tax-related data changes that Vertex becomes aware of after the monthly update had been delivered. By using this pro-active
approach, King of Prussia alerts the user, so the user can review the tax change notice(s) and determine if there are any potential impacts to their business.
7. User entities institute mechanisms in their internal processes with respect to the use of the Hosted On-Demand Products which provide reasonable
assurance that any data entered into and reported out of the Hosted On-Demand Products are accurate, complete and subject to a level of review
appropriate to their organization.
on
C
33
c.
Control Objective 7: Tax Returns Processing – Controls provide reasonable assurance that tax returns are processed accurately, completely and in a timely
In
manner.

7.1 - The tax preparation software used, Inspected Sales & Use Tax Returns Outsourcing Services policies and procedures to No exceptions noted.
by design, will not produce tax returns for determine that the monthly updating of tax preparation software to provide new and
x
periods where the tax rates and forms updated tax rates, rules, and forms was documented.
data has not been loaded.
te
While in the online tax preparation production environment, via re-performance, No exceptions noted.
attempted to input tax data into multiple tax return forms, print tax returns for multiple
states and import tax data for a future period that did not have tax rates and forms data
loaded to determine that the software prevented the ability to do so.
er
7.2 - Vertex Sales & Use Tax Returns Inspected documented policies and procedures to determine that the policies and No exceptions noted.
Outsourcing Services Organization procedures addressed the notification of Sales & Use Tax Returns Outsourcing Services
personnel are notified when the returns Organization personnel as to the availability of updates to the tax returns preparation
lV
preparation software and data have been software and data.
updated.
Selected a sample of months and inspected the monthly software update logs to No exceptions noted.
determine that Vertex Sales & Use Tax Returns Outsourcing Services Organization
personnel were properly notified when the returns preparation software and data was
7.3 - Vertex Cloud and Indirect Tax and

Premium Services updates the returns
preparation software at least monthly. A
tiaupdated.
Selected a sample of months and inspected the monthly software updates and the
monthly returns preparation checklists to determine that updates were performed on at
least a monthly basis and were complete and accurate.
en
checklist is completed to determine that
the updates have been performed
completely and accurately.
7.4 - Vertex Sales & Use Tax Returns Inspected Tax Return Outsourcing policies and procedures to determine that the No exceptions noted.
fid
Outsourcing Services Organization completion and posting on the Vertex Sales & Use Tax Returns Outsourcing Services
personnel are required to complete a Portal of a Monthly Tax Calendar by Sales & Use Tax Returns Outsourcing Services
monthly Tax Calendar for each client Organization personnel for each client was required and documented.
entity documenting the client’s tax filing
obligations and tax liabilities which is
Selected a sample of months and client entities for which returns were processed and No exceptions noted.
on
posted on the client's Returns Portal

account. inspected monthly Tax Calendars to determine the calendars were completed by Vertex
Sales & Use Tax Returns Outsourcing Services Organization personnel and posted on
the client’s Vertex Sales & Use Tax Returns Outsourcing Services account.
C
34
c.
In
manner.

