When we think of internal audits, we may think back to movies we’ve seen where a law enforcement department is under investigation for inappropriate behavior or illegal activities. Cops on the beat and/or performing criminal investigations consider these internal auditors intrusive and a detached breed that really doesn’t understand the actual inner workings of the job and the corresponding tasks: just like an IRS auditor, they’re just trying to make a bust and make a name for themselves. The folks on the street trying to bust criminals may understand the policies and procedures but adjust and adapt to them according to the situation at hand. Yes, in the end, the policies and procedures may be breached, and a risk of serious reprisals may result, but the job gets done and the final results may be positive.
However, a breach can have serious consequences. Breaches of policies and procedures could result in serious reprisals such as lawsuits or criminal violations. In addition, the more these policies and procedures are breached, the more it becomes a slippery slope whereby other employees deem these violations a modus operandi, escalating further violations. Behavior that is wrong becomes right.
In the end, employees within any enterprise need to understand the corral they can work and maneuver in. They need to know someone is monitoring them to ensure they are working within the corral and are accountable if they jump outside the corral. Internal audits help to assess whether the current policies and procedures are adequate and meet industry standards. The audit also assesses through testing if employees are adhering to them.
Audits should be performed by internal employees who are not performing the actual tasks or by independent auditors with broad experience. The end result of an internal audit is to identify risks and develop a plan to mitigate those risks. Work-flow process weaknesses, flawed policies and inappropriate employee behavior can all result in increased risks and potential reprisals and/or monetary penalties.
FNMA has a requirement that seller servicers need to have an internal audit program and perform periodic audits according to the planned audit program. FNMA has broad guidance and requirements on complying with the internal audit requirement. Mortgage bankers should visit FNMA’s web site to obtain the specific guideline requirements. Those guidelines are provided at the end of this article.
Let’s look at the key components of developing an internal audit program.
- Areas to Review: The first requirement is to identify the areas of the company that have risks. There are many areas and departments within a mortgage bank that have areas of risk. For example, quality control, secondary market and loan servicing are critical areas of a mortgage bank that should maintain written policies, procedures and controls to ensure employees perform their tasks in a compliant and best practice manner.
- Level of Risks: After identifying areas of risk, the next questions are what the degree of risk is and how the internal auditor prioritizes the review. Management and the internal auditor may develop an assessment tool to determine the degree of risk and develop the schedule of review based on the risk. For example, if management considers quality control or secondary market high risk, those areas should be reviewed quickly.
- Internal Audit Scope: The internal auditor must develop a scope document to perform the audit. A scope document should include an assessment of the policies, procedures and controls of the area under review. The assessment should include a gap analysis comparing the policies, procedures and controls to external counterparty requirements and industry best practices. The scope document should also include management and employee interviews to ensure there is an understanding of the policies, procedures and controls. And finally, the auditor should perform testing to ensure what is in writing and stated by employees is actually happening. The testing uncovers the true weaknesses and risks of each area.
- The internal auditor should memorialize the findings, including an executive summary that is presented to the board of directors and/or the owner. The written report should identify areas of risks and recommend appropriate action plans to address and mitigate risk.
CW believes internal audit is not a “Box Checking” process and should be performed by an experienced professional who has broad knowledge of all aspects of a mortgage banking operation. Identifying areas of risk and addressing them with appropriate action plans to reduce and mitigate those risks is much more pleasant than waiting for the CFPB, a state regulatory agency or one of the government agencies to uncover those areas of risk during an audit.
A4-1-01, Maintaining Seller/Servicer Eligibility (09/04/2018)
FNMA Current Internal Audit Requirements:
The seller/servicer must have internal audit and management control procedures to evaluate and monitor the overall quality of its loan production and servicing processes, as applicable. At a minimum:
- The procedures must be independent of all key functions of the loan manufacturing process and the servicing processes that they review, so that such procedures provide an objective and unbiased evaluation that adds value and improves the seller/servicer’s operations.
- The seller/servicer’s lines of reporting must reflect the independence of the audit process at all levels, resulting in activities that are conducted in an unbiased manner and without quality compromises resulting from internal influences or conflicts of interest.
- The audit function must not share any reporting lines with the functional areas that it reviews.
- The audit function must report directly to the seller/servicer’s senior management and/or board of directors. Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions. In those situations, the seller/servicer’s audit plan must include the rationale for the lack of separation as well as the controls that have been established to mitigate the risks associated with the lack of separation of these functions.
- The procedures must be consultative, so that they help the seller/servicer accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.