Review the highlights from Tim Roncevich and Kelvin Walker's presentation at the P & A Leadership Summit where they discussed Internal Controls Employed in F&I Practices.

2. F&I Administration Processing
Controls – An SSAE 16 Perspective
Tim Roncevich
Partner, SSAE 16 Professionals
Kelvin Walker
Director, SSAE 16 Professionals

3. Session Speakers
• Tim Roncevich
– Co-founder of SSAE 16 Professionals
– Spearheaded SAS 70/SSAE 16/SOC 2 methodology
and for monitoring and testing information
technology environments to ensure compliance
– Performed over 200 SAS 70/SSAE 16/SOC 2 audits
around the world
– Expert belly flopper as ranked by his kids

4. Session Speakers
• Kelvin Walker
– Results-oriented IT risk management, information security
and technology professional with over 20 years of
experience
– Senior Manager reinforced with a strong background of
Information Technology and security strategies across a
wide array of information systems and platforms
– Provides compliance and technology risk consulting
services for U.S. and International organizations including
SSAE 16, SOC 2, and SOC 3 Type I & II audits
– Avid College and SEC Football Fan - Bleeds Orange & White

5. SSAE 16 & SOC 2 OVERVIEW

6. SSAE 16 Overview
• SSAE 16 – Audit of Internal Controls Over
Financial Reporting (ICFR’s)
– NOT a Financial Statement Audit
– IT Controls Tested
– Business Process Controls Tested
– Risk-Based Approach
– Industry Specific Controls

7. SOC 2 Overview
• SOC 2 – Audit of the Trust Services Principles
(TSP’s) & Criteria
– Security
– Availability
– Processing Integrity
– Confidentiality
– Privacy

8. SSAE 16 Audit Key Considerations
• Internal Controls Are A Major Component &
Make The Process Simpler
• Not All Internal Control Areas Included
– Client Facing Focus
• Three Major SOC Process Phases
– Readiness Assessment
– Type I
– Type II (Annual Audit Thereafter)

9. INTERNAL CONTROLS EMPLOYED
IN F&I PRACTICES

10. Internal Control Requirements -
Not Always In the Past!
A.J. Mueller
Bryan Dyer

11. F&I Industry & Internal Controls
• Internal Management & Training Processes
• Products and Channel Management Controls
• Client Contract And Processing Areas
• Claims Processing Management
• Financial & Accounting Processes
• Technology Interfaces (Portals) & Vendors
• Information Technology General Controls

12. Internal Management & Training
Processes
• Focus on General Operational Areas as
Related to Client’s SOC Scope
– Typical Areas
• Initial Hiring Processes
• Internal Training Procedures
• Key Business Operations Controls
• Typically Apply Across Industry Segments
• Day to Day Business Controls

13. Internal Management & Training
Processes
• Practical Examples
– Upon employment all employees sign and acknowledge a Non-
Disclosure and Assignment Agreement, which includes sections on
Access to Confidential Information, Safeguarding Non-Public Personal
Information, Copyrights, Inventions, and Ownership of Material
created during their employment.
– On an annual basis, management reviews the complementary user
entity control considerations contained within the Service
Organization Control (SOC) audit reports for applicable subservice
providers and verifies the controls are satisfactorily implemented and
in place within their environment.

14. Program & Channel Management
• Controls Related to On-going Risks &
Reporting
– Product Development Activities
– Reporting of Controls to Specific Clients &
Partners (i.e. insurance providers & finance
providers)
• Different Channels Within the Same Business
Process

15. Program & Channel Management
• Practical Example
– Legal/Compliance reviews and approves all new products to insure
compliance with various national, state and local governmental
statutes and regulations prior to the product being established within
the SCS system.
– All new products and programs developed by Product Management
require Executive Management review and written approval prior to
integration into the service offering.