7.5 - Vertex Sales & Use Tax Returns Inspected Tax Return Outsourcing policies and procedures to determine that the No exceptions noted.
Outsourcing Services Organization completion and posting on the Vertex Sales & Use Tax Returns Outsourcing Services
x
personnel are required to complete a Portal of a Monthly Tax Reconciliation Report by Vertex Sales & Use Tax Returns
monthly Tax Reconciliation Report for Outsourcing personnel was required.
each client, reconciling the client’s source
te
data with the net tax due for each return
prepared for the reporting period, which is Selected a sample of months and client entities for which returns were processed and No exceptions noted.
posted to the client's Returns Portal inspected monthly Tax Reconciliation Reports to determine the reports were completed
account. by Vertex Sales & Use Tax Returns Outsourcing Services Organization personnel and
er
posted to the client's Sales & Use Tax Returns Outsourcing Services Portal account.
Selected a sample of months and client entities and inspected monthly Tax No exceptions noted.
Reconciliation Reports to determine that the monthly net tax due reconciled to the
lV
client’s source data for a return prepared for that period.
7.6 - Electronic copies of prepared returns Inspected Tax Return Outsourcing policies and procedures to determine that procedures No exceptions noted.
are posted to the client's Returns Portal for the posting of prepared returns to the client’s Vertex Sales & Use Tax Returns
for the client's representatives to indicate Outsourcing Services Portal for clients to indicate their acceptance or rejection of each
their acceptance (or rejection) of each
tia
prepared tax return and the tax obligation.
prepared return and their tax obligation were documented.
Selected a sample of months and client entities for which returns were processed and
inspected the client portal to determine that electronic copies of prepared returns were
posted to the client’s Vertex Sales & Use Tax Returns Outsourcing Services Portal and
en
that the client’s representative indicated their acceptance or rejection of each prepared
return and associated tax obligation.
7.7 - Vertex Cloud Indirect Tax and Selected a sample of months and client entities and inspected the client’s Cloud Portal to No exceptions noted.
Premium Services posts client’s tax determine that the client’s tax return was posted on a monthly basis.
fid
returns to the client’s Cloud Portal on a

monthly basis.
7.8 - A monthly alert is sent through the Selected a sample of months and client entities and observed the monthly client portal No exceptions noted.
Returns Portal to identify the amount of notification to determine that an alert was sent through the Vertex Sales & Use Tax
on
tax liability due. Returns Outsourcing Services Portal to identify the amount of tax liability due.
C
35
c.
In
manner.

7.9 - Returns rejected by a client are Inspected policies and procedures to determine that they addressed processing rejected No exceptions noted.
investigated and corrected by the tax returns.
x
preparer. The corrected return(s) are
posted to the client's Returns Portal for
the client representatives to indicate their Selected a sample of months and rejected returns and inspected the client portals and Exception noted.
te
acceptance (or rejection) of each client correspondence to determine that monthly client-rejected returns were investigated
prepared tax return and the tax obligation. and corrected by the tax preparer, the corrected return(s) were posted to the client’s
Returns Portal, and that Vertex Sales & Use Tax Returns Outsourcing acknowledged
that the client accepted or rejected the return that was initially rejected along with the
2019 for 1 of 25 rejected returns
er
associated tax obligation.
selected out of a population of
1,192 rejected returns, evidence
was unavailable to evidence
that the corrected return was
lV
posted to the client’s Returns
Portal and that acceptance by
the client was acknowledged.
7.10 - A Tracking Checklist is signed off Inspected Tax Return Outsourcing policies and procedures to determine that the use of No exceptions noted.
on by Vertex Sales & Use Tax Returns a Tracking Checklist was required and documented.
Outsourcing Services Organization
personnel and Treasury personnel to
record that checks have been generated,
tax returns have been assembled, the
correct number of mailings have been
tia Selected a sample of months and client entities and inspected the related monthly
Tracking Checklist to determine that a Tracking Checklist was signed by Sales & Use
Tax Returns Outsourcing Services Organization personnel and Treasury personnel to
en
prepared, and the check matches the record the generation of checks, assembly of returns, number of mailings and amount of
return. the check.
7.11 - A Mail Checklist is completed and Inspected Tax Return Outsourcing policies and procedures to determine that the review No exceptions noted.
signed off by management to confirm that and approval of Mail Checklists was required and documented.
fid
all returns have been processed and filed

on a monthly basis.
Selected a sample of months and client entities and inspected monthly Mail Checklists to No exceptions noted.
determine that the checklists were completed and signed by Sales & Use Tax Returns
Outsourcing Services Organization management on a monthly basis.
on
C
36
c.
In
manner.

