Internal Audit – Your Third Line of Defence Against Regulatory Penalties

As regulations grow more complex, financial services firms face increasing scrutiny of their governance and controls. Robust internal audits are essential to test and evidence compliance across areas like conduct, governance and AML/CFT. This Q&A examines the role of independent internal audit and how specialist firm Complyport can help regulated businesses meet their audit obligations.

Q: What is an internal audit?

A: The FCA Handbook states that the purpose of an internal audit function is to provide independent assurance that a firm’s governance, risk management, and internal controls are operating effectively. The FCA expects internal audits to adopt a risk-based approach, prioritising risks that the firm deems crucial, whilst still ensuring that the full GRC/AML/CTF framework gets tested at appropriate intervals.

We have seen the FCA and firms take comfort from the appointment of an internal audit review to demonstrate that the firm is prepared to assess itself and look to improve standards. In particular, senior managers have used the independent internal audit to be assured that an area or areas for which they are responsible are acting in the way in which the FCA would expect.
– Simon Chapman, Complyport Director

Beyond financial compliance, internal audits should also assess the firm’s culture, policies, and processes to provide assurance that conduct risks are being effectively identified and mitigated. A critical role of internal audit is making recommendations to address any control deficiencies identified through testing, verifying these are implemented, and reporting key themes to senior management and the board. Robust internal audits require appropriate resourcing and support from management so assurance activities are not constrained. By providing transparency into a firm’s defences, independent internal audit helps demonstrate to the regulator that risks are being appropriately managed and regulatory requirements are being met.

Q: What is the difference between an internal audit and an external audit?

A: External audits verify financial accounts and assess records, while internal audits evaluate and improve a firm’s FCA compliance and controls. The two functions have different but complementary scopes and regulatory accountability.

Q: What are the FCA’s requirements for internal audit?

A: Once it is established that a firm is required to undergo an independent internal audit, the FCA expects the independent internal audit function to assume the following responsibilities:

  • Developing risk-based audit plans
  • Testing internal controls
  • Issuing recommendations
  • Verifying compliance
  • Reporting to senior management

Q: Why is independent internal audit important?

A: An independent internal audit provides assurance that systems and controls are effective. As a third line of defence, it plays a vital role in assessing and improving compliance frameworks.

Key benefits include evaluating risk assessments, testing due diligence, reviewing monitoring, checking data quality, and assessing training and compliance culture. By identifying weaknesses, internal audit helps firms enhance defences and avoid regulatory penalties.

Q: What does a robust program include?

A: A robust program would:

  • Cover key risk areas with detailed audit plans
  • Rigorously test controls and transactions
  • Review policies, procedures, data, staff competence
  • Verify risk assessments match exposures
  • Check due diligence, monitoring, reporting effectiveness
  • Assess training, resourcing, compliance culture
  • Provide transparent findings
  • Make recommendations to enhance defences
  • Conduct rapid reviews of issues

Q: How can Complyport help with internal audits?

A: Conducting robust internal audits requires a deep knowledge of the regulatory expectations as set out by the FCA. Leverage Complyport’s extensive experience through the Section 166 work we have undertaken as part of our appointment on FCA’s Skilled Persons Panel, as well as the 600+ internal audit assignments and engagements we have successfully delivered within our Group. This places Complyport as a provider your firm can trust when it comes to the provision of Internal Audit services to FCA-regulated firms.

Complyport helps firms meet internal audit requirements through:

  • Risk-based Audit Planning: We analyse your operations, controls, and risk profile to develop customised annual audit plans focusing on key risk areas.
  • Compliance Control Testing: We thoroughly evaluate your AML/CFT compliance program, including due diligence, transaction monitoring, record keeping, staff training, and overall governance.
  • Detailed Reporting: Audit reports provide comprehensive reviews, testing results, control ratings, risk assessments, and practical recommendations to enhance compliance.
  • Ad-hoc Engagements: We conduct rapid response reviews to address emergent issues and regulatory requests. Our experience includes investigative audits.
  • Compliance Training: We provide tailored training to boards, management, and staff on regulations, risks, audit techniques, and industry best practices.

With over 22 years of regulatory excellence and a deep understanding of the financial services industry, Complyport is well-positioned to deliver high-quality internal audits that provide assurance to firms, regulators and stakeholders. A proactive internal audit program can help firms continue to build trust and maturity in a rapidly evolving market.

Q: How can your firm take action?

A: As regulations evolve, you will want to check that your internal audit program is up to date and in accordance with the FCA’s expectations. With over 22 years of experience and FCA/PRA Skilled Person Panel status, Complyport provides focused support.

Don’t navigate the regulatory maze alone. Email Thomas Salmon at to book a consultation on how we can provide you with a robust and effective internal audit.

About Complyport

Complyport is a market-leading consulting firm supporting the UK financial services industry for over 22 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.

Complyport can assist with the preparation of a gap analysis and impact assessment of an investment firm’s capital adequacy and risk management framework under the regulatory framework.

We specialise in supporting the UK financial services industry with compliance guidance, advice and best practice.

  • Financial Crime support and Forensics
  • Compliance managed services and resourcing compliance personnel
  • Skilled Person Reviews and Regulatory Investigation
  • Prudential support, IFPR, ICARA and financial resilience advice
  • Consumer Duty implementation advice
  • Operational resilience & Cybersecurity advice
  • Financial Promotions guidance, support, and management software solutions
  • CASS advice and protection of client assets
  • Comprehensive compliance work-flow management software

Contact Thomas Salmon in our Regulatory Solutions team via email at: to book a free consultation.