Brokerage Technology Inventory Audit

Pull the asset list from the MDM or RMM tool, then walk the office to reconcile against agents on the active roster. Flag any device assigned to a departed agent — devices that left with a former agent are a recurring trust-account and CRM-data risk.

List each multifunction printer and scanner used to digitize signed disclosures, EMD checks, and trust-account paperwork. Confirm scan-to-email destinations don't include personal Gmail addresses — a common compliance finding during file review.

Cross-check the Supra (or SentriLock) roster against the brokerage's active license list. Inactive agents who still hold lockbox credentials is a security and liability gap that surfaces here, not at the MLS level.

Pull the seat list from Follow Up Boss, kvCORE, BoomTown, or whichever CRM the brokerage runs. Identify dormant seats assigned to departed agents — paying for unused seats is the obvious problem; the bigger issue is that those seats often still hold lead history that should have been transferred to the team owner.

Document Dotloop, SkySlope, Brokermint, or zipForm Plus subscriptions including agent-level seats, broker-admin access, and integrated eSign vendors. Note which platform holds the system-of-record transaction file for state-commission file review.

Compare DocuSign/Dotloop Sign, ShowingTime, and MLS subscriber rosters against the active license list. MLS dues for departed agents and active eSign accounts on personal emails are the two most common findings.

Email account compromise drives most real-estate wire-fraud incidents — MFA on every agent's primary email is non-negotiable. Verify enforcement at the tenant level (Google Workspace / Microsoft 365 admin), not just self-attestation.

Walk the transaction coordinator through the verbal-verification protocol for every wire instruction: callback to a known title-company number, never the number on the emailed PDF. Confirm the wire-fraud advisory is delivered to buyers at contract acceptance, not the day before closing.

List every user with view, transact, or admin access to the broker's escrow/trust account. Departed bookkeepers and former office managers retaining access is a common state-commission finding. Reconcile against current employment.

Document where closed-transaction files actually live: SkySlope/Dotloop cloud, a brokerage SharePoint, an external archive, or all three. The system-of-record matters for state-commission file production requests.

State retention windows vary — commonly 3 to 7 years from closing — and apply to the full transaction file including agency disclosures, EMD records, and signed amendments. Look up your state commission's specific rule before signing off on retention duration.

Pick a closed file from the prior calendar year and restore it end-to-end: ratified contract, all addenda, signed disclosures, EMD ledger entry, CD/ALTA settlement statement. A backup that hasn't been test-restored isn't a backup.

Summarize gaps by section with severity and target remediation date. Attach the inventory exports so the next quarterly audit has a baseline to diff against.

For each gap recorded in the security review, open a ticket with the IT vendor or office manager naming the user, the system, and the fix. Set a 14-day SLA for MFA gaps and trust-account access removals — those don't wait until the next quarter.

Loop in the backup vendor or MSP the same day. A restore failure means the broker cannot prove file production for state-commission requests; this is a same-week fix, not a quarterly finding.