Aug 01, 2013
Featuring Henry Bagdasarian, Compliance and Audit Director
Monthly Podcast Transcript
Adrienne Ainbinder, Moderator: Welcome to the Veros Real Estate Solutions monthly podcast. This month, we’re taking a look at how lenders can have some assurances that the vendors providing support services are meeting compliances and regulatory expectations. Joining me on this topic is Veros’ Compliance and Audit Director, Henry Bagdasarian. Thanks for joining me, Henry.
Henry Bagdasarian: Thanks, Adrienne, for this opportunity. It’s a great pleasure to discuss vendor audits and assurance practices.
Adrienne Ainbinder: Well good, we are looking forward to your expertise. So let’s start by letting our listeners know a little bit about your role within Veros.
Henry Bagdasarian: Well, our group is responsible for making sure that the company complies with various rules, regulations and practices. We also make sure that the company follows our established policies and procedures through training and monitoring. The audit team actually develops and executes an audit plan on an annual basis to assess risks and provide constructive feedback to management regarding policies, procedures and operations. And our group also reviews vendors' risk management practices through annual risk assessments, and we also process our customers' due diligence requests such as standard information gathering questionnaires and various copies of audit reports, policies and procedures.
Adrienne Ainbinder: Very good. So let’s take a step back for a second and let’s talk about why it is important for a lender to conduct a compliance audit beyond of course the fact that it is required by the regulator. So how are vendors exposing lenders to risk?
Henry Bagdasarian: When a mortgage lender outsources some services to a vendor, whether it’s for account management, mortgage application processing with software development and system management, the lender also expects and relies on the vendor to manage related risk. For example, vendors are expected to have proper hiring practices of their employees and contractors, which include full background checks, adequate policies and procedures and employee training. When internal controls don’t exist or are not functioning properly, then lenders can be exposed to some unmanaged risk.
Adrienne Ainbinder: Very good. So there’s clearly a lot to deal with here and depending on the data and the level of exposure, in your experience, Henry what are the most important risks that a lender needs to focus on when it comes to collateral evaluations?
Henry Bagdasarian: There’s normally less risk associated with the automated evaluation systems other than availability and accuracy of property values. However, when we consider appraisal management and workflow systems, lenders can be expected to be exposed to a variety of high risks around privacy, timeliness, and accuracy of submitted appraisals as well as system integrity, security and availability, including data backup, disaster recovery and business continuity.
Adrienne Ainbinder: Very good. Earlier you used the term, “unmanaged risk,” maybe you can explain how you define that. Is it different from managed risk when it comes to a lender-vendor relationship?
Henry Bagdasarian: Any business is exposed to risks. Lenders are liable for the quality of services that they provide to their clients. They must also ensure privacy and other aspects of regulatory compliance as part of their business operations. In the normal course of business companies manage their risks by identifying, prioritizing and mitigating them. However, businesses might be a little bit less concerned with risks that they assign to their vendors along with outsourced services. So assigned risk to vendors may be unaddressed or unmanaged, and can have a variety of negative consequences for lenders.
Adrienne Ainbinder: Sure. Okay. What are some of the consequences that lenders might assume if the risks are unaddressed as you discussed?
Henry Bagdasarian: Consequences of unmanaged risks can be enormous and unpredictable in terms of lost clients and revenues, lawsuits, negative publicity, damaged company brand and penalties from noncompliance with government regulations. Mortgagees are often unaware of lenders' outsourced services, and even if they did they would expect the same level of privacy and quality of services that they receive from their vendors.
Adrienne Ainbinder: Absolutely. So let’s move into solution mode now. How can lenders ensure the vendors are properly managing all these risks that we have just identified?
Henry Bagdasarian: There are a few ways that mortgage lenders can make sure that vendors are properly managing the risks. They can request information through requests for information (RFI) documents or standard information gathering questionnaires. They can perform their own audits of the vendors, or they can request independent auditor reports such as SSAE16 and FISMA Compliance Audit Reports. Most lenders will use a combination of all these options to get comfortable with a vendor's internal control.
Adrienne Ainbinder: Sure, which audit form do you think is best?
