Shift4 Payments
2016 Audit Findings

Presented February 28, 2017

Prepared by:
[Redacted - Names and Contact Information of Auditors]

This report is intended solely for the information and use of the management of Shift4 Payments and is not intended to be and should not be used by anyone other than these specified parties
Private and Confidential

1

Shift4 Payments
Table of Contents
Executive Summary................................................................... 3
Summary of 2016 Audit Findings................................................ 4
Detailed 2015 Audit Findings........................................................5
Prior Year Recommendations................................................................6
Summary of the 2016 IT Audit By: Moss Adams.......................10
Appendix-Management’s Response.............................................11

Private and Confidential

2

Shift4 Payments
Executive Summary
As part of our audit of the financial statements of Shift4 Payments (the Company) as of and for the year ended December 31, 2016, we are providing this summary of the findings from the 2016 audit.
•   Overall, the audit process went well, and we would classify the intemal control environment as good
•   There was one material weakness, 3 significant deficiencies, and 5 minor control deficiencies noted over various transaction cycles as described in the report below. The material weakness noted related to deficiencies in the process for establishing the allowance for doubtful accounts and related provision.
•   We are recommending ways to improve internal controls that should assist the Company in establishing a more robust system of Internal controls.
•   We would like to recognize the efforts of the accounting staff in working with us over the fast few weeks, the Company has shown a great effort in implementing new controls and in helping us during the audit.

Private and Confidential

3

Shift4 Payments
Summary of 2016 Audit Findings

Number | Category | Risk | Brief Description
------- | -------- | -------- | --------
1 | Material Weakness | Financial Statement Close and Reporting|Deficiencies were identified in the Company’s process for establishing an allowance for doubtful accounts and related provision.
2 | Significant Deficiency | Revenue and Cash Receipts | We noted that the Company does not have a sufficient process in place to prevent a merchant from being set up multiple times within various systems.
3 | Significant Deficiency | Human Resource-Payroll | We noted that payroll changes (increases to salaries, new hires and fires) are all done verbally.
4 | Significant Deficiency | Financial Statement Close and Reporting |Deficiencies were noted in the reconciliation process of certain balance sheet accounts.
5 | Minor Control Deficiency | Information Technology| The disaster recovery plan has not been tested recently.
6 | Minor Control Deficiency | Information Technology|The Company does not have sufficient controls in place to monitor when the last time a backup was completed and if the backup was successful.
7 | Minor Control Deficiency | Accounts Payable and Cash Disbursements| We noted that a large population of invoices were matched with checks using information entered to the bank reconciliation; however, there was no indication of who performed the matching or when that task was performed.
8 | Minor Control Deficiencies | Accounts Payable and Cash Disbursements | We noted instances where invoices did not have proof of authorization prior to payment of the invoice.
9 | Minor Control Deficiencies | Entity level Controls | The Company does not have formal meetings to discuss strategic plans as a collective unit.

Private and Confidential
4

Shift4 Payments
Detailed 2015 Audit Findings

1.  **Material Weakness: Deficiencies were identified in the Company’s process for establishing an allowance for doubtful accounts and related provision.**
    *   During our audit procedures, we noted that management's estimate of the required allowance and related provision was not accurate. Further, we noted a lack of formalized intemal controls that would have prevented or detected this material error.
    *   We recommend that management develop a robust process, including relevant preventative or detective internal controls, over establishing this accounting estimate.

2.  **Significant Deficiency: We noted that the Company does not have a sufficient process in place to prevent a merchant from being set up multiple times within various systems.**
    *   During our testing, we noted instances where merchants had multiple ID’s in the Company’s system.
    *   We recommend that the Company consider implementing unique identifiers to restrict duplicate entries of the same vendor.

3.  **Significant Deficiency: We noted that payroll changes (increases to salaries, new hires and fires) are all done verbally.**
    *   During our testing, we noted that requests and authorization of updates/changes to payroll information that impact payroll processing is done verbally, versus in writing.
    *   We recommend that all changes to payroll records be done via the authorized form and with signature approval to ensure that no unauthorized changes are made to payroll data.

4.  **Significant Deficiency: Deficiencies were noted in the reconciliation process of certain balance sheet accounts.**
    *   During our testing of balance sheet reconciliations, we noted that not all balance sheet accounts were reconciled at year end, and some reconciliations did not include sufficient support or adequate explanation of reconciling items.
    *   We recommend that the Company perform and document reconciliations for all balance sheet accounts at the balance sheet date.

5.  **Minor Control Deficiency: The disaster recovery plan has not been tested recently.**
    *   During our testing, we noted the Company had not performed a test of the DR plan in the last year. The test should include testing restoration from backup and failover to the secondary environment.
    *   We recommend that the Company test the DR plan annually at a minimum.

6.  **Minor Control Deficiency: The Company does not have sufficient controls in place to monitor when the last time a backup was completed and if the backup was successful.**
    *   During our testing, we noted that there is not a sufficient procedure to test the data recovery.
    *   We recommend that the Company make sure that the backup is working and that it gets done properly and on time.

