    Distinguishing Between a Real Internal Audit and an ‘Imitation’

    As published in Mortgage Compliance Magazine by Chris Ortigara, August 2017

    As independent mortgage companies continue to enhance their governance structures, they may look to outside resources for internal audit support. Though some believe only large companies need an internal audit function and smaller entities could combine internal audit with other compliance/review functions, the times may be changing. An effective internal audit function is front and center with secondary market investors and regulators alike. The cost of implementing a function, misinformation, and a perception that checking the box is good enough sometimes lead to ineffective implementation. So, what are the key considerations?

    1) Begin your conversations about internal audit with internal audit professionals. The Certified Financial Services Auditor (CFSA), Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), and Certified Public Accountant (CPA) are the professional designations for internal auditors. Deep understanding of internal audit concepts and standards coupled with mortgage industry expertise is critical in establishing a function that provides constructive input to management in evaluating its operations.

    2) Who sets internal audit standards? Don’t the regulators and investors describe them in detail? Not really. Many lenders are looking for answers in the wrong places. The International Institute of Internal Auditors (IIA) is considered the authority on internal audit and sets standards of practice for the profession. The regulatory agencies and large private investors may refer mortgage companies to the IIA for detailed guidance.

    3) What’s all this talk about “lines of defense”? The “three lines of defense” is a governance model adopted by many high-performing organizations. The first line comprises the front office and operations functions, where risk is managed through policies, proper execution, and monitoring. The second line is an oversight function and includes risk management and compliance. Internal audit is the third line of defense and should be independent of the first and second lines. The third line audits the first and second lines.

    4) What is the internal audit process? A certified internal auditor will assess a company’s credit, compliance, operational, financial, reputational, and strategic risks. It will cover the mortgage process from originations through sale to the secondary market and include areas such as accounting, information technology, and other operational functions. The assessment will rank identified risks as high, moderate, or low, and will identify areas requiring substantive testing to determine whether the company’s established policies and procedures are operating as intended and controls are sufficient to protect the company from misappropriation of assets, inadvertent errors, fraud, or non-compliance. A consistent, disciplined process is a hallmark of an effective internal audit function.

    5) What is the audit? Neither the plan nor the risk assessment is the actual audit. The risk assessment generally serves as the basis of the internal audit plan. Often a multi-year plan is developed and the highest risk areas are audited first and most often; lower risk areas might be audited every two or three years. Risk assessments may be refreshed annually or as needed. Planned audits are scheduled throughout the year depending on urgency, staff availability, and risk, and are coordinated with scheduled regulatory examinations.

    There is no substitute for an experienced and credentialed internal auditor — ideally with mortgage expertise. CrossCheck’s work has withstood regulatory review; we follow IIA standards and employ auditors with mortgage experience and recognized designations.

    Category: Internal Audit
