Compliance Audit Checklist
1.1 Federal Regulations
- FTC Used Car Rule:
  - Ensure Implied Warranty Buyers Guides are displayed on all vehicles for sale.
  - Verify that Guides include accurate warranty information.
- FTC Safeguards Rule
- Gramm-Leach-Bliley Act (GLBA)
- FTC Unfair and Deceptive Practices Rule (UDAP):
  - Ensure pricing consistency:
    - Across all mediums (print, digital, verbal, physical).
    - All required add-ons included in price.
    - Only state and federal taxes and fees listed separately.
  - Express informed consent for all purchased items.
  - Purchased add-ons have real value.
  - Customer Complaint Policy
- Truth in Lending Act (TILA) / Regulation Z:
  - Audit disclosures provided to customers for financing agreements.
  - Ensure compliance with rules regarding APR and total financing costs.
- Equal Credit Opportunity Act (ECOA) / Regulation B:
  - Review credit application processes for compliance with nondiscrimination policy.
  - Confirm adverse action policy is being followed.
- Fair Credit Reporting Act (FCRA):
  - Adverse Action Notice
  - Audit processes for obtaining and using customer credit reports.
  - Verify proper disposal of sensitive customer credit information.
- IRS Form 8300 Reporting:
  - Check for proper reporting of cash payments over $10,000 within the required timeframe.
1.2 State-Specific Regulations
- Arizona Implied Warranty Laws:
  - Ensure all sales contracts comply with implied warranty requirements.
  - Confirm that any component exclusions are documented and signed by customers.
- Vehicle Titling and Registration
- Emissions Compliance (Arizona)
2. Internal Policies and Procedures
2.1 Policies
- Confirm all compliance policies are current, accessible, and effectively communicated to employees.
- Review policies related to:
2.2 Training
- Verify that all employees have completed required compliance training (e.g., Safeguards Rule, Red Flags Rule).
- Ensure training records are up to date and include certifications of completion.
2.3 Record Retention
- Audit compliance with Arizona’s record retention requirements (3 years minimum, 7 years recommended).
- Review storage systems for secure physical and digital document retention.
- Confirm that deal jackets contain all required paperwork (deal jacket checklist), including:
  - Reassigned titles.
  - Emissions certificates.
  - Sales contracts.
  - Temporary registration permits (TRPs).
2.4 Disaster Recovery
3. Dealership Operations
3.1 Sales Practices
- Ensure accurate disclosure of pricing visible on all for-sale vehicles.
- Audit sales contracts for compliance with all federal and state laws.
- Confirm that customer disclosures are clear and meet all legal requirements.
- Ensure all staff are complying with Personal Device policy.
3.2 Lending Practices
- Verify that all financing agreements comply with TILA/Reg Z requirements.
- Review processes for handling adverse actions under ECOA.
- Check for consistent use of OFAC checks during financing transactions.
3.3 Trade-Ins
- Confirm that trade-in evaluations are documented accurately.
- Verify proper handling of vehicles with outstanding loans (e.g., lien releases, payoff calculations).
- Ensure Trade-Ins are not sold until financing has been approved on newly purchased vehicle.
3.4 Optional Products and Services
- Audit disclosures for optional products such as warranties, GAP insurance, and service contracts.
- Ensure all optional products are presented as optional, with customer consent documented.
4. Financial Controls
- Verify timely and accurate payments to floor plan financing providers.
- Reconcile dealership financial records, including:
  - Customer deposits.
  - Vehicle sales proceeds.
  - Loan payoffs.
5. Vendor Oversight
- Confirm that all vendors (e.g., IT providers, service contract administrators) comply with dealership policies and data security standards.
- Review contracts for clear provisions regarding privacy and compliance responsibilities.
6. Technology and Security
6.1 Information Security
- Ensure customer information is encrypted during transmission and storage.
- Confirm that multi-factor authentication is enabled for access to sensitive systems.
- Audit compliance with cybersecurity measures required under the FTC Safeguards Rule.
6.2 System Monitoring
- Check logs for unauthorized access attempts or security incidents.
- Verify that IT systems are patched and up to date.
6.3 Physical Security
- Inspect physical storage areas for secure access controls.
- Confirm proper disposal of documents containing sensitive information (e.g., shredding).
7. Customer Complaint Handling
- Review customer complaints for patterns or unresolved issues.
- Confirm that complaint handling procedures align with the dealership’s policy.
- Ensure complaints are documented and resolved in a timely manner.
8. Marketing and Advertising
- Audit all advertising materials for compliance with federal and state laws.
- Verify that pricing and financing terms are clear, accurate, and not misleading.
- Ensure all disclaimers meet legal requirements.
- Ensure an advertising policy is in place and complies with the UDAP rule.
9. Monitoring and Reporting
- Confirm regular compliance monitoring and reporting processes are in place.
- Review any internal or external audit reports for unresolved issues or recommendations.
10. Action Plan for Remediation
- Identify gaps or deficiencies found during the audit.
- Develop a remediation plan with deadlines and assigned responsibilities.
- Schedule a follow-up audit or review to confirm that corrective actions are implemented.
Tools to Support the Audit
- Compliance Management Software: Use tools like DealerSocket or Compliance 360 to streamline audits and track progress.
- Checklists and Templates: Create detailed audit checklists for each compliance area.
- Employee Feedback: Gather input from employees to identify operational challenges or gaps in understanding.