Internal audit is the third line of defence in the three-lines-of-defence governance model — the independent assurance function that reviews whether controls across the first and second lines are working as designed. For FCA-authorised payment firms, internal audit is not merely good practice; it is an expectation embedded in SYSC 6.2, which requires firms that are significant (or that choose to implement a robust compliance function) to have an internal audit function. The FCA's assessment of governance quality frequently begins with the quality of internal audit — its scope, independence, and the board's response to findings.
The Three Lines of Defence
Before examining internal audit specifically, it helps to set out the three-lines model, which provides necessary context. The first line is operational management — the business functions that own and manage risk day-to-day, including the controls they implement. The second line is oversight functions — compliance, risk management, and financial crime. These functions set standards, monitor adherence, and advise the first line. The third line — internal audit — independently assesses whether the first and second lines are functioning effectively.
A common error at smaller payment firms is to conflate the second and third lines. The MLRO or compliance officer cannot audit their own function — this creates the appearance of independence without its substance. Where the same individual who designs the AML framework is also reviewing whether it is working, there is no independent assurance. The FCA's SYSC requirements and the Institute of Internal Auditors (IIA) standards both require genuine independence of the audit function from the activities being audited.
FCA Requirements for Internal Audit
SYSC 6.2.1R requires firms (subject to proportionality) to establish and maintain an internal audit function that: develops and implements an audit plan, the scope of which is approved by the board; independently reviews the adequacy and effectiveness of the firm's systems and controls; provides an opinion on the adequacy of those systems to the board; and is staffed by persons with appropriate skills and experience. For smaller payment firms, the FCA accepts that internal audit may be carried out by an appropriately independent co-sourced or outsourced provider — a specialist compliance consultancy conducting periodic reviews — rather than a dedicated in-house team.
Audit Scope and Universe
The audit universe defines the full population of auditable areas at the firm. For a payment firm, this typically includes: AML/CTF controls (transaction monitoring, KYC/EDD, SAR process); sanctions and PEP screening; safeguarding compliance; regulatory capital and liquidity management; IT security and data protection; operational risk (system resilience, business continuity); conduct and consumer protection obligations; and third-party management. The annual audit plan selects from this universe based on risk priority — higher-risk areas receive more frequent, more intensive coverage.
Risk-based planning requires the internal audit function to maintain a current assessment of risk across the audit universe. This assessment should draw on the firm's own risk register, regulatory developments (new supervisory priorities, thematic reviews, enforcement actions in the sector), and any findings from prior audits. Areas with unresolved findings from previous reviews should automatically receive priority follow-up coverage.
Independence and Objectivity
Internal audit's value depends entirely on its independence. For an in-house function, independence means organisational positioning — the Head of Internal Audit should report to the board (or its audit committee) and not to the Chief Executive or MLRO. For outsourced or co-sourced arrangements, independence means the external auditor has no conflicting relationship with the firm (they should not also be advising on the design of the controls they are auditing).
Independence also requires that audit findings be reported without prior filtering by management. The audit report should go directly to the board, with management given the opportunity to respond to findings but not to edit them. The FCA examines whether audit reports contain genuine, unvarnished assessments of control weaknesses — bland reports that consistently give positive opinions are a signal that audit independence may be compromised.
Reporting to the Board
Internal audit reports should provide a clear opinion on the adequacy of controls in the area reviewed, with specific findings rated by severity (critical, high, medium, low), a management response to each finding, and agreed remediation timelines. The board should review audit reports at the relevant board or audit committee meeting, approve the remediation plan, and hold management accountable for on-time delivery. High or critical findings that remain unresolved beyond their agreed timelines should be escalated automatically — this creates the compliance culture the FCA expects to see.
Frequency and Quality
The FCA expects audit coverage of the highest-risk areas at least annually, with lower-risk areas on a two-to-three-year cycle. For a payment firm serving high-risk sectors, AML controls, sanctions screening, and safeguarding should be audited annually as a minimum. The quality of audit work — the depth of testing, the evidence base for findings, and the expertise of auditors — is more important than volume. A single well-executed audit of transaction monitoring is more valuable than three superficial reviews that identify no findings in an area with known control weaknesses.