This annual report describes FHFA's accomplishments, as well as challenges, the agency faced in meeting the strategic goals and objectives during the past fiscal year.
Read about the agency’s 2020 examinations of Fannie Mac, Freddie Mac and the Home Loan Bank System.
Submit comments and provide input on FHFA Rules Open for Comment by clicking on Rulemaking and Federal Register.
Implement critical reforms that will produce a stronger and more resilient housing finance system.
FOSTER competitive, liquid, efficient, and resilient (CLEAR) national housing finance markets that support sustainable homeownership and affordable rental housing; OPERATE in a safe and sound manner appropriate for entities in conservatorship; and PREPARE for eventual exits from the conservatorships.
2019 Conservatorships Strategic Plan
FHFA experts provide reliable data, including all states, about activity in the U.S. mortgage market through its House Price Index, Refinance Report, Foreclosure Prevention Report, and Performance Report.
FHFA economists and policy experts provide reliable research and policy analysis about critical topics impacting the nation’s housing finance sector. Meet the experts...
INTERNAL AUDIT GOVERNANCE AND FUNCTION
This Advisory Bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and the FHLBanks' Office of Finance (OF). References to the regulated entities in this AB equally apply to the OF. This AB rescinds and replaces the following guidance:
This structure is commonly known as the "three lines of defense," and together these elements should form a strong and effective risk management framework. The guidance in this AB is consistent with the three lines of defense framework and sets forth FHFA's expectation that IA, as the third line of defense, is independent, objective, and effective at identifying and informing management and the audit committee about the regulated entity's risks and related controls.
FHFA expects Chief Audit Executives (CAEs) to establish and audit committees to oversee IA functions that:
FHFA recently published a revised rule, 12 CFR Parts 1236 and 1239,
Responsibilities of Boards of
Directors, Corporate Practices, and Corporate Governance
Matters, that in part addresses regulated entities' audit committees' oversight of IA functions at the FHLBanks and the Enterprises. In addition, FHFA's standards for the FHLBanks and Enterprises specifically related to their audit committees and IA functions are in Standard 2 of the
and Operations Standards (PMOS) (12 CFR Part 1236, Appendix). FHFA requirements relating to the OF's audit committee are set forth at 12 CFR 1273.9.
For the FHLBanks, the regulations prescribe specific details about the composition of the audit committee, the independence of its members, the content of the audit committee charter, and the duties and responsibilities of the audit committee, including its oversight responsibilities with respect to the IA function.
The OF is the FHLBanks' fiscal agent. It compiles and publishes the FHLBanks' Combined Financial Reports. The OF's audit committee composition, responsibilities, and charter are addressed in 12 CFR 1273.9 and are similar to those applicable to FHLBanks. The OF is not a Securities and Exchange Commission registrant.
For the Enterprises, regulations in 12 CFR 1239.5(b) require that all the board committees comply with requirements established by the New York Stock Exchange (NYSE) and that the audit committees also comply with the requirements of Section 301 of the Sarbanes-Oxley Act of 2002. Relevant portions of the NYSE rules address the composition of the audit committee, the independence of its members, the general requirements for its charter, the responsibilities and duties of the audit committee (which include assisting the board in oversight of the IA function), and the need for audit committees to meet separately and periodically with management, CAEs, and independent auditors.
Because the existing regulations and guidelines provide general requirements for oversight of the IA function, FHFA is issuing this AB to provide an additional level of detail on the responsibilities of audit committees in their oversight of the IA function, as well as on the independence and operation of the IA function. This guidance reflects FHFA's supervisory expectations that the audit committee actively and rigorously oversees the IA function and that the function is independent, objective, and effective. Further, this guidance is informed by FHFA's understanding of industry best practices for IA governance and operations at larger and more complex financial institutions.
