Since 2004, NYSE-listed companies have been required to maintain an internal audit function to provide ongoing assurance of the effectiveness of the company’s control environment and risk management processes to company management and key stakeholders, including the board of directors, audit committee, and shareholders. While many non-public corporations, such as mortgage companies and other non-bank financial services organizations, have used internal audits in the past to manage their operations, many are only now beginning to fully develop the role.
Following the financial crisis of 2008, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) formed the Consumer Finance Protection Bureau (CFPB), and with it came enhanced scrutiny of mortgage sector compliance with consumer financial regulations. Other prudential regulatory agencies and the Department of Justice are focused on strategic, credit, operational, and other compliance issues, while the CFPB is focused on consumer regulatory compliance. As mortgage companies adjust to the new normal, management must be aware of the state of their control environment and identify potential strategic, credit, operational, and compliance risks. Understanding your risks should be enough to justify investing in an internal audit function; but, there are also compelling business reasons to do so.
NO SURPRISES — When you know what to expect, you sleep better. The purpose of an internal audit is to offer management and the audit committee independent objective assurance about the effectiveness of the organization’s risk management, control, and governance systems.
UNDERSTAND RISKS – Internal audit should give management a clear picture of the company’s major risks.
QUALIFICATION TO SELL TO GSEs – Approved sellers and servicers must “have internal audit and management control systems to review and monitor the overall quality of its loan production and servicing,” according to GSEs like the Federal National Mortgage Association (Fannie Mae).
OPPORTUNITIES FOR OPERATIONAL ENHANCEMENTS– Private companies with a wide range of product offerings will find that a strong internal audit function can help them not only improve their control environment but also identify operational efficiencies and cost savings, which is the desired outcome from any investment.
REDUCE COMPLIANCE ERRORS – Inadvertent operational errors frequently result in technical compliance errors or errors that harm consumers. Internal auditing of operational procedures can help to avoid mistakes like this, which can result in expensive customer remediation or litigation.
MISSION OF THE INTERNATIONAL AUDIT
Internal audit is defined as “an independent, objective assurance and consulting activity aimed to add value and improve an organization’s operations” by the Institute of Internal Auditors (IIA). It assists a company in achieving its goals by implementing a systematic, disciplined approach to evaluating and improving the efficacy of risk management, control, and governance systems.”
The three lines of defense model is a generally established method of designing an organization-wide management system. The following is how the model assigns control duties and responsibilities to different parts of the organization:
At this level, management should be able to determine whether front-line employees are following organizational policies and procedures correctly. Internal controls, self-monitoring, and correction should all be embedded into day-to-day operations so that department managers and supervisors can check that duties are being carried out in line with business policies and procedures.
The second line, which is mostly a management function, advises business units on how to create and organize controls to limit risks. The second line of defense is usually responsible for continuing and periodic monitoring, as well as assisting management with control enhancements when necessary.
The audit function is an important part of a good corporate governance structure because it gives the board of directors and executive management independent assurance regarding the efficacy of internal controls and the level of compliance in the company’s operations.
THE INTERNAL AUDIT FUNCTION’S STRUCTURE
Management has some leeway in selecting how to set up the internal audit function, as the function should be proportional to the size and complexity of the firm. Rather than staffing the full role internally, some firms may choose to use external resources to supplement it. Internal auditing costs rise in tandem with a company’s size and complexity, thus organizations should examine which audits should be handled internally vs outsourced to a third-party service provider on a regular basis for enhanced oversight and efficiency. The following are some other factors to consider while establishing an internal audit function:
Accountability – While an audit function’s activities can be outsourced, management is nonetheless responsible for the function and its outcomes.
Expertise – Auditors must possess the necessary knowledge and expertise in the audited area(s).
Training – Training costs are incurred in order to maintain the required knowledge and expertise.
Independence – In appearance and fact, the audit function must be devoid of influence or bias. This is vital not only if you have an in-house audit department, but also if you hire a third-party agency. Rather than the Chief Financial Officer, Compliance Officer, or Operations Manager, the general counsel, top management, appointed Chief Audit Executive, or the board should employ third-party businesses.
Vendor Management – If the function is outsourced, make sure you analyze the external resource using your vendor management program. Remember that they are an extension of your team, and you are ultimately responsible for their behavior.
Internal auditing is the process of identifying hazards, identifying controls to minimize those risks, testing those internal controls for adequacy and effectiveness, and ensuring that appropriate corrective action is implemented when necessary. The following are typical key steps in a good internal audit function:
Conduct a company-wide risk assessment to ensure that all relevant risks have been recognized, graded, and addressed effectively.
The first stage in building a thorough risk-based audit plan is to conduct a company-wide risk assessment.
While the risks to be analyzed differ for each firm, common risk categories include strategic, credit, compliance and legal, reputational, financial, and operational risk. Risks should be assessed and prioritized at least once a year, and more frequently if significant operational or product changes occur.
