Outsourced Compliance Audit: When and How to Use External Providers

Regulatory Counsel · 6 Feb 2025 · 13 min read

Key Takeaways

  • The FCA permits outsourcing of compliance audit functions but the firm retains full regulatory responsibility.
  • Outsourcing is particularly valuable for smaller firms without dedicated internal audit resources, or for specialist audit areas.
  • Provider selection should assess regulatory expertise, sector experience, independence and methodology.
  • Outsourcing arrangements must be supported by documented agreements, defined scope and clear reporting lines.
  • SYSC 8 outsourcing requirements apply, including risk assessment, due diligence and ongoing oversight.

When Should Firms Outsource Compliance Audits?

Not every FCA-regulated firm has the resources or expertise to maintain a fully independent internal compliance audit function. The FCA recognises this and permits firms to outsource audit activities — provided the firm retains ultimate responsibility for regulatory compliance and maintains adequate oversight of the outsourced function.

Outsourcing is particularly appropriate in the following circumstances:

  • Small and mid-sized firms that do not have a dedicated internal audit team and where the compliance officer also owns the controls being reviewed, creating an independence conflict.
  • Specialist audit areas where the firm lacks in-house expertise — for example, IT security audits, financial crime framework reviews or safeguarding assessments.
  • New authorisation or significant business change where an independent external review can provide assurance to the board and demonstrate credibility to the FCA.
  • Post-enforcement or post-incident reviews where an independent assessment is needed to rebuild regulatory confidence.

FCA Expectations for Outsourced Audit

The FCA's expectations for outsourced compliance audit are set out primarily in SYSC 8 (Outsourcing) and the broader systems and controls requirements in SYSC 6 (Compliance, internal audit and financial crime). Key principles include:

Retained responsibility. Outsourcing the audit function does not transfer regulatory responsibility. The firm's board and senior management remain accountable for the adequacy of the firm's compliance arrangements, including the quality and independence of the audit function.

Due diligence on the provider. Before appointing an external audit provider, the firm must conduct adequate due diligence. This includes assessing the provider's regulatory knowledge, sector expertise, methodology, independence, professional qualifications and track record. The firm should also verify that the provider has appropriate professional indemnity insurance.

Written agreement. The outsourcing arrangement must be documented in a written agreement that covers the scope of work, reporting obligations, data security and confidentiality, access to records, escalation procedures, termination provisions and fees.

Ongoing oversight. The firm must actively manage the outsourcing relationship, not simply hand over the function and forget about it. This includes reviewing the quality of audit reports, challenging findings and recommendations, monitoring remediation progress and periodically reassessing the provider's suitability.

Selecting an External Compliance Audit Provider

When selecting a provider, firms should evaluate the following criteria:

  • Regulatory expertise: Does the provider have demonstrable expertise in the firm's specific regulatory framework? A provider experienced in banking regulation may not be suitable for auditing a payment institution's safeguarding arrangements.
  • Sector experience: Does the provider understand the firm's business model, products and customer base? Sector-specific knowledge enables more targeted and relevant audit testing.
  • Independence: Is the provider genuinely independent? Firms should be cautious about using the same provider for both compliance advisory and audit services, as this can compromise objectivity.
  • Methodology: Does the provider use a structured, risk-based audit methodology? Ask for examples of their approach to scoping, testing and reporting.
  • Team composition: Who will actually perform the audit work? Ensure the team includes individuals with appropriate regulatory qualifications and experience, not just junior staff supervised remotely.
  • Reporting quality: Review sample audit reports to assess the quality of findings, root cause analysis and recommendations. Reports should be clear, actionable and calibrated to the firm's risk profile.

Structuring the Engagement

A well-structured outsourced audit engagement typically follows this process:

Step 1: Scoping and planning. The provider conducts an initial risk assessment and agrees the audit scope with the firm. This should include the regulatory areas to be covered, the testing methodology, sample sizes, key contacts, document requirements and the reporting timeline.

Step 2: Fieldwork. The provider conducts the audit through document review, process walkthroughs, sample testing and staff interviews. The firm should facilitate access to all necessary records, systems and personnel.

