In This Article
- Audit Readiness Is a Daily Discipline, Not a Quarterly Scramble
- Encompass Audit Features That Examiners Actually Verify
- Calyx Point and PointCentral Audit Features for Smaller Lenders
- Integrated Audit-Evidence Workflow Across Encompass, Calyx, and Microsoft 365
- The Microsoft Purview Audit Overlay for SaaS Data
- MortgageExchange: Routing LOS Audit Evidence Into the Microsoft 365 Timeline
- Microsoft Purview + M365 Guardian: The Continuous Compliance Layer
- Quarterly Self-Audit Cadence That Keeps You Examiner-Ready
- Building the Examiner-Grade Evidence Pack
- Frequently Asked Questions
When the examiner arrives, your team gets the evidence in four hours instead of four weeks. That means six weeks of your processors and underwriters back to do loans instead of audit prep. That is the operating-model difference between Encompass, Calyx, and Microsoft 365 running as a managed unit versus three separate vendor relationships. The same configuration that gives you those weeks back also protects loan-file data from being exfiltrated by departed employees or business email compromise attacks, and examiners pass you cleanly because the system enforced the compliance step at the time of the event. Audit readiness is an operational discipline built into how your team uses the loan origination system, not a binder assembled the month before regulators arrive.
This guide walks through the specific audit features inside Encompass and Calyx Point, shows how Microsoft 365 Purview Audit overlays the SaaS data those platforms generate, and gives you a quarterly self-audit cadence plus an examiner-grade evidence pack template. The goal is simple: when the examiner emails a document request, your team has the file ready before the response deadline.
Access Business Technologies hosts Calyx PointCentral on dedicated Azure subscriptions and manages the Microsoft 365 tenants for more than 750 financial institutions, so the workflow patterns here come from real exam responses, not theory.
What you will take away
- How to map TILA, RESPA, ATR/QM, TRID, and HMDA audit triggers to specific Encompass and Calyx fields and logs
- Why Microsoft Purview Audit and Compliance Manager become a second evidence layer over your LOS data
- A six-task quarterly self-audit cadence your compliance officer can run without enterprise tooling
- The four-section examiner-grade evidence pack that closes most document requests in under an hour
- Where ABT clients save the most time before exams, and where they still spend it
Audit Readiness Is a Daily Discipline, Not a Quarterly Scramble
Industry research consistently shows mortgage compliance teams spending the equivalent of multiple weeks per regulatory examination on preparation alone, with substantial additional time responding to follow-up document requests. The lenders who consistently come in under those numbers run their loan origination systems with audit features turned on every day, not turned on the week before the exam date.
The shift from scramble to discipline starts with the LOS configuration. Both Encompass and Calyx Point ship with compliance features that, when enforced through workflow rules and user permissions, generate the exact records examiners ask for. The mistake most mortgage compliance teams make is paying for those features and never wiring them into daily operations. Loan officers skip required fields because the system lets them. Document uploads sit in personal drives instead of the LOS document repository. Workflow stage transitions happen by manual checkbox, leaving no audit trail of who approved what.
The fix is configuration plus enforcement. Configure the audit features so they are present in every loan file, then enforce them through user permissions and workflow rules so the system blocks progression when a compliance step is missed. Encompass enforces this through its built-in CFPB-aligned loan application interface controls. Calyx enforces it through document-stage gates and required-field validation in Point.
What Examiners Actually Mean by "Examiner-Grade Evidence"
Examiners do not ask for screenshots, narratives, or PDF reports. They ask for system-generated records with timestamps, user IDs, and immutable audit trails. An examiner-grade record shows what happened, who did it, when, and proves the record has not been altered since. Encompass audit trails, Calyx activity logs, and Microsoft Purview Audit search results all meet this bar. Manual spreadsheets, screenshots, and exported PDFs do not.
Encompass Audit Features That Examiners Actually Verify
Encompass from ICE Mortgage Technology is among the leading loan origination systems used by U.S. mortgage lenders. Its compliance and audit features run deep, but only the institutions that configure and enforce them get the audit benefit. The features below are the ones examiners ask about by name.
