The Internal Audit Process: What Mortgage Companies Should Expect

Internal audits are an important part of every company’s operations because they independently examine how well an organization is positioned to handle risks. Specifically, they evaluate the existing controls and how well those controls are mapped to external and internal risks. Typically, the reports are submitted to the Board of Directors or the C-Suite to ensure the independence of the audit and provide visibility into the existing gaps. Given this important role, we will take a detailed look at the internal audit process geared specifically for the mortgage industry, as it faces many risks in today’s business environment.
What Is an Internal Audit in the Mortgage Industry?
The mortgage industry is facing increased government scrutiny and higher risks. Internal audits help identify gaps and improve the security posture while meeting compliance requirements.
Definition and Goals of Internal Auditing
An internal audit is a structured and independent review of your organization’s controls, processes, and operations. The goals of an internal audit are to:
- Check if the organization complies with all regulations.
- Identify and remediate risks.
- Evaluate the effectiveness of controls.
- Examine documents and records.
These internal audits are conducted by the internal team, or organizations may hire a third party for a more independent approach.
Regulatory Pressures (CFPB, HUD, Fannie/Freddie Guidelines)
Another unique aspect of the mortgage industry is that it is under intense scrutiny from federal agencies. A lot of this oversight, from bodies like the Consumer Financial Protection Bureau (CFPB), the Department of Housing and Urban Development (HUD), and state housing regulators, came into effect after the 2008 financial crisis. This is why internal audits can be critical for the mortgage industry.
Why Internal Audits Are Critical for Mortgage Companies
Companies in the mortgage industry have multiple operational aspects, and it is easy to overlook any of them. Issues like inconsistent documentation, loan-level errors, failure to protect data privacy, and policies that don’t comply with the latest regulations can lead to fines and penalties. A well-conducted internal audit can reduce this non-compliance. Additionally, it can identify and fix gaps and build trust with stakeholders.
Key Areas Internal Auditors Review
Internal audits can cover many areas of operations. To make them more effective, it’s important to keep the focus on the key areas, like the following:
Loan Origination & Underwriting Practices
Underwriting practices are among the processes that regulators watch closely. In this area, auditors verify how borrower applications are received and processed, whether the income and credit data are correctly documented, and whether the decisions made based on this data are backed by organizational guidelines. In particular, they check the accuracy of the Loan Estimate (LE) and Closing Disclosure (CD), as required by TRID.
Loan Servicing and Escrow Management
Auditors verify the accuracy of escrow account calculations and the documentation processes of loan servicing and modifications to see if they meet the regulatory requirements. They also check if notices and statements are sent to the respective stakeholders within the required timeframe.
Regulatory Compliance (RESPA, TILA, ECOA)
Since the mortgage industry has to comply with a long list of regulations, auditors examine the process and accuracy of:
- Truth-in-Lending Act (TILA) disclosures,
- Real Estate Settlement Procedures Act (RESPA) timelines,
- Equal Credit Opportunity Act (ECOA) requirements related to sending notices and evaluating loan decisions.
Fair Lending Practices and Anti-Discrimination
Auditors evaluate if the mortgage companies use fair lending practices and do not discriminate when making loan disbursement decisions. To this end, they verify loan pricing disparities by age, race, gender, and geography, along with denial rates and any adverse action notices.
Financial Reporting and General Ledger Accuracy
Internal auditors help reconcile loan balances with the general ledger. They can also help with bank reconciliations by identifying items that fall under revenue, like loan fees and gain-on-sale. Such reconciliations and checks ensure that the organization does not violate GAAP standards.
Cybersecurity and Data Protection (GLBA Compliance)
Another key area in today’s operations is cybersecurity. Auditors verify if the mortgage company meets the requirements of the Gramm-Leach-Bliley Act (GLBA). This includes data access controls, encryption policies, and incident response plans to mitigate the impact of cyberattacks.
With the help of independent auditors, mortgage companies can plug the gaps across these areas to ensure compliance and improve their operational efficiency.
The Internal Audit Cycle: Step-by-Step
The internal audit cycle can vary greatly based on the regulations that must be followed, the scope of operations, geographical coverage, and the goals of the audit. That said, the following broad steps are a part of every audit and can improve the audit’s outcomes.
Step 1 – Risk Assessment and Planning
Every audit starts with a risk assessment, where auditors evaluate the high-risk areas, past audit findings and the actions taken on them, regulatory requirements, and notices or lawsuits against the company, if any. Based on these factors and the goals of the audit, the auditor creates a plan, which includes the audit scope and timelines.
