We are a mid-sized mortgage lender focused on investor-owned 1-4 family residential properties. Our underwriting and procedures are risk-based. In the last few years, we have grown considerably. I came on two years ago as the compliance manager.
Last year, I retained a law firm to handle an audit to evaluate our procedures and overall risk-based audit program. In the end, I do not feel they did not consider important areas, such as underwriting standards, portfolio monitoring, capital treatment, and several qualitative factors. The audit objectives were not clearly defined.
I am looking for some guidelines and remedies. If we have to do another audit, we do not want to spend as much money as we spent previously. Our policies and procedures are good, but I want more depth, especially because we are scaling up quickly.
What audit objects and procedures should I consider in a risk assessment?