PERSON OF THE WEEK: Most mortgage lenders and servicers are already familiar with SOC (System and Organization Controls) reports and their value in vetting third-party software and services providers during the vendor selection process, but many mortgage executives are not aware of the intricacies of SOC reports and how they impact the inner workings of these third parties.
To learn more about why it is important for mortgage software providers to obtain SOC reports and how SOC compliance changes their internal processes, MortgageOrb recently interviewed Jon Dipre, operations manager of USRES and RES.NET, offering real estate owned (REO) disposition, default valuations services and technology to the mortgage banking industry.
Q: What exactly is an SOC report?
Dipre: SOC stands for Systems and Organization Controls. An SOC report reports on the controls at a service organization that are relevant to their internal control over audits and financial reporting.
Today, in our industry, there are two versions that have become relevant: SOC 1 and SOC 2. For both of these versions, there are two sub-types available: Type 1 and Type 2.
All of these versions result in robust reports that list out a series of controls, verified as in place and being followed without exception by a third-party CPA.
Depending on which SOC version, the listing of controls will vary, but the intent for all is to give the report reviewer an inside look into the key compliance operations in place to safeguard his or her business, and ultimately instill a sense of trust and assurance.
Q: You mentioned SOC 1 and SOC 2 reports. What’s the difference?
Dipre: The SOC 1 report focuses on a service organization’s controls that could affect a customer’s financial statements. In this report, control objectives are related to both business process and information technology.
A SOC 2 report addresses a service organization’s non-financial reporting controls that relate to availability, security, processing integrity, confidentiality and privacy.
As mentioned earlier, both a SOC 1 and SOC 2 report can come as either a Type 1 or Type 2. The distinction between those sub-types is that a Type 1 is a snapshot review that certifies the given controls were in place as of a specified date. A Type 2, in contrast, certifies the same controls, but over the course of a longer period of time (typically four to nine months).
Q: Why should a mortgage software provider obtain SOC Reports?
Dipre: It’s a matter of providing a higher level of assurance to customers and their downline auditors.
Typical vendor questionnaires that mortgage companies must complete serve to give their customers a baseline level of assurance, and they’re typically enough to check the boxes for meeting compliance standards, at least for now.
But they are still based on self-assessments and “one-size-fits-all” control objectives that don’t always apply.
SOC Reports, on the other hand, are independent, third-party audited, industry-specific and world-renowned. Obtaining SOC Reports is important for a service organization because it sends a powerful message to its competitors, existing customers and prospects that it is applying best practices when it comes to process efficiencies and cybersecurity.
Q: How has the SOC process changed your business?
Dipre: Quite a bit, actually. We found the process, while very time-consuming, to be extremely beneficial to our continued growth and improvement as a company. While we didn’t uncover any major gaps in our operations per se, we did note that there were large areas for improvement in documentation and the formalizing of some of the processes we did organically, as would be expected of a tightly knit software shop with an average employee tenure of more than 8 years.
We found the process to not only validate us as the top-tier service provider we knew we were, but to also help us put new procedures in place to more easily prove that to others on the outside looking in.
Q: What recommendations do you have for other service organizations looking to become SOC certified?
Dipre: My first recommendation would be to choose an auditing firm wisely. Mortgage companies should partner with a group that has the knowledge and moreover willingness to truly assist along the entire process.
Navigating the various types of SOC Reports available and their seemingly endless lists of controls can be confusing. Thus, it becomes critical that a mortgage company have a partner to show it the way.
A particularly helpful step we took with our partner was engaging in a readiness assessment, at their suggestion. Although it may have seemed daunting to add a step to an already long and tedious process, it was very beneficial to first determine where gaps and other weak points existed within our network that could have caused us to ultimately fail the SOC Audit.
Going through this process ultimately made our internal processes stronger, which will further give our customers confidence in us as a service provider.