The Chartered Institute of Internal Auditors (CIIA) has today raised “serious concerns” about the financial resilience of the UK’s broadband sector, which appears to be based on the fact that six of the country’s thirteen “major” ISPs currently operate without an internal audit – potentially exposing them to “unchecked risks and increasing the likelihood of corporate collapse”.
The announcement itself arguably makes this sound a bit worse than it is, since it soon becomes apparent that we’re actually only talking about six alternative networks (altnet) and retail ISPs that serve “around two million customers” – including CommunityFibre, Hyperoptic, Utility Warehouse (UW), YouFibre, Glide, and CityFibre.
Nevertheless, the CIIA has written a new Open Letter to Ofcom’s CEO, Dame Melanie Dawes, which highlights how the absence of internal audit functions across these companies could, they claim, leave the firms at “heightened risk of collapse” – this is particularly relevant given the current economic pressures and climate of wider market consolidation.
The organisation is thus encouraging the regulator to introduce a “clear expectation” (requirement) for broadband providers to maintain internal audit functions in order to “strengthen independent oversight of how key risks are managed, improve organisational resilience, build investor confidence, and support the growth of the UK’s digital economy”.
Anne Kiem OBE, CEO of the Chartered IIA, said:
“Broadband companies are now essential to daily life and the economy. Yet, nearly half of the UK’s major broadband providers are operating without internal audit. This is a serious audit and governance weakness. We’ve seen time and again the damage caused when companies collapse due to failures that might have been prevented with proper internal controls. We cannot afford to make the same mistakes with broadband companies.”
For the uninitiated, the core role of internal audit is to provide independent and objective assurance that an organisation’s risk management, governance, and internal control processes are operating effectively, thereby ensuring the organisation can achieve its goals (although audits aren’t a 100% guarantee of this). But in the UK and Ireland, the requirement for having an internal audit function is not universal across all types of organisations.
The letter also highlights how other regulators have already “acted decisively” on this issue. For example, it notes that Ofgem now requires energy suppliers to report on their internal audit capability in its updated Financial Responsibility Principle Guidance, while the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) mandate internal audit in financial services.
UPDATE 5th Aug 2025 @ 7:28am
As one provider pointed out, Ofcom’s regulation via their General Conditions of Entitlement (industry rules), which are designed to protect consumers, does require broadband and phone providers to carry out regular audits of their Metering and Billing to ensure customers are billed correctly. But this is not quite the same thing as the deeper financial audits being highlighted by the Chartered IIA above.
In addition, we have also managed to get hold of the full letter to Ofcom, which we’ve pasted below.
Chartered IIA’s Open Letter to Ofcom
Dear Melanie,
I am writing to highlight concerns about the absence of internal audit functions across several major broadband companies. Given the role these companies play in maintaining parts of the UK’s digital infrastructure and providing essential broadband services to millions of customers, their resilience is vital to the functioning of modern society and a growing digital economy. The absence of internal audit functions within some of these companies raises concerns about whether they have the necessary independent assurance over their ability to identify, manage, and mitigate risks effectively. In response to our findings, we urge Ofcom to introduce a clear regulatory expectation for broadband companies to maintain a dedicated internal audit function, aligning with expectations already established in other regulated sectors.
To give you some background, the Chartered Institute of Internal Auditors (Chartered IIA) is the professional body for internal auditors, representing over 10,000 professionals across the UK and Ireland. We advocate for good corporate governance, strong risk management and a rigorous control environment, leading to the long-term success of organisations and the contribution internal audit makes to these aims.
A robust broadband infrastructure and fast and reliable internet services are now a fundamental necessity that underpin almost every aspect of modern society and the digital economy. They are vital for the daily activities of millions of individuals and businesses across the UK, including office and remote working, online education, healthcare services, financial transactions, online purchasing and social connectivity — all of which contribute to productivity, innovation and support long-term economic growth.
Our research has identified six major broadband companies that, as far as we can tell, currently operate without an internal audit function: Community Fibre, Hyperoptic, Utility Warehouse, YouFibre, Glide and CityFibre. Collectively, these companies serve around two million customers. Some of these companies not only provide essential internet services to thousands of customers but also develop and maintain their own infrastructure networks. For example, CityFibre, the third-largest ISP infrastructure provider in the UK, supports major ISPs such as Vodafone, TalkTalk, and Zen Internet. While many other large broadband companies benefit from fully established internal audit functions, it is currently unclear whether CityFibre has a dedicated internal audit function that provides independent assurance over its risk, governance and internal control processes.
