ESMA's 2025 CSA on Compliance and Internal Audit Functions: What Fund Managers Should Take Away

On 11 May 2026, the European Securities and Markets Authority published the Final Report on its 2025 Common Supervisory Action (CSA) on compliance and internal audit functions of fund managers (ESMA34-1436284137-2305). This article walks through what the CSA covered, what NCAs found, and what UCITS management companies and authorised AIFMs should take away in practical terms.

1. Introduction

ESMA's 2025 CSA provides an EU-wide supervisory view of the compliance and internal audit functions of fund managers. All 27 EU and 3 EEA national competent authorities (NCAs) performed supervisory activities under a common ESMA framework. The result is a more comparable EU/EEA-wide picture of how UCITS management companies and authorised AIFMs are establishing and operating these two key control functions.

The headline is positive but qualified. The detail, and in particular the Annex of good and poor practices, gives compliance officers, internal auditors and senior managers a concrete benchmark against which to assess their own arrangements.

2. What the CSA covered

The 2025 CSA was conducted under a common assessment framework developed by ESMA in the course of 2024 and formally agreed in December 2024. The framework set out a common scope, coverage thresholds, methodology, supervisory expectations and timeline.

The legal scope was the compliance and internal audit functions of UCITS management companies and authorised AIFMs, with reference to Articles 9–11 of Commission Directive (EU) 2010/43/EU and Articles 60–62 of Commission Delegated Regulation (EU) 231/2013. Within that scope, NCAs were asked to give preference to entities with a retail investor base, entities with cross-border relevance, and entities where supervisory knowledge or experience indicated higher risks of non-compliance.

All NCAs met the common minimum coverage threshold agreed in the framework. Most chose a desk-based review approach, complemented by on-site inspections where appropriate. Several NCAs deployed dedicated IT tools, online reporting systems and secured exchange platforms to share data with entities in scope.

NCAs reported their national CSA findings to ESMA by 31 December 2025. ESMA then launched a follow-up survey on the impact of the exercise and on planned supervisory actions, to which NCAs responded by 31 January 2026.

3. Headline finding: satisfactory compliance, but important vulnerabilities

The majority of NCAs assessed the overall level of compliance of their supervised entities with the relevant provisions as satisfactory. ESMA, however, identifies areas for improvement which may be more pronounced in some jurisdictions, and notes that relevant NCAs may therefore provide more detailed or jurisdiction-specific guidance where appropriate.

Across the CSA sample, relevant policies and procedures were generally considered adequate. Their quality and practical implementation, however, varied significantly, also depending on the size, nature and complexity of the entities reviewed.

4. Breaches and vulnerabilities: what the numbers show

The CSA separately reports regulatory breaches and vulnerabilities. ESMA notes that the poor practices in the Annex cover both vulnerabilities and potential regulatory breaches, subject to further NCA investigation.

Regulatory breaches identified by NCAs:

· 21 NCAs reported no regulatory breaches in the entities they reviewed.
· 3 NCAs reported breaches in 0–10% of entities reviewed.
· 0 NCAs reported breaches in 10–20% of entities reviewed.
· 6 NCAs reported breaches in more than 20% of entities reviewed.

Where breaches were identified, ESMA notes they mostly concerned the independence of the internal audit and compliance functions, and cases of incomplete reports to senior management. NCAs reported they planned follow-up supervisory actions in those cases.

Vulnerabilities identified by NCAs:

· 5 NCAs reported no vulnerabilities.
· 1 NCA reported vulnerabilities in 0–10% of entities reviewed.
· 6 NCAs reported vulnerabilities in 10–20% of entities reviewed.
· 18 NCAs reported vulnerabilities in more than 20% of entities reviewed.

Examples of vulnerabilities reported by NCAs include missing or incomplete internal audit documentation, insufficiently robust compliance risk assessments, and the lack of a structured risk-based approach to assessing and addressing compliance risks. Where NCAs identified vulnerabilities, they planned follow-up supervisory actions or, in the most severe cases, issued immediate corrective actions to strengthen or reorganise the relevant functions.

What this means in practice: The overall picture is one of broad regulatory compliance, combined with vulnerabilities identified across a significant number of jurisdictions in how compliance and internal audit functions operate in practice. The supervisory dialogue on this topic is not closed by the publication of the report. It is being handed back to NCAs for jurisdiction-specific follow-up.

