A risk-based internal audit programme prioritises audit activity according to an entity’s most significant risks, rather than conducting reviews on a fixed cycle regardless of risk. For an offshore investment manager, the key components are: a risk universe and risk assessment, an annual audit plan derived from that assessment, structured individual audit engagements, findings and recommendations reporting to the board or audit committee, and a process for tracking management’s responses through to resolution.
What are the Foundations of a Risk-Based Internal Audit?
The foundation of any risk-based programme is a comprehensive risk universe: a structured inventory of the risks the entity faces across its operations, governance, compliance, and financial reporting. This is assessed for likelihood and potential impact, producing a risk ranking that drives the audit plan. For a Cayman-registered investment manager, the risk universe will typically include: AML/KYC compliance, NAV calculation processes, oversight of delegated service providers, regulatory reporting (FATCA/CRS, CIMA filings), valuation governance, IT and cybersecurity controls, and conflicts of interest management.
What is in an Annual Audit Plan?
The risk assessment translates into an annual, or multi-year, audit plan that sets out which areas will be reviewed, in what depth, and on what schedule. Higher-risk areas receive more frequent or more detailed coverage; lower-risk areas may be reviewed less often or in lighter scope. The audit plan should be approved by the board or audit committee before the programme begins and reviewed periodically if circumstances change materially, for example, following a regulatory update, a business change or a significant operational event.
What do Individual Audit Engagements Look Like?
Each audit engagement should have a defined scope, clear objectives, and a structured methodology. Common engagements for an investment manager include: an AML/KYC controls review; a review of the oversight and due diligence framework for delegated functions; a review of CIMA regulatory reporting processes; a valuation governance review; and an IT access controls review. Each engagement should produce a written report with findings rated by severity and specific, actionable recommendations addressed to management.
How Should Findings be Reported and Governed?
Audit findings should be reported to the board or audit committee in a summary format that highlights the highest-severity issues and tracks management’s commitments to remediation. An effective programme includes a findings tracker that records each recommendation, the agreed management response, the responsible owner, and the target completion date. This creates a governance audit trail, precisely the type of documented evidence that the Cayman Islands Monetary Authority (CIMA) will expect to see during an inspection.
What Follow-up and Continuous Improvement is Required?
Closing audit findings is not the end of the process. Open items should be followed up until resolved, and repeated failures to remediate agreed actions should be escalated to the board. The overall programme should also be reviewed annually to ensure the risk assessment remains current. For growing investment managers, the scope of the programme will need to expand as the business scales, new strategies are added, or regulatory obligations increase.
A well-designed risk-based internal audit programme is one of the clearest signals of operational maturity for an offshore investment manager, and one of the most practical tools for staying aligned with CIMA’s governance expectations.
wb.group designs and delivers risk-based internal audit programmes for offshore investment managers. Contact us to discuss your current risk profile.
FAQs
A cyclical approach audits all areas on a fixed rotation regardless of risk level: every function gets reviewed in every cycle. A risk-based approach allocates audit resource according to where the risks are greatest, meaning high-risk areas are reviewed more frequently and in more depth, while lower-risk areas may be covered less intensively. CIMA’s governance expectations align more closely with a risk-based approach.
The risk assessment underlying the programme should be reviewed at least annually, and more frequently following material changes, such as a new regulatory requirement, a significant operational event, or a change in the entity’s business model. The audit plan itself should be updated to reflect any changes in the risk assessment. The board or audit committee should formally approve any material changes to the programme.
The highest-priority areas typically include AML/KYC compliance, NAV calculation and valuation governance, oversight of delegated service providers (including fund administrators and prime brokers), CIMA regulatory reporting (FATCA/CRS filings, annual returns), and IT access controls. The specific risk ranking will depend on the manager’s strategy, investor base, and regulatory obligations, which is why the risk assessment must be tailored to the entity rather than applied generically.