Vendor auditing best practices that will help your organization succeed

Published: March 29, 2012 by Jeff Bernstein

Jeff Bernstein Experian Global Consulting Practice Risk Management

Auditing provides the organization with assurance that all financial controls are in place to ensure that trust account funds are maintained, access to financial records at the vendor location is tightly controlled, customer data is secure, and that the vendor is in full compliance with contractual requirements (i.e., minimum account servicing requirements for issues such as vendor actions following initial placement, ongoing contact efforts, remittance processing, settlement authorizations, etc.).

There are two basic auditing processes that occur from a best practices perspective. The first one is fairly common, and involves use of an on-site audit.

Onsite Auditing

The onsite audit is required to examine financial records involving customer transactions, accounting processes, trust accounts and remittances, IT and security for handling sensitive customer information and records, and documentation of the processes that have occurred towards customer communication, contact efforts and results.

There are differences of opinion as to both the frequency of onsite audits, and whether they should be announced or unannounced. Frequency is primarily an issue of the size of the overall vendor relationship and the degree of financial risk associated with a default, typically involving the trust account and legal exposure to litigation and brand reputation risk.

Most utilities should follow an annual onsite audit schedule due to size of portfolio and attendant financial exposure. While surprise audits have the advantage of reducing any opportunity by the vendor to potentially alter records to cover up what would normally be audit violations, it does result in a more time-consuming audit schedule onsite, as the vendor is unable to prepare and have documentation available. The use of substantial online documentation lessens this issue, but nonetheless, there is more work to do onsite when nothing has been captured for review in advance. The other issue is that key managers from the vendor may not be available on the dates of a surprise audit.

One way in which organizations chose to resolve the issue of surprise versus planned audit is to conduct one pre-planned and announced audit annually, and a smaller scaled unannounced onsite audit annually at least 2 quarters separated from the planned audit. The use of remote auditing and monitoring lessens the requirements for onsite audits in certain areas, other than IT / Security, financial and compliance.

Remote Auditing / Monitoring

Remote auditing and monitoring of vendors is a stronger tool for credit grantors to improve performance of agencies, in that it combines some of the same auditing checks to ensure compliance and quality of collections with an added value of focus on performance.

The best tool in the arsenal is the use of digital logging to capture the collection call between the vendor and customers. When digital logging technology first came into use, it was cost prohibitive for collection agencies, and not fully accepted by the industry due to its possible use in litigation against the agencies. Over the past decade, as the costs of deployment have lessened, and agencies became more attuned to customer satisfaction and full FDCPA compliance, more agencies have installed digital logging into their call centers.

Most agencies that utilize digital logging capture every customer contact effort that results in either a right party contact, or third party contact for messages, etc. Many of those agencies will tag each of these voice records as to whether they were a right party contact or not. The intent is to be able to audit more frequently those calls that were right party contacts, so that collector skills can be assessed in terms of how they managed the customer, their ability to create and sell payment solution, and ability to negotiate successfully with the customer.

Typically, an organization that is using digital logging will have an internal quality assurance team that will create a compliance audit process that establishes a number of right party and non-right party contacts per collector. These calls are typically evaluated using a scorecard approach, and used for training purposes. They might alter the frequencies of monitoring based upon the tenure of the collector, their performance levels, and the results of prior monitoring, such that sample sizes are affected.

Utilities and other credit grantors should have access to the entire inventory of raw digital log files for their projects and randomly audit them remotely. These should not be “assembled” or pre-selected by the vendor, so that there is no undue influence in deciding which calls / collectors to review. If the vendor is using a QA monitoring / compliance program and separately maintains a scorecard driven monitoring process, the credit grantor should have access where those calls and evaluations related to their own customers and contacts.

The intent of the process is to listen for both quality of the communication with the customer from the perspective of effectiveness, but also to ensure compliance with FDCPA and that the customer was treated with respect and appropriately. Typically, a credit grantor would establish a remote monitoring schedule where x calls across the agent pool handing their assigned portfolio are monitored and evaluated with a simple checklist. Ideally, the credit grantor should be listening to a range of 100-150 right party contacts per month, based upon overall inventory and activity, but typically no more than 1-2% of the total right party contacts per month on their customer accounts.

The credit grantor should provide monthly feedback to the agency regarding the monitoring of quality and compliance, noting any compliance or policy violations, and any concerns relating to customer contact quality and performance.

Other aspects of the remote auditing that occurs each month should include ensuring that all servicing requirements are met. As an example, we would expect that the agency should perform various external checks for bankruptcy, deceased, etc. before initiating contact once the file has been received from the credit grantor as a placement. These database checks should be performed within the first 24 hours once placed, and then a letter of representation should be sent to those not flagged. The initial call to the customer should also occur within 24-48 hours from placement by the credit grantor, subject to phone number availability. Skip trace processes should commence immediately on those without phone numbers. There are requirements for how often accounts are attempted for contact, and settlement authorizations. All of these requirements are subject to the remote monitoring that is performed to ensure these are met.

Coming soon... Best practices for improving agency performance.