Many mortgage companies know they are required by various agencies to have an Internal Audit function. However, many companies outsource this service for cost-savings and convenience.
Every audit is unique, however an effective internal audit function typically includes the following steps.
Conduct a company-wide risk assessment.
Identify risks through review of policies and procedures, prior examination and quality control reports, and discussions with functional area managers. Outline mitigating controls and assign residual risk rating. Usually conducted annually or when the risk environment changes (i.e. structural changes within organization, new product or origination channels, regulatory changes, turnover of key personnel, etc.).
Develop a multi-year audit plan.
Use risk assessment and residual risks assigned, determine the priority and frequency auditable areas should be reviewed and develop a three-year audit schedule. Once the audit schedule is developed, get the necessary approvals as required by the organization (i.e. Board of Directors, Audit Committee, President/CEO).
Develop the Audit Programs
Through review of regulatory and agency requirements, as well company specific requirements addressed in related policies and procedures, develop audit programs to test if key internal controls are followed and operating as intended. Testing methods may include personnel interviews and walk-throughs, test of design and effectiveness, and/or transactional testing.
Execute the audit plan.
Utilizing the audit programs developed, conduct audits and identify findings, instances of noncompliance, or control deficiencies and report to management. Determine root-cause for the findings identified and, if necessary, develop and implement corrective action plans. Conduct remediation testing to ensure changes are being followed and operating as intended.
Note for company leaders: a common finding of regulators is that the audit function reports to compliance. The mortgage internal audit function must be independent of operational processes and totally free from influence of the business units, and should report directly to the Audit Committee. No personnel conducting the audit should have any involvement or responsibility in the areas under audit.
Our process is designed to help mortgage leaders understand their risks and mitigate them at every step. Our team is specialized in the mortgage industry, meaning we speak your language and understand your needs. Contact us to get started today!
