For too many firms, the annual CASS audit is treated as a box-ticking formality. That mindset is both dangerous and increasingly costly.

Few regulatory obligations generate as little enthusiasm or as much quiet anxiety as the annual CASS audit. Mention it in a compliance meeting and you will likely be met with a familiar mix of resignation and administrative dread. That reaction is understandable. It is also, we would argue, a significant mistake.

The Client Assets Sourcebook (CASS) exists for a reason. In the aftermath of high-profile firm failures most notably the Lehman Brothers, the FCA and its predecessors recognised that the boundary between firm money and client money was full of gaps. The CASS rules were designed to draw a hard and auditable line. The CASS audit exists to test whether that line is actually holding.

What does a CASS audit actually involve?

A CASS audit is an independent, external examination of a firm’s compliance with the client money and custody asset rules as set out in the FCA’s Handbook. Depending on a firm’s classification, business model and risk profile, the scope and depth of the audit will vary, but the core questions remain the same: are client money and client’s safe custody assets properly recorded, segregated, protected and reconciled? Does the firm have robust arrangements in place to return assets promptly if it were to fail?

The auditor’s output is a formal report to the FCA. That report is not internal. It is a regulatory document, and the FCA reads it. Firms that receive qualified or adverse opinions findings that indicate material non-compliance should expect supervisory attention to follow.

The audit as a tool, not a test

The most sophisticated firms do not wait for the auditor to identify problems. They use the annual cycle as a structured opportunity to pressure-test their CASS framework: reviewing their client money calculations methodology, stress-testing their reconciliation procedures, and ensuring that their resolution pack reflects the current state of the business rather than a historical snapshot. Engaged senior management, regular internal CASS reviews, and clear ownership of the CASS officer role all correlate strongly with clean audit outcomes.

That approach requires treating the CASS audit not as an annual imposition, but as a legitimate governance mechanism one that, when taken seriously, provides genuine assurance to the firm, its clients, and its regulator alike. The firms that learn to value it tend to be the ones that never have cause to regret it.

Why it matters more than firms often appreciate

The purpose of CASS is ultimately protective: if a firm becomes insolvent, clients should be able to recover their assets quickly and in full. The external audit is the mechanism by which the FCA gains assurance that this protection is real and not merely theoretical. When the audit reveals weaknesses for e.g. poor reconciliation practices, incorrect acknowledgement letters, operational gaps in the resolution pack this could be evident that the protection clients believe they have may, do not exist in the way they assume.

Beyond client protection, the reputational and regulatory stakes for firms are considerable. The FCA has demonstrated a clear willingness to take enforcement action over CASS failings, with fines running into tens of millions of pounds for major breaches. Importantly, those fines have not been reserved for firms that actually lost client money, they have been imposed on firms whose systems and controls were found to be inadequate, even where no client suffered a direct loss.

Where firms most commonly fall short

CASS audits consistently surface a recognisable set of recurring issues. Reconciliation failures, both internal and external, remain among the most common findings, often because firms have expanded their business lines without updating their CASS frameworks to match. Inadequate oversight of third-party custodians is another persistent weakness, as are gaps in the firm’s resolution pack: the document that would guide administrators in returning client assets in an insolvency. Firms also frequently underestimate the operational complexity of CASS in high-volume or multi-asset environments, where the margin for error compounds quickly.

None of these are exotic or unforeseeable failures. They are, almost without exception, the product of treating CASS compliance as a back-office function rather than a firm wide discipline with genuine board level accountability.