Business Insights
SOC 1 for Mortgage Service Providers
Articles by: Richey May, Aug 03, 2020
What is a SOC 1?
A SOC 1 is an audit of internal controls over financial reporting, designed explicitly for service organizations. It assures users of the effectiveness of the internal controls. Users of a SOC report include management of a service organization, management of your customer’s organization, and auditors of the user organization.
Mortgage companies are under increasing scrutiny from regulators and customers. They may request a SOC report so they can feel confident your policies and procedures will result in accurate data for financial reporting. Customers are looking for comfort that you are processing payments to mortgage loans timely, meeting investor reporting requirements, or filing bankruptcy and loss mitigation documentation in accordance with requirements in order to protect their mortgage assets.
Scope of SOC 1 Audit
A SOC 1 report is focused on financial reporting risks and controls specified by the service provider. It is most relevant when the service provider performs financial transaction processing or supports the transaction processing system. If your company provides financial processing services for mortgage companies, this may be the best scope to choose. The scope of a SOC 1 audit includes:
- Classes of transaction
- Procedures and methodology for processing and reporting transactions
- Accounting records of systems
- Management of significant events and conditions other than transactions
- Report preparation for users
- Other linked aspects relevant to processing and reporting user transactions
The SOC 1 audit engagement covers transaction processing controls, supporting information, technology, and IT general controls. The service provider defines control objectives, which may vary depending on the type of services you provide to your customers.
Your current controls may or may not be in alignment with the controls that users need to have from a financial reporting perspective. This report can help identify these gaps, so you can comply with what a customer’s regulatory environment requires before services begin.
Types of SOC 1 Reports
There are two types of SOC 1 reports.
- Type I: Also referred to as “point in time” report. This report covers an audit occurring as of a specific date, detailing the control framework at that specific time.
- Type II: This report pertains to the testing of controls over a duration of time.
| Type I | Type II | |
|---|---|---|
| Coverage | Single point of time, “as of” date | Duration, Period of time |
| Assessment | Design | Design Operating Effectiveness Results of test |
Among these two types, Type II is considered more reliable as it involves testing the effectiveness of controls over a period of time.
Why is the SOC 1 Report Needed?
By providing the SOC report to customers, the customers are assured that the mortgage services provider uses procedures in a way that ensures the financial data provided is consistent with regulatory requirements.
The report demonstrates your reliability and credibility to the customer, enabling them to trust your company with sensitive financial data.
Our team specializes in SOC Audits for mortgage service providers. Our industry specialization means we can help you choose the framework your customers need and execute your audit and report at a high level. Contact us today to get started.