Step 2 – Internal Control Evaluation
After creating the plan, the next step is to verify your internal controls. Auditors check if they map well to your internal and external risks, and if they are designed and implemented to identify and mitigate the existing risks. This process can also check whether the roles and responsibilities are clear for employees and if the key functions like origination and approval are distinct.
Step 3 – Fieldwork and Evidence Gathering
This is the most intensive part of the audit, as this is where the auditors will review loan files and financial data. If required, they will test specific samples and documentation to evaluate the accuracy of your processes. For cybersecurity, they can also check logs, emails, system access reports, and more. At the end of this step, the auditors will have enough evidence to support their findings.
Step 4 – Reporting and Issue Documentation
Once the findings are finalized, it’s time to document them and generate a detailed report for the concerned authorities. This report will be backed by evidence and can also provide a list of recommendations for improvement. The report should be clear, factual, and provide sufficient detail for management to understand the issues and their implications.
Step 5 – Management Response and Remediation Planning
Management is expected to respond to audit findings, often by developing a remediation plan or Corrective Action Plan (CAP). Depending on the audit scope, the auditors may work with management to create the CAP, set reasonable guidelines for it, help identify the responsible parties, and follow it up with an assessment of its implementation. Auditors may assist in this process, but management is responsible for implementing corrective actions.
Step 6 – Follow-Up and Ongoing Monitoring
Finally, auditors can follow up on the progress. Some auditors even provide training if required.
When executed well, these steps identify and close the compliance gaps while boosting your productivity.
What Mortgage Companies Should Prepare Before an Audit
Before an audit begins, mortgage companies must also prepare for it to ensure a smooth and fruitful outcome. Some areas to prepare are:
Policies & Procedures Manuals
Check if you have manuals for loan origination, servicing, escrow, and decision-making. It’s always good to have documents that lay down the policies and procedures involved. Incomplete or unavailable manuals are a red flag, so check with the auditors on the next steps to create them.
Loan Files and Documentation (TRID, HMDA, LE/CD docs)
Besides manuals, keep the documentation ready for your key activities, like loan estimation, closing disclosure, HMDA demographic data, credit reports, and income verification for every applicant, and underwriting notes. These files are necessary to ensure compliance with different legislation.
IT Access Logs and Data Controls
Auditors are likely to ask for IT-related logs and data controls, especially if cybersecurity is within the audit scope. Keep your system access logs, password change policies, vendor due diligence records, encryption logs, and anything else related to IT controls ready.
Training Records and Compliance Certifications
Training is mandatory under some regulations, and it’s important that you maintain records of the training imparted to employees. Also, keep attendance records and course materials ready for TILA, ECOA, and AML. Auditors may also look for evidence that training is ongoing, that employees are tested or certified, and that there is a process for updating training in response to regulatory changes.
Financial Statements and Internal Reports
Gather financial statements, like year-end financials, budgets, and their corresponding actual reports, trails for ledger entries, and any other financial records that can improve the audit’s accuracy and speed.
Prior Audit Findings and Resolution Logs
Lastly, collect the audit findings of previous years and any logs or documentation that show that the identified gaps were addressed. To this end, collate tickets and their statuses, documentation of remediation actions, follow-up audits, and any other evidence in this regard.
Centrally store these documents and provide access to the concerned auditors to view these files. Such proactive collection of documents can save time and make the audits smooth and effective.
Common Internal Control Weaknesses in Mortgage Lending
Mortgage lending businesses are complex because they involve strategic decisions based on multiple parameters. Since these decisions can involve personal bias or may not follow all regulatory processes, internal audits can help find these gaps. Specifically, the following weaknesses can be identified in an audit.
Incomplete Loan Documentation
Loan documentation can be incomplete due to oversight. Missing signatures, wrong dates, or a lack of supporting documents can trigger legal action.
Poor Data Segregation or Role Management
An often overlooked aspect is cybersecurity, as it does not fall into the traditional mortgage lending process. However, security is a key aspect of businesses today, as documents are collected and processed digitally. Failing to streamline access, or allowing unauthorized approvals, can lead to fines and penalties.
Inadequate Escrow Handling
Escrow handling is the process where an independent third party holds funds or assets on behalf of two or more parties. Errors in the holding amount or untimely disbursements can violate RESPA rules.
