
Designing an Effective Third Line of Defence for Financial Crime Compliance

Continuing on the Lines of Defence series, in this third and final instalment, Thistle Initiatives Partner, Michael Knight-Robson, looks at independent assurance in the Third Line of Defence.  

In previous articles, we explored what good looks like across the first and second lines of defence within financial crime compliance frameworks. The first line is responsible for executing controls and ensuring operational processes prevent and detect financial crime risk. The second line provides oversight through monitoring, testing and quality assurance to assess whether those controls are operating effectively. 

However, neither of these functions can provide truly independent assurance. This is where the third line of defence plays a critical role. The third line, typically internal audit, provides independent, objective assurance to senior management and the Board on whether financial crime compliance systems and controls are appropriately designed and operating effectively. From experience, the FCA frequently observes weaknesses in third-line oversight. In particular, a number of s166 Skilled Person reviews highlight ineffective internal audit programmes that fail to identify material control weaknesses. And, as we have highlighted throughout this assurance framework series, it is imperative that all lines of defence work collaboratively and effectively. When implemented correctly, the third line acts as the final safeguard, ensuring that weaknesses missed by the first or second line are identified and remediated, and mitigating the risk of regulatory scrutiny.

The Importance of Independent Assurance

An effective third line of defence provides senior management with confidence that financial crime controls are operating as intended across the firm. As mentioned, one of the most common findings documented in s166 Requirement Notices is that internal audit reviews are either too infrequent, too high-level, too generic or insufficiently focused on financial crime risks. As a result, material weaknesses remain undetected until they are identified by regulators. 

In numerous supervisory reviews and final notices, the FCA has observed that internal audit programmes did not adequately challenge the effectiveness of first and second-line activities. Instead, they relied heavily on management assurances or high-level documentation reviews. A well-designed third line programme should therefore provide deep, evidence-based testing, covering both the operational controls themselves and the effectiveness of the oversight framework. 

Internal Audit vs External Assurance: Advantages and Limitations

When designing a third line of defence framework, firms must decide whether assurance reviews should be conducted by internal audit teams or external specialists. Both approaches have advantages and limitations. 

Internal audit teams offer strong knowledge of the firm’s governance structure, internal processes, and risk appetite. They also provide continuity and can build institutional knowledge over time. Where internal audit teams possess sufficient financial crime expertise, they can deliver highly effective assurance reviews.

However, many internal audit teams are structured as generalist functions, responsible for reviewing a wide range of risk areas across the firm. As a result, financial crime reviews may be conducted by auditors without deep subject matter expertise in areas such as the design of transaction monitoring rules, sanctions screening calibration, and, more generally, the FCA’s financial crime compliance expectations. This lack of specialist knowledge can lead to reviews that focus on procedural compliance rather than assessing whether controls are genuinely effective at detecting financial crime risks. It can also lead to several rounds of (mostly) constructive back-and-forth discussion between the first and second lines and the third line of defence on the less ‘black and white’ and undocumented elements of the FCA’s expectations.

External consultancy firms, by contrast, bring deep subject matter expertise and current regulatory insight. Specialist financial crime auditors are typically more familiar with supervisory expectations and emerging industry practices, and provide benchmarking against similar firms. As highlighted in the FCA’s Financial Crime Guide under good practice for ‘Quality of Oversight’, “Smaller firms seek external help if needed.” They may also provide a more independent perspective where internal teams have become too close to existing processes. The downside, of course, is that external reviews can be more costly and may require time for consultants to understand the firm’s specific operating model.

In practice, many firms adopt a hybrid approach, where internal audit maintains ownership of the programme while bringing in external financial crime specialists to conduct the review, working together to ensure the third line assurance review is effective and identifies all potential gaps.

Building an Effective Third Line of Defence Programme

Designing a robust third-line assurance programme begins with ensuring that internal audit coverage is risk-based and aligned to the firm’s financial crime business-wide risk assessment (BWRA). Financial crime risk varies significantly across firms based on customer types, geographies, products, transactions and delivery channels. Internal audit programmes should therefore prioritise areas of highest inherent and residual risk. 

