SOC 1 (SSAE 18) · Mortgage Industry
SOC 1 for Mortgage Servicers
ICFR controls your investors' auditors require. A comprehensive guide to SOC 1 attestation for mortgage servicers and subservicers — from loan boarding accuracy to escrow administration, investor remittance, and CUECs.
Tranquility Cybersecurity has supported 100+ SOC 1 engagements for service organizations across mortgage, financial services, and fintech — readiness through CPA examination.
AICPA SSAE 18 (AT-C 320) · ISAE 3402 internationally · Last reviewed June 2026
The Business Case
Why Mortgage Servicers Need SOC 1
Direct answer: Mortgage servicing directly affects financial-statement line items for every investor who holds loans in your portfolio. Interest income, loan/principal receivable balances, escrow liabilities, servicing advances, investor payables, and suspense balances all originate from the records your servicing platform maintains and the remittances your team transmits.
Under SSAE 18 (AT-C Section 320), when a user entity relies on a service organization for processes relevant to its Internal Control over Financial Reporting (ICFR), that entity's external auditors must obtain assurance over the service organization's controls. A SOC 1 report — formally a “Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting” — provides exactly that assurance. Internationally, the equivalent standard is ISAE 3402 issued by the International Auditing and Assurance Standards Board.
Without a SOC 1 report, each investor's external auditor must either visit your servicing facility to test controls directly — expensive and disruptive — or issue a scope limitation on the investor's financial-statement audit. GSEs (Fannie Mae, Freddie Mac, Ginnie Mae) and institutional private-label investors treat the absence of a current SOC 1 Type II as a serious servicing-counterparty risk.
How Mortgage Servicing Affects Investor Financial Statements
Interest Income
P&I remittances drive interest income recognition on the investor's income statement. Remittance errors overstate or understate recorded revenue.
Loan / Principal Receivable
Principal balances on the balance sheet depend on accurate payment application and modification accounting. Errors misrepresent asset values.
Escrow Liabilities
Funds collected from borrowers for taxes and insurance are held liabilities. RESPA-non-compliant escrow analysis distorts this balance.
Servicing Advances
P&I advances made on delinquent loans are assets on the servicer's and investor's books. Unrecorded or over-advanced amounts misstate recoverability.
Investor Payables
Remittance amounts owed to investors but not yet wired are current liabilities. Reconciliation gaps cause timing differences in payable balances.
Suspense Balances
Unapplied cash in suspense is a balance-sheet liability. Aged suspense items signal payment-application control failures to auditors.
What Auditors Test
Mortgage-Specific Control Objectives
The following control objectives are typical for mortgage servicers and subservicers. Your CPA firm will tailor the exact objectives based on the services you perform, but these six areas cover the core of what investor auditors need to see.
Loan Boarding & Setup Accuracy
Controls ensuring accurate transfer of loan terms at onboarding and reconciliation to the prior servicer.
- Accurate capture of interest rate, principal balance, escrow balance, and maturity date from the prior servicer transfer file
- Reconciliation of boarding data to the trailing mortgage documents and pooling-and-servicing agreement (PSA)
- Validation of borrower demographics, payment history, and insurance information before first statement generation
- Segregation of duties between the boarding team and the team that activates the loan on the servicing platform
- Exception queues for tolerance variances with documented resolution and approval before boarding completion
Payment Processing & Application
Controls over the correct application of payments to principal, interest, escrow, and fees per the payment waterfall; suspense-account management.
- Application of funds strictly per the payment waterfall defined in the note (interest first, then principal, then escrow, then fees)
- Automated waterfall logic with daily exception reports for any payment not applied within the standard processing window
- Suspense-account controls: unapplied funds posted to suspense within 24 hours and resolved or returned within regulatory deadlines
- Returned-payment (NSF/reversed ACH) workflow with timely reversal and borrower notification
- Reconciliation of daily payment postings to lockbox bank deposits before end-of-day cut-off
Escrow Administration
Annual escrow analysis, accurate and timely tax and insurance disbursements, and RESPA shortage/surplus handling.
- Annual escrow analysis conducted in compliance with RESPA Section 10 (12 CFR 1024.17) with timely disclosure to borrowers
- Automated disbursement scheduling tied to county tax due dates and insurance renewal dates
- Dual-authorization for escrow disbursements above a defined dollar threshold
- Shortage and surplus calculation methodology applied consistently across the portfolio, with repayment plan or refund issued within RESPA timelines
- Post-disbursement confirmation reconciling disbursed amounts to tax bills and insurance invoices; exceptions reported to management within one business day
Investor Reporting & Remittance
Accurate remittance and reporting to investors (Fannie Mae, Freddie Mac, Ginnie Mae, private), and custodial cash reconciliation.
- Principal and interest (P&I) remittance to GSEs (Fannie Mae, Freddie Mac) and Ginnie Mae pools calculated per the applicable servicing guide and remitted by the required date
- Investor reporting files (MISMO, eMBS, loan-level data) generated, reconciled, and transmitted by investor-specified deadlines
- Custodial bank account reconciliation performed daily; open items aged beyond 30 days escalated to management
- Segregation between the remittance calculation team and the treasury team transmitting funds
- Trailing documentation completeness reviews before each investor reporting cycle close
Default & Loss-Mitigation Accounting
Accurate accounting for delinquency, forbearance, modifications, and foreclosure/REO proceeds.
- Delinquency-status coding (30/60/90/120+ days) updated nightly; mismatches between system status and actual payment dates flagged for same-day correction
- Forbearance plan accounting tracks deferred principal and interest separately from current obligations per applicable GAAP guidance
- Loan modification effective-date controls ensure payment streams, rate changes, and term extensions are applied as of the modification effective date
- Foreclosure and REO accounting tracks advances, legal costs, and sale proceeds against reserve estimates with variance analysis
- Loss-mitigation decision audit trail capturing approvals, denial reasons, investor concurrence, and regulatory compliance checks
Payoff & Lien Release
Accurate payoff quotes, payoff application, and timely lien release; segregation of duties.
- Payoff quote generation calculates per-diem interest, outstanding escrow advances, prepayment penalties, and fees accurately as of the requested payoff date
- Payoff funds applied to the loan account on the date received; excess funds refunded to the borrower within three business days
- Segregation between the staff issuing payoff quotes and the staff applying payoff proceeds to prevent unauthorized fee manipulation
- Lien release (satisfaction of mortgage) initiated within the statutory deadline for each state; tracking dashboard monitors open releases against due dates
- Reconveyance and lien-release documents reviewed for accuracy before recording submission; post-recording confirmation matched to the closed loan file
From the Audit Floor
Common Audit Findings in Mortgage SOC 1
These four findings appear repeatedly across mortgage servicing SOC 1 engagements. Address them during the readiness phase to avoid exceptions in your report.
Misapplied Payments Without Reconciliation
Payments are posted to the wrong loan or applied out of waterfall order (e.g., fees satisfied before escrow), and no daily reconciliation detects the error. The variance sits in suspense for weeks, distorting investor remittance and borrower statements.
Impact: Investor reporting discrepancies, RESPA/CFPB regulatory exposure, and a qualified opinion in the SOC 1 report citing inadequate payment-application controls.
Remediation: Implement an end-of-day exception report comparing posted payments to the contractual waterfall. Require supervisory sign-off on any payment applied outside the standard rule set. Reconcile suspense balances to zero daily with aged-item escalation after 48 hours.
Escrow Disbursement Errors and Late Tax Payments
Tax disbursement schedules are not updated when counties change due dates, or insurance renewal dates shift after a carrier change. Late or incorrect disbursements trigger penalties, force-placed insurance events, or tax-sale risk on the property securing the loan.
Impact: Borrower harm, lender/investor losses, RESPA Section 10 violations, and a SOC 1 exception for inadequate escrow disbursement controls.
Remediation: Automate tax-due-date ingestion from a third-party tax service updated at least quarterly. Require pre-disbursement reconciliation of the disbursement amount to the tax bill or insurance invoice, with dual authorization for disbursements above a materiality threshold.
Investor Remittance Reconciliation Gaps
Custodial account balances are not reconciled to investor remittance files before funds are wired. Rounding errors, manual overrides, and pool-level adjustments accumulate undetected, causing out-of-balance investor statements and audit exceptions.
Impact: GSE or private-investor sanctions, potential breach of the pooling-and-servicing agreement, and a control exception for incomplete reconciliation procedures.
Remediation: Require a sign-off from a supervisor independent of the remittance preparer before any wire transmission. Implement a three-way reconciliation: loan-level remittance file → custodial bank statement → investor report. Investigate and clear all differences before the wire cut-off.
Incomplete Offboarding and Undocumented Manual Loan-Balance Adjustments
Terminated servicing staff retain active credentials in the servicing system after their employment ends. Separately, principal balance adjustments (write-downs, capitalized modifications) are processed manually without a documented approval trail, making it impossible to determine who authorized the change.
Impact: Unauthorized-access finding and a separate exception for insufficient evidence on manual adjustments; user-entity auditors flag both as ICFR deficiencies.
Remediation: Enforce a same-day access-revocation SLA for all offboarding events, triggered automatically from the HRIS termination workflow. Require every manual balance adjustment to be submitted via a change-request ticket with manager and compliance approval before posting, and retain the ticket in the loan file.
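The two checks in the remediation above, written as an added Python example (not from the original guide or the firm's tooling). The record layouts, field names, ticket ids and all sample data are constructed assumptions, not a real HRIS or servicing-platform schema.

```python
from datetime import date

# Constructed sample data: HRIS terminations (employee id -> termination date).
HRIS_TERMINATIONS = {"e1001": date(2026, 3, 2), "e1002": date(2026, 3, 9),
                     "e1004": date(2026, 3, 10)}
# Constructed export of servicing-system accounts (hypothetical field names).
ACCOUNTS = [
    {"user": "e1001", "enabled": False, "disabled_on": date(2026, 3, 2), "last_login": date(2026, 2, 27)},
    {"user": "e1002", "enabled": True, "disabled_on": None, "last_login": date(2026, 3, 11)},
    {"user": "e1003", "enabled": True, "disabled_on": None, "last_login": date(2026, 3, 12)},
    {"user": "e1004", "enabled": False, "disabled_on": date(2026, 3, 12), "last_login": date(2026, 3, 10)},
]
# Constructed manual principal-balance adjustments and change-request tickets.
ADJUSTMENTS = [
    {"loan": "L-0001", "amount": -2500.00, "posted_on": date(2026, 3, 5), "ticket": "CR-101"},
    {"loan": "L-0002", "amount": -900.00, "posted_on": date(2026, 3, 6), "ticket": None},
    {"loan": "L-0003", "amount": 4100.00, "posted_on": date(2026, 3, 6), "ticket": "CR-102"},
    {"loan": "L-0004", "amount": -150.00, "posted_on": date(2026, 3, 7), "ticket": "CR-103"},
]
TICKETS = {
    "CR-101": {"manager_approved": date(2026, 3, 3), "compliance_approved": date(2026, 3, 4)},
    "CR-102": {"manager_approved": date(2026, 3, 5), "compliance_approved": None},
    "CR-103": {"manager_approved": date(2026, 3, 6), "compliance_approved": date(2026, 3, 8)},
}

def offboarding_exceptions(terminations, accounts, as_of):
    """Flag accounts that breach the same-day access-revocation SLA."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct["user"])
        if term is None or term > as_of:
            continue  # active employee, or termination not yet effective
        if acct["enabled"]:
            findings.append((acct["user"], "still enabled"))
        elif acct["disabled_on"] > term:
            findings.append((acct["user"], "revoked late"))
        # A login dated after the termination date is evidence of actual use.
        if acct["last_login"] and acct["last_login"] > term:
            findings.append((acct["user"], "login after termination"))
    return findings

def adjustment_exceptions(adjustments, tickets):
    """Flag manual adjustments lacking manager and compliance approval before posting."""
    findings = []
    for adj in adjustments:
        ticket = tickets.get(adj["ticket"])
        if ticket is None:
            findings.append((adj["loan"], "no change-request ticket"))
            continue
        approvals = (ticket["manager_approved"], ticket["compliance_approved"])
        if None in approvals:
            findings.append((adj["loan"], "approval missing"))
        elif max(approvals) > adj["posted_on"]:
            # Date granularity only: same-day approval is treated as timely.
            findings.append((adj["loan"], "approved after posting"))
    return findings

if __name__ == "__main__":
    for user, reason in offboarding_exceptions(HRIS_TERMINATIONS, ACCOUNTS, date(2026, 3, 13)):
        print(f"ACCESS  {user}: {reason}")
    for loan, reason in adjustment_exceptions(ADJUSTMENTS, TICKETS):
        print(f"ADJUST  {loan}: {reason}")
```

Run daily, the output doubles as the exception report an auditor samples during the Type II observation period.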
Client Responsibilities
CUECs for Mortgage Investors & Owners
Complementary User Entity Controls (CUECs) define the responsibilities investors, master servicers, and loan owners must fulfil for the servicer's controls to work as designed. Your SOC 1 report lists these explicitly so that each investor's external auditor can test them on the investor side.
Supply Accurate Loan Data at Boarding
The investor or owner must provide complete and accurate boarding files — including note terms, escrow balances, payment history, and insurance information — by the agreed cut-off date. Errors or omissions in the boarding file are outside the servicer's control and may result in payment application or reporting inaccuracies.
Review Investor and Remittance Reports
The investor or master servicer must review the periodic investor remittance report and reconcile it to their own accounting records each reporting cycle. Unresolved variances not flagged to the servicer within the review window fall outside the servicer's control boundary.
Approve Loss-Mitigation Decisions and Modifications
Where investor concurrence is required for forbearance plans, loan modifications, or short-sale approvals, the investor must provide timely written approval. Delays in investor sign-off can result in accounting entries that do not reflect the true modification effective date.
Reconcile Custodial Accounts
The investor or custodian is responsible for reconciling custodial bank account statements to the servicer's remittance files and notifying the servicer of any discrepancy within the agreed reconciliation window. Custodial discrepancies identified after the close of the reporting period may not be correctable within that period.
Notify of Regulatory or Investor-Guide Changes
The investor must promptly notify the servicer of any changes to the applicable servicing guide, pooling-and-servicing agreement, or regulatory requirement (e.g., a new GSE servicing directive or CFPB rule) that affects remittance, escrow, or loss-mitigation procedures. The servicer relies on timely notice to update system configuration and procedures.
Best practice: Include a CUEC mapping table in your SOC 1 report and in investor onboarding materials so that finance teams and their auditors know exactly which controls sit on their side of the boundary. Poorly communicated CUECs are the most common source of friction during investor audits of the servicer relationship.
Dual-Report Strategy
SOC 1 + SOC 2 for Servicers with Borrower Portals
If you operate a borrower-facing web or mobile portal for payment processing, statement access, or loss-mitigation requests, your prospects will likely ask for both reports. Each serves a different audience and purpose:
SOC 1 (ICFR)
- Audience: Investor CFOs and their external financial-statement auditors
- Focus: Controls relevant to investor financial reporting (interest income, loan receivables, escrow liabilities, remittances)
- Standard: SSAE 18 (AT-C 320) / ISAE 3402
- Tests: Loan boarding accuracy, payment application, escrow disbursement, investor remittance reconciliation
SOC 2 (Trust Services)
- Audience: Investor CISOs, compliance teams, and borrower-facing operations
- Focus: Operational controls — security, availability, confidentiality, and privacy of borrower PII
- Standard: SSAE 18 (AT-C 205) / Trust Services Criteria
- Tests: Access controls, encryption, borrower portal uptime, incident response, borrower data privacy
The efficiency argument: A coordinated dual-report engagement lets the CPA firm test overlapping controls once. General IT controls — access management, change management, incident response — are relevant to both reports, so a single audit can produce two reports at 30–40% less effort than running them independently.
Tranquility Cybersecurity's role: We handle the readiness, gap assessment, remediation, and evidence preparation for both reports. An independent CPA firm performs the attestation examination and issues the final SOC 1 and SOC 2 reports. This separation preserves auditor independence as required by professional standards.
Frequently Asked Questions
Common questions about SOC 1 for mortgage servicers — scope, control objectives, RESPA, investor requirements, CUECs, and dual-report strategy.
Why do mortgage servicers and subservicers need a SOC 1 report?
Mortgage servicing directly affects multiple financial-statement line items for the investors and owners who hold the loans: interest income, loan receivable balances, escrow liabilities, servicing advances, and investor payables all flow from the servicer's records and remittances. Under SSAE 18 (AT-C 320), when a user entity relies on a service organization for processes relevant to Internal Control over Financial Reporting (ICFR), its external auditors must obtain assurance over the servicer's controls. A SOC 1 report satisfies that requirement across the entire investor base without individual on-site audits at the servicer.
What is the difference between SOC 1 Type I and Type II for a mortgage servicer?
A Type I report describes the servicer's control environment and confirms that controls are suitably designed at a single point in time. A Type II report goes further: it tests whether those controls actually operated effectively over an observation period of six to twelve months. Most GSE servicing guides and institutional investors require a Type II because it proves sustained control performance, not just a design snapshot. Subservicers bidding on new servicing agreements are regularly asked to provide the most recent Type II report as part of due diligence.
What control objectives do auditors expect in a mortgage servicing SOC 1?
At minimum, auditors expect to see: loan boarding and setup accuracy (rate, balance, escrow, maturity reconciled to prior servicer); payment processing and application (waterfall compliance, suspense management); escrow administration (RESPA-compliant analysis, timely tax/insurance disbursements); investor reporting and remittance (P&I remittance accuracy, custodial reconciliation); default and loss-mitigation accounting (delinquency coding, modification effective-date controls); and payoff and lien release (accurate per-diem calculations, timely satisfaction filings). The exact objectives are scoped by your CPA firm based on the specific services you perform.
How does RESPA / escrow compliance tie into a SOC 1 audit?
RESPA Section 10 (12 CFR 1024.17) imposes specific requirements on escrow analysis frequency, shortage repayment timelines, and surplus refund deadlines. A SOC 1 auditor evaluates whether the servicer's controls consistently enforce these requirements — for example, whether annual escrow analyses are generated and disclosed within RESPA timelines, and whether disbursements are made before tax penalties are incurred. RESPA compliance failures that surface during the audit period will appear as exceptions in the SOC 1 report unless remediated.
What are CUECs in a mortgage servicing context?
Complementary User Entity Controls (CUECs) define what investors, master servicers, and loan owners must do for the servicer's controls to work as designed. Typical mortgage-servicing CUECs include: supplying accurate boarding files by the agreed cut-off, reviewing and reconciling investor remittance reports each cycle, providing timely approval for loss-mitigation decisions requiring investor concurrence, reconciling custodial accounts, and notifying the servicer of changes to the applicable servicing guide or regulatory requirement. The SOC 1 report lists these explicitly so that each investor's external auditor knows which controls sit on the investor side of the boundary.
Does a mortgage servicer with a borrower-facing portal also need SOC 2?
Yes, in most cases. SOC 1 covers ICFR controls relevant to investor financial reporting. If the servicer also operates a borrower-facing web or mobile portal through which borrowers make payments, access statements, or submit loss-mitigation requests, prospects and regulators will often ask for SOC 2 in addition to SOC 1. SOC 2 covers the Trust Services Criteria — security, availability, confidentiality, and privacy — which are directly relevant to borrower PII and portal uptime. A dual-report engagement allows the CPA to test general IT controls once and produce both reports efficiently.
How much does a SOC 1 for a mortgage servicer cost?
Cost depends on the size of the serviced portfolio, the number of control objectives, investor types (GSE vs. private), and report type (Type I vs. Type II). Budget for two components: the CPA firm's attestation fee and the readiness/consulting fee. Tranquility Cybersecurity provides readiness, gap assessment, evidence preparation, and remediation support for mortgage SOC 1 engagements at a significant cost advantage versus US- or UK-based firms. Contact us for an indicative scope and fee.