ESMA Identifies Structural Weaknesses in Compliance and Internal Audit Functions
- Miranda Haak
Effective Governance Requires More Than Formal Control Functions
ESMA has published the results of its 2025 Common Supervisory Action (CSA) on compliance and internal audit functions within investment fund managers. While overall compliance was assessed as broadly satisfactory, the review identified significant differences in quality, independence and governance practices across organisations.
What stands out is that supervisors are increasingly moving beyond assessing the mere existence of control functions. Instead, the focus is shifting towards whether these functions operate effectively in practice and contribute meaningfully to governance, risk management and internal control.
The key question is no longer whether compliance and internal audit functions are in place, but whether they are genuinely effective within the day-to-day operation of the organisation.
Findings on Compliance
With regard to compliance functions, ESMA found that monitoring plans often remain too high-level, reporting lacks sufficient depth, and the follow-up of findings is not always clearly documented. In addition, policies and procedures are not always up to date or fully aligned with actual practice.
ESMA also notes that smaller organisations often face challenges in ensuring sufficient resources and maintaining the independence of the compliance function.
According to ESMA, effective compliance functions are characterised by:
- sufficient independence;
- a clear risk-based monitoring programme;
- well-defined escalation procedures;
- periodic evaluation of the compliance function; and
- active involvement of senior management and the governing body.
Findings on Internal Audit
ESMA also identified significant differences in the quality of internal audit functions. In practice, audit methodologies, documentation standards and reporting quality vary considerably across organisations.
In addition, ESMA places particular emphasis on outsourcing arrangements. Both compliance and internal audit activities are frequently outsourced to group functions or external service providers. In some cases, however, organisations lack sufficient local oversight, clear service arrangements or effective monitoring of outsourced activities.
According to ESMA, effective internal audit functions are characterised by:
- a consistent audit methodology;
- independent reporting lines;
- high-quality audit documentation; and
- demonstrable follow-up of audit findings and recommendations.
What does this mean for organisations?
Although the review focuses on investment fund managers, many of the findings are relevant far beyond the financial sector.
An increasing number of organisations are establishing or further professionalising their compliance, risk and internal audit functions, often based on the three lines of defence model.
For these organisations, the ESMA report provides valuable practical insights. Not because its conclusions should be adopted wholesale, but because it highlights the key elements that contribute to effective governance, risk management and internal control.
Key questions for organisations include:
- How independently are compliance and risk functions positioned within the organisation?
- To what extent are monitoring activities genuinely risk-based?
- Are roles, responsibilities and escalation procedures clearly defined?
- And how is the follow-up of findings and recommendations monitored and embedded within the organisation?
A broader supervisory trend
The findings reflect a broader trend in supervisory expectations.
Governance and control processes are increasingly assessed not on their formal existence alone, but on their demonstrable effectiveness in practice.
For board members, compliance officers, risk managers and supervisory board members, this means that the focus is shifting beyond policies and procedures. The key question is whether governance, monitoring and internal control arrangements genuinely contribute to effective decision-making, risk management and organisational resilience.
What Does This Mean in Practice for Your Organisation?
Many organisations invest significantly in compliance, risk management and internal control. The challenge often lies not in drafting policies, but in ensuring that processes, responsibilities and control functions operate effectively in practice.
This is precisely where ESMA's findings resonate with questions many organisations face:
- Are roles, responsibilities and escalation procedures sufficiently clear?
- Do monitoring activities genuinely focus on the organisation's key risks?
- Are compliance, risk and internal audit functions positioned with sufficient independence?
- Are findings and recommendations systematically followed up and documented?
- And is the governance framework both explainable and demonstrably effective?
DUFINCO helps organisations address these questions. Not by applying standardised models, but by translating supervisory expectations into practical solutions that fit the organisation.
This may include:
- assessing governance and control frameworks;
- strengthening compliance, risk and internal audit functions;
- designing or evaluating the three lines of defence model;
- developing risk-based monitoring programmes; or
- improving reporting, escalation and follow-up processes.
In this way, we help organisations ensure that governance and internal control are not only well designed on paper, but also demonstrably effective in practice.
Would you like to discuss what the ESMA findings may mean for your organisation? Please contact us at info@dufinco.nl or call +31 (0)6 512 47 217.
