Ah, IT compliance – everyone’s favorite subject matter! What better way to guarantee suddenly waking up at 2 a.m. in a cold sweat! Yes, the subject matter is not only confusing, but may also be frustrating. This confusion and frustration typically stems from the uncertainty associated with not knowing what is really needed to satisfy your clients’ requests, and the process of becoming compliant. For providers and administrators to the F&I industry, there is an increasing demand for Statement on Standards for Attestation Engagements (SSAE) No. 16 audits. This is because these companies are considered “service organizations”, which are defined by the American Institute of CPAs (AICPA) as “an organization that operates information systems and provides information system services to user organizations (aka ‘your clients’).” The SSAE 16 is a risk-based report that is designed to provide your company with a means of building trust and confidence in your service delivery processes and internal controls through a report performed by an independent Certified Public Accounting (CPA) firm.
Within this article, I hope to provide some clarification around the SSAE 16 audit. Think of it as an imaginary dose of antacid to get rid of that discomfort associated with audits. This article will focus on two primary objectives. First, what the SSAE 16 audit is, and how much is involved in undergoing the audit. Secondly, I will provide some specific examples of the types of business process controls that pertain specifically to providers and administrators to the F&I industry.
Overview of the SSAE 16 Audit
For companies undergoing the SSAE 16 for the first time, the uncertainties around the process can make it seem like a daunting task. You may have many questions around the scoping of the report, documentation requirements, and the amount of time and company resources it will take to complete the audit. When preparing for your first audit, the SSAE 16 audit process can be broken down into three different phases: 1) readiness assessment, 2) SSAE 16 Type I audit, and 3) SSAE 16 Type II audit. These three phases are defined as follows:1. Readiness Assessment: The primary purpose of a readiness assessment is to document the key risks associated with a service offering and identify a control to mitigate each risk. By obtaining documentation and performing a detailed walk through of each control, the CPA firm will be able to provide a gap matrix on what would pass right away and what would fail. All failed controls should be listed in priority order and should include a detailed action plan, which will allow you to remediate the gaps. Once the issues have been fixed, it is important for the CPA firm to walk through each control again, to ensure there is documented evidence available to support the control conclusion. Utilizing a readiness assessment slows the entire process down and allows for a more controlled approach to the audit, which increases the likelihood of a successful audit free of any control deficiencies.
Once a readiness assessment has been performed, you can gain efficiencies by piggy-backing the SSAE 16 Type I audit.2. SSAE 16 Type I Audit: The SSAE 16 Type I is a report on policies and procedures placed in operation as of a specified “point in time”. SSAE 16 Type I reports evaluate the design effectiveness of a service provider’s controls and then confirms that the controls have been placed in operation as of a “specific date.” Basically, the SSAE 16 is an audit covering a single day. Think of this as a stopgap measure until you perform the Type II audit. Instead of waiting a minimum of six months to begin your SSAE 16 Type II, you can have an SSAE 16 Type I audit report in your hands shortly after your readiness assessment. Once in hand, you can provide this report to your current clients and client prospects to ease their minds when it comes to evaluating your internal controls. The SSAE 16 Type I audit allows your company to start realizing the ROI and benefits of the audit immediately following the readiness assessment. 3. SSAE 16 Type II Audit: The SSAE 16 Type II is a report on policies and procedures placed in operation and tests of operating effectiveness for a “period of time.” SSAE 16 Type II reports include the examination and confirmation steps involved in a Type I examination, plus includes an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months. After your first 6-month SSAE 16 Type II audit has been completed, the recommended course of action is to migrate to an annual audit cycle, with each subsequent audit covering a 12-month period of time. This ensures your controls are audited annually and can be relied upon by your clients.
Now, you may ask “Why should we spend the money on undergoing the SSAE 16 Type II audit when we already have the SSAE 16 Type I?” Well, the answer is two-fold. First, it is easy to say a control has been placed in operation for one day. Ensuring a control is in place and “operating” effectively over a period of time requires much more rigor and discipline from your company. Most of your clients will require you to undergo the SSAE 16 Type II audit for the greater level of assurance and reporting detail it provides. Secondly, if you have any clients who are publicly traded, they will have to undergo Sarbanes-Oxley (SOX) testing. Your clients’ auditors will want to review your SSAE 16 audit report, and unless it is an SSAE 16 Type II report, they will reject it.Internal Controls for Providers and Administrators of the F&I Industry
Now that the nuts and bolts of the SSAE 16 audit process has been identified, the rubber really meets the road in identifying risks and applicable controls to meet those risks. Essentially, the scope of any SSAE 16 report is comprised of two primary control areas:
- Information Technology General Computer Controls (ITGCC’s); and
- Business Process (F&I industry specific) Controls.
