Head of Internal Audit (SMF5) Recruitment at FCA-Authorised Firms
The Head of Internal Audit is one of the most structurally complex appointments a regulated firm can make. Under SMCR, where the role is a designated senior management function — SMF5 — the individual carries personal regulatory accountability for the internal audit function. But the complexity goes beyond the regulatory designation. Internal audit must be genuinely independent of the business it reviews, and that independence requirement shapes everything from reporting lines to remuneration structure to the candidate profile itself.
Exec Capital works with FCA-authorised firms to identify Heads of Internal Audit who combine the technical depth the role demands with the personal authority to operate independently of management and report directly and effectively to the Audit Committee. This guide sets out what firms need to consider before opening a Head of Internal Audit search.
SMF5: What the Designation Covers
Not every Head of Internal Audit at an FCA-authorised firm holds the SMF5 designation. The function is only a prescribed senior management function at firms that are required to have an internal audit function under FCA rules — primarily banks, insurers, and certain investment firms subject to MIFIDPRU. At other regulated firms, the role may still be significant but without the associated FCA approval requirement.
Where SMF5 applies, the individual must be approved before taking up the role. The approval process follows the same Form A route as other senior management functions, and the FCA will review the candidate’s fitness and propriety, including their regulatory history and any material disclosures. Firms should build this timeline into the search — typically an additional six to twelve weeks from appointment to approval, depending on regulatory category and current FCA processing capacity.
The Statement of Responsibilities for an SMF5 appointment should reflect the genuine scope of the internal audit function, including any co-sourcing or outsourcing arrangements. Where part of the internal audit function is provided by an external firm, the SoR should make clear that the SMF5 holder retains oversight responsibility for the quality and independence of that external work. The FCA expects this to be explicit, not implied.
The Independence Requirement
The FCA expects the internal audit function to be independent of the activities it reviews. In practice, this has significant implications for how the role is structured and who can credibly hold it. A candidate who has spent their career in the first or second line at the same firm — or who has close relationships with the management team they will be required to audit — starts the role with a structural credibility problem that no governance framework can fully compensate for.
The most effective SMF5 appointments are individuals who report directly to the Audit Committee chair with an administrative line to the CEO or CFO. They attend board and Audit Committee meetings as of right, have unrestricted access to records and personnel, and have a remuneration structure that is not materially influenced by the outcomes of the business units they review. Where any of these conditions is missing, the FCA supervisory team is likely to notice.
The independence requirement also has implications for the candidate’s previous employer relationships. Where an HIA candidate has previously worked at the firm in a business role — particularly in the first or second line — boards should consider carefully whether that prior relationship creates a perception issue with the regulator, even if the individual is technically qualified for the role. The FCA’s fitness and propriety assessment looks at independence of mind as well as structural independence.
The FCA’s Approach to Internal Audit at Regulated Firms
The FCA’s supervisory approach to internal audit at regulated firms has evolved significantly over the past decade. The regulator now expects to see evidence that internal audit is providing genuine challenge to management, not simply confirming that processes are being followed. Audit reports that are consistently positive, that rarely identify material control weaknesses, or that are not followed up with robust management action tracking are indicators of a function that may be too close to the business it is reviewing.
Multi-firm supervisory reviews in the banking and insurance sectors have highlighted a number of recurring concerns: internal audit functions that lack the technical expertise to audit complex risk areas such as model risk or financial crime; functions that are under-resourced relative to the complexity of the business; and functions that have insufficient access to senior management to escalate concerns effectively. Firms that have experienced regulatory commentary on any of these issues need to factor that context into the HIA appointment brief.
The FCA also pays attention to the internal audit function’s relationship with the external auditor. Where internal audit and external audit are not well coordinated — where there is duplication, gaps, or tension between the two functions — the quality of the overall assurance framework is weakened. Strong HIA candidates understand how to manage this relationship productively, using the work of each function to complement rather than duplicate the other.
What the Right Candidate Looks Like
The Head of Internal Audit at an FCA-regulated firm typically has a background in one or more of the following: external audit at a major accounting firm with financial services clients, an internal audit leadership role at another regulated firm, or a risk function role that has involved significant audit committee exposure. Professional qualifications — CIIA, ACA, ACCA — are common but not universal.
Beyond technical credentials, the regulated firm HIA must be able to present complex audit findings to a board audience that includes non-executive directors who may not have operational backgrounds. They must be prepared to escalate concerns about management behaviour or control failures without hesitation. And they must be capable of maintaining a productive working relationship with a management team that may not always welcome their conclusions.
Candidates who have led internal audit functions through a significant regulatory review, a material control failure, or a period of rapid business change are particularly valuable. The audit function’s quality is most visible under pressure, and firms benefit from appointing individuals who have been tested in that way. Interview processes should specifically explore what candidates did when they found something significant — how they reported it, how they managed the management response, and how they followed up to ensure remediation was genuine.
