CASS Audit Services: Requirements & Compliance Guide 2026
CASS audit services are mandatory assurance engagements conducted by independent auditors to verify that FCA-regulated firms comply with the Client Assets Sourcebook rules when handling client money and assets. These audits protect investors by ensuring firms maintain proper segregation, reconciliation, and safeguarding controls, with non-compliance resulting in FCA fines ranging from £700,000 to approximately £9 million.
When your firm holds client assets or client money, the stakes couldn’t be higher. The Financial Conduct Authority doesn’t just expect compliance with CASS regulations—it demands independently verified proof that client funds remain protected at all times.
That’s where CASS audit services come in.
These specialized assurance engagements go beyond traditional financial audits. They scrutinize how firms segregate, reconcile, and safeguard client assets, ensuring that if a firm fails, clients can quickly recover what belongs to them. But here’s the thing: not all CASS audits are created equal, and understanding the nuances can mean the difference between a clean opinion and regulatory action.
What Are CASS Audit Services?
CASS audit services are independent assurance engagements that examine whether FCA-regulated investment firms comply with the Client Assets Sourcebook regulations. The Financial Conduct Authority established these rules to protect client assets and client money from misappropriation, commingling, or loss if a firm encounters financial difficulties.
The Client Assets Sourcebook contains detailed provisions governing how firms must handle, segregate, and account for assets that don’t belong to them. CASS specialists support firms with interpreting these rules and developing control environments that withstand external scrutiny.
Unlike standard financial audits that focus on a firm’s own accounts, CASS audits specifically examine the systems, controls, and processes protecting client assets. Think of it as a regulatory health check for investor protection mechanisms.
The Two Main Types of CASS Audits
Most firms encounter one or both of these audit categories:
- CASS 5 audits focus specifically on client money—the cash deposits and funds firms hold on behalf of clients. These audits verify that money gets properly segregated in designated client bank accounts, reconciled daily, and protected from the firm’s own creditors.
- CASS 7 audits examine client assets such as securities, stocks, bonds, and other investment instruments. Auditors verify that these assets remain properly registered, segregated from firm assets, and accurately recorded in client custody accounts.
Some investment firms require both audit types, depending on whether they hold client money, client assets, or both. The specific CASS chapters that apply determine which audit services firms need.
Who Needs CASS Audit Services?
Not every financial services firm requires a CASS audit. The requirement depends on the permissions granted under a firm’s FCA authorization and whether it actually holds client assets or client money.
FCA-regulated investment firms typically need CASS audits when they:
- Hold or control client money in segregated accounts
- Maintain custody of client securities or other investment instruments
- Operate as investment managers, stockbrokers, or wealth advisors with client asset responsibilities
- Provide execution, clearing, or settlement services involving client funds
The FCA’s Client Assets Sourcebook specifies which firms fall under CASS 5, CASS 7, or both regimes. Firms classified as exempt generally don’t require full CASS audits, though they may still face reporting obligations.
Here’s what gets interesting: the regulatory framework aims to prevent disorderly failure. If a firm collapses, proper CASS compliance means clients can rapidly identify and recover their assets rather than becoming general creditors in an insolvency proceeding.
Understanding CASS Audit Opinions
CASS audits culminate in an assurance opinion that communicates the auditor’s findings to both firm management and the FCA. These opinions aren’t binary pass-fail grades—they exist on a spectrum reflecting compliance quality.
Unqualified Opinion
An unqualified or clean opinion represents the gold standard. It means auditors found no material non-compliance with CASS rules during their examination. The firm’s systems, controls, and processes adequately protect client assets and client money.
That doesn’t mean perfection—minor administrative issues might still appear in the auditor’s management letter. But overall, the firm demonstrates effective CASS compliance.
Qualified Opinion
A qualified opinion signals moderate concerns. Auditors identified specific areas of non-compliance that don’t meet CASS requirements, though these issues aren’t pervasive enough to constitute wholesale failure.
Firms receiving qualified opinions must take prompt remediation action. The FCA expects detailed plans addressing identified weaknesses, with implementation timelines and progress monitoring.
Adverse Opinion
This represents the most serious outcome. An adverse opinion means auditors found material failings in how the firm handles client assets or client money. Controls may be inadequate, segregation practices deficient, or reconciliation processes unreliable.
Adverse opinions trigger immediate regulatory scrutiny. According to Ocorian, firms must prioritize remediation particularly where qualified or adverse opinions land, as the FCA expects prompt action to protect clients.
Disclaimer of Opinion
Sometimes auditors can’t form an opinion because they lack sufficient evidence. This happens when records are inadequate, systems unreliable, or the firm restricts audit scope.
A disclaimer often raises more red flags than an adverse opinion because it suggests fundamental control breakdowns that prevent even basic verification.
CASS Audit Deadlines and Reporting Requirements
Timing matters enormously in CASS compliance. The FCA mandates specific deadlines for audit completion and opinion submission based on a firm’s financial year-end.
Firms must complete their CASS audit and submit the auditor’s report to the FCA within four months of their accounting reference date. For firms with December year-ends, the busy season typically concludes by late April.