Step 3: Draft reporting. The provider issues a draft report with findings, root cause analysis, risk ratings and recommendations. The firm has the opportunity to review findings for factual accuracy and provide management responses.

Step 4: Final report and presentation. The provider issues a final report and presents findings to the board or relevant committee. The presentation should include an executive summary, key themes, high-risk findings and recommended next steps.

Step 5: Remediation support. Depending on the engagement scope, the provider may also support the firm in developing remediation action plans, providing templates, guidance or follow-up testing to verify that actions have been implemented effectively.

Managing the Ongoing Relationship

Outsourced compliance audit should not be a one-off engagement. Firms benefit from establishing an ongoing relationship with their audit provider to ensure continuity, build institutional knowledge and enable trend analysis across audit cycles. Key relationship management practices include:

  • Annual planning meetings to agree the audit plan for the coming year based on an updated risk assessment.
  • Regular progress updates during fieldwork to identify emerging issues early.
  • Quality assurance reviews of completed audit reports to provide feedback and ensure standards are maintained.
  • Periodic re-tendering to ensure the firm continues to receive value and that the provider remains the best fit. The FCA does not prescribe a rotation period, but good practice suggests re-tendering every three to five years.

Common Pitfalls

Firms should avoid the following common mistakes when outsourcing compliance audit:

  • Treating the audit as a tick-box exercise. If the firm appoints a provider but does not engage with findings or invest in remediation, the audit adds little value and does not satisfy the FCA's expectations.
  • Selecting on price alone. The cheapest provider is rarely the best. Audit quality, regulatory expertise and sector knowledge are more important than cost.
  • Failing to define scope clearly. Vague scope definitions lead to audits that are either too superficial or too broad. The scope should be risk-based and clearly documented.
  • Not challenging findings. The firm should critically review all findings, not simply accept them. This includes questioning risk ratings, challenging root cause analysis and ensuring recommendations are proportionate and practical.
  • Ignoring conflicts of interest. Using the same firm for compliance advice and compliance audit creates an inherent conflict. The FCA expects audit independence to be maintained.

Cost Considerations

The cost of outsourced compliance audit varies depending on the firm's size, complexity, the scope of the engagement and the provider's fee structure. As a general guide, a focused compliance audit of a single regulatory area (e.g., AML framework review) typically costs between £5,000 and £15,000 for a small to mid-sized firm. A comprehensive annual compliance audit programme covering all material regulatory obligations may cost between £15,000 and £50,000 or more for larger or more complex firms.

Firms should view compliance audit as an investment in risk management rather than a cost. The potential cost of regulatory enforcement — including fines, restrictions, reputational damage and remediation programmes imposed by the FCA — significantly outweighs the cost of proactive, high-quality audit arrangements.

Regulatory Outlook

The FCA's supervisory approach increasingly emphasises the quality of firms' second- and third-line assurance functions. Firms that can demonstrate a robust, independent compliance audit programme — whether in-house or outsourced — will be better positioned to manage regulatory expectations and respond to supervisory engagement. The trend towards outcomes-based regulation under the Consumer Duty further reinforces the need for audits that test actual customer outcomes, not just procedural compliance.

Frequently Asked Questions

Yes. The FCA permits outsourcing of compliance audit provided the firm retains regulatory responsibility, conducts due diligence on the provider, maintains a written outsourcing agreement and exercises ongoing oversight of the arrangement in accordance with SYSC 8.

Costs vary depending on scope and complexity. A focused audit of a single area (e.g., AML) typically costs £5,000–£15,000 for small to mid-sized firms. A comprehensive annual programme may cost £15,000–£50,000 or more for larger firms.

Ideally, yes. The FCA expects audit independence. Using the same provider for both compliance advice and audit creates a conflict of interest, as the auditor would effectively be reviewing their own advice. If the same provider is used, robust conflict management arrangements must be in place.

The FCA does not prescribe a rotation period. Good practice suggests re-tendering every three to five years to ensure the firm continues to receive value and that the provider remains the best fit. Some firms rotate providers more frequently for high-risk areas.