Loading…
Menu icon Search icon
Contact us
Mobile filter icon Mobile contact icon
Close iconClose icon DarkLight mode
Services
Employee benefits and pensionsFamily office servicesHelp me with taxHelp with pensions and benefitsHow can I raise funds?How do I start a business from scratch?How should I invest?I have HR or people issuesI need an auditI need corporate finance adviceI need expat tax adviceI need help sharing tipsI want to keep my data safeI'm being investigated by HMRCI'm getting divorcedInternal audit and third party assuranceInternational private clientsProbate and estate administrationRegulatory reporting and advisory servicesValuationsWhat can I outsource?What do I need to do when someone dies?
Sectors
Academies and schoolsArts & culture charitiesFCA regulated businessesHospitality and leisure businessesI need help sharing tipsInternational non-governmental organisations (INGOs)Professional PracticesReal estate and constructionRegulatory reporting and advisory servicesReligious InstitutesSocial businessesTechnology and media businesses
News and insightsOur eventsAbout usMeet our peopleJoin our teamSign up to our mailing list

News – 10.04.24

Form PF: Are you up to speed with the latest developments?

Through this insight we will bring to your attention the main changes in a bitesize manner so that you can stay abreast of the requirements as they may apply to your firm. … Read more

Insight – 16.04.24

US and UK tax on carried interest

Learn more about the opportunities to minimise double taxation for dual US/UK taxpayers … Read more

Upcoming event – 29.04.24

Governance code updates and advice for Further Education colleges from Buzzacott and the ESFA

Join Buzzacott and the ESFA for a governance update for further education colleges … Read more

Find us quickly

130 Wood Street, London, EC2V 6DL
enquiries@buzzacott.co.uk    T +44 (0)20 7556 1200

Google map screengrab
fca cass
Last updated: 28 Mar 2022
On this page
Go to
Top of page
News & insights
Stay in touch
Sign up to our mailing list
LinkedIn
Contact us
Print this page

CASS audits – what are they and what do you need to know?

In this Insight, we explore the CASS audit and reporting requirements for certain FCA-regulated firms that hold client money and/or custody assets.
What is the requirement?

What is the requirement?

Designated Investment Firms (DIFs) that hold client money and/or custody assets in relation to their regulated activities require a CASS audit. In accordance with rule SUP3.10.5R in the FCA Handbook, the CASS auditor must prepare a report giving two opinions: 

  • whether the firm maintained systems adequate to enable it to comply with the relevant rules throughout the period; and
  • whether the firm was in compliance with those rules as at the end of the period.  

These are “reasonable assurance” opinions: positive opinions that the firm is complying with the CASS requirements.

If, however, the firm holds client money but does not hold custody assets, a hybrid report is prepared by the CASS auditor, in which the auditor gives the above opinions in relation to the client money rules (CASS 7) and  a “limited assurance” opinion on the custody asset rules (CASS 6).

“Limited assurance” is giving a ‘negative’ opinion that confirms that, based on review procedures performed, nothing came to the auditor’s attention that led them to believe that (in this case) custody assets were held during the period.

The firm’s specific permissions will determine the type of report required.

About the author

Jay Patel

+44 (0) 207 556 1390
patelj@buzzacott.co.uk
LinkedIn

What is the requirement?

Designated Investment Firms (DIFs) that hold client money and/or custody assets in relation to their regulated activities require a CASS audit. In accordance with rule SUP3.10.5R in the FCA Handbook, the CASS auditor must prepare a report giving two opinions: 

  • whether the firm maintained systems adequate to enable it to comply with the relevant rules throughout the period; and
  • whether the firm was in compliance with those rules as at the end of the period.  

These are “reasonable assurance” opinions: positive opinions that the firm is complying with the CASS requirements.

If, however, the firm holds client money but does not hold custody assets, a hybrid report is prepared by the CASS auditor, in which the auditor gives the above opinions in relation to the client money rules (CASS 7) and  a “limited assurance” opinion on the custody asset rules (CASS 6).

“Limited assurance” is giving a ‘negative’ opinion that confirms that, based on review procedures performed, nothing came to the auditor’s attention that led them to believe that (in this case) custody assets were held during the period.

The firm’s specific permissions will determine the type of report required.

What if I do not hold client money or custody assets?

What if I do not hold client money or custody assets?

