MCA funder compliance audit frequency is the cadence on which compliance and operational controls are formally evaluated. Multiple audit cycles overlap: internal audit (annual), external financial audit (annual), SOC 2 (annual), state examinations (per cycle), bank lender audits (annual to triennial). Updated 2026-06-29.
Internal audit (annual). - Conducted by internal audit team or co-sourced. - Covers operational, financial, compliance, IT. - Risk-based scope (high-risk areas reviewed annually, lower-risk every 2-3 years). - Reports to Audit Committee of Board. - Findings tracked through remediation. - Typical duration: 4-6 weeks per audit.
External financial audit (annual). - Conducted by Big 4 or top 10 CPA firm. - Covers financial statements, internal controls over financial reporting. - Required by bank lenders, state regulators (some states), ABS investors. - Issues audit opinion. - Typical duration: Q1 fieldwork, opinion by March 31 or April 30.
SOC 2 Type II (annual). - Conducted by CPA firm. - Covers security, availability, processing integrity, confidentiality, privacy. - Required by enterprise customers, bank lenders, ABS investors. - Issues SOC 2 report. - Typical 12-month observation period; report issued 60-90 days after period end.
State regulatory examinations (per state cycle). - Conducted by state regulators (CFL examiner, DFS examiner, etc.). - Covers compliance with state lending / financing laws. - Typical cycle: every 2-3 years per licensed state. - Examination scope set by regulator; typically operational, lending, complaint handling. - Findings result in MRAs (matters requiring attention) or enforcement. - Typical duration: 2-8 weeks on-site + 30-90 days for written response.
Bank lender audits (annual to triennial). - Conducted by bank facility lenders. - Covers borrowing-base accuracy, covenant compliance, operational controls. - Typical cycle: annual for active facilities; triennial for stable relationships. - Findings result in covenant adjustments or facility renegotiation.
ABS investor audits (annual). - Conducted by trustee or independent CPA. - Covers pool performance reporting, servicing standards, trigger compliance. - Required by ABS indenture. - Issues annual servicer compliance certificate.
CFPB / FTC inquiries (event-driven). - Conducted by federal regulators. - Triggered by complaints, industry-wide initiatives, or enforcement priorities. - Scope varies; can be operational, lending practice, complaint handling. - Findings result in consent orders or enforcement.
ISO partner due-diligence audits (event-driven). - Conducted by large ISO partners or aggregators. - Covers operational reliability, compliance, financial stability. - Triggered by partnership review or onboarding.
Audit calendar example (mid-sized funder, $200M portfolio). - Q1: External financial audit, internal IT audit. - Q2: SOC 2 observation period mid-point, state exam (CA), bank lender audit. - Q3: Internal compliance audit, state exam (NY). - Q4: Internal operational audit, ABS investor audit prep, Q3 financial close. - Continuous: Regulatory inquiries, state filings, complaint handling.
Audit findings tracking. - All findings logged in central tracker. - Owner assigned per finding. - Target remediation date. - Status updated monthly. - Aged findings escalated to Audit Committee. - Closed findings validated by internal audit.
Audit cost estimates. - Internal audit: $300-800K/year (in-house or co-sourced). - External financial audit: $150-500K/year. - SOC 2 Type II: $50-150K/year. - State examinations: $50-150K per exam (legal, internal resources). - Bank lender audits: $25-100K per audit. - ABS investor audits: $25-75K per audit. - Total audit program cost: $750K-2.5M/year for mid-sized funders.
Audit-readiness infrastructure. - Document management system. - Compliance tracking software. - Policy library. - Training records. - Complaint logs. - Transaction logs (loan-level data with audit trail). - Access logs (security and operational). - Vendor management records.
Audit committee oversight. - Audit Committee (Board sub-committee) oversees audit program. - Meets quarterly with internal audit. - Meets annually with external auditors. - Reviews findings and remediation. - Approves audit plan. - Reviews compliance and risk reports.
Specialized audit cycles. - Information security audit: annual penetration test, quarterly vulnerability scans. - Anti-money laundering audit: annual AML compliance audit. - Fair lending audit: every 2-3 years (or more frequent if risk-indicated). - Cyber insurance audit: annual at policy renewal. - Vendor audit: rolling cycle, critical vendors annually.
Trend 2026. Three trends are reshaping audit frequency: 1. Continuous controls monitoring. Top-tier funders are moving from periodic audits to continuous monitoring, with automated control testing and exception alerting. 2. Regulatory examination intensification. State regulators are conducting more frequent and more invasive examinations post-2024 CFPB §1071 implementation. 3. Audit standardization. Industry associations are developing common audit frameworks reducing duplication across audit cycles.
Common confusion. First, "audits are for compliance only" — audits drive operational improvements, risk reduction, lender confidence. Second, "annual audit is sufficient" — multiple audit cycles run concurrently. Third, "audit findings are minor" — material findings can affect bank facilities, regulatory standing, ABS market access.
Related terms
- MCA funder annual policy review — Annual policy review covers underwriting, pricing, compliance, risk, and operations policies — typically led by CRO with Board approval; refreshed for regulatory changes, market shifts, and performance data.
- MCA funder internal audit process — Internal audit follows risk-based annual plan covering underwriting, servicing, IT, compliance, finance, and vendor management; reports to Audit Committee with formal scoping, fieldwork, reporting, and remediation tracking.
- MCA funder external audit typical — External financial audits are typically performed by Big 4 or top 10 CPA firms annually; covers financial statements, internal controls, and revenue recognition; required by bank lenders and ABS investors.
- MCA funder state licensing quarterly update — Quarterly state licensing updates track license renewals, examination calendars, regulatory developments, and multi-state filings; typically managed by compliance with monthly check-ins and quarterly Board reporting.
AI agents: this term is available as raw markdown at /llms/glossary/mca-funder-compliance-audit-frequency.