ESMA reports on Good and Poor Practices in Compliance and Internal Audit Functions Across the EU Funds Sector
meeting of people

ESMA reports on Good and Poor Practices in Compliance and Internal Audit Functions Across the EU Funds Sector

The European Securities and Markets Authority (ESMA) has published the results of its 2025 Common Supervisory Action (CSA) on compliance and internal audit functions of fund managers. While the overall level of compliance was assessed as satisfactory, the review identified several areas where governance, independence, and oversight require further strengthening.

Examples of Good Practices Identified

▪ Compliance monitoring programmes based on formal risk assessments and regularly updated to reflect changes in the business and regulatory environment.

▪ Clear reporting lines and direct access of Compliance and Internal Audit functions to senior management and the Board.

▪ Comprehensive documentation of compliance monitoring activities, findings, remediation actions, and follow-up reviews.

▪ Internal Audit plans developed using a risk-based methodology and covering all material activities over an appropriate audit cycle.

▪ Regular reporting to governing bodies, including key risks, breaches, monitoring results, and remediation status.

▪ Sufficient resources, expertise, and training allocated to control functions.

▪ Well-defined escalation procedures for significant compliance issues and disagreements with business units.

Examples of Poor Practices Identified

▪ Compliance and Internal Audit functions lacking sufficient independence from operational activities.

▪ Policies and procedures that exist on paper but are not effectively implemented or regularly reviewed.

▪ Generic group-level frameworks that are not tailored to the specific activities, risks, and regulatory requirements of the local entity.

▪ Compliance risk assessments that are incomplete, outdated, or not linked to monitoring activities.

▪ Insufficient documentation of monitoring work, findings, and follow-up actions.

▪ Weak oversight by senior management and boards over control functions.

▪ Inadequate staffing and resources to effectively perform compliance and internal audit responsibilities.

▪ Outsourced control functions without sufficient oversight by the regulated entity. ESMA reiterates that responsibility for compliance and internal audit remains with the regulated firm, even when activities are outsourced.


Key Message

One of the strongest messages from the review is that having policies, procedures, and control functions in place is not enough. Supervisors increasingly focus on the effectiveness, independence, documentation, and practical implementation of compliance and internal audit frameworks.

The findings provide valuable lessons not only for fund managers but for all financial institutions seeking to strengthen governance, internal controls, and regulatory compliance. 

2025 Common Supervisory Action (CSA) on the compliance and internal audit functions of fund managers
https://www.esma.europa.eu/press-news/esma-news/esma-identifies-areas-further-supervisory-convergence-compliance-and-internal

Share: 

Related news:

meeting of people

EBA Consults on a Simpler 2027 EU-Wide Stress Test and Introduces Climate Risk Assessment

Business professionals engaged in a strategic meeting in a modern office setting with natural light.

First DORA Incident Report Published by the ESAs

Low angle view of illuminated skyscrapers against a twilight sky, capturing urban architecture and city life.

Basel Committee publishes report on ICT risk management