Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 1 INDEPENDENT SERVICE AUDITORS' REPORT Cardinals Ticket Processing, Inc. St. Louis, Missouri Scope We have examined Cardinals Ticket Processing, Inc.'s (\"CTP\") description of its TICKIT Application and related general computer controls at the St. Louis, MO, and Toronto, Canada processing centers throughout the period July 1, 2014 to June 30, 2015 (\"description\") and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of CTP' controls are suitably designed and operating effectively, along with related controls at CTP. We have not evaluated the suitability of the design and operating effectiveness of such complementary user entity controls. CTP uses a record management service organization for its off-site tape storage. The description in Section II includes only the controls and related control objectives of CTP and excludes the control objectives and related controls of the record management service organization. Our examination did not extend to controls of the record management service organization. Service Organization's Responsibilities On pages 8-9 of the description, CTP has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. CTP is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description. Service Auditor's Responsibilities Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with Statement on Standards for Attestation Engagements No. 16 (\"SSAE 16\") established by the American Institute of Certified Public Accountants (\"AICPA\") and International Standard on Assurance Engagements No. 3402 (\"ISAE 3402\") established by the International Auditing and Assurance Standards Board (\"IAASB\"). Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period July 1, 2014 to June 30, 2015. 2 An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Inherent Limitations Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail. Basis for qualified opinion CTP states in its description that it has controls to support that access to administrative and elevated functions within the TICKIT application had been limited to authorized personnel. However, as noted on pages 33-36 of the description of tests of controls and results thereof, these controls were not operating effectively throughout the period July 1, 2014 to June 30, 2015. This resulted in the non-achievement of the control objective, \"Controls provide reasonable assurance that application and system software programs and data are restricted from unauthorized access or change\" throughout the period of July 1, 2014 to June 30, 2015. The information in Section IV, \"Other Information Provided by Cardinals Ticket Processing, Inc.,\" that describes CTP' management comments to observations, business continuity planning, disaster recovery, and privacy is presented by management of CTP to provide additional information and is not a part of CTP' description of its TICKIT systems made available to user entities during the period July 1, 2014, to June 30, 2015. Information about CTP' management comments to observations, business continuity planning, disaster recovery, privacy, compliance, and organization charts has not been subjected to the procedures applied in the examination of the Description and of the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description of the TICKIT systems, and accordingly, we express no opinion on it. Opinion In our opinion, except for the matter described in the preceding paragraph, in all material respects, based on the criteria described in CTP' assertion on pages 9 - 10, a. the description fairly presents the TICKIT Application and related general computer controls at the St. Louis, MO, and Toronto, Canada processing centers that was designed and implemented throughout the period July 1, 2014 to June 30, 2015. 3 b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period July 1, 2014 to June 30, 2015 and user entities applied the complementary user entity controls contemplated in the design of CTP' controls throughout the period July 1, 2014 to June 30, 2015. c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period July 1, 2014 to June 30, 2015. Description of Tests of Controls The specific controls tested and the nature, timing, and results of those tests are listed in Section III. Restricted Use This report, including the description of tests of controls and results thereof in Section III, is intended solely for the information and use of CTP, user entities of CTP' services during some or all of the period July 1, 2014 to June 30, 2015, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties. 4 Assertion by Management of CTP We have prepared the description of CTP's TICKIT Application and related general computer controls at the St. Louis, MO, and Toronto, Canada processing centers for user entities of the system during some or all of the period July 1, 2014 to June 30, 2015, and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements. Except as noted in paragraph d. below, we confirm, to the best of our knowledge and belief, that a. the description fairly presents TICKIT Application and related general computer controls at the St. Louis, MO, and Toronto, Canada processing centers made available to user entities of the system during some or all of the period July 1, 2014 to June 30, 2015 for processing their transactions. The criteria we used in making this assertion were that the description i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including 1) 2) 3) 4) 5) 6) 7) ii. the classes of transactions processed. the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system. the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the system. how the system captures and addresses significant events and conditions, other than transactions. the process used to prepare reports or other information provided to user entities' of the system. specified control objectives and controls designed to achieve those objectives. other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system. does not omit or distort information relevant to the scope of the TICKIT Application and related general computer controls at the St. Louis, MO, and Toronto, Canada processing centers, while acknowledging that the description is presented to meet the common needs of a broad range of user entities of the system and their financial statement auditors, and may not, therefore, include every aspect of the TICKIT Application and related general computer controls at the St. Louis, MO, and Toronto, Canada processing centers that each individual user entity of the system and its auditor may consider important in its own particular environment. b. the description includes relevant details of changes to the CTP system during the period covered by the description when the description covers a period of time. Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 5 except for the matter described in paragraph d., the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period July 1, 2014 to June 30, 2015 to achieve those control objectives. The criteria we used in making this assertion were that i. ii. iii. the risks that threaten the achievement of the control objectives stated in the description have been identified by CTP; the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority. c. As noted on pages 34-35, controls related to access to administrative and elevated authorities within the application were not restricted to authorized individuals from July 1, 2014 to June 30, 2015. As a result, controls were not operating effectively to achieve the control objective, \"Controls provide reasonable assurance that application and system software programs and data are restricted from unauthorized access or change.\" Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 6 Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 7 General Computer Controls General computer controls include controls over computer operations, access, and systems development and maintenance. General computer controls, if suitably designed and operating effectively, provide an environment for the development and processing of applications to achieve specific application control objectives. Logical Security Control Objective 6: Controls provide reasonable assurance that application and system software programs and data are restricted from unauthorized access or change. Windows & TICKIT Specific: Security policies and procedures have been documented, are signed by newly hired employees, and are made available on the CTP intranet for employees (6.1). A companywide security policy is issued and endorsed by the management, which documents the security policies and procedures to be followed to ensure the confidentiality and protection of subscriber and customer records. Unauthorized use or distribution of client data is strictly prohibited. Policies and procedures are also delineated in the CTP Employee Handbook. Policies are available for review by employees on the corporate intranet. An annual security awareness program is conducted to heighten employee awareness of CTP information security policies. Failure to comply with the security policies and procedures is grounds for termination. User access to systems and applications is required to be requested and approved within the System Access Manager (SAM) tool prior to access being created, changed or removed (6.2). Users are required to have unique user IDs and valid passwords. Computer access is disabled for employees that are terminated. Access to the system is revoked by authorized personnel following notification from an employee's manager through use of the automated Lotus Notes database that the employee has left the company or moved to a different department. The HR department obtains the key access card from terminated employees. Managers may request access only for people in their areas and only for their department's resources. Technical support establishes user IDs and assigns them to pre-established user groups based on job responsibilities. The group ID's are based on work area and defined access authorities. The group profiles, coupled with access rules established for specific files or groups of files, determine the access accorded to users. If the user ID and password are entered correctly, the security system displays a menu based or transaction on the group the user has been assigned to. The menus and transactions are designed to limit users to authorized functions. User IDs are appended to transactions to facilitate investigation and correction of unusual or erroneous transactions. Firewalls and routers are used to prevent unauthorized traffic on the CTP network. The operating systems of desktops and servers have been updated with the recent patches available from the vendor to protect against known vulnerabilities. Remote access to the CTP network is limited to authorized users and requires a valid user ID and password (6.3). Antivirus software has been installed on servers and desktops to protect the CTP network and business systems from disruption. Network support personnel monitor connectivity between remote production sites and the imaging group production environment. Monitoring procedures of routers, servers, sites, and communication lines are in place to support availability of customer access to the system. The network communications equipment is located in the computer room and is limited to network and operations personnel. Administration personnel are responsible for ensuring the security of the system. Windows administrator privileges are limited to authorized CTP administration personnel (6.4). TICKIT application Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 8 administrators are established for the satellite locations (Toronto,) and are limited to authorized personnel. (6.5). TICKIT administrators, within the OPSET role, have access to create new user access to the TICKIT application. Access to elevated functions within the TICKIT application is limited to authorized personnel (6.6). Password security for Windows and TICKIT meet the minimum standards of the CTP Information Systems Security Policies. Windows and TICKIT password parameters are established to require a minimum length, enforce complexity, and enforce periodic password changes (6.7). Designated personnel are authorized to move code changes into the production environment (6.8). To access TICKIT source code and make application changes, programmers utilize librarian software called PVCS. PVCS is utilized as a code repository. The PVCS tool restricts the development of program changes only to authorized personnel. Access to production source and object code directories are limited by access control software to authorized personnel. Programmers are assigned a user ID that the application uses to track changes made by that user. Once changes have been developed, they are moved to a staging location by the programming personnel. Application Change Management Control Objective 7: Controls provide reasonable assurance that new or changed programs in the system are approved, tracked, tested, and documented. TICKIT Specific: TICKIT application development policies and procedures are in place to guide the development of programs (7.1). Documentation standards exist for program and operations documentation. Programmers are responsible for updating operations and systems documentation. Clerical procedures are documented by information systems personnel when new programs are written. When clerical procedures for existing systems are