Henry Bagdasarian: Due to their inherent nature, RFIs are less reliable because vendors attest to their own internal controls and there is no independent verification. That being said, independent audits are more reliable, but they can be expensive. So in order to be cost effective in their vendor assurance efforts, lenders can identify the high-risk vendors to be audited and determine the type of audit that they would require as well as the frequency of the audits.
Adrienne Ainbinder: Sure. Now who pays for the audits? What’s customary there?
Henry Bagdasarian: Often the lenders are required to pay for the audits they choose to perform; other times, the costs of RFI questionnaires and SSAE16 audit reports are covered by the vendors. There are many reasons for that which we’ll cover later. Independent audits by third parties can be very expensive; however, sometimes vendors cover the costs to satisfy either contractual agreements made with their clients or they desire to be of just good business in order to attract new customers and retain the existing ones.
Adrienne Ainbinder: Absolutely. In the past a lot of lenders seemed to be confused about SAS-70, vendors’ claims that they are – they’re SAS-70 compliant and whatnot. Now we’re seeing SSAE 16. Can you talk about those, maybe clear up some confusion and talk about what’s important to lenders?
Henry Bagdasarian: Sure, SSAE 16 stands for the Standards for Attestation Engagements, number 16, which is an internationally recognized third-party assurance audit designed for service organizations. SSAE 16 replace – replaced SAS-70 in 2011. There are normally two types of SSAE 16 audits. Type one provides the limited assurance at a point of time, whereas the SSAE 16 type two provides the highest level of assurance based on a period of time, which includes detailed testing. The scope of the SSAE 16 audits depends on the outsourced services and is either identified in the negotiated contracts or by the vendor to provide assurances for the services it markets and provides to its clients. Some common areas covered in the SSAE 16 audits include employee and contractor management, privacy, access management, information security, system development lifecycle, data backup and IT operations. The final SSAE 16 audit report is very important to lenders because it gives them an independent opinion regarding vendors’ internal controls.
Adrienne Ainbinder: Very good. Then you mentioned one reason why it might be important to a lender. But why else would a service organization undergo an audit? Or this specific audit I should ask.
Henry Bagdasarian: Sure, there’s also many reasons why a service organization may decide to obtain an SSAE 16 audit report, as well as due to the increased regulatory oversight of the Sarbanes-Oxley Act, which many customers are now requiring their service organization to obtain an independent audit report. Other benefits to vendors of an SSAE 16 audit report include instant credibility with – with the public and perception that the vendor is responsible, independent confirmation by a third party of their internal controls, procedures and policies, and lastly, cost savings, where one audit report can satisfy multiple customer requests and reduce the number of customer self-assessment questionnaires.
Adrienne Ainbinder: Sure, sure makes sense, especially with Type II being so comprehensive, so to encapsulate everything for our lenders who might be listening to the podcast, if you were to put yourself in the lender's shoes, how would you summarize what you’re going to look for in a vendor that you want to do business with?
Henry Bagdasarian: To manage their vendor risk, I would first identify the high-risk vendors, depending on the type of services that we outsource and the data that we share with them. Next, I would decide the type and frequency of assurance methods such as RFI, internal audit or reliance on the SSAE 16 audit report that they provided, or a combination of multiple of these methods. One thing to keep in mind is that, you know, normally to do this we would have to coordinate with the legal and audit teams for a couple of reasons: we want to make sure that there’s an audit clause included in the contract, which allows us to actually go and audit the vendor, but also allow the audit team to schedule resources if they have to go in and audit the vendor so that it’s scheduled for the year. And then next we would review the results of the audit and follow up with the service organization to make sure that they remediate the potential findings within the agreed upon time frame.
Adrienne Ainbinder: Absolutely. That follow-up has got to be key. Well, Henry, I want to thank you for taking the time to talk with us today and I hope our podcast listeners feel much better equipped to go out and get stronger assurance on their vendor partners.
Henry Bagdasarian: Thanks again. It was a pleasure to present this highly important topic for the listeners.
Adrienne Ainbinder: Very good. Well, for our listeners, I hope you will visit us at Veros.com and follow us on Twitter at our handle, which is @verosRES. Until next month’s podcast, thanks for listening.