How to Hire a Head of Internal Audit: A Complete Guide for UK Companies

How to Hire a Head of Internal Audit: A Complete Guide for UK Companies

The Head of Internal Audit is the senior leader of the firm’s third line of defence — the independent assurance function that examines whether the firm’s risk management, controls and governance are operating as intended, and reports its findings to the audit committee and board. The role exists most prominently in larger established UK businesses, listed companies, FCA-regulated firms (where the function is anchored in SMF5), and increasingly in PE-backed mid-market firms where investor governance expectations have driven internal audit capability into the management team. The Head of Internal Audit’s effectiveness depends substantially on independence — both structural (the reporting line and audit committee relationship) and personal (the willingness to deliver uncomfortable findings credibly). The appointment is consequential because the function’s effectiveness shapes the board’s ability to discharge its risk oversight responsibilities and the firm’s exposure to control and governance failures.

This guide is written for chairs, audit committee chairs and CEOs working through Head of Internal Audit succession at UK firms. It covers the corporate (non-regulated) appointment primarily — what the role covers, the qualifications dimension, the audit committee chair relationship, the candidate pool and the search process. For Head of Internal Audit appointments in FCA-regulated firms holding SMF5, see our SMF5 Head of Internal Audit hiring guide for the regulated firm context. For our recruitment service see Head of Internal Audit recruitment.

Internal audit and the three lines of defence

Internal audit is the third line of defence in the UK risk management framework that has become standard across most sizeable businesses. The first line is the business itself — the operating teams making commercial and operational decisions, with primary accountability for managing the risks those decisions create. The second line is the independent risk and compliance functions — providing oversight, challenge and framework support to the first line without being part of operational activity. The third line is internal audit — providing independent assurance to the audit committee and board on whether the first and second lines are operating as intended.

The Head of Internal Audit leads the third line. The independence dimension matters substantively. Strong Heads of Internal Audit deliver uncomfortable findings credibly to senior management and the audit committee chair; weaker holders soften findings to maintain working relationships, with predictable consequences when material issues come to light later through other channels.

When does a firm need a Head of Internal Audit?

Five triggers typically signal the move from outsourced or co-sourced internal audit (typically provided by Big Four or specialist firms) to a dedicated in-house Head of Internal Audit warranted.

Listed company status. The UK Corporate Governance Code Provision 26 sets out audit committee responsibilities including monitoring the effectiveness of internal audit, with most listed companies operating in-house internal audit functions led by a Head of Internal Audit reporting to the audit committee chair.

FCA regulation and SMF5. Where the firm is FCA-regulated and an SMF5 holder is required, a dedicated Head of Internal Audit at executive or director level is the standard appointment. See our SMF5 hiring guide for the regulated firm specifics.

Scale and complexity. Multi-jurisdiction operations, complex business models, large operational footprints, material third-party arrangements. At this scale the audit committee typically needs in-house leadership able to scope, plan and deliver the audit programme that gives the committee the assurance it needs.

Recent audit findings or control failures. Firms that have experienced material control failures, regulatory enforcement, accounting restatements or significant audit findings often need to demonstrate strengthened internal audit capability to boards, auditors, regulators and (for listed companies) shareholders.

Investor or capital structure expectations. PE investment, IPO preparation, debt facility expansion. Investors and lenders increasingly expect to see in-house internal audit capability in the management team for sizeable businesses.

What a Head of Internal Audit actually does

The substantive work splits into four areas.

The internal audit plan. Setting and maintaining the audit programme — what gets audited, when, with what resources, and how findings are reported. The plan is typically risk-based, covering operational, financial, regulatory and increasingly cyber and ESG risk areas. The audit committee chair approves the plan and reviews progress against it.

Audit delivery. Running individual audits — scoping, fieldwork, reporting, follow-up on remediation. Strong Heads of Internal Audit run audit work that is substantively useful to senior management and the audit committee; weaker holders deliver audit reports that are technically correct but commercially marginal.

Audit committee partnership. The Head of Internal Audit’s most important working relationship is with the audit committee chair. The relationship covers the audit plan, individual audit findings, the firm’s risk and control environment, and the committee’s overall assurance needs. Strong Heads of Internal Audit are partners to the audit committee chair while preserving their independence; weaker holders either get too close to executive management or operate at too great a distance from the committee.

Stakeholder management. Working relationships with the CFO, CEO, CRO (where one exists), external auditors, and (in regulated firms) the regulator. The Head of Internal Audit needs to maintain effective working relationships across these stakeholders while preserving the independence the role requires.

Qualifications and credentials

The qualifications dimension distinguishes internal audit searches from many other senior management searches. Strong Heads of Internal Audit typically hold one or more recognised professional qualifications, and the audit committee’s view on which qualifications matter shapes the candidate pool materially.

ICAEW (Institute of Chartered Accountants in England and Wales) — ACA qualification is common, particularly for Heads of Internal Audit who came through the Big Four audit route. The ICAEW route is the strongest credential for financial-controls-focused internal audit functions.

