
ESMA’s review: Key findings on compliance and internal audit in FMCs

May 22, 2026

Advisory

ESMA has published its final report on the 2025 common supervisory action (CSA) conducted with national competent authorities (NCAs) on the compliance and internal audit functions of AIFMs and UCITS management companies (FMCs) (the Report). The CSA assessed supervised entities’ adherence to the key AIFMD and UCITS requirements relevant to those functions, including Articles 9 - 11 of Commission Directive (EU) 2010/43/EU and Articles 60 - 62 of Commission Delegated Regulation (EU) 231/2013. Most NCAs used a desk-based review, complemented by on-site inspections.

The Report, published on 11 May 2026, concludes that, although most NCAs rated overall compliance as satisfactory, the CSA identified recurring weaknesses, which were more pronounced in some jurisdictions than others. Reported issues included concerns around the independence of compliance and internal audit, incomplete reporting to senior management, gaps in internal audit documentation, weak compliance risk assessments and insufficiently structured, risk-based approaches to identifying and addressing compliance risks.

Key findings - compliance function

The Report identifies the following key findings and areas of focus in relation to the compliance function:

Policies and procedures

Supervised entities generally maintained written policies and procedures covering the core responsibilities of the compliance function. However, the CSA found that policies were not always regularly updated or reviewed, procedures were not consistently followed and appropriate follow-up measures were not always in place. Many NCAs noted a correlation between the size and maturity of the organisation and the solidity of its compliance framework: larger entities tended to have more formalised documentation but often relied heavily on group-level policies not tailored to the local regulatory environment, while smaller firms in some severe cases lacked basic compliance policies.

Independence and resources

A small number of NCAs identified breaches or vulnerabilities with respect to the independence of the compliance function. The majority of NCAs confirmed that remuneration frameworks prevent undue links to business performance and are designed to safeguard independence. Most NCAs concluded that resource allocations in terms of full-time employees (FTEs) were appropriate. However, a few NCAs identified resource shortages, especially where compliance staff split their time across multiple functions or where compliance tasks were entrusted to third parties, with internal resources well below 1 FTE, raising concerns about their adequacy.

Compliance monitoring plans and internal reporting

Compliance monitoring plans sometimes lacked sufficient granularity, with themes formulated at a relatively high level, limiting the assessment of specific risks and reducing the ability to provide focused, actionable recommendations. Internal reports were found in some cases to contain missing elements, weak documentation or inadequate alignment with the compliance monitoring plans. Smaller entities tended to produce less detailed and less structured reports and, in some cases, relied on oral rather than written reporting.

Organisational setup and use of third parties

The CSA revealed different market practices across the EU regarding the organisational setup of the compliance function. In some member states, supervised entities made significant use of third-party providers or group entities for compliance-related tasks, whilst in others all tasks were performed internally. Where third parties were used, some NCAs identified weak or insufficient oversight as a recurring issue, particularly regarding SLAs, KPIs and evidence of control execution. The Report also highlights divergent national practices on whether arrangements with third parties for compliance tasks qualify as delegation pursuant to the AIFMD and UCITS Directive, though FMCs always remain responsible for ensuring adherence to the applicable rules.

The Report includes an annex of good and poor practices identified by NCAs, as summarised below.

Good practices examples - compliance function

  • Provide input before policies or procedures are submitted to senior management or the board (particularly for regulatory changes, new processes or new products).
  • Dedicated IT tools support efficient, traceable interaction between compliance and operational functions, including ex-post controls.
  • An internal ‘Controls Committee’ supports effective cooperation between compliance and operations so that compliance requirements are embedded in day-to-day activities.
  • Compliance reports are submitted to the board at least semi-annually or quarterly, with clear remediation actions, deadlines and progress reporting.
  • Ad-hoc compliance reports address specific issues arising from events, news, regulatory or market developments, particularly investor protection matters.

Poor practices examples - compliance function

  • Insufficient follow-up and board reporting on compliance issues (leaving gaps unresolved).
  • Lack of clear recommendations or remediation deadlines in reporting.
  • Group compliance functions do not sufficiently focus on entity-specific risks, leaving key areas such as risk, liquidity, valuation and delegation under-assessed.
  • Compliance has restricted access to relevant information, such as remuneration data.
  • Local compliance resources are diverted to advising other group entities instead of the local function.
  • Reports of non-compliance are not systematically tracked and compliance monitoring is not coordinated with internal audit plans.
  • The risk assessment methodology for the compliance monitoring plan is undocumented or inconsistent.

Key findings - internal audit function

The Report identifies the following key findings and areas of concern in relation to the internal audit function:

Establishment and independence

The majority of NCAs reported that supervised entities established independent internal audit functions with sufficiently knowledgeable and experienced staff. However, several NCAs noted that some entities assessed did not maintain an internal audit function at all, citing the proportionality principle. In those cases, entities often relied on alternative arrangements such as assigning internal audit responsibilities to the board of directors or making use of a group-wide internal audit function. 