7.  **Minor Control Deficiency: We noted that a large population of invoices were matched with checks using information entered to the bank reconciliation; however, there was no indication of who performed the matching or when that task was performed.**

 Private and Confidential
5
*   *During our testwork, we noted that there was a large population of items that were reconciled on the bank reconciliation (primarily on one bank account), and the supporting document for our testing of cash disbursements was a screen shot referencing that the item had been entered on the bank reconciliation. We noted no indication of who matched the item with the vendor invoice or when that person matched it. Further, we noted no indication of supervisory review. We recommend a formal policy that requires, at minimum, the initials of the person who is performing that task and initials of a reviewer.*

  8.  **Minor Control Deficiencies: We noted instances where invoices did not have proof of authorization prior to payment of the invoice.**
      *   During our testing, we noted instances where there was no initial or signature on the check to show the authorization of the payment.
      *   We recommend that the company policy be that all invoices have an approval signature, and then that the company adhere to that policy.

  9. **Minor Control Deficiencies: The Company does not have formal meetings to discuss strategic plans as a collective unit.**
      *   We noted the Company does not have reoccurring formal meetings.
      *   We recommend that the Company implement a regular meeting to discuss issues that may be present.
***Prior Year Audit Recommendations***

The items below were noted during the 2015 audit performed by the previous auditor. We noted that all of these deficiencies are still present in 2016.
***Revenue Recognition***
Currently the Company recognizes revenue when cash is received.
It is recommended that the Company implement procedures and controls to recognize revenue when it is earned.

***Accounting Close Process***
Currently the Company is closing the books annually.
It is recommended the Company close the books monthly or at least quarterly, review account reconciliations and roll forwards and make any necessary adjustments.

***Bank Reconciliations***
Currently the Company is not performing timely bank/merchant statements reconciliations. The bank reconciliations are being performed only annually when preparing the annual financial statements. The Company has a bank/merchant statement reconciliation process. It is recommended that the Company consider improving upon the current process to perform account reconciliations for each operating account, credit card account, and merchant account.

***Accounts Receivable***
Currently the Company is not closing the accounts receivable sub-ledger timely, reconciling the sub-ledger to the general ledger, or performing an analysis for the allowance for doubtful accounts. It is recommended that the Company perform an aged accounts receivable report monthly and reconcile it monthly. We also, as mentioned above, recommend an analysis of the allowance for doubtful accounts.

***Merchant Portfolio***
Currently the Company has not developed a process to evaluate the purchase of a merchant portfolio. If/when the Company purchases a merchant portfolio, it is recommended that the Company develop a consistent process to evaluate the purchase to ensure the purchase price does not exceed fair value.

***Fixed Asset Listing***
Currently the Company does not maintain a comprehensive and detailed listing of all fixed assets. We recommend that the Company prepare and maintain a detail fixed asset listing including date acquired, cost accumulated depreciation, depreciation method and useful life.

***Accrued Expenses***
Currently the Company does not reconcile their accrued liability accounts on a regular basis.
We recommend that the Company perform regular reconciliations of all accrued liability accounts.

***Software Development Costs***
Currently the Company does not appear to have a policy to determine if internally generated software costs should be capitalized.
It is recommended that the Company develop and implement a thoughtful process for determining which internally developed costs should be capitalized, and which should be expensed.

***Payroll***
Currently management uses a verbal system for all authorization of pay, new hires, terminated employees and status changes.
  We recommend implemented a written/electronic payroll system.

Private and Confidential

6
***Summary of the 2016 IT Audit By: Moss Adams***

Finding 1
Condition: Access to the UTG application, which includes Lighthouse, is not integrated with Active Directory.

Cause
User accounts are not disabled in a timely manner when employees leave the company or no longer require access.
Recommendation
Integrate user access for the UTG application with Active Directory.

Finding 2
Condition: Generic user accounts are leveraged for access to the UTG application and database.
Cause
Not enough control over user access and no tracking
Recommendation
Discontinue the user of generic user accounts. Rather, assign users to accounts that uniquely identify each individual.

Finding 3
Condition: Security patching of end user workstations and server infrastructure is not formally governed by policies and procedures.
Cause
No formal patch management.
Recommendation
Implement a monthly patch management process and ensure updates are installed in a timely manner.

Finding 4
Condition: Backups are performed; however, a complete restore test of the backup data has not been performed.
Cause
No validation of the backup data or process.
Recommendation
Perform, document, and store the results of a full restore test of the backup environment on at least an annual basis to verify backup data validation and process.

Finding 5
Condition: Shift4 does not have compensating control documentation around user access reviews
Cause
Unaware of proper documentation
Recommendation
Shift 4 should include a review of the terminated user list compared to the Active Directory.

Private and Confidential

7

**Appendix: Management's Response (Exhibit 7970)**

The entire management response is inside this exhibit.