ACCA (Association of Chartered Certified Accountants) — ACCA qualification is common, particularly for Heads of Internal Audit from broader finance backgrounds.

CIA (Certified Internal Auditor) — globally recognised internal audit qualification awarded by the IIA. CIA qualification is the strongest pure-internal-audit credential.

CMIIA (Chartered Member of the IIA) — UK Chartered Internal Auditor status. The Chartered Institute of Internal Auditors is the UK professional body for internal audit, and CMIIA is the strongest UK-specific internal audit credential.

Many strong candidates hold combinations — typically ACA plus CIA, or ACCA plus CMIIA. The audit committee chair’s view on which qualifications matter most should be confirmed at the start of the search.

The candidate pool

The UK Head of Internal Audit candidate pool is reasonable in size. Five pools recur.

Sitting Heads of Internal Audit at peer firms. The most common pool — candidates currently in equivalent roles at firms of similar size, sector and complexity.

Senior internal auditors stepping up. The natural step-up pool — typically a Senior Audit Manager or Internal Audit Director at a substantially bigger firm who is ready for the leadership seat at a smaller firm.

Big Four and consulting firm transitions. Senior managers and directors from Big Four internal audit and risk advisory practices transitioning into in-house Head of Internal Audit roles. The pool is substantial in the UK and brings broad sector exposure.

Sector specialists. Where the firm operates in a sector with specific audit dynamics — financial services, healthcare, energy, regulated industries — sector-specialist candidates bring distinctive credentials.

Cross-discipline candidates. Senior risk leaders, financial controllers and senior CFOs broadening into internal audit leadership. These candidates bring substantive control and governance depth, with the question being whether they have the audit-specific methodology depth the role still requires.

The search process and timeline

A well-run Head of Internal Audit search has six phases. Total timeline runs to twelve to eighteen weeks for non-regulated appointments. For FCA-regulated firms requiring SMF5 approval, add four to twelve weeks for the FCA Form A approval window.

The phase structure mirrors other senior searches with internal-audit-specific considerations. The brief phase requires substantive audit committee chair engagement. The market mapping covers the senior in-house internal audit community plus the Big Four and consulting senior pool. The assessment combines audit methodology evaluation (typically through case-style discussion of recent audit work) with the independence dimension and the audit committee partnership capability.

Compensation

UK Head of Internal Audit compensation has the four standard components — base salary, annual bonus, long-term incentives, benefits — with two specific compensation considerations for the role.

Performance metrics need to fit a third-line role. Bonuses cannot be linked to commercial outcomes — the role is structurally independent of operating performance. Strong structures use audit programme delivery, audit committee feedback, and stakeholder feedback as performance metrics.

Compensation levels. SME and mid-market Heads of Internal Audit (where they exist) typically £100,000-180,000 base, 15-30% bonus. Larger private and PE-backed Heads of Internal Audit £150,000-280,000 base, 20-35% bonus. Listed company and FTSE 250 Heads of Internal Audit see substantially higher compensation, with FCA-regulated SMF5 appointments commanding sector premiums.

Common search pitfalls

Five patterns recur. Audit committee chair under-engagement — searches where the audit committee chair is informed rather than involved produce shortlists that miss the committee’s needs. Qualifications confusion — specifications that don’t clarify which credentials matter most attract a confused candidate pool. Briefing an Internal Audit Manager rather than a Head of Internal Audit — operational rather than strategic positioning. Bonus structures that compromise independence. Underestimating the FCA approval timeline for SMF5 appointments.

How Exec Capital approaches Head of Internal Audit mandates

Exec Capital runs Head of Internal Audit searches as integrated audit-and-governance work. The substantive audit dimension — methodology depth, qualifications, audit programme experience, regulator engagement (where applicable) — receives the same rigour we bring to any senior search. The audit committee partnership and independence dimensions are built in alongside it. We work on a retained basis, with engagement running through to the candidate’s first day in role.

Our internal audit practice covers UK corporate, listed, PE-backed and FCA-regulated businesses. For FCA-regulated SMF5 mandates, see our SMF5 hiring guide. Every internal audit mandate is led personally by Adrian Lawrence FCA — fitting for a search where the search firm leader’s professional standing in the audit community matters substantively to candidate engagement.

Further reading

For our internal audit and audit committee chair recruitment services, see Head of Internal Audit recruitment and audit committee chair recruitment. For FCA-regulated SMF5 appointments, see our SMF5 hiring guide and the broader FCA-regulated firm executive recruitment hub.

For our complete senior hiring guide collection, see our Knowledge Centre.

For UK internal audit professional standards, see The Chartered Institute of Internal Auditors (UK). For accounting and audit qualifications relevant to internal audit leadership, see the ICAEW and the ACCA. For corporate governance frameworks underpinning internal audit, see the UK Corporate Governance Code and guidance from the Institute of Directors.