7.12 - A Monthly Due Dates Checklist is Inspected Tax Return Outsourcing policies and procedures to determine that the review No exceptions noted.
completed and reviewed by Management of Monthly Due Dates Checklists by management was required and documented.
x
to track that returns preparation activities
have been performed.
Selected a sample of months and client entities and inspected Monthly Due Dates No exceptions noted.
te
Checklists and review checklists to determine that the checklists were completed by
Sales & Use Tax Returns Outsourcing Services Organization personnel and reviewed by
management.
er
7.13 - A funding notification is created Selected a sample of client entities and returns due dates and inspected the funding No exceptions noted.
from the Tax Calendar and sent to each notifications to determine that a funding notification was created from the Tax Calendar
Vertex Cloud and Indirect Tax and and sent to the Vertex Cloud and Indirect Tax and Premium Services client five business
Premium Services client five business days prior to the client’s return due date.
lV
days prior to the client’s return due date
to notify the client that funding is due and
to monitor that each due date is complied
with.
7.14 - Monthly e-Filing Checklists are

completed, reviewed and signed off by
management to track that all returns
required to be e-filed have been filed and
payments made in a timely manner.
tia Inspected Tax Return Outsourcing policies and procedures to determine that the review
and approval of monthly e-Filing Checklists was required and documented.
Selected a sample of months and client entities and inspected monthly e-Filing
Checklists and review checklists to determine that the checklists were completed by
en
Vertex Sales & Use Tax Returns Outsourcing personnel and reviewed by management.
fid
on
C
37
c.
In
manner.

7.15 - Vertex Sales & Use Tax Returns Inspected the Vertex Sales & Use Tax Returns Outsourcing Policy to determine that No exceptions noted.
Outsourcing Services personnel log procedures for processing and tracking tax notices received from taxing authorities and
x
notices received from taxing authority jurisdictions into a tracking system were documented.
jurisdictions into the Oracle Service
Request tracking system. The notice
te
record is available via the Returns Portal. Re-performed the process for logging jurisdiction notices to determine that a tracking No exceptions noted.
If data from the tracking system does not system was used to log tax notices received and that entered notice records were
flow to the Returns Portal correctly, an available in real time via the Vertex Sales & Use Tax Returns Outsourcing Services
alert is sent to Vertex Sales & Use Tax Portal.
er
Returns Outsourcing Services
management.
Inspected data service failure alerts to determine that an alert was sent to Vertex Sales No exceptions noted.
& Use Tax Returns Outsourcing management for remediation if data from the tracking
system failed to flow to the Vertex Managed Services Portal correctly.
lV
7.16 - Vertex Cloud and Indirect Tax and Selected a sample of notices logged by customers to the Cloud portal and inspected No exceptions noted.
Premium Services personnel log taxing Sales Force data to determine that the notice was logged to Sales Force by Vertex
authority and jurisdiction notices to Sales Cloud and Indirect Tax and Premium Services personnel.
Force which have been logged to the
Cloud Portal by customers.
7.17 - On a monthly basis, Vertex Sales &

Use Tax Returns Outsourcing Services
management and Vertex Cloud and
tia Selected a sample of months and inspected the monthly Vertex Sales & Use Tax
Returns Outsourcing Services Notice Report and Vertex Cloud and Indirect Tax and
Premium Services Notice Report to determine that unresolved jurisdiction notices were
en
Indirect Tax and Premium Services identified and reviewed by management.
management reviews the report of
unresolved jurisdiction notices.
7.18 - Vertex Cloud and Indirect Tax and Selected a sample of months and client entities and inspected the monthly reconciliation No exceptions noted.
fid
Premium Services Treasury performs a to determine that Vertex Cloud and Indirect Tax and Premium Services Treasury
monthly reconciliation report for Vertex performed a monthly reconciliation for Vertex Cloud Premium clients to reconcile
Cloud Premium clients to reconcile monthly tax liability, the number of returns, and that all electronic payments were
monthly tax liability, the number of processed through Vertex Cloud’s bank account for each client.
returns, and that all electronic payments
on
have processed through Vertex Cloud’s