Built-In Compliance Testing Across TRID, HMDA, ATR/QM, and HOEPA
Encompass runs rule-based compliance tests against every loan file at configurable stage transitions. The system flags TRID timing violations, HMDA field gaps, ATR/QM documentation shortfalls, HOEPA high-cost loan thresholds, and KBYO knowledge-based-authentication failures in real time. The AllRegs integration keeps the rule definitions current as federal and state regulations change, so you are not auditing against last year's interpretation of Regulation Z.
The configuration step examiners verify: confirm the compliance test suite is running at three stage transitions at minimum. Application submission, underwriting approval, and final closing-disclosure issuance. If your Encompass admin disabled tests at any of those gates, the audit trail will show the gap and examiners will follow the thread.
Real-Time Audit Trails on Every Loan File
Encompass logs every read, write, and edit on every field in every loan file, with user ID, timestamp, IP address, and field-level before-and-after values. The Audit Trail tab inside any loan file produces this record on demand. Examiners use it to verify that disclosures were not edited after issuance, that fees were not modified post-lock, and that closing-disclosure changes followed the three-business-day rule.
Configuration gotcha: Encompass audit-trail retention is configurable. Verify your retention setting against the longest state requirement in your originating footprint plus any applicable SOX, GLBA, or state-specific record-retention requirements. The frameworks differ (SOX favors a seven-year horizon while Regulation Z generally calls for two to five years for most consumer-credit records), so the right setting is the longest applicable requirement across the products you originate, not a single default.
Workflow Automation That Enforces Stage Gates
Encompass workflow rules block loan-file progression when a compliance step is incomplete. Configure rules that require Loan Estimate generation before underwriting, identity verification before conditional approval, and Closing Disclosure issuance at least three business days before closing. When a loan officer or processor tries to skip a step, the system refuses and logs the attempt.
This is the single highest-leverage configuration most mortgage lenders skip. Workflow enforcement turns audit-trail logging from a passive record into an active compliance control. The audit trail then proves not just that the step happened, but that the system prevented every attempt to skip it.
Document Management With E-Signature Capture
Encompass Docs Solutions stores every document, every revision, and every signature event with the loan file. E-signature capture writes the signer identity, IP address, signing timestamp, and consent-to-electronic-records acknowledgment to the audit trail. ESIGN Act and UETA compliance requires exactly these records to be retrievable for the life of the loan plus statutory record-retention periods.
Granular User Permissions Tied to Compliance Roles
Encompass user roles let you grant or deny access at the field, document, workflow-stage, and report level. Map your roles to compliance roles: loan officers see fields they need, processors see what they need, underwriters see what they need, and compliance officers see everything. Examiners verify that segregation of duties is enforced in the system, not just documented in your policies. The Encompass Role Management report exports the full permission matrix for any examiner who asks.
Calyx Point and PointCentral Audit Features for Smaller Lenders
Calyx Point is the LOS choice for smaller mortgage lenders, brokers, and community-bank mortgage divisions that need solid compliance features without enterprise-tier configuration complexity. The 2024-2026 product roadmap added Calyx PointCentral (cloud-deployed Point), Calyx Zip (borrower portal), and broker-specific compliance templates. The audit features below are the ones our financial-institution clients use most heavily.
Standard and State-Specific Disclosure Templates
Calyx ships TRID-compliant Loan Estimate and Closing Disclosure templates that auto-populate from loan-file data and update as regulations change. State-specific templates handle the variations between, for example, Texas, New York, and California disclosure requirements. The Calyx forms library is one of the platform's strongest compliance assets, particularly for smaller lenders that lack a dedicated forms-management team.
Pipeline Tracking With Required-Field Validation
Point's pipeline view shows every loan file by stage with required-field validation at each transition. Files that are missing income documentation, credit pulls, or required disclosures cannot advance to underwriting until the gaps are closed. The pipeline log records every stage transition with user ID and timestamp, giving you the same kind of audit trail Encompass produces for stage gates.
Encrypted Audit Trails for RESPA and TRID Documentation
Calyx's audit-trail feature logs file edits, document additions, and disclosure issuances with encryption at rest. RESPA Section 8 compliance reviews and TRID timing reviews pull directly from these logs. The trails do not have the field-level granularity Encompass produces, but for most smaller-lender audit responses they meet the examiner-grade bar.
