As many firms are now approaching their CASS year end, we set out six key recommendations to assist in preparing for your upcoming audit and provide our top tips to ensure you are ahead of the curve in ensuring a smooth audit.
1. Early communication with auditors
The deadline for submission of CASS reports to the FCA is four months after your year end, so early communication with your auditors to set out a clear timeline for planning, fieldwork and completion is vital to ensure this is met. The majority of CASS engagements also require involvement of both the firm’s and the auditor’s IT teams, as well as other third parties, which will also require factoring into your timetable.
We recommend early discussions between the firm and its auditor in advance of the year end, to discuss the planned audit timetable, to ensure you are aware of when and what information will be required. Consider requesting an interim audit to cover the first half or 9 months of the year; this will be particularly important where there have been changes to internal systems and processes.
By this stage of the year the firm will already have a significant amount of the year end information available (for example, reconciliations for the first nine months of the year and approved updates to policies and procedures), which could be provided to the auditor ahead of the year end, enabling your auditor to review key issues early and potentially saving time during the final fieldwork phase.
These measures will enable the auditor to review information ahead of the year end and ensure that the firm has sufficient time to rectify any potential breaches arising from these ahead of the year end date.
2. Risk and controls matrix
In our Spring edition of ‘Common Breaches and areas of Regulator Focus’ we highlighted the importance of the firm’s risk and controls matrix. Given the controls based nature of a CASS audit, firms should expect their auditor to request this document as part of the planning as it will help them to identify the key controls the firm has in place in respect of CASS.
The risk and controls matrix will form a key part of the auditor’s risk assessment and so it is important that firms have this in place and it is kept up to date. The document should set out each CASS rule applicable to the firm and the systems in place.
The FCA consider it to be a recordable breach if it is not in place.
3. Resolution pack
Relevant firms that fall under CASS 6 and all those under CASS 7 are required to maintain a resolution pack in accordance with CASS 10. In our view, the FCA considers this to be a vital part of a firm’s compliance pack and firms should expect this to be requested and reviewed as part of their CASS audit.
The aim of the resolution pack is to assist an insolvency practitioner to achieve a timely return of client money and custody assets to the firm’s clients in the event of an insolvency. It should therefore include all the required information set out within CASS 10.
Once initially completed, the resolution pack essentially becomes a rolling document, which should be updated as and when there are changes to personnel, banking institutions and internal procedures. Firms should set aside time to thoroughly review this document and ensure that any relevant changes are made ahead of the year end.
4. Update and review policies and procedures
Under the CASS 6 and 7 rules, firms are required to update and review a number of documents annually, including due diligence on banking institutions and custodians and acknowledgement letters, and firms should set aside sufficient time to ensure this is done ahead of the year end. This can be time consuming and dependent on receiving information from third parties, so early planning and clarity on what is required is vital.
As well as assisting your auditor in gaining an understanding of processes, these documents can form a key point of reference for employees, particularly new starters, and therefore form a key element of the firm’s compliance function.
Best practice is that these policies are reviewed by those charged with the firm’s CASS governance (being Board of Directors or CASS committee) and we would recommend firms set aside appropriate time at Board and committee meetings to ensure this is completed.
5. Ensure your breach register is up to date
CASS auditors are required to report all breaches, including those identified by the firm, within their CASS report. Therefore, it is key that the firm maintains an appropriate breaches register. This should clearly set out the relevant CASS rule, how the breach occurred and the actions the firm took in resolving, as well as the date of occurrence and resolution.
In respect of reported breaches, the FCA has indicated that it expects both qualitative and quantitative information to be included and firms should ensure that this is recorded within their breach register.
Having these measures in place will save a significant amount of time at the year end when the auditor reviews and summarises breaches, and it will likely result in fewer queries and requests for additional information during the busier stage of the audit.
6. Internal training
In their first public censure of an audit firm in August 2024, the FCA highlighted the importance of ensuring that all relevant CASS staff receive appropriate training to ensure that they are up to date with the requirements of the CASS rules and any changes to internal procedures.
Firms should expect their CASS auditor to request details of training courses held during the year, the topics covered and the names of attendees. If it is considered that insufficient training has been carried out, this could be seen as a deficiency in internal controls and result in a breach being recorded.
We would recommend that firms set out a clear training programme and ensure that all staff who may come into contact with client money or custody assets attend this to ensure that they have the required knowledge to act in compliance with the CASS rules.
If you would like further guidance on the areas raised in this article, or with CASS rules relating to investment firms in general, please contact Benny Wong or Oliver Hawes.
About our Funds and Asset Management team
Our specialist Funds and Asset Management team advise businesses across the sector – from asset managers, wealth managers and private equity firms to listed and unlisted funds, listed investment trusts and companies, broker/dealers and private equity funds. Our services include statutory audit, CASS audit and health checks, limited assurance reviews and internal audit services, as well as structuring and tax advice on a range of complex issues.