Internal Audit - Policies and Procedures

Question:

How do I know if my internal audit policies and procedures are meeting federal and agency requirements?

Answer:

 

Fannie Mae recently released several checklists as part of their Seller/Servicer Risk Self-Assessments, and Internal Audit was one of the checklists that was included. Internal audits are an important risk mitigation tool that uncover operational inefficiencies and potential areas of risk within a lender’s organization. For that reason, it is important for seller/servicers to know that their Internal Audit policies and procedures satisfy federal and agency requirements and are effective for identifying risk.

 

According to Fannie Mae, the following is a list of requirements for an internal audit self-assessment checklist.

  • Internal Audit and management control policies and procedures are in place to evaluate and monitor the overall quality of loan production and the effectiveness of operations.
  • An internal audit process must be independent of all key functions of the loan manufacturing process and the servicing processes.
  • The internal audit function must report directly to the seller/servicer’s senior management and/or board of directors. Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions. In those situations, the seller/servicer’s audit plan must include the rationale for the lack of separation, and the controls in place to mitigate the risks associated with the lack of separation of these functions.
  • The internal audit lines of reporting must reflect the independence of the audit process at all levels, resulting in activities that are conducted in an unbiased manner and without quality compromises resulting from internal influences and/or conflicts of interest.
  • The internal audit function must not share any reporting lines with the functional areas that it reviews.
  • Internal audit procedures must be consultative, so that they help the seller/servicer accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
  • Internal Audit Director/Manager is free from responsibility over any business units.

Fannie Mae also included several recommended checklist items for seller/servicers reviewing or implementing new internal audit policies and procedures. In addition to publishing a checklist for developing Internal Audit Policies and Procedures, Fannie Mae also regularly conducts reviews to evaluate compliance with its guidelines and to assess operational risk. The Risk Self-Assessment also included common findings when internal audit policies and procedures are reviewed by Fannie Mae, as well as a list of required documentation for MORA reviews.