Hiring an SMF5 Head of Internal Audit: A Complete Guide
SMF5 is the FCA designation that attaches personal regulatory accountability to the Head of Internal Audit at an FCA-regulated firm. It is one of the most structurally distinctive senior management functions in the regime: the role sits in the third line of defence, must be substantively independent of both the business and the second-line risk function, and the candidate pool is dominated by qualified accountants with substantial internal audit experience. The role is also one of the SMFs where candidate scrutiny of the firm matters most — strong internal audit candidates are evaluating whether the firm is one where they can perform genuinely independent assurance, and firms whose internal audit function has been treated as junior or under-resourced struggle to attract the seniority their SMF5 role actually requires.
This guide is written for chairs of Audit Committees, CEOs, and Boards working through the appointment of a Head of Internal Audit into an FCA-regulated firm. It sets out what an SMF5 appointment actually involves: how the role differs from external audit firm partner roles or general assurance work, where it sits in the three lines of defence, what qualifications and experience the candidate pool draws from, what the Statement of Responsibility looks like, how the FCA approval process operates, and what compensation and structure look like. It draws on our work running SMF mandates across asset management, wealth management, insurance, brokerage, fintech and consumer credit firms — and on the FCA’s published guidance on senior management functions for solo-regulated firms. For the broader SMF picture, see our SMF Roles guide.
A Note from Our Founder — Adrian Lawrence FCA
SMF5 is the SMF role where the gap between what boards think the search will be and what the candidate pool actually looks like is widest. Boards approaching the role for the first time often expect a generalist senior auditor to be available — someone who can lead the internal audit function and report to the Audit Committee. The reality is narrower: the senior internal audit population in the UK is genuinely small, qualifications matter substantively, and the candidate is typically evaluating the firm as carefully as the firm is evaluating them. Internal audit is one of the disciplines where strong candidates have multiple options at any time, and the firms that win them are the ones that demonstrate the role and the function will be respected.
At Exec Capital we structure SMF5 mandates around three workstreams running together: candidate identification (with prior SMF5 holders first, then experienced senior internal auditors at peer firms, then specific Big Four director or partner candidates with the right background to clear FCA approval), the regulatory pathway (Form A submission, fit-and-proper readiness, regulatory references), and the governance dimension (Statement of Responsibility drafting, Audit Committee Chair relationship, third-line independence). As an ICAEW Fellow myself, I take a particular interest in this category of mandate.
If you are running an SMF5 search now, planning succession in the next 12-18 months, or considering whether your existing senior auditor should formally take the role, I am happy to walk through your situation directly. Every SMF mandate I take on is handled personally — there are no junior account managers involved in our searches.
Adrian Lawrence FCA | Founder, Exec Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383 | Placing senior executives across UK regulated firms since 2018
What SMF5 covers
SMF5 is the Head of Internal Audit function under the Senior Managers and Certification Regime. It applies to the senior individual responsible for the firm’s internal audit function — typically the Head of Internal Audit (sometimes Chief Internal Auditor or Director of Internal Audit) reporting directly to the Audit Committee Chair, with a dotted line to the CEO for administrative purposes. Like other prescribed senior management functions, SMF5 must be held by an FCA-approved individual at all times where the function exists at the firm; any change in the SMF5 holder triggers a regulatory notification and approval process.
The substantive scope of SMF5 covers what any senior internal audit leader would recognise — the firm’s internal audit framework, the audit plan and its alignment with the firm’s risk profile, the operation of the third line of defence, the relationship with the Audit Committee, the staffing and capability of the internal audit function, and the senior-level engagement with the firm’s external auditors and the regulator on assurance matters. The regulatory dimension is layered through every part of it: the SMF5 holder is personally accountable for the way the internal audit function operates, and the FCA can hold them personally accountable when something goes wrong in their area of responsibility.
One specific point worth being explicit about. SMF5 applies where the firm has an internal audit function — which most Enhanced firms are required to have, and most Core firms above a certain scale operate by good practice. Smaller Core firms and Limited Scope firms may not have a separate internal audit function at all; in those cases, audit responsibility may be addressed through outsourced arrangements, co-sourcing with an external firm, or risk-based reviews led by the second-line risk function. If you are unsure whether your firm has SMF5 in scope, your compliance lead or external compliance adviser will know.