DIFs that do not hold client money and/or custody assets in relation to their regulated activities still require a CASS audit if they have a statutory audit. A CASS audit report must be submitted to the FCA by the CASS auditor, which includes a “limited assurance” opinion, as described above. 

Do other FCA-regulated firms fall within the CASS regime?

Do other FCA-regulated firms fall within the CASS regime?

CASS also applies to several other types of firms where they hold client money. Buzzacott can provide CASS audit services to the following:

  • Firms operating a peer-to-peer lending platform (CASS 7)
  • Mortgage and General Insurance firms (CASS 5)
  • Debt management firms (CASS 11)
  • Claims management firms (CASS 13)
What is the deadline?

What is the deadline?

The CASS auditor must deliver their report to the FCA within four months of the end of the period covered (this can be up to 53 weeks but, most commonly, the period covered is the calendar year ending when the firm’s accounting year ends). The CASS audit is often completed at the same time as the financial statements audit, but it is a separate exercise from that audit, and there is no requirement for the CASS auditor and the financial statements auditor to be the same.

What are the applicable standards?

What are the applicable standards?

The UK’s Financial Reporting Council has issued an Assurance Standard which outlines the work CASS auditors need to perform in order to provide the assurance opinions above, and which emphasises the need for the CASS auditor to apply an insolvency mindset when completing these procedures. It also makes it clear that CASS auditors cannot apply a level of materiality to their work, unlike with financial statements audits. Therefore, any rule breach identified that relates to the period (whether identified by the firm or the CASS auditor), no matter how small, must be included in a Breaches Schedule which is appended to the report that is submitted to the FCA. In advance of the report being submitted to the FCA, the CASS auditor must deliver a draft copy to the firm so that the firm can provide its comments on the rule breaches included in the Breaches Schedule. The CASS auditor has no responsibility in respect of the firm’s comments.

What about payment services firms and EMIs?

What about payment services firms and EMIs?

These firms are not caught by the CASS regime, but the FCA  does expect firms to have an annual audit of compliance with the requirements relating to safeguarding of customer funds. Please see more information on this here.

Get in touch
Get in touch

If you would like to discuss your CASS audit and reporting requirements, please fill in the form below and one of our experts will get in touch.

Related links
Buzzacott_FCA-regulated_businesses FCA Regulated Businesses 1 Buzzacott_Jay_Patel Jay Patel
Director - CASS 2 Does my FCA-regulated firm need an audit?
The FCA rules do not dictate whether the firms that they regulate need statutory audits of their accounts – the rules… Read more Ambient _wave_ Buzzacott _top_20_accountancy _firm _for _charities _corporates _individuals Regulatory reporting and advisory services 4 Investment Firms’ Prudential Regime (IFPR) – Act now
With less than a year left for implementation, preparing for the FCA’s IFPR effective 1 January 2022 should be at the… Read more Gradient_ambient_ Buzzacott _top_20_ accountancy _firm _for _charities _corporates _individuals Contact us 6
© 2018 - 2024 Buzzacott LLP All rights reserved   |   
Sign up to our mailing list    |    Anti-slavery statement
Sitemap   |   Privacy policy   |   ICAEW Diversity Report 2023   |    Accessibility   |   Transparency report   |   Gender Pay Gap Report   |   Diversity and inclusion   |   Cookies   |   Legal
Close iconClose icon backback
Your search for "..."
did not yield any results.
... results for "..."
Search Tags
We use cookies for the best experience on our website and also to analyse web traffic. For more information see our Cookie notice. By clicking accept all you agree to our use of cookies. To alter the types of cookies we use click “Cookie settings”.
Accept all Cookie settings
Our use of cookies

We use necessary cookies to make our site work. We’d also like to set optional analytics and marketing cookies. We won't set these cookies unless you choose to turn these cookies on. Using this tool will also set a cookie on your device to remember your preferences.

For more information about the cookies we use, see our Cookies page.

Please be aware:

— If you delete all your cookies you will have to update your preferences with us again.
— If you use a different device or browser you will have to tell us your preferences again.

