Blog Index
The journal that this archive was targeting has been deleted. Please update your configuration.

Developing An Internal Audit

With the kids starting school last week, we got a harsh dose of reality that summer is winding down and cooler temperatures will soon be with us.  Recently while in Cleveland performing an internal audit on a wholesale mortgage banker, we decided one night to catch a few innings of Indians baseball.  Progressive Field in ClevelandThe night was warm and too nice to stay inside the hotel.  The picture to the left was taken as the sun was setting and rain clouds were rolling in.  Warm thunder and lightening soon followed.  Beautiful stadium with a gorgeous backdrop and the tickets, hot dogs and beer was about half the cost of what we pay at a Giants game.  Can’t wait to go back. 

When we think of internal audits, we may think back to movies we’ve seen where a law enforcement department is under investigation from “internal affairs” for inappropriate behavior or illegal activities.  The police may consider these internal auditors intrusive and a “detached breed” that really don’t understand the actual inner workings of the job and the corresponding tasks.  They may be seen similarly to an IRS auditor; just wanting to make a bust and working to justify their job.  The police on their beat trying to keep the city safe may understand the police department’s policies and procedures, but may adjust and adapt according to the situation at hand.  In the end, policies and procedures may be breached with risk of serious reprisals, but the job gets done.  

However a breach can have serious consequences.  Breaches of policies and procedures can result in serious reprisals such as lawsuits or criminal violations. In addition, the more these policies and procedures are breached the process may go down a slippery slope whereby other employees deem these violations a modus operandi, escalating further violations.  Wrong behavior becomes right. 

In the end, employees within any enterprise need to understand the coral they can work and maneuver in.  They need to know someone is monitoring them to ensure they are working within the coral and are accountable if they jump outside the coral.  Internal audits help to assess whether the enterprise’s current policies and procedures are adequate and meet industry standards.  The audit also assesses, through testing, if employees are adhering to the polices and procedures.  

Audits should be performed by internal employees that are not performing the actual tasks or by independent auditors with broad based industry experience.  The end result of an internal audit is to identify risks and develop a plan to mitigate the risks.  Work flow process weaknesses, flawed polices/procedures and employee inappropriate behavior can all result in increase risks, potential reprisals and/or monetary penalties.

In the last 12 months, we’ve seen in increase in awareness by many mortgage bankers to develop an internal audit program.  Many mortgage bankers have been requested by the GSEs or by their board of directors to conduct internal audits to assess risks and to develop appropriate plans to mitigate risks.  Let’s look at the key components of developing an internal audit program. 

  • Areas to Review:  The first requirement is to identify the company’s areas of risks.  Mortgage banks have many areas and departments that have risks.  For example, quality control, secondary market and loan servicing are critical areas of a mortgage bank that should maintain written policies, procedures and controls to ensure employees perform their task in a compliant and best practice manner.  
  • Level of Risks:  After identifying risk areas, what is the degree of risks and how does the auditor prioritize the review?  Management and the auditor may develop an assessment tool to determine the degree of risk and develop the schedule of review based on the risk.  For example, if management considers quality control or secondary market high risk, those areas should be reviewed first.  
  • Internal Audit Scope:  The auditor must develop a scope document to perform the audit.  A scope document should include an assessment of the policies, procedures and controls of the area under review.  The assessment should include a gap analysis comparing the policies, procedures and controls to external counter party requirements and industry best practices.  The scope document should also include management and employee interviews to ensure there is an understanding of the policies, procedures and controls.  Finally, the auditor should perform testing to ensure what is in writing and stated by employees is actually happening.  The testing uncovers the true weaknesses and risks of each area.  
  • Memorialized Findings:  The auditor should memorialize the findings, including an executive summary that is presented to the board of directors and/or the owner.  The written report should identify areas of risks and recommend appropriate action plans to address and mitigate risk 

C. Watts believes the internal audit is not a “box checking” process and should be performed by an experienced professional that has broad knowledge of all aspects of a mortgage banking operation.  Identifying and addressing the risks with appropriate action plans to reduce and mitigate those risk internally is much more pleasant than waiting for the CFPB, a state regulatory agency or one of government agencies to uncover those areas of risk during an audit.


C. M. "Corky" Watts, CMB                                               Cameron Watts, CMB     
408.497.3135                                                               415.722.0369