In addition, the provisions of this AB are consistent with IA guidance issued by the federal banking regulatory agencies. That guidance includes the
Interagency Policy Statement on the Internal Audit Function and its Outsourcing (March 17, 2003) and the Federal Reserve Board's
Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing (January 23, 2013). This AB is also consistent with the
OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches;
Integration of 12 CFR Parts 30 and 170 (effective November 10, 2014) and with guidance in the October 27, 2009 FHFA
Examination for Accounting Practices document, which remains in effect.
Committee Oversight of the
The board of directors of each regulated entity is required to have an audit committee responsible for overseeing the IA function and an individual responsible for the IA function (referred to in this document as the CAE, regardless of that individual's title). The audit committee should have regular and open communications with the CAE.
The audit committee should direct the CAE to structure the IA function so that it is appropriately designed, independent, and objective, and so that it effectively identifies and assesses risks. The committee should confirm that the regulated entity's IA audit methodology is established and activities are conducted in accordance with appropriate professional standards, such as the Institute of Internal Auditors'
Standards for the Professional
of Internal Auditing
(IIA Standards). The CAE should periodically review IA's audit methodology with the committee and the committee should approve the methodology and significant changes thereto. Further, the audit committee should oversee the process by which issues that are reported by IA are promptly addressed and satisfactorily resolved by management.
The audit committee is required to operate pursuant to a written charter, which should be reviewed at least annually by the audit committee and full board of directors (board), and be re-approved at least every three years by the board.
FHFA expects that, at a minimum, the audit committee charter will address the following matters regarding the IA function:
Committee Communication with
The audit committee and the CAE, including IA staff, should have unrestricted access to each other without prior management knowledge or approval. FHFA expects audit committee leadership to discuss audit matters with the CAE between and apart from regular audit committee meetings to stay current on IA operations, emerging risks, and other relevant matters. If significant issues arise in these discussions, they should be covered timely with the committee. Regular executive sessions with the CAE are essential to ensure open and complete communications. These executive sessions should be confidential, closed to management, and should be regularly scheduled.
An important component of effective communications between the CAE and audit committee are the regular written reports to the audit committee prior to each meeting and otherwise as warranted. Regular written reports from IA to the committee should generally address:
The audit committee should maintain a robust process for monitoring and, at least annually, formally assessing and evaluating CAE performance and the effectiveness of the IA function. The process should generally incorporate input from senior management and external auditors, from any outside peer reviews or assessments including regulatory examinations, and from the audit committee's own observations of and interactions with the CAE and IA staff. The audit committee should document its assessments of the CAE's and IA function's performance.
IA Independence and Objectivity
Before appointing a CAE, and thereafter at least annually, the audit committee should confirm with the CAE and document whether the CAE has any actual or apparent conflicts of interest and should develop appropriate limits for the CAE's activities accordingly. If an audit committee considers a candidate for CAE with potential conflicts of interest, the conflicts, and any mitigating considerations, should be disclosed to and discussed by the audit committee and should be clearly documented in audit committee records.
Similarly, the CAE should regularly assess whether IA staff has actual, potential, or apparent conflicts of interest and appropriately restrict the activities of the staff to avoid those conflicts. At least annually, the CAE should confirm IA activities' independence to the audit committee. To help maintain the highest level of objectivity in the IA function, CAEs should consider rotating assignments for lead auditors and audit staff when feasible.
in the Organization
Properly positioning the CAE and the IA function in a regulated entity's organization helps achieve objectivity and independence of the IA function and minimizes the opportunity for management to unduly influence, override, or limit IA activities or findings. The most structurally independent organizational arrangement for the IA function would have the CAE report directly to the audit committee regarding both audit issues and administrative matters. However, the CAE may report administratively to the Chief Executive Officer (CEO) if the audit committee so approves.
Board and senior management engagement and cooperation with IA are essential to its effectiveness. Boards and management should give IA full and unconditional access to any records and data, including access to management information systems and records and the minutes of all board and management committee meetings. FHFA expects IA to have access to management committee meetings and related materials in an ex-officio capacity, and any exceptions should be discussed and reconciled with the audit committee. Boards and management should also require timely remediation of audit issues.
