• Creator
    Topic
  • #525

    jw1949
    Participant

    The Financial Reporting Council has issued a new standard for CASS audits effective for audit periods beginning on or after 1 January 2016. This requires CASS firms to produce a documented control framework showing, for each relevant CASS rule, the control objective, the control, evidence of operation and monitoring controls.

    This seems to be a massive project. Have any Forum members had experience of this? Do they have any useful information on how they went about it which they are willing to share with other Forum members.

    Julian Wolf
    Synergy Financial Products Limited
    St Albans

Viewing 2 replies - 1 through 2 (of 2 total)
Replies
  • Chris Burr
    Keymaster
    Post count: 6
    #529 |

    Hi JW1949

    I’ve been recommending and producing the mapping of CASS rules to key controls for my clients for a few years. A methodical mapping does, necessarily, take a while to complete. However once done, it is very useful. Its a chance for management to identify where the main risks on CASS are, how well their controls address them and who is actually taking practical responsibility for them. In my experience, doing the mapping always identifies gaps and weaknesses on CASS that otherwise just simply get missed by management and auditors.

    The FRC’s new standard means auditors are now expecting firm’s to produce CASS rule mappings.

    Once you’ve identified the rules that apply to your firm you need to focus on your firm’s business model and working assumptions. Establishing an objective for each rule is usually pretty obvious ( i.e. you want to avoid breaching that particular rule). However the key is to identify the various risks/situations that can lead to a breach on each given rule. ( there can be many risks to each rule) If you firm works on a certain business model/ assumption(s), how well founded are those assumptions? Once you’ve worked out the risks and situations that can create a breach you can then focus on the key controls you run to stop those situations arising. Where ever possible you want a ‘P’ control to prevent the breach and also a ‘D’ control to detect if the P control has failed. A lot of it is ( or should be) the mapping of existing controls. The exercise does serve to highlight the significance of various normal controls for CM protection /CASS compliance. ( Eg ‘P control – The daily review of your office bank account for potential CM items for transfer to CM within one day, and ‘D’ control being bank reconciliations and review/clearance of rec items on your office account to identifying potential CM items that might languish on the office bank account in breach of CASS). You also find many of these existing controls need evidencing/recording better.

    The mapping highlights the need for really good CASS ‘checklist’ controls for many areas of the firm’s activity. In my view a good well implemented checklist built into your ‘business as usual’ processes is the best way to ensuring compliance with many of the CASS requirements. The CASS requirements are very detailed and very dull. As a result breaching CASS is easy to do. Good CASS focused checklists work well in ensuring stuff gets done and is evidenced properly.

    I will dig out some suggested column headings for the mapping and post them here later today.

    Chris Burr

    Chris Burr
    Keymaster
    Post count: 6
    #535 |

    JW1949

    I will email you an extract from my model mapping which provides a suggested layout. If, when you receive it, its not clear, just give me a shout on 07876 417146.

    Regards

    Chris

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.