16. Client Contract & Processing
Management
• Key Focus Points
– Actual Contracts & Income Management
– Partner Management (Internal and External)
• Processing Controls
– High Volume Key Transactional Control Areas
• Reconciliations
• Establishment of New Client Contracts
• Management of Client Processing Payments
• Portal & Client Interfaces
• Access & Authorization to Data & Capabilities

17. Client Contract & Processing
Management
• Practical Example
– A Dealer setup is not complete within the core contract application
until the Contract Management team completes a test of the quote
process for the new and / or modified product set. Such test is
evidenced via manual sign off on the dealer commission rate
worksheet.
– Cancelled contracts are reconciled and residual value is extracted and
reimbursed to the dealer or applied to the dealer periodic statement
or the vehicle lienholder / customer as necessary.

18. Claims Processing Management
• Controls Focused on Approval and Payment of
Claims
– Key Areas
• Inbound Data Accuracy (From the Claimant, Selling
Dealer and Repair Organization)
• Outbound Data Accuracy (To the Claimant & Vendor)
• Internal – Client Contract and Processing Controls
• Internal – Financial Teams & Process Linkage
• Information Portals
• Access and Authorization to Data & Capabilities

19. Claims Processing Management
• Automation & Mobile Integration Concepts
– Ability to Integrate Into the Mobile Space
• Use of a Paper Airline Ticket vs a Mobile Device
– Linkage to the Payment Processes in the Back-End
Financial Processes
• Payments to Vendors
• Payments to Clients & Service Partners

20. Claims Processing Management
• Practical Example
– Mechanical "Large Value Claims" (LVC) in excess of $2,500 must be
inspected by an independent third party resource. Once the
inspection is complete, a written report review is completed prior to
claim payment issuance.
– The claims processing system calculates the correct claim total based
on key claim information (deductible, claim amount(s), associated
claim contract terms) contained in the system and the information
supplied by the claim team in the specific claim entries.

21. Financial & Accounting Processes
• Internal Controls Related the Client Facing
Processes
– Client Contract & Processing (Inbound Fund
Management)
– Claims Management (Outbound Fund
Management)
– Reconciliation Processes
• Various Programs & Vendor Payments
• Integration of Various System Reconciliations

22. Financial & Accounting Processes
• Practical Example
– On a daily basis the credit merchant service provider disbursement
transactions are reconciled to bank activity.
– Monthly net premiums are reconciled for each insurance carrier
between the core processing system and the financial management
application.

23. Technology Interfaces
• Portals to Integration Partner Controls
• Portals to Other Programs and Systems
• Mobile Technology Impact

24. Technology Interfaces
• Practical Example
– Systems are in place to monitor and log critical integration portals and
provide automated e-mail notification of Operational IT Management
upon portal functionality and data transfer failures.
– Data Transfers initiated via Mobile Devices (phones, tablet and other
similar systems) are filtered to ensure the expected data is being
transferred to the core processing environment.

25. IT General Controls
• Broad Based Controls
– Security (Logical, Physical, & Technical)
– Computer Operations
– Change Management
– Governance
• Foundation to the Internal Control Environment
• IT Control Linkage to Business Processes

26. Benefits of an SSAE 16 Audit
• Increased Awareness on Internal Controls
Related to Client Requirements
• Investment
– Marketing + Compliance = ROI
• Competitive Advantage
– Ability to Differentiate Your Services

27. Benefits of an SSAE 16 Audit (cont.)
• Contractual Requirement of Service Providers
• Audit Requirement of Service Providers
– SOX Impact
– One-time Audit
• Provides Clients and Prospective Clients Increased
Confidence in your Services
– Not the Customer in the Dealer
– Your Partners & Service Providers
• Annual Audit & Report After Completion of Initial Type
II

28. F&I Administration Processing
Controls – An SSAE 16 Perspective
• Enhanced Credibility within Your Industry
– Internal Controls are Part of Your Organization
– SSAE 16 Audit Provides Independent Validation of
Internal Controls
– Increased Marketability to Your Industry
• Choose the Right Service Partners and
Providers for Your Firm

29. Questions / Comments