The new Audit and Assurance Faculty (AAF) technical standard is now in effect. Rob Benson looks at the key changes and what this means for service organisations and auditors.
AAF reports offer assurance over outsourced services, specifically elements that would affect financial reporting. The new Institute of Chartered Accountants in England and Wales (ICAEW) AAF 01/20 replaces the 2006 AAF standard (AAF 01/06). It applies to all reporting periods from 1 July onwards.
The updated standard codifies good practice, with additional clarity for both auditors and service organisations. Key changes include withdrawal of the stewardship supplement, updated guidance for senior management and changes to reporting on control objectives and supporting activities.
So what are the new AAF standards?
Guidance for senior management
Senior management of service organisations have a key role to play in AAF reports, according to the new requirements under AAF 01/20. They must now deliver a description of the services provided, including control objectives and activities, governance arrangements and supporting infrastructure. The new standards also require an expanded management statement, previously the directors’ report, to include:
additional information and evidence to support the assertions made on the design and operating effectiveness of the control activities
details of any control objectives outlined in the technical standards that have not been assessed, or have been materially modified
information and explanation of any sub-service organisations omitted from the report
an opinion on the design and operating effectiveness over the given timeframe, including any information from the service auditor to change that opinion.
The ICAEW has provided sample management statements for type 1 and type 2 AAF reports, to help firms develop best practice.
Describing control activities
Control activities include reconciliation, monitoring, authorisation and independent review, to name a few. The full list is available in the updated standards and the ICAEW does not expect reports to deviate from it.
When describing control activities, the updated AAF technical standards ask firms to maintain objective language and avoid terms such as 'adequate', 'appropriate', 'should', 'regular' or 'timely'. Similarly, management should avoid non-verifiable words such as 'only', 'always' or 'never'. Descriptions of control activities must be factual, with enough specific detail to allow auditors to assess and verify the effectiveness of the control.
AAF control objectives
There are some subtle changes to the AAF control objectives to reflect current risks, as listed in the appendices of the updated guidance. It’s particularly important for service organisations to review these closely, as they may result in material changes to control activities.
The information technology section has the most amendments, with 10 footnotes issuing additional guidance, and with particular focus on documented role profiles matching system access privileges. The technical standards add some new control objectives as guidance, but these can be used as needed and aren't mandatory.
Sections have been added to outline control objectives for fiduciary management and property investment administration, with the section on hedge fund managers removed from the previous iteration.
A service organisation must disclose any relevant outsourcing to a sub-service provider. If the AAF report includes any control activities performed by a sub-service provider, the service auditor must arrange access for inclusion in the review.
For any outsourced control activities not included in the report, the service entity must explain how they monitor the sub-service control activity, and outline what those activities are. When reviewing control activities from a sub-service provider, auditors can use either of the following approaches:
Where the AAF report includes a summary of the work undertaken by a sub-service organisation, but control objectives and control activities are not included and are not assessed by the service auditor.
Where the AAF report includes a summary of the work and details of the control objectives and activities, which are assessed by the service auditor.
To determine the appropriate approach, auditors will consider the type of assurance the user entity needs, any challenges around the inclusive method, and the degree of independence between the auditor and the sub-service provider. The availability of a type 1 or type 2 service audit report from the sub-service provider will also be a deciding factor.
New AAF clarifications aim to make sure the service organisation’s description of services is fair and accurate. This includes preventing senior management from changing the scope of the report in light of negative findings.
In a similar vein, the service auditor would consider any omitted control objectives, or activities not addressing the entire objective, as a material misrepresentation.
Service auditor AAF reporting
The updated AAF standard includes new guidance on modifying the service auditor’s opinion, which can be categorised as:
Unqualified - which may include no exceptions to the standard of control activity, minor exceptions or a non-applicable rating due to limited scope
Qualified - where there are material exceptions to the standard of control activity or where testing is limited
Adverse opinion - where there are pervasive exceptions.
The ICAEW has included a number of examples to demonstrate best practice qualification criteria. If a control has not been tested in the review period, the service auditor can add details of this to the report. The updated guidance also includes more prescriptive reporting practices for operating effectiveness and exception reporting.
Service auditor quality control
The AAF 01/20 specification introduces further criteria for quality control and highlights professionalism and adherence to the International Standard on Quality Control (ISQC). Service auditors must have a quality control process in place to make sure all reports are of appropriate quality, and follow all regulatory and legal requirements.
Quality frameworks would include ethical considerations, managing conflicts and monitoring engagement team performance.
Electronic use of AAF reports
In line with greater digital adoption since 2006, the new AAF standard includes provision for electronic distribution of reports. While this is convenient and more user friendly, it does carry greater risks of the report being accessed by unintended recipients and, most importantly, being used for assurance purposes beyond its original intentions.
To counter this, service auditors will enhance the online security of these reports and the verification required to access them.
Next steps on AAF
For service organisations, the first step is reviewing the updated control objectives and assessing the impact on your activities. This may have an impact on your day-to-day risk management processes and will affect how these activities are represented in the senior management statement.