Investment firms holding client money and custody assets: Practical considerations for your firm preparing for your CASS audit.

The Financial Conduct Authority (FCA) continues to state the importance of CASS 6 and 7 audit reports – both in recent ‘Dear CEO Letters’ as well as in correspondence received by firms following the submission of CASS reports. However, the deadline for the submission of CASS reports is four months after the year end and the audit process is often fast paced, with little room to stop and reflect. In this article Oliver Hawes, a Director at PKF Littlejohn, sets out some practical suggestions for firms both ahead of and following their audits to assist in making the process as smooth as possible.

Assessing the skill and competence of your auditor

Section 3.4.2 of the FCA’s Supervision Manual (SUP) states that the onus is on regulated firms to take reasonable steps to ensure that their auditor has the required skill, resources and experience to perform their functions.  Any firms seeking to appoint new auditors, or reappoint their existing ones, should therefore ensure that appropriate questions are asked during the (re)appointment stage to ensure that they are able to document the rationale for their decision sufficiently.

When making these decisions, firms should ensure that their conclusions are challenged by the Board and that these discussions are also documented, demonstrating the involvement of Those Charged with Governance (who are ultimately responsible for this).

It is worth stressing that this is a key area of focus for the FCA at present, given that the regulator took the unprecedented step of censuring an audit firm in August 2024 due to failings noted in the preparation of CASS reports.  This shows the severity with which shortcomings are treated by the FCA.

Internal training

In the censure noted above, the FCA also highlighted the importance of ensuring that the firm’s CASS team receives appropriate training to ensure that it remains up to date with the requirements of the CASS rules and any changes made to internal procedures.

As part of the audit process, or on a visit from the regulator, firms should expect to provide details of training courses held during the year, the topics covered and the names of attendees and details of how this was delivered, either internally or externally. If it is considered that insufficient training has been carried out, or that staff do not have appropriate knowledge of products or internal systems and controls, this could be seen as a deficiency in internal controls and result in a breach being recorded.

As a result, it is essential that firms, regardless of their size, devise and deliver a detailed training programme to all staff involved in CASS operations to ensure that they have the required knowledge for their roles.

Be ready for the audit

The key to a smooth CASS audit is organisation, both within the firm itself and with your auditor. Given the tight timeline to submit CASS reports to the regulator, early discussions should be held to agree the timetable for the audit work.  This should involve setting a deadline for the draft report to be provided to the firm to allow sufficient time for review and for any responses to be drafted.

Where possible, we would strongly recommend that interim audits are carried out, at a point prior to the year end, which will enable the auditor to review process, controls and information for the first eight or nine months of the year. This will enable potential breaches to be identified and resolved ahead of the year end (and therefore to not affect the year end opinion); also, if any issues cannot be resolved ahead of the year end, at least the early identification will give firms more time to draft their responses.

At both the interim and final stages, ahead of the planned fieldwork date, firms should ensure that they receive a detailed information request list to enable them to organise and collate the required information in good time. This can then be discussed, if any clarity is needed, and will help everyone involved to be better prepared, leading to a more efficient process from the start.

Finally, given that many of the documents required for the CASS audit will be ready ahead of the year end, the auditor can also form an opinion on these early, which will reduce the pressure during the final stage of testing after the year end.

Audit work on IT systems and controls

A further factor that can impact the audit approach is the complexity of the firm’s IT systems and controls. The CASS Assurance Standard states that auditors are required to gain an understanding of the firm’s use of technology to support the application of the CASS rules.  Given the increased reliance many businesses are placing on information derived from these systems, the operating effectiveness of IT controls, both automated and manual, will likely need to be tested.

In addition to this, many firms are now using bespoke rather than off the shelf platforms, which can add further complexity; as a result, auditors are needing to involve their IT teams in the audit process in order to understand the controls in place around these.  This can take additional time and firm resources, some of which could be outside the direct CASS team.

We would recommend early communication with your auditor to ensure that this work is appropriately planned for, and to establish the time required by internal teams to assist with this.  The work around IT systems should be carried out at the interim stage, so that there is time for additional work or to address deficiencies. Weaknesses in IT systems are likely to lead to reportable CASS breaches and therefore it is vital that these are picked up in good time.

