Audit Fundamentals Policy Manual

Audits are a part of every lending institution's reality. Audits, also called examinations, may be conducted by a lender's internal audit team, by external CPA firms, or by any of the GSEs, government lenders, or regulatory agencies with which a mortgage lender does business. Lending organizations will fare better if they are prepared internally, know what to expect, and know how to manage the audit process.


This document provides practical guidance for preparing for audits and for managing through the process, as well as useful references and links to industry guidance from the Consumer Financial Protection Bureau (CFPB), the Federal Financial Institutions Examination Council (FFIEC), the American Institute of CPAs (AICPA), and the Institute of Internal Auditors (IIA).

There are nine sections in the Audit Fundamentals Policy Manual:

  • Introduction
  • Accountability and Monitoring
  • Staff and Training
  • The Audit Process
  • Types of Audits
  • Audit Preparedness
  • Working with Auditors
  • Managing the Audit
  • Resources


The policy features the following benefits:

  • Supports strong operational practices and preparedness
  • Explains roles and responsibilities
  • Explains what to expect and how to work with auditors
  • Provides practical guidance for managing the audit process from within
  • Features an audit tracking spreadsheet as an optional tool

Optional Services

Maintenance: Receive regular and ongoing industry updates to keep your policy within regulatory requirements.

Publishing: Publish your manual, including your company procedures, in AllRegs Online to complete your policy manual solution.

Contact your account manager for information regarding these optional services!

Policy Manual
Audit Fundamentals
| Section | Title | Priority | Action |
|---|---|---|---|
| 1.1 | Goals and Objectives | Mandatory Review | Include the point of view or culture of your organization in this section, if applicable. |
| 1.2 | Required Review | Mandatory Review | Be sure this accurately reflects your company’s annual policy review process. |
| 1.4 | Roles and Responsibilities | Recommended Best Practice | Revise this if you use a different position title or assignment to indicate the responsible single point of contact for your organization during the course of an audit. |
| 2.1 | Internal Controls | Mandatory Review | Include or reference related procedures in this section. |
| 3 | Staff and Training | Mandatory Review | Include the means by which your organization provides and tracks required training. |
| 5.3 | Regulatory Audits | Mandatory Review | Modify this section to identify your expected regulatory audits. For example, you may not need references to all the government entities. |
| 6.2 | Pre-Examination Requests | Optional Enhancement | You may need to amend this to indicate the approval level or other specifics of your documented library of board-approved policies. |
| 6.3 | Service Organization Control Reports | Optional Enhancement | This section assumes you regularly obtain SOC reports from your third-party service providers. Any variance to this should be amended here. |