Reporting Lines and Audit Committee Dynamics
The relationship between the Head of Internal Audit and the Audit Committee chair is central to the effectiveness of the function. Before opening a search, boards should assess whether the current Audit Committee chair has the time, the appetite, and the expertise to provide the oversight the SMF5 role requires. A technically strong HIA with a passive or disengaged Audit Committee will struggle to fulfil the regulatory expectations of the function regardless of their individual competence.
Where the Audit Committee chair is new to the role or lacks deep familiarity with regulated firm audit requirements, it is worth considering whether a briefing — setting out the FCA’s expectations of the internal audit function — would be useful before the search begins. Exec Capital can provide that briefing as part of the engagement.
The frequency and format of Audit Committee reporting is also worth reviewing before the appointment is made. An HIA who is expected to provide quarterly written reports to the Committee, without regular informal dialogue between meetings, is operating in a more constrained environment than one who has regular access to the chair outside of formal meetings. The best-governed internal audit functions have a clear protocol for escalating urgent findings between scheduled committee meetings, and HIA candidates should expect to be asked how they would operate within the firm’s existing governance arrangements.
Co-Sourcing and the HIA’s Oversight Role
Many regulated firms use a co-sourcing model for internal audit, where part of the function is delivered by an external professional services firm. This is a legitimate and often effective model, particularly where the firm’s risk profile requires specialised audit expertise that it would be difficult to maintain on a permanent basis. However, the co-sourcing arrangement does not reduce the SMF5 holder’s accountability — they remain personally responsible for the quality and independence of all internal audit work, including work delivered by external co-source partners.
HIA candidates who have managed co-sourced audit functions need to demonstrate that they have the skills and the relationship management capability to hold external providers to account — to challenge audit programmes, review work quality, and escalate concerns where the external firm’s work does not meet the required standard. A passive SMF5 holder who relies on the external firm to set the agenda is not meeting the regulatory expectation of the designation.
Compensation Benchmarks
Head of Internal Audit compensation at FCA-authorised firms reflects both the seniority of the function and the regulatory designation where it applies. At smaller authorised firms, base salaries typically range from £100,000 to £150,000. At mid-tier banks and larger investment firms, the range extends to £180,000 to £250,000. Where the role carries SMF5 designation and the firm is subject to the Remuneration Code, variable compensation must be structured accordingly — with deferral arrangements that reflect the individual’s status as a material risk taker or a senior manager function holder.
Firms that underprice the HIA role relative to equivalent functions in the first and second lines will find the candidate market limited and will typically attract individuals who lack the authority to operate effectively within the governance structure. The internal audit function’s credibility is partly a function of how it is perceived within the firm’s pay hierarchy. Where the HIA is materially less well compensated than the CRO or the CCO, it sends a signal — internally and externally — about the firm’s commitment to genuine independence of assurance.
Succession Planning for the HIA Role
Internal audit succession is frequently undermanaged at regulated firms. The combination of the independence requirement, the regulatory approval obligation, and the specialist nature of the role means that a vacancy in the HIA function — particularly an unplanned one — creates both a governance gap and a regulatory notification obligation. Firms should have a clear succession plan for the SMF5 holder and should have identified interim coverage arrangements that can be activated at short notice.
Where the HIA is approaching the end of a planned tenure — typically five to seven years is considered appropriate for maintaining independence — succession planning should begin at least eighteen months in advance. The regulatory approval timeline for an SMF5 appointment, combined with the need to allow an adequate handover period, means that a late start to succession planning carries real risk.
The Search Process
Exec Capital approaches Head of Internal Audit searches at FCA-regulated firms on a retained basis. We maintain relationships with experienced internal audit leaders across banking, insurance, asset management and consumer finance, and we prioritise candidates who have direct experience of operating under FCA supervision. We present a shortlist of four to five candidates within three to four weeks of brief, supported by detailed reference conversations that go beyond standard written references to explore how candidates have handled the most demanding aspects of the role.
Where SMF5 applies, we support the firm through the regulatory approval process and provide guidance on Statement of Responsibilities drafting to ensure the designation accurately reflects the individual’s scope and accountability.
About the Author
Adrian Lawrence FCA is the founder and managing director of Exec Capital, an ICAEW-Registered Practice. Adrian holds an ICAEW practising certificate in his own name and is a Fellow of the ICAEW. His profile can be verified at find.icaew.com. Exec Capital (Companies House: 15037964) specialises in executive search and C-suite appointments for growth-focused, investor-backed businesses across the UK.
Discuss Your Internal Audit Search
Exec Capital places Heads of Internal Audit and SMF-designated executives at FCA-authorised firms. Call us on 0203 834 9616 or tell us about your hire.

Adrian Lawrence FCA is the founder of Exec Capital. He is a Chartered Accountant and holds an ICAEW practising certificate in his own name. With over 25 years’ experience operating at C-suite level, Adrian brings direct executive experience to senior search. His background spans private equity-backed businesses, owner-managed companies, and listed environments, giving Exec Capital a practitioner’s understanding of what leadership hires actually require.