Electronic Signature Support
Calyx integrates with DocuSign, DocMagic, and several other e-signature providers to capture borrower signatures with the records ESIGN Act and UETA require. Signing events flow back to the loan file and write to the activity log. The audit-evidence chain matches what Encompass produces, just routed through the third-party signature platform instead of natively.
PointCentral Cloud Deployment on Azure
Calyx PointCentral runs on dedicated Azure subscriptions through ABT's Tier-1 Microsoft Cloud Solution Provider partnership. We host your PointCentral instance in an Azure tenancy you control, with Microsoft Defender for Cloud protecting the workload and Microsoft Sentinel monitoring authentication and admin activity. The architectural advantage for audit readiness: Microsoft's compliance attestations (SOC 2 Type II, FedRAMP Moderate, HIPAA, GLBA-aligned controls) become inheritable evidence for your PointCentral environment. Examiners who ask about your hosting infrastructure get a Microsoft Service Trust Portal report instead of a custom security questionnaire from a regional MSP.
Integrated Audit-Evidence Workflow Across Encompass, Calyx, and Microsoft 365
Examiners do not stop at the LOS. They follow the data into email, document storage, and collaboration tools. A loan file in Encompass or Calyx is only part of the audit picture. The email that approved a fee exception lives in Microsoft Outlook. The shared spreadsheet that tracks the underwriting decision lives in SharePoint or OneDrive. The Teams chat where the manager authorized a closing-date change lives in Microsoft Teams. All of those records become part of the loan file from an examiner's perspective.
The integrated workflow treats Encompass or Calyx as the primary system of record and Microsoft 365 as the secondary evidence layer. Both layers must produce examiner-grade records. The LOS handles loan-file evidence. Microsoft Purview Audit handles SaaS-collaboration evidence. Both write to immutable logs. Both are searchable in minutes. Both close document requests faster than manual evidence assembly. The hard part is keeping the two layers in sync so an examiner sees one unified record across the entire originating perimeter, not two disconnected systems that almost agree.
The matrix below maps the audit-evidence question, the LOS feature that answers it, and the Microsoft 365 control that provides the secondary evidence layer.
| Audit Evidence Question | Encompass Feature | Calyx Feature | Microsoft 365 Overlay |
|---|---|---|---|
| Was the Closing Disclosure issued at least three business days before closing? | Workflow rule + audit trail timestamp | Pipeline stage gate + activity log | Email transmission audit log via Purview Audit |
| Was the fee exception approved by an authorized manager? | Approval workflow with user-role enforcement | Manager-tier required-field validation | Approval email or Teams message via Purview Audit search |
| Did the loan file include required ATR/QM documentation? | Compliance test at underwriting stage | Required-document gate on stage transition | Document storage audit via SharePoint audit log |
| Were HMDA fields complete and accurate? | HMDA validation at submission | HMDA template required-field gate | Backup file storage audit via OneDrive audit log |
| Did the borrower receive the privacy notice required by GLBA? | Disclosure tracking with delivery confirmation | Disclosure issuance log | Email transmission confirmation via Defender for Office 365 |
| Was access to the loan file limited to authorized users? | Role-based permissions report | User-tier permission matrix | Conditional Access policy log + Sign-in activity via Microsoft Entra ID |
MortgageExchange: Routing LOS Audit Evidence Into the Microsoft 365 Timeline
The hardest part of running Encompass or Calyx alongside Microsoft 365 is not the configuration of either platform. It is the integration plumbing that keeps the two audit trails writing to the same examiner-grade timeline. ABT MortgageExchange is the integration layer purpose-built to do exactly that for the 750+ financial institutions ABT operates Microsoft 365 tenants for. Event by event and loan by loan, MortgageExchange routes audit evidence from Encompass and Calyx PointCentral into the Microsoft 365 SaaS evidence stream so examiners see one continuous record across the entire originating perimeter, not two parallel systems that almost agree. A Closing Disclosure issuance recorded in Encompass writes a paired event into the SharePoint loan-file audit log via Purview Audit. A fee exception approved in a Calyx Point workflow lands in the Microsoft Teams thread and the Outlook record the manager already used to authorize the exception, with the Purview Audit timestamp pinning the approval to the same minute as the LOS activity log. A borrower disclosure delivered through Calyx PointCentral on Azure writes its delivery confirmation into the Microsoft Defender for Office 365 transmission log. MortgageExchange is the connective tissue that turns two parallel audit trails into one examiner-grade timeline, and that consolidation is what lets your team close FFIEC document requests in hours instead of days. The lender keeps Encompass or Calyx as the primary system of record. ABT manages Microsoft 365 as the secondary evidence layer. MortgageExchange is the routing fabric in between.
