How do I get ALTA certified? Which audit should I do? What is the difference between a SSAE 16, SOC 1, SOC 2 and AT 101? What is the difference between an examination, review and agreed-upon procedures engagement? Will my lender accept the report I provide to them?
These are just some of the few questions that most Title Agents and other industry professionals have been asking. If you are a Title agent asking the same questions, hopefully this blog will provide the answers you need. There is no best audit that fits all and no mandatory report that is a requirement in the industry. The type of report you should receive is usually driven by your client’s request and/or your organizational objectives.
SSAE 16/SOC 1 & SOC 2
An SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is an examination of the controls of the service organization (Title Company in this case) that are relevant to the user entities’ (e.g. lenders) internal controls over financial reporting. The SSAE 16 is also known as SOC 1 (Service Organization Controls No. 1), and was formerly known as SAS 70. This attestation report is widely known in the industry and accepted by most lenders. There are two types of reports a service auditor may provide:
- Type 1 – Report on Management’s description of the service organization’s System and the suitability of the design of controls as of a specified date. Here the service auditor issues an opinion on management’s assertion and that the controls are placed in operation.
- Type 2 – Report on Management’s description of the service organization’s System and the suitability of the design and operating effectiveness if controls throughout a specified period. Here the service auditor issues an opinion on management’s assertion and a description of the service auditor’s test of controls and the results of those tests.
A SOC 2 under the AT (Attestation) section 101 is focused more towards the examination of the Trust Services Principles and Criteria (i.e. Security, Availability, Processing Integrity, Confidentiality or Privacy) of a System. This should be performed mainly by Title Companies that develop and or host their title production application.
In April, 2015, the American Institute of Certified Public Accountants (AICPA) released a non-authoritative guidance to perform ALTA attest engagements under AT section 101 of the AICPA audit standards. This is not a SOC 2 report even though it is under AT section 101. Title Companies can use a CPA (practitioner) to perform either an examination, a review, or an agreed-upon procedures engagement using the Assessment Procedures detailed within the ALTA Best Practices Framework.
- An examination is an attest service that requires the practitioner to be independent, obtain a written assertion from management, and perform audit procedures such as inspecting documents and records obtained from management, observing activities and operations, and inquiring from management and personnel regarding procedures. This is done to express an opinion (positive assurance) on management’s assertion or on the subject matter (Title Insurance and Settlement Services System in this case) as of a specified date.
- A review is the next level of service in which the practitioner does not express an opinion but gives a negative assurance (i.e. states that “nothing came to their attention as of a specified date that caused them to believe that the system did not comply with the ALTA best practices”). The practitioner needs to be independent as well and obtain a written assertion from management, but the only procedures required to be performed include; reading policies and procedure documents, and inquiring from management regarding their procedures in place.
- In an agreed-upon procedure report, the practitioner disclaims an opinion and expresses no level of assurance at all. This level of service still requires the practitioner to be independent but the practitioner only performs specific procedures agreed with management and issues a findings report at the end.
ALTA released a Certification Package along with the publication of the ALTA Best Practices Framework in 2013. The certification package includes an Agency Letter, a Best Practices Certificate, and a Declarations Page. This is a self-certification and is intended solely for the use of the Title Company and not intended to be relied upon by anyone other than the Title Company itself.