CASS audits in 2026: what FRC standards now require
The annual Client Assets audit is a statutory obligation for FCA-regulated investment firms that hold client money or custody assets. The audit is required under CASS 6.6 and CASS 7.15, must be conducted by an approved external auditor, and the resulting report must be submitted to the FCA as part of the firm’s annual regulatory returns. In 2026, both the FRC’s evolving auditing standards and the FCA’s heightened expectations around CASS governance have raised the bar for what a credible CASS audit looks like — and by extension what the firm’s compliance function must demonstrate to support it.
This article sets out what the CASS audit now requires, where the FRC’s standards have tightened, and what the compliance officer and SMF18 must have in place to enable an effective audit.
The statutory framework — what triggers a CASS audit
An investment firm is required to have an annual CASS audit if it holds client money under CASS 7, safe custody assets under CASS 6, or both. The obligation applies regardless of the volume of client assets held — a small CASS firm holding under £1m of client money is subject to the audit requirement in the same way as a large CASS firm holding over £1bn, though the scope and complexity of the audit differ materially between firm sizes and tiers.
The CASS firm tier classification — large, medium or small — determines the frequency of certain reconciliations and the specific reporting obligations that apply. The compliance officer and SMF18 carrying governance responsibility for CASS must confirm the firm’s current tier annually and assess whether any change in client asset volumes during the year has triggered a tier reclassification. Failure to identify a tier change and adjust the firm’s CASS procedures accordingly is a recurring finding in FCA CASS supervisory visits.
The FRC’s audit standards and what has tightened
CASS audit engagements are subject to the FRC’s auditing standards — the ISAs (UK) as applicable to assurance engagements — and the FRC’s Ethical Standard for auditors. In recent years the FRC’s Audit Quality Review thematic work has specifically examined CASS audit quality and identified consistent weaknesses in how auditors have approached these engagements.
The principal tightening in FRC standards relevant to CASS audits in 2026 relates to the depth of understanding the auditor must obtain before forming an opinion. The previous standard permitted a relatively high-level review of the firm’s CASS framework against the relevant FCA rules. The current expectation — developed through the FRC’s thematic reviews and incorporated into practice guidance — is that the auditor must obtain and assess the firm’s specific written CASS policies and procedures, test the operating effectiveness of key controls rather than relying on management representations, and explicitly opine on whether the firm’s CASS compliance framework is adequate rather than merely whether individual breaches have occurred.
This shift from a compliance review to a controls-effectiveness assessment has direct implications for the firm. A CASS audit that is testing the operating effectiveness of controls — reconciliation processes, segregation of client money, custody asset records — requires the firm to have those controls documented, consistently operated, and evidenced. Firms that have maintained CASS compliance through skilled individuals rather than documented, repeatable processes will find 2026 audits more challenging than their predecessors.
Reconciliation controls and what auditors now test
The reconciliation process is the operational core of CASS compliance. Under CASS 7, firms must perform internal client money reconciliations and external reconciliations against bank statements on a prescribed frequency. Under CASS 6, custody asset reconciliations must be performed and discrepancies resolved promptly. The FRC’s current standards require auditors to test whether these reconciliations are being performed in accordance with the firm’s own documented procedures and the FCA’s CASS rules — not merely to review whether a reconciliation was completed.
What this means practically: the auditor will review a sample of reconciliations, assess whether they were performed on time, whether discrepancies were identified, how discrepancies were resolved and how quickly, and whether the resolution was documented. A firm whose reconciliation records are incomplete, whose break resolution process is informal, or whose procedures describe a process that is not consistently followed in practice will receive findings — and potentially a qualified CASS audit report.
A qualified CASS audit report triggers specific regulatory obligations. The firm must notify the FCA promptly and explain the nature and cause of the qualification. Material CASS breaches disclosed through the audit process may require separate standalone notification to the FCA under the FCA’s rules on breach reporting. The SMF18 carrying governance responsibility for CASS is personally accountable for the escalation and notification process.
Bank acknowledgement letters and third-party arrangements
Client money held at banks and other third-party institutions must be subject to a client money trust acknowledgement letter from the relevant institution — a document confirming that the institution recognises the money is held on trust for clients and does not form part of the firm’s own assets in an insolvency. The FRC’s current audit approach requires auditors to verify that these letters are in place, are appropriately worded, and are updated when banking arrangements change.
Firms that have changed banking arrangements, added new client money accounts, or modified the terms of existing arrangements without obtaining updated acknowledgement letters will face audit findings. The compliance officer responsible for CASS should maintain a register of all client money accounts, the institutions holding them, the date of the current acknowledgement letter, and a reminder process for letter renewal when account terms change.
CASS audit report — what the FCA receives and what it looks for
The CASS auditor’s report submitted to the FCA must confirm whether the firm’s CASS systems and controls were adequate throughout the period under review and whether the firm complied with CASS rules. An unqualified report confirms both. A qualified report identifies specific areas where compliance was not achieved or where controls were inadequate, and must describe the nature of the issues found.
The FCA uses CASS audit reports as a supervisory data source — firms with qualified reports, or firms whose reports reveal recurring findings across consecutive years, are more likely to be the subject of supervisory engagement or a skilled person review under section 166 of the FSMA. The compliance officer and SMF18 should treat the CASS audit as a regulatory relationship management exercise, not only as a technical compliance requirement.
What good CASS governance looks like ahead of the audit
The firms that receive clean CASS audit reports consistently are those that treat CASS compliance as a live governance process rather than an annual exercise. The compliance officer should maintain a CASS monitoring programme that runs throughout the year — tracking reconciliation performance, logging breaks and their resolution, maintaining the acknowledgement letter register, and reviewing the adequacy of client money segregation whenever the firm’s client asset profile changes significantly.
The SMF18 should receive structured monthly reporting on CASS performance and escalation of any material issues — a monthly CASS MI pack covering reconciliation status, break aging, breach log and any changes to third-party arrangements. Where the compliance officer identifies issues that may require FCA notification, the SMF18 must be in a position to assess the materiality of the issue and make the notification decision within the FCA’s required timeframe.
FD Capital places Heads of Compliance and SMF16 professionals in FCA-regulated investment firms where CASS governance is a primary compliance obligation. The specific knowledge of CASS reconciliation requirements, audit preparation and FRC standards that this role demands is a material differentiator in the candidate pool.
Written by
Adrian Lawrence FCA
Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383
FD Capital is an ICAEW-Registered Practice specialising in compliance and senior finance recruitment for FCA-regulated firms.
Adrian Lawrence FCA is the founder of FD Capital and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). He holds a BSc from Queen Mary College, University of London, and has over 25 years of experience as a Chartered Accountant and finance leader working with private, PE-backed and owner-managed businesses across the UK. He founded FD Capital to connect growing businesses with the Finance Directors and CFOs they need to scale — and personally interviews candidates for senior finance appointments.