Failures in basic internal controls are linked to at least £1bn in fines from the Financial Conduct Authority (FCA), according to new research.
Figures compiled by the Chartered Institute of Internal Auditors (CIIA) reveal that 54% of all FCA fines between 2021 and 2025 were connected to deficiencies in internal controls that “regulators warned could have enabled money laundering, terrorist financing or organised crime”.
Arleen McGichen, president of the CIIA, says the findings should concern boards across the financial services sector.
“Too many firms are not getting the basics right in areas such as anti-money laundering, where there should be zero tolerance for failure.”
The CIIA’s report, Internal Control Failure, analysed FCA final notices issued over the previous five years. Out of 97 fines, 52 were linked to internal control failures. Many of the cases involved “consumer harm”.
The CIIA says that in “case after case”, regulators uncovered warnings and red flags from internal controls and compliance teams that were ignored.
McGichen says: “Internal audit has a critical role to play in independently assessing whether controls are effective and in holding senior management and boards to account when issues persist.
“But assurance only works when it is properly resourced, with issues taken seriously and acted upon.”
Provision 29 compliance
The warning comes at a time when companies are implementing Provision 29, a new element of the UK’s Corporate Governance Code revised in 2024, which asks boards to report on the effectiveness of their internal controls.
Controversially, there were proposals to mandate the reporting in legislation, but the government at the time opted to include the measures in the governance code.
Provision 29 was part of a broad sweep of reform proposals triggered by the Carillion collapse, prompting a major review of audit content and regulation.
In January, the government announced it was bringing an end to audit reform efforts, though it added that it would push ahead with placing the regulator, the Financial Reporting Council, on a statutory footing. When that will happen remains unclear, as does whether the FRC would acquire any new powers.



