As published in Mortgage Compliance Magazine by Chris Ortigara, August 2017
As independent mortgage companies continue to enhance their governance structures, they may look to outside resources for internal audit support. Though some believe only large companies need an internal audit function and smaller entities could combine internal audit with other compliance/review functions, the times may be changing. An effective internal audit function is front and center with secondary market investors and regulators alike. The cost of implementing a function, misinformation, and a perception that checking the box is good enough sometimes lead to ineffective implementation. So, what are the key considerations?
1) Begin your conversations about internal audit with internal audit professionals. The Certified Financial Services Auditor (CFSA), Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), and Certified Public Accountant (CPA) are the professional designations for internal auditors. Deep understanding of internal audit concepts and standards coupled with mortgage industry expertise is critical in establishing a function that provides constructive input to management in evaluating its operations.
2) Who sets internal audit standards? Don’t the regulators and investors describe them in detail? Not really. Many lenders are looking for answers in the wrong places. The International Institute of Internal Auditors (IIA) is considered the authority on internal audit and sets standards of practice for the profession. The regulatory agencies and large private investors may refer mortgage companies to the IIA for detailed guidance.
3) What’s all this talk about “lines of defense”? The “three lines of defense” is a governance model adopted by many high-performing organizations. The first line consists of the front office and operations functions, where risk is managed through policies, proper execution, and monitoring. The second line is an oversight function and includes risk management and compliance. Internal audit is the third line of defense and should be independent of the first and second lines. The third line audits the first and second lines.
4) What is the internal audit process? A certified internal auditor will assess a company’s credit, compliance, operational, financial, reputational, and strategic risks. The assessment will cover the mortgage process from originations through sale to the secondary market and include areas such as accounting, information technology, and other operational functions. It will rank identified risks as high, moderate, or low, and will identify areas requiring substantive testing to determine whether the company’s established policies and procedures are operating as intended and controls are sufficient to protect the company from misappropriation of assets, inadvertent errors, fraud, or non-compliance. A consistent, disciplined process is a hallmark of an effective internal audit function.
5) What is the audit? Neither the plan nor the risk assessment is the actual audit. The risk assessment generally serves as the basis of the internal audit plan. Often a multi-year plan is developed and the highest-risk areas are audited first and most often; lower-risk areas might be audited every two or three years. Risk assessments may be refreshed annually or as needed. Planned audits are scheduled throughout the year depending on urgency, staff availability, and risk, and are coordinated with scheduled regulatory examinations.
There is no substitute for an experienced and credentialed internal auditor — ideally with mortgage expertise. CrossCheck’s work has withstood regulatory review; we follow IIA standards and employ auditors with mortgage experience and recognized designations.