F & I Administration Processing Controls- An SSAE 16 Professionals Perspective

DESCRIPTION

Review the highlights from Tim Roncevich and Kelvin Walker's presentation at the P & A Leadership Summit where they discussed Internal Controls Employed in F&I Practices.

F&I Administration Processing Controls – An SSAE 16 Perspective

Tim Roncevich, Partner, SSAE 16 Professionals

Kelvin Walker, Director, SSAE 16 Professionals

Session Speakers

• Tim Roncevich
  – Co-founder of SSAE 16 Professionals
  – Spearheaded SAS 70/SSAE 16/SOC 2 methodology and for monitoring and testing information technology environments to ensure compliance
  – Performed over 200 SAS 70/SSAE 16/SOC 2 audits around the world
  – Expert belly flopper as ranked by his kids

Session Speakers

• Kelvin Walker
  – Results-oriented IT risk management, information security and technology professional with over 20 years of experience
  – Senior Manager reinforced with a strong background of Information Technology and security strategies across a wide array of information systems and platforms
  – Provides compliance and technology risk consulting services for U.S. and International organizations including SSAE 16, SOC 2, and SOC 3 Type I & II audits
  – Avid College and SEC Football Fan - Bleeds Orange & White

SSAE 16 & SOC 2 OVERVIEW

SSAE 16 Overview

• SSAE 16 – Audit of Internal Controls Over Financial Reporting (ICFR’s)
  – NOT a Financial Statement Audit
  – IT Controls Tested
  – Business Process Controls Tested
  – Risk-Based Approach
  – Industry Specific Controls

SOC 2 Overview

• SOC 2 – Audit of the Trust Services Principles (TSP’s) & Criteria
  – Security
  – Availability
  – Processing Integrity
  – Confidentiality
  – Privacy

SSAE 16 Audit Key Considerations

• Internal Controls Are A Major Component & Make The Process Simpler

• Not All Internal Control Areas Included
  – Client Facing Focus

• Three Major SOC Process Phases
  – Readiness Assessment
  – Type I
  – Type II (Annual Audit Thereafter)

INTERNAL CONTROLS EMPLOYED IN F&I PRACTICES

Internal Control Requirements - Not Always In the Past!

A.J. Mueller

Bryan Dyer

F&I Industry & Internal Controls

• Internal Management & Training Processes
• Products and Channel Management Controls
• Client Contract And Processing Areas
• Claims Processing Management
• Financial & Accounting Processes
• Technology Interfaces (Portals) & Vendors
• Information Technology General Controls

Internal Management & Training Processes

• Focus on General Operational Areas as Related to Client’s SOC Scope
  – Typical Areas
    • Initial Hiring Processes
    • Internal Training Procedures
    • Key Business Operations Controls
    • Typically Apply Across Industry Segments

• Day to Day Business Controls

Internal Management & Training Processes

• Practical Examples
  – Upon employment all employees sign and acknowledge a Non-Disclosure and Assignment Agreement, which includes sections on Access to Confidential Information, Safeguarding Non-Public Personal Information, Copyrights, Inventions, and Ownership of Material created during their employment.
  – On an annual basis, management reviews the complementary user entity control considerations contained within the Service Organization Control (SOC) audit reports for applicable subservice providers and verifies the controls are satisfactorily implemented and in place within their environment.

Program & Channel Management

• Controls Related to On-going Risks & Reporting
  – Product Development Activities
  – Reporting of Controls to Specific Clients & Partners (i.e. insurance providers & finance providers)
• Different Channels Within the Same Business Process

Program & Channel Management

• Practical Example
  – Legal/Compliance reviews and approves all new products to ensure compliance with various national, state and local governmental statutes and regulations prior to the product being established within the SCS system.
  – All new products and programs developed by Product Management require Executive Management review and written approval prior to integration into the service offering.