A Mortgage Origination Risk Assessment (MORA) evaluation is conducted on non-depository mortgage bankers who sell loans to Fannie Mae. Internal Audit has been recognized as an issue that requires management’s attention in these reviews by Fannie Mae. Risk assessments should cover areas such as Quality Control, Originations, Closing, Funding, Underwriting, Servicing, and Secondary Marketing, as well as other areas relevant to Fannie Mae’s investor needs.
Allow enough time to adequately address all of the components required for an effective internal audit function if internal auditing is an area that needs improvement. The difference between a hastily created internal audit function aimed to avoid criticism and penalties and an effective, worthwhile function designed to add value and improve an organization’s operations will be determined by how much time you devote to this procedure.
Develop a multi-year risk-based audit plan to determine whether controls are in place and functioning as intended. The risk assessment will aid in the creation of a multi-year audit strategy. Areas classified as lower risk can be audited on a semi-annual or even tri-annual basis, therefore a multi-year approach is recommended. The audit plan should specify how often each area will be audited, with higher-risk areas being audited more regularly, at least once a year. At the conclusion of each risk assessment update, the multi-year audit plan should be examined and, if necessary, revised. Fannie Mae has requested the organization’s audit plan, which identifies which sections will be reviewed, their relative risk ratings, and the scheduling of audits, as part of their MORA evaluation. Mortgage lenders will need to set aside enough time to undertake the risk assessment before designing the audit strategy to meet the MORA standards.
Estimating the audit plan without first doing a thorough risk assessment might lead to misdiagnosed or undetected hazards, which can wind up costing the company more in the long run. Examine processes and controls to determine what needs to be improved in the control environment. Audits should evaluate policies, procedures, practices, and controls, and they should be carried out using a variety of techniques, including key personnel interviews, policy and procedure reviews, and extensive transactional testing. If problems or flaws are discovered, the auditor should provide practical solutions to address the underlying cause of the problem, such as modifications to procedures or controls, extra training, or increased monitoring. Internal auditors should be considered as partners who have the organization’s best interests at heart. The purpose of developing practical solutions to challenges and control gaps is to decrease risk and build a more efficient organization, which will lead to increased profit. Internal auditing entails more than simply “ticking the boxes.” Keep track of previously identified control issues and follow up on them to ensure prompt and adequate solutions. When concerns are discovered, management must take the necessary corrective action to resolve the problem. This could include everything from individual transactional corrections to policy, procedure, and practice changes, as well as retraining staff if necessary. Prior issues should be followed up on by an internal audit to ensure that appropriate, effective, and long-term corrective action has been performed.
It is critical that the internal audit function has access to ALL business records as part of its daily responsibilities, which include following up on previous issues. Internal audit, for example, should have unfiltered access to and evaluate all of a mortgage company’s data if it operates in 20 jurisdictions and has been investigated by numerous state authorities. Internal auditing information is filtered, indicating a lack of transparency. The goal of an internal audit function is to give independent and objective assurance to management that processes and controls address the company’s principal risks. Regulatory bodies and investors will raise red flags if you don’t provide complete documentation.
Report findings to Executive Management or the Board of Directors so that they are aware of the situation and can oversee the remedial process. To ensure that all key findings are conveyed to the Board of Directors, audit reports that include the scope, objectives, findings, and management’s action plan for rectification should be provided to executive management and summarized for the board of directors by the Chief Audit Executive. Executive management and the board of directors are expected to exercise active oversight and ensure that proper repair is carried out. Meeting minutes should include a discussion of the internal audit issues raised, the measures taken in response to those issues, and any additional actions that may be required.
EXPECTATIONS OF THE CFPB
As a result of the CFPB’s regulatory scrutiny operations, many private mortgage companies are now placing a greater emphasis on internal audits. The CFPB expects the entities it regulates, including depository institutions and non-depository consumer financial services companies, to design and maintain an effective Compliance Management System (CMS) to ensure that compliance policies, procedures, and internal controls are in place. Internal auditing is a prerequisite for a CMS to function properly. The CMS describes how a supervised entity establishes compliance responsibilities, communicates those responsibilities to employees, ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes, reviews operations to ensure that responsibilities are carried out and legal requirements are met, and takes corrective action and updates tools, systems, and materials as needed. Four interdependent control components make up an effective CMS:
Why Mortgage Audits Online company?
Mortgage Audits Online is one of the few companies capable of handling audit reports on a big scale such as a company’s internal audits. Our team of professional can help company’s carry out a thorough audit to find out if there is misappropriate acts going on within the organization.
We can also help the company look into their mortgage loan accounts to ensure it is fraud-free. Contact us today and you won’t regret it.
Please visit Mortgage Audits Online below.