Should management attempt to hinder IA's objectivity and independence, for example, by restricting IA's access to records or personnel, IA staff should disclose to and discuss such attempts with the CAE. If the scope of an audit is affected by management's action, the limitation should be disclosed in the audit report and documented in the associated work papers. The CAE should report any attempts to hinder IA's objectivity and independence or limit the scope of an audit activity to the audit committee, generally through the chair, immediately for appropriate resolution.
CAE compensation, which should be approved by the audit committee, should include an appropriate focus on performing audit activities and should only include incentives tied to actions and outcomes within the CAE's control and influence. Audit committees should not link CAE incentive compensation to the regulated entity's financial position, results of operations, achieving growth or volume targets, business unit compliance levels, or other measures or metrics that could impair or appear to impair IA independence or objectivity. CAE compensation should be reasonable and comparable with compensation for employment in other similar businesses (including publicly held financial institutions or major financial services companies) involving similar duties and responsibilities. To these ends, consulting with and obtaining input from a regulated entity's compensation committee may provide useful insights.
IA Attributes and Operations
IA Function Attributes
The IA department should have a written charter, which should be reviewed at least annually and be approved by the audit committee every three years or whenever substantive changes are made. The charter should define the purposes, authorities, and responsibilities of the IA function. The charter is the foundational document governing all IA activities. The charter should generally cover:
The IA function needs sufficient staff with the requisite knowledge, skills, professional competence, resources, and stature within the regulated entity to assess the effectiveness of the regulated entity's controls and to credibly challenge management.
A regulated entity should have policies and procedures designed to reinforce that:
Collectively, IA staff, supplemented as needed by external resources, should have the knowledge and skills, as evidenced by education and audit, industry, and technical experience, to audit the entire regulated entity. Relevant and current professional certifications and licenses provide evidence of certain technical knowledge and skills. Generally, IA staff should audit business units or functions related to their areas of expertise.
At least annually, the CAE is expected to assess and document the knowledge, skills, and abilities of IA staff and compare those with both the Audit Plan and the universe of risks in the regulated entity. When assessing the knowledge, skills, and abilities of IA staff, the CAE may consider management feedback and internal or external quality assurance assessments. If the assessment identifies gaps within IA staff knowledge, skill, and abilities, the CAE should identify a means for filling those gaps, which might include staff training, hiring new staff, and/or using co-sourcing or outsourcing arrangements. The CAE should report the results of the assessment to the audit committee.
The CAE should confirm that he/she and all IA staff receive ongoing formal training. CAEs and staff should generally receive a minimum of forty hours of training per year. The IA function should have a process to evaluate and monitor the quality and appropriateness of training. In addition to formal training, IA staff may benefit from staff rotations, both within the IA department and with business and risk management functions, in order to provide IA staff with broader exposure to those functions and opportunities to develop additional areas of expertise. We encourage such rotations where they are feasible and can be done without compromising audit coverage and IA independence.
The IA function may be staffed using IA employees solely or by supplementing them with co-sourced or outsourced resources. Co-sourcing or outsourcing engagements are generally entered into when a regulated entity has insufficient staff to complete planned audits in a timely manner or needs technical expertise beyond that of the IA staff. The CAE retains responsibility for managing and providing the audit committee with reports to enable the audit committee to oversee all IA work, whether done by IA staff, co-sourced, or outsourced.
Co-sourcing is a partnership between IA and an outside vendor (auditor or firm) that works with and often alongside, but does not replace, existing IA staff. In co-sourcing, IA staff takes an active part in project planning and decision making and may participate in preparing final reports. Further, IA manages and/or works alongside the specially-skilled partner(s) or vendor(s). One objective of co-sourcing may be to transfer knowledge from the vendor to IA. In a co-sourcing arrangement, the vendor has a dual reporting relationship to IA and the vendor's own management. The CAE should require in associated contracts with co-sourced partners that work complies with applicable IA policies and standards and that the workpapers associated with the co-sourced work are retained by IA, not the vendor.
Under an outsourcing arrangement, the outside vendor (auditor or firm) is responsible for performing discrete IA engagements. The CAE maintains ownership of the entire IA function, including outsourced activities. When outsourcing audit work, the CAE should approve the scope of work and procedures to be performed. The CAE remains responsible for results of outsourced work, including findings, conclusions, and recommendations.
Before hiring a vendor to perform IA work, the CAE should confirm that: the vendor and staff who will work on the engagement have the technical knowledge and ability to perform the work; the engagement will be effectively managed; the vendor's work will be well-documented; that all control weaknesses and other significant findings, including any apparent regulatory violations, will be timely communicated to the CAE and other stakeholders; and that the regulated entity has appropriate contingency plans should a vendor be released or terminated before completing the engagement.
Co-sourced and outsourced audit work should be completed pursuant to an engagement letter or similar agreement covering all significant aspects of the engagement. Such engagement letters should generally:
Internal Audit Operations
Internal Audit Risk
Regulated entities' IA universes (comprising all auditable entities that are significant and subject to risks for which controls should be reviewed) should be regularly updated for organizational changes. Audit plans should be formulated to provide reasonable assurance that a regulated entity's system of controls is well-designed, operates effectively, and manages risks to an acceptable level. At least annually, IA should perform a risk assessment that includes reviews of its IA universe and Audit Plan to ensure that all auditable entities receive audit coverage over an appropriate period of time commensurate with associated risks.
The IA risk assessment should include four basic steps: 1) identify inherent risks to the regulated entity; 2) understand management's controls over those inherent risks; 3) assess residual or remaining risks to establish the frequency with which activities should be audited; and 4) prioritize auditable entities from the audit universe for audit coverage. The IA risk assessment should also consider multiple approaches. For example a "top-down" approach could complement a bottom-up approach. A top-down approach begins with identifying industry, environmental, and other enterprise-wide current or emerging risks. A bottom-up approach starts with the audit universe, then assesses and aggregates risks attributable to auditable entities within the audit universe.
The CAE should perform the risk assessment annually and should document the IA staff's understanding of the entity's significant business activities and the associated risks. To facilitate risk assessment and audit planning, IA should maintain (or regularly review if such an inventory is maintained by independent risk management) a complete inventory of all of the regulated entity's material processes, product lines, services, and functions, and then assess the risks, including emerging risks, associated with each. The risk assessment should consider and address risks to the regulated entity from all sources, both internal and external. These include, but are not limited to, credit, market, operational, governance, reputational, fraud, and compliance risk. The assessment should also consider thematic control issues and layered or aggregated risks that cross business units or lines of business. The risk assessment should analyze and prioritize key risks and risk management functions.
While the risk assessment should reflect IA's independent analysis, IA may consider all available information, for example, input from management self-assessments. While the formal risk assessment is performed annually, IA should update it as needed for major organizational changes, infrastructure changes, or changes in the regulated entity's external business or regulatory environment.
As underlying technology has advanced, more business entities are using "Continuous Monitoring" (CM) tools to continuously assess and provide management feedback on whether business processes are performing effectively and "Continuous Auditing" (CA) tools, which allow IA to gather and review control-related business process data.
FHFA expects IA functions to employ formal CA and/or CM practices. CA and CM can be conducted by IA staff and/or through technological tools. In either case, it should be done pursuant to written policies and procedures that support consistent and comparable results. CA and CM should be documented through business metrics, management reporting, reports to audit committees, and through any related adjustments made to audit risk assessments and plans. IA should continuously monitor key business metrics and performance indicators. IA should work to understand changes and their drivers in order to help identify potential audit issues and changes in the business environment and to adjust risk assessments and audit plans, if needed, in a timely manner.