bank account for each client.
C
38
c.
In
manner.
x
1. User entities institute mechanisms in their internal processes with respect to the use of the Vertex products which provide reasonable assurance that the
te
data entered into and reported out of the Vertex products is accurate, complete and subject to a level of review appropriate to their organization.
appropriate.
3. User entities determine that any tax returns generated are prepared and filed in accordance with applicable laws and regulations and make changes as
er
necessary to finalize the returns.
4. User entities provide Vertex with timely, accurate and complete information in a consistent format for use in compiling the tax returns.
5. Premium User entities should promptly review tax returns and promptly notify Vertex of incorrect returns that should not be filled.
6. User entities fund the applicable bank account, in accordance with the specific schedule communicated by Vertex to the user.
lV
appropriate.
8. User entities identify and validate administrator users granted access to Returns Portal and communicate any changes to Vertex. The User entity’s
administrator user manages and maintains all other Users entity users to the Portal.
9.
10.
11.
12.
tia
User entities read and acknowledge the Vertex Managed Tax Services Agreement and applicable Statement(s) of Work.
User entities determine that any tax returns generated are prepared and filed in accordance with applicable laws and regulations.
User entities provide Vertex with timely, accurate and complete information in a consistent format for use in compiling the tax returns.
User entities promptly review any draft tax returns uploaded to the Returns Portal by Vertex and promptly notify Vertex of any appropriate and/or necessary
changes to the tax returns.
en
13. User entities provide Vertex, via the Returns Portal, with final approval of tax returns.
14. User entities fund the applicable bank account, in accordance with the specific amount and date communicated by Vertex to the user.
fid
on
C
39
c.
Control Objective 8: Cash Receipts and Disbursements – Controls provide reasonable assurance that receipts and disbursements of client funds are
In
authorized, accurately and completely recorded, and only authorized personnel can access the funds.

8.1 - Separate Sales & Use Tax Returns Inspected documentation to determine that procedures for creating a separate bank No exceptions noted.
Outsourcing Services bank accounts are account per client were documented, and that separation of duties was defined therein.
x
created on an individual client basis per
Compliance guidelines. Only authorized
individuals can set up an account. Inspected the listing of individuals authorized to request the opening of a new client bank No exceptions noted.
te
account to determine that they were appropriate members of the Finance Department.
Selected a sample of new clients and inspected signature cards from the bank to No exceptions noted.
determine that new accounts were opened by authorized individuals.
er
8.2 - The activities to set up the client's Inspected the Sales & Use Tax Returns Outsourcing Services New Account Setup No exceptions noted.
bank account or cash management policies and procedures to determine that the tracking of activities associated with the
lV
module in Vertex's financial system are setup of client bank accounts in a request tracking system were documented.
logged, tracked, and managed through a
request tracking system.
Selected a sample of new Tax Return Outsourcing clients and inspected Service Desk No exceptions noted.
tickets to determine that a request tracking system was used to log, authorize, track and
manage the setup of client bank accounts.
tia Selected a sample of new Vertex Cloud Premium Processing clients and inspected the
premium onboarding ticket to determine that a request tracking system was used to log,
authorize, track, and manage the setup of client cash management modules.
en
8.3 - Vertex Sales & Use Tax Returns Inspected the Tax Return Outsourcing policies and procedures to determine that the No exceptions noted.
Outsourcing Services Organization process for requesting the setup of tax jurisdictions and authorities in Vertex’s Accounts
personnel request that the Accounts Payable system was documented.
Payable group set up tax jurisdictions and
authorities in Vertex's Accounts Payable
Selected a sample of tax jurisdictions and authorities added to the Vertex Accounts No exceptions noted.
fid
system using a Supplier Form.

