Protecting clients’ assets - 2012-02-01
The industry needs to get up-to-speed over new rules governing client assets, explains David Roberts
Ever since huge amounts of client assets turned out not to be protected in the collapse of Lehman Brothers, the Financial Services Authority (FSA) has increased its focus on this area. After all, the whole point of the CASS (client assets) rules is to ensure that client assets are protected in the event of an insolvency.
It is the responsibility of a firm's management to ensure that it complies with the relevant CASS rules, but CASS auditors' reports on compliance with the rules are a significant part of the regulatory toolkit.
The FSA has identified a number of failings both in firms' compliance and in the CASS audit regime. The most recent and public example resulted in a Big Four firm being fined £1.4m for failings in relation to its work on a global investment bank. The Auditing Practices Board (APB) has now issued a Practice Note (PN154) specifically addressing the audit of client assets, which was previously only dealt with as a small part of the guidance on the audit of investment businesses generally.
The new PN applies to the audit of client money held by investment businesses and insurance intermediaries. The PN raises the profile of the CASS audit, and while much of what it contains is not new, there are a few points that may impact both on insurance firms and on CASS auditors.
Tale of two audits
In many cases currently, the CASS audit is completed as an adjunct to the statutory audit (if one is required). However, the objectives and approaches of the two audits are very different. The FSA is concerned that the CASS audit is viewed as secondary, and that the specific perspectives and requirements of the CASS audit are lost in a combined audit that seeks to address both requirements.
The PN envisages the CASS audit being separately planned, conducted, supervised, reviewed and reported. The implicit suggestion is that the two audit teams may not be the same, which is certainly likely to increase the costs of the work concerned.
The PN also places additional emphasis on the need for the auditor to really understand the often complex CASS rules, a real challenge for any auditors who are not specialists.
The note also requires these auditors to adopt “an insolvency mind-set”, i.e. to test systems and controls by reference to their effectiveness in the event that the firm is insolvent. That is not normally the perspective that a statutory auditor is required to adopt, and it will be a challenge to maintain both an “insolvency mind-set” and the normal going concern assumption simultaneously.
The PN confirms that as the CASS audit requirement is to report on the adequacy of systems and controls to enable compliance with the rules, all breaches, however identified and of whatever nature, and whether rectified or not, must be reported.
What that means, for instance, is that for an insurance broker with any degree of complexity in the business, it is unlikely that there will be no breaches to be reported by the CASS auditor. A clean CASS audit report may be taken not as a confirmation that everything is fine, but rather that the CASS auditor has not done a proper job.
In addition, firms are required to comment on the breaches identified and reported, and the tenor of that comment clearly is expected to be a description of how the systems and controls have been changed to prevent such breaches recurring.
Prevention not detection
Consistent with the “insolvency mind-set” required, the CASS auditor's focus is required to be on preventative rather than detective controls. What this means, for example, is that if a firm operates bank reconciliations as the main control over the correct segregation of client monies, they need to be undertaken sufficiently frequently to enable rectification of errors discovered within the timeframe envisaged under the CASS rules.
CASS: the facts
1. New client money rules apply to insurance businesses, not just investment businesses.
2. Client money audits should be kept separate from the statutory audit.
3. All breaches of CASS rules must be reported.
4. CASS audits will take longer and cost more.
5. Most firms will have a breach and will need to change processes and systems as a result.
Subject to exceptional cases, the rectification period is one day, and that means that only daily bank reconciliations will operate as a preventative control. Firms for whom bank reconciliation is the primary control in this area therefore need to do them daily; as an alternative, a different primary control over segregation needs to be in place.
Any firm undertaking CASS audits needs to take care that it addresses all these issues in its work. Even if the firm is already doing a good job, evidencing compliance with 90 pages of specific guidance is more work than doing so for a few paragraphs and an appendix. It is therefore likely that there will be additional costs arising from the need to comply and the need to show evidence of compliance with the PN.
David Roberts is head of the financial services division at accountancy firm Littlejohn. For further details contact David on droberts@littlejohnllp.com or 020 7516 2251.
This article was first published in Insurance Age on 1 February 2012.