At least annually, IA should review and update the Audit Plan. The Audit Plan should be based on the risk assessment and should consider key risks and related controls within each significant business and functional activity, the timing and frequency of planned IA work, and a resource budget. During the planning process, IA should analyze the regulated entity's specific risks, mitigating controls, and level of residual risk. The CAE should have a contingency plan to mitigate any significant disruption to audit coverage, particularly for high-risk areas. Documentation supporting the Audit Plan should reference the IA program that describes the objectives of the audit work and the audit work expected to be performed during each IA activity.
The audit planning process should include evaluating management's root cause and lessons learned analyses performed after a significant adverse event. IA should consider management's analysis of reasons for the adverse event and whether it resulted from a control breakdown or failure. IA should confirm that management correctly identified the measures needed to prevent a similar event from occurring in the future. In certain situations, IA should conduct its own lessons learned analysis outlining the remediation procedures necessary to detect, correct, and/or prevent future internal control breakdowns (including improvements in IA processes).
The audit planning process should also be designed to inform the board's responsibilities for risk oversight to include: overseeing the regulated entity's operational and risk management; remaining informed about the regulated entity's operations and condition; and remaining informed about the entity's risk exposures and senior management's actions to address them. The Audit Plan should be designed to provide the audit committee with the depth and breadth of IA assurance it needs to inform those responsibilities.
Internal Audit Coverage of Risk Management and Regulatory Compliance Programs
FHFA regulations require the Enterprises and FHLBanks to appoint a Chief Risk Officer (CRO) to implement and maintain appropriate enterprise-wide risk management practices and a Compliance Officer (CO) to head a compliance program designed to assure that they comply with applicable laws, rules, regulations, and internal controls. Both officers should regularly report to the board (in addition, the CRO reports to the Risk Committee) and to the CEO. These functions are part of the regulated entity's second line of defense, its independent risk management function, and are separate from first-line operating management but still under the direction and control of senior management.
IA is the regulated entity's third line of defense. IA should, through its risk assessment and auditing processes, provide the audit committee with independent assurance that enterprise risk management and compliance programs are working effectively, that those programs have identified and reported timely enterprise and compliance risks, and that significant risks are managed to an acceptable level.
Internal Audit Frequency
Internal audits should generally cover the entire audit universe over a maximum four year period. High-risk areas should generally be audited annually, and moderate- and low-risk audits should be scheduled every 12 to 48 months (or one to four years) based on a risk assessment and ranking that is regularly reviewed and updated. FHFA expects that IA will weigh both inherent and residual risk when deciding on how frequently to audit an area and in considering the audit approach, including the nature and extent of testing. The CAE should confirm that higher level risks, including thematic trends and control issues, are not underreported due to being separately captured in moderate- or low-risk audits. Audit plans should be dynamic and include time to expand audit work when unexpected or higher risks are identified through CM activities, scheduled audits, or otherwise. The CAE should regularly report significant changes to the audit universe or audit plans to the audit committee, along with an analysis supporting the changes.
IA reports should generally present the purpose, scope, objectives, and results of the audit, including findings, conclusions, observations, and/or recommendations however styled. Final reports should also document management's response to findings. IA should maintain work papers that document the work performed and support the audit report.
IA should establish and implement a documented methodology that employs appropriate criteria to prioritize and rank audit issues. The criteria should be sufficiently objective to promote consistent application of judgment and appropriate prioritization of audit issue severity.
Internal Audit Issues Monitoring and Tracking
Audit committees should regularly receive clear, timely, and detailed reports on significant open violations, findings, weaknesses, and other issues, regardless of their original source. Issues that FHFA requires to be reported to audit committee chairs, whether by FHFA or regulated entities' management, including all FHFA Matters Requiring Attention (MRAs), should be presumed significant. Issues may originate from IA audits and reviews, external audit, regulatory examinations, management self-identification, outside consultants' work, and other sources. IA should also verify that significant risks and/or control deficiencies identified by first- and second-line of defense units, external auditors, or other parties are adequately assessed and communicated to management and board stakeholders. To facilitate the timely and effective remediation of open audit issues, IA and management or the board (as warranted) should agree on a resolution date and on interim milestones, if appropriate.
