
Regulatory Audit and Compliance Audit Services in the UK

Decision flowchart for understanding UK company auditing requirements

A regulatory audit checks whether an organisation is meeting the rules set by the body that supervises its sector. It’s not the same as a statutory audit of the financial statements, although there’s plenty of overlap. For UK SMEs, charities and other regulated entities, getting the work right is often what keeps a licence active or a grant in good standing.

This guide covers the basics: what a regulatory audit is, who needs one, how it differs from a statutory audit, and which UK frameworks tend to apply.

What is a regulatory audit?

A regulatory audit is an independent review carried out to confirm that an organisation complies with the laws, regulations, codes and reporting requirements that govern its sector and jurisdiction. It can be performed by a registered audit firm, an internal audit team, or by the regulator itself. The objective is to give the regulator, the audit committee and every stakeholder assurance that the entity is operating within its rules.

A regulatory compliance audit usually looks at the organisation’s compliance with sector rules, its systems and controls, and the records it keeps. The auditor tests whether internal controls are designed and operating effectively against the regulatory requirements that apply, then issues an audit report with findings to management and, where required, the regulator. Where financial reporting is in scope, the audit team will also confirm that figures filed with the regulator reconcile to the underlying records.

Regulatory audit vs statutory audit (and the four main types)

People often ask what the difference between a regulatory audit and a statutory audit is. A statutory audit is the audit of the annual accounts that’s required by the Companies Act 2006. A regulatory audit is a wider check on compliance with sector-specific rules – it can sit alongside the statutory work, or be a separate engagement entirely.

The four main audit types in the UK are:

  • Statutory audit – the audit of the annual financial statements under the Companies Act 2006. See our statutory audit services.
  • Regulatory audit – compliance with the rules of a specific regulator (FCA, SRA, FRC, Charity Commission and others).
  • Internal audit – an in-house review of risk management, governance and internal systems, usually run by the audit committee.
  • Forensic audit – a targeted investigation, often following suspected fraudulent activity or a breach.

Who needs a regulatory audit in the UK?

The short answer is any organisation that operates in a regulated sector. The longer answer depends on which regulatory bodies supervise you and what they’re asking for. We cover the main UK regulatory frameworks below – see our full sector index for sector-specific service pages. Common UK frameworks include:

  • Financial services – FCA-regulated investment firms have client money, CASS and prudential reporting obligations, plus anti-money-laundering checks. Our financial services audit page covers this in more detail.
  • Solicitors – the SRA Accounts Rules require an annual accountant’s report for firms holding client money. See our SRA audit page.
  • Charities – the Charity Commission expects compliance with the Charities SORP and trustees’ annual report standards. Smaller charities may need an independent examination instead of an audit. We cover this on our charity audit page.
  • Pension schemes – The Pensions Regulator sets the audit thresholds and reporting requirements for trust-based schemes. Detail on our pension scheme audit page.
  • Grant-funded bodies – Innovate UK, Horizon Europe and similar programmes require grant audit assurance.
  • Public Interest Entities (PIEs) – listed companies, banks and insurers fall under FRC oversight. PIE audits face stricter independence rules and the FRC’s ethical standard, with particular focus on objectivity, professional scepticism and capital markets transparency. See our guide to auditor independence threats for the five categories the FRC monitors.
  • Local government and academies – separate frameworks under DfE and Levelling Up.

Routine audit or breach investigation?

Not every regulatory audit is the same. A routine audit is a scheduled, planned engagement that confirms ongoing compliance and produces audit findings management can act on. A regulator-led investigation, by contrast, is triggered by a specific concern – a self-reported breach, a whistleblower complaint, or a thematic review. The first is forward-looking and collaborative; the second is more forensic, with tighter timelines and a higher chance of remedial action, hefty fines or reputational damage if non-compliance is found.

What a regulatory audit looks at in practice

The auditor’s scope depends on the regulator, but most UK regulatory audits cover the same building blocks:

  • Governance – how the board, audit committee and senior managers oversee compliance.
  • Systems and controls – the policies, procedures and IT systems that translate the rules into day-to-day operations.
  • Reporting – returns filed with the regulator, financial statements, and any non-financial reporting (sustainability, modern slavery, gender pay).
  • People and culture – whether staff understand their obligations and have the training to apply them.
  • Records – audit trails, exception reports, and evidence the firm can produce when challenged.

External auditors will often benchmark findings against auditing standards published by the FRC and against the regulator’s own checklist where one exists.

How a regulatory audit supports business growth

It’s tempting to treat a regulatory audit as a tick-box exercise. The firms that get the most value treat it as a governance MOT. A clean audit report shortens funding rounds, gives investors clear assurance during due diligence, and makes changing auditors or going to audit tender a much easier conversation. It also means corporate governance failures don’t snowball into client-money breaches or investigations across multiple jurisdictions.

Choosing a regulatory audit specialist

The right firm for your regulatory audit is usually one with sector experience, not just general audit experience. Look for an audit firm that already serves other entities under your regulator, has a registered auditor signing the file, and is comfortable having direct contact with the regulator if needed. Big 4 firms like PwC are often the default for capital-markets-listed PIEs, but specialist mid-size firms tend to be a better fit for SMEs and charities that want partner attention.

Audit Group is the audit arm of Jack Ross Chartered Accountants, established in 1948 in Manchester. We’re regulated by the Institute of Chartered Accountants in England and Wales (ICAEW) and our team covers regulatory audits across charity, SRA, pension scheme, financial services and grant audit frameworks. To talk through whether a regulatory audit applies to your organisation, request a scoping conversation.
