ESMA Publishes Final Report on 2025 CSA on Compliance and Internal Audit Functions

Thu 14 May 2026

On 11 May 2026, the European Securities and Markets Authority (ESMA) published its Final Report on the 2025 Common Supervisory Action (CSA) on compliance and internal audit functions of fund managers (Final Report). The CSA assessed how alternative fund managers (AIFMs) and UCITS management companies have implemented the compliance and internal audit requirements under the AIFMD and UCITS Directive and their implementing measures.

The EU-wide review found that most fund managers comply with key requirements. However, the CSA identified governance weaknesses, particularly in the independence of control functions, the quality and implementation of internal policies and in senior management and board oversight. The Final Report also sets out examples of good and poor practices, highlighting where controls were effective and where further strengthening is needed.

Key findings: compliance function

Policies and procedures

NCAs confirmed that entities generally maintain written compliance policies and procedures. However, shortcomings were observed where policies were not regularly reviewed or updated, procedures were not consistently followed and follow up measures were absent.

Larger entities or those within financial groups tended to have more formalised and well-documented policies but often relied on group-level policies not always tailored to local regulatory requirements or business activities. Smaller firms often had minimal documentation, with a small number of entities lacking basic compliance policies.

Resources, independence and expertise

Most NCAs concluded that resource allocations were appropriate. However, resource shortages were identified in some larger firms where staff performed multiple functions and in some cases compliance tasks were outsourced to third parties with manager resources below one FTE. A small number of NCAs identified breaches or vulnerabilities with respect to the independence of the compliance function (and audit functions).

Compliance officers were generally regarded as having appropriate experience and expertise with regular training undertaken. Some NCAs noted the role of compliance in approving the appointment of head of compliance.

Monitoring plans and internal reporting

Most NCAs considered compliance monitoring plans and reporting to senior management or boards to be generally adequate. However, vulnerabilities were identified, including missing elements, weak documentation and inadequate alignment with compliance monitoring plans. Areas for improvement included limited scope of compliance processes, the generic description of activities without specifying the aspects to be reviewed and compliance audit plans not being formalised. Smaller entities tended to produce less detailed or less structured reports and, in some cases, relied on oral reporting.

While monitoring plans generally followed a risk‑based approach, some NCAs identified insufficiently formalised methodologies, risk models that underestimated certain business‑specific risks and limited transparency around escalation triggers. Follow‑up and remediation processes were broadly adequate, though in some cases NCAs observed weaknesses in tracking deficiencies, documenting root‑cause analysis and monitoring remedial actions.

Use of third parties

In some jurisdictions, entities made significant use of third parties for compliance-related tasks, either through specialised providers or group entities. Where third parties were used, some NCAs required structured and documented due diligence, written and signed contracts, clear internal responsibility, regular monitoring and formalised reporting.

Some NCAs identified weak oversight as a recurring issue, especially regarding SLAs, KPIs and evidence of control execution. ESMA noted divergent national practices on whether such arrangements qualify as delegation pursuant to the AIFMD and UCITS Directive and to what extent internal resources needed to be maintained in those cases. ESMA reiterates that managers remain fully responsible for compliance, irrespective of outsourcing arrangements.

Key findings: internal audit function

The majority of NCAs reported that entities established independent internal audit functions with sufficiently knowledgeable and experienced staff. Overall compliance was assessed as good. However, the quality and granularity of internal audit reports varied, and some NCAs observed that senior management and boards did not always demonstrate adequate oversight of internal audit activities or ensure that audits covered risks relevant to the risk profile of activities, with the role of senior management in some cases being too reactive. Some NCAs noted room for improvement on follow-up and remedial measures.

Most NCAs reported that entities use risk-based methodologies and multi-year cycles, with audit plans regularly updated to reflect emerging risks, regulatory changes and past results. However, weaknesses were identified, including insufficient coverage of key areas, risk-based models underestimating specific risks and audit plans lacking transparency on how priorities and risks are assessed.

Some entities rely on external providers or group-level entities for internal audit work. Where third parties were engaged, some NCAs found missing or incomplete documentation including audit handbooks, audit charters or audit plans.

ESMA's views and conclusions

ESMA stressed the importance of effective compliance and internal audit functions supported by clear reporting lines, compulsory training, regularly updated risk assessments, comprehensive compliance monitoring plans, compliance controls and monitoring of remedial actions, appropriate documentation and recordkeeping (such as records for monitoring breaches, conflicts of interest, related party transactions) and sufficient FTEs with organisational arrangements supporting a strong role for these functions.

ESMA further stressed that managers remain responsible for compliance and internal audit functions even where third parties are appointed. It highlighted to NCAs that compliance and internal audit functions should be consulted before significant strategic decisions are taken, that compliance should have the necessary authority within the entity, that their remuneration methodology must not compromise objectivity and that there should be clearly defined escalation procedures for disagreements between control functions and operational units.

Managers that are subsidiaries of banking groups were cautioned against relying exclusively on group-level risk assessments where these do not capture local risks.

Good and poor practices identified

The Final Report includes an annex of good and poor practices identified by NCAs.

Compliance function

Examples of good practice include:

Examples of poor practice include:

Internal Audit Function

Some practices identified for the internal audit function overlap with those above (and vice versa).

Examples of good practice include:

Examples of poor practice include:

Conclusion

While acknowledging the overall positive outcome of the CSA, ESMA encourages NCAs to follow up on breaches and vulnerabilities identified, to understand their root causes and to ensure effective remedial actions are implemented. ESMA will continue promoting exchanges among NCAs on this topic, including through follow-up supervisory actions, to further enhance supervisory convergence across the EU funds sector.

Fund managers should treat the Final Report as a prompt for an internal review of their compliance and internal audit arrangements, and boards and senior management should take a proactive approach to addressing any gaps.

For more information, please contact any member of the Asset Management & Investment Funds team.

Date published: 14 May 2026