But wait—there’s more complexity. Some firms face accelerated deadlines if they hold significant client assets or operate under particular permissions. The specific CASS chapter application determines exact timing requirements.
| Firm Type | CASS Chapter | Standard Deadline | What Gets Audited |
|---|---|---|---|
| Client money holdings | CASS 5 | Within 4 months of year-end | Cash segregation, reconciliations, client money calculations |
| Client asset custody | CASS 7 | Within 4 months of year-end | Asset segregation, registrations, custody records |
| Both money and assets | CASS 5 & 7 | Within 4 months of year-end | Comprehensive review of all client holdings |
| Large firms | Various | May be shorter | Enhanced scrutiny and reporting |
Missing these deadlines constitutes a breach of regulatory requirements. It can trigger enforcement action even if underlying CASS compliance is otherwise sound.
The CASS Audit Process
Understanding what happens during a CASS audit helps firms prepare effectively and avoid unpleasant surprises. The process typically unfolds across several distinct phases.
Pre-Audit Preparation
Smart firms don’t wait until audit season. They maintain continuous CASS compliance through robust control environments, regular internal reviews, and proactive gap analysis.
Before auditors arrive, firms should verify that:
- Client money reconciliations are current and balanced
- Segregation calculations reflect accurate positions
- Custody records match external confirmations
- CASS resolution packs remain updated
- Documentation trails support all transactions
Developing a CASS control environment that withstands external scrutiny requires skilled interpretation of the rules themselves.
Fieldwork and Testing
Auditors examine three critical areas: design effectiveness, implementation accuracy, and operating reliability of CASS controls.
They’ll test whether controls exist on paper, whether firms actually use them as designed, and whether they consistently function throughout the audit period. Sample testing verifies that reconciliations happen daily, that segregation calculations use correct methodologies, and that client asset records accurately reflect holdings.
Real talk: auditors scrutinize exception handling intensely. When reconciliations don’t balance or discrepancies arise, how quickly and effectively does the firm investigate and resolve issues?
Opinion Formation
After completing fieldwork, auditors assess their findings against FCA requirements. They consider both the nature and magnitude of any identified issues.
Minor procedural lapses might warrant management letter comments without affecting the opinion. Material control weaknesses typically result in qualification. Pervasive failures lead to adverse opinions.
Consequences of Non-Compliance
CASS breaches aren’t academic exercises—they carry real financial and reputational consequences.
According to available data, FCA fines for CASS failings in recent years have ranged from £700,000 up to approximately £9 million. These penalties reflect the regulator’s view that client asset protection represents a fundamental trust obligation.
But financial penalties tell only part of the story. Firms facing CASS enforcement may experience:
- Restrictions on business permissions
- Requirements to appoint skilled persons
- Increased capital requirements
- Reputational damage affecting client relationships
- Difficulty obtaining professional indemnity insurance
The regulatory philosophy prioritizes orderly firm failure over prevention of failure itself. When firms do collapse, proper CASS compliance ensures clients can rapidly recover their assets rather than becoming unsecured creditors.
Effective Remediation Strategies
Receiving anything other than an unqualified opinion doesn’t mean game over. What matters is how firms respond.
Effective remediation starts with honest root cause analysis. Why did the control fail? Was it design deficiency, implementation error, or resource constraint? Surface-level fixes that don’t address underlying causes simply delay the next audit finding.
Prioritization matters too. Not all findings carry equal weight. Focus remediation resources on issues that pose the greatest risk to client asset protection, then address lower-priority items systematically.
Building a Sustainable CASS Framework
The best CASS audit response is preventing findings in the first place. That requires embedding client asset protection into operational culture rather than treating it as a compliance checkbox.
Sustainable frameworks feature:
- Clear accountability with named individuals responsible for CASS oversight
- Robust systems that automate reconciliations and flag exceptions
- Regular internal reviews that catch issues before external auditors do
- Comprehensive documentation that creates audit trails
- Training programs ensuring staff understand CASS requirements
Many experts suggest treating CASS controls as business-critical infrastructure rather than regulatory burden. When client asset protection becomes embedded in how firms operate, compliance naturally improves.
Selecting the Right CASS Audit Provider
Not all audit firms possess equivalent CASS expertise. The specialized nature of client assets regulation means generic auditors may miss nuances that specialists catch immediately.
When evaluating potential CASS audit services providers, firms should consider:
- Regulatory knowledge: Does the audit team demonstrate current understanding of CASS requirements and FCA expectations? Rules evolve, and auditors must stay current.
- Industry experience: Have they audited firms with similar business models, client bases, and operational complexity? Investment managers face different challenges than execution-only brokers.
- Technical capability: Can they effectively audit the specific systems and platforms the firm uses? Modern trading infrastructure requires auditors who understand technology.