Untimely Financial Reconciliations
Reconciliations are a common process, as there can be discrepancies in bank accounts and the accounts maintained by the company. However, these reconciliations must be done regularly to prevent misrepresented financial statements.
Non-Compliance with Annual Training or Reporting
Organizations must have current training certificates and annual compliance attestations. If these are missing or expired, your company can attract penalties from regulatory bodies.
Auditors can identify these different control weaknesses in your organization and can provide recommendations to rectify them. This way, you can avoid the penalties that come with non-compliance.
Regulatory Bodies and Frameworks Auditors Reference
Depending on your area of operations, geographic boundaries, and the nature of your business, you will have to comply with different regulations. For example, if you have operations in California, CCPA is applicable to your business. Besides such geo-specific regulations, here are the others that apply to all mortgage businesses.
CFPB Guidelines
The Consumer Financial Protection Bureau (CFPB) ensures that all customers have access to financial products in a fair, transparent, and competitive manner. For mortgage companies, it translates to fair lending, mortgage servicing without any discrimination, and transparent policies that can be audited at any time. Violation of these guidelines can result in severe enforcement actions.
HUD/FHA Requirements
The Department of Housing and Urban Development (HUD) is a federal agency for housing, while the Federal Housing Administration (FHA) is a sub-agency of HUD that’s responsible for mortgage insurance. HUD also enforces the Fair Housing Act. While HUD’s regulatory role predates the 2008 crisis, the aftermath saw increased scrutiny and new rules, particularly around fair lending, anti-discrimination, and the origination and servicing of FHA-insured loans. HUD also oversees Ginnie Mae, which guarantees mortgage-backed securities. Internal audits should assess compliance with HUD’s evolving requirements, especially for companies involved in FHA lending. Together, these agencies strive to make housing affordable for all, including those who cannot access traditional loans.
Mortgage companies must meet the insurability criteria laid down by these federal agencies. They must also establish quality control standards and ensure the accuracy of the data on which decisions were made. These documents, as well as communication letters sent to mortgagees, must be maintained for audit. These aspects are checked by auditors to ensure compliance.
Freddie Mac / Fannie Mae Seller-Servicer Guides
Fannie Mae and Freddie Mac are GSEs that purchase and guarantee mortgages. While not regulatory agencies, their guidelines for loan origination, underwriting, and servicing are de facto industry standards. Lenders must comply with these guidelines to sell loans to the GSEs. After the 2008 crisis, both entities were placed under federal conservatorship, and their requirements have been updated to reflect heightened risk management and compliance expectations. Internal audits should verify that company practices align with current GSE guidelines to ensure market access and avoid repurchase risk.
Bank Secrecy Act & Anti-Money Laundering (AML)
The BSA and AML are designed to safeguard your organization from fraudulent customers and those who are on the global watchlists. Also, complying with these rules can help identify transactions that are used for financing banned activities. Auditors test for compliance with these provisions.
SOC 1 / SOC 2 Reports and IT Security Standards
SOC compliance is related to security and controls. Complying with these standards can safeguard your organization from security threats. Auditors check if the existing IT controls are compliant with SOC requirements. Also, if you outsource data to third-party vendors, auditors request reports from those vendors to evaluate their security posture.
Besides the above important regulations, companies may also have to comply with SOX, GDPR, and other regulations based on the specific country of operations.
Benefits of a Well-Executed Internal Audit Program
A well-executed audit program goes beyond just checking compliance with regulatory standards. It can improve the overall efficiency of your operations, safeguard your assets from threats, mitigate risks, and more.
Risk Mitigation and Regulatory Confidence
A comprehensive audit will examine your controls against the likely internal and external risks facing your organization, and fixing the identified vulnerabilities can help you to mitigate the losses from these risks. This proactive approach to risk management can help meet compliance requirements as well. As a bonus, it can also build trust with oversight agencies.
Reduced Penalty Exposure and Legal Costs
When an internal audit identifies compliance gaps, you can fix them right away before an external audit. These efforts will reduce penalties and the associated legal costs.
Increased Operational Efficiency
A thorough audit will identify process inefficiencies, redundant tasks, and other aspects that are draining the productivity of your workers. With this data, you can implement automated workflows and improve processes to boost the overall operational efficiency.
