For many service organisations that perform CASS operations for their regulated clients, the use of CASS assurance reporting remains largely unexplored. However, demand is rising, barriers to adoption are falling, and a new industry norm seems to be emerging: CASS-specific International Standard on Assurance Engagements (“ISAE”) 3000 reports.
The key driver for these reports is typically the firms (“ManCos”) that have outsourced their operations to service providers. According to a recent Deloitte survey to which 99 CASS firms responded:
- 58% of the firms outsourced elements of their CASS operations to a service organisation; and
- Over 80% of the firms that outsource either “partially rely” on, “don’t rely” on or “don’t have access to” 3rd party assurance reporting.
The figures above show that there are real efficiencies to be gained by ManCos as they are currently not fully utilising these reports, whether available to them or not.
Following the introduction of the FRC Client Assets Assurance Standard (“FRC Standard”), increased FCA scrutiny and a number of high-profile fines in the last 5 years, we have seen an upwards trend in the extent of oversight performed by CASS teams over outsourced functions. Overall, we have seen firms demonstrating stronger governance, asking more probing questions and performing more in-depth, focussed due diligence. As a result, the oversight performed by all lines of defence is extensive and, for many service providers, can feel duplicative when the same controls are tested throughout the period by a variety of stakeholders. For service providers, this can be time consuming, and the amount of effort and resource required to support the review requests from firms and their auditors can be significant.
In this blog, we highlight the potential benefits of a CASS focussed ISAE 3000 assurance report to interested stakeholders based on our experience in providing both service auditor reporting and CASS assurance support to the Financial Services industry.
What is an ISAE 3000?
ISAE 3000 is an international framework for assurance engagements other than audits and reviews of historical financial information. It can act as a general framework for other subject-specific engagements, such as information technology, risk management and CASS controls.
Service providers, such as Transfer Agents (“TA”), Third Party Administrators (“TPAs”) (including Model A and Model B offerings) and Custodians, have been producing internal control reports under varying standards such as the AAF 01/06, ISAE 3402 and SSAE 18 SOC1 regulations for a number of years. These reports can demonstrate the effectiveness of their control environment to their clients, highlighting any control exceptions and failings. However, ManCos have noted that while these reports are useful in understanding the service provider's relevant technology and operational controls, there is often a gap for CASS-specific controls and IT systems.
Why should service organisations care?
The potential use of an ISAE 3000 report seems too valuable to be ignored. One of the most effective ways that service providers can communicate information about their risk management and control environment is through the use of Internal Controls Reports. The FCA and the FRC require regulated firms and audit firms to gain comfort over the effectiveness of such controls. There seems to be a strong argument to have a central CASS report providing assurance to multiple parties. Some of the benefits to service providers are as follows:
- Market credibility in the effectiveness of the control environment - Having an ISAE 3000 report helps to boost the credibility of the service provider and the quality of their control environment to the external market. We have seen that the initial due diligence performed when selecting a new service provider to partner with is becoming more extensive and often CASS compliance can be the deciding factor.
- Value-add differentiator - Using CASS Assurance reports to demonstrate an effective CASS operating environment can be seen as a real value-add differentiator and provide confidence to prospective new customers.
- Lower administrative burden from external audit requests for service providers – An external CASS auditor may be able to place reliance on an ISAE 3000 report, thus reducing the number of audit requests from different audit firms throughout the audit cycle.
- Reducing the need for duplicative on-site visits – On-site visits are regularly conducted by a variety of stakeholders and firms throughout the year, and the COVID-19 restrictions over the last year have accentuated the difficulties of hosting such sessions. Having a central report can support oversight as well as reduce/remove the need for such regular visits to perform due diligence. It is important to know that not all processes can be replaced completely by a report; however, firms will be able to review the report to inform their own 1st, 2nd and 3rd line risk assessments and monitoring reviews, which may reduce ad-hoc requests and queries throughout the year. ManCos may even be able to place reliance on the testing performed for in-scope controls, and in particular over the IT systems, which could further reduce direct testing performed.
Benefits to users
- Enhances oversight - When used correctly, management oversight over systems and controls for outsourced services may be enhanced. ManCos may also have greater visibility on assurance over relevant CASS IT systems.
- Initial due diligence - Firms can use the ISAE 3000 to aid due diligence verification on internal controls before outsourcing a business function to a service organisation.
- Compliance “requirements” - Demonstrates to service users and regulatory bodies that controls are in place and operating effectively.
- Improve overall control awareness - Generates increased awareness within the organisation of the importance of controls and embeds a strong control culture.
- Stakeholder assurance - Builds trust and confidence in outsourced systems, processes and controls. This provides a strong message to clients/potential clients that the firm understands the risk involved and is aware of outsourced controls.
- Audit service support - Deloitte has enhanced its methodology to place reliance on controls reports following recent changes in the FRC Standard. Other CASS auditors may now also be able to place reliance on controls reports for the purposes of their audit testing, helping to resolve key issues and reduce CASS testing where scope overlaps.
So, what’s next?
CASS ISAE 3000 assurance reporting is becoming more and more popular due to the benefits associated with it, but what should ManCos do now?
- Map out the key operational and IT CASS controls (including relevant IT systems) performed by your service provider(s) on your behalf;
- Identify those that are already being covered by existing assurance reports (for example, an ISAE 3402) and identify any gaps; and
- Enquire with your service provider about additional assurance reporting that could reduce/close any identified gaps.
For more insight and support on how CASS ISAE 3000 Assurance reports can benefit your organisation, please reach out to the authors.