Payable System during the period and inspected Supplier Forms to determine that a
Supplier Form was prepared and used to request setup in Vertex’s Accounts Payable
system.
on
C
40
c.
In

8.4 - A banking file of electronic payments Inspected procedures to determine that the procedures for completing a banking file of No exceptions noted.
is reviewed and signed off by electronic payments to verify that payments have cleared the client’s bank account were
x
Management to ensure that all electronic documented.
payments have processed through the
client's bank account.
te
Selected a sample of months and clients for which returns were processed and No exceptions noted.
inspected the monthly banking file to determine that the file was completed, reconciled,
and reviewed by management.
er
8.5 - Bank accounts are reconciled on a Inspected the Vertex Tax Return Processing Service Control Memo to determine that the No exceptions noted.
monthly basis by the Staff Accountant Finance Department’s documented policies and procedures addressed the monthly
and reviewed by the Assistant Controller. reconciliation of client bank accounts.
lV
Selected a sample of months and clients and inspected monthly bank reconciliations to No exceptions noted.
determine that a reconciliation of client bank accounts was performed and reviewed on a
monthly basis.
8.6 - A monthly Funding Request Selected a sample of months and client entities and inspected the monthly Funding No exceptions noted.
Schedule is completed by Sales & Use
Tax Returns Outsourcing Services
Treasury for Vertex Sales & Use Tax
Returns Outsourcing Services clients to
identify and reconcile the amount of
tia Request Schedule to determine that the amount of funding requested to the client was
reconciled to the amount received.
en
funding authorized from the client to the
amount received.
8.7 - ACH Credit transaction data is Observed the ACH origination process to determine that the website required the No exceptions noted.
transmitted to the bank through a secure authorized Sales & Use Tax Returns Outsourcing Services Treasury personnel to
fid
file transfer website operated by the bank. authenticate by logging in via a secure channel.
on
C
41
c.
In

8.8 - Check payments are produced via a Observed the Sales & Use Tax Returns Outsourcing Services Treasury dedicated printer No exceptions noted
Sales & Use Tax Returns Outsourcing to determine that printed check payments were confined to the Treasury department.
x
Services Treasury dedicated printer.
Users outside of the Treasury department
(and approved backup personnel) do not Observed a Sales & Use Tax Returns Outsourcing Services non-Treasury employee No exceptions noted
te
have access to map to the dedicated attempt to map to the Treasury dedicated printer to determine that the Treasury
check printer. dedicated printer was unavailable to outside personnel.
er