- Communication approach: Will they explain findings clearly and provide actionable recommendations, or just identify problems without solutions?
| Selection Criteria | Why It Matters | Questions to Ask |
|---|---|---|
| CASS specialization | Generic auditors may lack depth | How many CASS audits does your team complete annually? |
| FCA relationship | Understanding regulatory expectations | Do you maintain regular dialogue with FCA supervisors? |
| Sector experience | Different firms face unique challenges | Have you audited firms with our business model before? |
| Remediation support | Finding problems vs. solving them | What post-audit support do you provide? |
Pass Your CASS Audit With FCA Compliance
CASS audits come with strict FCA expectations, especially around how client money and assets are handled. Acumon is a UK-registered audit firm providing CASS 5, 6 and 7 audit services for FCA-regulated firms, with a clear focus on compliance with the Client Assets Sourcebook.
Get a CASS Audit That Meets FCA Requirements
Here’s what Acumon provides as part of its CASS audit work:
- CASS 5, 6 and 7 audits aligned with FCA requirements
- Review of systems, controls and processes around client money and assets
- Assessment of compliance with the FCA Client Assets Sourcebook (CASS)
- Identification of gaps in controls and regulatory alignment
- Clear audit outcomes to support reporting and compliance
If you need your CASS audit delivered in line with FCA expectations, speak with Acumon and discuss your requirements directly.
Emerging CASS Challenges
The regulatory landscape continues evolving, presenting new challenges for CASS compliance and audit services.
Technology transformation represents a significant pressure point. As firms adopt cloud platforms, algorithmic trading, and digital custody solutions, traditional CASS controls may not translate directly. Auditors must adapt methodologies to assess controls in modern infrastructure.
Cryptocurrency and digital assets create particular complexity. How do CASS rules apply when assets exist on distributed ledgers rather than traditional custody arrangements? Regulatory guidance continues developing, but audit approaches must evolve in parallel.
Cross-border operations complicate matters further. Firms operating across multiple jurisdictions must reconcile CASS requirements with other regulatory frameworks, creating overlapping and sometimes conflicting obligations.
Moving Forward With CASS Compliance
CASS audit services represent more than regulatory obligations. They verify that the fundamental trust relationship between firms and clients rests on solid foundations.
When markets function smoothly and firms prosper, client asset protection may seem like administrative overhead. But when disruption strikes—market volatility, operational failures, or firm insolvency—proper CASS compliance determines whether clients emerge intact or suffer losses.
The firms that excel at CASS compliance don’t view it as a burden to minimize. They recognize that investor protection directly enables their business model. Without client trust in asset safety, investment services cannot function.
Sound familiar? That’s precisely why the FCA maintains strict CASS requirements and mandates independent verification through specialized audit services.
For firms currently preparing for CASS audits, the message is clear: start early, invest appropriately in controls, and treat client asset protection as the business-critical function it truly represents. For those considering whether they need CASS audit services, consult with FCA authorization specialists to understand obligations specific to planned activities.
Client assets deserve protection. CASS audit services verify that protection exists.
Frequently Asked Questions
CASS audit costs vary significantly based on firm size, complexity, and the scope of holdings. Smaller firms with straightforward arrangements might pay £15,000-£30,000 annually, while larger, more complex organizations can face fees exceeding £100,000. Factors influencing cost include the number of client accounts, transaction volumes, custody arrangements, and the firm’s control environment quality. Check with audit providers for current pricing specific to particular circumstances.
No. The FCA requires CASS audits to be conducted by independent external auditors who meet specific qualifications. Internal audit functions play valuable roles in ongoing CASS monitoring and control testing, but they cannot substitute for the required external assurance opinion. Independence ensures objective assessment and protects against conflicts of interest.
Missing the regulatory deadline constitutes a breach of CASS rules that firms must report to the FCA. Depending on circumstances, the regulator may impose fines, restrict permissions, or require enhanced monitoring. Even without formal sanctions, late submission damages the firm’s regulatory relationship and may trigger increased supervisory scrutiny. Firms facing potential delays should communicate proactively with both auditors and the FCA.
Most firms subject to CASS requirements must complete audits annually, tied to their financial year-end. The audit examines controls and compliance throughout the preceding 12-month period. Some firms with specific characteristics may face different frequencies, but annual assessment represents the standard requirement for CASS 5 and CASS 7 compliance verification.
No. Only FCA-regulated firms that hold or control client money or client assets require CASS audits. Firms that never handle client funds—perhaps because they operate on an execution-only basis with direct settlement—may be exempt. The specific permissions granted under FCA authorization determine whether CASS rules apply and what audit requirements follow.
CASS 5 audits examine client money holdings—cash deposits and funds held in segregated bank accounts. They verify proper segregation, daily reconciliation, and calculation methodologies. CASS 7 audits focus on client assets like securities, stocks, and bonds. They examine custody arrangements, asset registration, and segregation from firm assets. Firms holding both client money and assets require comprehensive audits covering both regimes.
First-time audit preparation should start well before the audit date. Firms should conduct gap analyses comparing current practices against CASS requirements, implement necessary systems and controls, establish documentation processes, and perform internal testing. Engaging CASS consultants or specialists early helps identify issues while time remains for correction. Building a robust control environment from the outset proves far easier than remediation after adverse findings.