changed, Information Systems informs the affected user departments of the changes and the user departments are responsible for updating the clerical procedures documentation and training their personnel. Semiannually, the technical writing staff reviews user documentation to ensure it is current, complete, and accurate. Changes are tracked via an online tracking tool to facilitate the change management process, including retaining necessary approvals and change documentation (7.2). Change management is achieved through the use of an internally developed online project task tracking system, which is used for monitoring the status of changes, and noting programs and changes are implemented according to established installation standards. This request tracking system is online and is known as Track-It!. Requests for program changes are created by a business user and submitted electronically to a programming manager. Management monitors program changes from the requirements phase through completion. The priority of programming projects is determined by the operations, which meets monthly to determine the need for program changes. Requests by the user groups are assigned a priority ranking, which determines the timing of programming. Programmers and management also meet once a month to discuss the status of open projects. Release meetings are held prior to the weekly release of programs to production. The requestor, programmer, and testing personnel discuss testing results of completed program changes, any significant effects on system processing and whether a program is ready to be released into production. Authorizations to release programs into production are electronic from Track-It!, with date/time stamps, and include the Manager and Business Owner. Changes are installed on the test system and tested before being moved to production. Prior versions are retained for reinstallation if necessary. Program changes are tested and the results are documented in program change documentation. After coding changes are completed, programmers test the programs in Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 9 their individual test libraries. Program changes are tested in a test environment and test results are retained in the program change documentation (7.3). Program changes are tested using a test database or copies of production data files. An assessment is also performed of functions affected by the program change by operations. The programmer will be notified of any further required changes. After testing has been completed, the programmer who made the changes marks the program as ready for release to production using an online change control system. Electronic authorizations from Track-It! are used to record authorization to move programs from test to production. A report of programs to be released to production is produced by the system prior to the weekly implementation of changes and provided to management of operations, system software and application programming. Programmers promote program changes to a test library on the test system. When testing is completed, the programmer promotes the code to a staging level on the production system, where the TICKIT image support personnel then promote the changes to production. Authorized operations and systems administration personnel move program changes into production (7.4). TICKIT image support personnel release the changes into production weekly by initiating a release routine. If an error occurs within the TICKIT application, the previous version is restored to the production environment. The troubled version is removed from the production environment. A Trouble Ticket is opened to fix the error. Once the error is fixed, it will be incorporated with the next TICKIT build. The regular TICKIT application change management process is followed to fix errors. The previous three versions of TICKIT are retained on servers to ensure multiple versions are available to be restored in the event the current version becomes problematic. Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 10 Description of Complementary User Controls Controls at CTP cover only a portion of the overall internal control that would be of interest to the user entity. It is not feasible for the control objectives relating to transaction processing to be solely achieved by CTP. Rather, the user entity's internal controls are required to be evaluated in conjunction with the description of CTP' controls provided by management in Section II of this report, and the testing of specified controls summarized in Section III of this report. This section highlights certain internal control responsibilities that CTP believes should be present for user entities. CTP has considered these in developing its controls described in this report. In order for user entities to rely on the controls reported on herein, user entities are required to evaluate their own internal controls and determine if the following procedures are in place. Furthermore, the controls listed below are intended to address only those control objectives related to the processing by CTP. Accordingly, this list does not purport to be and is not a complete listing of the controls that provide a basis for the assertions underlying user entity's financial statements. Number 1. 2. Complementary User Controls Clients that are given access to CTP systems use unique user IDs and do not share passwords. Clients are responsible for validating the users with access to CTP systems have a business requirement for such access. Bank statements for the depository and refund accounts should be reviewed and reconciled to the cash reports provided by CTP. Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 11 Business Continuity and Disaster Recovery Planning The following provides brief descriptions of the business continuity plan (BCP) and disaster recovery plan (DRP) in place at CTP. The CTP internal audit department reviews the plans on a regular basis to confirm they remain up-to-date and contain necessary information and documentation. The BCP is used as a guideline for CTP' response to limited disruptions to the business processing cycle. The BCP is a summary of responses to situations that CTP may encounter at any given time. CTP managers are involved in these sorts of decisions on a daily basis as part of normal operations. The DRP is simply an extension of the BCP that would be implemented in the event of a significant disruption in CTP' ability to do business. However, the DRP is much more comprehensive in nature and includes information that would allow CTP to move an entire operation from one facility to another and begin processing in a timely manner. The DRP is a response to situations that might result in the cessation of operations at a facility, such as a direct strike of a CTP facility by a tornado. Business Continuity Plan Business continuity planning, as defined by CTP, addresses the core business processes of CTP. It should be noted that CTP' BCP implicitly refers to the CTP DRP when and where it is deemed necessary. As a normal course of business, CTP maintains and deploys contingency plans designed to address various potential business interruptions. An \"inventory\" of CTP's core business processes was identified during the development of the BCP and is continually reviewed for appropriateness. These core business processes are defined as \"the processes that CTP must accomplish in order to satisfy fulfillment contract obligations and remain a viable business.