The Audit of Investment Business Entities Regulated by the FCA
This helpsheet is designed to assist firms in the audit of investment business entities regulated by the Financial Conduct Authority (FCA). The term “investment business” should be taken to refer to firms regulated by the FCA for the conduct of “designated investment business” as set out in the glossary to the FCA’s handbook (examples of types of businesses covered by this definition are included below). Please note that banks/building societies and insurance companies are covered by their own APB Practice Note (19 and 20) and are not covered in this helpsheet. The ICAS Audit Monitoring (ICAS AM) team regularly review investment business audits to ensure that the specialist aspects have been properly addressed and often find that these are not approached in a consistent manner. In approaching the audit of an investment business, the major issue from the auditors’ perspective is the specific need to consider the regulatory environment in which the investment business operates, and any operational and regulatory issues which could elevate audit risk. It is therefore crucial that sufficient time and resource is applied to the audit process, and that the audit is approached with rigour and professional scepticism, even on the audit of the lowest category authorised clients. This helpsheet aims to assist firms in the consideration of particular areas of interest, including developing an understanding of investment business related risks; compliance with laws and regulations; appropriately tailored engagement letters; and audit reports.
What is the FCA? The Financial Services and Markets Act 2000 (FSMA) established the Financial Services Authority (FSA) to operate a single regime for the authorisation and regulation of financial services businesses. A new regulatory framework came into force on 1 April 2013, when the Financial Services Authority (FSA) ceased to exist, being replaced by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). The FCA, as a Regulator, covers a wide range of businesses linked to the financial services industry. To cover this, there are a range of classes of membership covering the different aspects of its responsibilities. These are published on the FCA website and it is imperative that an auditor is familiar with the permissions granted to clients. Examples of common financial services business regulated by the FCA and covered by this helpsheet, include: • retail intermediaries/brokers (arranging transaction of certain financial products between customer and provider, usually in exchange for commission eg home finance, investments, insurance); • wholesale investment firms (eg investment managers, advisors and arrangers of wholesale funds, insurance firms, larger firms dealing in securities, finance providers); and • independent financial advisers (offering investment products such as life policies, personal pension schemes, stakeholder schemes, and structured investment products). Firm types are defined in the glossary to the FCA’s handbook, and the rules regarding the application of the Markets in Financial Instruments Directive (MiFID) are complex. The auditor should consider whether it applies in any investment business they audit. More information on the FCA and different categories of investment business can be found on their website at: fca.org.uk/
How to develop an effective approach to the audit of investment business entities Details of the regulatory framework relating to the audit of an investment business, including when an investment business may be subject to an audit can be found at Appendix 1. In approaching the audit of an investment business, a major issue from the auditors’ perspective is the need to specifically consider the regulatory environment in which these types of business operate, and the issues which may arise which can elevate audit risk, including: • operational issues – eg inadequate or failed internal processes, poor compliance systems as a result of regulatory changes, resource or training issues, time commitment defending threats of complaint or litigation; and • regulatory issues – eg fines and restrictions imposed by the FCA, withdrawal of authorisation to conduct all or some of businesses activities, or censure as a result of negative publicity. Due to the nature of investment business entities, there are a large number of potential risk areas which could affect the financial statements and the ability of the business to trade as a going concern. It is crucial therefore, that not only is sufficient time and resource applied to the audit of an investment business, but that the audit is approached with rigour and professional scepticism, even on the audit of the lowest category authorised clients. There are some factors that firms should consider in developing an effective audit approach, including: Audit Procedures Firms have choices regarding specialist audits – either purchase a specialist set of audit programmes or tailor purchased or internally developed standard company programmes. In the experience of ICAS AM, firms using specialist programmes tend to have a greater level of compliance, as the other options require firms to dedicate significant time and resource to ensuring a tailored set of programmes remain up to date. Whatever option is taken, it is important that these procedures are fully applied to all relevant audit clients, as specialist aspects apply regardless of the size of the entity.
Training Given the nature of the specialist aspects in the audit of investment businesses, it is important that Responsible Individuals (RIs) and senior audit staff who have FCA regulated audit clients remain up to date in this area. It is crucial that RIs remain up to date with changes in legislation or regulations affecting their clients and this should be demonstrated in their training records. Firms are reminded that International Education Standard 8 (IES8) requires that engagement partners ensure that necessary specialist knowledge is obtained and maintained. Attendance at an FCA related audit course is still one of the most effective ways of maintaining specialist audit competence, however there are other available options, including webinars and other on-line training solutions.
