CASS Audits – Lessons learnt and hotspots
9 March 2018
It’s more than two years since the Financial Reporting Council (FRC) published its updated Standard for audit firms on Providing Assurance on Client Assets to the FCA. By now, every firm has had at least one CASS audit under the new standard and it’s fair to say that most firms have seen a significant difference. The approach taken by auditors across the board – Big Four and others – has drastically changed. Audits are more intrusive and more control focused; a definite move away from the old ‘box-ticking’ exercise.
Our clients and contacts tell us that the new audit standard has resulted in them needing to devote significantly more time and resource to the audit process. It has also increased the cost of audits by 50% on average. But the overwhelming feedback we’ve had is that firms have generally found the new-style audits to be beneficial, adding value to their business.
The FCA has noticed the change too: we’ve seen clear moves from them to speak to firms who’ve received adverse or qualified opinions. As you’d expect, they’re asking firms what their plans are to fix the issues and how they’re going to make sure they have the right controls in place in future. They’ve also been contacting some firms with clean audit opinions and, in some cases, carrying out CASS thematic visits. It’s noteworthy that the cases we’ve seen where that’s happened have been where the firm is using a lesser-known audit firm, so this may be an indication that the FCA is looking at how well firms are considering the knowledge and expertise of their auditor.
Recurring themes in the new audit standard
Key themes we’ve seen in the new style CASS audits include:
- Total capture – auditors expect a clear explanation of how client money and assets arise in a firm; if this isn’t documented, they need to obtain this information through staff interviews
- Risk and control framework – most auditors expect to see a line-by-line analysis of how the CASS rules apply to a firm, with risks and controls clearly mapped to the rules
- Outsourcing – auditors are examining the oversight of functions outsourced to third parties, checking that firms have a good understanding of the processes followed and the ownership of responsibilities
- Internal records – some firms are coming unstuck with their internal records because they are polluted by external data feeds or, in the case of outsourced functions, it is unclear who is the legal owner of the records
- Prudent segregation – confusion about the difference between prudent segregation and prefunding is getting some firms in a pickle with their auditors
- Mandates – auditors are taking a closer look at assertions by firms who say they have no CASS 8 mandates, checking for direct debit instructions and such
- Staff skills and experience – the CASS knowledge of the first, second and third lines of defence is being examined.
Bovill insight: making your next CASS audit a success
This more intrusive audit approach is here to stay. And the wealth of data it’s creating will keep CASS a priority focus for the FCA.
We think the hot topics for auditors this year will include the use of technology – automated solutions and cloud-based records – as well as processes for recording, resolving and reporting breaches and errors. Risk and control frameworks and CASS ‘footprints’ will remain a key way for the auditor to understand how client assets arise and are treated in your business. They are also a good way for you to reduce the time and effort (and hopefully the cost!) of your audit, by giving your auditor clear and useful information.
Here are some tips from our Bovill CASS team on preparing for your next CASS audit:
- Make sure you can explain your business to your auditor and flag how and why CASS does (or doesn’t) impact your business. Remember that whilst the auditor may have worked with similar firms before, every firm is different where CASS is concerned
- Make sure your risk and control framework is a living and breathing document throughout the year. And make sure your biggest risks aren’t getting lost in the noise of a massive matrix
- Perform a healthcheck to ensure your controls are giving you the right level of assurance
- Appoint key contacts during the audit process to smooth the process for requests, queries and chasing outstanding actions
- Hire auditors with the right level of CASS knowledge and experience – and make sure you get the people you’ve been sold
- Complete a total capture exercise and document your CASS ‘footprint’ showing where and how client assets arise
- Make better use of compliance monitoring to help identify any CASS issues by making sure they’re looking at the right risks and adding value to your operations – remember that you should never hear about a breach during your CASS audit that you haven’t already identified internally.
Bovill doesn’t do CASS audits, but we can help with all other aspects of CASS. Contact us if you’d like to ask us something – we love a tricky question!