JCBFL has acquired extensive experience in providing outsourced and co-sourced internal audit services to the insurance and non-insurance sectors and offers assurance that governance, risk management and internal controls are effective at mitigating the risks associated with achieving objectives such as protecting assets, reputation and sustainability of the organisation.

We provide highly cost effective third line of defence consultancy services, or fulfilment of specific internal audits on a client’s internal audit plan and we only use highly experienced auditors to undertake end to end audits, not audit trainees or juniors.

Internal Audit Services

The Institute of Internal Auditors (IIA) ( is the recognised international standard setting body for the internal audit profession, including in the UK. The IIA is responsible for the INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (Standards) and also introduced the Three Lines of Defence governance model to Corporate America and globally to the other free market economies.

The main features of the model are:

  • the Board and Executive management sit above the three lines and have collective responsibility for setting organisational objectives, defining strategies to achieve them, establishing the necessary governance risk management including setting the level of risk appetite that is tolerable, and in implementing control frameworks to mitigate the risks to the set tolerance,
  • First line: Primary responsibility for managing organisational risks through designing and implementing appropriate mitigating controls rests with operational management who own and manage risks,
  • Second line: comprises Risk Management and Compliance functions to help build and/or monitor the first line of defence controls, including risk appetite reporting,
  • Third line: The principal function of the third line is to provide risk assurance. Internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including first and second-line controls. Internal audit is pseudo independent of management with a direct reporting line to the Audit Committee which is made of Non-Executive Director (NEDs) members.

In addition to the Standards, there is the Financial Services Code and its Code of Practice which should be applied in conjunction with the Standards. The Code builds on those Standards, providing context specific to the financial services sector; and seeks to increase the effectiveness and impact of internal audit in organisations in that sector by clarifying expectations and requirements. The full publication is shown at Financial Services Code

Our services

  • Fee conscious provision of short-term co-source or outsourced partnering resource to manage and run with all elements of specific audit projects, including the development of audit programmes, when resources are not available internally,
  • Investigations related to a sensitive area requiring a discrete external forensic investigation,
  • Provision of independent health checks, or 5-year EQA reviews, of existing Internal Audit functions,
  • Assistance with the development of an Internal Audit function, and IA methodology, where there was no previous requirement to have one.

Subject to client requirements, we offer our internal audit services on the basis of a Statement of Work. An example is provided here. Rates are negotiable and can be on an hourly or day rate, or on a Fixed Fee basis, although clients tend to opt for the flexibility that comes with hourly rates.

Our expertise and experience

  • Outsourced and co-sourced internal audit services to a multi-national insurance/investment Group, a leading UK motoring organisation and a large UK based MGA.
  • In-house internal audit lead on over 150 internal audits and projects across the complete audit universe of a large Lloyd’s Syndicate group, a leading global reinsurer and many other insurance operators.
  • Experienced user and administrator for audit software such as TeamMate ( and Audimex (