Most firms that hold or control client money and assets are audited once a year to check they have adequate systems and controls in place to keep those assets safe. This is done through a CASS audit, based on the rules set out by the Financial Conduct Authority (FCA) in the Client Assets Sourcebook (CASS).
As part of these checks, auditors often ask to see documentation of a CASS risk and control framework. However, this causes some confusion for both management and auditors as there is no universally agreed definition or template of the framework.
Management often questions the purpose of the framework and its relevance to their firm, wondering what level of detail is required. Auditors, in turn, want to use the firm's documentation to apply the Financial Reporting Council’s (FRC) CASS Assurance Standard, but they need to keep their review independent without just repeating what management has done.
The disconnect can result in the framework being treated as a compliance formality rather than a meaningful part of risk management. This means management may not use it much, and auditors may find it adds little value.
Even though the FRC CASS Assurance Standard has been around for a decade, these challenges persist and are made worse by differences in firms’ business models, approaches to risk, available resources and audit styles. To address this, firms must understand the FCA’s broader expectations and make CASS a real part of their risk management, not just a compliance step.
Risk management expectations
The FRC CASS Assurance Standard promotes a risk-based audit approach, focusing on areas with the highest risk of non-compliance. This requires auditors to assess the internal control environment, rule applicability and firm-specific risks. While the Standard is not a firm-wide risk management directive, it assumes firms maintain a risk-based compliance framework for CASS.
This assumption is grounded in FCA Handbook provisions, notably Principle 3, which mandates firms to organise and control their affairs responsibly, with adequate risk management systems. Senior Management Arrangements, Systems and Controls (SYSC) reinforces this by requiring robust governance arrangements, effective risk identification and monitoring processes, and proportionate internal controls.
SYSC also obliges firms to maintain policies and procedures that identify risks across activities, systems and processes, and to define risk tolerance where appropriate. Governance bodies must approve and periodically review risk strategies and policies. These principles are echoed in MIFIDPRU 7’s internal governance requirements.
In addition, FCA Supervision (SUP) rules require firms to use the client assets report to assess the effectiveness of their CASS compliance systems. This report should be integrated into broader risk management and decision-making processes.
The CASS Handbook mandates firms to maintain organisational arrangements that minimise the risk of loss or diminution of client money, and to establish policies ensuring compliance with CASS rules – aligned with SYSC standards.
Implementing a CASS audit risk and control framework in practice
Neither the FCA Handbook nor the FRC Standard explicitly references a CASS risk and control framework. However, they do provide clear guidance on what firms should include: risk-based compliance structures, governance protocols and documented procedures.
At RSM, our audit teams combine deep knowledge of the FRC Standard with an understanding of FCA expectations. This enables us to conduct truly risk- and control-based audits and use framework documentation effectively. We can deliver valuable insights to management, ensuring your firm gains tangible benefits from the audit process.
For support with your CASS risk and control framework or FCA compliance audit, reach out to Nav Sarai or your regular RSM contact.