CASS audit

Expert CASS audit services

A CASS audit is required for firms regulated by the Financial Conduct Authority (FCA) that hold client money and assets. It ensures compliance with the FCA’s Client Assets Sourcebook (CASS) regulations, providing assurance that client funds are protected. Maintaining compliance is essential not only for regulatory adherence but also for safeguarding client assets and upholding your company’s integrity.

How do Price Bailey CASS audits add value?

  • A dedicated CASS audit team throughout the audit process with input from experienced senior members.
  • Experience across a range of clients, including crowdfunding and FX trading firms.
  • Knowledge of key systems used by regulated firms.
  • CPD and attendance at regular FCA webinars to stay up to date with regulatory changes.
  • Early identification of breaches, allowing firms time to prepare their responses to the FCA.

The type of CASS audit report that is required depends on a company’s permissions. The CASS audit team possesses the knowledge and experience to determine whether a firm falls within the scope of a CASS audit and what type of report is required to be submitted. At Price Bailey we support the following key areas of CASS audit engagements:

  • Limited assurance – for firms that do not have permission to hold or control client money, or that are permitted to but claim not to hold client assets. The limited assurance report issues a ‘negative’ opinion that confirms that, based on review procedures performed, nothing came to the auditor’s attention that led them to believe that custody assets/client money were held during the period.
  • Reasonable assurance – for firms that do have permission and hold client money and safe custody assets.
  • Hybrid assurance report – for firms that hold client money but not safe custody assets or vice versa. The report issued includes both of the above opinions in relation to client money rules (CASS 7) and safe custody rules (CASS 6).

We can help

Contact us today to find out more about how we can help you with your CASS audit


Our approach to reasonable assurance engagements

Our approach begins with gaining a thorough understanding of the firm’s control environment, including the systems and procedures in place for managing client money.

We recommend that clients undertake a CASS mapping exercise, which involves listing out the relevant CASS rules and the controls in place to ensure compliance. This exercise helps organisations identify potential breach points and implement measures to mitigate risks.

Once our team of CASS auditors understand your organisation, we assess the control environment and subsequently test the operating effectiveness of these controls for our overall opinion. We perform any additional non-control tests that may be required to gain assurance over the firm’s compliance with CASS rules. A significant part of our work involves reconciliation reviews, where we examine internal and external reconciliations on a random basis.

Key areas of focus include:

  • Confirming client money is held in segregated bank accounts.
  • Reviewing the acknowledgement letter held for client bank accounts and assessing if the letter is in line with the CASS rules template.
  • Conducting walkthroughs to verify that systems operate as described.
  • Sampling deposits and withdrawals to check compliance with CASS rules.

We primarily work with three types of regulated firms, each with specific CASS obligations.

  • Investment businesses providing safe custody of client assets (CASS 6).
  • Investment businesses receiving or holding client money (CASS 7).
  • Businesses receiving or holding client money when distributing insurance products (CASS 5).

Breach identification

If breaches are identified, they must be reported in detail. The FCA considers breaches in black-and-white terms, regardless of whether they were one-off occurrences or due to human error.

If breaches are found, we provide a breaches schedule outlining:

  • The specific CASS rule in breach.
  • Details of the breach and our findings.
  • A section for our client’s response, detailing the cause and corrective actions to prevent recurrence.

CASS audits must be completed within four months of the firm’s year-end, which differs from the deadline for submitting audited financial statements to the FCA (80 business days). If breaches are identified, they may also appear in the following year’s audit report, as corrective actions often take time to implement.

Areas of focus for the FCA

Payment Service Providers (PSPs)

The number of firms collecting client monies via a non-bank payment services provider (‘PSP’) has increased significantly over the last few years. CASS 7 firms applying the normal approach to client money segregation are required to receive client money in a central bank, a CRD credit institution, a bank authorised in a third country or a qualifying money market fund. As such, monies received into a PSP could be considered a breach of the normal approach to the segregation of client money. In addition, in instances where clients are able to use funds immediately after deposit, there is a risk that they are trading with funds of another client whilst their own funds are in transit.

Firms are also advised to document their understanding of the PSPs used and what they have done to gain comfort as to how or whether client monies are protected. Understanding these regulatory expectations is crucial to maintaining compliance and avoiding unintended breaches.

Internal and external reconciliations

Internal reconciliations must be completed daily whilst external reconciliations must be done at least monthly. Firms need to consider the number and value of transactions and the complexity of services in order to determine how frequently external reconciliations should be completed. Many firms choose to complete the external reconciliations daily alongside the internal reconciliations, as the internal records are used in both, and this also helps firms identify and address any discrepancies.

Some common reconciliation breaches we have come across relate to not transferring money within the required time frame to address any excess or shortfall, as well as manual errors due to incorrect use of formulas and incomplete data. Another common issue is where firms rely on feeds from the external bank or custodian to maintain their internal records, whereas the internal reconciliation should be based only on internal data.

Acknowledgement letters

Firms are required to obtain an acknowledgement letter before holding or receiving client money in a client money account. The purpose of the letter is to confirm that the entity acknowledges the firm’s responsibilities in managing client money and assets and agrees to the terms outlined in the letter. Common pitfalls relating to acknowledgement letters are where the firm name, account details and/or FCA registration number have not been included on the letter or the text in the letter is not in line with the CASS template.

Changes to safeguarding audit regulations

The FCA has proposed changes to the safeguarding regime for payment and e-money firms under CP24/20. These changes aim to strengthen the requirements for safeguarding audits and ensure better protection of client funds within the payments sector.

Can you complete a CASS audit alongside other types of audits?

We can run CASS audits in conjunction with statutory audits, but we can also be engaged solely for CASS audits. When performing statutory and CASS audits simultaneously, there are efficiencies to be gained.

If a business has permission to hold client money, it is important to assess compliance from a legal and regulatory perspective, as any non-compliance could impact its ability to trade or lead to FCA-imposed restrictions.

Additionally, from a going concern perspective, understanding regulatory compliance is crucial. Conducting both audits together can provide a more comprehensive assessment and improve audit efficiencies.

We have a dedicated CASS audit team that has undergone specialist CPD training, ensuring that our auditors are up to date with the latest regulatory changes and industry best practices.

What do you need to have in place for a CASS audit?

Examples of what you need to have in place include:

  • An understanding of reconciliation processes, how client money is segregated, and whether you have a buffer in your segregated accounts.
  • Appropriate documentation and evidence of management’s review of the banks used to hold client money, reconciliations and incident reporting.
  • Employee training to ensure compliance with CASS rules.
  • Acknowledgement letters in line with CASS rules.
  • Regular updates to the breaches register for any breaches that occur during the year.

When might a modified audit opinion be required for a CASS audit, and what types of opinions could be issued?

Where a modified opinion may be required for the CASS audit, this can be either an “except for” or an “adverse” opinion. An adverse opinion may be required if the identified weaknesses in control and/or breaches of rules are systemic or pervasive and client assets may be at risk. Other areas that may give rise to an adverse opinion include a breach of the requirement to keep proper records of client assets, and failing to carry out, or incorrectly carrying out to a significant extent, the required CASS reconciliations.

Each audit opinion is determined on a case‑by‑case basis, and auditors apply professional judgement when assessing the nature and severity of issues before deciding whether an “except for” or “adverse” opinion is warranted.
