Compliance Audit for FCA-Regulated Firms: Planning, Scope & Best Practice

Regulatory Counsel · 14 Feb 2025 · 14 min read

Key Takeaways

  • The FCA expects all regulated firms to maintain an effective compliance monitoring and audit programme as part of SYSC requirements.
  • A risk-based audit plan should prioritise high-impact areas such as financial crime, client money, Consumer Duty and conduct of business.
  • Audit findings must be documented with clear root cause analysis, risk ratings and remediation timelines.
  • Senior management must receive regular compliance audit reporting and demonstrate active engagement with findings.
  • Firms should use a three-lines-of-defence model to ensure audit independence and objectivity.

What Is a Compliance Audit?

A compliance audit is a systematic, independent review of a firm's adherence to regulatory requirements, internal policies and industry standards. For FCA-regulated firms, compliance audits are a core component of the systems and controls obligations set out in SYSC (Senior Management Arrangements, Systems and Controls) and are fundamental to demonstrating effective governance.

Unlike compliance monitoring — which involves ongoing, day-to-day oversight — a compliance audit is a periodic, in-depth assessment designed to test whether controls are operating effectively and whether the firm's regulatory framework remains fit for purpose.

Who Needs a Compliance Audit?

Every FCA-regulated firm is expected to maintain an appropriate compliance audit programme. This includes payment institutions authorised under the Payment Services Regulations 2017 (PSRs), electronic money institutions under the Electronic Money Regulations 2011 (EMRs), banks, building societies, investment firms, consumer credit firms and insurance intermediaries.

The scope and frequency of audits will depend on the firm's size, complexity, risk profile and the nature of its regulated activities. The FCA does not prescribe a one-size-fits-all approach, but it does expect firms to demonstrate a proportionate and risk-based audit framework.

Planning a Compliance Audit

Step 1: Risk Assessment. Begin with a comprehensive risk assessment of the firm's regulatory obligations and business activities. Identify high-risk areas by considering factors such as regulatory change, past compliance failures, customer complaint trends, volume and complexity of transactions, and the firm's exposure to financial crime risk.

Step 2: Scope Design. Based on the risk assessment, design an annual audit plan that covers all material regulatory obligations over a rolling cycle. High-risk areas should be audited annually; lower-risk areas may be reviewed on a two- or three-year cycle. Key areas to include are:

  • Anti-money laundering and counter-terrorist financing (AML/CTF) controls
  • Client money and safeguarding arrangements
  • Consumer Duty and treating customers fairly (TCF) outcomes
  • Conduct of business and financial promotions
  • Data protection and information security
  • Complaints handling and root cause analysis
  • Fitness and propriety of senior managers and certified persons
  • Outsourcing and third-party risk management
  • Regulatory reporting accuracy and timeliness

Step 3: Methodology. Define your testing methodology, including sample sizes, testing techniques (walkthrough tests, re-performance, data analytics) and the criteria for rating findings. Document the methodology so it can be reviewed and challenged.

Conducting the Audit

The audit itself should follow a structured process. Begin with a planning meeting to confirm scope, key contacts and document requests. Conduct fieldwork through a combination of document review, process walkthroughs, sample testing and interviews with relevant staff.

For each control tested, assess whether it is designed effectively (design effectiveness) and whether it is operating as intended (operating effectiveness). A control may be well designed on paper but poorly implemented in practice — the audit must test both dimensions.

Common testing techniques include:

  • Walkthrough testing: Trace a transaction or process from end to end to verify each control point operates correctly.
  • Sample testing: Select a statistically meaningful sample of transactions, files or records and test them against defined criteria.
  • Re-performance: Independently re-perform a control (e.g., re-run a sanctions screening check) to verify the output.
  • Data analytics: Use data analysis to identify anomalies, patterns or outliers that may indicate control weaknesses.

Documenting Findings

Each finding should be documented with a clear description of the issue, the specific regulatory requirement or internal policy it relates to, the root cause of the failure, the risk rating (critical, high, medium, low) and a recommended remediation action with a realistic timeline.

