The FCA's Client Assets Sourcebook (CASS) provides rules for firms to follow whenever the firm holds or controls client money or safe custody assets, helping to ensure the safety of client money and assets if the firm fails and/or leaves the market. There are two types of audit:
- A reasonable assurance opinion on whether the firm has systems and controls to meet the requirements of the CASS rules.
- A limited assurance opinion, which applies to firms that don't intend to (and claim not to) hold client assets and where the auditor will effectively provide an opinion that nothing to the contrary has come to their attention.
The assurance standard published in 2015 was the first consistent assurance standard for client assets. A revised standard for the audit of client assets, issued by the Financial Reporting Council, was published in November 2019 and came into effect on 1 January 2020.
Key developments include updates to reflect changes to regulation and the scope of the regime since it was first issued, and the strengthening of reporting requirements to those charged with governance. The revised audit standard also places more emphasis on firms being able to document how their IT and system controls comply with the CASS rules, expanding the scope of CASS audits. The increased scrutiny surrounding CASS audits means that many areas of a firm – several of which may not immediately spring to mind when considering the CASS rules – are now under the microscope.
What are some common challenges encountered with the 2015 CASS audit standard?
The rules are complex. The rulebook has developed over decades and is applied to companies from across the financial services sector, so there is no one-size-fits-all approach. The 2015 CASS audit standard led to firms needing to develop detailed CASS risk and control assessments. This has been an increased burden on firms. However, in my opinion, the additional focus has led to an increase in management-identified breaches or control deficiencies in the first years under the new standard.
It would be unusual for firms with a sizeable CASS business to have a completely clean opinion given the complexity of the rules. The zero materiality reporting threshold means that even the smallest error has to be reported, so a qualified opinion could be generated by an error of just a few pounds in a billion-pound business.
What constitutes a breach – and what approach should firms be taking to breaches?
In its simplest form, a breach is a failure to comply with a CASS rule. This could be a failure to undertake due diligence on a bank with which the firm has placed client money, although many errors arise from failures in record-keeping.
Firms should have preventative and detective systems and controls in place, and quality assurance processes are also vital. They also need to determine the severity of each breach, which needs to be logged along with details of its remediation plan, and assess whether they need to immediately notify the FCA.
About the expert
Richard Andrews is a financial services partner at KPMG.
How do the revisions address these issues?
One area in which the revisions will help is that it has been clarified that the auditor can use internal audit work as part of its planning and risk assessment.
The second area in which the audits could become more efficient is that the revisions are much more explicit around the use of service organisation reports. The challenge there is to ensure that these reports evolve so that they are sufficiently granular.
Is there a lack of knowledge and experience among audit staff with regard to CASS?
Client asset rules affect many different disciplines, so greater awareness across firms would help, as would specific training for reconciliations teams. This would help ensure that the auditor and the firm being audited are speaking the same language.
What can firms do to ensure a stress-free CASS audit, based on lessons learnt to date?
Best practice is to implement detailed rule-to-risk control frameworks that should be reviewed annually.
Firms need to look at the risks they are addressing, how frequently their controls are applied and whether they are detective or preventative to identify controls that might need to be tightened. It is also important to take account of changes to the business and regulations.
The level of documentation firms undertake around processes and controls has increased in recent years and the more straightforward the documentation, the easier it is for the auditor to see what is going on. It might also be useful to appoint someone to act as liaison between the auditor and the various teams within the firm.
This article was originally published in the June 2020 flipbook edition of The Review.