The internal audit function has one job that no other governance mechanism in a Cyprus Investment Firm shares. It exists, by regulatory mandate, to find what is wrong. Not to run the business. Not to supervise it. To examine it independently, across every area it touches, and report what it finds to the people who carry ultimate accountability for the firm.
Most CIFs have an internal audit function. Fewer have one that is doing what it is supposed to do. The distinction is not visible in whether the annual report was submitted to CySEC on time. It is visible in what the board did after they read it.
What the function is and what it cannot be
The three lines of defence model is the framework within which the internal audit sits. The first line is the business: the investment activities, the client-facing teams, the operations that execute the firm's daily work. The second line is supervision: the compliance function and the risk management function, which monitor whether the first line is operating within regulatory and internal boundaries. The third line is the internal audit, which examines whether the second line is doing its job.
This structure has a consequence that is often underappreciated. The internal auditor examines the compliance function. It examines whether the compliance officer is monitoring what they are supposed to monitor, whether the firm's procedures reflect its actual activities, and whether the oversight mechanisms described at licensing are the ones genuinely operating. The internal auditor and the compliance officer are not doing the same work from different angles.
Commission Delegated Regulation (EU) 2017/565, which is directly applicable in Cyprus as an EU regulation, requires the internal audit function to be separate and independent from all other functions of the firm. It cannot be combined with the compliance function or risk management. An individual cannot simultaneously hold the position of compliance officer and internal auditor. The independence is structural: the entire value of the function depends on its ability to examine the second line without being part of it. The risk-based audit plan is approved by the board and updated as the firm's activities and risk profile change. The reporting line runs to the board, not through the compliance officer and not through the CEO.
A CySEC inspection and an internal audit ask the same questions
CySEC inspections are not announced with sufficient advance notice to prepare from scratch. They examine client onboarding and KYC procedures. They examine conflicts of interest management. They examine client funds handling and safeguarding. They examine the methodology behind the compliance officer's annual report. They examine whether the firm's operating procedures correspond to the business model approved at licensing. They examine AML controls, record-keeping, best execution, and governance. Since DORA became applicable in January 2025, digital operational resilience and ICT risk management have also entered CySEC's supervisory scope.
A properly conducted internal audit examines all of the same areas. The structural difference is sequence. When the internal auditor identifies a gap, the firm has the opportunity to close it on its own timeline, before the regulator arrives. When CySEC identifies the same gap during an inspection, the firm has the obligation to close it under regulatory scrutiny, on CySEC's timeline, with the finding recorded on its supervisory history.
A CIF that invests in a rigorous internal audit function is running a structured dry run of the inspection that will eventually come. Every gap the board identifies and closes through a corrective action plan is a gap that does not appear in the CySEC inspection report. Every gap the internal audit does not surface, or that the board receives but does not act upon, remains in the firm's operations, waiting for someone with more authority to find it.
What a recurring finding tells the regulator
In its supervisory assessments of internal audit reports, CySEC has consistently found one failure that carries particular weight: board minutes do not contain implementation timeframes for the corrective measures decided upon. When the same finding reappears the following year without a recorded timeframe, the reading is not that the firm has a persistent operational problem. It is that the board received the finding and did not manage the correction, a governance failure layered on top of an operational one.
CySEC has also found that internal audit methodology is insufficiently described in many reports: the specific areas and clients examined, the timing of reviews, the tests performed, and sample selection proportional to the risk profile of the firm's activities. These are not technical failures in presentation. They are indicators of whether the audit was conducted with genuine rigour or produced to satisfy a submission deadline.
Every stage of growth produces findings
Every licensed CIF builds its compliance framework around a specific business model, investment services, client profile, and governance structure. The internal audit in year one tests whether the firm as it actually operates corresponds to the firm that was approved. It almost never does exactly, not because the firm misrepresented itself at licensing, but because the distance between a governance document and a live operation always produces gaps. The same dynamic applies at every subsequent stage: adding a new service creates compliance obligations the existing framework may not yet cover, cross-border passporting introduces jurisdictional requirements that must be mapped, and new client segments change the risk profile in ways risk management procedures must absorb.
A board that understands this is not unsettled by findings that emerge during growth phases. It expects them, and treats them as evidence the audit function is working. The board that should be unsettled is the one whose annual report returns consistently clean, regardless of what the firm has done that year. That pattern does not signal a well-run firm. It signals an audit that is not looking hard enough.
The cheapest internal auditor is often the most expensive one
An internal audit that is underpowered, whether because the auditor lacks regulatory depth, independence from management pressure, or the commercial understanding to distinguish a process imperfection from a genuine compliance risk, does not reduce the firm's exposure. The gaps exist in either case. What changes is whether the firm knows about them before the regulator does.
The correct frame for evaluating the internal audit function is not what it charges, but what it prevents. The auditor who identifies five significant compliance gaps before a CySEC inspection has generated a return; the alternative is a CySEC inspection report carrying those same findings, each requiring mandatory remediation on the regulator's timeline.
CySEC reads internal audit reports. A report that documents its methodology, specifies the clients reviewed, justifies the sample selection by risk category, and provides actionable findings is a report that reflects a genuine audit. A report that reaches the same clean conclusion every year without that substance invites exactly the kind of scrutiny the board was hoping to avoid.
Independence and commercial understanding are not in conflict
The independence of the internal audit function is a structural requirement, not a matter of professional preference. In practice it means the reporting line runs directly to the board, access to any area of the firm cannot be restricted, and the findings are what the evidence shows. These conditions are entirely compatible with the other quality a good internal auditor for a CIF must bring: commercial awareness.
A good internal auditor for a licensed investment firm understands what investment activities are being conducted, what client types are being served, what the commercial pressures of the business are, and the practical constraints within which management operates. This understanding does not compromise the audit. It makes the findings more accurate and the recommendations more executable.
Commercial awareness is not a concession to management pressure. It is the foundation of a finding that is both accurate and actionable. A CIF that treats its internal auditor as the person who will tell it what it needs to hear, before someone with more authority does, has understood the function correctly. A CIF that treats the audit as an annual document to be produced and submitted has not.
Why outsourcing the internal audit works for most CIFs
CySEC permits the internal audit function to be outsourced to an external provider. The regulatory responsibility remains with the firm; outsourcing the activity does not transfer the obligation. The firm must ensure the provider has the necessary authority, resources, expertise and access to perform the function effectively.
Within those conditions, an outsourced function frequently delivers stronger performance than an internal appointment. A provider operating across multiple CIFs brings pattern recognition that a single internal hire cannot match: they see the same categories of finding repeated across different firms, at different stages of development, under different cycles of CySEC supervisory attention. Structural independence is also stronger: an external provider's professional obligation runs to the board and to the accuracy of their findings, not to institutional accommodation.
For many CIFs, outsourcing also provides access to specialist capability that an internal appointment would not. Since January 2025, DORA requires every CySEC-regulated entity to ensure its ICT and digital operational resilience risks are subject to independent audit. CySEC permits the firm's external internal auditor to cover this scope, but only where the provider has the requisite expertise in digital operational resilience. An outsourced provider that combines regulatory audit capability with ICT audit experience delivers both requirements under a single engagement.
The internal audit report is not a document you submit to CySEC. It is a record of what your board knew, when it knew it, and what it chose to do.