It is also worth distinguishing internal audit from external audit. Internal audit is a continuous, in-house assurance function reporting to the Audit Committee; external audit is the statutory financial audit conducted by an external firm registered with the relevant audit regulator (in the UK, the Financial Reporting Council and the recognised supervisory bodies). SMF5 covers internal audit specifically — external audit is governed by a different framework entirely.
Three lines of defence: where the SMF5 sits
The “three lines of defence” model is the structural framework most boards and regulators use to think about how risk is managed and assured across a regulated firm. Understanding which line the SMF5 sits in is the starting point for the search.
The first line is the business — the people and functions that take risk on behalf of the firm in pursuit of its commercial objectives. They manage risk in their day-to-day decisions.
The second line is the independent risk function and the compliance function. Led by the SMF4 CRO and SMF16 Compliance Oversight respectively, they set the framework within which the first line operates, monitor first-line activity against that framework, and provide independent challenge to business decisions.
The third line is internal audit. Led by SMF5, internal audit provides independent assurance to the Board and the Audit Committee that both the first and second lines are working effectively. The third line is structurally independent of both the business and the second-line risk function — meaning internal audit reviews and challenges the work of the CRO and the compliance function as part of its normal scope.
For SMF5 hiring, this matters in three ways.
First, the candidate’s prior experience needs to be in the third line. A candidate moving directly from a second-line risk role into SMF5 will face a more substantive FCA assessment on whether they can operate with appropriate independence. Strong candidates may have moved between disciplines earlier in their careers — many internal auditors have first-line or second-line experience at junior levels — but their most recent senior experience should be in internal audit specifically.
Second, the candidate’s reporting line matters. SMF5 reports primarily to the Audit Committee Chair (SMF11 in Enhanced firms with a designated Audit Committee Chair, otherwise typically the Chair of the Board), not to the CEO. Where the firm’s structure has the Head of Internal Audit reporting to the CFO or another executive, this needs to be remediated before the search — internal audit reporting through the executive line compromises independence and is increasingly inconsistent with FCA expectations.
Third, the candidate’s psychological independence is examined. The third line cannot do its work if the Head of Internal Audit is unwilling to deliver findings that executives do not want to hear. Strong candidates demonstrate this through their track record of difficult engagements, their references from previous Audit Committee Chairs, and the way they handle the search process itself. Candidates who present as too accommodating during interview often turn out to be the ones who struggle when the role activates against executive resistance.
What an SMF5 Head of Internal Audit does that an external audit partner does not
Boards approaching SMF5 succession sometimes assume that any senior auditor can take the role — including senior partners from external audit firms. The substantive overlap is real: both internal and external auditors apply audit methodology, both produce assurance findings, both work with Audit Committees. But the differences matter for whether a candidate will succeed in SMF5.
Continuous in-house function vs. annual external engagement. External audit is a defined annual engagement with a tightly scoped objective (giving an opinion on the financial statements). Internal audit is a continuous in-house function with a much broader scope (assuring the Audit Committee that the firm’s risk management, governance and controls are operating effectively across all material activities). The cycle, the breadth of subject matter, and the relationship with management are fundamentally different.
Audit Committee relationship is daily, not annual. External auditors typically have substantive engagement with the Audit Committee a handful of times per year — at planning, at year-end, and at specific points when issues arise. Internal audit’s relationship with the Audit Committee is continuous: monthly or quarterly Committee meetings, frequent informal contact with the Audit Committee Chair, and an ongoing dialogue about emerging issues. Strong SMF5 candidates have built this kind of continuous Audit Committee relationship in previous roles.
Subject matter breadth. External audit focuses primarily on the financial statements and the controls relevant to financial reporting. Internal audit covers the full range of the firm’s activities — operational risk, conduct risk, regulatory compliance, IT and cyber, business continuity, third-party risk, culture, and so on. The breadth of subject matter is significantly greater, and SMF5 candidates need to be able to lead audit work across all of it.
Operating in-house vs. as a service provider. External auditors operate as a service provider with formal independence rules. Internal auditors operate in-house, embedded in the firm’s culture and politics, while still maintaining substantive independence from management. This requires a different temperament: the ability to be part of the firm but not of the executive team, to maintain professional relationships with executives while still delivering findings that may be uncomfortable for them.
Reporting to the Audit Committee, not management. External audit reports formally to the Audit Committee but works with management throughout the engagement. Internal audit reports primarily to the Audit Committee, and the head of the function defends the audit plan, the resourcing, and the findings to the Committee — sometimes in disagreement with management’s view. SMF5 candidates with prior Audit Committee Chair relationships handle this naturally; candidates without that experience need to develop it.
What an SMF5 Head of Internal Audit does that a non-regulated internal auditor does not
Even for candidates with substantial internal audit experience in non-regulated environments, SMF5 layers regulatory accountability over the substantive role and adds dimensions a corporate Head of Internal Audit would not encounter.
Personal accountability to the regulator. The SMF5 holder’s Statement of Responsibility allocates specific prescribed responsibilities to the role. When the FCA reviews how a regulated firm has handled a matter, it asks whether the SMF5 took reasonable steps in the area they are accountable for — including whether the audit plan was appropriately risk-based, whether the audit findings on the relevant area were robust, and whether issues that should have been escalated were escalated.
The relationship with the FCA. SMF5 holders are sometimes the firm’s principal point of contact with the FCA on internal audit matters — particularly during firm visits, thematic reviews, or any FCA-led work focused on assurance and governance. The FCA may also engage with the SMF5 directly on the audit plan, on resourcing, or on specific findings. Candidates with prior SMF5 experience handle this naturally; first-time candidates need preparation on the dynamics of FCA engagement.
Operational resilience assurance. The FCA’s Operational Resilience policy requires firms to demonstrate they can deliver important business services during severe but plausible disruption. Internal audit has a substantial role in this framework: independently assessing the firm’s operational resilience self-assessment, testing the impact tolerance settings, and providing third-line assurance on the firm’s preparedness. SMF5 candidates need to be comfortable with operational resilience as a discipline distinct from financial controls audit.
Consumer Duty assurance. The FCA’s Consumer Duty requires firms to deliver good outcomes for retail customers, evidenced by senior management oversight and Board-level review. Internal audit has emerged as one of the principal sources of independent assurance on Consumer Duty implementation — assessing whether the firm’s customer outcomes monitoring is robust, whether the controls on product design and pricing are working, and whether the Board’s annual Consumer Duty report is supported by reliable data. SMF5 candidates working in consumer-facing regulated firms need conduct-risk audit experience to be credible.
The Audit Committee’s regulatory expectations. Audit Committees in regulated firms operate under regulatory oversight that doesn’t apply in the same way in non-regulated firms. The Audit Committee Chair (SMF11 in Enhanced firms) is personally accountable to the FCA for the Committee’s work, and the SMF5 supports the Committee in discharging that accountability. The dynamic is different from a non-regulated Audit Committee where the regulatory dimension is absent.
Qualifications and the SMF5 candidate pool
SMF5 is one of the SMF roles where formal qualifications matter substantively. The candidate pool is dominated by qualified accountants with substantial internal audit experience, and the FCA’s competence and capability assessment looks closely at credentials.
Chartered accountancy qualifications. Most SMF5 candidates hold a chartered accountancy qualification — typically ICAEW (ACA), ACCA, or one of the Scottish or Irish equivalents. The qualification provides the technical foundation in financial reporting, audit methodology, controls assessment, and professional ethics that the role requires. It also provides the professional framework — codes of conduct, continuing professional development requirements, disciplinary processes — that the FCA expects in senior assurance roles.
Internal audit-specific credentials. Beyond chartered accountancy, many senior internal auditors hold specific internal audit qualifications — most commonly the Certified Internal Auditor (CIA) designation from the Institute of Internal Auditors, or the equivalents from the Chartered Institute of Internal Auditors. These qualifications signal commitment to the internal audit discipline specifically, as distinct from external audit or financial control more broadly.
Pure-play internal audit candidates. Strong SMF5 candidates often have substantial in-house internal audit experience — in some cases their entire career has been in internal audit, moving through senior auditor and audit manager roles to head-of-function level. Candidates from this pool clear the FCA’s competence assessment cleanly and bring real depth in audit methodology. The challenge is that the population is not large.
External audit firm transitions. A common pattern: candidates from Big Four or other external audit firms transitioning into in-house internal audit at director or senior manager level, then progressing to Head of Internal Audit and SMF5. This pathway brings strong technical foundations but requires the candidate to have made the substantive transition from external to internal audit (covered above) — not just to have moved firms while retaining an external audit mindset. Candidates who made this transition more than three or four years ago and have been operating effectively in-house since are typically credible for SMF5.
Cross-discipline candidates. Some senior internal audit roles are filled by candidates from related disciplines — qualified risk professionals, qualified compliance professionals, or controls specialists — who have moved into internal audit leadership. The FCA’s assessment will probe the underlying audit methodology depth more carefully for these candidates, but such a candidate is appointable where the broader background fits the firm’s profile.
One specific note on candidate availability. The senior internal audit population in the UK is small enough that strong candidates are typically known across the market. Discreet introduction is the standard search method, and candidates approaching the natural end of their tenure (typically four to seven years in role for senior internal audit positions) are the most genuinely available pool at any moment. Searches that connect with candidates 12-18 months before they intend to move see better outcomes than searches that begin only when the firm urgently needs to fill the role.
Building the SMF5 role specification
The role specification for an SMF5 search needs to communicate three things at once: what the internal audit role substantively involves at this specific firm, the regulatory dimension, and the working environment the candidate will join. Specifications that handle the substantive role generically — “lead internal audit, deliver the audit plan, support the Audit Committee” — without firm-specific context attract candidates who are not seriously evaluating the role.
The substantive dimension covers the standard internal audit content tailored to the firm: the firm’s risk profile and where internal audit’s effort is concentrated, the maturity of the existing function (greenfield build, established function inherited from a predecessor, function in transition after a regulatory matter), the size and structure of the audit team, the use of co-sourcing or guest auditors with external firms, the relationship with the executive team, and the specific strategic priorities where the SMF5 is expected to lead.
The regulatory dimension covers the SMF5 designation explicitly, the prescribed responsibilities allocated to the role, the firm’s classification under SMCR (Core / Enhanced / Limited Scope), the FCA supervisory category, and the regulatory priorities the firm is currently working on (Consumer Duty implementation status, operational resilience self-assessment cycle, any active FCA matters on assurance topics).
The governance dimension covers the Audit Committee Chair (typically SMF11 in Enhanced firms), the Audit Committee composition, the Committee’s expectations on internal audit, the working relationship with the SMF1 CEO, the SMF4 CRO and the SMF16 Compliance Oversight, and the responsibilities map. SMF5 candidates evaluating an offer will read all of this carefully — the strength of the Audit Committee, the Committee Chair’s support for genuinely independent audit, and the working relationship with the rest of the senior management team are first-order considerations for whether they can perform the role effectively.
One specific point: SMF5 candidates with prior experience will scrutinise the firm’s internal audit budget and resourcing relative to peer firms. Specifications that demonstrate the firm has invested appropriately in the function — through team size, technology, training budget, and use of co-sourcing for specialist areas — attract better candidates than specifications that present internal audit as cost-constrained or under-resourced.
The FCA approval process for SMF5
Once the firm has selected its preferred candidate, the FCA approval process begins. The mechanics are similar to other SMF approvals — and we cover the detailed mechanics in the SMF1 CEO hiring guide — but several aspects of SMF5 approval are worth flagging specifically.
The submission is built around Form A, supported by the candidate’s Statement of Responsibility, the firm’s Management Responsibilities Map, regulatory references covering the candidate’s previous six years of regulated employment, and supporting evidence on competence and capability. The FCA’s published service standard for Form A turnaround is up to three months for SMF approval, with most clean SMF5 applications resolved within four to ten weeks.
For SMF5 specifically, the FCA’s assessment focuses on three things beyond the standard fit-and-proper criteria.
Independence from the second line. The FCA examines whether the candidate has the independence required to operate effectively as a third-line Head of Internal Audit. Where the candidate is moving from a second-line role at the same firm — for example, the firm’s Head of Risk being promoted to SMF5 — the FCA may probe how the independence will be established and maintained. The bar is higher here than for SMF4 because internal audit’s job includes independently reviewing the second line itself.
