AAF 01/06 to AAF 01/20 - What you need to know about the new standard whether transitioning or adopting for the first time

ICAEW issued the Assurance on internal controls of service organisations (AAF 01/20) guidance in January 2020 and is mandatory for reporting periods commencing on or after 1 July 2020. Those service organisations that are approaching reporting period ends, or those reporting under the standard for the first time will be the first to be mandated to report under the new guidance.

Financial Services management should prepare themselves to understand the key enhancements from AAF 01/06 in order to plan and implement compliance against the new guidance. In this blog, we highlight the changes in the new guidance and help to provide the context, based on our experience as part of the ICAEW working group.

At its core, the spirit of the revised guidance seeks to provide greater explanations, examples and templates to assist service organisations preparing for their first report, increase the consistency of approach between all service auditors performing these audits and increase alignment with the most widely recognised comparative guidance / regulations (ISAE3402 and SSAE18 SOC1).

It was recognised that the AAF 01/06 control objectives were designed over a decade ago, and with the risks facing the financial services industry evolving, it was seen important to refresh these.

AAF 01/20 has tweaked its terminology to align with ISAE3402 and SOC1, changing terms such as “control procedures” to “control activities” and “reporting accountant” to “service auditor”. Also notable is the reinforcement of the responsibilities of the service organisation’s management, including a clearer responsibility to assess and tailor control objectives and activities specifically to their company’s service; as well as to disclose requirements on governance over sub-service providers.

The service auditor is also subject to more robust guidance, with testing approach being enhanced to include greater verification over the information provided.

Key enhancements under the new guidance include:

1. Control objectives

 Illustrative control objectives for a number of industries are set out in Appendix 1. These are considered to mitigate common industry risks and are still expected to be included as a minimum set of control objectives to report on. Where any are not applicable, they should be drawn out in the management statement. It is further clarified that management should consider inclusion of supplementary control objectives if they deem further risks to be applicable to the service organisation in addition to the minimum set.

Illustrative control objective sets have been newly split out for two fiduciary management and property investment administration. The hedge fund management control objectives have been removed as they were found to be seldom used. Instead, control objectives under similar services such as investment management and private equity may be used.

Generally, IT control objectives have been clarified in terms of the focus on customer data integrity, including third party logical access and external threats. The goal was to increase the understanding of the boundaries of the opinion and the subject matter. In the case of the external threat objective being split out, this was to make it more granular, prescriptive and demonstrate that the objectives are not designed to fulfil specific assurance on the wide topic of cyber risks. In the case where this assurance being requested, a separate method of reporting should be sought.

As a result, it is increasingly important for senior management to demonstrate independent assessment on the adequate coverage of key risks facing the service organisation.

2. Sub-service organisation relationships 

The guidance defines a sub-service organisation as being any provider who performs any form of control activities that are required to fully meet any of the in-scope control objectives. It is reiterated that the service organisation retains responsibility for these control activities and control objectives. Enhanced disclosure of the outsourced service provider relationships is expected including suitable governance control activities included in scope and disclosure of complementary sub-service organisation controls.

Senior management’s description of the processes should include the nature of the services performed by the sub-service organisation and senior management’s governance and oversight of these services.

The new standard emphasises if the sub-service organisation is deemed to play a significant role in the fulfilment of entity controls, then the ‘inclusive’ reporting should be considered, which would require the sub-service organisation to provide a Management statement alongside the service organisation for inclusion in the report and testing of control activities at the sub-service organisation.

3. Removal of the Stewardship Code

Assurance reporting on the UK Stewardship Code has been entirely removed under AAF 01/20. Whilst there is no clear guidance from the ICAEW on where the Stewardship Code will sit, it is acceptable that the service organisation’s AAF report to make reference to other reports that may be of interest to the user.

4. Requirement to report a Management Statement

The issuance of a Director’s Report within the report has now been replaced with a Management Statement under AAF 01/20.

The guidance contains suggested contents for disclosure in the statement and, at a minimum, must cover the purpose of the accompanying report description, specific attestation over the fairness of the description, and the design suitability of the service organisation’s control activities in meeting the control objectives if operated as described. Management should confirm they assessed additional aspects beyond the standard’s illustrative control objectives in the design of the control framework.  This includes assessment of the nature of transactions and the maintenance of the related accounting records, the systems used to capture and address significant events, or the nature of automated or manual controls.

5. Templates and guidance on control exceptions

The volume of guidance has increased, through explanations, examples and templates provided to help newcomers to the world of Service Auditor Reporting, but also to drive greater consistency in the preparation and testing of AAF reports.

Enhanced guidance is also provided on a range of control exception scenarios, providing much deeper explanations of what will constitute qualifying the audit opinion, and the different types of qualification, as well as modified, but not qualified, opinions.

The appendices now house revised and additional standardised templates for key areas such as:

• Management Statement (Appendix 2);
• Audit Bridging Letter (Appendix 9);
• Engagement Letter (Appendix 5) and;
• Audit Opinions (Appendix 3),

All templates are provided with tailoring options for whether the service organisation is reporting under AAF 01/20 standalone, or a combination with ISAE3402.

6. Increased expectations on service auditors 

Senior management should be aware of the increased guidance for the service auditor in carrying out the audit that may impact them.

The control framework and description should be formally reviewed and owned by management prior to the audit commencing. Any scope changes after the engagement has begun will not be lightly accepted and will need to be disclosed in the Management Statement.

Whilst management is responsible for identifying and disclosing subsequent events, greater guidance is provided for the service auditor to detect and disclose such events in the service auditor’s report if management does not make the necessary disclosures themselves.

Service auditors will be required to test information provided by the service organisation for accuracy and integrity before they perform detailed test procedures over that information. These procedures should be disclosed with other test procedures in the report. Management should therefore prepare for these additional tests and may need to implement their own formal completeness and accuracy controls. This additional testing will be focussed on lists of information, usually used to form populations that the service auditor will sample from.

For more insight and support with implementing AAF 01/20 please reach out to our dedicated contacts.