The FSA has expressed very serious concerns about the scrutiny applied by auditors during their annual reviews, and the quality of the reports that are being produced. In some cases the FSA has referred auditors to disciplinary boards.
In June 2011 new rules for auditor client asset reporting will take effect. The main objective is to improve the FSA’s oversight of firms’ client asset systems and compliance through better quality, more transparent and consistent auditor client asset reports. Auditors will also be keen to repair their reputation by showing the FSA they are up to the task, and firms can expect auditors to be more probing, thorough and challenging in their annual reviews.
The main resulting risk to firms is that breaches that were previously undetected (or perhaps just undisclosed) are now more likely to be identified, examined and reported to the FSA, and therefore the chances of the auditor client asset report resulting in a formal FSA investigation (and enforcement action) are greater. To reduce the risk of such a regulatory crisis, firms should confirm their understanding of precisely how CASS applies to them and the extent to which they are CASS-compliant, ideally resolving any issues before their auditor commences its annual review. They should also be prepared to address any further breaches identified by the auditor with appropriate remedial action and, in some cases, they may need to challenge auditors where they believe they are wrong. The governing body of the firm will be formally required to read the auditor’s client assets report, and they and senior management are advised to take an auditor’s ‘adverse opinion’ very seriously.
Background - client assets auditor assurance
Under statute, auditors owe a general duty to report to the FSA any information which they become aware of that is relevant to any of the FSA’s functions. This is independent of a firm’s duty to report breaches and material information to the FSA under ‘Principle 11’. Even if an auditor has not been formally engaged on a matter relating to client assets, he may feel compelled to report a client assets issue he comes across to the FSA (without necessarily making the firm in question aware of this). The FSA has also recently finalised a code of practice regarding the relationship between the external auditor and the FSA (FG11/09) which reinforces this duty and highlights the wider role of the auditor in the context of regulatory supervision. The code refers to open and constructive two-way dialogues in which views are encouraged to be expressed between the auditor and the FSA on an informal basis, and calls for communication to be as frequent as necessary so that both the auditors and the FSA’s statutory duties are effectively fulfilled. Firms can, therefore, generally expect more information about them to be passed from their auditors to the FSA with greater frequency.
In respect of client assets in particular, firms carrying on investment business that hold client money/assets and insurance intermediaries that hold in excess of £30,000 of client money are required, annually, to instruct an auditor to express an opinion to the FSA as to whether the firm has maintained systems adequate to enable it to comply with CASS throughout the reporting period, and that the firm was in compliance with CASS at the end of the reporting period. Firms carrying on investment business that claim to not hold client money/assets are required to instruct an auditor to express an opinion to the FSA that nothing he is aware of causes him to believe the firms’ assertion is incorrect. This reporting regime is about to be enhanced.
FSA dissatisfaction with auditors
Over the past 18 months there has been an increasing number of FSA enforcement actions in respect of CASS breaches, largely in response to a realisation that this area was not being adequately regulated. The FSA might well be criticised for failing to spot client assets issues within Lehman Brothers International (Europe) before it was too late. This has itself resulted in a long running and ongoing courtroom debate stemming from ambiguities within CASS as various classes of Lehman stakeholder grapple for the remaining (and substantial) pot of client money – evidence of damage to the FSA’s statutory objectives of market confidence and consumer protection. In turn, the FSA has directed scathing criticism at the senior management of firms (see here for further analysis), and the auditors that supply the FSA with annual client asset reports on individual firms are also on the back foot.
The FSA’s discussion paper DP 10/3 (June 2010) set out the FSA’s concerns with widespread ‘material weaknesses’ in the auditor client asset reports that it receives. The evidence suggests that auditors are failing to maintain a basic understanding of CASS and failing to understand the specific audit requirements for client assets. The FSA has also received numerous unqualified ‘clean’ reports where the firm in question has committed significant CASS breaches. The FSA is therefore concerned that auditors portray a ‘worrying lack of scepticism’ and ‘focus too much on gathering and accepting evidence to support management’s assertions’.
The FSA does not regulate auditors’ professional standards, but in response to these concerns it recently established a referral arrangement with the Institute of Chartered Accountants in England and Wales (ICAEW) and the Accountancy and Actuarial Discipline Board (AADB). It has since made a number of disciplinary referrals, some high profile. The new rules discussed further below are also intended to improve the quality of auditor client assets reports, in order to better support the FSA in achieving its statutory objectives.
What will change under the new rules for auditor client asset reports?
Policy Statement 11/5 published in March 2011 sets out the new rules, which in brief:
- explain the two types of auditor engagement: (i) a ‘reasonable assurance report’ where the firm is holding client money and/or assets, and (ii) a ‘limited assurance report’ where the firm claims not to hold client money and/or assets;
- make it clear that the FSA expects the client assets report to comply with applicable auditing standards;
- prescribe a two-part template to be used for the report addressed to the FSA. Part 1 contains the auditor’s opinion, which, if there are any issues, may include a ‘qualified opinion’ or an ‘adverse opinion’. Part 2 contains a table of all identified CASS breaches. The table includes a column in which the FSA expects the firm to comment on each breach – for example by explaining any actions taken and/or mitigating factors;
- require firms’ governing bodies to review the findings of the report;
- bring the mandates rules (CASS 8) back within the scope of the report; and
- require auditors to deliver their reports within four months from the end of the reporting period.
The new rules will take effect from 1 June 2011. However, there will be an extended transitional period until 29 September 2011. Firms and auditors can choose not to comply with the new rules where reporting periods end on or before 29 September 2011. Reports with reporting periods ending 30 September 2011 onwards will need to comply with the new rules.
