The internal audit function must periodically review the scope of the activities of the compliance function using the risk-based approach. The audit of the compliance function must include an assessment of how effectively it fulfils its responsibilities.