What are Fannie Mae’s internal audit requirements?

This question was written by Neil B. Garfinkel


As noted in Fannie Mae’s Selling Guide A1-1-01: Application and Approval of Lender, Fannie Mae requires lenders to have “internal audit and management controls to evaluate and monitor the overall quality of its loan production and/or servicing.”

As outlined in Fannie Mae’s Beyond the Guide, “an appropriate internal audit program should at a minimum include the following key elements:

• An independent reporting structure with direct report to senior management and/or the board of directors. There should be no shared reporting lines within the QC functional areas to be reviewed by the internal audit function.

• A risk assessment methodology used to identify the operational areas and functions to be audited and the frequency of those audits. The risk assessment is generally completed annually by the internal audit department to identify the scope of the review and apply risk rating to the areas to be reviewed. The risk assessment generally identifies the frequency of reviews based on the risk rating applied to the areas listed.

• Documented policies and procedures to detail the internal audit review processes, govern reporting to senior management, and address the remediation of findings.

• A departmental and functional audit schedule for a minimum 12-month period. The schedule should identify the areas subject to review during the current period and align with the risk assessment.”

The Selling Guide does not explicitly state the number or frequency of audits in a calendar year; Fannie Mae leaves it to its Seller/Servicers to determine those items. However, the number and frequency of audits should be commensurate with the size and complexity of the organization. A single audit does not meet the minimum requirements, as evidenced by recent MORA examination results requiring a Seller/Servicer to submit the two most recent internal audit reports, a minimum 12-month audit schedule, and the most recent risk assessment.