1. User entities fund the applicable bank account, in accordance with the specific amount and date communicated by Vertex to the user.
lV
2. User entities provide Vertex with electronic payment information for ACH Debit payment of all fees, taxes and other payment due by User to the taxing
authorities payable with the tax returns that User entities have approved and authorized Vertex to file.
tia
en
fid
on
C
42
c.
5. Other Information Provided by Vertex, Inc.
In
This information included in this Section 5 is presented by management of Vertex to provide information about Vertex’s Indirect and Payroll
Tax products, bridge letter, business continuity program, third-party service provider’s data center, and management’s response to
exceptions identified in the report and is not part of the description. Information included within Section 5 has not been subjected to the
x
procedures applied in the examination of the description and of the suitability of the design and operating effectiveness of the controls to
meet the control objectives
te
A. Indirect and Payroll Tax Products – Critical Tax Changes
Vertex maintains Critical Tax Change notices within the myVertex web interface to provide customers with information on tax and changes
er
to rates and/or rules that Vertex becomes aware of after the monthly update has been delivered. On myVertex, these important notices are
displayed under the 'For Immediate Attention' area of the home page -- https://my.vertexinc.com/home.
Vertex highly recommends that the customer subscribe to the Critical Tax Change notices, so that they receive e-mail notifications when
lV
Critical Tax Change notices become available for their product(s). To subscribe to these notices, customers should go to myVertex at
https://my.vertexinc.com/critical-tax-changes. Once logged into myVertex, a listing of the Vertex product(s) will be displayed on the right
side of the screen in ‘Manage Subscriptions’. Customers should check the box next to the product(s) they would like to subscribe to, then
click ‘Save’.
tia
By using this proactive approach, Vertex alerts customers, so that they can review the tax change notice(s) and determine if there are any
potential impacts to their business. In addition, they can subscribe multiple users to receive the Critical Tax Change notice emails.
Registering multiple users will assist in preventing any unforeseen issues in case a single contact was to miss a critical tax data update.
en
Customers can unsubscribe if needed. Vertex does not share customer e-mail addresses; they are used only for this subscription.
B. Bridge Letter
Bridge Letters are available to provide assurance that no material changes to the control environment have occurred since the date of the
fid
last Independent Service Auditor report (i.e. September 30, 2019) to the present time.
• Vertex Cloud Indirect Tax and Premium Services Systems Customers – a Bridge Letter can be downloaded from the
Settings menu on the Vertex Cloud Portal.
on
• To All other users – a Bridge Letter is available on myVertex through the Quick Link tabs.
C
43
c.
C. Business Continuity Program
In
Vertex, Inc. takes a proactive approach to providing consistent availability and delivery of its products by maintaining a Business Continuity
Program that prepares for all types of business disruptions. Continuity plans are developed by operational business area or team, and
address the potential loss of systems, facilities and/or personnel. Critical functions are coordinated with third party service providers to
ensure consistent efforts and to address hazards originating from third parties.
x
Environments have been designed to separate the systems and facilities that support Vertex customers from those that support corporate
functions.
te
Data centers used to host the OnDemand customer environment are equipped with state of the art physical and electronic security features
including full failover capabilities. Secondary sites are maintained in geographically diverse locations, allowing for quick transfer to
er
alternative locations if primary systems or facilities are not available. Full backups of customer applications and data are run on a nightly
basis and sent via secure transmission to the secondary site and periodic testing of the data is done to ensure recoverability.
Corporate systems are maintained in a primary data center in Center City Philadelphia and Vertex has contracted with a leading global
lV
service provider for an alternate site to be used in a disaster situation. Both the primary and alternate sites have extensive physical
security and redundant power feeds including industrial power generators. Physical backups are run on a nightly basis and are maintained
by a third-party tape vaulting service. Additionally, all employees have laptops and remote access that can accommodate Vertex weather
related emergencies.
tia
Vertex Cloud Indirect Tax and Premium Services has disaster recovery policies and procedures that allow the production system to failover
to an offsite facility. Secondary sites are maintained in geographically diverse locations, allowing for quick transfer to alternative locations if
primary systems or facilities are not available. The failover procedures are tested at least twice a year. Business continuity procedures exist
to ensure that Customer Support is available to respond to customer requests in the event of a disruption.
en
fid
on
C
44
c.
D. Third-party service provider’s data center
In
Vertex Hosted Online operations use two independent data center providers, Amazon Web Services (AWS) and Equinix, to perform
aspects of the computer processing. Vertex utilizes two autonomous data centers in AWS, one for primary production and one for
secondary production. These data centers are designed and engineered with multiple levels of security, redundant power and cooling
systems including diesel generators and multiple UPS and heating, ventilating, and air conditioning (“HVAC”) systems. These data centers
and their networks are monitored 24x7x365 and include multiple Internet carriers. This infrastructure is one of several levels that form
x
Vertex’s comprehensive solution for keeping our offerings available and secure.
te
Vertex Cloud Indirect Tax and Premium Services uses an independent data center provider, Amazon web Services, to perform aspects of
our computer processing. Vertex Cloud Indirect Tax and Premium Services utilizes multiple availability zones within our cloud infrastructure
to provide a highly available solution. We also leverage a second region within our cloud infrastructure that hosts our disaster recovery