ITGCC’s are a set of broad-based internal controls, which are typically found across most companies, regardless of industry. Examples of control domains include:
- Logical security
- Physical security
- Technical security
- Computer operations
- Backup and recovery
- Application change management
Business process controls, on the other hand, are both industry-specific and company-specific. Depending on the services performed by your company, there are numerous control domains, which pertain to providers and administrators of the F&I industry. Examples of these control domains, together with practical examples, include:
1) Internal Management and Training Processes (e.g. initial hiring processes, internal training procedures, key business operations controls, typically apply across industry segments)o Practical examples:
- Upon employment all employees sign and acknowledge a non-disclosure and assignment agreement, which includes sections on access to confidential information, safeguarding non-public personal information, copyrights, inventions, and ownership of material created during their employment.
- On an annual basis, management reviews the complementary user entity control considerations contained within the Service Organization Control (SOC) audit reports for applicable subservice providers and verifies the controls are satisfactorily implemented and in place within their environment.
2) Program and Channel Management(e.g. controls related to on-going risks and reporting, product development activities, reporting of controls to specific clients and partners);o Practical example:
- Legal/Compliance reviews and approves all new products to insure compliance with various national, state and local governmental statutes and regulations prior to the product being established within the SCS system.
- All new products and programs developed by product management require executive management review and written approval prior to integration into the service offering.
3) Client Contract and Data Processing(e.g. actual contracts and income management, partner management, high volume key transactional control areas, access and authorization to data and capabilities);o Practical example:
- A dealer setup is not complete within the core contract application until the contract management team completes a test of the quote process for the new and / or modified product set. Such test is evidenced via manual sign off on the dealer commission rate worksheet.
- Cancelled contracts are reconciled and residual value is extracted and reimbursed to the dealer or applied to the dealer periodic statement or the vehicle lienholder / customer as necessary.
4) Claims Processing Management (e.g. controls focused on approval and payment of claims, inbound data accuracy, outbound data accuracy, internal – client contract and processing controls, internal – financial teams and process linkage, information portals, and access and authorization to data and capabilities)o Practical example:
- Mechanical "large value claims" (LVC) in excess of $2,500 must be inspected by an independent third party resource. Once the inspection is complete, a written report review is completed prior to claim payment issuance.
- The claims processing system calculates the correct claim total based on key claim information (deductible, claim amount(s), associated claim contract terms) contained in the system and the information supplied by the claim team in the specific claim entries.
5) Financial and Accounting Processes (e.g. client contract and processing, claims management, reconciliation processes);o Practical example:
- On a daily basis the credit merchant service provider disbursement transactions are reconciled to bank activity.
- Monthly net premiums are reconciled for each insurance carrier between the core processing system and the financial management application.
6) Technology interfaces (Portals) and Vendors (e.g. portals to integration partner controls, portals to other programs and systems, mobile technology impact)o Practical example:
- Systems are in place to monitor and log critical integration portals and provide automated e-mail notification to operational IT management upon portal functionality and data transfer failures.
- Data transfers initiated via mobile devices (phones, tablet and other similar systems) are filtered to ensure the expected data is being transferred to the core processing environment.
Now, unless you are a masochist or enjoy having a root canal without Novocain, you may be asking yourself “Why in the world would I want to voluntarily undergo the SSAE 16 audit?” Well, there are numerous benefits of undergoing an SSAE 16 audit:
- Competitive Advantage – performing the audit provides your company the ability to differentiate your services amongst your competition. The ability to use the report to market your compliance with the standard has provided companies a significant return on investment.
- Contractual Requirement of Service Providers – many times, your clients may build IT compliance requirements into your contractual agreement. The SSAE 16 has been the “go to” audit. Additionally, if you have public companies as clients, the report may be a SOX audit requirement for your company.
- Provides Clients and Prospective Clients Increased Confidence in your Services – many times, your clients may request to have a detailed security questionnaire completed by your staff. This takes valuable time and energy away from running your business. Once the SSAE 16 report has been completed, the report may be able to replace the multiple security questionnaires your company must complete each year.
- Increased Awareness on Internal Controls Related to Client Requirements – performing the report shows your clients that you are confident in your internal controls and that protecting their information is a high priority.
The good news is the stress and frustration of not knowing how best to satisfy clients’ requests regarding compliance matters can be alleviated. For providers and administrators to the F&I industry, the SSAE 16 audit can not only eliminate the need for numerous security questionnaire requests, but can also provide a means of building trust and confidence in your service delivery processes and internal controls with your clients. And that is something that will set you apart from your competitors!