Stronger Corporate Governance
Auditors create and submit reports that contain the findings of their work. These reports are often submitted to the top executives and the board, so they will have visibility into operations and existing gaps. Accordingly, the board can direct the concerned departments to implement controls, resulting in stronger corporate governance.
Better External Audit and Examination Outcomes
Internal audits set the stage to boost the outcomes of external audits. Many times, the audit process doesn’t change, except that the findings are used by the organization to address the problems. As a result, the organization can have better external audit outcomes.
Regular internal audits can bring enormous operational and financial benefits for organizations, and hence must be an essential part of your operations.
Best Practices for Audit-Ready Mortgage Companies
Audit processes can vary among industries because of the changing regulations and processes involved. For mortgage companies, the following best practices can make any internal audit more effective.
Maintain a Live Audit File (Always Be Ready)
It is always a good practice to maintain a live audit folder containing policies, system logs, training details, compliance certificates, past audit reports, evidence for audit trails, and more. Such a centralized storage can ease the audit process for auditors and your internal teams.
Regulatory agencies (such as the CFPB, FHA, and state banking departments) expect mortgage companies to maintain comprehensive and organized records to demonstrate compliance with lending, disclosure, and anti-fraud requirements. Centralized documentation supports this expectation and facilitates timely responses to audit requests.
Conduct Internal Spot Checks Monthly/Quarterly
Create a schedule where you conduct internal spot checks once a month or quarter, as this will help identify issues early. Findings from these checks must be integrated into your ticketing system to ensure they are fixed, well before internal audits start. While the frequency (monthly or quarterly) may vary based on company size and risk profile, the practice of ongoing monitoring and formal issue resolution is consistent with regulatory expectations for internal controls and risk management.
Assign Clear Roles and Responsibilities
An often overlooked aspect is assigning clear roles and responsibilities to employees. Provide clear instructions to employees on what is expected of them before, through, and after an audit. Also, provide a clear owner for each task, like preparing documents, gathering documents, implementing access controls, tracking tickets, and more. Such clarity boosts confidence and reduces gaps.
Document Everything – If It’s Not Documented, It Didn’t Happen
In auditing, documentation is everything. Create a culture where everything is documented and stored in a secure place. Such a practice can come in handy for all kinds of audits, and also to back up your decisions and practices.
Use a Qualified External CPA for Oversight
Lastly, use a qualified external CPA over an internal team, as this auditor can provide an independent review of your operations. They will be an extra pair of eyes and can pore over your processes, drawing on their experience.
With the above best practices, your internal audits can be highly useful for securing your future.
How Manay CPA Supports Internal Audit Readiness
Manay CPA is an experienced CPA firm that has many years of experience providing internal audits for a wide range of industries, including mortgage companies. Its audit processes are thorough, and the reports are detailed, all of which add value to your organization. It can also improve your internal audit readiness in the following ways.
Process Mapping & Internal Control Reviews
Manay CPA identifies existing controls and maps them with your organization’s processes to help improve your operational efficiency. It can also identify gaps and strengthen compliance before external audits.
Financial Reconciliation and Reporting Support
One of the strengths of this firm is its solid accounting base. This means it can handle financial reconciliation, check for the accuracy of ledger entries, and even perform loan-level reporting to avoid misstatements. All these can boost compliance while building trust with regulators and other stakeholders.
Documentation Audits and Remediation Guidance
Its experienced team reviews every single document, including policies, procedures, and historical findings. Accordingly, it builds a remediation plan and offers guidance on how you can bridge the gaps. Its team even follows up on the implementation and supports you in every way to streamline operations.
Ongoing Consulting for Compliance with CFPB/FHA/State Regulators
With Manay CPA, internal audits are an ongoing process that will ensure continuous compliance with TRID, HMDA, ECOA, state licensing rules, and other privacy-related regulations. By partnering with Manay CPA, you are always abreast of the changing regulations and their impact on your operations.
Book a Free Consultation
Internal audits can offer enormous benefits, provided they are well structured and executed. Manay CPA is your go-to firm for internal audits because of the extensive experience and expertise of its teams. A keen eye for detail and a thorough understanding of regulations make them a preferred partner for any mortgage company.
Book a free consultation today to explore ways to leverage Manay CPA’s expertise.
Published on: 27 August 2025
Last updated on: 27 August 2025

Manay CPA is a reputable, full-service CPA firm based in Atlanta, Georgia. Founded in 2001, we provide comprehensive accounting and tax solutions to individuals and businesses across all 50 states.