5. Compliance function: good and poor practices

The Annex to the report lists good and poor practices identified by NCAs during the exercise. ESMA notes that some good and poor practices were similar across compliance and internal audit, and were not repeated under both sections in the interest of brevity. Read together with Section 7 of the report, the Annex is a practical benchmark, not a formal supervisory checklist.

For the compliance function, ESMA records 5 good practices and 12 poor practices.

Good practices identified:

Compliance consultation. The compliance function provides an opinion on policies and procedures (for example, in the context of regulatory changes, the introduction of new processes, or new products and related product governance requirements) before documents are submitted to senior management or the board of directors.

Dedicated IT tools. Tools enabling efficient and traceable interaction between the compliance and operational functions, facilitating ex-post controls, including those carried out by NCAs.

Controls Committee. Establishment of an internal Controls Committee to ensure effective cooperation between the compliance and operational functions, so that compliance requirements are properly embedded in day-to-day operations.

Internal reporting. Internal reports from the compliance function are submitted on at least a semi-annual or quarterly basis to the board. Internal procedures clearly describe how deficiencies should be promptly reported, how remedial actions and their deadlines are defined, and how progress is reported to the board.

Ad-hoc compliance reporting. In addition to regular reporting, the compliance function prepares ad-hoc reports on specific topics triggered by events, news, or regulatory or market developments, with a particular focus on investor protection measures (costs, product governance, marketing, client onboarding, complaints, investment process), and subsequently requests procedural updates and enhanced monitoring of critical activities.

Poor practices identified:

Insufficient follow-up monitoring and progress updates. Compliance matters were reported to the board, but updates on action plan progress and follow-up monitoring were often lacking, leaving compliance gaps unresolved.

Lack of clear recommendations and deadlines. Deficiencies were mentioned in compliance reports but lacked clear recommendations or deadlines.

Lack of documentation. Some minutes of board meetings did not adequately document compliance discussions.

Insufficient focus of the group's compliance function. Where a UCITS manager that is part of a larger financial group relied on the group's compliance function, the group function had prioritised risks identified as relevant at the group level. This resulted in insufficient focus on risks specific to the local UCITS manager. Two issues were identified: manager-specific risks not prioritised in the annual planning, and certain key areas not assessed at all — including risk management, liquidity management, valuation, and delegation.

Inadequate safeguard arrangements for electronic data processing. One NCA identified a failure by a supervised entity to maintain adequate internal control mechanisms and safeguard arrangements for electronic data processing as required under Article 31 of the UCITS Directive and Article 18(1) of the AIFMD. Board documents were circulated without password protection or authentication, which might expose the entity to data breaches.

Restricted access to relevant information. The compliance function had restricted access to relevant information, such as employee remuneration data.

Misallocation of compliance resources. One entity failed to demonstrate that sufficient resources were allocated to the local compliance function, while available resources were instead used to provide advice to other entities within the group.

Lack of tracking non-compliance. The manager failed to systematically track reports of non-compliance.

Insufficient controls with relevance to investment limits. Lack of coverage or responsibility of the compliance function regarding certain risks, especially limited controls with relevance to the manager's ability to ensure compliance with investment limits.

Inadequate controls. Some compliance issues were missed or discovered too late, indicating that the second and third lines of defence had failed to identify and prevent those issues in a timely manner.

Lack of coordination between second and third lines of defence. One entity lacked structural coordination between compliance monitoring and internal audit plans, creating an efficiency gap.

Undocumented and inconsistent risk assessment methodology. The risk assessment methodology that guides the compliance monitoring plan was not always formally documented, and in some cases was applied inconsistently.

6. Internal audit function: good and poor practices

For the internal audit function, ESMA records 1 good practice and 4 poor practices. This smaller list should be read together with ESMA's note that some practices were similar across compliance and internal audit and were not repeated for brevity.

Good practice identified:

Internal audit reporting as a standing item on the board agenda. Some entities put internal audit reporting as a standing item of the board agenda, resulting in more frequent reporting and alignment than legally required and ensuring the board remains consistently and actively involved in internal audit matters.

Poor practices identified:

Lack of quality and clarity of internal audit reports. Some internal audit reports lacked clear descriptions, objectives, scope, and thorough explanations of findings. As a result, senior management or the board could not reliably use these reports for informed decisions or effective follow-up.

