The FRC issued the revised Client Asset Assurance Standard on 21 November 2019, following a post implementation review of the Standard issued in 2015.
Audit firms should carefully review the changes and make sure they are carrying out CASS audits in line with the revised requirements of the Standard. Regulated firms should embed the enhanced and amended expectations into their CASS processes to further improve audit preparation.
What do the updates aim to address?
While the 2015 Standard improved the quality of CASS audits and firms’ readiness for audit, the FRC recognised areas for further improvement and progress. As such, the changes are of limited scope and provide clarifications in areas such as:
use of internal control reports and internal audit work
tightening and enhancing reporting requirements to those charged with governance
amendments around risk management and quality control of CASS audits, with regard to the size and scope of the CASS firms.
The revised Standard applies from periods beginning on or after 1st January 2020.
Summarising the key changes
Some of the more notable revisions to the Standard include:
Area of focus
New and enhanced requirements
Reliance on internal control reports
Greater clarity on use of internal controls reports covering the adequacy of operating controls within an outsourced service provider. Auditors should consider factors such as independence, skill and quality of work before placing reliance.
Reporting to those charged with governance
Formalisation of and priority reporting of internal control deficiencies to those charged with governance.
Clearer focus on the requirement to consider IT controls and environment during testing and risk assessment – with regard to the complexity of IT impacting the level of audit work.
Assurance over outsourced operations
Requirement to assess adequacy and effectiveness of governance and controls at the Third Party Administrators, as part of obtaining assurance over the outsourced functions for which the firm retains CASS responsibility.
Engagement quality control review
Revisions to requirement for an engagement quality control review; Requirement for large and medium-sized CASS firms as opposed to smaller CASS firm audits where judgement is required. Assessment to be documented on all CASS audit files.
Guidance provided by reference to ISAs
Guidance included by reference to International Standards on Auditing (ISA) in areas such as using the work of internal auditors and the approach to testing in respect of IT controls.
What should auditors and regulated firms do now?
CASS is an area of public interest with continued regulatory focus, and auditors must comply with the revised Standard to deliver consistent and effective audits. All revisions will need to be factored into and built into the CASS audit frameworks, including materials, training and deliverables to clients.
For firms, while this is a Standard for auditors, the revisions also have an impact on them as they are required to prepare for audit in line with these expectations. For example:
considering where internal controls reports can be made available to the CASS auditors for consideration during their work.
demonstrating the robustness and effectiveness of the internal audit reviews on CASS
providing evidence of consideration of IT controls and environment within the firm’s risk assessment.
For further information on how we can help you embed the revised Standard, please contact us.