The first stage of any CASS audit will focus on your CASS footprint. To make your auditor’s job easier, you should maintain a file that clearly explains and documents how client money and custody assets arise in your business. Now is the time to review and update that document.
Your CASS footprint will sit alongside your risk and control framework, which gives your auditor an insight into the CASS risks you’ve identified and controls you have in place to manage these risks. Most firms now have a well embedded risk and control framework, providing a detailed line-by-line analysis of the application of the CASS rules.
It’s also important to keep this document up to date with changing risks and controls. If you don’t already have a process in place for this, you should take the opportunity to review it before your audit starts. We’ve provided some tips on how to design and make the most of your control matrix as part of your governance and oversight arrangements.
Document, document, document
There is a known saying in the auditing world – “if it’s not written down, it didn’t happen”, which illustrates that auditors can only rely on written information. Keeping comprehensive written documentation and records helps maintain the firm’s CASS corporate knowledge.
As time passes, individuals who were involved in decision making and setting internal policy on CASS may leave the firm. Without good documentation, it can be difficult to remember the reason a decision was taken or the logic behind adopting a particular approach. Therefore, it’s good practice to document anything of importance from a CASS perspective.
At a minimum, your auditor will expect to see:
- your overall business model and its CASS impact
- a CASS resolution pack
- your risk and control framework
- key policies and procedures underpinning CASS compliance and CASS operations
- minutes of regular meetings forming part of your CASS governance arrangements
- any key judgements made by the firm relating to CASS compliance
- evidence of the performance of CASS controls (including but not limited to reconciliations and discrepancy resolution).
The way you document these elements should be in line with the CASS rules and in a way that enables your auditor to understand the key aspects of your CASS compliance arrangements.
Designated point of contact with your auditors
Appointing a key contact during the audit process can increase the efficiency of the audit. This can result in less overall time spent by the business in dealing with requests, queries or evidence provision. It can also ensure that the auditor gets the information they need as quickly as possible, which helps them do their job more efficiently.
The key contact must understand enough about CASS to understand the information requests they’re likely to get. They may not carry out CASS work on a day-to-day basis, however, should be familiar enough with the teams that run the CASS controls to identify where to direct queries. This contact can coordinate any requests coming from the auditor across the different teams and challenges to the auditor on any judgements made.
Regular contact with your auditors
You will need to hold regular meetings with your auditors to understand what progress they are making and what support they need. It will also enable you to hear about any emerging issues being identified as part of the audit. Knowing about potential issues as they arise allows you to provide valuable information to the auditor that may clarify matters, or fact check any of these initial findings or emerging issues so that you can challenge them promptly, if you feel you have a sound basis to do so.
It also gives you time to start designing a remediation plan before the final auditor’s report is issued, enabling you to add more context within your management responses. In some cases, you may be able to resolve an emerging issue before year end, changing how it gets reported to the FCA.
You can use these regular check-ins to get your auditor’s perspective on the root causes of issues identified and your approach to their remediation. They’re not likely to be able to give you formal advice, but they can indicate whether your proposed remediation would address the underlying root cause.
It’s important to get to know your audit team and how the responsibilities are split between audit team members. This will help you identify the appropriate audience for regular audit update meetings and ensure that the audit partner or CASS SME attends any meetings where key findings likely to end up on the final report are discussed.
Review the audit report content
Auditors consume data from your breaches and errors register and many of the breaches listed may have the same root cause. We’d usually expect to see auditors amalgamate breaches with the same root cause into a single breach. This makes it easier for the FCA to understand what the key issues and themes are, making the audit report shorter and easier to work with.
We’d usually expect to see auditors amalgamate breaches with the same root cause into a single breach.
We’ve also seen reports where breaches haven’t been aggregated in this way, meaning that there’s a lot of repetition in the report, making it longer than necessary. You can challenge your auditor on this and see if they are willing to combine breaches with the same root cause or, if not, highlighting your rationale for believing that items have the same root cause within the management’s comments.
Management responses to CASS findings in the auditors report
The FRC standard allows for both auditor’s findings and management responses to be included within the CASS audit report.
CASS is a judgemental subject matter and there may be instances where you disagree with the auditor’s CASS interpretation or the factual accuracy of the auditor’s findings. The management responses are your opportunity to have your say and iron out any uncertainties.
The management report allows you to provide your regulatory argument to explain your interpretation if you disagree with a finding. A word of caution though – you shouldn’t disagree for the sake of it, you should be able to formulate a clear argument that shows the FCA you understand the auditor’s viewpoint while explaining why you disagree. Remember that the management response shouldn’t be the first time the auditor has been made aware of this challenge – you should give them the chance to consider your viewpoint before this time.
Remember that your challenge needs to be constructive and grounded in fact. Oftentimes, we see firms challenge auditors on the basis that remediating the breach would be too difficult, costly or time consuming to do. We don’t advise that you put this type of argument forward as it’s unlikely to be viewed favourably by the FCA.
Apart from communicating any challenge or disagreement with the auditor, you should use the management response to communicate the following:
- The circumstances under which the breach occurred.
- The current status of the breach and any progress that has been made towards remediation since the year end.
- Any remediation plans you are implementing to resolve the specific issue and to prevent similar issues going forward.
Remember, any plan you communicate to the FCA would need to have gone through your CASS governance channels, be documented and have realistic timescales. Should the FCA follow up, they should be able to see the action you have proposed to take as part of the management comments within the timescales you have committed to. If during the remediation project you find that you need to take a different course of action, you need to make sure that this goes through the appropriate CASS governance channels and to document any considerations and decisions made.
Nicola Green, consulting lead – Capital Markets and heads up client assets compliance and Vessy Mihovska, consultant, provides advice on compliance with client asset protection regulations at Bovill.