Many firms have now begun to experience CASS audits under the new FRC standards, with varying degrees of pain being felt. Others have their first audit under the new standards yet to come. If you’re in the latter camp, is there anything you can do to ease the pain when the time comes? There’s plenty you can do – preparation is the key to a smooth-running CASS audit and a happy auditor, and will also play a big part in how costly your CASS audit is.
There are a number of key areas that all auditors will cover in their requests for information, and having documents ready in a clear, comprehensible format will make your life (as well as theirs) much easier:
- Explain your business at a CASS level
In many cases, your auditor will already be familiar with your business, but describing and explaining it clearly in CASS terms will not only make their work easier but will mean that irrelevant questions and work are avoided, keeping your audit invoice as low as possible. You should have documentation ready to provide that sets out what the firm does, how it earns money, how transactions are carried out and where the flows of money and assets are. Process maps and visual aids are really useful for this. It’s also worth clearly setting out any intra-group interactions on the CASS front as well as the role of any sub-custodians or third-party administrators.
- CASS rule and risk analysis
Different auditors will give this a different name (‘map’ or ‘matrix’ being the terms we’ve seen most often) but ultimately, what they’re hoping to see is a clear analysis setting out which rules apply to the firm (and which don’t) and why. The logical next step is to consider and document the risk each applicable rule presents to the business and what controls are in place within the firm to manage that risk. The auditor is also likely to ask for the methodology for preparing the rule and risk analysis, including the process for assessing severity and likelihood of risk.
- CASS systems and controls
If you can provide policies and procedures that set out all CASS systems and controls (not just those that the rules require policies and procedures for) in place within the business, that’ll save time explaining things to the auditor and will mean less work for them to produce their assessments. Remember that the documents should be written in a way that explains how the processes ensure compliance with the regulatory requirements and should be understandable by an external party. Remember: the less time the auditor has to spend on getting to the bottom of your controls, the less costly the audit is likely to be.
- Culture and Governance
One of the most difficult things to demonstrate in any area of compliance is that the firm has a compliant culture. How can you demonstrate that the firm has a culture of honesty and ethical behaviour with respect to CASS? How do you prove the effectiveness of the CF10a? What tone does the Governing Body set in terms of CASS compliance? How have they equipped themselves to understand what the key risks are? Another key area here is the breach identification, reporting, monitoring and resolution processes. You’ll need to demonstrate that the firm deals with breaches in a way that ensures that they will be identified and given appropriate priority. At a more basic level, you’ll need to be able to explain the governance structure to the auditor including CASS roles, responsibilities and reporting lines, setting out attendees and terms of reference for any relevant committees or working groups. Don’t forget easy wins like making sure CASS responsibilities are documented in role descriptions and thinking about how performance of those responsibilities is assessed in appraisals.
- How does CASS risk and control work in your firm?
The auditor will want to know what roles the CF10a, Compliance and Internal Audit play in the oversight of CASS controls. A key part of this will be demonstrating that the roles are independent of but aligned with each other. You should be ready to provide information around how the CF10a has carried out their function in the period, including how they have reported to the Board on the processes in place. You will also need to give information about the CASS activities of Compliance and Internal Audit, including what risk assessments they have done, any breaches or issues identified and how they were reported and dealt with. You should also be ready to explain how the results of Compliance and Internal Audit CASS reviews are fed into the firm’s CASS risk assessment.
If you would like help preparing for your CASS Audit, please get in touch. Good preparation can save you time and money in the end.