ESMA CSA on compliance and internal audit functions: key takeaways for fund managers

On 11 May 2026, ESMA published its final report on the 2025 Common Supervisory Action (CSA) assessing the effectiveness of compliance and internal audit functions across UCITS management companies and AIFMs. The exercise, conducted with all EU and EEA national competent authorities (NCAs), aimed to evaluate adherence to AIFMD and UCITS requirements and to promote supervisory convergence. 

The overall conclusion is positive: most fund managers comply with core regulatory requirements. However, ESMA highlights some governance weaknesses, notably around independence, resourcing, and practical effectiveness of control functions, as well as inconsistencies between documented policies and their real-world implementation.  

Good vs. Poor Practices Identified 

Supervisors identified several practices that contribute to robust governance frameworks: 

• Prior involvement of the compliance function in the review of policies and procedures  
• Use of dedicated IT tools enabling efficient and traceable interaction between compliance and operational functions 
• Establishment of internal ‘Controls Committees’ to foster effective collaboration between compliance and operational functions and ensure compliance requirements are properly embedded in day-to-day operations 
• Regular internal reports by the compliance function to the board of directors (at least semi-annually or quarterly) 
• Clearly defined internal procedures describing how deficiencies should be promptly reported, how remedial actions and deadlines are set, and how progresses are monitored and reported to the board of directors on a regular basis 
• Preparation of ad-hoc reports on specific topics triggered by events, news, regulatory developments or market changes, followed by appropriate procedural updates and enhanced monitoring of critical activities 
• Inclusion of internal audit reporting as a standing item on the board agenda (to ensure that the board remains consistently and actively involved in internal audit matters) 

Conversely, ESMA observed recurring weaknesses across jurisdictions: 

• Insufficient follow-up monitoring and progress updates 
• Lack of clear recommendations and defined deadlines 
• Lack of documentation 
• Insufficient focus of the group's compliance function 
• Weak safeguard arrangements for electronic data processing 
• Restricted access to relevant information 
• Misallocation of compliance resources
• Lack of tracking of non-compliance events 
• Insufficient controls relating to investment limits 
• Inadequate controls frameworks overall 
• Lack of coordination between second and third lines of defense 
• Undocumented and inconsistent risk assessment methodologies 
• Poor quality and lack of clarity in internal audit reporting 
• Insufficient internal audit details, missed deficiencies and weak follow-up 
• Group internal audit policies not properly implemented at local level 
• Absence of internal audit review of the compliance function 

These shortcomings suggest that, in some firms, compliance and internal audit still operate as “tick-the-box” functions rather than as strategic enablers of risk management.  

Key areas of focus for fund managers

Based on ESMA’s findings, several priority areas require immediate attention: