Even The Devil Hates Internal Audits

Question – Which of the following fully addresses the expectations of the Monetary Authority of Singapore (“MAS”)/best practices with respect to ensuring the adequacy of the compliance function at a financial services firm?

  A. Nominating a receptionist with no compliance experience as your compliance
  B. Hiring a junior compliance
  C. Hiring a dedicated compliance
  D. Fully outsourcing your compliance function to Holland & Marie
  E. None of the

The answer is E. While each of B, C and D (with D being our favourite) may satisfy the MAS for most issues, regulated financial services firms are also expected to conduct a periodic internal audit of their compliance functions.


Yes. However, we consider it an expectation of the MAS. If the MAS expects something, we advise you to do it.1

We refer to the MAS’ Guidelines on Risk Management Practices – Internal Controls (the “Internal Control Guidelines”)2. The Internal Control Guidelines are not laws or regulations.3 Instead, they should be seen as recommended best practices.

Paragraph 2.6.1 of the Internal Control Guidelines states: “An institution should have in place an adequately staffed, independent and permanent internal audit function responsible for assessing whether existing policies, processes and internal controls (including risk management, compliance [emphasis added] and corporate governance processes) are independent, effective, appropriate, and remain sufficient for the institution’s business.”

What happens when you comply with applicable law but choose not to adopt MAS recommended practices? The answer depends on the facts and circumstances of the specific case. If nothing else, you will likely increase regulatory scrutiny of your business, which we do not recommend.4


The Institute of Internal Auditors’ definition of internal audit is: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

In layman’s terms, an internal audit is a process by which an independent party checks your work, similar to someone who proofreads an article for spelling errors.

Can you hire an outsider to do an “internal” audit? 

Yes. Instinctively, you may think of an internal department that runs checks on the business’ processes. However, an internal audit may be outsourced to (i) company affiliates (such as the internal audit department of your parent company) or (ii) third parties, including firms like ours.

What functions are audited?

You can do an internal audit of any function. Imagine you wanted salespeople to summarize all their sales calls in writing (the “Sales Policy”). You could then do an internal audit of that process to confirm whether staff had in fact (i) catalogued such contacts and/or (ii) included sufficient details in their written summaries to comply with the Sales Policy.

The Internal Control Guidelines highlight checks on controls and governance, but internal audits are not necessarily tied to “back office” functions.

What is the difference between an internal audit of compliance and the review of internal controls done by a firm’s financial auditor? 

Nothing unless otherwise agreed.

The Financial Audit 

Every capital markets license holder is required to have their financial statements audited (the “Financial Audit”). Firms that do this work include accounting firms such as Ernst & Young or PWC. Upon completion of the Financial Audit, the auditor prepares an opinion which is sent to the MAS.

The Controls Review 

As part of the Financial Audit, the auditor reviews your accounting system and internal controls (the “Controls Review”). The Controls Review is done to assist the auditor in expressing an opinion on your financial statements as a whole. The auditor prepares a memorandum setting out the findings of the Controls Review. This memorandum is also sent to the MAS.

How is the scope of an internal audit determined?

As discussed above, there is no prescribed scope for an internal audit of the compliance function. It should be appropriate for the scale and complexity of your business. We recommend you consult with your management, compliance team and financial auditors to understand what they think is an appropriate scope. Then the Board (or relevant subcommittee) should reach a final determination of the scope.

How are internal audits conducted?

Typically, auditors will ask you for a master list of whatever process is being audited, and then conduct a sample check. For example, in an audit of compliance with the Sales Policy for 2018, the auditor may ask to see a list of (i) all the written summaries of sales calls and (ii) client trades for 2018. Next, the auditor may ask for particular samples of the summaries and query any trades that do not have a corresponding entry in the master list of sales contacts (which may indicate a failure to adhere to the Sales Policy).

After the sample check, the auditor typically shares its draft findings with management and asks for management comment. This often results in several discussions where management may disagree with the auditor’s factual findings, risk ratings, recommendations or other observations. In addition, the auditor may have questions and comments on management’s replies. Regardless of such back and forth, management has no control of the internal auditor’s ultimate opinion5 and the auditor cannot dictate what management says in its replies. Nevertheless, typically both sides make an effort to produce a report that both sides believe is fair and reasonable.

After the internal audit report and management replies are finalised, the report is shared with the firm’s Board of Directors as well as the MAS.

What happens as a result of deficiencies found in an internal audit? 

The answer depends on the specifics of the deficiency. A material breach of law will likely result in a follow-up query from the MAS at a minimum. A report with minor, technical deficiencies will likely be reviewed and then simply put in your file, with no further consequence.