Microsoft Purview + M365 Guardian: The Continuous Compliance Layer
Microsoft Purview supplies the compliance primitives inside Microsoft 365: Purview Audit (Standard captures 180 days; Premium extends to one year and up to ten with the long-term retention add-on), Purview Data Loss Prevention for borrower NPI and order-ticket data, Purview Compliance Manager mapping your tenant configuration to GLBA, FFIEC IT Examination Handbook, NIST CSF, and SOC 2 control families, retention policies that bind tamper-evident retention to mailboxes and SharePoint sites under SEA Rule 17a-4-style mortgage recordkeeping, and Communication Compliance for sampling and reviewing loan-officer correspondence against off-channel and fair-lending policy. Those primitives are necessary but they are not sufficient. The continuous compliance layer is the operating model that runs them every minute of every day across the entire 750+ financial-institution footprint ABT manages. That operating model is M365 Guardian. Guardian tunes Microsoft Sentinel analytic rules to the LOS-to-M365 data access paths so anomalous loan-file pulls actually fire and reach the security operations center. Guardian configures Microsoft Defender for Office 365 and Microsoft Defender for Endpoint with broker-dealer and mortgage-lender threat patterns rather than vendor SMB defaults. Guardian aligns Purview retention with the longest applicable state requirement across the products you originate. Guardian calibrates Communication Compliance review templates to actual FINRA and CFPB findings rather than generic templates. Guardian runs the 24/7 SOC that watches the Sentinel and Defender signals every minute and writes the response evidence back into the Microsoft 365 audit timeline. Lighthouse is the Microsoft control plane that ABT uses to apply, monitor, and document the Guardian deployment consistently across every tenant in your firm's footprint. The lender keeps Microsoft 365 licensing and retains tenant ownership. The Guardian continuous compliance layer is added through ABT's Tier-1 Direct-Bill Cloud Solution Provider partnership.
The Microsoft Purview Audit Overlay for SaaS Data
Microsoft 365 Purview Audit (Standard and Premium) captures user activity across Exchange Online, SharePoint Online, OneDrive for Business, Teams, and Microsoft 365 admin centers. The audit log retains data for 180 days in Purview Audit Standard and up to 10 years in Purview Audit Premium with a long-term retention add-on. For mortgage compliance, the 180-day retention is the practical baseline. Most exam document requests reference activity within the prior 90 days; longer retention is required for litigation holds and specific regulatory subpoenas.
Microsoft Purview Audit captures user and admin activity across the entire Microsoft 365 tenant, while Microsoft Purview Compliance Manager maps your tenant configuration to GLBA, FFIEC IT Examination Handbook, NIST Cybersecurity Framework, and SOC 2 control families. For mortgage lenders running Encompass or Calyx alongside Microsoft 365, the Compliance Manager dashboard becomes the second evidence layer over the LOS. Examiners asking about access controls, data handling, and audit log retention get a Microsoft-attested control score instead of a vendor questionnaire.
ABT delivers Microsoft 365 to mortgage lenders as MortgageWorkSpace, the secure desktop and email environment hardened for FI workflows with Purview Audit, DLP, and Communication Compliance pre-configured for examiner expectations. The Purview Audit overlay below assumes that hardened baseline; community-bank and credit-union compliance teams running a stock Microsoft 365 tenant should plan to invest more configuration time before the first quarterly self-audit.
