
Do you collect your auditor's workpapers?


A relatively common compliance management issue to clarify.

So you hire an auditor to come in and dig through loan files or records of other transactions. They're investigating to find compliance violations or other weaknesses. They might also have recommendations on how to improve processes or operate more safely that don't rise to the level of an actual finding or violation.

The auditor spends 2 weeks performing this task and ultimately delivers a report identifying any and all weaknesses. A good audit report will cover all of the following topics:

  1. Scope of the audit (e.g., which products or 3rd party relationships were reviewed)

  2. List and describe all findings

  3. Include the number of transactions sampled

  4. Suggest corrective action (type and time-frame)

But is that really all you need from the auditor?

Auditor's Work-Papers

To some extent, it is reasonable to request an auditor's work-papers -- not just the final report. The work-papers will show transaction-level notes and calculations, including any research done or tools utilized to get the work done. This can be compared to the final report (anything missing?) and be used to verify that the auditor's work is getting done properly.

Now, keep in mind - they're just work-papers; they won't necessarily be perfectly written or always make complete sense. But they can be helpful on occasion.

Here's an example of how work-papers become important:

Regulators come in and notice a particular issue in several loan files. They turn to your most recent 3rd party audit of this area and the audit report is clean - this issue was not identified. The regulators will want to review the auditor's work-papers. Not having them might be seen as a Compliance Management System weakness. But let's assume you do have the work-papers ... The regulators will look at the work-papers - if the work-papers also don't show this particular issue, then you're fine (auditor doesn't look too good though). But in some cases the work-papers DO show this issue and for some reason it just didn't make it into the final report. The regulators now have to ask: Did the auditor make a mistake and fail to include this on the final report? Or was the auditor pressured into removing it?

Some common examples of work-papers might include:

  • SCA runs an APR test for mortgage compliance. Even on loans where SCA finds no APR issue, the status report generated by this tool would be available.

  • SCA's quality control reports are generated by completed checklists, which make good work-papers themselves (albeit extremely long)

  • With SCA's TRID review product, all notes, findings, recommendations, calculations, etc. are placed into a loan-by-loan Excel table and provided to the client. Only verified violations would be carried over into a formal audit report, but the initial draft table is saved as work-papers.

Get any grief on this from auditors? Just remember they're working for you, and you own those work-papers. Moreover, you can bet they'd rather be giving them to you than responding to a formal request from the Feds!

In Other News

  • TRID Compliance is not required for investment properties. Nonetheless, people selling to the secondary market may soon be required to do so - see this Freddie Mac announcement (FAQ #5) that will require an LE and CD on investment properties starting mid-2017.

  • Swollen property values and rising rates have many lenders bracing for a boost in home equity lending (who wants to refinance their first mortgage if they got it in the past few years with a super low rate?). If you find yourself wanting to roll out a new HELOC or revamp an existing one, or if you just want to become more competitive in this area - we have a standard service to help with developing a product and process to be competitive in this market. My colleague Steve Kornfeld is taking the lead on these projects - give us a call if you want to bounce some ideas off of us.

  • This video from Questsoft - a "HMDA Queen" instead of Dancing Queen - is equally hilarious and cringeworthy.

  • Recent "news" article from the Onion: ATLANTA - Unable to contain their emotion when they heard the account name called aloud by the college provost, a group of teary-eyed Sallie Mae student loan officers proudly looked on Monday as their $200,000 balance sheet asset graduated from Emory University, witnesses confirmed. "It's been absolutely amazing to watch our revenue stream grow right before our eyes," said smiling collections officer Robin Black, explaining that, looking at the impressive figure now, she could hardly believe their future series of principal and interest payments was only $50,000 just four years ago. "This is such a big milestone, but to be honest, it's really just the beginning. We're all looking forward to seeing how our beloved asset progresses now that it's going out into the real world. Who knows where it will be 15 years from now?" The student loan officers went on to express their hope that they'd one day be able to see their source of profit go to law school.

So Yahoo's having a great year, huh? Two months after successfully negotiating a sale of primary assets to Verizon (a big win for Yahoo), it's announced that hackers stole data from 500 million users. Then just last week, a second breach was reported that affected 1 billion consumers! The most frustrating point of this, from a consumer perspective, was that these hacks occurred years ago (despite Yahoo knowing in 2014) ... scary to think what hackers have done with this access for years. Now, at least, consumers are tipped off and can change passwords, change security questions, cancel credit cards (and maybe switch to Gmail or Outlook, for that matter). According to the most recent SEC filing, Verizon might very well back out of the deal because of this.

With cyber-security representing a greater risk every year, it's good for us to focus on it. This is especially true of e-mail, which is the area most vulnerable to hackers. The good news is that many of the ways for us to protect ourselves are intuitive: using better passwords (longer, more complex), changing them often, not re-using passwords for different accounts, and carefully reading e-mail addresses before viewing attachments, since it's easy enough to create e-mail addresses that closely resemble those of legitimate people (notice you're getting this e-mail from "BenGiumarra@scapartnering.com" and not "BenGiumarra@scapartn3ring.com" - see the difference?).

Fortunately, my colleagues and I are pretty well protected with strict password requirements, encrypted computers on encrypted servers accessing secured networks, etc., but where do you go if you're doing this by yourself or if you want more information?

  • The U.S. Small Business Administration has some helpful information for companies trying to manage cyber-security risk.

  • The BBB studied small business in North America and found that (a) the vast majority believed they would not be hacked but that (b) 25% actually had been hacked in the past year!

  • E-mail practices should be addressed in the ALTA best practices policies/procedure submitted by your settlement agents.

  • Here you have the Division of Banks' letter on cyber-security and of course their examination manual on cyber-security issues for 2016.

John and Steve take note that I resisted any temptation to somehow work any examples with Russian hackers or basement servers into this newsletter.

"Ultimately, cities survive by continually adapting their economies to new technologies, and colleges are central to that."

- Mark Muro

Thanks so much for reading our weekly newsletters. We're not always going to be perfect, but because we always do our best and try not to overpromise, we hope that we're always going to be trustworthy. Your calls and e-mails are very helpful - please keep contributing.

**These are our opinions. We're not authorized, or willing, to express those of others.**