Insufficient internal audit details, missed deficiencies and weak follow-up. Some internal audit engagements had overly broad themes, causing controls to lack sufficient detail. The proportionality principle was not always properly applied: it did not adequately reflect the entity's size and significance in the local market regardless of its position within the wider group, and often relied on group-level interpretations of certain regulatory requirements. Certain deficiencies were missed by internal audit and only found during supervisory review. Some weaknesses received neither formal recommendations nor adequate follow-up despite supervisory attention.

Group internal audit policy not applied locally. Where internal audit was entrusted to a group entity, the internal audit policy of the group entity was not formally made applicable to the local entity.

No internal audit coverage of compliance. The compliance function was never made subject to an internal audit.

7. Group reliance and local accountability

Group reliance is a recurring theme in the findings, but the report is not one-sided on it.

On the risk side, ESMA observes that managers that are subsidiaries of banking groups should be aware that the risk assessment methodologies and tools provided by the parent company can potentially lead to underestimating relevant local risks. Managers should not just rely on the group risk assessment, but develop their own risk assessment if the group risk assessment does not properly capture the risks applicable to the business of the manager. The assessment of compliance risks should at least take into consideration the business areas, types of products, types of services, distribution channels and the categories of investors.

On the other hand, ESMA records cases where group internal auditors produced more high-quality reports, and cases where external persons entrusted with internal audit tasks delivered more challenging reports compared to internal audit teams. ESMA also notes that in the case of entities which are part of bank or insurance groups, the use of a strong, independent and well-staffed group-wide internal audit function for periodic audits may actually result in a better control outcome than other arrangements.

Group reliance is therefore not inherently problematic. The issue is whether the local manager can demonstrate that the group framework properly captures its own risk profile, business areas, products, services, distribution channels, categories of investors and applicable rules. Where this is not the case, the local entity needs to develop its own risk assessment and ensure that its compliance and internal audit functions operate effectively, independently and with the necessary authority within the organisation.

What this means in practice: Reliance on a group function is not, on its own, sufficient evidence of effective local oversight. The local manager remains responsible for ensuring that the compliance and internal audit functions operate in accordance with the applicable rules. Where group functions are relied on, the local entity needs to evidence that the local risk profile has been independently assessed and properly covered, and, where reliance is placed on a group internal audit policy, that the policy is formally made applicable to the local entity.

8. Third-party arrangements, delegation uncertainty and internal resources

The CSA also examined arrangements where compliance or internal audit tasks are entrusted to third parties, either specialised providers or entities within the same group.

NCAs reported significant variation across the EU. In some Member States, supervised entities made significant use of third parties for compliance-related tasks. In others, those tasks were fully performed internally.

Some NCAs reported that, where third parties were used, they required structured and documented due diligence — including written and signed contracts or mandates, clear internal responsibility, regular monitoring and formalised reporting. Some NCAs identified weak or insufficient oversight as a recurring issue, especially regarding service level agreements, key performance indicators and evidence of control execution.

A few NCAs noted that external providers can bring specialised compliance expertise, broader market insight and experienced staff, which can be particularly beneficial to smaller managers, while other NCAs did not have the same impression. One NCA specifically highlighted that service providers servicing multiple entities can lead to capacity issues or errors spread across different firms, and that standard contracts often cover only a small number of hours, which may be insufficient in case of significant compliance risks or issues.

An important quantitative point: in some cases where compliance tasks were entrusted to third parties, resource allocations within the authorised manager were well below 1 FTE, raising concerns about the adequacy of internal resources.

NCAs in some jurisdictions also noted that the use of group entities may involve additional risks, notably insufficient tailoring to the specific local business and rules.

NCA feedback indicated divergent national practices on whether arrangements with third parties for compliance or internal audit tasks qualify as delegation pursuant to the AIFMD and UCITS Directive, and on the extent to which internal resources need to be maintained in those cases. ESMA emphasises, however, that managers always remain responsible for ensuring adherence to the applicable rules, including where third parties are entrusted with the performance of tasks related to the compliance or internal audit function.

9. What ESMA encourages NCAs to verify next

Section 7 of the report sets out the areas ESMA encourages NCAs to verify. While addressed to NCAs, this list also functions as a practical reference for managers wishing to anticipate the lines of supervisory enquiry.

