Internal Audit vs. Quality Control Requirements - Fannie Mae
February 17, 2022 BY MQMR Blogger
Are the pre-funding and post-closing Quality Control (QC) audits a mortgage lender performs sufficient to satisfy Fannie Mae’s Internal Audit (IA) requirement?
No, the QC audits and IA are separate Fannie Mae requirements.
Fannie Mae (as well as Freddie Mac, FHA, VA, etc.) requires a lender to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions. A QC audit generally reviews the end product, regardless of whether the process is credit or compliance-focused. QC audits, which are a form of transactional testing, are narrower in scope than Internal Audits.
With Internal Audit, the focus is not necessarily on the end product, but rather the adequacy, soundness, and effectiveness of internal controls within a lender’s processes to ensure that the lender attains the end result sought while complying with applicable investor guidelines, laws, and regulations and industry best practices.
As outlined in Fannie Mae’s Beyond the Guide, an appropriate IA program should at a minimum include the following key elements:
- An independent reporting structure with direct report to senior management and/or the board of directors. There should be no shared reporting lines within the QC functional areas to be reviewed by the internal audit function.
- A risk assessment methodology is used to identify the operational areas and functions to be audited and the frequency of those audits. The risk assessment is generally completed annually by the internal audit department to identify the scope of the review and apply risk rating to the areas to be reviewed. The risk assessment generally identifies the frequency of reviews based on the risk rating applied to the areas listed.
- Documented policies and procedures to detail the internal audit review processes, govern reporting to senior management, and address the remediation of findings.
- A departmental and functional audit schedule for a minimum 12-month period. The schedule should identify the areas subject to review during the current period and align with the risk assessment.
The number of audits and frequency should be commensurate with the size and complexity of the organization, but generally, a single, non-continuous internal audit is not acceptable.