An FCA supervisory review puts pressure on every function in a firm. For internal audit, the pressure takes a specific form: the regulator wants to see what internal audit has found, and management wants internal audit to demonstrate that the firm is in good shape. Those two things are not always compatible.
The independence problem
Internal audit's value to the FCA is precisely its independence from management. When a supervisory review begins, examiners will typically ask to see internal audit reports, follow-up actions, and the audit committee's response to findings. They are looking for evidence that internal audit is genuinely independent, that it identifies real issues, reports them clearly, and follows through on management's remediation commitments.
The problem arises when management begins to treat internal audit as part of the firm's response to the regulator. Requests come in: can internal audit confirm that a particular remediation has been completed; can the audit team attend a meeting with the FCA to explain the firm's assurance framework; can the chief audit executive (CAE) provide a letter confirming that the firm's controls in a particular area are adequate. Each of these requests, taken individually, may seem reasonable. Taken together, they position internal audit as an advocate for the firm rather than an independent assessor of it.
What the FCA actually expects from internal audit
The FCA's expectations of internal audit in a supervisory context are set out in various places (the Responsibilities of Providers and Distributors for the Fair Treatment of Customers, the Senior Managers and Certification Regime, and the FCA's own internal audit guidance), but they are consistent. The FCA expects internal audit to operate in accordance with the IIA's standards, to have genuine independence from the business lines it audits, and to report to an audit committee that takes its findings seriously.
What the FCA does not expect is for internal audit to provide a clean bill of health on demand. If internal audit has found significant issues in recent audits, the FCA will want to understand what those issues were and what management has done about them. An internal audit function that appears to have found nothing significant in the relevant period will attract more scrutiny, not less.
Practical boundaries to maintain
The following positions are worth establishing clearly at the start of a supervisory review, ideally with the audit committee's explicit support:
Internal audit reports speak for themselves. If the FCA wants to see internal audit findings, the appropriate response is to provide the reports. Internal audit does not need to interpret or contextualise those reports on management's behalf. The reports should be written clearly enough to speak for themselves.
Issue validation is not sign-off. If management asks internal audit to validate that a remediation has been completed, the scope of that validation should be defined precisely. Internal audit can confirm that specified actions have been taken; it cannot confirm that the underlying risk has been eliminated, or that the firm's overall position is satisfactory. These are different things and the distinction matters.
The CAE attends supervisory meetings as an observer, not a sponsor. If the CAE is invited to a meeting with the FCA, their role is to explain the audit function's approach and findings, not to endorse management's account of the firm's compliance position. This distinction should be understood by everyone in the room before the meeting begins.
When management pushes back
The most common form of pushback is the suggestion that internal audit is not being a team player. This is worth addressing directly. Internal audit's independence is not an obstacle to the firm's regulatory relationship; it is one of the firm's most valuable assets in that relationship. A regulator that trusts internal audit's findings is a regulator that can have confidence in the information it receives from the firm. Undermining that trust to smooth a particular interaction is a short-term trade with long-term costs.
If the pressure to compromise independence is coming from senior management and the audit committee is not providing adequate support, the CAE should escalate, if necessary, to the non-executive directors directly. This is not a comfortable conversation, but it is the right one.
After the review
Once the supervisory review is complete, it is worth taking stock of how the audit function navigated it. Were there moments where independence was compromised? Were there requests that should have been declined? A short debrief, documented for the audit committee, is useful both as a record and as a reference point for the next review. The FCA's supervisory cycle means that most firms will go through this process again, and being prepared makes it more manageable.