Understand the scope of your internal audit and stay tight to it

The auditors work for you. To that end, if the auditor asks questions or makes recommendations that fall outside the scope decided by the Board, it is reasonable to take issue with that.6 When auditors go outside their scope, there can be material, adverse effects on your business such as causing employees to step away from their regular duties to address matters raised that the Board did not intend to be considered. In addition, a broader review may result in increased costs not envisaged by the Board.

Obviously, the auditor may make superfluous inquiries/observations that are helpful to your business, including finding errors or breaches that you want to correct. However, it is your choice to decide (i) whether the additional inquiry/observation is helpful and (ii) how such matter is raised. For example, if an auditor has a helpful suggestion that is outside the agreed scope, the auditor can share the suggestion verbally and the point can still be constructively addressed by the company.

Not all issues need to be addressed through an internal auditor’s formal report.

Choose your auditor wisely 

Make sure the auditor has the strengths that you want. If you want a bloodhound investigator, make sure you get that. If you want an industry expert to do the work rather than the most junior person who will learn on the job, make sure you get that. If you want someone who applies common sense and is reasonable to work with…. you get the point.

Address observations before the report is finalized

Towards the end of the audit process, the auditor will present you with draft findings and recommendations for your comment. Have your compliance team review the comments and address them such that they are closed before the report is finalized and even goes to the MAS, if possible. For example, if there is a finding that your outsourcing register is insufficient, make the changes immediately so that the management response to the auditor’s suggestion can be: “Completed. No further actions required.” For recommendations that cannot be implemented upon finalizing the report, make sure you are reasonable in your timeline for completion and committed to doing what you say you will do in your reply.

Manage your expectations

Although you are paying the auditor and it owes your firm a professional service level, the auditors do not know your business as well as you do. As a result, the audit process often feels unnecessarily painful. Common complaints of internal auditors include:

  • I’ve explained this Why don’t you understand my business by now?
  • I’ve already given these documents to
  • What you are asking for is impossible/no one in our industry
  • My staff have no time to do their regular work they are so busy with your requests.
  • Your risk rating is too
  • The control failure you identify was the result of human error rather than a systemic

When Holland & Marie conducts internal audits, we try to be cognizant of and pre-empt such potential complaints. Still, these complaints are pervasive with respect to internal audits and you should be aware of that truth. In particular, it’s possible for staff to improperly make such complaints to avoid mundane work or conceal potential issues from discovery.

There is also a perception that auditors have to find something wrong when they do an audit and cannot issue a perfect report. Technically, that cannot be correct. But it feels true and we suggest not expecting perfection out of any function subject to an audit.


Internal audits are painful. That’s why even the devil hates them. However, because our partners have been through internal audits from the perspective of being compliance officers at regulated firms, we know how to conduct an internal audit that is exacting and thorough without being unreasonable or unfair.

If that sounds compelling, feel free to reach out. We would be glad to buy you a coffee and make a proposal.

About the Author

Holland & Marie is a compliance, C-Suite and legal solutions firm based in Singapore. We have extensive experience resolving typical compliance issues including regulatory inspections, satisfying regulatory requirements and maintaining best practices in corporate governance to navigate the rapidly changing regulatory landscape.

For further information, contact:

Chris Holland: Partner | Holland & Marie | 201802481R 7 Straits View, Marina One East Tower, #05-01 Singapore 018936

Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.

1 Yes, we are biased. What kind of compliance firm would we be if we did not acknowledge our conflict of interest on this subject? Internal audit of compliance is one of the services we provide. If we sell enough internal audit services, we are planning to buy a corporate jet which we will call “Air Audit One”. Having said that, we prefer to be a firm’s primary compliance advisor rather than conduct internal audits. Internal audit is one of our least favourite compliance tasks for reasons we will explain later in the article.

2 See “Internal Controls”. MAS. July 2014.

3 Paragraph 1.2.1 of the Internal Control Guidelines states: “The guidelines are not intended to be exhaustive nor do they prescribe a uniform set of requirements on internal controls for all The extent and degree to which an institution adopts these guidelines should be commensurate with the institution’s risk and business profile.”

4 Even completely transparent businesses that are fully compliant with applicable law and regulation have little to nothing to gain from increased regulatory Sadly, there are no awards given by regulators for excellence in compliance (a topic of a future, planned article).

5 Although management could fire the auditor if it feels the auditor is being

6 An internal audit can have a broad scope or a narrow The scope of an internal audit is the decision of the firm’s board of directors and management and the auditor must defer to the Board.
