CASS – audit of IT systems
It is fascinating that 10 years on from the collapse of Lehman Brothers, the Client Assets sourcebook (CASS) is still high on the regulatory agenda.
The Financial Conduct Authority (FCA) has repeatedly scrutinised CASS and enhanced standards, starting with the issuance of ‘PS14/9: Review of the client assets regime for investment business’ in June 2014, followed by the response from the Financial Reporting Council (FRC) with their enhanced standard in ‘Providing Assurance on Client Assets’ which came into effect for periods commencing on or after January 1, 2016 and finally with the Senior Managers and Certification Regime which will come into force for investment managers in 2019.
There is, of course, very good reason for CASS remaining a key area of focus. The tolerance for relying on manual processes and spreadsheets has been waning considerably for some time. The expectation from auditors and the FCA is that automation is to be embraced, as evidenced by the audit scrutiny on systems and control environments.
Integrity of data is fundamental to CASS and auditors will consider how firms mitigate IT risks inherent in systems, in particular when considering the completeness and accuracy of data. Automated controls will be reviewed to ensure that they are operating as expected, including the processing of data, calculations and postings. Controls will be assessed to ensure that they are working effectively and that they result in the desired and expected outputs for CASS reporting. System-generated reports will also be assessed for completeness and accuracy, to confirm that management can rely on them.
IT controls are widespread and can have a significant impact if found not to be effective. The determination of client balances must be accurate and the correct segregation of monies and assets must be maintainable, otherwise CASS breaches can very quickly ensue. The data sourced and used to undertake internal and external reconciliations must be well controlled and, furthermore, validated before the reconciliation process is undertaken. The old adage of ‘rubbish in, rubbish out’ holds true, as not only could the value of client monies and assets be wrong, but the identification of breaks and exceptions could lead to wasted time and effort, as well as the masking of underlying operational issues.
There are many areas to consider and so, in undertaking the audit of IT systems, the FRC stipulated that ‘the use of IT specialists, appropriately trained in the implications of their work for the work of the CASS auditor, should be considered by the CASS engagement leader’. It is fair to say that the approach being taken for the enhanced CASS audit regime will continue to evolve as much for auditors as for firms.
Turning attention now to the FCA – don’t be fooled by the perception that the FCA is purely focussed on Brexit right now. Remember that the FCA will have received a number of less than favourable CASS audit reports since the FRC’s enhanced assurance standard came into play. It is anticipated that some action will arise next year and into 2020, whether that be an increase in site visits by the FCA or an increase in Section 166 Skilled Person Reviews.
The FCA do seem satisfied that the additional scrutiny that is being undertaken during CASS audits is leading to better performance by firms and auditors alike. There will, however, be a consultation soon on the effectiveness of CASS audits and it will be interesting to see if this leads to any further revision of the FRC’s assurance standard. As previously mentioned, the Senior Managers and Certification Regime will come into force for investment management firms in 2019 and so it really is time to optimise your CASS controls and governance framework.
For those who have UK branches, be aware of the consultation paper ‘CP18/29: Temporary permissions regime for inbound firms and funds’ that was issued by the FCA on October 10, 2018. The Government has legislated for a temporary permissions regime to allow relevant EEA firms and investment funds to continue to access the UK market while seeking full authorisation or recognition in the UK. In summary, what this means is that a UK branch could seek temporary permissions under the FCA’s CASS regime, which in turn would see them having to adhere to ‘watered down’ CASS reconciliations and CMAR. The UK branch could then potentially apply for full permission, thereby adopting CASS; otherwise, they would have to adhere to the relevant EEA regulator’s client protection regime. Definitely one to watch as the consultation process unfolds. What this does prove, however, is that the FCA still has CASS very much on their radar.
To conclude, data integrity and controls are paramount to CASS. There are solutions available to help ensure that you have a robust CASS framework in place. The overriding message is clear – start automating now, if you haven’t already – whether CASS is undertaken in-house or you undertake CASS oversight of your third-party provider.