Technical audit competence. The bar on technical competence is high for SMF5. The FCA expects substantive depth in audit methodology — risk-based audit planning, controls testing approaches, sampling methodology, audit reporting standards, follow-up and remediation tracking. Candidates with formal internal audit credentials and substantial in-house experience clear this bar; candidates with general management or risk backgrounds but limited specific audit depth face a more rigorous assessment.
Understanding of the firm’s specific risk profile. The FCA expects the SMF5 to understand which areas of the firm warrant audit attention and to articulate a credible audit plan that reflects the firm’s actual risks. Candidates who can demonstrate this from prior experience — for example, by describing how they would approach the audit of a specific area of the firm in their first year — clear this aspect of the assessment cleanly.
The fit-and-proper assessment for SMF5
The fit-and-proper assessment for SMF5 covers the same three statutory criteria as for any senior management function: honesty, integrity and reputation; competence and capability; and financial soundness. The application of these criteria to the Head of Internal Audit role has some specific dimensions.
Honesty, integrity and reputation is examined with particular attention to the candidate’s track record on independent challenge and on willingness to escalate uncomfortable findings. The FCA looks for any pattern in previous roles that suggests the candidate has been accommodating of management pressure rather than independent of it. References from previous Audit Committee Chairs are particularly important here, because they provide direct evidence of how the candidate has handled the moments where independent assurance has been tested.
Competence and capability for SMF5 is assessed substantively. Prior SMF5 experience is the strongest evidence. Substantial Head of Internal Audit experience without prior FCA approval — for example, in a non-regulated firm or in an overseas regulated context — is the next strongest. Candidates with prior senior internal audit experience without head-of-function tenure (deputy head, audit director) can clear competence and capability where the broader profile and the firm’s environment support the appointment.
Financial soundness covers the candidate’s personal financial position. Same bar as for other SMF roles — anything significant must be disclosed, explainable, and not indicative of broader integrity concerns.
One specific dimension that comes up in SMF5 assessments more than other SMFs: the candidate’s professional standing within the internal audit community. Active engagement with professional bodies (ICAEW, ACCA, IIA), continuing professional development records, and standing within the audit profession provide useful supporting evidence on competence and ongoing professional currency. Candidates who have let their professional engagement lapse can find this surfaces during fit-and-proper review.
The Statement of Responsibility for an SMF5 Head of Internal Audit
The Statement of Responsibility for the SMF5 sets out what the Head of Internal Audit is accountable for. For SMF5, the SoR will typically include:
- The operation of the firm’s internal audit function, including its design, deployment, and ongoing effectiveness
- The internal audit plan — the multi-year and annual plan setting out which areas of the firm will be audited, when, and to what depth
- The independence of the audit function, including reporting lines, resourcing, and the relationship with management
- Audit reporting and follow-up, including the integrity of audit findings and the tracking of management responses
- The relationship with the Audit Committee, including supporting the Committee in discharging its oversight responsibilities
- The capability of the internal audit team, including hiring, retention, training and the use of co-sourcing where appropriate
- Engagement with external auditors, including coordinating internal and external audit work to optimise overall assurance coverage
- Engagement with the FCA on matters relating to internal audit and assurance
The exact allocation varies by firm and by classification. In Enhanced firms with a designated Audit Committee Chair (SMF11), certain prescribed responsibilities sit with the SMF11 rather than the SMF5 — typically those relating to the Committee’s oversight of audit matters and the Committee’s relationship with the external auditor. The SoR for the Head of Internal Audit must be consistent with how the firm’s overall responsibilities map allocates these.
Three drafting points are worth flagging for SMF5 SoRs.
Independence is part of the SoR. The SoR should reference the SMF5’s independence at the time of appointment and the firm’s process for monitoring independence over time. This includes the reporting line (primary to Audit Committee Chair, dotted line to CEO for administrative purposes), the prohibition on the SMF5 holding additional executive responsibilities that would compromise independence, and any restrictions on the SMF5’s involvement in operational decision-making.
