The Evolving Role of Internal Audit in Cyprus Regulated Firms

The Internal Audit Function forms an important part of the governance and internal control framework of Cyprus regulated firms. Both the Cyprus Securities and Exchange Commission (“CySEC”) and the Central Bank of Cyprus (“CBC”) require regulated entities to maintain an independent Internal Audit Function responsible for assessing the adequacy and effectiveness of the institution’s systems, internal controls, policies, and procedures, in a manner proportionate to the nature, scale, and complexity of its activities.

In parallel, increasing regulatory focus on ICT risk management and operational resilience, particularly following the introduction of DORA, has further expanded supervisory expectations relating to internal control and assurance functions.


CySEC Expectations for Internal Audit Functions

CySEC’s framework, including Circular C056 and subsequent supervisory guidance, places particular emphasis on the provision of independent assurance to the Board of Directors and Senior Management on the quality and effectiveness of the regulated entity’s internal control, risk management and governance systems and processes. This includes the assessment of internal controls, governance arrangements, AML/CFT procedures, and ICT and cybersecurity controls.

In relation to ICT and cybersecurity risks, the recent CySEC Circular C751 on the requirements of Regulation (EU) 2022/2554 (“DORA”) states that ICT risk management frameworks are expected to be subject to regular internal audit reviews, in line with the regulated entity’s audit plan and ICT risk profile. CySEC further emphasises the importance of appropriate segregation and independence between the ICT risk management function, the other control functions, and the Internal Audit Function, as well as the establishment of formal follow-up procedures for the remediation of ICT audit findings.

Internal audit is expected to operate with an unrestricted scope covering all activities of the regulated entity, including outsourced activities. In determining the scope of its work, the Internal Audit Function is expected to independently identify and assess the key risks faced by the institution, including emerging and systemic risks, and evaluate how effectively these risks are being managed.

There should be no impediment to the Internal Audit Function’s ability to challenge senior management and report its concerns to the Board of Directors (“Board”).

The Internal Auditor is also responsible for establishing, implementing, and maintaining a risk-based internal audit plan. Audit planning is expected to focus on areas where risks are considered higher, while also taking into consideration the views of the Board and other control functions.


CySEC’s framework also places emphasis on the content and quality of Internal Audit Reports (“IA Reports”). IA Reports are expected to include:

  • an overall description of the institution’s internal control, risk management, and governance framework;
  • a description of the audit plan and the risk-based approach followed;
  • details of regular and/or extraordinary audits performed;
  • major findings and weaknesses identified during the audit process;
  • recommendations proposed in relation to identified findings and deficiencies;
  • management responses and corrective actions taken;
  • any outstanding issues where remediation measures remain pending or insufficient; and
  • follow-up procedures relating to previously identified findings and outstanding matters.

CySEC also expects IA Reports to be discussed by the Board, with the Board minutes clearly documenting the corrective measures to be taken and the timetable for their implementation. The IA Report must be submitted to CySEC, together with the relevant minutes, within 20 days of the date of the relevant Board meeting and no later than 4 months after the end of the calendar year.


Central Bank of Cyprus (“CBC”) Expectations for Internal Audit Functions

The CBC has also increased supervisory focus on the content, scope, structure, and quality of IA Reports submitted by Electronic Money Institutions and Payment Institutions.

The recent CBC Guidance issued in January 2026 sets out the CBC’s minimum expectations regarding the annual submission of IA Reports and emphasises that institutions should uphold high standards of independence, professionalism, and transparency in the operation of their Internal Audit Functions.

The CBC further states that institutions are encouraged to utilise the IA Report as a strategic tool for risk management and continuous improvement, rather than merely as a regulatory compliance deliverable.


According to the CBC Guidance, each IA Report should commence with a concise Executive Summary which should:

  • clearly state the audit scope, areas assessed, timeframe covered, and any exclusions or limitations concerning key risk areas;
  • provide the Internal Auditor’s opinion on the overall internal control environment of the institution;
  • summarise key audit findings, systemic weaknesses, and high-level recommendations for improvement; and
  • include comments on remediation progress, management corrective actions, and relevant timelines.

The CBC also states that the Audit Plan for the forthcoming year (for the year ending 31 December 2025) should be risk-based and forward-looking, and should be communicated to the relevant approving Board authority in a timely manner. The Internal Auditor is expected to determine the audit work to be performed based on the severity and criticality of the respective risks, and to verify the integrity of the processes that ensure the reliability of the methods, techniques, assumptions, and information sources the institution uses in its internal calculations and models.


The CBC further expects IA Reports to include:

  • reference to the audit area or section reviewed;
  • detailed description of identified deficiencies and the audit work performed, including the sample selected for review;
  • classification of findings according to risk level and potential adverse impact;
  • recommendations for corrective actions;
  • management responses, agreed remediation plans, and expected timeframes for resolution; and
  • follow-up on outstanding issues from previous audit engagements, including implementation status, delays, responsible owners, and updated target completion dates.

The CBC Guidance also states that Internal Auditors are expected to cover, on a yearly basis, key operational areas including:

  • safeguarding of client funds;
  • adequacy of governance arrangements;
  • outsourcing arrangements and their review/monitoring;
  • ICT risks;
  • AML/CFT framework and monitoring;
  • controls relating to ongoing compliance with licensing obligations and capital adequacy requirements; and
  • controls relating to the ongoing correctness of regulatory reporting submissions.

In relation to ICT risks, the CBC specifically refers to the review of the ICT risk management framework and of the ICT response and recovery plans required under Regulation (EU) 2022/2554 (DORA). The Guidance also notes that micro-enterprises may perform these procedures on a best-effort basis.

Finally, the CBC states that IA Reports should be formally reviewed and approved by the institution’s Board of Directors, with Board minutes documenting the discussion and approval of the report made available to the CBC upon request.


Final Remarks

The role of internal audit within Cyprus regulated firms continues to evolve in line with increasing regulatory expectations relating to governance, internal controls, risk management, and operational resilience.

As regulatory frameworks continue to develop, Internal Audit Functions are expected to maintain effective and independent assurance processes capable of supporting sound governance and appropriate oversight of the institution’s activities.

A well-structured Internal Audit Function contributes not only to regulatory compliance, but also to the ongoing assessment and strengthening of the institution’s control environment and governance framework.

At FiveComply, we support Cyprus regulated firms by providing risk-based Internal Audit services tailored to the nature, scale, and complexity of each institution’s activities, while taking into consideration the evolving expectations of CySEC, the CBC, and the broader European regulatory framework. We adopt a holistic approach to assessing the institution’s governance, control, risk management, operational, and compliance frameworks, applying a risk-based methodology that places greater focus on areas carrying higher levels of risk and regulatory significance.

Author

Konstantina Makri

Compliance Associate – EU & MENA Region