Internal Audit as the Board’s Early Warning System - From Oversight to Insight

Governance expectations in Malta continue to evolve as regulators place greater emphasis on evidence, accountability, and the interaction between control functions. Both the Malta Financial Services Authority and the Financial Intelligence Analysis Unit have signalled a clear shift toward assessing how governance operates in practice, with scrutiny now extending beyond structures to include decision making, challenge, cultural indicators, and the quality of oversight documentation. This evolution reflects broader European regulatory trends that prioritise transparency, risk awareness, and the effectiveness of internal controls.

This series examines those developments through practical insights. Each article focuses on a key governance theme that regulators have highlighted, such as Board engagement, follow up on risk decisions, and the application of the three lines model. The series also explores emerging expectations around AML reporting quality, the role of internal audit as a governance partner, and how training frameworks can demonstrate a firm wide commitment to AML culture. The aim is to provide clear guidance on how firms can strengthen their governance evidence and demonstrate effectiveness during supervisory reviews.

Internal audit as the Board’s Early Warning System: From Oversight to Insight

The Regulatory Context

The Malta Financial Services Authority (MFSA) conference held in February 2026, “From Oversight to Insight: Internal audit in Financial Services”, reinforced that internal audit is evolving from a retrospective assurance function to a strategic pillar of governance across all MFSA‑regulated sectors.

The MFSA continues to highlight internal audit’s growing role in strengthening decision‑making, enhancing regulatory trust, and improving governance effectiveness.

This aligns with the EBA Guidelines on Internal Governance (EBA/GL/2021/05 and EBA/GL/2022/05), which require internal audit to assess governance, risk culture, ICT risks, outsourcing and internal control frameworks. The MFSA’s 2026 Supervisory Priorities further emphasise governance substance over form, operational resilience and responsible adoption of technology and AI - all areas where internal audit is expected to provide robust, forward‑looking assurance.

Our Observations

Our Malta regulatory services team sees internal audit’s value not in the volume of reports produced but in the quality of insight provided to the board. The themes emerging from the MFSA conference (integrated assurance, board‑level visibility, and early detection of systemic risks) mirror our own experience. Firms that treat internal audit as a strategic partner achieve better governance outcomes and enjoy more constructive supervisory interactions. Internal audit becomes not just a compliance safeguard but a governance intelligence function that enhances organisational resilience.

Shift from Retrospective to Predictive Auditing

The MFSA conference underscored that internal audit is expected to look ahead, anticipating emerging risks across governance, ICT, outsourcing, and financial crime.

Instead of only reviewing historical activity (e.g., last year’s safeguarding reconciliations), internal audit should assess:

  • Whether current processes can withstand future stress scenarios
  • Where technology, AI, or operational change may weaken controls
  • Indicators of control fatigue or early deterioration

Predictive auditing transforms internal audit from a hindsight reviewer into a proactive risk radar aligned with supervisory expectations.

Audit Planning Linked to Risk Appetite & Supervisory Priorities    

Effective audit plans now require clear linkage to the firm’s Risk Appetite Statement and the MFSA’s 2026 supervisory focus (governance effectiveness, AI oversight, operational resilience).

Practical application:

  • Map audit coverage to the board’s top residual risks and tolerances
  • Assign each audit engagement a risk appetite metric and MFSA priority
  • Demonstrate how internal audit validates governance substance, not just formal policy adherence

This creates a direct, regulator‑aligned link between governance, assurance, and board oversight.

Embed Follow‑Up Discipline

A recurring regulatory concern echoed at the conference is persistent, unaddressed, or repeated issues.

Internal audit follow‑up should therefore become a board KPI, supported by:

  • A clear audit action tracker with owners, deadlines, and evidence of closure
  • Risk‑based validation before closure
  • A quarterly “Top 10 Open Issues” view for board or committee discussion

Strong follow‑up practices demonstrate accountability and strengthen regulatory trust.

Integrate Audit Insights into Governance Reports

The MFSA conference emphasised internal audit’s role in enhancing board insight, not just providing assurance. 

To act as an early warning system, internal audit must integrate cross‑audit themes into governance dashboards:

  • Recurring patterns in ICT incidents, outsourcing oversight, safeguarding issues, conduct themes
  • Systemic weaknesses that cut across functions
  • Emerging concerns requiring board discussion

This elevates internal audit from issue‑reporting to governance intelligence, a core theme of the MFSA event.

Leverage Data & Technology for Continuous Assurance

Both the MFSA conference and supervisory priorities highlight the importance of technology not only as a risk source but as a tool for improved assurance.

Internal audit should adopt incremental, realistic data‑led techniques:

  • Trend analysis of reconciliation breaks, exceptions, downtimes and KYC backlogs
  • Continuous monitoring of high‑risk processes (safeguarding, payments and onboarding)
  • Audit procedures covering AI governance: model oversight, training data, monitoring and change control

Introducing even one analytics‑enabled metric per quarter materially strengthens internal audit’s predictive capability.

What You Can Do This Quarter

  • Revisit your internal audit plan and align it with your top operational and regulatory risks and MFSA supervisory priorities.
  • Refresh and enforce your audit action tracker and present closure progress to the board.
  • Integrate internal audit insights into your board and committee dashboards for the next cycle.
  • Pilot a data‑driven audit technique by testing a simple trend analysis to enhance forward‑looking assurance.
  • Update your internal audit charter to reference risk‑based, insight‑driven, and technology‑enabled assurance.

How We Can Help

Trident helps boards and audit committees to transform internal audit from a compliance function to a forward‑looking assurance and insight function.

Our team supports firms in:

  • Re‑designing audit plans aligned with MFSA priorities and risk appetite
  • Integrating cross‑audit insights into board governance reporting
  • Strengthening action tracking and follow‑up
  • Building evidence of effective governance, oversight, and control culture: the elements regulators value most

Our aim is to position internal audit to serve as the board’s most reliable early warning system.

For more information on our Malta regulatory services, please reach out to Jesmar Ciappara, Senior Manager – Regulatory Services.

Regulatory References

  • MFSA Financial Institutions Rulebook (FIR/03)
  • MFSA Supervisory Priorities for 2026
  • EBA Guidelines on Internal Governance (EBA/GL/2021/05)
  • EBA Guidelines on the Role of Risk and Audit Functions (EBA/GL/2022/05)