QUESTION
Although approved by Fannie Mae, we have not set up an internal audit schedule. This issue came up in a recent discussion with our Fannie representative. They want us to be ready for the MORA audit, and the audit schedule is going to be required. We haven’t even done an internal audit yet. This got us thinking about what we don’t know for preparing for the MORA visit.
We know your company is well-known for independent risk assessments and self-evaluations, which are called the Compliance Tune-up®. I spoke to one of your Directors this morning about several of them that could help us get prepared for the Fannie audit. We need to know which policies and procedures will be reviewed, and we need to know so much more. Our first MORA audit is coming soon. So, we’re somewhat intimidated.
I am the compliance manager. I have never handled a MORA audit before. And I have never been involved in an internal audit. I need some guidance about what Fannie expects for internal audits and a “heads-up” for their requirements.
· What are Fannie’s expectations for internal audits?
· Can you please provide a “heads-up” for the internal audit requirements?
· What have you found that shows your clients were not prepared for an internal audit?
SOLUTION
Compliance Tune-up® List
MORA Tune-up® Fannie's Mortgage Origination Risk Assessment (MORA)
CMS Tune-up® Compliance Management System
RESPONSE
Anyone who has an interest in our Compliance Tune-up®, in general, or our MORA Tune-up®, in particular, can contact us here. The Compliance Tune-up® is an extensive series of mini-audits that targets departments, functions, and regulations. It is a self-identification and risk assessment review that complies with the second line of defense.[i] The review provides a report and risk rating. It shows the strengths and weaknesses of the area subject to review.
Fannie Mae conducts regular reviews to evaluate seller/servicer compliance with its guidelines and assess operational risks. Reviews are conducted by a team that operates independently of the Business Account Management Solutions team.
You will need to establish an independent internal audit function. During the MORA process, Fannie Mae examines the lender's internal audit plan and the latest independent internal audit. A financial institution may outsource its internal audit process; however, it remains responsible for the findings that show compliance (or lack thereof) with Fannie's requirements.
An internal audit is the central feature of the third line of defense. From Fannie’s perspective, management control is itself a function. Indeed, establishing a professional internal audit activity should be a governance requirement for all organizations.
Management is supposed to rely on the internal audit to validate a financial institution’s governance, risk management, and control processes to help it achieve strategic, operational, financial, and compliance objectives. This compliance framework is meant to ensure a risk-based approach, and the internal audit function evaluates and improves the effectiveness, exigencies, and readiness of risk management, control, and governance processes.
We believe the following outline provides the guardrails and requirements of an internal audit. It would be best if you considered them collectively so that you prepare adequately for the development of this function. In other words, don’t cut corners. Be sure you comply with all these criteria.
Internal Audit Function: Guardrails and Requirements
· Be sure that the internal audit manager is free from any responsibility over any business unit.
· Be sure the internal audit is independent of all key functions of the loan origination and servicing processes.
· Draft internal audit and management control procedures for evaluating and monitoring the overall quality of loan production.
· Ensure that your organization chart shows that the internal audit function reports directly to the senior management and, if applicable, the Board of Directors. (By the way, we know from experience that Fannie will permit exceptions in situations in which the size of the organization is insufficient to support adequate resources to allow for the separation of these functions. In those situations, your audit plan must include the rationale for the lack of separation and the controls in place to mitigate risks associated with the lack of separation of these functions.)
· Be especially careful that internal audit lines of reporting reflect the independence of the audit process at all levels so that the activities are conducted in an unbiased manner and without compromises that may result from internal influences or conflicts of interest.
· Be especially careful that the internal audit function does not share any reporting lines with the functional areas that it reviews.
· Create a reliable and scalable reporting procedure to ensure that the written findings provide methodologies that derive recommendations that management can use to accomplish actionable objectives through a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Adverse Findings and Required Document Preparation
There are a few other things I would like you to consider. I’ll get to them in a moment. You had asked about how some clients show that they are not ready for an internal audit. By this point, I think we’ve seen just about everything there is to see about internal audit findings and preparation. However, most challenges can be overcome if you have robust plans.
We have an extensive database of common findings from independent internal audits and Compliance Tune-up®. I have picked seven of them that I think are virtually non-negotiable.
Adverse Findings
1) There is no comprehensive written plan to direct the internal audit process across all loan manufacturing and servicing business functions.
2) There is no internal audit function.
3) MBS Trust compliance is not included in the internal audit review plan and testing.
4) The internal audit process has not been initiated.
5) There is no internal audit function that is independent of the business functions subject to review.
6) An internal audit schedule has not been established to specify the areas of review, and there’s no timeframe for conducting them.
7) The internal audit plan does not include all required components.
Required Document Preparation
Each financial institution differs and is unique in terms of size, products, services, complexity, risk profile, and business strategy. Keep that in mind as I outline the document preparation needed to be ready for a MORA review. You can tighten up preparation by using the appropriate Compliance Tune-up® tool, such as a MORA Tune-up® or a CMS Tune-up®.
A Compliance Tune-up® report provides recommendations indicating what should be done now and in the future to ensure readiness, but you can’t undo mistakes of the past. Willingness to correct errors, however, is a sign of good management and governance. So, it would be best if you got ready immediately to prevent a lookback that discloses unmitigated adverse findings.
· Organization chart reflecting the internal audit department.
· Internal audit policies and procedures.
· Current year’s testing schedule and internal audit plan.
· Current year’s Compliance Tune-up®. (Second Line of Defense).
· Current year’s independent internal audit. (Third Line of Defense).
· Ability to identify any significant findings for the past 12-month period.
· Management and tracking reports for monitoring performance in operational areas.
Words to the Wise Should Be Sufficient!
I stated above that there are a few other things I want you to consider. I list them in no order of importance because they are all equally important. Let’s group these remarks in the category of “words to the wise should be sufficient!”
· An internal audit plan should be risk-based, updated annually, and include a review of all controls and key functions in each origination and servicing department.
· Applying a risk rating for each key process area of the originations and servicing platforms is critical to implementing a continuous internal audit schedule.
· A second line of defense review, such as the Compliance Tune-up®, should be initiated for specific departments, functions, and regulations in anticipation of performing the internal audit. (This ensures that the internal audit, the third line of defense, may present accurate and reliable findings.)
· A process should be in place to define the scope and frequency of audits to be performed based on the specific risk rating for all key functions. (This ensures that the functions that represent the highest risk are audited on at least an annual basis.)
· An internal audit schedule should be in place, reflect current activity, and be reviewed on a regular basis to incorporate any emerging risks in operational areas.
· Adverse internal or external audit findings pertaining to key functions or regulatory compliance should be reviewed by the audit committee for remediation.
· An established framework for interaction between internal audit functions, business units, and management exists to ensure open communications regarding risk and control management, including the adoption and implementation of self-assessment methodologies.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
[i] Three Lines of Defense in Effective Risk Management and Control, Institute of Internal Auditors (IIA), January 2013. The Lines of Defense (LOD) model assigns and coordinates risk and control responsibilities across business functions.