BLOG

QUESTION

What is Internal Audit and is it a requirement for mortgage lenders?

ANSWER

Internal Audit is a function that independently evaluates the risks to the organization and the control environment that is in place. Typically, Internal Audit reports directly to the Board of Directors or Senior Management and is separate from all other departments to ensure that the evaluation remains independent.

Internal Audit is required if you are approved or seeking approval from any of the GSEs, and it is also becoming a requirement for some states. A common deficiency in a Fannie Mae or Freddie Mac review is an inadequate or non-existent internal audit program.

Entities approved or seeking to become approved with the GSEs must have, at a minimum, the following three items:

1. Risk Assessment - an assessment that evaluates the various risks of an organization, which may include, but is not limited to, reputational risk, compliance risk, fraud, etc.; and takes into consideration various factors such as past audit results, regulatory requirements, the potential for fraud, the experience of personnel, growth trends, and date of the last internal audit.

2. Policies and Procedures - an Internal Audit Policy and Procedure charter should be approved by the Board of Directors and put into place. 

3. Audit Plan - a minimum 12-month audit plan should be developed which outlines ongoing audits to be performed.  The audit plan should identify low, moderate, and high-risk areas, and the timeline for auditing those areas. 

For more information, check out Fannie Mae’s Seller/Servicer Risk Self-Assessment for Internal Audit about tips, recommendations, and requirements that every Seller/Servicer should have in place as part of its internal audit program or download MQMR’s Lenders Guide to Internal Audit.