22 | The M Report

Feature

When President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, it represented the largest set

of financial regulatory reforms seen in the United States since the Great Depression.

The wide-ranging and comprehensive legislation significantly impacted every aspect of the financial services sector, and the field services industry was no exception. It is imperative that field services companies make the appropriate investment in resources, both human and technological, to minimize clients' exposure to the risks of noncompliance across a wide range of requirements. Those not committed to compliance and the necessary investment will not survive the new regulatory environment; those who embrace the compliance requirements will strengthen their organization and the industry in immeasurable ways.

While not all-encompassing, the regulatory requirements that field services companies must operate under include:

• Consumer Financial Protection Bureau (CFPB) rules and regulations
• False Claims Act provisions
• Gramm-Leach-Bliley Act (GLBA)
• Protecting Tenants at Foreclosure Act (PTFA)
• Servicemembers Civil Relief Act (SCRA)
• Fair Debt Collection Practices Act (FDCPA)
• Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)

The financial services industry has invested heavily in its audit and compliance functions to ensure proper frameworks are in place to assess its suppliers' adherence to applicable rules and regulations. This has fostered a renewed sense of partnership and collaboration within the industry, as client and vendor audit and compliance teams have worked side by side to identify gaps, implement monitoring procedures, and create best practices around adherence to these important requirements. Importantly, organizations that provide services in this space must embrace the new environment and ensure that executive leadership is engaged and provides thought leadership to their teams in this dynamic regulatory environment.

Financial Services Focus on Compliance and Audit

There is a renewed focus and investment on vendor oversight within the financial services industry. Typically, the vendor management department of these organizations will risk rank their vendors based on predefined criteria such as annual spend, service provided, potential risk to the organization, and maturity of the supplier's systems and processes. In the course of a year, depending on its size, a field services company could undergo close to 75 onsite and desk audit assessments. There is no question that audits can be time consuming, but each audit should be looked at as an opportunity to strengthen and enhance existing compliance frameworks.

There are two focused audits that field services companies undergo: vendor compliance audits and global information security audits. These audits are focused on different criteria but often overlap in a number of areas. The global information security audits are generally built around the ISO/IEC 27002 control set, Information Technology Infrastructure Library (ITIL) practices, Control Objectives for Information and Related Technology (COBIT) controls, and other IT-related control frameworks. From a testing perspective, the IT auditors perform reviews of:

• Physical security
• Business continuity and disaster recovery
• Software development and change management procedures
• Application permission and authority levels
• Data integrity and protection (encryption)
• Network vulnerability testing

As field services companies typically receive and utilize confidential consumer data, it is imperative that the controls safeguarding this data are robust, comprehensive, and scalable.

The vendor compliance audits focus primarily on the business processes and procedures, and on the frameworks by which controls are put in place to ensure quality service delivery. Comprehensive business process control walkthroughs are performed and transactional control testing is conducted to ensure compliance. In the past year, the audits have expanded their scope to ensure compliance with regulations and to assess the field services companies' policies and procedures as they relate to:

• Comprehensive customer complaint tracking systems
• Legal complaint tracking systems
• Background check validation for anyone who performs services on a property
• Human resource management and systems entitlement reviews
• Customer service call monitoring
• Vendor management controls and scalability of the vendor network
• Protection of confidential customer data and adherence to privacy requirements

Front of the Class

Regulatory reform brings compliance and third-party oversight to the forefront of the field services industry.

By Greg Robinson, CFO, Safeguard Properties


Upon completion of the audit, an exit conference is conducted to share any findings, risk rank those findings based on a severity matrix, and agree upon remediation activities and timelines. This is also an opportunity for the vendor to respond to any inaccurate findings and to agree upon the formal execution of a corrective action plan (CAP). Progress on the CAP is monitored monthly, and evidence is provided to close out action items once they are completed.

To ensure compliance, many in the field services industry have invested heavily in resources to manage their organizational risk as a supplier. Through new technology and the expansion of in-house internal audit and compliance teams, a strong collaborative partnership with clients is formed to proactively and aggressively manage risk and to ensure the frameworks are in place to maintain regulatory compliance and fully protect the consumer.

Enhanced Focus on the Supply Chain

As third-party oversight and compliance has become more formalized, it should be seen as an opportunity to expand activities focused on the compliance and quality frameworks of third-party providers. While many field services companies have in the past implemented robust administrative compliance and verification activities when onboarding vendors, some, much like the financial services industry, have taken the process to the next level by including onsite audits at vendors' headquarters as part of the overall audit.