Client Contract & Processing Management

• Key Focus Points
  – Actual Contracts & Income Management
  – Partner Management (Internal and External)

• Processing Controls
  – High Volume Key Transactional Control Areas
    • Reconciliations
    • Establishment of New Client Contracts
    • Management of Client Processing Payments
    • Portal & Client Interfaces
    • Access & Authorization to Data & Capabilities

Client Contract & Processing Management

• Practical Example
  – A Dealer setup is not complete within the core contract application until the Contract Management team completes a test of the quote process for the new and / or modified product set. Such test is evidenced via manual sign off on the dealer commission rate worksheet.
  – Cancelled contracts are reconciled and residual value is extracted and reimbursed to the dealer or applied to the dealer periodic statement or the vehicle lienholder / customer as necessary.

Claims Processing Management

• Controls Focused on Approval and Payment of Claims
  – Key Areas
    • Inbound Data Accuracy (From the Claimant, Selling Dealer and Repair Organization)
    • Outbound Data Accuracy (To the Claimant & Vendor)
    • Internal – Client Contract and Processing Controls
    • Internal – Financial Teams & Process Linkage
    • Information Portals
    • Access and Authorization to Data & Capabilities

Claims Processing Management

• Automation & Mobile Integration Concepts
  – Ability to Integrate Into the Mobile Space
    • Use of a Paper Airline Ticket vs a Mobile Device
  – Linkage to the Payment Processes in the Back-End Financial Processes
    • Payments to Vendors
    • Payments to Clients & Service Partners

Claims Processing Management

• Practical Example
  – Mechanical "Large Value Claims" (LVC) in excess of $2,500 must be inspected by an independent third party resource. Once the inspection is complete, a written report review is completed prior to claim payment issuance.
  – The claims processing system calculates the correct claim total based on key claim information (deductible, claim amount(s), associated claim contract terms) contained in the system and the information supplied by the claim team in the specific claim entries.

Financial & Accounting Processes

• Internal Controls Related to the Client Facing Processes
  – Client Contract & Processing (Inbound Fund Management)
  – Claims Management (Outbound Fund Management)
  – Reconciliation Processes
    • Various Programs & Vendor Payments
    • Integration of Various System Reconciliations

Financial & Accounting Processes

• Practical Example
  – On a daily basis the credit merchant service provider disbursement transactions are reconciled to bank activity.
  – Monthly net premiums are reconciled for each insurance carrier between the core processing system and the financial management application.

Technology Interfaces

• Portals to Integration Partner Controls
• Portals to Other Programs and Systems
• Mobile Technology Impact

Technology Interfaces

• Practical Example
  – Systems are in place to monitor and log critical integration portals and provide automated e-mail notification of Operational IT Management upon portal functionality and data transfer failures.
  – Data Transfers initiated via Mobile Devices (phones, tablet and other similar systems) are filtered to ensure the expected data is being transferred to the core processing environment.

IT General Controls

• Broad Based Controls
  – Security (Logical, Physical, & Technical)
  – Computer Operations
  – Change Management
  – Governance

• Foundation to the Internal Control Environment
• IT Control Linkage to Business Processes

Benefits of an SSAE 16 Audit

• Increased Awareness on Internal Controls Related to Client Requirements

• Investment
  – Marketing + Compliance = ROI

• Competitive Advantage
  – Ability to Differentiate Your Services

Benefits of an SSAE 16 Audit (cont.)

• Contractual Requirement of Service Providers
• Audit Requirement of Service Providers
  – SOX Impact
  – One-time Audit

• Provides Clients and Prospective Clients Increased Confidence in your Services
  – Not the Customer in the Dealer
  – Your Partners & Service Providers

• Annual Audit & Report After Completion of Initial Type II

F&I Administration Processing Controls – An SSAE 16 Perspective

• Enhanced Credibility within Your Industry
  – Internal Controls are Part of Your Organization
  – SSAE 16 Audit Provides Independent Validation of Internal Controls
  – Increased Marketability to Your Industry

• Choose the Right Service Partners and Providers for Your Firm

Questions / Comments
