The internal audit function has one job that no other governance mechanism in a Cyprus Investment Firm shares. It exists, by regulatory mandate, to find what is wrong. Not to run the business. Not to supervise it. To examine it independently, across every area it touches, and report what it finds to the people who carry ultimate accountability for the firm.

Most CIFs have an internal audit function. Fewer have one that is doing what it is supposed to do. The distinction is not visible in whether the annual report was submitted to CySEC on time. It is visible in what the board did after they read it.

What the function is and what it cannot be

The three lines of defence model is the framework within which the internal audit sits. The first line is the business: the investment activities, the client-facing teams, the operations that execute the firm's daily work. The second line is supervision: the compliance function and the risk management function, which monitor whether the first line is operating within regulatory and internal boundaries. The third line is the internal audit, which examines whether the second line is doing its job.

This structure has a consequence that is often underappreciated. The internal auditor examines the compliance function. It examines whether the compliance officer is monitoring what they are supposed to monitor, whether the firm's procedures reflect its actual activities, and whether the oversight mechanisms described at licensing are the ones genuinely operating. The internal auditor and the compliance officer are not doing the same work from different angles. They are doing fundamentally different work, and the regulation is explicit that neither can do the other's job.

Article 24 of the MiFID II Delegated Regulation (EU 2017/565), transposed into Cyprus law through Law 165(I)/2021, requires the internal audit function to be separate and independent from all other functions of the firm. It cannot be combined with the compliance function. It cannot be combined with risk management. An individual cannot simultaneously hold the position of compliance officer and internal auditor. The independence requirement is not administrative. It reflects the fact that the entire value of the internal audit depends on its ability to examine the second line without being part of it.

The risk-based audit plan must be approved by the board of directors and updated regularly to reflect changes in the firm's activities and risk profile. The internal auditor may review any area of the firm on their own initiative, without requiring authorisation from the function being examined. The reporting line runs to the board, not to the CEO in their management capacity, not through the compliance officer. To the governance body that holds ultimate responsibility for how the firm operates.

A CySEC inspection and an internal audit ask the same questions

CySEC inspections are not announced with sufficient advance notice to prepare from scratch. They examine client onboarding and KYC procedures. They examine conflicts of interest management. They examine client funds handling and safeguarding. They examine the methodology behind the compliance officer's annual report. They examine whether the firm's operating procedures correspond to the business model approved at licensing. They examine AML controls, record-keeping, best execution, and governance. Since January 2025, they also examine digital operational resilience under DORA.

A properly conducted internal audit examines all of the same areas. The structural difference is sequence. When the internal auditor identifies a gap, the firm has the opportunity to close it, on its own timeline, under its own management, before the regulator arrives. When CySEC identifies the same gap during an inspection, the firm has the obligation to close it under regulatory scrutiny, on CySEC's timeline, with the finding recorded on its supervisory history.

A CIF that invests in a rigorous internal audit function is running a structured dry run of the inspection that will eventually come. Every gap that the board identifies through internal audit and closes through a documented corrective action plan is a gap that does not appear in the CySEC inspection report. Every gap that the internal audit does not surface, or that the board receives but does not act upon, remains in the firm's operations, waiting for someone with more authority to find it.

This reframes the cost of the internal audit function entirely. The fee is fixed and visible. The cost of what it prevents is variable and invisible until it materialises. At that point, it does not materialise as a single manageable item. It materialises as regulatory enforcement, mandatory remediation, and the operational disruption of addressing failures simultaneously under external scrutiny rather than sequentially under internal management.

What a recurring finding tells the regulator

CySEC issued Circular C655 in 2024, following its assessment of internal audit reports submitted for the year 2022. Among the deficiencies it documented was one that carries particular governance significance: the board minutes accompanying annual internal audit reports did not contain implementation timeframes for the corrective measures the board had decided upon.

This extends beyond the administrative failure it appears to be. When a finding appears in an internal audit report and the board records no implementation timeframe, and the same finding reappears the following year, the regulatory reading is not that the firm has a persistent operational problem. The reading is that the board received the finding, acknowledged it, and failed to manage the correction. A governance failure layered on top of an operational one.

CySEC's Circular C655 also found that internal audit methodology was insufficiently described in many reports: the specific clients tested, the timing of reviews, the audit tests performed. It also found that sample selection was not proportional to client risk categories. These are not technical failures in the report's presentation. They are indicators of whether the audit was conducted with genuine rigour or produced to satisfy a submission deadline.

An internal audit function that operates properly treats follow-up as a core responsibility. After each annual report, the auditor tracks the status of prior findings, verifies that corrective actions have been implemented, and reports to the board on those that have not been closed. A board that receives a follow-up report showing all prior findings resolved has demonstrated governance discipline. A board that receives one showing prior findings still open has a documented problem and, in time, a regulator who will see the same pattern across successive submissions.

The practical implication is that the internal auditor's work does not conclude when the annual report is issued. The report is the beginning of a cycle: findings, board decisions, corrective actions, implementation, verification. Firms that treat the report as the end of the process are the firms that generate recurring findings.

Every stage of growth produces findings

A firm that has just been licensed has built its compliance framework around a specific business model, a specific set of investment services, a specific client profile, and a specific governance structure. The internal audit in year one tests whether the firm that is operating corresponds to the firm that was approved. It almost never corresponds exactly. Not because the firm misrepresented itself at licensing, but because the distance between a governance document and a live operation always produces gaps. This is not a problem. It is information.

