Selecting the right safeguarding auditor

The FCA’s guidelines for payment and e-money firms highlight the importance of selecting an auditor with the right skillset, and it’s clear the easy choice is not always the best one.

Innovation in technology has accelerated the growth of the payments and e-money sector, which is increasingly popular with consumers. The risks associated with early-stage companies combined with current economic uncertainty make the sector vulnerable to insolvency and, with a lack of consumer protection from the FSCS, that vulnerability puts it squarely in the FCA’s sights. The latest Payment Services and Electronic Money approach document outlines several areas where they expect to see improvements – and audit remains key.

Although your statutory auditor may know your accounts, they may be less familiar with the specific safeguarding arrangements at your firm and which safeguarding regulations and guidance they should audit.

Audit requirements

To become authorised, e-money institutions (EMIs) and payment service providers (PSPs) need to satisfy the FCA that they have adequate internal control mechanisms to comply with safeguarding requirements. In their guidance on Covid-19 and safeguarding customer funds, the FCA clarified that they expect firms to audit their processes annually to remain compliant with safeguarding requirements. However, two years on, we’re still hearing from firms that are unaware of this expectation or when it comes into force.

The auditor is also expected to provide an opinion on whether the firm’s safeguarding arrangements have adequately met the FCA’s expectations during and at the end of the audit period. These safeguarding audits can be performed by compliance consulting firms with experience and expertise in safeguarding as well as by audit firms.

What to look for in your auditor?

The FCA has been clear in its expectation that firms must exercise skill, care and diligence in selecting and appointing their auditors. But how do you choose your safeguarding auditor? Here are a few helpful tips on what to look for.

Audit experience and safeguarding knowledge

Both components are equally important and should be considered separately. Although there are benefits to using your statutory auditor, don’t assume that they have the relevant knowledge to undertake your safeguarding audit. Safeguarding is a specialised type of regulatory audit and works in a vastly different way to statutory audits.

The first step is to look at whether your prospective auditor can run an audit with a clear and consistent risk-based methodology.

The second step is to assess their knowledge of the requirements. A lack of knowledge means your auditor wouldn’t understand where risks lie or what types of incidents to look out for. A failure to apply the appropriate risk-based approach to the safeguarding audit can result in over-testing, straining your resources, and/or insufficient focus on high-risk areas due to tight deadlines.

If they understand the requirements, your auditor would be able to spend more time on high-risk areas, making the audit focused, efficient and proportionate.

The third step is to ask your potential auditor for a breakdown of the reports they have issued in the last year. This will indicate what proportion of their opinions were clean, with findings or adverse.

Don’t take comfort in seeing a substantial proportion of clean reports. The FCA recognises that there will be instances where controls fail, or specific situations arise where a breach would have been inevitable. A clean report can sometimes be seen as an indication that the audit has been lacking.

You can do all this within your tender window. Don’t be afraid to ask your potential auditor some probing questions, such as:

  • What is your audit methodology?
  • How does your safeguarding audit methodology differ from your statutory methodology, or even your CASS methodology?
  • How many PSPs or EMIs have you audited?
  • How many of your reports are clean? Have you had clean reports for two consecutive years on the same firms? Why is that?

Sector and business understanding

It’s important that your auditor is familiar with the market sector you operate in and with your business model, including the services you offer.

Understanding your firm’s sector and business model will allow your auditor to have a benchmark of good practices and common issues faced by similar businesses. This will allow them to challenge the design of your safeguarding arrangements while providing proportionality and consistency in their findings.

If you are still in your tender process, note which firms have asked you about your offerings, the nature of your transactions, the complexity of your group structures and your transaction flows. This is a good indication that your auditor understands the importance of this knowledge to build a proportionate plan.

If you already have an auditor, go back to your last audit and check whether they took the time to gain this understanding during the planning stages.

Audit plan and delivery model

The audit plan needs to consider the complexity of your arrangements and be proportionate to them. It should include the scope, timing and direction of the consultation.

Your auditor should also allow sufficient time for planning (including understanding the business and key processes in depth), gathering evidence, testing, and raising findings with you. This information is always easier to access for your current auditor, as you would have the hands-on experience in how this is applied.

During the tender phase, don’t be afraid to ask questions on the audit timelines and how time is usually allocated between the key phases of the audit. You can then compare this between firms and evaluate if it would be appropriate for your arrangements.

Currently, there are no deadlines published by the FCA on when audit reports need to be submitted. However, the ICAEW factsheet from 24th November 2021 notes that it’s reasonable for opinions to be submitted within four months of the period end date to mirror the CASS regime.

For example, taking the above guidance as best practice, the report needs to be signed within four months after the end of your reporting period. But if the auditor proposes to commence the audit one month before the audit report is due, then this may not be a feasible deadline. It’s therefore important to consider whether the timeline proposed by the auditors is appropriate.

Unreasonably short audit turnarounds can:

  • Put undue stress on your staff with quick turnaround deadlines, which will divert time from performing business-as-usual safeguarding controls and expose your firm to a higher risk of human error in your processes.
  • Result in incomplete testing or omission of controls or areas, thus bringing in higher audit risk (with exceptions not being captured due to the way sampling is performed).
  • Result in insufficient time to discuss and challenge findings.

Consider how your auditor will communicate their findings. If these are communicated in a timely manner, you will have appropriate time to challenge them by considering and verifying their factual accuracy. You must also evaluate who you have access to when discussing these findings – is the person you are talking to sufficiently experienced? Do they know your business model and control environment?

Lastly, ensure that the staff delivering the audit plan have the appropriate training, competence, capability, and expertise. The work performed must be appropriately reviewed and challenged by members of audit staff.

Don’t be afraid to ask your potential auditor for their high-level audit timelines and details of how they operate their audit lifecycle during your tender process. If you already have an auditor, challenge them on their timeline where you feel it might not be realistic.

You can read more about how to meet the FCA’s payments and e-money safeguarding requirements in our recent article about setting up controls or reviewing those already in place.

We can help

We have PSPs, EMIs and safeguarding specialists with 20 years of experience. Get in touch if you need help with your audits, any safeguarding assurance reviews and readiness reviews.