The configuration steps that turn Purview Audit into examiner-grade evidence:
- Enable audit logging tenant-wide. The default state for tenants provisioned after 2019 is enabled, but verify in the Purview compliance portal. Older tenants and migrated tenants sometimes have audit logging disabled.
- Configure mailbox audit logging for every user. Mailbox audit logging captures email send, receive, delete, and forwarding-rule activity. Examiners ask about these specifically when investigating BEC and wire-fraud allegations.
- Set up audit log alerts for high-risk events. Mass file downloads from OneDrive, external sharing of SharePoint sites containing loan files, and inbox forwarding rules to external addresses are the three alert categories every mortgage lender should configure.
- Document the audit log search procedures. Your compliance officer needs a documented procedure that names which Purview Audit search queries answer which exam questions. ABT provides a starter procedure to financial-institution clients during the M365 onboarding.
- Train compliance staff on the Purview Compliance Manager dashboard. The dashboard shows current control scores against GLBA, FFIEC, and NIST CSF. Compliance staff need to read it monthly and respond to score drops the same week.
ABT manages the Microsoft 365 tenant for clients through our Tier-1 Cloud Solution Provider partnership. The Purview Audit and Compliance Manager configuration is part of the standard managed-services onboarding, which means the second evidence layer is in place before the next exam cycle.
Quarterly Self-Audit Cadence That Keeps You Examiner-Ready
A quarterly self-audit is the operational rhythm that makes the difference between scrambling for evidence and producing it on demand. Run the six checks below on the first business week of every quarter. The same checks work for Encompass shops, Calyx shops, and lenders running both platforms.
Pull files randomly across loan officers, product types, and underwriting decisions. Run the same compliance test suite the LOS runs at submission. Confirm zero findings or document and remediate every finding.
Verify role assignments match current job titles. Remove permissions for departed employees. Document any role changes since the prior quarter. Examiners check this every visit.
Search on the loan-officer mailbox group for external email forwarding rules, mass downloads from OneDrive containing loan-file data, and external sharing of SharePoint sites with loan-file content. Investigate every hit.
Compare the current GLBA, FFIEC, and NIST CSF scores against the prior quarter. Drops greater than three points get a remediation task assigned the same day.
Attempt to advance a test loan file past a required compliance step in both Encompass and Calyx. Confirm the system blocks the advancement and writes the attempt to the audit trail.
Update the template described in the next section with any new query patterns, new regulatory citations, or new audit-trail features added by Encompass, Calyx, or Microsoft since the prior quarter.
The quarterly cadence prevents two common audit-readiness failure modes. The first is configuration drift, where features that were enabled six months ago get disabled in a routine admin change and nobody notices until the exam. The second is documentation lag, where the procedures the LOS supposedly enforces no longer match the procedures the compliance team actually follows. Both fail the examiner-grade evidence test at the same point: the audit trail shows a different story than the written policy.
For broader institutional context on continuous audit readiness, see our FFIEC IT Examination Readiness guide, which covers the cross-platform self-audit cadence beyond the LOS. The M365 self-audit guide covers the Microsoft 365 layer in more depth.
Building the Examiner-Grade Evidence Pack
The examiner-grade evidence pack is a four-section document set your compliance officer maintains continuously and updates every quarter. When the exam document request arrives, your team pulls the relevant section, runs the queries inside Encompass, Calyx, or Purview Audit, and produces the evidence in hours instead of days. The structure below is the one ABT recommends to financial-institution clients.
Section 1. System Configuration Evidence
Encompass workflow rule export, Calyx pipeline stage configuration export, Microsoft 365 Purview audit-log retention setting screenshot from the Purview portal, Microsoft Entra ID Conditional Access policy export, and the most recent Purview Compliance Manager score report. These documents prove your systems are configured to enforce compliance, not just configured to allow it.
Section 2. User and Permission Evidence
Encompass Role Management report, Calyx user-permission matrix, Microsoft Entra ID privileged role assignments report, and the prior 90 days of access reviews from Microsoft Entra Access Reviews. These prove that user access matches policy and that access changes are reviewed on a documented cadence.
