On 11 May 2026, ESMA published its Final Report (the Report) on its 2025 EU-wide Common Supervisory Action (CSA), which reviewed the effectiveness of compliance and internal audit functions in UCITS ManCos and AIFMs.
Scope of the CSA
The NCAs (with which ESMA undertook the CSA) examined whether managers’ compliance and internal audit functions are genuinely effective and independent in practice, with enough seniority, staff and expertise to challenge the business and influence decisions.
They also reviewed how risk‑based these functions are in reality, looking at the quality of policies and monitoring plans, the usefulness of reports to senior management and boards, and whether identified issues are properly documented, escalated and followed up.
Particular attention was paid to situations where work is done by group or third‑party providers, including whether local risks are adequately covered and whether managers retain clear oversight and responsibility for the functions.
Key findings – general
The Report assessed overall compliance as satisfactory, but the NCAs with which ESMA worked to undertake the CSA identified a range of vulnerabilities and some breaches, particularly around independence, documentation and reporting.
Key findings – compliance function
The Report notes that NCAs found most firms to have written policies and broadly defined responsibilities for compliance, but quality and implementation vary significantly by size and complexity.
Weaknesses which were identified included:
- outdated or generic policies;
- insufficiently robust or documented compliance risk assessments;
- high‑level, non‑granular monitoring plans;
- inadequate or infrequent internal reporting to senior management/boards; and
- limited tracking, escalation and follow‑up of deficiencies.
The Report noted resource constraints, especially where compliance staff split roles or where heavy reliance on third parties left internal resources below 1 Full-Time Employee (FTE).
Independence issues were found to arise:
- where remuneration was linked to business performance;
- where compliance lacked access to key information; or
- where group‑level frameworks were not tailored to local risks.
Oversight of outsourced or group compliance was often found to be weak, with gaps in SLAs, KPIs and evidence of control execution.
Key findings – internal audit function
The Report found that most entities have an internal audit function or group/internal alternatives, and levels of formal compliance were generally found to be good. However, the Report notes variable quality and granularity of internal audit reports, with some lacking clear scope, objectives and actionable recommendations.
Weaknesses which were identified included:
- insufficiently risk‑based or transparent audit planning;
- inadequate coverage of key risk areas (including, in some cases, no internal audit of the compliance function);
- unclear roles and responsibilities for developing audit plans; and
- weak or poorly formalised follow‑up and feedback processes to operational functions.
Where internal audit tasks were performed by third parties or group entities, NCAs often found missing or incomplete audit charters, handbooks and documentation of audit plans.
Some firms invoked proportionality to avoid establishing an internal audit function, but NCAs questioned this where business models or group structures suggested a need for stronger independent assurance.
Regulatory breaches and vulnerabilities
Only a limited number of NCAs reported actual breaches, mainly relating to the independence of compliance and internal audit functions and incomplete reporting to senior management. In contrast, a large number of NCAs identified vulnerabilities across a significant proportion of entities, including missing or incomplete internal audit documentation, lack of structured risk‑based approaches, inadequate safeguards for electronic data processing, misallocation of compliance resources within groups, and poor coordination between second and third lines of defence.
Next steps
Most NCAs plan firm‑specific follow‑up (letters, meetings, requests for remediation) and broader industry communication, with only a minority anticipating enforcement action.
ESMA urges NCAs to focus on strengthening independence, resourcing, risk‑based planning, documentation and oversight of third‑party/group arrangements, while reminding managers that they remain ultimately responsible for their compliance and internal audit functions.