The same dynamic applies at every subsequent stage of the firm's development. Adding a new investment service creates compliance obligations that the existing framework may not yet cover. Cross-border passporting introduces the regulatory requirements of another jurisdiction, which must be mapped against existing procedures and may require new controls. Onboarding a new client segment changes the risk profile in ways that risk management procedures must absorb. Bringing on new personnel introduces individuals whose conduct must be supervised under the firm's existing monitoring structure.

Each of these events changes the scope of what the internal audit must examine. The risk-based audit plan must reflect these changes. A plan designed for a firm in year one does not serve a firm that has doubled its services and entered two new markets. The board's role is to ensure that the audit plan evolves with the firm, not that it remains consistent with the description in the original licensing application.

A board that understands this is not unsettled by findings that emerge during growth phases. It expects them. It treats them as the audit function delivering precisely the value it is supposed to deliver. The board that should be unsettled is the one whose annual report returns consistently clean, regardless of what the firm has done in the intervening year. That pattern does not signal a well-run firm. It signals an audit that is not looking hard enough.

The cheapest internal auditor is often the most expensive one

An internal audit that is underpowered (whether because the auditor lacks the regulatory depth to identify complex gaps, lacks the independence to report findings that are uncomfortable for management, or lacks the commercial understanding to distinguish between a minor process imperfection and a genuine compliance risk) does not reduce the firm's exposure. The gaps exist in either case. What changes is whether the firm knows about them.

This is the correct frame for evaluating the cost of the internal audit function: not against what it charges, but against what it prevents. The auditor who identifies five significant compliance gaps before a CySEC inspection has not generated a cost. They have generated a return. The precise magnitude of that return is unknowable in advance and substantial in retrospect, because the alternative (a CySEC inspection report carrying those same five findings, each requiring mandatory remediation on the regulator's timeline) is considerably more expensive than the fee.

The same logic applies to the depth of the annual report. CySEC reads internal audit reports. Circular C655 exists because CySEC assessed a sample of them and found them wanting. A report that documents its methodology, specifies the clients reviewed, justifies the sample selection by risk category, and provides actionable recommendations with clear findings is a report that reflects a genuine audit. A report that reaches the same clean conclusion every year without that substance is a report that invites exactly the kind of scrutiny the board was hoping to avoid.

Independence and commercial understanding are not in conflict

The independence of the internal audit function is a structural requirement. The auditor cannot be directed to soften a finding. The auditor cannot be excluded from any area of the firm. The report goes to the board without passing through the functions being examined. None of this is negotiable, and none of it is in tension with the other quality a good internal auditor for a CIF must have: commercial awareness.

A good internal auditor for a licensed investment firm understands what investment activities are being conducted, what client types are being served, what the commercial pressures of the business are, and what the practical constraints within which management operates look like. This understanding does not compromise the audit. It makes the findings more accurate and the recommendations more executable.

An internal auditor who examines a dealing desk without understanding how investment orders are processed will produce findings that management cannot contextualise. An auditor who reviews client onboarding without understanding the commercial relationship between the CIF and its client base will misjudge the significance of what they find. An auditor who generates recommendations that cannot be implemented in the operational reality of the firm produces a report that the board files rather than acts upon.

Commercial awareness is not a concession to management pressure. It is the foundation of a finding that is both accurate and actionable. The internal audit function is supposed to ensure that the business runs solidly. Not to stop it from running. A CIF that treats its internal auditor as the person who will tell it what it needs to hear, before someone with more authority does, has understood the function correctly. A CIF that treats the audit as an annual document to be produced and submitted has not.

Why outsourcing the internal audit works for most CIFs

CySEC permits the internal audit function to be outsourced to an external provider. The regulatory responsibility remains with the firm. Outsourcing the activity does not transfer the obligation. The firm must retain the ability to oversee the provider, ensure the provider has the necessary authority, resources, expertise and access to perform the function effectively, and maintain continuity if the arrangement needs to change.

Within those conditions, an outsourced internal audit function frequently delivers stronger performance than an internal appointment. A provider operating across multiple CIFs and other regulated entities brings pattern recognition that a single internal hire cannot match. They see the same categories of finding repeated across different firms, at different stages of development, under different cycles of CySEC supervisory attention. They understand what the regulator is currently focused on not from reading circulars in isolation, but from operating in the environment those circulars describe.

Structural independence is also stronger in an outsourced model. An internal hire, however independently the function is formally structured, reports within an organisation where senior management has institutional influence. An external provider's obligation runs to the board and to the accuracy of their findings. Their professional interest is in rigour, not accommodation.

For many CIFs, outsourcing also provides access to specialist capability that an internal appointment would not. The capital requirements of a small investment firm do not always support a full-time internal audit function staffed to cover every area the regulation now requires. Since January 2025, internal audit coverage of ICT risk under DORA is not optional. If the appointed internal auditor does not have the necessary expertise in digital operational resilience, CySEC expects a specialist to be engaged for that portion of the work. An outsourced provider with a multidisciplinary team covers this within a single engagement, without requiring the firm to source and manage a separate specialist.

The internal audit report is not merely a document you submit to CySEC. It is a record of what your board knew, when it knew it, and what it chose to do.