Most growing MGAs reach a point — often around the £20m GWP mark, or when a new capacity provider asks the question — where the answer "our compliance team checks things" stops being good enough. The regulator, capacity providers and the board start expecting a real third line. This is a practical framework for standing up MGA internal audit without buying a tier-1 carrier blueprint that your organisation cannot sustain.

Start with the right operating model

A growing MGA does not need — and cannot afford — a full in-house internal audit function. The options that actually work are:

  • Fully outsourced to a specialist firm, with a named partner accountable to your audit committee. Cheapest at small scale; weakest on institutional knowledge.
  • Co-sourced — a part-time Head of Internal Audit (often fractional) plus an external firm for fieldwork. The sweet spot for MGAs between £20m and £150m GWP.
  • In-house with co-source overflow — appropriate above £150m GWP or where capacity providers explicitly ask for it.

Whichever you pick, the function must report functionally to the audit committee (or board if no audit committee exists) and administratively to the CEO. Anything else compromises independence and your auditors will say so.

Build the audit universe

The audit universe is the menu of everything the function could possibly audit. For an MGA, it is built from four lenses:

  • Regulatory: SM&CR, Conduct, CASS 5, complaints, financial crime, sanctions, data protection, operational resilience.
  • Capacity provider obligations: binder terms, minimum standards, bordereaux quality, claims authority.
  • Core processes: underwriting, pricing, claims, finance, IT, HR, vendor management, distribution.
  • Strategic risks: new product launches, system migrations, M&A activity, AI deployments.

Each universe entry gets a risk score (inherent risk × control maturity × strategic importance) refreshed annually. The output is a ranked list that drives the audit plan.

Write a risk-based annual audit plan

A workable MGA plan covers 6–10 audits per year. Resist pressure to do more — short, deep audits with real recommendations beat shallow coverage every time. Each plan entry needs:

  • Scope statement — what's in, what's explicitly out.
  • Risk rationale linking back to the universe.
  • Estimated effort (days) and quarter scheduled.
  • Named senior stakeholder.

Present the plan to the audit committee for approval, not merely for noting. Their challenge is the point of the meeting.

A repeatable audit methodology

Every audit follows the same five-stage life cycle. Documenting it once and applying it consistently is the difference between a function that scales and one that re-invents itself every quarter.

  1. Planning: objectives, scope, risks, controls, tests, sample sizes, kick-off meeting with auditee.
  2. Fieldwork: walkthroughs, control design assessment, control operating-effectiveness testing, evidence capture in a working paper file.
  3. Findings: each finding has a condition, criteria, cause, consequence and recommendation, agreed with the auditee before being written up.
  4. Reporting: short report (≤10 pages), rated overall (satisfactory / needs improvement / unsatisfactory), with findings rated H/M/L and management actions with owners and dates.
  5. Tracking: findings logged in a single tracker, reported quarterly to the audit committee until closed and validated.

The minimum controls testing pack

Whatever else is in the plan, an MGA internal audit function should test these every year:

  • Bordereaux accuracy and timeliness.
  • Underwriting authority compliance (sample-based).
  • Claims authority compliance (sample-based).
  • CASS 5 — calculation, reconciliation, breach reporting.
  • Complaints handling against DISP.
  • Financial crime — sanctions, PEP, source-of-funds.
  • SM&CR fitness, propriety and certification.
  • IT general controls — access, change, backup.

Reporting and the audit committee

Quarterly audit committee papers should include the plan progress, each report finalised in quarter, the open findings tracker with ageing, and an honest assessment of any scope or resource pressures. A committee that only sees green is not being well served — surface the difficult conversations.

Common mistakes growing MGAs make

  • Hiring a junior internal auditor and giving them no senior cover or methodology — they cannot challenge the C-suite alone.
  • Letting compliance "do" internal audit — it conflates the second and third lines and breaks independence.
  • Buying a tier-1 carrier methodology — too heavy, kills speed, gets quietly abandoned.
  • Auditing only what's easy — the function becomes window dressing.

JanthanaK provides fractional Head of Internal Audit support and outsourced fieldwork for growing MGAs through the MGA Internal Audit service. Book a 30-minute scoping call if you'd like to talk through what a workable function would look like for your organisation.