Root cause analysis is essential. A finding that identifies a symptom without understanding why it occurred will lead to superficial fixes that do not address the underlying problem. Common root causes include inadequate training, unclear policies, poor oversight, system limitations and resource constraints.

Reporting to Senior Management

Compliance audit reports should be presented to the board or a relevant committee (such as a risk or audit committee) on a regular basis — typically quarterly or after each significant audit engagement. Reports should include an executive summary, a summary of findings by risk rating, trend analysis comparing current findings with previous audits, the status of open remediation actions and an overall assessment of the firm's compliance posture.

The FCA expects senior management to actively engage with audit findings. This means not simply noting the report but challenging the findings, questioning root causes, ensuring remediation is adequately resourced and holding individuals accountable for completing actions within agreed timelines.

The Three Lines of Defence

The FCA's expectations around compliance audit are closely linked to the three-lines-of-defence model:

  • First line: Business units and operational management are responsible for day-to-day compliance and implementing controls.
  • Second line: The compliance function provides oversight, monitoring and advisory support.
  • Third line: Internal audit (or an independent compliance audit function) provides independent assurance that the first and second lines are operating effectively.

For smaller firms that do not have a dedicated internal audit function, the compliance audit role may be performed by the compliance officer or outsourced to an external provider. However, the FCA expects that whoever performs the audit has sufficient independence, competence and authority to provide objective assurance.

Common Audit Failures

The FCA has identified several recurring weaknesses in firms' compliance audit arrangements:

  • Audit plans that are not risk-based and simply repeat the same scope each year
  • Insufficient sample sizes that do not provide meaningful assurance
  • Findings that lack root cause analysis or clear remediation actions
  • Remediation actions that are repeatedly deferred without adequate justification
  • Senior management that does not actively engage with audit findings
  • Lack of independence where the auditor also owns the controls being tested

Practical Actions for Firms

  • Conduct a formal risk assessment at least annually to inform the audit plan
  • Ensure the audit plan covers all material regulatory obligations over a rolling cycle
  • Use a consistent methodology with defined sample sizes and testing techniques
  • Document all findings with root cause analysis, risk ratings and remediation timelines
  • Report to the board or a relevant committee at least quarterly
  • Track remediation actions to completion and escalate overdue items
  • Ensure the audit function has appropriate independence and authority
  • Consider using external specialists for complex or high-risk audit areas

Regulatory Outlook

The FCA's increasing focus on outcomes-based regulation — particularly through the Consumer Duty — means that compliance audits must go beyond checking boxes. Auditors need to assess whether the firm's controls are actually delivering good outcomes for customers, not just whether procedures exist on paper. Firms that invest in robust, risk-based audit programmes will be better placed to manage regulatory risk and respond to FCA supervisory engagement.

Frequently Asked Questions

How often should a compliance audit be carried out?

The FCA does not prescribe a fixed frequency. However, it expects firms to maintain a risk-based audit plan. High-risk areas such as AML, client money safeguarding and Consumer Duty should typically be audited annually, while lower-risk areas may be reviewed on a two- or three-year cycle.

Can the compliance officer carry out the compliance audit?

Ideally, no. The FCA expects the audit function to have sufficient independence from the controls being tested. If the compliance officer also owns the controls, they should consider outsourcing the audit to an external provider or arranging a peer review by another qualified individual within the firm.

What happens if audit findings are not remediated?

Unremediated audit findings represent ongoing regulatory risk. The FCA may view repeated failures to remediate as evidence of inadequate systems and controls, potentially leading to supervisory action. Firms should track all actions, escalate overdue items to senior management and provide clear justification for any deferrals.

Do smaller firms need a compliance audit?

Yes, proportionately. All FCA-regulated firms must maintain effective compliance arrangements, which include periodic independent review. Smaller firms may use a lighter-touch approach or outsource the audit function, but they must still demonstrate that their controls are subject to regular, independent assessment.
