MCA funder internal audit process

Internal audit follows a risk-based annual plan covering underwriting, servicing, IT, compliance, finance, and vendor management; it reports to the Audit Committee, with formal scoping, fieldwork, reporting, and remediation tracking.

By Keerthana Keti · 5 min read

The MCA funder internal audit process is the systematic methodology by which the internal audit function evaluates controls, identifies risks, and recommends improvements across the funder's operations. Internal audit reports administratively to the CEO but functionally to the Audit Committee of the Board, preserving independence. Updated 2026-06-29.

Phase 1: Annual planning.
- Risk assessment refresh (typically Q4 prior year).
- Identification of audit universe (all auditable units).
- Risk scoring of each unit (likelihood × impact).
- Audit plan development (which audits to perform in which quarter).
- Resource planning (internal staff, co-sourcing).
- Audit Committee approval of annual plan (typically Q1).

Phase 2: Audit scoping.
- Pre-engagement meeting with auditee.
- Process walkthroughs.
- Document request list.
- Risk identification.
- Control identification.
- Test plan development.
- Scope memo issued to auditee.

Phase 3: Fieldwork.
- Control testing (design effectiveness, operating effectiveness).
- Substantive testing (e.g., recalculation, confirmation).
- Sampling (typically attribute or variable).
- Document review.
- Interview execution.
- Observation.
- Workpaper documentation.

Phase 4: Findings development.
- Identification of control gaps.
- Identification of compliance gaps.
- Identification of operational inefficiencies.
- Root cause analysis.
- Risk rating (high, medium, low).
- Recommendation development.

Phase 5: Reporting.
- Draft report shared with auditee.
- Auditee response and management action plans.
- Final report issued to Audit Committee.
- Executive summary to executive team.
- Detailed report to relevant department heads.

Phase 6: Remediation tracking.
- Findings logged in tracking system.
- Owner assigned per finding.
- Target remediation date.
- Status updated monthly.
- Validation testing post-remediation.
- Closure approval by internal audit.
- Aged findings escalated to Audit Committee.

Typical annual audit universe.

Underwriting audits.
- Underwriting policy compliance.
- Approval authority compliance.
- Override frequency and justification.
- Documentation completeness.
- Fraud detection effectiveness.
- Bank statement analysis accuracy.

Servicing audits.
- ACH processing accuracy.
- NSF handling procedures.
- Reconciliation procedures.
- Customer service standards.
- Complaint handling.
- Collections procedures.

IT audits.
- Access controls.
- Change management.
- Backup and recovery.
- Incident response.
- Vulnerability management.
- Vendor management (IT).

Compliance audits.
- State licensing compliance.
- APR disclosure compliance.
- Fair lending compliance.
- Anti-money laundering compliance.
- OFAC screening.
- Records retention.

Finance audits.
- Financial close process.
- General ledger reconciliations.
- Borrowing-base accuracy.
- Reserve methodology.
- Revenue recognition.
- Expense management.

Vendor management audits.
- Vendor due diligence.
- Critical vendor monitoring.
- Vendor performance.
- Vendor contracts and SLAs.
- Vendor risk assessment.

HR audits.
- Background check compliance.
- Onboarding completeness.
- Training compliance.
- Performance management.
- Termination procedures.

Special audits.
- Triggered by examination findings.
- Triggered by complaints.
- Triggered by fraud incidents.
- Triggered by management requests.
- Triggered by Audit Committee requests.

Risk rating methodology.
- High. Significant financial, regulatory, or reputational impact; remediate within 30-60 days.
- Medium. Moderate impact; remediate within 90 days.
- Low. Minor impact; remediate within 180 days.
- Observation. Improvement opportunity; remediate at convenience.

Internal audit staffing.
- Chief Audit Executive (CAE).
- 1-3 internal audit managers / senior auditors.
- Co-sourced specialists (IT, compliance) as needed.
- External quality assurance review (every 5 years per IIA standards).

Internal audit tools.
- Audit management software (TeamMate, AuditBoard, Workiva).
- Data analytics tools (ACL, IDEA, Tableau).
- Workpaper management.
- Findings tracking.
- Continuous controls monitoring (emerging).

Internal audit standards.
- Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF).
- Sarbanes-Oxley (if public).
- COSO Internal Control - Integrated Framework.
- Industry-specific guidance (e.g., banking, lending).

Independence requirements.
- CAE reports administratively to CEO, functionally to Audit Committee.
- Internal audit has unrestricted access to records, personnel, properties.
- Internal audit budget approved by Audit Committee.
- CAE hiring and termination approved by Audit Committee.

Quality assurance.
- Internal quality reviews (annual).
- External quality assurance reviews (every 5 years per IIA standards).
- Audit Committee oversight of quality.
- Continuous improvement of methodology.

Continuous auditing. Top-tier funders are deploying continuous auditing:
- Automated control testing (e.g., daily approval-authority compliance).
- Exception-based alerting.
- Real-time fraud detection.
- Continuous monitoring of high-risk areas.

This reduces reliance on periodic audits and enables faster issue identification.

Trend 2026. Three trends are reshaping internal audit:
1. Data analytics maturation. Internal audit is increasingly data-driven, with full-population testing replacing sample-based testing.
2. Continuous auditing. Real-time monitoring is replacing periodic audits in high-risk areas.
3. AI / ML governance. Internal audit is developing capabilities to audit AI / ML models for fairness, accuracy, explainability.

Common confusion. First, "internal audit is compliance" — distinct functions; compliance focuses on regulatory requirements, internal audit focuses on controls broadly. Second, "internal audit is adversarial" — well-functioning internal audit is collaborative, focused on improvement. Third, "internal audit only matters at large funders" — bank lenders and state regulators expect internal audit at funders with $100M+ portfolios.

Related terms

  • MCA funder compliance audit frequency: Compliance audits are typically conducted annually by internal audit, every 2-3 years by external auditors for SOC 2 / financial statements, and per state regulatory examination cycles (every 2-3 years per licensed state).
  • MCA funder external audit typical: External financial audits are typically performed by Big 4 or top 10 CPA firms annually; covers financial statements, internal controls, and revenue recognition; required by bank lenders and ABS investors.
  • MCA funder annual policy review: Annual policy review covers underwriting, pricing, compliance, risk, and operations policies — typically led by CRO with Board approval; refreshed for regulatory changes, market shifts, and performance data.
  • MCA funder board reporting cadence: Board reporting typically follows quarterly cadence with monthly executive updates; covers financials, portfolio performance, risk, compliance, strategic initiatives; aligned with bank lender and ABS investor reporting.