What are the common areas of noncompliance to look out for in the audit of investment business entities? There are a number of areas that ICAS AM would advise firms to keep in mind when conducting such audits and the following are those that are more commonly identified on monitoring visits: Agreement of client engagement terms Signed engagement letters should be received prior to the commencement of the audit engagement, and matters which the auditor may wish to refer to include: • the responsibility of the directors/senior management to comply with applicable FSMA 2000 legislation and the FCA Handbook rules and guidance, including the need to keep the FCA informed about the affairs of the entity; • the statutory right and duty of the auditor to report directly to the FCA in certain circumstances (see also ISA 250B below); • the FCA requirement to cooperate with the auditor (SUP 3.6.1R), noting that it is a criminal offence for an investment business or its officers, controllers or managers to provide false or misleading info to the auditor (s346 FSMA 2000); • the need for the entity to make the auditor aware when it appoints a third party to review, investigate or report on any aspects of its business activities that may be relevant to the audit of the financial statements and to provide the auditor with copies of reports by such third party promptly after their receipt; • the letter should refer to the most recent auditing standards, being the International Standards (ISAs) (UK and Ireland); and • the letter should also refer to reporting responsibilities to the FCA, including the duty and right of auditors to report to the FCA. The engagement letter in respect of auditors’ client assets reports (see Appendix 2) to the FCA can be combined with the engagement letter for the statutory audit – it should make it clear however that the client assets report is addressed to the FCA. Investment business specific laws and regulations ISA 250A requires auditors to identify, and consider the impact of, key laws and regulations relevant to an audit client. For an investment business, these include: • Financial Services and Markets Act 2000 (FSMA 2000); • The FCA Handbook; • European directives, including: – Markets in Financial Instruments Directive (MiFID); – Capital Requirements Directive (CRD); and
– Undertakings for Collective Investment in Transferable Securities (UCITS); and • The Companies Act 2006. The Financial Services and Markets Act 2000 (FSMA 2000) sets out the high level regulatory framework for the whole financial services sector and not just investment businesses. Under FSMA 2000, the FCA has power to make rules – these are set out in the ‘FCA Handbook of Rules and Guidance’ (FCA Handbook) In order to help identify possible or actual instances of non-compliance with laws and regulations which are central to an IB’s ability to conduct its business, specific areas that auditors’ procedures may address include: • obtaining a general understanding of the legal and regulatory framework applicable to the entity and industry, and of the procedures followed to ensure compliance with the framework; • reviewing the client’s Scope of Part IV Permission (FCA document which sets out the regulated activities that the firm is permitted to engage in and any limitations and requirements imposed); • reviewing correspondence with the FCA and other regulators; • holding discussions with the entity’s compliance officer and other personnel responsible for compliance; • reviewing compliance reports prepared for the entity by an internally appointed compliance officer or by an external third party; • consideration of work on compliance matters carried out by internal audit. In addition to the above, there should be consideration of compliance with Money Laundering regulations. Authorised firms including investment business are subject to the requirements of the Money Laundering Regulations 2007 as well as FCA rules. These laws and regulations require institutions to establish and maintain procedures to identify their customers; establish appropriate reporting and investigation procedures for suspicious transactions; and maintain appropriate records. The above laws and regulations, and any others relevant to the investment business, should be identified and considered in the risk assessment process at the planning stage of the audit. At the fieldwork and completion stages the auditor should then consider whether the business is in compliance with these, and identify the impact if any issues are noted in this regard.
