As published in Mortgage Compliance Magazine, November 2018
Accurately defining your risk using a proven methodology can help ensure you are making the best use of your audit dollars. A risk assessment is the basis of an efficient and cost-effective internal audit plan. Areas that pose the most risk to the organization should be audited more frequently, typically annually, while areas posing less risk to the organization can be audited every other year or even every third year depending upon management’s risk appetite. An accurate risk assessment allows you to focus your audit efforts on higher risk areas.
The risk assessment process begins with the identification of inherent risk and then considers the adequacy and maturity of policies, procedures, and internal controls to mitigate that risk and define residual risk. The frequency and scope of internal audit testing is based on the level of residual risk posed by the audit area and an understanding of whether that risk is increasing, stable, or decreasing.
Risk Assessment Methodology and Risk Ratings
The risk assessment process is best performed by someone with a thorough understanding of the mortgage industry and comprehensive internal audit experience. The assessment process should consider the matrix in Figure 1 above.
Once completed, the risk assessment and assigned risk ratings are used to develop a multi-year internal audit plan. Management should also use the risk assessment to determine an action plan to address any higher risk areas identified. When an area is rated higher risk, management should ask what mitigating controls should be implemented and whether procedures or systems need to change to lower risk and reduce operational losses and audit costs over time.
Assessing risks of an organization is an ongoing process. The risk assessment and audit plan should be reevaluated at least annually and whenever significant changes occur in the organization.
Internal audit is required by federal and state regulators, as well as government sponsored enterprises. Moreover, it is an effective management tool that helps to reduce operational errors, deter fraudulent activity, assess compliance with regulatory requirements, and optimize operational efficiency. CrossCheck Compliance has the experienced, trained, and certified resources that you need to evolve your internal audit activities. Let us help you!