Rather than reviewing every process on a fixed cycle, firms should consider factors such as: 

  • High-risk products provided by the firm
  • Controls previously identified as not meeting expectations
  • Higher risk customer types (e.g. PEPs)
  • Areas of focus by the FCA (e.g. sanctions)

A risk-based programme ensures that internal audit resources are focused where they will provide the greatest value.  

Another critical element is sufficient depth of testing. Internal audit reviews should not rely solely on policies, procedures, and process walkthroughs. Instead, they should include detailed testing of operational controls, including sample testing of CDD/EDD files, transaction monitoring alerts, fraud detection alerts, sanctions screening processes, and suspicious activity reporting. 

Importantly, internal audit should also assess the effectiveness of the first and second lines of defence themselves. For example, if the first line operates a quality control (QC) framework and the second line performs quality assurance (QA) monitoring and testing, the internal audit should test whether these frameworks are operating effectively. This should involve selecting samples of cases that:  

  • Have passed through first-line QC checks
  • Have been reviewed through second-line QA testing
  • Have not been subject to either process

By doing so, the internal audit can determine whether the first and second-line oversight mechanisms are successfully identifying errors and control weaknesses. 

The Importance of Financial Crime Expertise

Another issue frequently observed across firms is the use of generalist/head-office auditors rather than UK financial crime compliance specialists. While general auditors possess strong risk management and assurance skills, financial crime controls are highly specialised. Without this knowledge, reviews may fail to identify subtle but critical control weaknesses. This issue can be further compounded when internal audit reviews are conducted by head office teams located outside the UK. While centralised audit teams can provide consistency across global operations, they may lack a detailed understanding of UK regulatory expectations, beyond documented legislation and regulation. 

Among the examples of poor practice in the FCA’s Financial Crime Guide, one area of concern and feedback from the regulator is that “Compliance unit and audit teams lack experience in financial crime matters.” In these cases, internal audit reviews did not identify weaknesses that were later raised by regulators during supervisory visits. Ensuring that internal audit teams possess appropriate financial crime expertise and jurisdiction-specific knowledge is therefore essential.

Reporting Findings and Driving Remediation

The value and effectiveness of internal audit assurance ultimately depend on how effectively findings are communicated and remediated. Internal audit reports should clearly articulate: 

  • The root cause of the identified issues
  • The potential financial crime risk exposure
  • The severity of control weaknesses
  • Recommended remediation actions
  • Clear ownership of actions

Findings should be presented in a way that allows senior management, the Board and the business to understand the implications for the firm’s financial crime risk framework. Equally important is ensuring that remediation actions are properly tracked and validated. Many firms maintain issue tracking frameworks through auditable systems where management commits to remediation timelines. 

However, internal audit should not simply rely on management confirmation that actions have been completed. It is paramount that internal audit conducts independent validation testing to confirm that remediation actions have been effectively implemented and that the underlying control weaknesses have been addressed. This should be done after the control has been implemented and embedded, so that its effectiveness can be assessed, especially for actions identified as higher risk. Without this validation process, there is a risk that issues are recorded as closed even though the underlying control deficiencies remain.

Conclusion

The third line of defence plays a crucial role in providing independent assurance over financial crime compliance frameworks. When implemented effectively, internal audit can identify control weaknesses before they become regulatory issues, strengthen governance frameworks, and provide senior management with confidence that financial crime risks are being appropriately managed and mitigated.

However, this requires more than simply conducting periodic internal audit reviews. Third line assurance programmes must be risk-based, sufficiently detailed, and supported by appropriate financial crime expertise. By ensuring that internal audit reviews thoroughly assess the effectiveness of first and second-line controls, firms can build a more robust and resilient financial crime compliance framework.

Ultimately, a strong third line of defence is not just about meeting regulatory expectations; it is about ensuring that firms are genuinely equipped to detect, prevent, and respond to financial crime risks.


Meet the Expert


Michael Knight-Robson, Financial Crime Partner

Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.