Auditors’ duty to report to the FCA Under the FSMA 2000, auditors have duties in certain circumstances to make reports to the FCA. The criteria for determining matters to be reported include situations where: • the auditor reasonably believes there is or has been a contravention of any “relevant requirement” and that contravention may be of material significance to the FCA; • the auditor reasonably believes that the company concerned is not, may not be, or may cease to be, a going concern; or • the auditor is precluded from stating in his report that the annual accounts have been properly prepared in accordance with CA 2006 or, where applicable, give a true and fair view or have been prepared in accordance with relevant rules and legislation. Further detailed guidance and examples are given in Appendix 5 & Appendix 6 to PN 21. In July 2013, the FCA published its ‘Code of Practice for the relationship between the external auditor and the supervisor’. This Code sets out principles that establish, in the context of a particular regulated firm: • the nature of the relationship between the supervisor and auditor; • the form and frequency that communication between the two parties should take; and • the responsibilities and scope for sharing information between the two parties. Copies of the Code and related guidance can be found here. Understanding the investment business and its risks Obtaining an understanding of an audit client is the key requirement of ISA 315. Investment businesses can be complex and the auditor seeks to understand the business and the regulatory regime in which they operate. Practice Note 21 provides guidance on this, and there is a list below of some of the areas that should be considered. Firms are advised to utilise Practice Note 21, and this list, to ensure sufficient understanding is obtained: • Audit and accounts requirements; • Sources of income and revenue recognition; • Branches, connected entities and how these are accounted for; • Compliance responsibilities and whether a third party service provider is engaged in this regard; • Reporting responsibilities; • Assessment of controls over key risks; • Accounting systems and controls; • Risk assessment at the assertion level; and • The auditor’s response to risks.
As investment businesses can be involved in any of a wide range of market segments and products, the auditor should accurately identify the principal income and expenditure categories, which could include: • fees and commission receivable; • commission payable; and • trading securities and other instruments and related gains and losses. Revenue recognition is one area that will require careful attention. The extent to which income, and related costs, should be recognised can depend on the nature of product or service offered by the investment business, which can mean different recognition rules. The auditor should also pay particular attention to business risks that may have an impact of the financial statements and how they are controlled and managed by the client. These business risks may include: • operational risk – risk of loss resulting from inadequate or failed internal processes, people or systems or from external events including legal risk; • credit risk – risk a counterparty will be unable to meet its obligations; • market risk – risk that changes in value of assets, liabilities and commitments will occur as a result of movements in relative prices; and • regulatory risk – risk of public censure, fines and restriction or withdrawal of authorisation to conduct all or some of businesses activities. Failure to manage the risks outlined can cause serious damage to an investment businesses reputation, potentially leading to loss of confidence in the business. Some of the most effective planning that ICAS AM sees is where a detailed audit planning memorandum has been prepared. Such a document helps to ensure all the key areas are covered and provides useful, informative, commentary on the audit approach and significant risks identified. If an audit team decides to prepare such a document, it is important to ensure that this has not merely been carried forward from the previous year, but that additional thought and consideration is given in the current year. Obtaining and documenting audit evidence In the development of an audit plan all relevant financial statements assertions and risks require to be addressed, including: • Completeness and recognition of all sources of income; • Bank confirmation letters; • The audit of expenditure, including authorisation; • Completeness and cut-off of creditors;
• Existence and recoverability of debtors; • Valuation of assets and title to property; and • The audit of payroll costs. The importance of recording audit evidence properly cannot be stressed enough. Firms can help themselves by using a standard format for their working papers, which encourages staff to record why they have carried out a particular audit test, what work they have actually performed, the results and conclusions. ISA 230 specifically states that: ‘The auditor should prepare the audit documentation so as to enable an experienced auditor, having no previous connection with the audit, to understand: (a) The nature, timing, and extent of the audit procedures performed to comply with ISAs (UK and Ireland) and applicable legal and regulatory requirements; (b) The results of the audit procedures and the audit evidence obtained; and (c) Significant matters arising during the audit and the conclusions reached thereon.’ Consideration of service organisations and reliance on an expert Investment businesses will often use service organisations such as accountancy firms, administrators, and investment managers. In addition, the entity may outsource some or all of its compliance functions to an external service provider (eg safe custody of investments by a custodian, maintenance of accounting records, product administration). ISA 402 is clear that there should be consideration of the controls within the service organisation, the terms of the arrangement with the entity, the supervision and control by the directors, and the consideration of the impact of this on audit risk. Audit firms must ensure that these areas are addressed at the planning stage and to identify if there will be the use of a service organisation at this time. It is not sufficient to identify the use of a service organisation during the course of the audit. Accounting estimates Accounting estimates are used for valuation purposes in some investment businesses eg over the counter derivatives and illiquid trading positions. For various derivatives the auditor may not be able readily to substantiate an independent fair market valuation. In these instances the business may arrange for some form of mathematical modelling to be undertaken to provide a valuation for review and testing by the auditor.