Audit planning and reports

The majority of NCAs reported that entities used risk-based methodologies and/or multi-year cycles and that audit plans are regularly updated to reflect emerging risks, regulatory changes and past results. However, some NCAs identified weaknesses in risk-based planning, including insufficient coverage of key areas and use of risk-based models that underestimate specific risks related to the FMC’s business model. Audit plans sometimes lacked transparency on how priorities are set and how risks are assessed. Regarding the quality of internal audit reports, these were overall satisfactory, though quality and granularity varied. Some NCAs reported that senior management and boards were not always able to demonstrate how they oversee internal audit activities or ensure audits were performed on areas relevant to the risk profile of activities.

Use of third parties for internal audit

A significant number of entities relied on external service providers or group-level entities for internal audit work. Where FMCs relied on third parties, some NCAs found missing or incomplete internal audit handbooks, audit charters or documentation of internal audit plans. As with the compliance function, divergent national practices exist on whether third-party internal audit arrangements qualify as delegation pursuant to the AIFMD and UCITS Directive.

Good practices examples - internal audit function

  • Internal audit is a standing board agenda item, promoting more frequent reporting and active board oversight.

Poor practices examples - internal audit function

  • Internal audit reports lack clarity, scope or adequate explanation of findings, limiting their usefulness for decision-making.
  • The proportionality principle is misapplied and some deficiencies are missed by internal audit and only identified by supervisors.
  • Group internal audit policies are not formally applied to the local entity and the compliance function is never audited.

ESMA’s views and recommendations

ESMA emphasises that FMCs must maintain effective compliance and internal audit functions in line with the AIFMD and UCITS frameworks. The Report then sets out the following recommendations for NCAs and, indirectly, market participants:

  • Internal control mechanisms: NCAs should verify that comprehensive internal control mechanisms are in place, including clear reporting lines, compulsory training programmes, regularly updated risk assessments, comprehensive compliance monitoring plans, regular compliance controls and monitoring of remedial actions. Appropriate written documentation and recordkeeping arrangements (such as records and logs for monitoring breaches, conflicts of interest and related party transactions) should also be maintained.

  • Resources and authority: ESMA stresses, without prejudice to the principle of proportionality, the importance of ensuring that the compliance and internal audit functions have the necessary resources in terms of FTEs to perform their tasks properly and that organisational arrangements provide for a strong role within the organisation. The compliance function must have the necessary authority and remuneration must not compromise objectivity. There should be a clearly defined escalation procedure in the case of disagreements between control functions and operational units.

  • Consultation before strategic decisions: FMCs should appropriately consult the compliance and internal audit functions before taking significant strategic decisions, such as entering new markets, engaging in new asset classes, setting up new funds, or delegating functions under Annex II of the UCITS Directive and Annex I of the AIFMD.

  • Group-level risk assessments: FMCs which are subsidiaries of banking groups should be aware that risk assessment methodologies and tools provided by the parent company can potentially lead to underestimating relevant or local risks. FMCs should develop their own risk assessment where the group assessment does not properly capture the risks applicable to their business. The assessment of compliance risks should at least take into consideration business areas for the establishment of the compliance monitoring plan, types of products, types of services, distribution channels and categories of investors.

Next steps

ESMA will continue promoting engagement among NCAs on the supervision of compliance and internal audit functions with a view to promoting convergence. ESMA has reiterated that FMCs always remain responsible for ensuring that the compliance and internal audit functions operate in accordance with the applicable rules. The majority of NCAs have indicated that they do not envisage enforcement action at this stage, given the overall satisfactory level of compliance, but ESMA expects NCAs to use their full enforcement powers where appropriate.

NCAs have indicated that they intend to follow up through bilateral communications, requests for remediation or additional information, meetings with FMCs where gaps were identified and broader engagement with industry. We expect the Central Bank of Ireland to consider similar steps and will monitor for any communication. 

If you have any queries on the content of this advisory and/or the impact that it may have on you and your business, please speak to your usual contact or connect with any of the key contacts listed below.

Asset Management & Investment Funds, Ireland

Authors

  • Emmet Quish, Partner, Ireland. T: +353 1 470 6652, M: +353 87 035 4749
  • Joe Mitchell, Senior Associate, Ireland. T: +353 1 470 6649, M: +353 86 605 6591

Key contacts

Get in touch with our team

  • Nicholas Blake-Knox, Managing Partner, Ireland. T: +353 1 470 6669, M: +353 87 738 2417
  • Damien Barnaville, Partner, Ireland. T: +353 1 863 8529, M: +353 87 970 3726
  • Aongus McCarthy, Partner, Ireland. T: +353 1 470 6624, M: +353 86 136 2936
  • Emmet Quish, Partner, Ireland. T: +353 1 470 6652, M: +353 87 035 4749
  • Claire Winrow, Partner, Ireland. T: +353 1863 8539, M: +353 86 1927376
  • Jennifer Brady, Of Counsel, Ireland. T: +353 1 470 6647, M: +353 86 041 5373
  • Eimear O'Flynn, Of Counsel, Ireland. T: +353 1 863 8516, M: +353 86 7914 354
  • Michael Dyulgerov, Of Counsel, Ireland. T: +353 1 470 6683, M: +353 86 040 4092
  • Joe Mitchell, Senior Associate, Ireland. T: +353 1 470 6649, M: +353 86 605 6591


All rights reserved - © 2026 Walkers Global