ESMA encourages NCAs to verify that:

· Comprehensive internal control mechanisms are in place, including clear reporting lines, compulsory training programmes, regularly updated risk assessments, comprehensive compliance monitoring plans, regular compliance controls and monitoring of remedial actions, and that these mechanisms detect any risks of failure with the obligations under the AIFMD and UCITS Directive.

· Appropriate written documentation and recordkeeping arrangements are in place, including records and logs for monitoring breaches, conflicts of interest and related party transactions.

· The compliance and internal audit functions have the necessary resources in terms of FTEs to perform their tasks properly, and organisational arrangements provide for a strong role of these functions within the organisation.

· Both the compliance and internal audit functions are appropriately consulted before significant strategic decisions, including entering new markets, engaging in new asset classes, setting up new funds, or delegating functions listed in Annex II of the UCITS Directive and Annex I of the AIFMD to third parties.

· The compliance function has the necessary authority within the organisation, and the method of determining the remuneration of the relevant persons involved in the compliance function does not compromise or affect their objectivity.

· There is a clearly defined escalation procedure in the case of disagreements between control functions and operational units.

· The compliance and internal audit functions operate independently from operational functions, taking into account the principle of proportionality, with key risks assessed by individuals who have sufficient knowledge and experience in the relevant matters and who are independent of operational functions.

· The compliance function receives all necessary information (including all periodic reports of risk management and internal audit) and is informed in a timely and documented manner of violations of relevant rules, such as investment limit breaches, in a way that enables it to assess and mitigate the relevant risks.

10. Practical takeaways for UCITS management companies and AIFMs

Read alongside Section 7, the Annex of good and poor practices provides a concrete practical benchmark for firms wishing to assess their compliance and internal audit arrangements against findings from the CSA. Some practical questions worth working through internally:

· Does the compliance function consistently provide a documented opinion on new policies, procedures, products and processes before they go to the board?

· Are compliance reports to the board accompanied by clear recommendations, deadlines and progress updates on previously identified deficiencies?

· Is the risk assessment methodology that drives the compliance monitoring plan formally documented and applied consistently?

· Where the firm relies on a group compliance or internal audit function, is the local risk profile (business areas, products, services, distribution channels, investors and applicable rules) demonstrably covered? Are group frameworks and policies relied upon locally properly adopted, tailored and evidenced at local entity level? Where reliance is placed on a group internal audit policy, has that policy been formally made applicable to the local entity?

· Has the compliance function itself ever been subject to an internal audit?

· Where compliance or internal audit tasks are entrusted to third parties, is the internal resource allocation adequate, and is the oversight (SLAs, KPIs, evidence of control execution, regular reporting) structured and documented?

· Are records and logs maintained for breaches, conflicts of interest and related party transactions, in a form that would withstand supervisory review?

11. Conclusion

The 2025 CSA confirms a picture that is broadly compliant overall, but with vulnerabilities identified by many NCAs in how compliance and internal audit functions operate in practice. The Annex of good and poor practices, read together with Section 7, is the most useful part of the report for managers: it identifies, based on practices reported by NCAs, what works and what does not. Managers that are part of larger groups, or that rely significantly on third parties for compliance or internal audit tasks, should pay particular attention to whether the local risk profile is independently assessed and properly covered, and whether the local entity can demonstrate effective oversight, independence and authority of these two functions.

Know what supervisors are looking for. ESMA's 2025 CSA gives compliance officers, internal auditors and senior managers a practical benchmark to assess their compliance and internal audit arrangements against findings identified by NCAs across the EU and EEA.

Source

ESMA, Final Report — 2025 CSA on compliance and internal audit functions of fund managers (ESMA34-1436284137-2305, 11 May 2026): Full PDF

Legal references: Articles 9–11 of Commission Directive (EU) 2010/43/EU (UCITS implementing directive); Articles 60–62 of Commission Delegated Regulation (EU) 231/2013 (AIFMD Level 2). Article 31 of Directive 2009/65/EC (UCITS Directive) and Article 18(1) of Directive 2011/61/EU (AIFMD) are referenced in the report only in the context of the specific poor practice on inadequate safeguard arrangements for electronic data processing.

Article by Nikolas Demetriades

Published 12 May 2026