environment to ensure business continuity. These data centers are designed and engineered with multiple levels of security, redundant
er
power and cooling systems including diesel generators and multiple UPS and heating, ventilating, and air conditioning (“HVAC”) systems.
These data centers and their networks are monitored 24x7x365 and include multiple Internet carriers. This infrastructure is one of several
levels that form Vertex’s comprehensive solution for keeping our offerings available and secure.
lV
Vertex Cloud Indirect Tax and Premium Services and Vertex Hosted Online Environment have incorporated these data center resources
into our disaster recovery and business continuity plan. Should a disruption occur in data processing capabilities at the primary Vertex
Cloud Indirect Tax and Premium Services site, our plan ensures that an orderly transition to the secondary processing location will occur
with minimum impact to day-to-day business activities.
tia
en
fid
on
C
45
c.
Both of the aforementioned plans accounts for:
In
• Maximizing the safety and well-being of all personnel involved
• Providing for the protection of company and customer assets
x
• Restoring critical applications/business operations in a timely manner
te
• Minimizing any disruptive effect encountered during the transition from normal processing to emergency processing
• Providing direction and organization for the restoration of data processing capabilities at the primary site, and ensure
er
prompt notification of those personnel needing to be aware of the emergency
• An annual review of the plan, including the assumptions contained in the plan
lV
• An annual test of the plan
Vertex has also incorporated these resources and processes into our incident response plan. This plan sets forth requirements and
procedures for reporting, responding to and managing incidents that take place in the Vertex Cloud Environment and the Hosted Online
Environment. In the event of an incident, Vertex is required to notify clients whose information is affected and/or affected individuals. This
tia
plan applies to all personnel accessing Vertex’s Online data centers.
AWS has an annual SOC 2 Type 2 audit performed at each of its data centers which is available to users of Vertex Cloud Indirect Tax
Premium Services and Vertex Hosted Online Environment Systems. To request a copy of the Data Center provider’s SOC 2 Type 2 audit
en
report, please access the AWS website at: https://aws.amazon.com/ and sign into the AWS Management Console using your account
information. If you do not already have an Amazon account, you can set one up free of charge. Once you access the Console, go to the
Documentation tab and access the Security, Identity and Compliance options. AWS Artifact will allow you to enter a request for the
applicable reports. Report requests require the user to sign a non-disclosure agreement before the SOC reports can be released.
fid
on
C
46
c.
Description of Control Results of Tests Management Response
In
1.2 - Application and system access requests During the period October 1, 2018 through September 30, It was found that two customer user accounts had their
(establish, change or remove) for Active 2019 for 2 of 25 terminated and disabled accounts sampled access to the applications disabled in a timely manner,
Directory, the Hosted Online Environment, the out of a population of 383 terminated and disabled accounts, but the corresponding external tracking database was
Vertex Cloud Indirect Tax and Premium account access was not removed on a timely basis. not updated. Management has reinforced the
Services solution, and the Returns Portal are importance of updating the tracking system with the
documented and are approved by authorized responsible parties and is implementing a new process
x
individuals. to routinely reconcile the access removal requests with
the access changes made in the application.
te
1.3 - System and application level access is During the period October 1, 2018 through September 30, As responsibilities were transitioned within Corporate
reviewed quarterly to verify user access is 2019 for 2 of 8 quarterly access reviews sampled out of a Technology, quarterly access reviews were overlooked
authorized and all terminated users have been population of 16 in-scope quarterly access reviews, evidence and not completed timely. Management has reiterated
er
removed. was unavailable to determine that the quarterly review was the importance of this process and has instituted an
completed on a timely basis. independent process to ensure the reviews are
completed in a timely manner in the future.
lV
4.7 - The Change Control Team meets weekly During the period October 1, 2018 through September 30, The weekly Change Control meeting is held to ensure
to review Louts Notes based change requests 2019 for 1 of 8 weeks sampled out of a population of 52 management has visibility to what changes are
affecting the enterprise production weeks, the change control team did not meet to assess outstanding and their criticality to the business. In the
environment. changes affecting the enterprise environment. instance noted, management made a business
decision to cancel the meeting and cover the updated
information during the next weekly meeting. Going
tia forward, Management will document any deviation in
the schedule for the Change Control meeting to
provide documented evidence of the rationale for not
following the predetermined schedule.
en
7.9 - Returns rejected by a client are During the period October 1, 2018 through September 30, A customer rejected a tax return prepared for by
investigated and corrected by the tax preparer. 2019 for 1 of 25 rejected returns selected out of a population Vertex in the Portal system. After discussion, the
The corrected return(s) are posted to the of 1,192 rejected returns, evidence was unavailable to customer agreed that the return was acceptable for
client's Returns Portal for the client evidence that the corrected return was posted to the client’s filing as it was originally prepared and should have
representatives to indicate their acceptance Returns Portal and that acceptance by the client was updated the status in the system to approve. The tax
fid
(or rejection) of each prepared tax return and acknowledged. preparer failed to ensure the status was updated in the
the tax obligation. system. Management has reiterated the importance of
confirming the accurate status of all tax returns is
reflected in the system. An additional review process
is being implemented to ensure rejected returns status
on
is updated once agreement is reached with the

