CASS in point
Dipak Vashi outlines the Financial Services Faculty’s position on CASS audits.
Client Assets Sourcebook (CASS) audits are under the regulator’s microscope. On 6 February, the Financial Services Faculty team reacted to this by holding a webinar detailing the ins and outs of the CASS audit process.
Produced and delivered by the major players in the CASS audit industry and the Financial Conduct Authority (FCA), which is one of the main users of it alongside the Prudential Regulation Authority, the webinar looked to produce a comprehensive and easy-to-digest summary for CASS auditors and firms subject to an audit.
A total of 3,500 CASS audits are currently carried out every year. There is a requirement to audit FCA-registered firms (however, some are out of scope) and our webinar details the process by which firms can decipher whether or not they require a CASS audit. This is a particular focus of the FCA and the Financial Reporting Council going forward as they try to drive standards and quality in the market. The webinar will also prove useful for auditors, who can determine whether their statutory audit clients are subject to a CASS audit.
The planning stage of a CASS audit is key and determines the main aspects of engagement set-up. The auditor must ensure an engagement letter is in place, resource planning has been done and the appropriate permissions are gained, along with many other activities prior to the beginning of audit testing.
Once planning is complete, the risk assessment and testing of controls will begin in earnest. The central premise of a CASS audit is to assess the risk that a breach of the CASS rules would cause the auditor to issue an incorrect opinion. To do this, the auditor must identify and test relevant controls. This testing will ensure that the systems operated by the firm are adequate to allow the firm to meet CASS rules, and a correct opinion to be issued.
A common misconception of CASS audits relates to the format of reporting at the end of the engagement and the type of opinion that is produced. Usually either a ‘limited’ or ‘reasonable’ assurance opinion will be produced, and this will be agreed at the start of the engagement and will guide the depth of the work carried out. As in a statutory audit, the partner or director with responsibility for the work will sign off in their name on behalf of their firm. The reporting of breaches is where it gets complex, and the webinar explains the process around this as well as what happens when an adverse or qualified opinion occurs.
Following the signing of the report and the opinion, the CASS auditor has a duty by law to report to the relevant regulator. The auditor should also ensure any findings and deficiencies are reported to those charged with governance within the firm on a timely and ongoing basis.
However, there are also responsibilities required of the firm that is being audited. The firm should ensure appropriate documentation is in place. This includes a rule-mapping document that highlights all in scope CASS rules to the relevant business area as well as a risk assessment document outlining CASS rules to risks faced. Underlying all of this is the CASS control framework, and the firm’s document that underpins all CASS activity must ensure this is available for the auditor.
Many aspects of a CASS audit require judgement and procedures, and testing needs to be tailored to each individual client. Inevitably, the work involved in the audit will be more time consuming (and costly), but the feedback to the FCA changes has generally been positive.
The FCA has noticed the change too, with clear moves from them to speak to organisations that have received adverse or qualified opinions. As expected, the regulator is asking these organisations what their plans are to fix the issues
and how they’re going to make sure they have the right controls in place in future.
They’ve also been contacting organisations with clean audit opinions and, in some cases, carrying out CASS thematic visits. In some cases, this has happened when an organisation uses a lesser known audit firm, so it is maybe an indication that the FCA is looking at how well firms are considering the knowledge and expertise of their auditor.
One of the key areas for auditors will be the use of technology – automated solutions and cloud-based records – as well as processes for recording, resolving and reporting breaches and errors. Risk and control frameworks and CASS ‘footprints’ will remain a key way for the auditor to understand how client assets arise and are treated in a client business.
We believe the webinar is a useful starting point and handy go-to guide for those wanting to clarify certain issues. The Financial Services Faculty team at ICAEW is fully engaged on CASS, so keep a look out for further material and guides.
Top tips for preparing your next CASS audit:
- Make sure you can explain your business to your auditor and flag how and why CASS does (or doesn’t) affect your business. Remember that while the auditor may have worked with similar firms before, every firm is different where CASS is concerned.
- Make sure your risk and control framework is a living and breathing document throughout the year. And make sure your biggest risks aren’t getting lost in the noise of a massive matrix.
- Perform a health check to ensure your controls are giving you the right level of assurance.
- Appoint key contacts during the audit process to smooth the way for requests, queries and chasing outstanding actions.
- Hire auditors with the right level of CASS knowledge and experience – and make sure you get the people you’ve been sold.
- Complete a total capture exercise and document your CASS ‘footprint’ showing where and how client assets arise.
- Make better use of compliance monitoring to help identify any CASS issues by making sure they’re looking at the right risks and adding value to your operations – remember that you should never hear about a breach during your CASS audit that you haven’t already identified internally.
Source: Bovill, financial services regulatory consultants
About the author
Dipak Vashi, manager, financial services assurance, Financial Services Faculty