This then involves the auditor obtaining an understanding of the assumptions and a review of the estimates used for reasonableness, consistency and conformity with generally accepted practices. Given the special complexities involved with these types of products it is common practice for the auditor to engage a specialist in this area to be involved in the work (an auditor’s expert under ISA 620). Accounting estimates might also be required in connection with establishing liabilities for compensation payable to clients or for potential fee claw-backs. Subsequent events and going concern In addition to the usual procedures, the auditor should review correspondence with the FCA and make enquiries of management to determine whether any breaches of regulations and other regulatory concerns have come to their attention since the year end. As the relationship with the FCA and the continued authorisation of the business is particularly relevant to the going concern assumption, the auditor should also consider the following areas in addition to those set out in ISA 570: • regulatory censure or fines; • regulatory capital deficits (as at reporting date and forecast for an appropriate period); • reputational or other indicators; • general non-compliance with the rules of the FCA. If the auditor has any doubts as to the ability of an investment business to continue as a going concern, the auditor should consider whether to make a report directly to the FCA.
Other matters to consider when a firm audits an investment business When a firm has FCA regulated audit clients ICAS AM would also advise that the following areas, (all of which are considered during a monitoring visit) are addressed: Client assets (CASS) reports Client assets are assets or monies belonging to clients which an investment business is holding or controlling. In certain circumstances an investment business will have to appoint a CASS auditor to provide an opinion on compliance with FCA rules. Many firms will appoint their statutory auditor to be their CASS auditor; however a firm may appoint different auditors to fulfil each duty. Further information on client asset reporting and requirements can be found at Appendix 2. Firm’s annual return (FAR) The audit firm should ensure that the audit client list on the FAR correctly reflects the total number of investment business audits conducted by the firm. The audit compliance review (ACR) When selecting files to cold file review, as part of the ACR, firms are advised to include investment business audits as a representative sample of audit work conducted.
Additional assistance from ICAS and useful references: • M embers with any query in relation to the information held in this helpsheet can contact Audit Monitoring by telephone on 0131 347 0284 or by email [email protected]
• ICAS Practice Support provides assistance to registered audit firms. It offers a variety of services on all aspects of audit regulation, which can be tailored to meet the needs of your firm, and provides standard audit programmes that may be useful for your firm. For more information on any of these services, contact Linda Laurie on 0131 347 0249 or email [email protected]
• T he Audit Monitoring team, on an annual basis, publish an article in Audit News detailing key findings from the visits carried out during the year. This provides a useful summary of the most common weaknesses on audit files, and this also refers to the audit of specialist entities. Audit News can be accessed at: icas.org.uk/regulation/ news/regulatorynews/ • Information on the FCA and different categories of investment business can be found on their website at: fca.org.uk/ • T he APB Practice Note 21, and the Bulletin 2011/12, referred to in this helpsheet can be accessed at the FRC website: frc.org.uk/Our-Work/ Codes-Standards/Audit-and-assurance/Standards-and-guidance/ Standards-and-guidance-for-auditors.aspx • T he Accounting and Auditing team are happy to receive technical queries on these and many other issues. Members should submit their queries via e-mail to: [email protected]
• F urther helpsheets on other specialist audits have also been prepared and these can be accessed at: icas.org.uk/regulation/news/ helpsheets/
APPENDIX 1 What is the regulatory framework relating to the audit of investment business? Key legislation relevant to investment business is detailed in the laws and regulations section below, however the following are the key matters that auditors should consider when undertaking such an audit: When is an investment business required to be subject to an audit? A guide to the different types of investment firm and requirement for an audit can be found in Appendix 7 of Practice Note 21 ‘The audit of investment businesses in the UK’. A copy of the Practice Note can be accessed at: frc.org.uk/ getattachment/e7c1b5b4-67fb-420a-9b3c-c3c0094ab5e7/PN-21The-audit-of-investment-businesses-in-the-Un.aspx Under the Companies Act 2006 (CA 2006) however, no statutory audit is required for small companies with financial years ending on or after 31 December 2006. In short, small company exemptions are available providing the firm: a) meets the requirements for small company exemption under the CA 2006; and b) does not undertake any activity within the scope of MiFID, UCITS Directive, Banking Consolidation Directives, or Insurance Directives. Examples of small regulated businesses commonly encountered by auditors include those permitted to give personal investment advice, arrange transactions for investors in life policies and any other insurance contracts regulated by FCA, or receive orders from investors for securities and units in collective investment schemes only and transmit them only to: • investment firms • authorised banks • operators or managers of regulated collective investment schemes • investment trusts Appointed Representatives An appointed representative (AR) is a person or firm who conducts regulated activities and acts as an agent for a firm directly authorised by the FCA. Appointed representatives other than those carrying out one of the activities specified in (b) above are also eligible for audit exemption. LLPs Corresponding changes have been made to the LLP Regulations so the rules apply in exactly the same way that they would for a company.
