Mortgage Company Audit Obligations
Mortgage companies in the United States operate under a layered web of federal and state audit obligations that extend well beyond standard financial statement review. These obligations arise from the intersection of consumer protection law, secondary market participation rules, and prudential oversight frameworks. Understanding the scope and structure of these requirements is essential for mortgage bankers, servicers, and their compliance functions.
Definition and scope
A mortgage company audit obligation is a formal, recurring requirement imposed by statute, regulation, or contractual agreement that compels a mortgage originator, servicer, or holding entity to submit to independent examination of its financial records, compliance posture, or operational controls. These obligations apply to a broad spectrum of entities — from large bank-owned mortgage subsidiaries subject to federal banking oversight to non-bank independent mortgage companies (IMBs) regulated primarily at the state level.
The two foundational regulatory sources for federally connected mortgage companies are the Consumer Financial Protection Bureau (CFPB) and the Federal Housing Finance Agency (FHFA). The CFPB holds supervisory authority over non-bank mortgage originators and servicers with significant market presence under the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. § 5514). The FHFA governs entities that sell or service loans for Fannie Mae and Freddie Mac, imposing seller/servicer eligibility standards that include audit and financial reporting requirements.
State-level obligations add a parallel layer. Each state that licenses mortgage companies — through frameworks that vary by jurisdiction — typically requires audited financial statements as part of annual license renewal. The Conference of State Bank Supervisors (CSBS) coordinates multi-state examination protocols through the Nationwide Multistate Licensing System (NMLS), which standardizes audit submission requirements across participating states.
Scope boundaries matter: a federally chartered depository institution that originates mortgages falls primarily under bank examination frameworks (see FDIC Audit Requirements for Banks), while a non-depository IMB faces a distinct and often more fragmented set of requirements. The compliance audit vs. financial audit distinction is particularly relevant here, as mortgage companies must satisfy both types simultaneously.
How it works
Mortgage company audit obligations operate through three distinct tracks that run concurrently rather than sequentially.
- Audited financial statements — Most state licensing regimes require submission of annual audited financial statements prepared by an independent CPA firm in accordance with Generally Accepted Auditing Standards (GAAS) as issued by the American Institute of Certified Public Accountants (AICPA). Fannie Mae and Freddie Mac seller/servicer guides impose specific net worth and liquidity thresholds that audited financials must demonstrate. As of the 2023 Fannie Mae Selling Guide update, non-depository seller/servicers must maintain a minimum adjusted net worth of $2.5 million plus 0.25% of the unpaid principal balance of the total servicing portfolio (Fannie Mae Selling Guide).
- Compliance audits — The CFPB's supervision program evaluates compliance with statutes including the Real Estate Settlement Procedures Act (RESPA, 12 U.S.C. § 2601), the Truth in Lending Act (TILA, 15 U.S.C. § 1601), and the Fair Housing Act. Mortgage companies must maintain internal compliance audit functions or engage external auditors to test controls around loan origination, disclosure timing, servicing practices, and escrow administration. The CFPB Compliance Audit Overview details the bureau's examination procedures.
- Operational and controls audits — Servicers handling Ginnie Mae mortgage-backed securities face additional audit requirements under the Ginnie Mae Mortgage-Backed Securities Guide, including reviews of custodial account management and document custody procedures (Ginnie Mae MBS Guide).
The risk-based auditing in financial services approach governs how internal audit teams prioritize coverage, weighting high-volume origination channels, servicing transfers, and loss mitigation functions as elevated-risk areas.
Common scenarios
Mortgage companies encounter audit obligations in four recurring contexts:
- Annual state license renewal: Submission of CPA-audited financial statements to one or more state regulators through the NMLS. Companies operating in 20 or more states manage this as a coordinated, calendar-driven engagement with defined submission deadlines that vary by state.
- GSE seller/servicer eligibility review: Fannie Mae and Freddie Mac conduct periodic financial and operational reviews of approved counterparties. A servicer experiencing a net worth breach must notify the applicable GSE within specified timeframes and may face remediation timelines or transfer of servicing obligations.
- CFPB supervisory examination: Non-bank mortgage servicers above certain volume thresholds receive scheduled CFPB examinations that function similarly to a formal audit, producing examination reports with findings requiring management response. This parallels the audit findings and management response process used in traditional audit engagements.
- Anti-money laundering program review: Mortgage companies that are non-bank financial institutions must maintain Bank Secrecy Act (BSA) compliance programs under 31 U.S.C. § 5318 and undergo independent testing of those programs at least annually (FinCEN BSA requirements). The BSA/Bank Secrecy Act Audit Obligations page covers this area in detail.
A critical scenario comparison: an IMB that only originates loans (and sells all production) faces lighter ongoing audit burdens than an IMB that retains a servicing portfolio, because servicing introduces custodial account, escrow, and consumer protection obligations that generate continuous regulatory audit triggers.
Decision boundaries
Audit obligation scope for a mortgage company shifts based on four primary classification factors:
- Depository vs. non-depository status — Bank-affiliated mortgage operations fall under prudential regulator examination frameworks (OCC, FDIC, Federal Reserve); non-bank IMBs do not have a single federal prudential regulator and must self-manage compliance with CFPB and GSE requirements.
- Originator vs. servicer vs. both — Servicers face heavier ongoing audit requirements than pure originators due to escrow, loss mitigation, and investor reporting obligations.
- GSE seller/servicer approval — Holding active approvals from Fannie Mae, Freddie Mac, or Ginnie Mae triggers contractually mandated financial reporting, audit standards, and net worth covenants beyond what state law requires.
- Volume thresholds — CFPB supervisory examination authority under 12 U.S.C. § 5514 applies to "larger participants" as defined by rule; the mortgage threshold is set at 5,000 or more aggregate annual originations (CFPB Larger Participant Rule, 12 CFR Part 1090).
The fair lending audit requirements add a horizontal obligation that applies regardless of the originator/servicer distinction — Home Mortgage Disclosure Act (HMDA) data integrity and fair lending statistical analysis must be reviewed as part of a complete compliance audit program.
References
- Consumer Financial Protection Bureau (CFPB)
- Federal Housing Finance Agency (FHFA)
- Fannie Mae Selling Guide
- Freddie Mac Seller/Servicer Guide
- Ginnie Mae MBS Guide
- Conference of State Bank Supervisors (CSBS) — NMLS
- FinCEN — Bank Secrecy Act Resources
- CFPB Larger Participant Rule — 12 CFR Part 1090
- Dodd-Frank Wall Street Reform and Consumer Protection Act — 12 U.S.C. § 5514
- AICPA — Generally Accepted Auditing Standards
- Real Estate Settlement Procedures Act (RESPA) — 12 U.S.C. § 2601