Resourcing is implicit but real. The SoR cannot guarantee specific resource levels, but the role requires the SMF5 to have authority over the audit plan and the audit team. Where the firm has constrained the function in ways that compromise the SMF5’s ability to deliver, the SMF5 has both an internal escalation path (the Audit Committee Chair) and an external escalation path (raising the matter with the FCA). The SoR should not preclude these escalation routes.
The boundary with SMF4 needs to be clear. Internal audit reviews the second line, including the work of the CRO. The SoR for both roles should make this independence relationship explicit so neither the SMF5 nor the SMF4 finds themselves operating in ways that compromise the integrity of the third line.
The Audit Committee relationship
The relationship between the SMF5 Head of Internal Audit and the Audit Committee Chair (typically SMF11 in Enhanced firms) is the most important working relationship in the role. The SMF5 reports primarily to the Audit Committee Chair, defends the audit plan and the audit findings to the Committee, and works with the Committee Chair on emerging issues between formal Committee meetings.
The healthy version of this relationship looks like this. The SMF5 and Audit Committee Chair speak regularly outside formal Committee meetings — typically monthly at minimum. The audit plan is developed jointly, with the SMF5 leading the technical work and the Committee Chair providing the Board-level perspective. Audit findings are discussed in private session before they are presented to the full Committee, so the Chair is not surprised by what comes forward. Difficult engagements with management — where audit findings are contested — are escalated to the Committee Chair early, so the Committee can support the SMF5 if needed.
The unhealthy version typically presents in one of three ways. The SMF5 and Audit Committee Chair do not speak frequently enough, and the Chair learns about audit findings only at formal Committee meetings — leaving them with no prior context to support the SMF5 against management resistance. Or the SMF5 becomes too close to management and the Committee Chair starts to receive findings that have already been softened in negotiation with executives. Or the Committee Chair is not sufficiently engaged in the audit plan, leaving the SMF5 to defend resourcing and scope without Committee backing.
For boards hiring an SMF5, the strongest specifications include explicit conversation about how the SMF5–Committee Chair relationship will work. Strong candidates with prior experience will probe this carefully during the search, particularly where the Committee Chair role itself is also being recruited or refreshed.
Compensation, indemnity and the personal accountability dimension
SMF5 compensation in UK regulated firms typically reflects the substantive seniority of the role — the Head of Internal Audit at a meaningful regulated firm operates at a senior level comparable with other senior management functions, even where the role does not sit on the firm’s executive committee. Base salary, bonus and long-term incentive structures vary by firm classification, with the FCA’s Remuneration Code overlay applying to relevant firm types.
One specific compensation consideration: the design of the bonus structure. Internal audit cannot be compensated on commercial outcomes — the role is structurally independent of business performance, and linking compensation to commercial outcomes would compromise that independence. Strong SMF5 compensation structures use metrics like audit plan delivery, finding quality, regulatory engagement quality, Audit Committee feedback, and team development. Boards designing SMF5 packages without thinking through this dimension sometimes inadvertently create perverse incentives that the FCA will probe during firm reviews.
Insurance and indemnity arrangements are an important part of the SMF5 offer. The Head of Internal Audit’s personal accountability under the regime means the candidate is exposed to potential FCA action against them as an individual where the SMF5 functions have not been performed effectively. Most regulated firms maintain D&O insurance and SMF-specific cover. The strength of this cover is a real consideration for SMF5 candidates and should be discussed during offer rather than after acceptance.
The reasonable steps test for SMF5 has a specific shape. The most common scenario where it applies is where something has gone wrong in the firm and the question becomes whether internal audit should have caught it — whether the audit plan covered the relevant area, whether the audit work was conducted to appropriate depth, and whether findings were appropriately escalated. SMF5 candidates with prior experience evaluate the firm’s environment carefully on these dimensions before accepting an offer, particularly the quality of the existing audit plan, the resourcing of the function, and any matters in the firm’s recent regulatory history that bear on assurance.
Common SMF5 search pitfalls
Several patterns recur in SMF5 searches that go off-track. Each is avoidable with deliberate planning at the start.
Underestimating the candidate pool tightness. The senior internal audit population in the UK is genuinely small at the regulated-firm level. Boards that begin SMF5 searches assuming a robust pool of available candidates often discover the reality more slowly than they expect. The fix is to start the search earlier than the comfortable timeline suggests and to engage candidates 12-18 months before they intend to move.
Treating SMF5 as a junior or staffing-level appointment. Boards that frame the SMF5 role as primarily about delivering an audit plan, without giving sufficient weight to the senior management function dimension, attract candidates at a more junior level than the role actually requires. Strong SMF5 candidates expect to be treated as senior management, with appropriate access to the executive team and the Audit Committee.
Inadequate audit function resourcing. SMF5 candidates with prior experience scrutinise the firm’s internal audit budget and resourcing relative to peer firms. Specifications that present internal audit as cost-constrained — small team, no co-sourcing budget, limited training investment — often fail to attract the candidate seniority the role actually requires.
Reporting line problems. Where the existing structure has the Head of Internal Audit reporting through the executive line (to the CFO, for example) rather than to the Audit Committee Chair, the search needs to address this before the appointment. Strong candidates will not take a role where the reporting line compromises independence at the start.
Underspecifying the boundary with SMF4 and SMF16. The SMF5 reviews the work of the SMF4 (CRO) and the SMF16 (Compliance Oversight) as part of normal third-line scope. Specifications and SoRs that do not address these relationships explicitly create governance friction in the first year of the appointment. The fix is to articulate the boundaries before the search and reflect them clearly in the SoR.
Skipping the Audit Committee Chair conversation. The SMF5 will work most closely with the Audit Committee Chair. Searches that do not actively involve the Committee Chair in candidate evaluation start the relationship on the wrong footing. The fix is to involve the Committee Chair throughout, including direct conversations between the Committee Chair and shortlisted candidates before the offer.
How Exec Capital approaches SMF5 mandates
Exec Capital runs SMF5 mandates as integrated audit-and-regulatory searches. The substantive internal audit dimension — audit plan fit, methodology depth, Audit Committee Chair relationship, team capability — receives the same rigour we bring to any senior assurance appointment. The regulatory dimension is built in from the brief, not added at the end. As an ICAEW-registered practice with a Fellow at the helm, we bring particular insight to senior accounting-qualified mandates, and our network of senior internal audit professionals is one we have invested in deliberately.
Our regulated-firm practice covers the full set of senior appointments under SMCR — SMF1 CEO, SMF3 Executive Director, SMF4 CRO, SMF5 Head of Internal Audit, SMF24 Chief Operations Function, SMF9 Chair and SMF14 SID — alongside the senior C-suite, director-level and specialist roles that operate within regulated firms. Where the appointment falls within a sister firm’s specialism — finance and compliance functions including SMF2, SMF16 and SMF17 (FD Capital), or wider non-executive appointments outside the SMF designation specifically (NED Capital) — we make the introduction directly and work alongside the relevant team.
For boards beginning Head of Internal Audit succession or appointing an SMF5 for the first time, we offer a structured initial conversation that walks through the responsibilities map, the role specification and the realistic candidate pool before any formal mandate begins. For more on the broader SMF cluster, see our SMF Roles guide. For the corresponding board role, our SMF14 SID hiring guide sets out how SID appointments fit alongside the Audit Committee Chair function.
Further Reading and Authoritative Sources
For the FCA’s authoritative guidance on the SMCR and the SMF5 designation, see the FCA’s SMCR overview and the solo-regulated firms guidance. The FCA’s Form A guidance sets out the application requirements for SMF appointments.
For the broader regulatory framework, see the FCA Operational Resilience policy and the FCA’s Consumer Duty, both of which create substantial assurance scope for SMF5 holders.
For internal audit standards and methodology, the Institute of Internal Auditors publishes the International Standards for the Professional Practice of Internal Auditing — the foundational reference for the discipline globally. The Chartered Institute of Internal Auditors publishes UK-specific guidance, including the Financial Services Code which is widely used as a benchmark for internal audit in regulated firms.
For accounting qualifications and professional standards relevant to senior internal audit candidates, see the ICAEW and the ACCA. For the broader corporate governance context, the UK Corporate Governance Code published by the Financial Reporting Council is the foundational reference for Audit Committee composition and effectiveness.