ESMA_QA_2839
30/04/2026
Subject Matter
Annually conducted audit under Commission Delegated Regulation (EU) 2016/957
Original question
Under Article 2(5)(b) of Commission Delegated Regulation (EU) 2016/957 (“RTS on STORs”), should the annually conducted audit of arrangements, systems and procedures be performed by an external auditor, or would an internal audit be sufficient? How should the “internal review” mentioned alongside the audit be understood?
ESMA Answer
08-05-2026
Original language
Commission Delegated Regulation (EU) 2016/957 does not explicitly specify whether the annual audit should be external or internal. Therefore, Persons Professionally Arranging or Executing Transactions (PPAETs) and trading venues may conduct the required annual audit either internally or externally. If it is carried out internally, the audit is expected to be performed by an independent function. It is also worth noting that the reference to an internal review should be understood as a complementary exercise to the audit.
Status: Answer Published
Additional Information
Level 1 Regulation
Market Abuse Regulation (MAR) Regulation (EU) No 596/2014 - Market Integrity
Level 2 Regulation
Regulation 2016/957 - RTS on arrangements, systems, procedures and notification templates for preventing, detecting and reporting abusive practices or reporting suspicious orders or transactions
Topic
Prevention and detection of market abuse, including STORs