The CASS audit busy season has ended for many firms with December 31 year ends. For CASS personnel, pushing forward with remediation should now be a priority, particularly where a qualified or adverse opinion has landed.
Not only does the FCA expect prompt action but moving quickly after the opinion has landed should facilitate buy in from key stakeholders: disappointment at the result should be used to drive change.
Receiving your audit opinion
The CASS audit will opine on whether your systems and controls were compliant during the period and at period end. The FRC Client Asset Assurance Standard expects that audit opinions will express one of three broad outcomes:
| Opinion type | General rationale | Response needed |
|---|---|---|
| Clean opinion | Obtained where both the firm and auditor has identified no CASS breaches during the audit period. | Care is needed with such an opinion. While often appropriate for a firm with a limited CASS footprint, there have been historic issues with clean reports being given to firms with problems, often because the audit lacked rigour. So, where such an opinion is received, it can be a good prompt to consider whether your auditor has the appropriate resource and expertise. |
| Qualified opinion | Issued when the auditor considers that the firm follows the CASS requirements except for the breaches identified in the report and that these breaches do not suggest systemic issues impacting the firm’s ability to comply with the principle of protecting client assets. | Opinions in this space include those that had open and closed breaches at audit period end, although care is taken to differentiate between the two. Naturally, the firm with open breaches at period end likely has more work to do than the other, with remediation certainly needed. But even the firm with their breaches closed at period end might use the audit opinion as a useful time to take steps to strengthen its position to avoid reoccurrence. |
| Qualified opinion | Adverse opinions are modified opinions issued to firms where the auditors believe there is a systemic or pervasive issue within the firm impacting its ability to comply with CASS requirements. Adverse audit opinions may be due to (but not limited to) pervasive design errors within the firm’s systems and controls, incorrect applicability of CASS requirements to products or services, or thematic issues identified through a number of operational failures. | Simply put, FCA expectations are such that adverse opinions suggest an unacceptable state of affairs at a CASS firm. And the longer the issues underpin this endure, the more worried the FCA will be. Accordingly, any firm receiving such an opinion would be expected to commit material time and resources to rectifying matters. |
Each modified audit opinion will require management responses on a breach-by-breach basis. Within your management response, the expectation will be to acknowledge the issue, provide information on the root cause, and discuss remediation plans to prevent the issue reoccurring.
The remediation project
When reviewing the draft audit findings, firms should begin to create a remediation plan based on the severity of the breaches identified. Firms should take care to assess the findings in a holistic manner too, considering whether there are underlying issues driving the breaches that require attention, something that could be missed if you simply remediate on a ‘breach-by-breach’ basis.
An effective safeguard against errors when agreeing the plan and a sensible means of avoiding drift in the execution is ensuring your efforts are underpinned by good governance. Here, keeping it simple can reap rewards: agree the plan at your primary CASS committee, allocate ownership of tasks, and set deadlines that are ambitious but achievable (for example, deadlines you would be comfortable defending to the FCA). This committee should then monitor progress, escalating concerns (and achievements) to the board or another committee of appropriate seniority.
To succeed, appreciating the complexity of the CASS rules at the outset is prudent. In practice, this means considering whether your proposed solutions appropriately align with FCA and auditor expectations. It also means ensuring that those to whom remedial tasks are delegated have the support to execute; it is reasonable to expect that many of the staff supporting your CASS framework will need advice and training on the minutiae of the rules.
Crucially, each remediation action should be tracked to monitor completion and identify delays. Audit opinions are submitted to the FCA, so if firms have committed to remediate findings by a certain date, care must be taken to avoid slippage.
Chloe Arnold-Martin is a Principal Consultant at Bovill Newgate. She provides regulatory and compliance advice on CASS and safeguarding.
