An update to the well-established technical release AAF 01/06 arrived in early 2020 and is effective for control assurance periods commencing on or after 1 July 2020.
01/20 AAF “Assurance reports on internal controls of service organisations made available to third parties” (“AAF 01/20”) issued by the Institute of Chartered Accountants in England and Wales (“ICAEW”) will mean significant changes to those organisations who routinely obtain such reports. The aim of the AAF 01/20 is to provide a more consistent standard of reporting, putting a greater onus on management, and easing comparison between organisations providing similar services.
- Include or explain any omitted or modified control objectives
- Supporting evidence required for the Management Statement (the new Management Attestation)
- Expanded requirements for information in the “Front Half”
- Inability to change the scope of the report after the Service Auditor has commenced work
- Updated to reflect changes in technology since 2006
- Included Sub-service organisations require a Management Statement
Illustrative Control Objectives
As previously, the standard provides a set of control objectives for various types of service e.g. investment management, pensions administration, and custody. It also sets out the expected Information Technology objectives, which must be included with each report. It provides some optional control objectives which can be included, if appropriate, but excluded if not; however, all other control objectives for the service provider type must be included, and any exclusions must be explained within both the Management Statement and the Service Auditor’s Report. The descriptions of controls should be factual and objective and words such as “adequate”, “regularly” and “appropriate” are discouraged.
The biggest change in management’s responsibility is the requirement for service provider management and any included sub-service organisation, to carry out sufficient testing themselves during the period to support their Management Statement. This testing and the results must then be made available to the Service Auditor to help them with their risk assessment and planning of their work. Previously, although some organisations would carry out specific work through routine internal audits or other management testing, many organisations would rely upon the Service Auditor’s testing to inform the approval of the Management Statement or “attestation”, as it was previously known. In addition, management must disclose to the Service Auditor any illegal acts, fraud and uncorrected errors, including any design exceptions where the cost of remediation is considered to outweigh the benefits alongside any known issues found within management’s testing or otherwise that show that the control is not working.
Front Half Information
The new standard is more prescriptive about what must be included such as: process descriptions and, governance arrangements but, also sets out some helpful suggestions as to what could be included.
AAF 01/20 not only makes clear what it expects of Management but it also sets out clearly the responsibilities of the Service Auditor in respect of;
- explaining exactly what testing has been undertaken to reach conclusions;
- making it clear that enquiry alone is not sufficient for a Type 2 test;
- that changes in scope of the engagement during the Service Auditor’s work (for example, where exceptions have been found), are very unlikely to be justifiable and would need to be explained by both Management and the Service Auditor.
Within the expected control objectives, the changes in technology and service delivery methods have been reflected, bringing in: cloud services, websites, and security of data transmissions. Not only are there new objectives, but there are 10 footnotes clarifying the expectation of the coverage of these areas.
Where sub-service organisations are involved in delivery of the control objectives, either the ‘carve-out’ or ‘inclusive’ method can be used. Note that where the inclusive method is used, the sub-service organisation must provide a Management Statement too.
As before, the new standard gives examples of all the expected disclosures and provides helpful information to support both management and their auditors to work together to provide robust, comprehensive and ultimately useful reports for customers of the service providers.
Should you wish to discuss the new requirements in more detail please do not hesitate to contact Cathy Allen:
By necessity, this briefing can only provide a short overview and it is essential to seek professional advice before applying the contents of this article. This briefing does not constitute advice nor a recommendation relating to the acquisition or disposal of investments. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. Details correct at time of writing.