customer.
C
47

Vertex Inc. 2019 SOC 1 Type 2 Report

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vertex Inc. 2019 SOC 1 Type 2 Report

Uploaded by

Copyright:

Available Formats

Vertex, Inc.

– For the period October 1, 2018 to September 30, 2019

Confidential and Proprietary Information of Vertex, Inc.

G. Complementary User Entity Controls ............................................. 16

5. OTHER INFORMATION PROVIDED BY VERTEX, INC ....................... 43

Confidential and Proprietary Information of Vertex, Inc.

Confidential and Proprietary Information of Vertex, Inc.

Description of Tests of Controls

Confidential and Proprietary Information of Vertex, Inc.

Confidential and Proprietary Information of Vertex, Inc.

We confirm, to the best of our knowledge and belief, that:

Confidential and Proprietary Information of Vertex, Inc.

2019. The criteria we used in making this assertion were that:

applied by individuals who have the appropriate competence and authority.

Confidential and Proprietary Information of Vertex, Inc.

that are likely to be relevant to user entities.

Confidential and Proprietary Information of Vertex, Inc.

C. Internal Control Framework

achievement of Vertex’s business objectives.

Confidential and Proprietary Information of Vertex, Inc.

The Vertex Organizational Model

Confidential and Proprietary Information of Vertex, Inc.

C3. Monitoring Activities

Monitoring of Subservice Organizations

Confidential and Proprietary Information of Vertex, Inc.

Tax Returns Outsourcing Services, and Indirect Tax Research

Confidential and Proprietary Information of Vertex, Inc.

- Oracle applications including NetSuite and Oracle Cloud

services for all the On-Demand Products.

performance monitoring, system availability monitoring, and issue resolution.

Confidential and Proprietary Information of Vertex, Inc.

posting of tax notices received from taxing authorities and

Confidential and Proprietary Information of Vertex, Inc.

on a monthly basis, or more frequently when necessary.

international tax returns, communications tax, and payroll tax.

Vertex Indirect Tax Solutions (On Premise)

Confidential and Proprietary Information of Vertex, Inc.

Vertex® Cloud Indirect Tax and Premium Services Tax Solution

• Credit History Report

Vertex® Sales & Use Tax Returns Outsourcing Services

• Client Tax Reconciliation Report

Vertex Payroll Tax On-Demand and Vertex® Payroll Tax Q Series®

Confidential and Proprietary Information of Vertex, Inc.

Various connector developers are responsible for providing connector CO4

services utilizes connectors within the platform.

Confidential and Proprietary Information of Vertex, Inc.

Confidential and Proprietary Information of Vertex, Inc.

Type of Test Description

Inspection Inspection of documents and reports indicating performance of the

Description of Controls Tests Performed by Baker Tilly Results of Tests

was approved by an authorized individual.

During the period October 1,

review was completed on a timely

Complementary User Entity Controls

Vertex Cloud Indirect Tax and Premium Services:

Sales and Use Tax Returns Outsourcing Services:

Premium Services hosted environment security policies and procedures to determine

Complementary User Entity Controls

Description of Controls Tests Performed by Baker Tilly Results of Tests

destination, time in, and time out.

a third party if a building intrusion occurs

Description of Controls Tests Performed by Baker Tilly Results of Tests

Complementary User Entity Controls

Description of Controls Tests Performed by Baker Tilly Results of Tests