Premium Practice Questions
-
Question 1 of 30
1. Question
An internal auditor is evaluating the market abuse controls at a London-based brokerage firm to ensure compliance with the UK Market Abuse Regulation (UK MAR). Which requirement best reflects the firm’s obligations regarding the submission of Suspicious Transaction and Order Reports (STORs) to the Financial Conduct Authority (FCA)?
Correct: Under the UK Market Abuse Regulation (UK MAR), firms are required to implement and maintain effective arrangements, systems, and procedures to detect and report suspicious activity. This obligation includes the submission of Suspicious Transaction and Order Reports (STORs) to the FCA without delay once the firm has a reasonable suspicion that an order or transaction could constitute insider dealing or market manipulation.
Incorrect: The strategy of waiting for a definitive legal proof of a breach fails to meet the regulatory threshold of reasonable suspicion, which is intended to ensure timely reporting. Simply reporting every trade by an insider regardless of suspicion is an incorrect application of the rules, as reporting should be based on suspicious characteristics rather than just the status of the individual. Focusing only on monthly summaries of volatility parameters is inadequate because surveillance must be continuous and reports must be filed without delay rather than on a periodic or summary basis.
Takeaway: UK MAR requires firms to proactively report suspicious orders and transactions to the FCA immediately upon forming a reasonable suspicion.
-
Question 2 of 30
2. Question
During an internal audit of the wealth management division at a London-based investment firm, an auditor identifies a series of suspicious trades in a high-net-worth client’s account. These trades occurred 48 hours before a public announcement regarding a FTSE 100 merger, suggesting potential insider dealing. The auditor is concerned about breaching confidentiality obligations if they report this externally, but also recognizes the firm’s regulatory duties under the FCA’s Market Abuse Regulation (UK MAR). What is the most appropriate action for the auditor to take to balance confidentiality with professional integrity?
Correct: Under UK regulatory frameworks and professional ethics, confidentiality is not absolute and does not override the legal or regulatory requirement to report suspected financial crime or market abuse. Reporting through internal channels like the firm’s whistleblowing mechanism or the Compliance Officer (SMF16) ensures the auditor fulfills their duty under the SM&CR while respecting the firm’s internal governance structure and legal obligations to the FCA.
Incorrect: Relying on strict confidentiality to suppress findings of potential market abuse fails to meet the auditor’s professional and regulatory obligations to uphold market integrity and protect the firm from legal risk. Choosing to confront the client directly is inappropriate as it may lead to tipping off and interferes with the firm’s formal investigative processes. The strategy of seeking external legal advice before using internal reporting lines unnecessarily delays regulatory action and may violate internal data protection policies regarding sensitive client information.
Takeaway: Confidentiality obligations do not prevent auditors from reporting suspected market abuse through established internal regulatory and whistleblowing channels.
-
Question 3 of 30
3. Question
During an internal audit of a UK-based brokerage firm, the auditor finds that a certified staff member manually adjusted a time-stamp on a client’s order execution record to hide a minor delay caused by a personal distraction. The staff member argued that the client received the best possible price regardless of the delay. Under the FCA Individual Conduct Rules (COCON), which rule has been primarily violated by this action?
Correct: The requirement to act with integrity is the primary rule breached because the individual intentionally falsified a record to mislead others about their performance. Integrity involves being honest and truthful; any deliberate act to alter records to hide a mistake or delay is a fundamental breach of this conduct standard, regardless of whether the client suffered financial harm.
-
Question 4 of 30
4. Question
A Senior Internal Auditor at a London-based investment firm is reviewing the firm’s ethical framework and governance controls. During the engagement, the auditor identifies that four Senior Management Function holders failed to submit their annual fit and proper self-attestations within the firm’s 30-day internal deadline. The Head of Compliance requests that the auditor omit this from the final report, arguing that a formal finding would disproportionately damage the firm’s internal culture metrics and regulatory standing.
Correct: The fundamental principle of objectivity requires internal auditors to provide an unbiased assessment and report facts truthfully. In the United Kingdom regulatory environment, the Financial Conduct Authority emphasizes individual accountability and a strong culture of compliance. Suppressing a factual finding regarding the Senior Managers and Certification Regime (SM&CR) compliance to protect internal metrics would constitute a failure of professional integrity and would mislead the Audit Committee regarding the effectiveness of the firm’s governance.
Incorrect: Moving the finding to an informal management letter prioritizes personal rapport with stakeholders over the auditor’s duty to provide transparent reporting to the board. The strategy of excluding the finding simply because the late submissions were eventually received ignores the breakdown in the timely operation of the control during the period under review. Choosing to reclassify a clear control deficiency as a process enhancement opportunity obscures the severity of the non-compliance and prevents the firm from addressing the root cause of the accountability failure.
Takeaway: Professional integrity requires auditors to report significant control failures transparently, even when faced with management pressure to protect performance metrics.
-
Question 5 of 30
5. Question
During an internal audit of the Corporate Finance division at a UK-based financial institution, an auditor identifies that a Senior Management Function (SMF) holder received specific, non-public details regarding a client’s upcoming acquisition. However, the SMF holder’s name was not recorded on the project-specific insider list at the time of disclosure. According to the UK Market Abuse Regulation (UK MAR) and the FCA’s expectations for market conduct, which action should the internal auditor prioritize?
