MQMR performs internal audit risk assessments and ongoing internal audit support to lenders of all sizes.

Leverage internal audit to identify credit, regulatory, operational, financial, and reputational risks, as well as evaluate and improve the effectiveness of risk management, control activities, and governance processes within your organization.


What is the difference between QC and Internal Audit?

A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in either their origination or servicing functions. A QC audit looks at the end product, regardless if the process is credit or compliance focused. Generally, you find that QC audits, which are basic forms of transactional testing, are narrower in scope than Internal Audits, which tend to be broader in scope.

Internal Audits identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. When Internal Auditors test controls in a process, they are not necessarily looking at the end product like a QC audit, but rather looking at the controls within a process to ensure the end product is attained and all investor guidelines, laws and regulations and industry best practices are followed.


What are the GSEs’ requirements?

The GSEs are broad in their requirements for seller/servicers to maintain an internal audit program.  The guidelines broadly state that the seller/servicer must “have internal audit and management control processes to evaluate and monitor the overall quality of its mortgage loan production and/or servicing, which must include the following minimum requirements”:.

  • The procedures must be independent of all key functions of the loan manufacturing process and the servicing processes that they review.
  • The seller/servicer’s lines of reporting must reflect the independence of the audit process at all levels.
  • The audit function must not share any reporting lines with the functional areas that it reviews.
  • The audit function must report directly to the seller/servicer’s senior management and/or board of directors. Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions.
  • The procedures must be consultative, so that they help the seller/servicer accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.


This means that ongoing audits must be performed of the seller/servicers operations and functions to ensure that loans sold to these entities meet investor requirements. Through MQMR’s review of Fannie MORA and Freddie CORE examination findings, in addition to discussions with various Fannie/Freddie representatives, we have been able to extrapolate some basic requirements and key elements that an appropriate Internal Audit program must include:

  1. The risk assessment methodology used to identify the operational areas and functions to be audited and the frequency of those audits. The Risk Assessment is generally completed on an annual basis by the Internal Audit Department to identify the scope of the review and apply risk rating to the areas to be reviewed. The Risk Assessment generally identifies the frequency of reviews based upon the risk rating applied to the areas listed.
  2. The policies and procedures implemented to govern the reporting to senior management and the remediation of findings.
  3. The departmental and functional audit schedule for a minimum 12-month period. This schedule should identify the areas subject to review during the current period and it should align with the risk assessment.


If the Seller chooses to contract with a qualified third party vendor to complete the audit process, they must provide the following to Fannie Mae:

  1. Complete copy of the executed contract, or certified statement of work, between the vendor and Seller;
  2. The contract, or certified statement of work, must include policies and procedures for auditing each function or department within the organization, and the reporting methodology and distribution;
  3. The procedures for how and when findings will be remediated and monitored; and,
  4. The departmental and functional audit schedule for the following 12-month period.


What are general terms that I should know about Internal Audit?

While there are other requirements, the items listed above are the most common baseline findings. MQMR’s program has been developed over the years to ensure we’re meeting these requirements. While the Fannie Mae Selling Guide glossary does not provide specific definitions, these terms are referenced at various points in the guide:

Internal Audit – Fannie will require that a lender have an Internal Audit function in place which an organization and its management controls to evaluate and monitor the overall quality of its loan production. Internal Audit is not formally defined in the Selling Guide, but the definition and link from The Institute of Internal Auditors ( states that, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Internal Control –The FHFA website provides additional guidance on Internal Controls and applies to Fannie Mae and Freddie Mac. The statement in section A1-1-01 also speaks to Management Controls, which can be used interchangeably with Internal Controls.

The Operational Risk Management program states, “Risk identification and assessment includes processes that assess both the severity and likelihood of operational events with consideration given to the quality of controls and infrastructure that are designed to prevent, avoid, or reduce the likelihood of occurrence of operational events and their impact should they occur. These internal controls should meet or surpass industry standards and be periodically reviewed as part of an effective internal risk control self-assessment (RCSA) process.”

Internal Policies – Internal Policies are simply the policies that an entity establishes to govern their various functional area activities. To put it in context; the Lender should establish Internal Policies to manage their business and ensure compliance with regulatory and investor requirements. They must establish Internal Controls to ensure that the Internal Policies are followed. And lastly, they should establish an independent Internal Audit program that evaluates the lenders compliance with their Internal Policies and the effectiveness of their Internal Controls.