In practice, we have seen that some auditors are already beginning to apply the rules even before they take effect – this points towards a resolute intention from auditors to restore their reputation with the FSA and the market.
How should firms be prepared for the new regime?
Although the new rules principally concern auditors and their approach to producing client asset reports, firms should not overlook the effect that the resulting higher level of scrutiny could have on their business and relationship with the FSA. Armed with these new rules, and under the threat of referral for their own disciplinary breaches, auditors are very likely to actively seek out CASS breaches and challenge management assertions, particularly where firms are already known to have weaknesses.
Before the auditor is appointed (and business as usual)
Under this new regime it is even more important for firms to have robust governance arrangements around client assets, and a full understanding of how CASS applies. Senior management should gain assurance through regular, accurate and detailed management information that the firm’s CASS risks are being adequately evaluated, monitored and mitigated. CEOs are reminded that they will have responded to a ‘Dear CEO’ letter last year as to whether or not their firms are in compliance – it will be no doubt embarrassing (and may lead to personal investigation) if an auditor’s client assets report identifies breaches in the same period as a Dear CEO response that stated that there were none.
One means of obtaining comfort prior to the auditor’s review being carried out is to appoint an external consultant to undertake a quality assurance review. Indeed, this method was used by Barclays Capital and ActivTrades - although both went on to receive Final Notices (and substantial fines) from the FSA for their respective CASS breaches, the pro-active appointment of external consultants to undertake a review was viewed favourably by the FSA. Furthermore, using an external legal adviser can be a useful way of gaining technical advice in a legally privileged environment. Unlike external auditors, lawyers do not have a statutory duty to report breaches to the FSA, and can therefore concentrate on advising firms on CASS compliance and how to make improvements.
Appointing the auditor
Choosing the right auditor to carry out the review is an important part of the process. Firms are required to take reasonable steps to ensure that their appointed auditor has the required skill, resources and experience to perform the client asset review and to produce the report to the new four month deadline. This should reduce the risk of mistakes in the report and may save management time spent on challenging a sub-standard report. The FSA expects firms to keep their choice of auditor under review.
During the auditor’s review
Firms are required under the FSA’s rules to co-operate with their auditors, including by giving them access to relevant records and staff, and to third parties (such as appointed representatives and outsourcing providers). Firms should also be aware of the FSA’s criticisms of auditors (some of which are described above) as they observe the progress of the review. For example, if a firm is conscious that an auditor is investigating an area of the business that is not in the scope of CASS (for example, because CASS does not apply), then it should challenge the auditor’s understanding of the rules (armed with a legal opinion if necessary). In our experience such misunderstandings may be more likely to occur where there are complex product structures, platforms, distribution arrangements or outsourcing arrangements in place.
When reviewing the draft report
An auditor carrying out a client assets review will be required to provide the firm with a draft report and give the firm adequate time to consider the auditor’s findings and make comments within Part 2 of the report. Under the new rules a firm’s governing body is required to review the final findings of the report. Although the rules are not prescriptive as to when this review needs to take place (e.g. before or after submission to the FSA), it may be appropriate for any issues in the draft report to be flagged up to the governing body.
In reviewing the draft report the firm should keep in mind its purpose, which is essentially to confirm that the firm has adequate systems and controls to comply with CASS and is in compliance as at the date of the report. The firm should also understand the implications of any negative conclusions that have been reached. Such conclusions will be expressed as either ‘qualified opinions’ or ‘adverse opinions’.
A ‘qualified opinion’ will be given, for example, where a firm has adequate systems and controls but there has nevertheless been a low number of incidental failures (e.g. due to human error). On the other hand, an ‘adverse opinion’ may be given, for example, where there are inadequate systems, systems are not adequately maintained, the volume of breaches suggest systemic failures or there is a poor understanding of how the systems are meant to operate. An ‘adverse opinion’ may be given irrespective of whether or not there has been any customer loss or complaint.
An ‘adverse opinion’ should be taken very seriously as it may trigger further FSA investigation (possibly leading to enforcement). To the extent possible, firms should use the opportunity to make comments in Part 2 of the report to challenge the conclusions reached and/or to demonstrate to the FSA that any issues are being dealt with expeditiously and appropriately. This is essentially the firm’s first opportunity to assert to the FSA that further regulatory action would be unnecessary or disproportionate. It is not the responsibility of the auditor to ensure that a firm makes comments in Part 2, and the FSA may raise queries if a firm has failed to respond where serious breaches have been identified, or has failed to provide a full response. Firms may wish to consult external advisers in preparing their responses.
How CMS Cameron McKenna can support you
We have extensive experience in advising firms on the application of CASS and on how to be CASS-compliant. This includes reviewing and advising on different types of CASS structures (including third party administrator/outsourcing arrangements and platforms), reviewing and drafting legal documentation (including customer terms of business, banking documentation, trust letters/deeds and outsourcing agreements), delivering tailored training, and advising on treasury and compliance procedures. We have also guided numerous firms through the FSA’s various enforcement processes (including s.166 investigations, document requests and interview preparation), and have dealt with auditors on behalf of firms in relation to client assets and other financial matters.
We would be happy to advise on any concerns that you may have on the matters discussed above, or on the FSA’s wider reform of CASS.
The client assets and living wills page on our Regzone contains more useful information relevant to this topic. If you would like to look at these topics in more detail, follow the sequence for developments or read the underlying publications, click here to access our daily monitoring reports on this subject - starting with the most recent; each report contains a summary and a hyperlink to the publication concerned.