Brokerage Technology Inventory Audit

Pull the asset list from the MDM or RMM tool, then walk the office to reconcile against agents on the active roster. Flag any device assigned to a departed agent — devices that left with a former agent are a recurring trust-account and CRM-data risk.

List each multifunction printer and scanner used to digitize signed disclosures, EMD checks, and trust-account paperwork. Confirm scan-to-email destinations don't include personal Gmail addresses — a common compliance finding during file review.

Cross-check the Supra (or SentriLock) roster against the brokerage's active license list. Inactive agents who still hold lockbox credentials is a security and liability gap that surfaces here, not at the MLS level.

Record each drone serial number and the Part 107 pilot it's assigned to. Verify FAA registration is current and that liability coverage extends to aerial listing photography — gaps here surface only after an incident.

Pull the seat list from Follow Up Boss, kvCORE, BoomTown, or whichever CRM the brokerage runs. Identify dormant seats assigned to departed agents — paying for unused seats is the obvious problem; the bigger issue is that those seats often still hold lead history that should have been transferred to the team owner.

Document Dotloop, SkySlope, Brokermint, or zipForm Plus subscriptions including agent-level seats, broker-admin access, and integrated eSign vendors. Note which platform holds the system-of-record transaction file for state-commission file review.

Compare DocuSign/Dotloop Sign, ShowingTime, and MLS subscriber rosters against the active license list. MLS dues for departed agents and active eSign accounts on personal emails are the two most common findings.

Cloud CMA, RPR, Canva Pro, BombBomb, and any farm-postcard service. Confirm brokerage branding compliance — designated REALTOR name and license number on every template — and that fair-housing-violating language scrubbers are turned on where available.

Email account compromise drives most real-estate wire-fraud incidents — MFA on every agent's primary email is non-negotiable. Verify enforcement at the tenant level (Google Workspace / Microsoft 365 admin), not just self-attestation.

Walk the transaction coordinator through the verbal-verification protocol for every wire instruction: callback to a known title-company number, never the number on the emailed PDF. Confirm the wire-fraud advisory is delivered to buyers at contract acceptance, not the day before closing.

List every user with view, transact, or admin access to the broker's escrow/trust account. Departed bookkeepers and former office managers retaining access is a common state-commission finding. Reconcile against current employment.

Verify FileVault or BitLocker is enforced on every device that handles client NPI (SSNs on loan apps, bank statements). Confirm screen-lock timeout is 5 minutes or less. Record any gaps — they drive the remediation step in the findings section.

Document where closed-transaction files actually live: SkySlope/Dotloop cloud, a brokerage SharePoint, an external archive, or all three. The system-of-record matters for state-commission file production requests.

State retention windows vary — commonly 3 to 7 years from closing — and apply to the full transaction file including agency disclosures, EMD records, and signed amendments. Look up your state commission's specific rule before signing off on retention duration.

Pick a closed file from the prior calendar year and restore it end-to-end: ratified contract, all addenda, signed disclosures, EMD ledger entry, CD/ALTA settlement statement. A backup that hasn't been test-restored isn't a backup.

The trust-account ledger is the single most-audited record in a brokerage. Confirm daily backup with off-site replication and a retention horizon that matches your state's statute of limitations on commission complaints.

Summarize gaps by section with severity and target remediation date. Attach the inventory exports so the next quarterly audit has a baseline to diff against.

For each gap recorded in the security review, open a ticket with the IT vendor or office manager naming the user, the system, and the fix. Set a 14-day SLA for MFA gaps and trust-account access removals — those don't wait until the next quarter.

Loop in the backup vendor or MSP the same day. A restore failure means the broker cannot prove file production for state-commission requests; this is a same-week fix, not a quarterly finding.

The designated REALTOR's signature closes the audit and locks the artifacts for the next quarterly review. File the signed report alongside the brokerage's compliance binder.