Correct: Under the UK Market Abuse Regulation (UK MAR), firms are required to maintain accurate and contemporaneous insider lists of all persons who have access to inside information. When a failure in this process is identified, the internal auditor must evaluate the underlying control deficiency in the wall-crossing process. The firm must also rectify the record-keeping breach by updating the list immediately, ensuring a clear audit trail exists for the FCA regarding who had access to the information and when.
Incorrect: The strategy of recommending the divestment of securities is fundamentally flawed because trading while in possession of inside information, regardless of the motive, constitutes insider dealing under UK MAR (and, where the criminal thresholds are met, the offence under Part V of the Criminal Justice Act 1993), with the FCA’s enforcement powers deriving from the Financial Services and Markets Act 2000. Choosing to delay a public announcement is not a valid response as disclosure obligations for issuers are strictly regulated and cannot be postponed for internal administrative remediation. Focusing only on personal account dealing records is insufficient because it fails to address the firm’s regulatory obligation to maintain comprehensive and accurate insider lists as a preventative market conduct control.
Takeaway: UK firms must maintain precise, contemporaneous insider lists for all individuals with access to inside information to comply with UK MAR.
-
Question 6 of 30
6. Question
A Lead Internal Auditor at a London-based investment firm is reviewing the procurement process for IT infrastructure. They discover that a significant contract was awarded to a consultancy firm owned by the spouse of the Chief Operating Officer, who is a Senior Management Function holder. The audit reveals that this relationship was not disclosed in the firm’s conflict of interest register. In accordance with the integrity principles of the Senior Managers and Certification Regime and professional ethics, what is the most appropriate immediate action for the auditor?
Correct: Under the Senior Managers and Certification Regime and professional ethics fundamentals, integrity requires absolute transparency and the proactive management of conflicts. Since a Senior Management Function holder is involved, the breach of Individual Conduct Rule 1 regarding integrity is significant. Escalation to the Audit Committee and Compliance ensures independence and adheres to UK governance protocols for investigating potential misconduct by senior individuals.
Incorrect: The strategy of retrospectively updating the register attempts to mask a prior breach of integrity and fails to address the underlying failure in conduct standards. Simply holding a private meeting with the individual involved risks compromising the auditor’s independence and may lead to perceived collusion or undue influence. Focusing only on process efficiency while ignoring a clear conflict of interest violates the auditor’s duty of objectivity and the requirement to report significant control failures.
Takeaway: Professional integrity requires auditors to escalate undisclosed conflicts involving senior management to independent oversight bodies to ensure objective investigation.
-
Question 7 of 30
7. Question
During an internal audit of the governance framework at a UK-based investment firm, you observe that a Senior Management Function (SMF) holder has taken on additional oversight of the retail distribution team following a departmental restructuring three months ago. However, the individual’s Statement of Responsibilities (SoR) has not been formally updated or resubmitted to the Financial Conduct Authority (FCA). Which of the following represents the most significant risk regarding individual accountability under the Senior Managers and Certification Regime (SM&CR)?
Correct: Under the UK’s SM&CR, the Statement of Responsibilities (SoR) is a critical document that must be kept up to date to clearly delineate what a Senior Manager is accountable for. If the SoR is not updated to reflect significant new duties, it creates a gap in the accountability trail. This makes it difficult for the FCA to hold the individual to account under the statutory Duty of Responsibility, which requires Senior Managers to take reasonable steps to prevent regulatory breaches in the areas for which they are responsible.
Incorrect: Relying on the Certification Regime as a justification is incorrect because SMF holders are governed by the Senior Managers Regime, which is a separate pillar from the Certification Regime applied to other staff. The strategy of requiring a full new Form A application for every change in duty is a misunderstanding of the process, as many changes only require an updated SoR rather than a full new approval for a different SMF category. Focusing only on the Consumer Duty’s disclosure requirements misidentifies the core regulatory failure, which is a governance and accountability issue under SM&CR rather than a specific product transparency failure.
Takeaway: Accurate Statements of Responsibilities are essential for the FCA to enforce individual accountability and the statutory Duty of Responsibility under SM&CR.
-
Question 8 of 30
8. Question
During an internal audit of a UK wealth management firm’s retail division, the auditor reviews the disclosure process for a new multi-asset fund. The audit identifies that while all mandatory fee disclosures are included in the 50-page prospectus, client feedback suggests the total cost of investment remains unclear. Which risk assessment procedure would best evaluate the firm’s compliance with the FCA’s Consumer Duty regarding information disclosure?
Correct: The FCA’s Consumer Duty requires firms to focus on outcomes, specifically the consumer understanding outcome. This means firms must go beyond technical compliance and actively ensure that communications are tailored to the needs of their customers. Testing disclosures with a representative sample of the target market is a key method for demonstrating that the firm is supporting customers in making informed financial decisions and that the information provided is clear and not misleading.
Incorrect: Focusing only on mapping disclosures to the Financial Services and Markets Act ensures legal accuracy but ignores the qualitative requirement for information to be understandable to the layperson. Choosing to prioritize the timestamping and delivery of documents addresses the process of disclosure rather than the effectiveness of the communication itself. The strategy of reviewing insurance coverage is a risk transfer mechanism for litigation but does not evaluate whether the firm’s disclosure practices meet regulatory conduct standards or support fair treatment of customers.