We recognise that these companies are subject to legal duties under the Telecommunications (Security) Act 2021, which is aimed at protecting the security and resilience of networks and services. These duties, along with the accompanying Telecommunications Security Code of Practice, focus primarily on technical and cyber risks. However, as far as we can tell, no Ofcom requirements or guidance reflect the critical role of internal audit in good governance, nor set expectations around internal controls or effective board leadership.
Internal audit provides vital independent assurance to an organisation’s board and senior management. Without it, they may not receive adequate assessments of their operational, financial, liquidity and cybersecurity risks. Internal audit can play a role in assessing the effectiveness of governance and internal controls related to technology, digital transformation, cloud services, data management, and emerging technologies such as artificial intelligence. Internal audit can also be harnessed to assess the effectiveness of scenario planning and stress testing, as seen in regulated sectors such as financial services, helping organisations prepare for economic and financial shocks, as well as other crisis events, such as major cyberattacks.
Other regulators have set clear regulatory expectations regarding the need for internal audit in sectors that provide essential services and maintain critical national infrastructure. The energy regulator Ofgem has introduced principles-based requirements for suppliers to report on their internal audit capability following concerns about financial resilience in the sector. Similarly, the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) set clear expectations for regulated financial services companies to establish and maintain an internal audit function. The recent Cyber Security and Resilience Bill reflects the government’s continued focus on strengthening the laws and regulations that underpin the security and resilience of the UK’s critical national infrastructure, including digital networks provided by broadband providers. Given the strategic role that broadband companies play in supporting the Government’s economic growth objectives and digital infrastructure, Ofcom should adopt an approach consistent with other regulators by setting a clear regulatory expectation that it is best practice for broadband companies to have an internal audit capability proportionate to the nature, scale and complexity of their business.
While internal audit is not a panacea for governance and operational challenges, its role is vital for supporting organisations and their boards to manage and mitigate their business-critical risks effectively. Setting a clear regulatory expectation for broadband companies to have appropriate internal audit arrangements would strengthen independent oversight of how key risks are managed, improve organisational resilience, build investor confidence, and support the growth of the UK’s digital economy.
We would welcome the opportunity to discuss this matter further in person and explore how Ofcom could set clear regulatory expectations around the need for broadband companies to have internal audit.
Thank you for considering this important issue. I look forward to your response.
Yours sincerely,
Anne Kiem OBE
Chief Executive
Before I read this piece, didn’t expect TalkTalk to be one of the six, must be checking regularly to see how many more hundreds of millions they need, to keep going. From information given on this site, the banks are checking the value of the company regarding a possible sale.
TalkTalk isn’t one of the six.
Roger: You are taking my words up wrongly. Before I read the piece, didn’t expect TalkTalk would be one of the six, and I was correct they weren’t one of the top six. Hope that explains.
TalkTalk isn’t one of the six and are regularly audited internally and externally (as is PXC). Get your facts straight.
Latest news report: seller of internal auditing services says companies should be buying more internal auditing services.
Yes, you get the feeling that these people pick a sector every couple of weeks and send this same story to the trade press for that sector to try and drum up business.
The CIIA doesn’t sell internal audit services, it’s the institute responsible for setting the standards of the industry.
I know this because I work in the industry.
Membership fees are paid by who?
So what checks are made by OFCOM when a company applies for license to become an ISP?
Do they not have to have a sound business plan and processes, obviously not!
There is no licensing regime, so no application is needed.
Anyone can be an ISP just depends what type
You do not need a licence from Ofcom to be an ISP.
There is no licensing process.
Ofcom don’t issue licences *but* if you want to sell Public Electronic Communication Network services then you have to register your existence (so they can send you a bill or come after you for non-compliance)
It’s an interesting process (that some ISPs still haven’t done) and it doesn’t mean that Ofcom actually do anything with the information other than add you to the reseller number list (https://www.ofcom.org.uk/phones-and-broadband/phone-numbers/numbering) even if you don’t sell telephony services
Suspect you’re thinking of code powers. Those are a different matter entirely.
Ofcom – please take note that I want to buy my ISP services from a company without this internal audit department. I want my ISP focussed on cabling, routing, switching and security. This recommendation from the Chartered IIA is classic UK style creating nonsense jobs and I don’t want to pay for it.
Auditing is the safeguard that will help prevent your service from disappearing overnight.
Yeah but if it’s cheap enough that I can have two connections not one if they don’t audit..
Then is it worth the risk?
@Dave Webster: If a business does not do the basics in financial and organisational oversight, you might ask what else they are choosing to skip.
Presumably the only companies that actually have to do these audit checks are those that are publicly listed?
It is quite a surprise to see some of the players on that list.