Necessary cookies
Always active

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

bscookie
1 year
This cookie is used to identify the visitor through an application. This allows the visitor to login to a website through their LinkedIn application for example.
CONSENT
2 years
Used to detect if the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for GDPR-compliance of the website.
cookietest
Session
This cookie is used to determine if the visitor has accepted the cookie consent box.
li_gc
179 days
Stores the user's cookie consent state for the current domain.
PHPSESSID
Expires: Session
Preserves user session state across page requests.
rc::a
Expires: Persistent
This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
rc::c
Expires: Session
This cookie is used to distinguish between humans and bots.
test_cookie
Expires: 1 Day
Used by Google Ads to check if the user's browser supports cookies.
wow.schedule
Expires: 1 Day
This cookie is used in context with load balancing - This optimises the response rate between the visitor and the site, by distributing the traffic load on multiple network links or disk drivers.
_GRECAPTCHA
Expires: 179 Days
This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
Analytics cookies
Inactive

Analytics cookies help us to understand how visitors interact with our website by collecting and reporting information anonymously.

_clck
Expires: 1 year
Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heat maps for the website owner.
_clsk
Expires: 1 day
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
_cltk
Expires: Session
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
_ga
Expires: 399 days
Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
_ga_#
Expires: 399 days
Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.
_gid
Expires: 1 day
Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
_hjAbsoluteSessionInProgress
Expires: 1 day
This cookie is used to count how many times a website has been visited by different visitors - this is done by assigning the visitor an ID, so the visitor does not get registered twice.
_hjFirstSeen
Expires: 1 day
This cookie is used to determine if the visitor has visited the website before, or if it is a new visitor on the website.
_hjIncludedInPageviewSample
Expires: 1 day
Used to detect whether the user navigation and interactions are included in the website’s data analytics.
_hjIncludedInSessionSample
Expires: 1 day
Registers data on visitors' website-behaviour. This is used for internal analysis and website optimisation.
_hjRecordingLastActivity
Expires: Session
Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.
_hjSession_#
Expires: 1 day
Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.
_hjSessionUser_#
Expires: 1 year
Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.
_hjTLDTest
Expires: Session
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory
Expires: 29 days
Used in connection with data-synchronisation with third-party analysis service.
c.gif
Expires: Session
Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heat maps for the website owner.
CLID
Expires: 1 year
Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heat maps for the website owner.
hjViewportId
Expires: Session
Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.
ln_or
Expires: Session
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
wow.anonymousId
Expires: 399 days
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
wow.session
Expires: 1 day
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
Marketing cookies
Inactive

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

#,#
Expires: Persistent
Collects data on user behaviour and interaction in order to optimise the website and make advertisement on the website more relevant.
#,#_expiresAt
Expires: Persistent
Collects data on user behaviour and interaction in order to optimise the website and make advertisement on the website more relevant.
_fbp
Expires: 3 months
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
_gcl_au
Expires: 3 months
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
_hjRecordingEnabled
Expires: Session
This cookie is used to identify the visitor and optimise ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-centre or ad-exchange.
_uetsid
Expires: Persistent
Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
_uetsid_exp
Expires: Persistent
Contains the expiry-date for the cookie with corresponding name.
_uetvid
Expires: Persistent
Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
_uetvid_exp
Expires: Persistent
Contains the expiry-date for the cookie with corresponding name.
ads/ga-audiences
Expires: Session
Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
ANONCHK
Expires: 1 day
Registers data on visitors from multiple visits and on multiple websites. This information is used to measure the efficiency of advertisement on websites.
bcookie
Expires: 1 year
Used by the social networking service, LinkedIn, for tracking the use of embedded services.
IDE
Expires: 1 year
Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
MUID
Expires: 1 year
Used widely by Microsoft as a unique user ID. The cookie enables user tracking by synchronising the ID across many Microsoft domains.
pagead/1p-user-list/#
Expires: Session
Tracks if the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees between websites.
SM
Expires: Session
Registers a unique ID that identifies the user's device during return visits across websites that use the sam e ad network. The ID is used to allow targeted ads.
SRM_B
Expires: 1 year
Tracks the user’s interaction with the website’s search-bar-function. This data can be used to present the user with relevant products or services.
UserMatchHistory
Expires: 29 days
Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.
wow.utmvalues
Expires: 1 day
Used to measure the efficiency of the website’s advertisement efforts, by collecting data on the conversion rate of the website’s ads across multiple websites.
_gl.p.p_#
Expires: Persistent
Used by Spotler, our email platform provider, as part of its Gator Leads programme. Provided by t.wowanalytics.co.uk. Currently in the process of being classified.
Cookie management
Use of cookies Necessary cookies Analytics cookies Marketing cookies Allow all Save settings
Use of cookies Necessary cookies Analytics cookies Marketing cookies
Accept all Save settings