For the past two years our company has been focusing on being ready for the August , 2015 implementation date. Well, now we are 5 days away and just last week the powers that be decided to push back the implementation date, and made the Oct 3 date official… IMAO the delay does not really mean anything… you can purchase equipment, software, and model policies, but you cannot create a culture of compliance in just a few months. One week ago today our firm met at the office (it's Sunday) and made final preparations for our SOC2 TYPE 2 and ALTA Best Practices Audit, which was being performed by the CPA firm of KSJG of Anaheim, California.
Monday morning came, the auditors showed up at 9:30 and we had to get them signed in, and their key fobs issued. Next we introduced the company to them and explained what we did. North Carolina is a weird place, so we had to explain the idiosyncrasies which are a big part of our workflow… Then the fun began.
The first thing we did was discuss our security policy, review the physical security policy and do a full site audit of all of our facilities. We looked at film on windows, different levels of authorization on entry using key fobs, security cameras, sign-in policy and sign-in sheets; we visited every square inch and inspected all of the desks to ensure we had a clean desk policy which was enforced. I know that they also looked at other physical attributes which were important to them.
The Workflow for SOC2 and ALTA Best Practices
The auditors selected a large number of files which had been closed and we had to provide them with complete files and documentation. We had no idea which files were going to be chosen, we had no idea what things the auditors were going to focus on. For the past year and a half we have been very public about our compliance efforts, and now we had to prove it… and it was miserably nerve-wracking. The owner of a business can create policy, adopt it, but without GREAT employees and staff it just will not happen… MY STAFF IS UNBELIEVABLE and after poring through this cross section of files we had no exceptions. What did they look for? Here are the top things that stick out in my mind:
1. Did the HUD-1 match the disbursements?
2. Did the money follow the workflow which we submitted for the SOC2 TYPE 1 Audit? Trust me, they looked everywhere!
3. Did the final title opinion/policy get issued within 20 days following closing and recording?
4. What did our consumer complaint policy and system look like? (THANK YOU RIZOLV!)
5. Who signs what, when, how, who can deal with wires, checks etc…. how are checks and balances set up, etc, etc, etc….. (there were lots of et ceteras in this area)
Day two saw the auditors poring through our HR Department and verifying our Employment Handbook met all necessary benchmarks required for the SOC2 and ALTA Best Practices… This was pretty interesting…. my biggest takeaway was not how good the policy was, it was not whether or not my staff was trained, it was HOW my staff was trained, and how it was documented. (You do need strong policies, an implementation plan, and records). They confirmed we had criminal background checks, credit checks, and due diligence on all employees. They also examined separation policy and checklists… (this was really important).
Days three and four were IT time! They basically spent that time going through each and every cyber security measure we had; they checked methodology, structure, redundancy and other long words. Again, MY STAFF IS UNBELIEVABLE and our IT Department is no exception….
Our firm started out in 2008 with less than 10 employees…. today we have more than that. We have our SOC2 SSAE 16 Type 1, a self-certification for ALTA Best Practices, and an SSI qualification… now we have a third-party ALTA Best Practices Certification and SOC 2 TYPE 2 Audit…. Small agents and medium agents are fully capable of meeting the new requirements of TRID… be patient, read, do it right the first time… so when the auditors come it will not be an embarrassing situation…. because they will look at everything. If we can do it… any company can do it.