Section 3. Audit Trail Evidence
Encompass audit-trail exports for the loan files the examiner identifies, Calyx activity log exports for the same files, and Microsoft Purview Audit search results for the email, document, and Teams activity associated with the loan officers, processors, and underwriters who touched those files. The combined record produces the full timeline from application through closing.
Section 4. Compliance Test Evidence
Encompass compliance test results for the prior four quarters showing zero open findings or full remediation documentation, Calyx disclosure timing reports, and the quarterly self-audit findings from the cadence in the prior section. These prove that compliance testing is happening, not just documented as a policy.
Two operational notes about the evidence pack. First, store it in a SharePoint site with retention labels applied so the documents themselves are protected against accidental deletion and have their own audit trail. Second, name the access-control group on that SharePoint site narrowly. The compliance officer, the IT director, and the institution's primary external counsel are typical members. Loan officers and processors do not need access to the evidence pack itself.
For the broader picture on how mortgage-platform decisions affect compliance economics, see our loan platform pricing breakdown for financial institutions and the Calyx PointCentral hosting buyer guide.
Ready to make your Encompass or Calyx environment examiner-grade?
ABT manages the Microsoft 365 tenant, hosts Calyx PointCentral on Azure, and runs MortgageExchange as the integration spine for more than 750 financial institutions. We configure Purview Audit, Microsoft Entra ID Conditional Access, and Compliance Manager through the M365 Guardian operating model so your second evidence layer is in place before the next exam cycle.
Frequently Asked Questions
Encompass provides automated compliance testing across KBYO, ATR/QM, TILA, HOEPA, HMDA, and NMLS licensing, with AllRegs integration that keeps regulatory definitions current. The platform writes a real-time audit trail on every loan file, enforces workflow stage gates that block progression when a compliance step is incomplete, manages documents and e-signatures with full chain-of-custody records, and supports granular user permissions tied to compliance roles for examiner-verifiable segregation of duties.
Yes. Calyx Point delivers TRID and HMDA form automation, encrypted audit trails for RESPA documentation, customizable state-specific disclosure templates, pipeline tracking with required-field validation, and e-signature support through DocuSign and DocMagic integrations. Calyx PointCentral cloud deployment runs on Azure through ABT for institutions that need the audit-evidence benefits of Microsoft compliance attestations without enterprise-tier LOS configuration complexity.
Microsoft 365 Purview Audit captures user and admin activity across Exchange Online, SharePoint Online, OneDrive for Business, Teams, and Microsoft 365 admin centers. For mortgage lenders, it becomes the second evidence layer over Encompass or Calyx, capturing the email approvals, shared spreadsheets, and Teams conversations that surround every loan file. Microsoft Purview Compliance Manager then maps the tenant configuration to GLBA, FFIEC IT Examination Handbook, and NIST CSF control families so examiners can verify the control posture without a custom questionnaire.
MortgageExchange is ABT's integration layer that routes audit events from Encompass and Calyx PointCentral into the Microsoft 365 SaaS evidence stream so examiners see one continuous record across the entire originating perimeter. A Closing Disclosure issuance in Encompass writes a paired event into the SharePoint loan-file audit log via Purview Audit. A fee exception approved in a Calyx Point workflow lands in the Microsoft Teams thread and the Outlook record the manager already used to authorize the exception. Examiners get one examiner-grade timeline that spans the LOS and the M365 collaboration layer, which closes FFIEC document requests in hours instead of days.
Quarterly is the recommended baseline cadence. The six-task quarterly self-audit covers a 20-file random sample compliance test, a user-permission matrix review, a 30-day Microsoft Purview Audit search for high-risk activity, a Purview Compliance Manager control-score comparison, a workflow stage-gate enforcement test, and an evidence-pack template refresh. High-risk products and channels should add monthly monitoring on top of the quarterly cadence.
The most common mistake is paying for compliance features and leaving them configured but unenforced. Both Encompass and Calyx ship with workflow rules, audit-trail logging, and compliance testing that, when wired into daily operations through user permissions and stage gates, generate the exact records examiners ask for. The lenders who fail audit document requests are not the ones missing the features. They are the ones whose LOS allowed loan files to progress without the compliance step actually running.