It’s been a month since the Financial Reporting Council (FRC) released its interim guidance for the upcoming CASS 15 safeguarding audits. With the implementation date for the new rules, 7th May, nearly upon us, I felt it would be helpful to note a few considerations from the guidance.

While the FRC document is technically for auditors, I believe it is vital that firms that safeguard monies covered by CASS 15 understand the expectations their auditors have of them.


Here are my thoughts on what I’ve been hearing and the key areas that you, as a safeguarding firm, need to be thinking about for CASS 15 implementation and the coming audit.

Interim vs Assurance Standard

The first thing to note is that this is not the final assurance standard. It is ‘Interim Guidance’ intended to aid transition to a formal standard to be introduced in H1 2027 after consultation. It will eventually be an appendix to the existing CASS assurance standard.

What this tells me is that, yes, this is NOT a full CASS 6/7 style requirement yet, but the key word is YET. We are going to get there and need to plan accordingly. The challenge will be the potential for inconsistency across the market: some auditors are planning to stick closely to what the guidance says, but some will go all in and treat this as a full CASS audit.

One quick point: as the interim guidance says in note 9, I’m going to refer to these as audits. We all know they aren’t audits, but that’s how they are known.

Controls, IT Systems and Audit Expectations Under CASS 15

A key area that is coming up in conversations is the focus on controls. Because most firms in the sector rely heavily on automated systems, the FRC is clear that we have to test the IT General Controls (ITGCs) as well as the wider controls that have been put in place to address the requirements of the rules.

From a general controls point of view, I’ll want to see a detailed rules mapping document. This should consider every rule. Some won’t be applicable, and this can be noted and, importantly, justified. For the rules that apply, the document should detail (or refer to) the control(s) in place that address the risk.

For the ITGCs, you should be ready for your auditor to ask detailed questions about:

  • User Access: Who has the power to change bank details or move funds?
  • Change Management: How do you test and approve updates to your core platform?
  • IT Operations: How do you ensure the data being fed into your daily reconciliations is accurate?

Personally, I think the inclusion of ITGCs in the interim guidance is good to see. In a digital-first sector, you can’t have confidence in the safeguarding numbers if you don’t have confidence in the systems producing them. Though firms may not have documented these controls to this extent in the past, we will now be asking about them, so it is important to be ready.

I would want to understand and test these controls before we get to the period end date on the report. I’ll want to see how the systems work and be able to trace the money flow; then we can streamline the detailed testing after the period end.

Managing Breaches and Reporting Periods

You need a breaches register that is robust and detailed. If you have a 1p shortfall, it needs to be recorded. The FCA expects to see breaches, especially in the first year. What they will be looking for is how you identified them and what you did to fix the root cause. It should also include the CASS rule number that has been breached, the amount of time the breach lasted for and the numeric value of the breach, if applicable.

Navigating the Hybrid Reporting Period

Since many firms have financial years that straddle the May go-live date, the FRC has confirmed that we can use a hybrid opinion.

A lot of safeguarding reports under the legacy safeguarding regime were not carried out by statutory auditors. I believe there will be many cases where statutory auditors do not have experience conducting legacy audits and therefore won’t be able to provide hybrid reports.

As such, I think having separate safeguarding audits conducted will be a popular choice, especially given that it could extend the time until a report under the new rules is due, potentially until November 2027. Remember that the safeguarding audit does not need to be at the same time as a financial audit or at the time it has been done in the past.

The dates matter.

  • An assurance report, whether under the legacy safeguarding regime (for periods until 7th May 2026) or under the supplementary regime (from that date onwards), cannot be more than 53 weeks after the previous period end.
  • If you get an audit to a date before the 7th May, this can be under the legacy regime – it doesn’t need to be completed by a statutory auditor and it could be for a period of less than 53 weeks.
  • If the period end date straddles the 7th May, a hybrid report could be prepared.
  • If the period start date is 7th May onwards, it will be under the supplementary regime, BUT:
    • If the audit is completed and the report signed before the dedicated performance standard is annexed to the CASS Assurance Standard (expected H1 2027), then the interim guidance will apply.
    • The moment the standard is annexed, the interim guidance no longer applies and the audit must follow the annex.

Hopefully you can see from this that it is possible to have a final audit under the legacy regime and then the next audit under the full annexed standard, so the interim guidance may never apply.

 

A Final Note

The FRC has granted a one-off extension, allowing six months (rather than four) to submit the first report. While that provides some breathing room, I expect auditor capacity to be a big bottleneck.

Firms should hopefully have systems that comply with the rules ready to go now, though I expect there are many that aren’t fully ready. In a lot of cases your compliance consultants will have been helping you with the gap analysis, rule mapping documents, etc., and you should have some clarity on the controls that are in place and how the CASS 15 rules will be complied with.

Consider talking to auditors early and having some interim work carried out. Anything identified by the auditor will need to be included on the report, but if controls and processes have been updated to minimise the chance of recurrence, this will look more positive.

I’d be very happy to work with firms on their safeguarding audits. Please get in touch with our Financial Services Team if you’d like to discuss how we could help.

Contact Our Experts

Partner

Mike Ayres
