An internal audit function is an independent, objective assurance and advisory activity that evaluates an organisation’s governance, risk management, and internal control processes. For Cayman Islands entities regulated by the Cayman Islands Monetary Authority (CIMA), having a formal internal audit function is not universally mandated by statute. But CIMA’s Corporate Governance Rule and broader regulatory expectations mean that many regulated entities, particularly larger or more complex structures, will in practice require either a formal internal audit function or an equivalent independent review arrangement.

 

What an internal audit function does

Internal audit assesses whether an organisation’s systems, processes, and controls are operating as intended and whether they are adequate to manage the risks the entity faces.

Unlike external audit, which focuses on verifying financial statements for shareholders, internal audit is an ongoing, management-facing activity. Its findings inform the board, senior management, and audit committee, and ultimately support better decision-making across the organisation.

When CIMA expects an internal audit function

CIMA’s Rule – Corporate Governance for Regulated Entities (2023) – sets out governance requirements for all regulated entities including investment managers, advisers and funds. The Rule does not prescribe a dedicated internal audit department for every entity, but it does require that governance structures are commensurate with an entity’s size, complexity and risk profile. For larger and more complex regulated entities, including those managing significant assets or operating across multiple lines of business, CIMA’s expectation of independent oversight will in most cases necessitate a formal internal audit function or an equivalent independent review arrangement.

Smaller entities and proportionality

CIMA applies a proportionality principle. Smaller, simpler entities may discharge their internal audit obligations through periodic independent reviews rather than maintaining a dedicated internal audit team. However, the complete absence of any internal audit-equivalent activity is unlikely to satisfy CIMA’s governance expectations for a regulated entity, regardless of size.

Outsourcing the internal audit function

Many Cayman Islands regulated entities, particularly investment managers and advisers without large in-house compliance teams, outsource their internal audit function to a specialist provider. This is an accepted and practical approach. Where internal audit is outsourced, the regulated entity remains responsible for oversight of the provider and for ensuring the function operates effectively and independently. The key requirement is that the function remains independent of the activities being audited and reports to an appropriate level of governance, such as the board or audit committee, rather than to management.

 

Understanding whether your entity needs a formal internal audit function, and what form it should take, is an early governance decision with long-term regulatory implications.


WB Group provides internal audit services for Cayman Islands regulated entities. Contact us to discuss what’s right for your structure.

 

FAQs

What is an internal audit function and is one required for a Cayman Islands regulated entity?

An internal audit function is an independent, objective assurance and advisory activity that evaluates an organisation’s governance, risk management, and internal control processes. For Cayman Islands entities regulated by the Cayman Islands Monetary Authority (CIMA), having a formal internal audit function is not universally mandated by statute. But CIMA’s Corporate Governance Rule and broader regulatory expectations mean that many regulated entities, particularly larger or more complex structures, will in practice require either a formal internal audit function or an equivalent independent review arrangement.


Is internal audit mandatory for all Cayman Islands regulated entities?

Not in every case. CIMA applies a proportionality principle: the governance structures required depend on an entity’s size, complexity, and risk profile. Larger or more complex regulated entities are likely to require a formal internal audit function or an equivalent independent review arrangement. Smaller entities may satisfy CIMA’s expectations through periodic independent reviews rather than a dedicated programme.


Can a Cayman Islands regulated entity outsource its internal audit function?

Yes. Outsourcing internal audit to a specialist provider is widely accepted for Cayman Islands regulated entities, particularly investment managers and advisers. The key requirement is that the function remains independent of the activities being reviewed and reports to an appropriate governance body, such as the board or an audit committee, rather than to senior management.


What is the difference between internal audit and compliance monitoring?

Compliance monitoring checks whether an entity is following specific regulatory rules and its own policies. Internal audit is broader: it assesses whether the entire system of governance, risk management, and internal control is adequate and operating effectively. Both functions are complementary and both are relevant to CIMA-regulated entities.
