In May 2017, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issued its new Statement on Standards for Attestation Engagements (SSAE) No. 18. This new set of standards responds to concerns about the complexity and length of its predecessor, SSAE 16, as it applied to outsourced services; it is essentially a cleaner version that covers areas that were anticipated but excluded from the previous version.
SSAE 18 more explicitly addresses three very important areas for companies that perform outsourced services affecting the financial statements of another company: third-party vendor management, data validation and risk assessment. Information security is one of the most critical areas for any company to address, and these new standards help companies tackle this constantly moving target of compliance.
To learn more about what SSAE 18 means for mortgage servicers, MortgageOrb recently interviewed Tyler Page, CPA, chief financial officer for tax services firm LERETA.
Q: What kind of changes have mortgage servicers needed to make to accommodate SSAE 18?
Page: The most significant change required of mortgage servicers is time. Additional time is required to complete the audit, and servicers have needed to make the necessary adjustments. With SSAE 18, integrity and validation of data became extremely important. Servicers are no longer sending data for testing. Auditors must visualize and validate how and by whom the data was generated. In most cases, this requires auditors to be on site (or face time) for several days while they work with business units to validate and test controls.
Additionally, servicers have needed to dedicate time to building a compliant and efficient vendor management department. With more companies outsourcing work both on and offshore, security breach concerns around NPPI (Non-Public Personal Information) data have grown. Although auditors do not conduct an in-department audit of all vendors, they are testing to ensure that a company has done its due diligence in ensuring vendors are properly vetted. Proper due diligence documents include items such as a contract, SOW (statement of work), insurance, BCP (business continuity plan) and testing information, in addition to an SSAE 18 and an ISO. If a company did not have these artifacts in a central repository already, it would need to devote countless hours working with its vendors to obtain them.
Q: Now that we are more than six months into SSAE 18 compliance standards, what have been the benefits? Shortcomings?
Page: In general, customers are feeling more confident in services because they know a thorough audit of controls has been completed. There is now an additional layer of protection that helps customers feel more secure.
CPA firms that conduct audits will be required to perform a detailed risk assessment on each Service Organization Controls (SOC) audit client. Auditors will be required to have an understanding of the subject matter, to identify and assess the risk of material misstatement, and to perform procedures in response to those risks. Prior to SSAE 18, auditors only had to have adequate knowledge of the subject matter; they were not required to assess and respond to those risks.
With auditors' focus under SSAE 18 on validation of information, organizations have been able to outline the controls already in place for each functional area and add controls where they may have fallen short. This also provides the opportunity to make sure all policies and procedures are up to date. The SSAE 18 audit has laid the foundation for future audits to be seamless.
Q: How much has this cost mortgage servicers to be compliant?
Page: The cost to mortgage servicers to be compliant is minimal, as the time the audit takes will be consistent with previous audits. The transition to the new standard may cause an increase in time the first year; however, the benefit of increased customer confidence is likely to outweigh the minimal investment in time or cost.
Q: How has the industry in general been affected?
Page: The effects of the SSAE 18 audit on the industry have been generally positive. As businesses grow and technology changes, so must the means of testing the controls a company has set in place. Although the initial transition from an SSAE 16 to an SSAE 18 can be bumpy due to implementation of new audit procedures, the change is meant to simplify things and is necessary.
Q: Does this signify a shift to complex vendor management programs?
Page: Yes. The addition of third-party vendor management programs does signify a shift to more complex vendor management departments. That SSAE 18 captures this small piece of vendor management is a good indicator of potential future expansion in this area.
Service organizations must implement sufficient methods to monitor the relevant controls at their subservice organizations. The easiest way to accomplish this has been to obtain the subservice organization’s SOC report.
Additionally, the service organization should review the report to ensure that its scope includes the specific services provided by the subservice organization and relied on by the service organization. Any exceptions noted in the testing of the controls would not influence the operating effectiveness of the service organization's control environment.
The AICPA agrees that reviewing a SOC report is an acceptable method for monitoring the effectiveness of internal controls at a subservice organization. If this report is not available, alternative procedures would include the following:
- Reviewing and reconciling output reports;
- Holding periodic discussions with the subservice organization;
- Making regular site visits to the subservice organization location;
- Independently testing controls at the subservice organization; and
- Monitoring external communications (e.g., customer complaints about the subservice organization).
Information security is more important now than ever in the financial industry. Thus, ensuring that a company has taken the necessary steps to keep NPPI data secure is critical to the success of businesses and their reputation.