The Head of Internal Audit is one of the most consequential hires a financial services firm can make. Get it right and you have a trusted, independent voice at the top table, someone who protects the firm, challenges the business, and builds genuine credibility with the regulator. Get it wrong and you can find yourself repeating the process eighteen months later, with all the disruption and cost that entails.
After three decades placing internal audit professionals across financial services, including a significant number of SMF5 mandates, we’ve seen the full range of how these appointments play out. What follows is an honest account of where firms most commonly trip up, and what the best processes look like.
Positioning: the JD may look the same on paper, but it isn’t
The first consideration, before the process even begins, is to think carefully about how the role is positioned and what that signals to the best candidates in the market. A Head of Internal Audit role at two broadly comparable firms can look almost identical on paper. But the best candidates those with options, those who can afford to be selective, will look well beyond the job description. They are asking: Does this firm actually value internal audit, or is this a compliance exercise?
Positioning communicates the answer before a candidate has spoken to anyone. Where does the role sit in the hierarchy? Is audit treated as a strategic partner or a back-office function? These signals are picked up quickly by experienced professionals, and they matter enormously in a market where the best SMF5 candidates are rarely actively looking.
Reporting Lines: The signal every candidate reads first
Nothing tells an experienced Chief Auditor more about a firm’s attitude to internal audit than its reporting line structure. The UK Internal Audit Code of Practice is clear on this point: the Chief Internal Auditor must have a primary reporting line to the Chair of the Audit Committee (ACC). That much is non-negotiable. Where firms differ, and where candidates form strong views, is on the secondary reporting line.
The ACC and CEO combination is the gold standard. This matters for several reasons. It signals that the most senior executive in the organisation is engaged with and supportive of internal audit. It ensures there are no potential no-go areas, no part of the business that might be awkward to audit because of a managerial relationship with the person overseeing the function. And it positions internal audit as a genuine strategic partner rather than a compliance exercise bolted on to satisfy regulatory requirements.
ACC with a dotted line to the CFO or General Counsel (GC) is common place, but can be viewed more cautiously. The concern being, if the CFO or GC has day-to-day managerial responsibility for the Chief Auditor, then auditing their areas of the business becomes inherently complicated. The best candidates, those who take their independence seriously, will identify this immediately and factor it into their thinking. It doesn’t make a firm uninvestable as an opportunity, but it does raise questions that will need honest answers.
Occasionally there is a gap between the formal reporting structure and the day-to-day working rhythm, which is entirely understandable in complex organisations. The firms that navigate it best address it directly with candidates and demonstrate that the independence of the function is protected in practice. Transparency here is always the right instinct.
Committee Attendance: independence, access, and the right balance
Reporting lines are one signal. Committee attendance is another. The Chief Auditor will, of course, attend the Audit Committee and typically the Risk Committee(s). The question that candidates increasingly ask, and that the UK Internal Audit Code addresses, is whether they also attend the Executive Committee, and if so, on what basis? The Code is clear that the Chief Internal Auditor should have access to senior management meetings where this is necessary to carry out their role effectively. But independence cuts both ways. A Chief Auditor who is a full member of the ExCo risks becoming too embedded in executive decision making, which can compromise the objectivity that gives internal audit its value.
Based on the feedback we have, the arrangement that works best in practice is attendance by standing invitation rather than full membership. This gives the Chief Auditor visibility of strategic discussions, the ability to raise concerns at the appropriate level, and access to the people and information they need,without crossing the line into executive accountability that would undermine their independence.
Some firms operate this way as a matter of course. Others don’t extend this access at all, which candidates at this level notice and then question if internal audit is regarded as a strategic function. If also combined with a suboptimal reporting line, that can be enough to make the best people look elsewhere.
Process Design: keeping it focused and efficient
The recruitment process itself deserves careful thought. An SMF5 appointment involves important stakeholders, and bringing them together efficiently makes a significant difference, both to the quality of the decision and to the candidate experience.
The core stakeholders are typically the ACC, CEO, and HR. For firms with a Global Chief Auditor, timing their involvement matters. Too early creates ambiguity about where decisions are being made; too late and a critical relationship hasn’t been tested before an offer is made. A useful framing is to distinguish between who needs to meet candidates before a decision and who can be involved afterwards. Some ExCo meetings can work well post-offer, particularly where they are relationship-building rather than assessment-focused. The appointments that work best have three to four well-structured stages, with candidates kept informed throughout. Senior professionals will draw conclusions about how a firm operates from the experience of its hiring process so it’s worth making sure that experience reflects well.
Regulatory Approval: plan for it, don’t let it catch you out
Regulatory approval under the Senior Managers and Certification Regime adds a step that firms occasionally underestimated. Most firms make an offer conditional on regulatory approval, with compliance leading the submission once the candidate has joined or is preparing to. What matters is that compliance is involved early before the final hire decision so that any fit and proper issues can be identified rather than surfacing after an offer has been made.
The profile of the candidate matters here. Where the incoming SMF5 has a substantive internal audit background, the assessment is usually straightforward. Where they are coming from a different discipline; risk, compliance, or elsewhere regulators have in some cases required the new SMF5 to obtain a recognised audit qualification within an agreed period. This is not a barrier, and we have seen excellent appointments made on this basis, but it needs to candidate buy-in.
What good looks like
The best appointments share a set of common characteristics. The role is positioned as genuinely senior, with reporting lines that reflect that. The process is structured and efficient. Stakeholders are engaged at the right moments, not every moment. And the regulatory dimension is planned for rather than reacted to.
None of this is complicated. But it requires someone,whether internal, or an external partner who knows this market to think it through before the first candidate conversation takes place. That is what we do and after three decades specialising exclusively in this market, it is what we do better than anyone.
If you are planning a Chief Internal Auditor or SMF5 appointment and would like to work with a firm that has one of the deepest track records in financial services internal audit executive search, we would welcome that conversation.
Hybridge is the specialist executive search firm for Chief Internal Auditor and SMF5 appointments in financial services. If you are planning a senior internal audit hire, we would welcome the opportunity to talk.