\" Continuity planning is an ongoing process that includes the entire CTP. This initiative calls for the performance of a risk assessment, development of contingency plans for the most reasonably likely scenarios (possible multiple, simultaneous or unique business disruptions to core business processes) and monitoring the development, and, where necessary, the implementation of those plans. The plan is reviewed and updated semiannually at a minimum, by personnel responsible for the various departments throughout CTP. Additionally, these changes are reviewed by the CTP risk management department. On an annual basis, CTP tests the ability of the various sites to respond to business disruptions. The locations and their BCP are evaluated for efficiency and effectiveness. Modifications to the plan occur, as necessary, in response to identified weaknesses or deficiencies. Disaster Recovery Plan The DRP of CTP was developed by a certified disaster recovery planner with the aid of individuals from the various departments of CTP. The plan includes administrative, operational, and technological functions. A hard copy of the entire plan is maintained in three separate locations and an electronic copy is maintained online. Additionally, a copy of the applicable sections is maintained by the areas directly affected by said sections of the DRP. Executive management of CTP also maintains copies of the Emergency Operations Center Binders and CD-ROMs of the entire plan to ensure quick implementation of the plan in the event of a disaster. Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 12 Annually CTP conducts disaster drills (simulated tornado, fires, etc.) and implements the procedures outlined in the DRP. Additionally, on a semiannual basis, information services personnel implement disaster recovery procedures and perform an actual restoration of our fulfillment systems at our designated \"hot site.\" There is a rotation of the personnel sent to attend the hot site exercise. In the event a disaster requiring actual restoration of the fulfillment systems occurs, CTP will have staff available. At a minimum, on a semiannual basis the plans are reviewed and changes are forwarded to the director of facilities, office services, and risk management for inclusion in the master copies of the DRP and online. Payment Card Industry Security Program Compliance Efforts The Payment Card Industry (PCI) Data Security standard applies to payment channels, such as mail, telephone order, and internet. PCI is an established program accepted by the major credit card brands (Visa, Master Card, Discover, and American Express) to support the security of cardholder information as it is being processed and stored by vendors and merchants. PCI compliance is required of merchants and service providers that store, process, or transmit cardholder data. The PCI Data Security Standard offers a single approach to safeguarding sensitive data for payment card brands. The standard provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard consists of basic security requirements categorized as follows: Building and maintaining a secure network by: Installing and maintaining a firewall configuration to protect data Not allowing use of vendor-supplied defaults for system passwords and other security parameters. Protecting cardholder data by: Securing stored data Encrypting transmission of cardholder data and sensitive information across public networks. Maintaining a vulnerability management program by: Using and regularly updating antivirus software Developing and maintaining secure systems and applications. Implementing strong access control measures by: Restricting access to data by business need-to-know Assigning unique IDs to people with computer access Restricting physical access to cardholder data. Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 13 Regularly monitor and test networks by: Tracking and monitoring access to network resources and cardholder data Regularly testing security systems and processes. Maintaining an information security policy. CTP is defined as a Level 1 Service Provider per the PCI DSS. As a result of this designation CTP submits to an onsite PCI DSS assessment by an independent Qualified Assessor (QA) on an annual basis. Additionally, on a quarterly basis, CTP submits to a network scan conducted by an independent Approved Scanning Vendor (ASV). This scan is performed on their Internet-facing perimeter systems of CTP and checks for vulnerabilities. Management Responses to Observations Identified During the Tests of Internal Controls CTP' management has included responses and representations below to certain exceptions noted in Section III. Dewey, Cheatem & Howe takes no responsibility for the effective implementation of any corrective action or its sufficiency. This following section is intended to provide CTP users and their auditors with management responses to the exceptions identified in Section III of this report that pertain to the controls at CTP that may affect the processing of user entities' transactions. The responses, when combined with an understanding and assessment of the controls at user entities, are intended to assist users and their auditors in (1) assessing control risk for assertions in user entity's financial statements that may be affected by controls at CTP, and in (2) planning the audit of user entity's financial statements. The examination conducted by Dewey, Cheatem & Howe was restricted to the control objectives and related procedures specified by CTP in the Tests of Operating Effectiveness section of Section III of this report, and accordingly may not have extended to the management responses in the following section. It is each user entity's and user entity's auditors' responsibility to evaluate this information in relation to the controls in place at each user entity. Confidential This report is intended solely for use by management of CTP, its user entities, and the independent auditors of such user entities. 14