TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/1187758
M R EP O RT | 17 SPONSORED CONTENT The Never-Ending Audit Are you prepared for your annual SSAE18 audit? By Staci Hardy I t's that time of the year again! You just completed last year's SSAE18 audit, and now it's time to start preparing for the next one. Mathematician Colin Adams wrote, "The better you're prepared, the better chance you'll have at staying on top of every- thing that is coming your way." Since an SSAE18 audit period can run anywhere between nine to 12 months, it's important that each functional area of your organiza- tion is prepared. The Importance of an SSAE18 I n May of 2017, when the SSAE16 transitioned to an SSAE18, a key change included the oversight of subservice orga- nizations. Since many mortgage servicers use offshore vendors and subcontractors to procure tax ID numbers, tax amounts, and flood determinations, mortgage servicers must conduct due diligence to ensure their customers' nonpublic per- son- al in- for- ma- tion (NPPI) is protected. The 2017 change required many organi- zations to implement a formal vendor management program to address customers' security concerns. A robust program adds a level of assurance to customers that your fourth-party vendors are properly vetted. That's why it is important that vendor managers are proactive when performing annual due diligence audits on all vendors to ensure that documents, such as the non-disclosure agree- ment (NDA), master service agree- ment (MSA), statement of work (SOW), insurance, and SSAE18/ ISO certifications are current. LERETA's audit process begins approximately three to four months after the previous one ends. We are proactive in ensur- ing that there are no exceptions identified in our report. Our clients can trust that the controls we have in place will ensure ac- curate processing and reporting of property tax flood-related services. As a mortgage servicer or company that provides support services, it is important to have an audit report with no excep- tions. Not only does a satisfactory report demonstrate sufficient con- trols in place; but having a third- party review and test controls to ensure they are functioning properly provides an added level of reassurance that a company can trust your organization with their information. External audits also serve to improve the performance of an organization because auditors are available to provide year-round input. In addition to that, auditors can assist with establishing or modifying existing controls. They are an additional layer of review for internal audit departments. Preparing for the Audit T he primary purpose of an audit is to validate that an or- ganization is doing what it says it is doing; therefore, the first step a company should take in prepara- tion for an audit is to ensure that an annual review of all company policies and procedures has been completed. Policies and procedures must be current and align with how work is being processed. Any changes to documentation (as well as proof of annual review) must be evident within the policies/ procedures document history and version control page. Here, an auditor will be able to review the date of annual review, verify the author and approver as well as any changes made. Another step that must be completed prior to an audit is an assessment of existing controls to determine if a control has transi- tioned from manual to automated or if the scope of the audit has changed to include an additional system or functional area. In some instances, a control may need to be removed, and this should be done prior to the audit. As technology improves, so do processes, therefore, making sure updates and changes are com- municated to your auditors in ad- vance of the audit is critical. This will allow time for controls to be added and deliverable items to be established. It's also important to remember that a new control must be established for three months before it can be audited. IT security is one of the most important areas that should be assessed prior to an audit. The biggest threat to any company is a data breach that can lead to sig- nificant legal, financial, and repu- tational ramifications. A servicer's information security department should regularly monitor user access, conduct penetration test- ing, as well as have antivirus and firewall protections. Controls surrounding an organization's data center must also be assessed. This includes camera footage, dual-factor authentication, redun- dant power, and temperature and humidity controls. Business continuity planning and proof of testing must also be completed. Customers want confidence that in the event of a business impact event, services provided will not be interrupted. With all this in mind, now it's time to execute! Develop a schedule of when you want to assess areas in scope. In the mortgage industry, the fourth quarter tends to be the busiest time, and this limits access to subject matter experts more than other times of the year. Make sure to use low-volume seasons to your advantage. More importantly, empowering staff to take owner- ship of their processes is key to a successful audit. STACI HARDY is the audit, compliance, and risks services manager at LERETA, a national provider of property tax and flood hazard data. Hardy has more than 15 years of experience in the mortgage loan servicing and real estate tax servicing industry. She has spent the last three years overseeing internal compliance at LERETA.