The annual CASS audit always presents significant challenges for firms holding client money or custody assets.
Investment firms are required by the Handbook to send a client assets report to the regulator on an annual basis. This report must be prepared and provided to the FCA by an appropriately qualified external auditor, in line with prescribed requirements.
While business-as-usual servicing of client assets places consistent daily pressure on firms, the additional workload required to facilitate a comprehensive audit adds further strain to already stretched resources. Nevertheless, a successful and positive audit is an essential tick in the box for a firm’s governance, operational processes, systems, and controls.
Understanding FCA requirements
The first step to a successful CASS audit is a thorough understanding of Chapter 3 in the FCA’s Supervision Handbook (SUP), which details the requirement for firms to select and appoint an appropriate auditor. The chapter also lays out the FCA’s expectations of auditors, including the contents of the client assets report. Within the chapter, firms will find details of the type of report that is required (i.e. limited or reasonable assurance), dependent on the firm holding client money or custody assets during the reporting period.
The FCA makes it clear that client assets reports, which are submitted within four months of the end of the reporting period, are an important aspect of its monitoring and supervisory work, providing valuable and timely insights into a firm’s arrangements for the protection of client assets.
As stated in the Dear CEO letter issued to firms in September 2020: “We will continue to conduct assessments of firms’ client assets arrangements, and review the annual independent external auditors’ client assets reports.” The importance of CASS audits and client assets reports is therefore not lost on firms.
What steps can firms take to help achieve a successful CASS audit?
1. Allocate sufficient resources to prepare
Whilst resource allocation is always a challenge, firms must ensure sufficient time and resources are dedicated to working with their auditor. Allowing enough time to perform walk-throughs of key operational processes in particular will benefit both the firm and the auditor. While handling these sessions remotely has proved challenging over the last two years, many have derived benefit from virtual meetings as functionalities, such as multi-way screenshare, which is often more productive than four people huddled around a single monitor on an office floor.
Regardless of how firms choose to approach this, informative and interactive walk-throughs will be instrumental to ensuring the auditor understands the processes under review, which should in turn limit the need for follow-up and clarification.
2. CASS rule and control mapping
Rule, risk, and control mapping is another important element of the CASS audit. Firms should strive to provide their auditor with a well-documented CASS environment, which details both in-scope and out-of-scope rules, the associated risks, and the controls in place to mitigate them. Reviewing and maintaining this environment throughout the year is vital to start the audit on the correct footing.
The ongoing review and maintenance of this environment during the year is therefore vital to starting an audit on the correct footing. This information allows your auditor to identify the key controls for testing, to allow them to form the basis of their opinion. A firm’s oversight and governance of their CASS arrangements can also be demonstrated via regular review and attestation of these key controls.
3. Regularly record errors and breaches
Because the auditor will conduct a thorough review of a firm’s breach log, the information firms record and document as part of their error and breach process is equally important for informing the CASS audit. It is therefore vital to record quality information to understand how mistakes occurred and how they were fixed. Firms will need to regularly review and oversee breaches during the year to ensure the relevant information for the full reporting period is available. Tracking and resolving actions identified as a result of breaches is also key for demonstrating where a firm has learned and enhanced processes and controls.
Maintaining oversight of errors and breaches is a critical aspect of a high-quality client assets report in the eyes of the regulator. As the breaches schedule will be provided as part of the submission, clear and concise detail regarding each breach is vital for helping the FCA’s understanding. This is also true of breaches identified and described by the auditor during the review process.
The rules within the Supervision Handbook describe the FCA’s expectations for firms to review and respond to the breaches identified within the report. This is an important element of demonstrating to the regulator that, while breaches do occur, the firm has either taken action to remediate the breach or has plans in place to do so. This should be done in response to the auditor’s draft report and therefore ahead of submission to the FCA.
The bottom line
The audit process is always a challenging one for firms, but it should be viewed as a valuable task for ensuring their suitability to meet regulatory requirements. Whether this be through the identification of issues, or as confirmation that current processes are sufficient, firms must use the process to the benefit of their operations. As the handbook states: “The FCA expects a firm to use the client assets report as a tool to evaluate the effectiveness of the systems that it has in place for the purpose of complying with requirements.”