SMF5 Head of Internal Audit Function: A Guide

The SMF5 Head of Internal Audit function designates the individual who leads the internal audit function at enhanced SMCR firms — a role that carries both a personal accountability obligation under the Senior Managers Regime and a structural independence requirement that is fundamental to the function’s effectiveness.

Internal audit is the third line of defence in the three lines of defence model — the function responsible for providing independent assurance to the board and senior management that the firm’s risk management, controls and governance are operating effectively. Under the SMCR, the individual who leads the internal audit function at an enhanced firm is required to hold the SMF5 function — making the head of internal audit personally accountable to the FCA for the adequacy of the assurance they provide.

What Is the SMF5 Function?

The SMF5 function is defined in SUP 10C as the function of acting as the head of the internal audit function of the firm. The function applies where the firm has an internal audit function — which enhanced SMCR firms are expected to have as part of an adequate governance and control framework. Where the internal audit function is led by a single individual, that individual holds SMF5. Where the function is structured with a committee or a shared leadership arrangement, the FCA expects the firm to identify the individual with ultimate responsibility for the function and designate them as SMF5 holder.

The SMF5 function is distinct from the SMF3 Executive Director function: an SMF5 holder does not necessarily sit on the board as an executive director, though they may do so. The function attaches to the leadership of the internal audit activity rather than the formal board position.

Which Firms Must Designate SMF5?

Like SMF3, the SMF5 function applies to enhanced SMCR firms. Enhanced firms are required to have an internal audit function and to designate the head of that function as SMF5. For core SMCR firms, the obligation to have an internal audit function depends on the firm’s size and the requirements of any applicable sector rules — smaller firms often satisfy their audit assurance needs through periodic external review rather than a dedicated internal function.

For firms in the dual-regulated sector — banks, building societies, PRA-regulated insurers — equivalent obligations arise under the PRA’s Senior Managers Regime. The PRA and FCA requirements for internal audit leadership are broadly aligned, but firms should confirm the applicable obligations under each regulator’s framework when structuring the SMF5 designation.

The Independence Requirement

The structural independence of the internal audit function from the business lines it audits is fundamental to the SMF5 role. The FCA’s expectation — consistent with the Basel Committee’s guidance on internal audit in banks and the Chartered Institute of Internal Auditors’ standards — is that the internal audit function has unfettered access to the information and personnel it needs to carry out its work, reports directly to the audit committee or board rather than to executive management, and is not subject to direction by the business on the scope, conclusions or reporting of its audit work.

Independence is compromised where: the head of internal audit reports to the CEO or CFO rather than the audit committee; the audit plan is subject to approval by the business areas being audited; findings are withheld from the board or downgraded before reporting; the internal audit function is involved in designing or implementing the controls it is subsequently asked to audit; or the head of internal audit holds other executive responsibilities that create a conflict with their audit role.

An SMF5 holder who is not structurally independent faces a particular personal risk: the SMCR’s reasonable steps obligation requires them to take adequate steps to provide effective assurance. If independence is structurally compromised, the reasonable steps obligation cannot be satisfied regardless of the individual’s personal integrity or competence.

Scope of the Internal Audit Function

The internal audit function at an enhanced SMCR firm is expected to provide assurance across the full scope of the firm’s risk management, controls and governance — not merely its financial processes. This includes: the adequacy of the first-line risk management framework; the effectiveness of the second-line risk and compliance function; the accuracy of management information provided to the board; the adequacy of regulatory capital and liquidity risk management; the robustness of operational resilience and business continuity arrangements; and the firmwide culture and conduct risk environment.

The FCA expects the internal audit function’s work plan to be risk-based — prioritising areas of highest risk to the firm and its customers — and to be updated as the firm’s risk profile changes. A static audit plan that repeats the same coverage year-on-year without reference to how the firm’s activities or risk environment has changed is not consistent with the FCA’s expectations for effective internal audit at an enhanced firm.

FCA Approval and Fit and Proper Assessment

An individual proposed as SMF5 must be approved by the FCA through the standard Form A application process. The FCA’s fit and proper assessment for SMF5 focuses on: the individual’s technical competence in internal audit methodology and in the regulated activities the firm carries on; their professional qualifications (the FCA does not require specific qualifications, but the Chartered Internal Auditor designation from the Chartered Institute of Internal Auditors is considered strong evidence of technical competence); and their personal integrity and financial soundness.

The FCA also assesses whether the proposed head of internal audit has the personal authority and standing to operate independently at the firm. An individual who lacks the experience or confidence to challenge executive management, or who has a history of reporting relationships that compromised their independence at previous employers, may not meet the fit and proper standard for an enhanced firm’s SMF5 role.

The SMF5 Holder’s Statement of Responsibilities

The Statement of Responsibilities for an SMF5 holder must clearly describe the scope of the internal audit function, the reporting lines of the function, and the individual’s specific accountability for the adequacy of the assurance provided. It should make explicit that the function reports to the audit committee or board, that the SMF5 holder has access to all areas of the firm’s activities, and that the individual is responsible for the quality and independence of the function’s work.

Where the firm uses co-source or outsource arrangements for some internal audit activities — supplementing the in-house function with specialist external expertise — the SoR should reflect that the SMF5 holder retains accountability for the quality and adequacy of all internal audit work, including that carried out by third parties on the function’s behalf.

The Relationship with the Audit Committee

The audit committee is the SMF5 holder’s primary governance relationship. The FCA expects the head of internal audit to report to the audit committee chair on a regular basis, to present the findings and conclusions of completed audits to the committee, and to have direct access to the committee chair between scheduled meetings where urgent matters arise. The audit committee’s oversight of the internal audit function — including approval of the audit plan, review of resource adequacy, and assessment of the SMF5 holder’s performance — is itself an important governance control.

Adrian Lawrence FCA — Founder, FD Capital Recruitment Ltd

ICAEW Registered Practice  |  Companies House No. 13329383

“The SMF5 role requires a specific combination of technical internal audit competence, regulatory knowledge and the personal standing to operate independently at the most senior level of the firm. We place heads of internal audit for enhanced SMCR firms across banking, investment management and insurance — managing the FCA approval process and working closely with audit committees to identify candidates with the right profile for the role.”
