As we head into the autumn, many firms are working with their auditors to prepare for the next CASS audit. This is always a busy and often pressured time, but this year the pressure is amplified as a result of the FCA fining an audit firm for CASS audit failings, and we’re seeing audit firms being more detail-focussed than ever.
So how can you make sure you’re in the best shape to have a smooth and efficient audit with the best possible chance of getting at least a qualified opinion at the end of it?
1. Auditor selection is crucial – It may be a bit late to think about this for the current round of audits but it’s worth bearing in mind for future cycles. The FCA expect firms to make sure that auditors are skilled and experienced and have the resources available to carry out the audit.
2. Don’t be afraid to challenge your auditors on how they resource the work and how they maintain their understanding of your business – Some audit firms see a high turnover of staff and whilst that’s not always in the control of the auditor, they should have mechanisms for ensuring core information is handed over when team members change. You should always expect the auditor to ask exploratory questions about the business at the start of a new audit – they’ll need to make sure their understanding is correct and find out whether your business has changed since the last audit. However, if the same firm has audited you before, they shouldn’t need to ask for basic information that won’t have changed year-on-year.
3. Make sure your CASS documents are in good shape – including things like policies, procedures and risk and control frameworks. Think about when they were last reviewed and updated, whether they are compliant with regulatory requirements as well as whether they reflect the processes that are actually in place. Don’t forget that if your policies and procedures say that you’ll do more than the rules require, the auditor will test against your own policy to assess compliance. This is particularly important for timescales and frequencies of controls. Make sure that you’ve captured all of the controls you have in the business within your risk and control framework, not forgetting IT controls.
4. Make sure that your breach and issues log is in good order and that it’s clear whether an item listed is actually a breach of FCA rules – The auditor will use the log to determine which breaches have been identified by the firm and if something has been recorded by the firm as a breach, they are likely to have to report on it, even if it’s not a true breach of the rules in the auditor’s view. It’s also worth making sure that any rules referenced are the right ones, to reduce the amount of discussion needed on the draft audit report.
5. Make sure that all client bank accounts and client transaction accounts have an up-to-date and fully compliant acknowledgement letter in place – It sounds like something that’s easy to get right, but we often see breaches on this in audit reports. Make sure the wording in your letters aligns fully with the templates, right down to punctuation and page numbering. Also make sure that each letter is countersigned by someone with authority and whose full contact details have been recorded.
6. Think about what walkthroughs the auditor is likely to need and make sure that the right people are prepared to share useful information on your operational processes in a CASS context – This doesn’t mean expecting your Ops teams to quote the detail of CASS rules, but you should equip them to explain how the process enables the firm to manage CASS risk. A dry run of the walkthrough is never a bad idea to make sure that the processes are demonstrated clearly and in a way that will equip the auditor to carry out useful testing.
7. When your auditor requests documents, make sure you understand what they’re asking for – so that you can be sure to provide the documents that reflect the processes and controls they’re looking at. Don’t be afraid to suggest that the auditor takes a look at something else, if they haven’t asked for something that you think will be useful.
8. Think about what changes have happened in the audit period – has your business model changed? Has your control framework changed? Have any changes been appropriately captured in documentation, can you explain the changes to your auditor clearly and can you also explain how the change process was managed?
9. Build a healthy dialogue with your auditor from the start. The auditor has a job to do and at times it’ll be just as challenging for them as it is for you. Do your best to make the process positive and useful so that you’re getting the best value for the spend and the best possible outcome for the firm.
10. When your auditor starts reporting on initial findings, make sure you understand the core issues they’re likely to be reporting on – so that you can check that they’ve had all relevant information to enable them to reach a sound conclusion. Don’t be afraid to push back and challenge your auditor, but always do it in a constructive and respectful way.
If you need any help preparing for your audit or navigating the process once it’s underway, please get in touch with us at hello@square4.com, or the member of the team below. We have a wealth of experience in guiding firms through the process, helping to prepare management responses, communicating with the FCA and remediating identified breaches.
Contacts:
Nicky Green, Advisory Director – ngreen@square4.com