So what are some best practices to consider when designing a framework for establishing the nature, timing, and extent of audit procedures? First, perform a high-level risk assessment or tier-ranking activity across all service lines to place vendors into risk categories. The purpose of the assessment is to group vendors into risk tiers in order to determine the audit frequency and to properly schedule and execute a plan.

To facilitate an audit program, contracting with a national independent audit firm is highly suggested. The company's subject matter experts can work hand in hand with the firm to create the audit plan, scope, and program. The scope can include compliance issues, administrative oversight activities, control frameworks, and substantive testing of work orders and human resource practices. The following is a brief overview of the focused audit and control objectives.

Internal file review: Vendor files are reviewed to verify proper insurance; that required acknowledgements have been executed by applicable vendor personnel; that evidence of required background checks is available; that confidentiality agreements protecting client data have been executed; and that diversity certifications are present, if applicable.

Business process walkthroughs: Auditors perform a general walkthrough of the organization's controls surrounding the applicable business processes it performs. Gaps are discussed and best practice recommendations are offered to improve the capacity of the organization.

Work order testing: Substantive testing focused on key criteria is conducted on a representative sample of vendor work orders.

License affirmations: File reviews are conducted to validate that the organization maintains the proper licensing as required by its jurisdictions and applicable professions.

Quality control framework: A review is conducted of the organization's quality control processes and procedures. Evidence is noted of the nature, timing, extent, and tools utilized to formalize its quality program.

Similar to the client audits we undergo, an exit conference is conducted to share any findings, risk rank them based on a severity matrix, and agree upon remediation activities and timelines. A formal CAP is executed and progress is monitored monthly.

Compliance Frameworks and Executive Ownership

As should be evident from the increased investment in third-party oversight, executive involvement in compliance activities must be focused and committed. We are operating in a dynamic environment, and having appropriate frameworks in place to be agile, to efficiently identify risks, and to make procedural adjustments and resource investments is critical.

Anticipating client needs, implementing best practices to minimize their risk, and creating comprehensive frameworks that ensure transparent communication protocols are in place from the operational departments to the boardroom should be a priority in any organization. To proactively identify and mitigate risk in operations and in the vendor network, and to create an environment of continual process and procedure improvement, a nimble governance structure is recommended.

While there are varied ways organizations can accomplish these objectives, a streamlined committee approach consisting of a cross section of executive and service-line leadership will enable companies to ensure consistency and transparency of duties for their clients.

Compliance Committee

The purpose of the Compliance Committee is to ensure compliance and ethical behavior within the organization by defining responsibilities and ownership, increasing awareness of compliance requirements, and providing a mechanism for identifying and responding to new requirements and to noncompliance with existing requirements. The committee has general oversight responsibility for compliance programs, policies, and procedures.

More specifically, the committee oversees the company's implementation of compliance programs, policies, and procedures that are designed to be responsive to the various compliance and regulatory risks; assists the organization in fulfilling its oversight responsibility for the compliance and ethics programs, policies, and procedures; delegates responsibility for ensuring compliance; and determines the prioritization and resources necessary to have an effective compliance program.

Security Advisory Board

The purpose of a Security Advisory Board (SAB) is to provide continuity of knowledge, leadership, executive oversight, and guidance for security policies and activities. The SAB acts as the governing body for risk and compliance for the entire organization. This includes both physical and information security.

Through the assessment of security risk and the application of appropriate controls, the SAB is continually focused on the protection of confidential data and the integrity of assets in support of business objectives, physical and financial resources, reputation, legal position, employees, partners, and other tangible and intangible assets.

Quality Council

Comprised of executive leadership, the Quality Council's main focus is to review progress on quality assurance efforts and drive change based on the results of internal audits and quality assurance initiatives. The objectives of the Quality Council include:

• Report on key metrics such as quality control results and internal operations audit findings.
• Discuss trends impacting quality of services and agree on short- and long-term actions to address quality problems.
• Provide updates on quality improvement initiatives and prioritize those initiatives and their resources.

The governance structure can be organized within any framework that meets the orga-nization’s goals and objectives. The key point is that executive leadership is continually involved in risk management and that a transparent and actionable environment is created within an organization.

The enhanced focus on compliance brought on by the regulators has proven to provide a solid framework for third-party oversight, something that was much needed in the field services industry. Those who welcome the changes and continue to invest in the resources necessary to improve their organization will continue to flourish in this dynamic environment. This requires collaboration and partnership with clients, executive ownership and understanding of the risk factors that affect day-to-day activities, proper investment in both human and technological resources, and a focused partnership with vendors through collaborative third-party oversight.