F&I Administration Processing Controls An SSAE 16 Perspective

Transcription

F&I Administration Processing Controls – An SSAE 16 Perspective
Tim Roncevich, Partner, SSAE 16 Professionals
Kelvin Walker, Director, SSAE 16 Professionals

Session Speakers: Tim Roncevich
– Co-founder of SSAE 16 Professionals
– Spearheaded the SAS 70/SSAE 16/SOC 2 methodology for monitoring and testing information technology environments to ensure compliance
– Performed over 200 SAS 70/SSAE 16/SOC 2 audits around the world
– Expert belly flopper as ranked by his kids

Session Speakers: Kelvin Walker
– Results-oriented IT risk management, information security and technology professional with over 20 years of experience
– Senior Manager with a strong background in information technology and security strategies across a wide array of information systems and platforms
– Provides compliance and technology risk consulting services for U.S. and international organizations, including SSAE 16, SOC 2, and SOC 3 Type I & II audits
– Avid college and SEC football fan; bleeds Orange & White

SSAE 16 & SOC 2 OVERVIEW

SSAE 16 Overview
SSAE 16 – examination of a service organization's controls relevant to its clients' Internal Control Over Financial Reporting (ICFR)
– NOT a Financial Statement Audit
– IT Controls Tested
– Business Process Controls Tested
– Risk-Based Approach
– Industry-Specific Controls

SOC 2 Overview
SOC 2 – examination against the Trust Services Principles (TSPs) & Criteria
– Security
– Availability
– Processing Integrity
– Confidentiality
– Privacy

SSAE 16 Audit Key Considerations
Internal Controls Are a Major Component & Make the Process Simpler
Not All Internal Control Areas Are Included – Client-Facing Focus
Three Major SOC Process Phases
– Readiness Assessment
– Type I (design of controls as of a point in time)
– Type II (design and operating effectiveness over a review period; annual audit thereafter)

INTERNAL CONTROLS EMPLOYED IN F&I PRACTICES

Internal Control Requirements Not Always In the Past!
Bryan Dyer
A.J. Mueller

F&I Industry & Internal Controls
– Internal Management & Training Processes
– Products and Channel Management Controls
– Client Contract and Processing Areas
– Claims Processing Management
– Financial & Accounting Processes
– Technology Interfaces (Portals) & Vendors
– Information Technology General Controls

Internal Management & Training Processes
Focus on General Operational Areas as Related to the Client's SOC Scope
– Typical Areas: Initial Hiring Processes; Internal Training Procedures; Key Business Operations Controls
– Typically Apply Across Industry Segments
– Day-to-Day Business Controls

Internal Management & Training Processes – Practical Examples
– Upon employment, all employees sign and acknowledge a Non-Disclosure and Assignment Agreement, which includes sections on Access to Confidential Information, Safeguarding Non-Public Personal Information, Copyrights, Inventions, and Ownership of Material created during their employment.
– On an annual basis, management reviews the complementary user entity control considerations contained within the Service Organization Control (SOC) audit reports for applicable subservice providers and verifies the controls are satisfactorily implemented and in place within their environment.

Program & Channel Management
Controls Related to On-going Risks & Reporting
– Product Development Activities
– Reporting of Controls to Specific Clients & Partners (i.e. insurance providers & finance providers)
– Different Channels Within the Same Business Process

Program & Channel Management – Practical Examples
– Legal/Compliance reviews and approves all new products to ensure compliance with applicable national, state and local statutes and regulations prior to the product being established within the SCS system.
– All new products and programs developed by Product Management require Executive Management review and written approval prior to integration into the service offering.

Client Contract & Processing Management
Key Focus Points
– Actual Contracts & Income Management
– Partner Management (Internal and External)
Processing Controls
– High-Volume Key Transactional Control Areas: Reconciliations; Establishment of New Client Contracts; Management of Client Processing Payments
– Portal & Client Interfaces: Access & Authorization to Data & Capabilities

Client Contract & Processing Management – Practical Examples
– A dealer setup is not complete within the core contract application until the Contract Management team completes a test of the quote process for the new and/or modified product set. The test is evidenced by manual sign-off on the dealer commission rate worksheet.
– Cancelled contracts are reconciled, and the residual value is extracted and reimbursed to the dealer, applied to the dealer periodic statement, or paid to the vehicle lienholder/customer as necessary.

Claims Processing Management
Controls Focused on Approval and Payment of Claims
– Key Areas:
  Inbound Data Accuracy (from the claimant, selling dealer and repair organization)
  Outbound Data Accuracy (to the claimant & vendor)
  Internal – Client Contract and Processing Controls
  Internal – Financial Teams & Process Linkage
  Information Portals: Access and Authorization to Data & Capabilities

Claims Processing Management
Automation & Mobile Integration Concepts
– Ability to Integrate into the Mobile Space (use of a paper airline ticket vs. a mobile device)
– Linkage to the Payment Processes in the Back-End Financial Processes: Payments to Vendors; Payments to Clients & Service Partners

Claims Processing Management – Practical Examples
– Mechanical "Large Value Claims" (LVC) in excess of 2,500 must be inspected by an independent third-party resource. Once the inspection is complete, a written report review is completed prior to claim payment issuance.
– The claims processing system calculates the correct claim total based on key claim information (deductible, claim amount(s), associated claim contract terms) contained in the system and the information supplied by the claim team in the specific claim entries.
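The two claims controls above describe a processing-integrity pattern: the system derives the payable total from contract terms it already holds rather than from a total typed in by the claim team, and a mechanical claim over the LVC threshold is blocked from payment until the independent inspection report has been reviewed. The following is an added example written for this page, not code from the presentation or from any F&I platform; the contract-term fields (deductible, per-claim coverage limit, covered component codes), the "mechanical" category label and the sample claims are assumptions for illustration.

```python
"""Added example: claim-total calculation and LVC payment gate.
Contract fields, category names and sample claims are assumed, not from the slides."""
from dataclasses import dataclass

# The slide says "in excess of 2,500"; currency is not stated, so this is a plain number.
LVC_THRESHOLD = 2500.00


@dataclass(frozen=True)
class ContractTerms:
    deductible: float
    coverage_limit: float          # assumed per-claim cap on the contract
    covered_components: frozenset  # assumed set of covered component codes


@dataclass
class Claim:
    claim_id: str
    category: str                  # "mechanical" or another assumed category
    line_items: dict               # component code -> amount entered by the claim team
    inspection_reviewed: bool = False  # set only after the written inspection report is reviewed


class ClaimControlError(Exception):
    """Raised when a control blocks payment issuance."""


def covered_gross(claim, terms):
    """Sum only the line items for components the contract actually covers."""
    return sum(amt for comp, amt in claim.line_items.items()
               if comp in terms.covered_components)


def compute_payable(claim, terms):
    """System-derived total: covered amount, capped by the contract limit, less deductible.
    The claim team never enters a total, so a mis-keyed total cannot drive the payment."""
    capped = min(covered_gross(claim, terms), terms.coverage_limit)
    return round(max(capped - terms.deductible, 0.0), 2)


def is_large_value(claim, terms):
    """LVC applies to mechanical claims whose covered repair cost exceeds the threshold
    (threshold measured before deductible is an assumption for this example)."""
    return claim.category == "mechanical" and covered_gross(claim, terms) > LVC_THRESHOLD


def authorize_payment(claim, terms):
    """Return the payable amount, or raise if the LVC inspection gate is not satisfied."""
    if is_large_value(claim, terms) and not claim.inspection_reviewed:
        raise ClaimControlError(
            f"{claim.claim_id}: LVC requires a reviewed independent inspection before payment")
    return compute_payable(claim, terms)


def run_demo():
    """Constructed sample claims exercising the cap, the uncovered-component rule and the gate."""
    terms = ContractTerms(deductible=100.00, coverage_limit=5000.00,
                          covered_components=frozenset({"ENG", "TRN"}))
    results = {}

    # Tyres are not covered; covered gross is 1800, under the LVC threshold.
    a = Claim("CLM-A", "mechanical", {"ENG": 1800.00, "TIRE": 300.00})
    results["CLM-A"] = authorize_payment(a, terms)

    # Transmission claim over the threshold with no reviewed inspection: blocked.
    b = Claim("CLM-B", "mechanical", {"TRN": 4200.00})
    try:
        authorize_payment(b, terms)
    except ClaimControlError:
        results["CLM-B"] = "BLOCKED"
    b.inspection_reviewed = True
    results["CLM-B-after-review"] = authorize_payment(b, terms)

    # Engine claim above the contract cap: capped at 5000 before the deductible.
    c = Claim("CLM-C", "mechanical", {"ENG": 6000.00}, inspection_reviewed=True)
    results["CLM-C"] = authorize_payment(c, terms)
    return results


if __name__ == "__main__":
    for claim_id, outcome in run_demo().items():
        print(claim_id, outcome)
```

The point of keeping `compute_payable` and `authorize_payment` separate is auditability: an auditor can test that the total is a pure function of system data (re-perform it for a sample of paid claims) and, independently, that no LVC claim reached payment with `inspection_reviewed` still false.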

Financial & Accounting Processes
Internal Controls Related to the Client-Facing Processes
– Client Contract & Processing (Inbound Fund Management)
– Claims Management (Outbound Fund Management)
– Reconciliation Processes: Various Programs & Vendor Payments; Integration of Various System Reconciliations

Financial & Accounting Processes – Practical Examples
– On a daily basis, the credit merchant service provider disbursement transactions are reconciled to bank activity.
– Monthly net premiums are reconciled for each insurance carrier between the core processing system and the financial management application.
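Both reconciliation controls on this slide are the same operation on different ledgers: aggregate each side by a shared key, then report what is present on one side only and what is present on both but with differing totals. The block below is an added example for this page, not code from the presentation; it generalises the two controls into one reconciler and runs it over constructed rows. The record layouts, field names, processor batch identifiers and carrier names are all assumptions for illustration.

```python
"""Added example: two-ledger reconciliation used for both the daily processor-to-bank
check and the monthly per-carrier net premium check.  All rows are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class ReconResult:
    matched: list = field(default_factory=list)          # keys on both sides with equal totals
    amount_mismatch: dict = field(default_factory=dict)  # key -> (left_total, right_total)
    left_only: dict = field(default_factory=dict)        # key -> left_total (nothing on right)
    right_only: dict = field(default_factory=dict)       # key -> right_total (nothing on left)

    def is_clean(self):
        return not (self.amount_mismatch or self.left_only or self.right_only)


def _totals(rows, key, amount):
    """Aggregate amounts per key using Decimal so cents are compared exactly."""
    totals = defaultdict(Decimal)
    for row in rows:
        totals[row[key]] += Decimal(str(row[amount]))
    return totals


def reconcile(left, right, key, amount, tolerance=Decimal("0.00")):
    """Compare per-key totals of two ledgers.  Aggregating first means one processor
    batch that settles to the bank as several credits still reconciles; the tolerance
    (assumed parameter) lets a control owner accept documented rounding differences."""
    lt, rt = _totals(left, key, amount), _totals(right, key, amount)
    result = ReconResult()
    for k in sorted(set(lt) | set(rt)):
        if k not in rt:
            result.left_only[k] = lt[k]
        elif k not in lt:
            result.right_only[k] = rt[k]
        elif abs(lt[k] - rt[k]) > tolerance:
            result.amount_mismatch[k] = (lt[k], rt[k])
        else:
            result.matched.append(k)
    return result


def daily_disbursement_recon():
    """Constructed sample: merchant processor disbursement batches vs. bank credits."""
    processor = [
        {"batch": "B-1001", "amount": "1500.00"},
        {"batch": "B-1002", "amount": "820.50"},
        {"batch": "B-1003", "amount": "2400.00"},   # disbursed, never reached the bank
    ]
    bank = [
        {"batch": "B-1001", "amount": "1500.00"},
        {"batch": "B-1002", "amount": "800.00"},    # B-1002 settled as two credits
        {"batch": "B-1002", "amount": "20.50"},
        {"batch": "B-1004", "amount": "99.00"},     # credit with no processor record
    ]
    return reconcile(processor, bank, key="batch", amount="amount")


def monthly_premium_recon():
    """Constructed sample: net premium per carrier, core system vs. financial application."""
    core = [
        {"carrier": "CarrierA", "amount": "12500.00"},
        {"carrier": "CarrierB", "amount": "8300.25"},
    ]
    financial = [
        {"carrier": "CarrierA", "amount": "12500.00"},
        {"carrier": "CarrierB", "amount": "8310.25"},  # posted 10.00 high in the ledger
    ]
    return reconcile(core, financial, key="carrier", amount="amount")


if __name__ == "__main__":
    for name, res in (("daily", daily_disbursement_recon()), ("monthly", monthly_premium_recon())):
        print(name, "clean" if res.is_clean() else "exceptions",
              res.left_only, res.right_only, res.amount_mismatch)
```

For an SSAE 16 Type II, the evidence an auditor asks for is the exception list and who cleared each item, so in practice `ReconResult` would be persisted per run with the reviewer's sign-off rather than only printed.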

Technology Interfaces
– Portals to Integration Partner Controls
– Portals to Other Programs and Systems
– Mobile Technology Impact

Technology Interfaces – Practical Examples
– Systems are in place to monitor and log critical integration portals and provide automated e-mail notification to Operational IT Management on portal functionality and data transfer failures.
– Data transfers initiated via mobile devices (phones, tablets and other similar systems) are filtered to ensure only the expected data is transferred to the core processing environment.

IT General Controls
Broad-Based Controls
– Security (Logical, Physical & Technical)
– Computer Operations
– Change Management
– Governance
Foundation of the Internal Control Environment
IT Control Linkage to Business Processes

Benefits of an SSAE 16 Audit
Increased Awareness of Internal Controls Related to Client Requirements
Investment
– Marketing
– Compliance ROI
Competitive Advantage
– Ability to Differentiate Your Services

Benefits of an SSAE 16 Audit (cont.)
Contractual Requirement of Service Providers
Audit Requirement of Service Providers
– SOX Impact
– One-time Audit
Provides Clients and Prospective Clients Increased Confidence in Your Services
– Not the Customer in the Dealer
– Your Partners & Service Providers
Annual Audit & Report After Completion of the Initial Type II

F&I Administration Processing Controls – An SSAE 16 Perspective
Enhanced Credibility within Your Industry
– Internal Controls Are Part of Your Organization
– An SSAE 16 Audit Provides Independent Validation of Internal Controls
– Increased Marketability to Your Industry
Choose the Right Service Partners and Providers for Your Firm

Questions / Comments