Documentation is key

Both the regulator and auditors will expect to see appropriate and detailed documentation in a number of key areas and firms should ensure that these are kept relevant and up to date. These include:

  • The Risk and controls mapping document. This is a key document in understanding the controls the firm has implemented to address each of the applicable rules and the FCA expects firms subject to the CASS 6 and 7 rules to have this in place.

We would recommend that firms review this document at least annually and ensure it contains the full list of rules applicable to the firm. The control processes attached to each rule should also be checked to ensure that the processes are up to date and, in particular, any staff referenced within these are still correct.

  • Resolution packs. Relevant firms that hold client money and assets under CASS 6 and 7 are required to maintain a resolution pack, the aim of which is to allow an insolvency practitioner to take control of the firm’s compliance processes should this event occur.

The full required content list is set out in CASS 10, so firms can check to make sure that their document is complete. We would also encourage firms to ensure that all relevant internal contacts have been included, the list of banking institutions and custodians is up to date and that all internal policies relevant to CASS functions have been included.

Firms should see the resolution pack as a rolling document, which is updated as and when required, but at a minimum it should be updated annually.

  • Breaches registers. The firm’s breaches register forms a key document during the audit as all breaches identified by the firm are required to be included within the audit report. Firms should ensure that all breaches recorded have appropriate rule references, and show the dates of occurrence, identification and resolution as well as the amount.

A detailed and complete breaches register can also allow management responses for any identified issues to be drafted prior to the audit, giving management and audit committees time to review and approve. This can also be provided to the auditor at the planning stage, which will allow queries to be raised earlier in the audit.

Ensuring a smooth process during the audit

Once the fieldwork commences, firms should ensure that they schedule regular catch ups with their auditor. This will ensure that issues are discussed as and when they occur, which will assist in preventing any last minute breaches being picked up. The earlier breaches are identified, the more time management will have to investigate, resolve and, if required, provide responses to these – particularly where there is challenge from management. These catch ups also allow both sides to see the overall status of the audit and gauge any potential delays.  

Once the draft report is received, firms should seek to arrange a call with the auditor to run through the contents once this has been reviewed internally. While the scheduled catch ups noted above should prevent any surprises, it is important that the firm fully understands any auditor-identified breaches.

When drafting responses, it is important to remember that, although the CASS report is prepared by the auditor for submission to the FCA, the ‘management responses’ column forms a key part of the completed document, as it enables firms to add their comments for the regulator to see.

We would encourage firms to be detailed in their responses, including information around the cause of the breach, remediation action taken and any measures put in place to prevent reoccurrence going forward. The CASS auditor is required to report on the position of the breaches during the period and at the period end; however in their responses, firms can include details of events and resolutions post year end.  

Following the audit

Once the audit has concluded, firms should take time to review the breaches noted within the CASS report, as well as any management letter points arising. For any breaches open at the period end, the firm should put an action plan in place to ensure that, where possible, the breach is rectified by the end of the following period. If there are a number of instances of a breach of a specific CASS rule, then a root cause analysis should be carried out to ascertain whether further internal training is required or internal policies and procedures should be revised to prevent this reoccurring.

Firms should also consider their responses to any management letter points raised. These are often areas of best practice and an experienced auditor will draw on its knowledge of other similar firms to provide practical recommendations on improving internal documentation and procedures. Whilst your auditor will need to remain independent, and cannot provide advice on how to implement any suggestions, they provide a helpful window into areas where systems can be improved.

Conclusions

CASS continues to be a key area of interest for the regulator, with an ever growing focus on the content of CASS reports. Moreover, the FCA is actively following up with firms where recurring breaches continue to be reported. The message it is sending is clear: there is nowhere to hide.

In our view, the key to an efficient CASS process is organisation, both internally (by ensuring that the areas above are addressed) and externally (with early communication with your auditor) to secure a smooth and timely process, which will avoid last minute surprises and ensure your report is submitted within the deadline.    

This article was originally published in Compliance Monitor and i-law in April 2025. For more information, please contact Oliver Hawes.
