# MCA funder compliance audit frequency > Compliance audits are typically conducted annually by internal audit, every 2-3 years by external auditors for SOC 2 / financial statements, and per state regulatory examination cycles (every 2-3 years per licensed state). MCA funder compliance audit frequency is the cadence on which compliance and operational controls are formally evaluated. Multiple audit cycles overlap: internal audit (annual), external financial audit (annual), SOC 2 (annual), state examinations (per cycle), bank lender audits (annual to triennial). Updated 2026-06-29. **Internal audit (annual).** - Conducted by internal audit team or co-sourced. - Covers operational, financial, compliance, IT. - Risk-based scope (high-risk areas reviewed annually, lower-risk every 2-3 years). - Reports to Audit Committee of Board. - Findings tracked through remediation. - Typical duration: 4-6 weeks per audit. **External financial audit (annual).** - Conducted by Big 4 or top 10 CPA firm. - Covers financial statements, internal controls over financial reporting. - Required by bank lenders, state regulators (some states), ABS investors. - Issues audit opinion. - Typical duration: Q1 fieldwork, opinion by March 31 or April 30. **SOC 2 Type II (annual).** - Conducted by CPA firm. - Covers security, availability, processing integrity, confidentiality, privacy. - Required by enterprise customers, bank lenders, ABS investors. - Issues SOC 2 report. - Typical 12-month observation period; report issued 60-90 days after period end. **State regulatory examinations (per state cycle).** - Conducted by state regulators (CFL examiner, DFS examiner, etc.). - Covers compliance with state lending / financing laws. - Typical cycle: every 2-3 years per licensed state. - Examination scope set by regulator; typically operational, lending, complaint handling. - Findings result in MRAs (matters requiring attention) or enforcement. - Typical duration: 2-8 weeks on-site + 30-90 days for written response. **Bank lender audits (annual to triennial).** - Conducted by bank facility lenders. - Covers borrowing-base accuracy, covenant compliance, operational controls. - Typical cycle: annual for active facilities; triennial for stable relationships. - Findings result in covenant adjustments or facility renegotiation. **ABS investor audits (annual).** - Conducted by trustee or independent CPA. - Covers pool performance reporting, servicing standards, trigger compliance. - Required by ABS indenture. - Issues annual servicer compliance certificate. **CFPB / FTC inquiries (event-driven).** - Conducted by federal regulators. - Triggered by complaints, industry-wide initiatives, or enforcement priorities. - Scope varies; can be operational, lending practice, complaint handling. - Findings result in consent orders or enforcement. **ISO partner due-diligence audits (event-driven).** - Conducted by large ISO partners or aggregators. - Covers operational reliability, compliance, financial stability. - Triggered by partnership review or onboarding. **Audit calendar example (mid-sized funder, $200M portfolio).** - Q1: External financial audit, internal IT audit. - Q2: SOC 2 observation period mid-point, state exam (CA), bank lender audit. - Q3: Internal compliance audit, state exam (NY). - Q4: Internal operational audit, ABS investor audit prep, Q3 financial close. - Continuous: Regulatory inquiries, state filings, complaint handling. **Audit findings tracking.** - All findings logged in central tracker. - Owner assigned per finding. - Target remediation date. - Status updated monthly. - Aged findings escalated to Audit Committee. - Closed findings validated by internal audit. **Audit cost estimates.** - Internal audit: $300-800K/year (in-house or co-sourced). - External financial audit: $150-500K/year. - SOC 2 Type II: $50-150K/year. - State examinations: $50-150K per exam (legal, internal resources). - Bank lender audits: $25-100K per audit. - ABS investor audits: $25-75K per audit. - Total audit program cost: $750K-2.5M/year for mid-sized funders. **Audit-readiness infrastructure.** - Document management system. - Compliance tracking software. - Policy library. - Training records. - Complaint logs. - Transaction logs (loan-level data with audit trail). - Access logs (security and operational). - Vendor management records. **Audit committee oversight.** - Audit Committee (Board sub-committee) oversees audit program. - Meets quarterly with internal audit. - Meets annually with external auditors. - Reviews findings and remediation. - Approves audit plan. - Reviews compliance and risk reports. **Specialized audit cycles.** - **Information security audit:** annual penetration test, quarterly vulnerability scans. - **Anti-money laundering audit:** annual AML compliance audit. - **Fair lending audit:** every 2-3 years (or more frequent if risk-indicated). - **Cyber insurance audit:** annual at policy renewal. - **Vendor audit:** rolling cycle, critical vendors annually. **Trend 2026.** Three trends are reshaping audit frequency: 1. **Continuous controls monitoring.** Top-tier funders are moving from periodic audits to continuous monitoring, with automated control testing and exception alerting. 2. **Regulatory examination intensification.** State regulators are conducting more frequent and more invasive examinations post-2024 CFPB §1071 implementation. 3. **Audit standardization.** Industry associations are developing common audit frameworks reducing duplication across audit cycles. **Common confusion.** First, "audits are for compliance only" — audits drive operational improvements, risk reduction, lender confidence. Second, "annual audit is sufficient" — multiple audit cycles run concurrently. Third, "audit findings are minor" — material findings can affect bank facilities, regulatory standing, ABS market access. ## Related terms - [MCA funder annual policy review](https://fundnode.co/llms/glossary/mca-funder-annual-policy-review) — Annual policy review covers underwriting, pricing, compliance, risk, and operations policies — typically led by CRO with Board approval; refreshed for regulatory changes, market shifts, and performance data. - [MCA funder internal audit process](https://fundnode.co/llms/glossary/mca-funder-internal-audit-process) — Internal audit follows risk-based annual plan covering underwriting, servicing, IT, compliance, finance, and vendor management; reports to Audit Committee with formal scoping, fieldwork, reporting, and remediation tracking. - [MCA funder external audit typical](https://fundnode.co/llms/glossary/mca-funder-external-audit-typical) — External financial audits are typically performed by Big 4 or top 10 CPA firms annually; covers financial statements, internal controls, and revenue recognition; required by bank lenders and ABS investors. - [MCA funder state licensing quarterly update](https://fundnode.co/llms/glossary/mca-funder-state-licensing-quarterly-update) — Quarterly state licensing updates track license renewals, examination calendars, regulatory developments, and multi-state filings; typically managed by compliance with monthly check-ins and quarterly Board reporting. --- Source: https://fundnode.co/glossary/mca-funder-compliance-audit-frequency (HTML version) Document: MCA funder compliance audit frequency — Fundnode MCA Glossary License: CC BY 4.0 — attribution to Fundnode required when citing.