IA should establish standards for performing timely and appropriately rigorous validation work once management asserts that remediation of significant audit issues (to include MRAs) has occurred. When management or the board indicates that they have performed the required remediation, IA should validate that revised processes and controls are in place, operating, and sustainable before closing the issue. The level of validation work that IA should perform to close an issue will vary based on the issue's risk, complexity, and associated interdependencies. For higher-risk issues, IA should verify that sufficient testing is performed over an appropriate period of time to validate that the issue is sustainably resolved.
IA reports should include key information about open remediation plans and associated timetables agreed on by stakeholders. Reports should highlight significant issues with delayed remediation, including those for which management has made agreed-upon corrective steps and/or control design changes that are pending validation, until testing is complete. These steps should help to verify that control changes are effective and sustainable and to identify issues for which the planned remediation may need to be amended.
Regulated entities should establish and implement policies and/or procedures as appropriate for documenting, monitoring, tracking, and reporting on management's acceptance of risks for any management decision not to remediate audit issues, or for time extensions to perform agreed-upon remediation. If such accepted risks are individually or in aggregate more than insignificant, the CAE should consult with senior management and the audit committee as appropriate.
An effective IA Quality Assurance Program (QAP) should be implemented to help minimize audit risk, including the risk that an audit reaches inaccurate conclusions. A QAP should include regular internal processes and reviews, as well as an external Quality Assurance Review (QAR) to be performed at least every five years.
The internal QAP review should include rigorous reviews by IA management and/or peer reviews of reports and work papers for clarity, adherence to IA policies and procedures, and consistency with relevant professional standards. The QAP should help confirm that IA policies, procedures, and processes comply with applicable regulatory and industry guidance; are appropriate for the size, complexity, and risk profile of the regulated entity; are updated to reflect changes to internal and external risk factors, emerging risks, and improvements in industry; and are followed consistently. QAP reviews and self-assessments may be activity driven or ongoing. Gaps identified should be documented and addressed timely. The CAE should report the results of the QAP to the audit committee at least annually and results from the QAR and any other external review, as received.
 The OF is not a "regulated entity" as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. However, for convenience, references to the "regulated entities" in this AB should be read to also apply to the OF.
 "Management" as the term is used in this guidance generally comprises the CEO and subordinate managers, who engage in business operations.
 As used in this guidance, the term "Chief Audit Executive" means the individual responsible for the internal audit function at a regulated entity.
 12 CFR 1239.32.
 Section 301 of the Sarbanes-Oxley Act does not directly address the audit committee's oversight of the IA function.
 NYSE Listed Company Manual, Rule 303A.07.
 12 CFR 1239.5(c).
 For the FHLBanks, annual review by the committee and the full board, and re-approval by the board at least every three years are required by regulation. 12 CFR 1239.32(d).
 For the FHLBanks, these items, except audit committee approval of IA department budget approval, are regulatory requirements. 12 CFR 1239.32(d) (3), (e) (3).
 12 CFR Part 1273.9 (b) (5), which relates to the OF only, states "the internal auditor shall report directly to the Audit Committee and administratively to executive management."
 Co-sourced and outsourced audit engagements should be awarded in compliance with the requirements for equal opportunity in employment and contracting under applicable provisions of the Minority and Women Inclusion and Diversity at Regulated Entities and the Office of Finance regulation, 12 CFR 1207.21.
 Auditable entities collectively comprise the potential audit universe and may represent business units, departments, processes, general ledger accounts, or other functions at a regulated entity that are suitable for audit.
 For example, if a regulated entity relies on user-developed spreadsheets across its operations, and IA has identified high level or thematic control issues regarding such spreadsheets, the incremental spreadsheet control risk in moderate- or low-risk auditable entities should be aggregated, addressed, and reported appropriately.
© 2021 Federal Housing Finance Agency