Takeaway: Firms must proactively test disclosures to ensure they meet the FCA’s consumer understanding outcome for retail customers.
-
Question 9 of 30
9. Question
During an internal audit of a London-based wealth management firm, an auditor reviews the sanctions screening process following an update to the Office of Financial Sanctions Implementation (OFSI) Consolidated List. The auditor discovers that a relationship manager recently bypassed an automated ‘partial match’ alert for a high-net-worth client, citing long-standing personal knowledge of the individual’s background. The firm’s current policy allows for manual overrides but does not specify the required level of secondary authorization. Which recommendation should the auditor prioritize to strengthen the firm’s sanctions compliance framework?
Correct: In the United Kingdom, sanctions compliance is a strict liability regime overseen by OFSI. To maintain organizational integrity and meet FCA expectations for financial crime systems and controls, any decision to override a potential match must be subject to independent, senior-level oversight. The MLRO or a designated deputy should provide this second line of defense to ensure that personal biases or conflicts of interest do not lead to a breach. A robust audit trail is essential for demonstrating compliance during regulatory inspections.
Incorrect: The strategy of relying on client attestations is insufficient because individuals subject to sanctions are unlikely to self-disclose, and firms must perform independent verification. Opting to increase fuzzy logic thresholds to only flag exact matches is dangerous, as it would likely miss sanctioned individuals using aliases or slight spelling variations. Choosing to freeze assets and file a SAR immediately upon a partial match is premature; firms are expected to conduct internal due diligence first to determine if the alert is a ‘true match’ or a ‘false positive’ before taking such drastic legal actions.
Takeaway: Sanctions match overrides must be independently verified by the MLRO and fully documented to ensure regulatory accountability and prevent breaches.
-
Question 10 of 30
10. Question
During a thematic review of the Senior Managers and Certification Regime (SM&CR) framework, a UK internal auditor examines the transition of a Director from Head of Compliance (SMF16) to Head of Internal Audit (SMF5). The auditor notes that while the Statement of Responsibilities was updated and submitted to the Financial Conduct Authority, the firm bypassed the full ‘fit and proper’ assessment, citing a successful review completed eight months earlier. Which finding should the auditor prioritize as a breach of regulatory expectations?
Correct: Under the SM&CR, the ‘fit and proper’ test is not a one-time event but must be specific to the role being performed. When a Senior Manager moves to a new Senior Management Function (SMF), the firm must ensure the individual is suitable for that specific role’s demands, as the skills and potential conflicts for Compliance (SMF16) differ significantly from those required for Internal Audit (SMF5).
Incorrect: Relying on a previous assessment from a different role fails to address the unique competency requirements and professional standards of the new position. Opting for a 24-hour notification period to the PRA is incorrect as the standard regulatory window for such notifications is generally longer and depends on the specific firm type. Focusing only on the timing of the Management Responsibilities Map update identifies a documentation lag but misses the more fundamental risk of an unvetted individual holding a key accountability. The strategy of requiring a new DBS check for every internal title change is an overstatement of the specific SM&CR requirements, which focus on the fitness for the SMF role rather than administrative title changes.
Takeaway: SM&CR requires firms to validate that Senior Managers are fit and proper for the specific requirements of every new function they assume.
-
Question 11 of 30
11. Question
You are an internal auditor at a UK-based wealth management firm conducting a thematic review of the advisory process for retail clients. During your audit of 50 client files involving high-risk alternative investment funds, you observe that while suitability reports are present, the underlying data lacks specific details regarding the clients’ capacity for loss and their specific investment objectives beyond generic capital growth. Which of the following findings should be prioritized in your audit report to address the risk of non-compliance with FCA suitability requirements?
Correct: Under the FCA’s Conduct of Business Sourcebook (COBS 9), firms must obtain necessary information regarding a client’s knowledge, experience, financial situation, and investment objectives. A critical part of the financial situation is the ‘capacity for loss.’ Without granular data on how much a client can afford to lose without impacting their standard of living, a suitability assessment is fundamentally flawed and fails to meet the standard of acting in the client’s best interests.
Incorrect: Relying on the assumption that appropriateness tests apply to advised sales is incorrect, as appropriateness is specifically for non-advised services involving complex instruments. The strategy of requiring a three-competitor comparison is not a codified FCA requirement for suitability reports, even under the higher standards of the Consumer Duty. Focusing on a specific 14-day disclosure timeframe misidentifies the primary regulatory failure, as the core issue is the qualitative assessment of suitability rather than a specific pre-sale cooling-off period.
Takeaway: Suitability assessments must include a robust evaluation of a client’s capacity for loss to ensure recommendations align with their financial resilience.
-
Question 12 of 30
During an internal audit of a UK-based investment firm, the auditor reviews the Statement of Responsibilities for a Senior Management Function (SMF) holder. The SMF holder has delegated the day-to-day monitoring of the firm’s market abuse controls to a non-SMF manager to focus on strategic expansion. The auditor notes that while the delegation is documented, the SMF holder has not requested formal monthly reports on control effectiveness for the last six months. Which finding should the auditor prioritize regarding the Senior Managers and Certification Regime (SM&CR) requirements?
Correct: Under the UK’s Senior Managers and Certification Regime (SM&CR), Senior Managers are permitted to delegate tasks but they cannot delegate their ultimate accountability. The Financial Conduct Authority (FCA) requires SMF holders to take ‘reasonable steps’ to ensure the business for which they are responsible is controlled effectively. A failure to receive regular reports or monitor the delegate’s performance for six months indicates a lack of reasonable steps in maintaining oversight, which is a breach of individual accountability standards.
Incorrect: The strategy of assuming accountability transfers with delegation is incorrect because SM&CR specifically prevents the shifting of ultimate responsibility away from the Senior Manager to subordinates. Simply conducting a competency check at the start of an appointment is insufficient, as the regime demands ongoing supervision and active control of the business area. Relying solely on the existence of a Management Responsibilities Map is a procedural error, as the map describes the governance structure but does not replace the active duty of the individual to exercise and prove effective oversight.
Takeaway: Under SM&CR, Senior Managers remain personally accountable for delegated tasks and must demonstrate active, ongoing oversight through reasonable steps.
-
Question 13 of 30
An internal auditor at a London-based wealth management firm is reviewing the Anti-Money Laundering (AML) framework during an annual risk assessment. The audit identifies that three domestic Politically Exposed Persons (PEPs) were onboarded within the last six months without documented approval from senior management. The Money Laundering Reporting Officer (MLRO) argues that because these individuals are UK-based local government officials, they represent a lower risk profile and do not require the same level of enhanced due diligence as foreign PEPs under the firm’s internal risk-based approach.
Correct: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 require that all Politically Exposed Persons, whether domestic or foreign, be subject to enhanced due diligence (EDD). This includes obtaining senior management approval for the business relationship. While the FCA’s guidance (FG17/6) allows firms to treat domestic PEPs as lower risk than foreign PEPs, it does not exempt them from the statutory requirement for EDD and senior management oversight. The auditor must verify if the firm’s practices align with these legal obligations.
Incorrect: Relying solely on the MLRO’s status as a Senior Management Function holder ignores the internal auditor’s responsibility to provide independent assurance on the effectiveness of controls and regulatory compliance. The strategy of reporting the MLRO to the National Crime Agency is inappropriate at this stage as a lack of documentation for PEP onboarding is a procedural compliance failure rather than definitive evidence of money laundering. Opting for simplified due diligence for any PEP is a direct violation of UK law, which mandates enhanced measures for all individuals meeting the PEP definition regardless of their jurisdiction.
Takeaway: UK regulations mandate enhanced due diligence and senior management approval for all PEPs, regardless of whether they are domestic or foreign officials.
-
Question 14 of 30
An internal auditor at a UK financial services firm is reviewing the firm’s implementation of the FCA Consumer Duty. The auditor is specifically examining how the firm ensures that retail customers are equipped to make effective and informed decisions about complex investment products. Which of the following audit findings would most likely indicate a failure to meet the Consumer Understanding outcome?
Correct: Under the FCA Consumer Duty, firms must ensure that their communications are understandable and enable customers to make informed decisions. Simply ensuring legal or technical accuracy is insufficient; firms are expected to test communications to ensure they are clear and helpful for the specific target market, especially for complex products.
Incorrect: The strategy of providing simplified summaries to retail clients while maintaining technical depth for professional clients is generally considered a good practice for ensuring suitability and understanding. Using data analytics to track customer engagement with disclosures is a proactive monitoring tool that supports the Consumer Duty objectives. Opting to adapt communications for vulnerable customers is a core requirement of the Duty to ensure fair treatment and does not represent a failure.
Takeaway: The FCA Consumer Duty requires firms to test and monitor communications to ensure they actually support informed decision-making by the target audience.
-
Question 15 of 30
An internal audit of a UK-based private bank reveals that several accounts held by Politically Exposed Persons (PEPs) have not undergone a source of wealth (SoW) review for 30 months. The bank’s internal policy requires annual reviews for high-risk clients to comply with the Money Laundering Regulations 2017. The audit also notes that senior management has not formally re-approved these specific relationships since the initial onboarding, despite the increased risk profile of the jurisdictions involved.
Correct: Under the UK Money Laundering Regulations 2017 and FCA guidance, PEPs are inherently high-risk and require Enhanced Due Diligence (EDD). This mandatory process includes taking proactive steps to establish the source of wealth and obtaining senior management approval for the ongoing relationship. Failing to refresh this data for 30 months represents a significant control failure that must be remediated immediately to ensure the firm is not facilitating financial crime.
Incorrect: The strategy of downgrading risk ratings based on account longevity or lack of suspicious activity ignores the mandatory high-risk classification for PEPs under UK law. Opting to delay action until an external regulatory review occurs fails the internal audit responsibility to identify and remediate control weaknesses promptly. Relying solely on the unverified personal knowledge of relationship managers lacks the objective evidence required for EDD and creates significant conflict of interest risks. Simply maintaining outdated documentation violates the requirement for ongoing monitoring and periodic data refreshment for high-risk individuals.
Takeaway: PEPs require mandatory Enhanced Due Diligence, including source of wealth verification and senior management approval, to comply with UK AML regulations.
-
Question 16 of 30
During a risk-based audit of a UK retail bank’s new high-yield investment account, the internal auditor identifies that the product’s complex tiered interest structure is being marketed to a broad demographic. The audit findings suggest that the current target market assessment fails to account for the specific needs of customers with low financial literacy. To align with the FCA Consumer Duty requirements, what should the auditor recommend as the most effective control improvement?
Correct: The FCA Consumer Duty requires firms to proactively deliver good outcomes for retail customers and to evidence these outcomes through monitoring. By enhancing the product governance framework with data analytics, the firm can identify if specific segments, particularly vulnerable ones, are experiencing foreseeable harm or failing to receive fair value. This approach moves beyond technical disclosure and focuses on the actual impact of the product on the consumer, which is a core expectation of the Duty’s monitoring requirements.
Incorrect: Focusing only on disclaimers in terms and conditions is insufficient because the Consumer Duty shifts the burden from ‘buyer beware’ to firm responsibility for consumer understanding. The strategy of increasing verbal explanations during sales is a process-oriented fix that does not provide a systemic way to monitor whether the product remains suitable over its entire lifecycle. Choosing to restrict the product based solely on years of experience is an arbitrary measure that may not accurately reflect a customer’s actual financial literacy or their specific needs, potentially leading to financial exclusion without addressing the underlying governance weakness.
Takeaway: The FCA Consumer Duty requires firms to use data-driven governance to monitor and evidence that products deliver fair outcomes for customers.
-
Question 17 of 30
An internal auditor is evaluating the market abuse prevention framework at a UK-based investment firm that has recently increased its high-frequency trading activity. During the risk assessment, the auditor identifies a potential vulnerability regarding ‘layering’ and ‘spoofing’ practices. Which of the following control enhancements would provide the most robust protection against these specific forms of market manipulation in alignment with FCA expectations?
Correct: Under the UK Market Abuse Regulation (UK MAR) and FCA guidance, firms must have effective systems to detect and report suspicious orders and transactions. Automated surveillance is critical in high-frequency environments because it can analyze the entire order book in real time. This allows for the detection of patterns like layering or spoofing, where orders are placed and then cancelled to create a false impression of supply or demand, a task that cannot be performed by manual review of executed trades alone because cancelled orders never appear in trade records.
Incorrect: The strategy of increasing manual reviews of completed trades is insufficient because layering and spoofing often involve orders that are never intended to be executed. Simply conducting annual attestations serves as a compliance record but lacks the proactive capability to detect or prevent actual manipulative behavior in the markets. Opting for stricter mobile device policies addresses the risk of disclosing inside information or unauthorized communications but does not mitigate the technical execution of market manipulation within the firm’s trading systems.
Takeaway: Effective market abuse prevention in high-volume environments requires automated surveillance capable of analyzing order book data, including cancelled and non-executed orders.
-
Question 18 of 30
During an internal audit of a UK-based investment firm, the audit team observes a disconnect between the firm’s formal governance policies and the actual behavior of the front-office trading desks. While the Board has approved a comprehensive ‘Culture and Ethics’ framework in line with FCA expectations, recent internal reports indicate that middle management continues to emphasize short-term revenue over the ‘Consumer Principle’ established by the Consumer Duty. Which of the following audit procedures would provide the most reliable evidence regarding the effectiveness of the firm’s organizational integrity and culture?
Correct: The FCA emphasizes that culture is defined by ‘the way things are done around here’ rather than just formal policies. By analyzing management’s response to near-misses and complaints, an auditor can see the ‘culture in action’ and determine if the firm truly prioritizes the Consumer Duty and fair treatment of customers when faced with a choice between ethics and revenue. This approach evaluates the behavioral drivers and the actual outcomes for customers, which is central to the UK regulatory focus on firm culture.
Incorrect: Relying solely on the frequency of Board meetings or the presence of agenda items fails to assess the actual substance of the discussions or the impact of governance on staff behavior. Simply conducting a technical gap analysis of the whistleblowing policy ensures the framework exists but does not provide evidence of whether employees feel safe using it or if the culture supports transparency. Opting for a review of signed attestations only confirms an administrative completion of a task and does not measure whether the principles of the Code of Conduct are actually embedded in the daily decision-making processes of the firm.
Takeaway: Auditing culture requires moving beyond formal policy verification to evaluate the behavioral drivers and actual outcomes of management decisions.
-
Question 19 of 30
During a thematic review of governance at a London-based asset manager, an internal auditor identifies that several reports made through the internal whistleblowing hotline regarding potential market abuse were closed without formal investigation. The firm is subject to the Senior Managers and Certification Regime (SM&CR). To evaluate the integrity of the organizational culture and compliance with Financial Conduct Authority (FCA) requirements, which of the following should the auditor prioritize in their assessment of the whistleblowing framework?
Correct: Under the FCA’s SYSC 18 sourcebook, relevant firms must appoint a Whistleblowers’ Champion, typically a non-executive director, to oversee the independence and effectiveness of the whistleblowing policies. The internal auditor must verify that this role is functioning correctly and that the firm’s culture supports protected disclosures by ensuring whistleblowers do not face detrimental treatment, which is a core component of organizational integrity and the SM&CR framework.
Incorrect: The strategy of forcing employees to exhaust internal procedures before contacting the regulator contradicts FCA guidance, which allows individuals to contact the regulator at any time. Opting for settlement clauses that restrict a whistleblower’s right to seek legal advice or make a protected disclosure is legally unenforceable under the Public Interest Disclosure Act 1998. Choosing to have the whistleblowing function report to a commercial head like the Head of Sales creates a significant conflict of interest and undermines the independence required for an effective integrity framework.
Takeaway: UK firms must maintain independent whistleblowing oversight through a Whistleblowers’ Champion to ensure protected disclosures are handled without victimisation.
-
Question 20 of 30
During an internal audit of a London-based wealth management firm, the lead auditor discovers that a Senior Management Function (SMF) holder sits on the procurement committee for a new portfolio management system. The SMF holder’s spouse is a significant shareholder in one of the three shortlisted software vendors. Although the SMF holder disclosed this interest in the annual declaration six months ago, they have continued to participate in all committee deliberations regarding the vendor selection. How should the internal auditor evaluate the firm’s management of this conflict under FCA requirements?
Correct: Under FCA SYSC 10 (Senior Management Arrangements, Systems and Controls) and the SM&CR, firms must take all reasonable steps to identify and prevent or manage conflicts of interest. Disclosure alone is often insufficient when a conflict is material. Recusal ensures the integrity of the decision-making process, while a retrospective review identifies if the conflict has already compromised the firm’s duty to act in the best interests of its clients or the firm itself.
Incorrect: Relying solely on a prior disclosure and partial abstention fails to address the ongoing influence the individual may exert during deliberations. The strategy of increasing committee size is an ineffective control that does not remove the core conflict of interest or the potential for bias. Focusing only on board minutes while allowing continued technical input ignores the risk that the individual’s expertise could be used to steer the committee toward a specific outcome, violating the requirement to manage conflicts effectively.
Takeaway: Effective conflict management requires active mitigation, such as recusal and independent review, rather than mere disclosure or passive monitoring.
-
Question 21 of 30
A Lead Internal Auditor at a London-based investment firm identifies that a Senior Manager has bypassed internal credit limits to favor a long-term client. The auditor’s line manager, concerned about the impact on the firm’s upcoming regulatory assessment by the Financial Conduct Authority (FCA), suggests the finding be downgraded to a ‘process improvement’ rather than a ‘conduct breach’. According to professional ethics fundamentals and UK regulatory expectations, what is the auditor’s most appropriate course of action?
Correct: The principle of integrity requires internal auditors to be honest and not be party to any activity that is illegal or discreditable to the profession. In the UK, the FCA Conduct Rules (specifically Rule 1) mandate acting with integrity; downgrading a clear breach to protect the firm’s reputation violates both the IIA Code of Ethics and regulatory standards. Escalation ensures that the governance structure, such as the Audit Committee, is accurately informed of risks and conduct issues.
Incorrect: The strategy of agreeing to a downgrade while adding comments is insufficient because it still misrepresents the severity of the risk to the Audit Committee and regulators. Focusing only on future remediation by deferring the finding ignores the auditor’s duty to report current significant control failures and potential misconduct. Opting for external legal consultation before reporting internally is an unnecessary delay that bypasses the firm’s established governance and accountability frameworks.
Takeaway: Internal auditors must prioritize integrity and objective reporting over management pressure to protect the firm’s regulatory standing.
-
Question 22 of 30
22. Question
During a risk assessment of the IT infrastructure at a London-based wealth management firm, an internal auditor discovers that several Senior Management Function (SMF) holders are discussing sensitive client portfolio rebalancing strategies on an unencrypted internal instant messaging platform. While the platform is internal, it lacks the robust access controls required for data classified as Highly Confidential under the firm’s internal policy. What is the most appropriate professional action for the auditor to take regarding this confidentiality risk?
Correct: Internal auditors must maintain confidentiality while fulfilling their reporting obligations. Under the IIA Code of Ethics and UK regulatory expectations in the FCA Handbook (SYSC), auditors must report control weaknesses to those charged with governance. By redacting specific client names while reporting the systemic risk to the Audit Committee, the auditor balances the duty to inform the board of a policy breach with the duty to protect sensitive client information from unnecessary further exposure.
Incorrect: The strategy of notifying the regulator immediately without following internal escalation procedures is generally premature unless there is evidence of a systemic cover-up or immediate significant harm. Focusing only on a technical fix through the IT department fails to address the underlying governance and policy compliance issues that must be reported to the board. Choosing to disregard the finding because it is internal ignores the risk of unauthorized internal access and the explicit breach of the firm’s own data classification and security policies.
Takeaway: Auditors must report confidentiality risks to governance while simultaneously protecting the specific sensitive information discovered during the audit engagement.
Question 23 of 30
23. Question
During a thematic review of the governance framework at a London-based investment firm, internal audit identifies that a Senior Manager holding the SMF3 Executive Director function failed to prevent a breach of the FCA Conduct Rules within their business unit. The breach involved a failure to disclose material conflicts of interest over a six-month period. To evaluate the firm’s compliance with the Senior Managers and Certification Regime (SM&CR), the auditor must assess whether the individual met their statutory Duty of Responsibility. Which piece of evidence is most critical for the auditor to verify that the Senior Manager discharged their obligations effectively?
Correct: Under the UK SM&CR framework, the Duty of Responsibility allows the FCA and PRA to take action against a Senior Manager if a firm breaches a regulatory requirement and the manager failed to take ‘reasonable steps’ to prevent it. Internal audit must look for substantive evidence of active oversight, such as minutes of meetings where the manager challenged reports, evidence of resource allocation to risk areas, and documented follow-up on red flags, as these demonstrate the practical application of their duty.
Incorrect: Relying solely on signed annual attestations is insufficient because these are self-certifications that do not provide objective proof of proactive risk mitigation or oversight. The strategy of reviewing the Statement of Responsibilities only confirms the scope of the individual’s role and legal accountability but does not demonstrate how they actually discharged those duties in a specific scenario. Focusing only on training completion records confirms that the manager was informed of their obligations but fails to provide evidence of their actual conduct or the effectiveness of their supervision in preventing the breach.
Takeaway: Individual accountability under SM&CR requires documented evidence of proactive, reasonable steps taken to prevent and mitigate regulatory risks.
Question 24 of 30
24. Question
During an internal audit of a UK investment firm’s retail distribution channel, the auditor evaluates how the firm communicates product risks and charges. Which approach to information disclosure best aligns with the FCA’s Consumer Duty requirements regarding consumer understanding?
Correct: The FCA’s Consumer Duty requires firms to ensure that their communications are likely to be understood by the customers they are intended for. This involves a shift from simply providing information to ensuring that the information is effective. Firms are expected to test their communications and use the insights gained to improve them, ensuring they support good outcomes.
Incorrect: The strategy of presenting exhaustive technical disclosures in a standardized format often fails to consider the specific needs of the target audience and can lead to confusion. Relying on signed acknowledgments is a procedural step that does not provide evidence of actual understanding or the effectiveness of the communication itself. Choosing to provide only the minimum statutory information ignores the firm’s obligation to tailor communications so that customers can truly assess the value and risks of a product.
Takeaway: Firms must verify that disclosures are effective by testing and monitoring whether they truly support informed customer decision-making under Consumer Duty rules.
Question 25 of 30
25. Question
An internal auditor at a London-based investment bank is reviewing the controls surrounding Project Thames, a sensitive acquisition deal. During the audit, it is discovered that a junior analyst in the research department was inadvertently copied on an email chain containing specific, non-public pricing details for the acquisition. The analyst is not currently named on the firm’s formal insider list for this project. According to the UK Market Abuse Regulation (UK MAR) and FCA requirements, which action should the auditor recommend as the immediate priority?
Correct: Under the UK Market Abuse Regulation (UK MAR), firms are required to maintain an accurate and up-to-date insider list of all persons who have access to inside information. Once the analyst gained access to price-sensitive information, they became an ‘insider’ by definition. The firm must add them to the list and take all reasonable steps to ensure they acknowledge in writing the legal and regulatory duties entailed and are aware of the sanctions applicable to insider dealing and unlawful disclosure.
Incorrect: The strategy of deleting the email from the server fails to address the regulatory reality that the information has already been processed by the individual, necessitating formal tracking. Focusing only on a supplemental non-disclosure agreement is insufficient because it does not satisfy the specific statutory requirement to maintain a formal insider list as mandated by the FCA. Opting for administrative leave is a disproportionate response that does not fulfill the firm’s primary obligation to document and notify the individual of their specific responsibilities under market abuse laws. Simply conducting a technical cleanup without regulatory documentation leaves the firm in breach of record-keeping standards.
Takeaway: UK MAR requires firms to immediately add any individual who accesses inside information to an insider list and notify them of their duties.
Question 26 of 30
26. Question
During a thematic review of third-party risk management at a London-based financial institution, an internal auditor identifies that a Senior Management Function (SMF) holder sits on the board of a prospective cloud service provider. The firm is currently in the final stages of awarding a five-year contract to this provider. Although the SMF holder disclosed the directorship in the annual fitness and propriety assessment, they have continued to attend internal steering committee meetings where the procurement strategy was discussed. Which action by the internal auditor best demonstrates adherence to professional ethics and integrity principles?
Correct: Under the FCA’s Senior Manager Conduct Rules and professional ethics fundamentals, identifying a conflict is only the first step; the auditor must assess if the controls, such as recusal, are functioning to prevent biased decision-making. Recommending recusal ensures the integrity of the procurement process remains intact and aligns with the requirement to manage conflicts of interest effectively rather than just disclosing them.
Incorrect: Simply resigning from the external board might be an overreaction if the conflict can be managed through proper governance and does not address the historical influence on the steering committee. Reporting to the regulator immediately is premature as internal auditors should first utilize internal governance and reporting lines unless there is evidence of a serious, unaddressed regulatory breach or bad faith. Focusing only on the annual disclosure is insufficient because disclosure without active management fails to mitigate the risk of actual or perceived bias in high-value procurement decisions.
Takeaway: Effective integrity management requires both the disclosure of conflicts and the implementation of active mitigation strategies like recusal.
Question 27 of 30
27. Question
A Senior Internal Auditor at a London-based wealth management firm is conducting a thematic review of the firm’s fraud prevention framework following the full implementation of the Senior Managers and Certification Regime (SM&CR). During the audit, the auditor notes that while automated transaction monitoring alerts are being cleared, there is a lack of clarity regarding which specific individual holds the ultimate accountability for the effectiveness of the anti-fraud systems and controls. The auditor is preparing a report for the Audit Committee regarding the adequacy of the firm’s governance in this area. Which of the following actions represents the most appropriate audit approach to evaluate the firm’s fraud prevention integrity in line with UK regulatory expectations?
Correct: Under the UK’s Senior Managers and Certification Regime (SM&CR), firms must ensure that specific Senior Management Functions (SMFs) are held accountable for the firm’s systems and controls, including those designed to prevent financial crime and fraud. Evaluating the alignment between the fraud framework and the Statement of Responsibilities ensures that there is no ‘accountability gap’ and that the firm meets the FCA’s expectations for individual accountability and governance integrity.
Incorrect: The strategy of reporting all alerts directly to the regulator without internal review is incorrect as firms are expected to conduct their own analysis and only report genuine suspicions of money laundering or fraud. Opting for a shared responsibility model across all staff contradicts the core principle of the SM&CR, which seeks to identify specific individuals who are responsible for failures. Choosing to outsource the process to transfer liability is a fundamental misunderstanding of UK law, as regulatory responsibility for oversight and systems remains with the firm’s senior management regardless of third-party involvement.
Takeaway: Effective fraud prevention in the UK requires clear alignment between control frameworks and the individual accountability mandated by the SM&CR.
Question 28 of 30
28. Question
An internal auditor at a London-based wealth management firm is reviewing the digital onboarding process for retail clients. The auditor discovers that for non-advised sales of complex financial instruments, the platform uses a single ‘I understand the risks’ checkbox to satisfy regulatory requirements. The firm does not prompt the client for details regarding their previous investment history or professional qualifications. Which of the following best describes the regulatory deficiency in this process under the FCA Conduct of Business Sourcebook (COBS)?
Correct: Under FCA COBS 10, when providing non-advised services related to complex products, firms must assess whether the product is appropriate for the client. This requires the firm to ask the client to provide information about their knowledge and experience in the investment field relevant to the specific type of product or service offered. A simple self-certification checkbox does not constitute an assessment of the client’s actual knowledge or experience.
Question 29 of 30
29. Question
An internal auditor at a London-based investment firm is reviewing the effectiveness of the firm’s market abuse prevention framework. During the audit, a review of the surveillance system reveals that several small-volume trades executed by a senior trader in a low-liquidity AIM-listed stock just before the market close did not trigger any automated alerts. The auditor notes that these trades appear to have influenced the daily closing price of the security. Which of the following actions should the internal auditor prioritize to evaluate the robustness of the firm’s controls under the UK Market Abuse Regulation (UK MAR)?
Correct: Under UK MAR and the FCA’s Handbook, firms are required to maintain effective arrangements, systems, and procedures to detect and report suspicious orders and transactions. Evaluating the calibration of surveillance alerts is critical because generic thresholds often fail to capture manipulative behaviors like ‘marking the close’ in illiquid markets. A robust audit must determine if the technical controls are appropriately tuned to the specific risks identified in the firm’s risk assessment, ensuring that suspicious patterns in less active securities are not overlooked.
Incorrect: Focusing only on training records and policy attestations is insufficient as it merely confirms administrative compliance rather than the operational effectiveness of detection systems. Choosing to recommend an immediate external report to the regulator is premature for an internal auditor, whose primary role is to evaluate the control environment and internal escalation processes first. Relying solely on the whistleblowing policy as a primary detection mechanism is inappropriate because technical surveillance is a mandatory regulatory requirement that should not be replaced by or secondary to employee reporting.
Takeaway: Internal auditors must ensure market abuse surveillance is risk-based and specifically calibrated to detect manipulation across different asset classes and liquidity levels.
Question 30 of 30
30. Question
A UK-based wealth management firm is updating its financial crime framework following a thematic review by the Financial Conduct Authority (FCA). During an audit of the sanctions compliance program, the Internal Audit team discovers that the automated screening system flagged a potential match against the Office of Financial Sanctions Implementation (OFSI) Consolidated List three days ago. The compliance officer has not yet determined if the match is a true hit due to a backlog in manual investigations. Which aspect of the firm’s risk management should the auditor prioritize for evaluation?
Correct: Under the Sanctions and Anti-Money Laundering Act 2018 and FCA requirements, UK firms must have robust systems to identify and report designated persons. The auditor must prioritize the escalation process because firms are legally required to report to OFSI as soon as practicable if they suspect a client is subject to financial sanctions. A three-day delay in investigating a potential match suggests a failure in the firm’s internal controls and its ability to comply with mandatory reporting timelines.
Incorrect: Focusing on the historical accuracy of the algorithm prioritizes technical efficiency over the immediate regulatory risk of an unaddressed potential match. The strategy of assessing commercial impact is secondary to the legal requirement to prevent the movement of funds when a sanction is suspected. Relying on the vendor’s update frequency is a peripheral control that does not address the immediate failure in the firm’s internal investigation and reporting timeline.
Takeaway: Effective sanctions compliance requires robust escalation procedures to ensure potential matches are investigated and reported to OFSI without delay.