With audit season underway many asset managers and their third party administrators (TPAs) are already encountering a tougher CASS audit.
This is a direct result of the publication by the Financial Reporting Council (FRC) of its revised standard for auditors for providing assurance on client assets.
Key objectives of the FRC include improving the quality of CASS audits and assurance engagements, and supporting the Financial Conduct Authority (FCA) in its quest to ensure firms effectively safeguard client assets and client monies, and in particular to guard against systemic failure of the CASS regime.
Although the revised standard is only mandatory for periods commencing 1 Jan 2016, early adoption by auditors is permitted. In effect, early adoption together with the zero tolerance stance being taken by the FCA, means that some firms are already coming under increased scrutiny from their CASS auditors.
What to expect during your next CASS audit
One of the auditor's tasks is to establish which CASS rules are relevant to a firm. Asset managers should therefore be prepared and make this transparent for the auditors, by mapping out the CASS rules and documenting how they apply, providing demonstrable evidence to substantiate application, and also documenting precisely why certain CASS rules are not applicable to them.
Materiality is a word familiar to asset managers during financial audits, but certainly not during CASS audits. If no documentation or evidence exists, then auditors will assume, for example, that a control or process does not exist or is not being undertaken. All breaches will be recorded in the CASS audit report that is submitted to the FCA. In turn, the FCA will use the audit report as a clear indicator of the overall health of controls and compliance at the firm.
Asset managers should maintain an insolvency mindset to be able to demonstrate that in the event of insolvency clients will not lose out. Any discrepancies between records intra-day would be a potential problem upon insolvency. If one record does not agree with another, the insolvency administrator would have difficulty in knowing how to recompense clients.
The Need for Primary and Detective Controls
Firms should have primary controls (data validation and automated financial control regimes), and secondary 'detective' controls (reconciliations). The secondary controls must be early enough in the day to enable breaks to be resolved, therefore safeguarding against breaches occurring.
Asset managers should be reviewing their SLAs with their TPAs, to ensure that timely and effective reconciliations are being undertaken. The responsibility resides with the firm, and not the TPA, to ensure that controls are sufficiently robust and operating correctly.
CASS auditors are also asking what asset managers will do if their TPA's systems are unavailable. How would an asset manager prudently segregate? Doing nothing is not an option.
Adverse opinions may not be uncommon going forward as firms fail to sufficiently tighten up their existing CASS control regimes. Firms should be aware of the possibility that the auditor could record a breach of CASS 7.15.3 (accuracy of internal records), and worse-case scenario the FCA issues a S166.
AutoRek's market-leading CASS solution has helped several of the largest asset managers to achieve on-going compliance. AutoRek has been successfully deployed to fix deficient CASS processes in response to several major regulator-driven mandates. AutoRek is fast to implement and works with existing systems to perfect CASS processes, ensuring data accuracy at the most granular level, with the ability to provide real-time management information to the CF10a and CASS governance committee.