APB Practice Note 21 ‘The audit of investment businesses in the UK’ The Practice Note gives guidance on the application of ISAs to the audit of investment businesses in the UK. It is referred to throughout this helpsheet and firms are advised to ensure that they are familiar with this prior to undertaking any investment business audits APB Bulletin 2011/2 ‘Providing assurance on Client Assets to the Financial Services Authority’ Issued in October 2011, this Bulletin updates, revises and supersedes the contents of paragraphs 180 to 263 and appendices 1.1 and 2 of Practice Note 21. As noted above, the Bulletin provides guidance on the responsibilities of auditors under the revised CASS Rules, which are required to be followed for periods ending 30 September 2011 onwards. A copy of the bulletin can be found at: frc.org.uk/Our-Work/Publications/APB/PN-21-Theaudit-of-investment-businesses-in-the-Un/Paragraphs-180-to-263,Appendix-1-1-and-Appendix-2.aspx
APPENDIX 2 What is a Client’s Assets Report, and when is one required? Client assets are assets or monies belonging to clients which an investment business is holding or controlling. This could include assets such as securities, bonds, free money or settlement money. In 2011, the FCA created a specialist unit focused on firms’ compliance with the FCA’s Client’s Assets Sourcebook (CASS) Rules. Those rules require regulated firms to hold client money and custody assets (collectively ‘client assets’) separately from their own in order to minimise the risk of loss to clients in the event of the firm’s insolvency. In October 2011, the Auditing Practices Board (“the APB”) issued Bulletin 2011/2 “Providing Assurance on Client Assets to the Financial Services Authority” (“the Bulletin”), which is the APB’s extant guidance relating to the provision of assurance to the FCA on client assets. The bulletin addressed the requirements of the old FSA’s Policy Statement (PS11/5) on Auditor’s Client Assets Reports. The Bulletin introduced: • reasonable assurance reports where a firm is holding client money and/or assets; and • limited assurance reports where a firm claims not to hold client money and/or assets or does not have the permission to hold client money and/or assets; and • standard CASS report templates. Reasonable Assurance Report The FSA has stated the Client Assets report is a reasonable assurance report stating whether the Firm has complied with the FCA’s Client Money and Custody rules throughout the year, and at the period-end date. In order to give “reasonable assurance” the APB guidance states that the CASS auditor will test transactions, controls and reconciliations at various points in time throughout the period, rather than continuously. Most firms that carry on investment business claim not to hold client assets. In the circumstance where the firm’s permissions allow it to hold client assets but it claims that it does not, the FCA’s SUP Rules require the CASS auditor to provide a limited assurance Client Assets Report. Such reports are also required to be made annually and to provide the CASS auditor’s opinion as to whether ‘‘nothing has come to its attention that causes it to believe that the firm held client money or custody assets during the period’’. Examples of Client Asset Reports can be found in Appendices 2–10 of APB Bulletin 2011/2 ‘Providing assurance on Client Assets to the Financial Services Authority’.
Many firms will appoint their statutory auditor to be their CASS auditor; however a firm may appoint different auditors to fulfil each duty. Statutory auditors of regulated firms that have not appointed a CASS auditor should be alert for circumstances which indicate that one should have been appointed. Section 41 of APB Bulletin 2011/2 provides a useful decision tree to assist in determining whether a client assets audit is required by the FCA.
CA House 21 Haymarket Yards Edinburgh EH12 5BH [email protected]
+44 (0)131 347 0284 icas.org.uk