Banks and financial institutions overseen by the federal prudential regulators have been required to maintain a comprehensive internal audit function for years. But though independent mortgage banks have always had to conduct financial audits, it’s only since the financial crisis of 2008 that attention has turned to making them set up more robust audit functions.

With the current downturn in the mortgage market, as well as recently heightened regulatory oversight, there is sure to be a greater focus on risk and internal controls for mortgage companies. The Consumer Financial Protection Bureau (CFPB) and state regulators, as well as government-sponsored enterprises (GSEs) and other investors, are going to want to make sure that mortgage lenders have an independent view on high-risk areas of their company.

For example, the CFPB’s Compliance Management Review Examination Procedures state that: “A compliance audit program provides the board of directors or its designated committees with a determination of whether policies and procedures adopted by the board to guide risk management are being implemented and followed to provide for the level of compliance and consumer protection established by the board.”

Each of the stakeholders has a particular focus:

  • The CFPB (and to a degree, state regulators) targets consumer protection.
  • GSEs focus on origination and servicing processes, especially quality control (QC).
  • Investors look at loan quality, and how it is maintained.

Getting Started

What does all this mean for independent mortgage banks? It means you should take a good hard look at your internal audit and risk management programs to ensure that they meet the requirements of the CFPB, GSEs, and your investors. This article should help you in making that determination.

Lenders that sell loans to GSEs such as Fannie Mae are subject to a Mortgage Origination Risk Assessment (MORA) review, which includes assessing the adequacy and effectiveness of the company’s internal audit function. The size of your company will play a part in how much Fannie will want to see during the MORA.

For smaller mortgage companies, GSEs may want to see that you have an internal audit function and that it covers the mortgage origination and quality control processes. All mortgage companies that sell loans to Fannie are required to perform an annual independent review of their QC function. Larger companies (generally over $1 billion in originations) will likely have to show a more robust program that covers a full risk universe for the organization.

The CFPB has a different set of requirements (including an independent audit function as part of an effective Compliance Management System, or CMS). However, most companies will go through a MORA before they are examined by the CFPB. So, think of setting up your program for the MORA as basic blocking and tackling, while setting up the internal audit function for the CFPB is like getting ready for gameday.

What Does the CFPB Want from an Internal Audit Program? 

The CFPB expects mortgage companies to establish and maintain an effective CMS to assure executive management and the board of directors that compliance policies, procedures, and internal controls are working. One of the requirements of the CMS is an independent compliance audit program that is adequate for the size and scope of the company’s products and services. As noted earlier, the CFPB is going to be more focused on consumer protection. Some of the items you would want to see covered in your audit program while getting ready for gameday are:

  • Service provider oversight
  • Loan officer compensation
  • Fair lending practices
  • Adherence to consumer protection laws related to origination and/or servicing (which can include, to a lesser extent, information security requirements under the Gramm-Leach-Bliley Act Safeguards Rule)

One thing that a lot of companies get wrong as they establish an internal audit program is the “independent” piece of this puzzle. Generally, internal audit functions should report to the board, an audit committee, or some other committee of the board. Since many mortgage companies do not have a board, this independence becomes a bit more challenging. One alternative is to set up an audit committee composed of executive leaders representing different areas of your company. To avoid tied votes, the committee should have an odd number of members, and a member whose own area is under review should not vote on that matter. Some examples of audit committee members include the following:

  • Chief Executive Officer
  • President
  • Chief Financial Officer
  • Chief Operating Officer
  • Chief Administrative Officer
  • Chief Compliance Officer
  • General Counsel
  • Chief Information Security Officer

The audit committee should not only be independent, but also active in holding the audit team to its practices as outlined in the internal audit charter. While the CFPB does not lay out explicit requirements, the bureau generally expects mortgage companies to provide the following during an examination (gameday):

  • A monitoring or audit review schedule for the exam review period and the following 12 months
  • Applicable risk assessments that led to the creation of the audit plan
  • Engagement letters or contracts if audit(s) are performed by a third party
  • Proof of the reporting structure, including whether the audit team is independent from the business lines and compliance management function and reports its findings directly to the board or an audit committee
  • Adequate workpapers for audits performed
  • Policies and procedures implemented to govern the reporting to senior management and the remediation of findings

A whole article could be dedicated to the subject of workpapers. However, there are a few basic components to consider (blocking and tackling!) to create adequate and effective workpapers. These include:

  • An objective (what are you trying to achieve?)
  • A conclusion
  • References to all documents the auditor used to reach the conclusion
  • Most importantly, enough information so that an objective third party can come to the same conclusion as the auditor, based on the information within the workpaper

What Do the GSEs Want? 

In addition to the CFPB requirements, the GSEs have their own, which are framed more broadly. The GSE guidelines generally state that the seller/servicer must have internal audit and management control processes to evaluate and monitor the overall quality of its mortgage loan production and/or servicing. In substance, these requirements overlap heavily with the CFPB’s.

As noted above, Fannie Mae’s MORA review also includes an assessment of the adequacy and effectiveness of the company’s internal audit function, which may include some of the same review components included in a CFPB examination, although the MORA is more focused on origination.

Most mortgage companies will undergo a MORA review before an examination by the CFPB, so your exam will be less challenging if you have an effective program in place before the bureau knocks. At an absolute minimum, be sure to have your annual independent quality control review performed by your internal audit function. This is basic blocking and tackling.

How About Investors?

Similar to the GSEs, investors and warehouse lenders want to ensure that the companies they do business with have an effective corporate governance program that includes an effective internal audit function. Investors will perform initial and ongoing due diligence reviews to ensure that the lender’s corporate governance structures are adequate. Companies may be subject to additional scrutiny from investors about their risk management if they do not have an effective internal audit function.

What Are Some Best Practices? 

In addition to the general requirements of the regulators, GSEs, and investors noted above, some general audit best practices include:

  • Make sure your audit function is independent.
  • Develop and maintain an audit universe. This can be created and managed through the annual internal audit risk assessment process. This audit universe will identify the operational areas of your organization that are important enough to be included in the audit program.
  • Perform an annual internal audit risk assessment. This will work to identify the areas of your organization that will be included in the audit plan, as well as the frequency of the audits. This assessment will also apply a risk rating to each of the areas included in the audit universe. The risk assessment must be adequate for the size and scope of your organization’s products and services.
  • Audit schedules should be created for no less than a 12-month period. This schedule should always align with the risk assessment.
  • Always make sure your workpapers are adequate and complete. Incorporate a second-level review for workpapers that includes a signoff.

So, What Should You Do?

Does your company have an internal audit function? If yes, does it meet all of the investor, GSE, and regulatory requirements? If not, do you know where the gaps are and how to address them?

Keep in mind that having a great internal audit function is not only a requirement, but it can also add a lot of value to your organization. Internal auditors spend their time examining risks to the company, and meeting with and understanding all the business units and how they interconnect. They can be a great source of information for what is going on in the trenches, and can alert senior and executive management to significant risks before they do harm.

And don’t forget about the audit committee (or equivalent). The internal audit function cannot be truly independent from the business without an independent function overseeing it. Not only can the audit committee provide guidance to the internal audit program, it can effect change when the business may not agree with risk identified by internal audit. That’s because the board and/or a committee truly understands the company’s risk appetite and can make more objective decisions on risk. This is an essential part of the internal audit program.

So, is your internal audit function ready for gameday? If not, it’s time to enhance the playbook and hit the practice field.

1 CFPB Examination Procedures, CMR 10: