Consumer Duty has been in force since July 2023 for new and existing products, and since July 2024 for closed book products. The FCA has now completed its first wave of supervisory engagement and the picture that emerges is mixed, some firms are doing this well, many are not, and internal audit functions are frequently cited as a gap.

What the FCA has found

The FCA's thematic reviews and Dear CEO letters since the Duty came into force have been consistent on a small number of points. First, firms are better at writing policies than they are at changing practices. The documentation of Consumer Duty compliance is generally adequate; the evidence that the Duty has changed how products are designed, how communications are written, and how outcomes are monitored is much less consistent.

Second, the FCA has found that the four outcome areas, products and services, price and value, consumer understanding, and consumer support, are not being monitored with equal rigour. Price and value assessments are generally present, even if their quality varies. Consumer support monitoring, the evidence that customers who need help can actually get it, in the way they need it, at the point they need it, is the area most commonly found to be inadequate.

Third, the governance arrangements around Consumer Duty are often superficial. Boards are receiving Consumer Duty reports; they are less often receiving reports that contain meaningful outcome data and lead to changes in strategy or product design.

The specific findings on internal audit

The FCA has been explicit that internal audit is expected to provide independent assurance over Consumer Duty compliance, and that this assurance should cover the actual delivery of good outcomes, not just the existence of policies and processes.

The most common internal audit gap identified is an over-reliance on process audits. An audit that checks whether the price and value assessment was completed, whether it was reviewed by the right people, and whether it was approved at the right level tells you something useful. It does not tell you whether the assessment was honest, whether the methodology was sound, or whether the product actually represents fair value for the customers who buy it. The FCA wants to see internal audit going further.

A second gap is the absence of outcome data in internal audit work. If internal audit is auditing consumer support but is not looking at complaint rates, call abandonment rates, escalation outcomes, and the experience of vulnerable customers, it is not auditing the outcome, it is auditing the infrastructure around it. These are different things.

What this means for audit planning

For most financial services firms, Consumer Duty should now be a standing item in the audit plan, not a one-off thematic review but a programme of work that provides rolling coverage of the four outcomes across the relevant product and service lines. The specific audits within that programme will vary depending on the firm's risk profile and the regulator's stated priorities, but the programme itself should be permanent.

The scoping of Consumer Duty audits needs to be honest about what the audit is actually testing. An audit described as a Consumer Duty review that only covers process compliance is mislabelled. If the scope is process compliance, say so, and explain separately how the function intends to cover outcome assurance.

Vulnerable customers deserve specific attention. The FCA's guidance on vulnerability is detailed and the regulator's expectations are high. Internal audit work in this area should look at whether the firm's definition of vulnerability is workable in practice, whether frontline staff are identifying vulnerable customers accurately, and whether the adjustments made for vulnerable customers are actually improving their outcomes.

Data and MI

One practical implication of the outcome focus is that internal audit teams need better access to customer outcome data. This is sometimes a data governance issue, the data exists but internal audit does not have access to it, and sometimes a data quality issue, the data exists but is not reliable enough to support audit conclusions. Both are worth raising with management early in the planning process, before fieldwork begins rather than during it.

The firms that are ahead on this have built Consumer Duty MI that is genuinely designed for oversight and challenge, not just for regulatory compliance. Internal audit can play a useful role in assessing whether the MI the board receives is fit for purpose, and in identifying the gaps before the FCA does.

The board readiness question

The annual Consumer Duty board report is a governance requirement that puts explicit accountability on the board. Boards must be able to confirm that the firm is delivering good outcomes, and to evidence that conclusion. Internal audit is well-placed to assess whether the board is genuinely equipped to make that confirmation, or whether it is signing off on a document it cannot adequately challenge.

That assessment, board readiness, is increasingly part of what sophisticated audit functions are covering. It is also one of the questions the FCA will ask if a firm's Consumer Duty position comes under scrutiny.

Kyle McMullan
Kyle McMullan
Founder, the audit hub

25 years in senior financial services internal audit and risk advisory. Kyle writes from direct practitioner experience, having held audit leadership roles, managed regulatory remediation programmes, and advised boards through some of the most complex compliance challenges in UK financial services.

Connect on LinkedIn
← Co-sourcing versus outsourcing your internal audit function Making the move from in-house audit to consultancy →