AAF reports offer assurance over outsourced services, specifically elements that would affect financial reporting. The new Institute of Chartered Accountants in England and Wales (ICAEW) AAF 01/20 replaces the 2006 AAF standard (AAF 01/06). It applies to all reporting periods from 1 July onwards.
The updated standard codifies good practice, with additional clarity for both auditors and service organisations. Key changes include withdrawal of the stewardship supplement, updated guidance for senior management and changes to reporting on control objectives and supporting activities.
So what are the new AAF standards?
Senior management of service organisations have a key role to play in AAF reports, according to the new requirements under AAF 01/20. They must now deliver a description of the services provided, including control objectives and activities, governance arrangements and supporting infrastructure. The new standards also require an expanded management statement, previously the directors’ report, to include:
The ICAEW has provided sample management statements for type 1 and type 2 AAF reports, to help firms develop best practice.
Control activities include reconciliation, monitoring, authorisation and independent review, to name a few. The full list is available in the updated standards and the ICAEW does not expect reports to deviate from it.
When describing control activities, the updated AAF technical standards asks firms to maintain objective language and avoid terms such as 'adequate', 'appropriate', 'should', 'regular' or 'timely'. Similarly, management should avoid non-verifiable words such as 'only', 'always' or 'never'. Descriptions of control activities must be factual, with enough specific detail to allow auditors to assess and verify the effectiveness of the control.
There are some subtle changes to the AAF control objectives to reflect current risks, as listed in the appendices of the updated guidance. It’s particularly important for services organisations to review these closely, as they may result in material changes to control activities.
The information technology section has the most amendments, with 10 footnotes issuing additional guidance, and with particular focus on documented role profiles matching system access privileges. The technical standards add some new control objectives as guidance, but these can be used as needed and aren't mandatory.
Sections have been added to outline control objectives for fiduciary management and property investment administration, with the section on hedge fund managers removed from the previous iteration.
A service organisation must disclose any relevant outsourcing to a sub-service provider. If the AAF report includes any control activities performed by a sub-service provider, the service auditor must arrange access for inclusion in the review.
For any outsourced control activities not included in the report, the service entity must explain how they monitor the sub-service control activity, and outline what those activities are. When reviewing control activities from a sub-service provider, auditors can use either of the following approaches:
Where the AAF report includes a summary of the work undertaken by a sub-service organisation, but control objectives and control activities are not included and are not assessed by the service auditor.
Where the AAF report includes a summary of the work, and details of control objectives and activity, and are assessed by the service auditor.
To determine the appropriate approach, auditors will consider the type of assurance the user entity needs, any challenges around the inclusive method, and the degree of independence between the auditor and the sub-service provider. The availability of a type 1 or type 2 service audit report from the sub-service provider will also be a deciding factor.
New AAF clarifications aim to make sure the service organisation’s description of services is fair and accurate. This includes preventing senior management from changing the scope of the report in light of negative findings.
In a similar vein, the service auditor would consider any omitted control objectives or activities not addressing the entire objective, as a material misrepresentation.
The updated AAF standard includes new guidance on modifying the service auditor’s opinion, which can be categorised as:
Unqualified - which may include no exceptions to the standard of control activity, minor exceptions or a non-applicable rating due to limited scope
Qualified - where there are material exceptions to the standard of control activity or where testing is limited.
Adverse opinion - where there are pervasive exceptions
The ICAEW has included a number of examples to demonstrate best practice qualification criteria. If a control has not been tested in the review period, the service auditor can add details of this to the report. The updated guidance also includes more prescriptive reporting practices for operating effectiveness and exception reporting.
The AAF 01/20 specification introduces further criteria for quality control and highlights professionalism and adherence to the International Standard on Quality Control (ISQC). Service auditors must have a quality control process in place to make sure all reports are of appropriate quality, and follow all regulatory and legal requirements.
Quality frameworks would include ethical considerations, managing conflicts and monitoring engagement team performance.
In line with greater digital adoption since 2006, the new AAF standard includes provision for electronic distribution of reports. While this is convenient and more user friendly, it does carry greater risks of the report being accessed by intended recipients. And, most importantly, being used for assurance purposes beyond its original intentions.
To counter this, service auditors will enhance the online security of these reports and the verification required to access them.
For service organisations, the first step is reviewing the updated control objectives and assessing the impact on your activities. This may have an impact on your day-to-day risk management processes and will affect how these activities are represented in the senior management statement.
For service auditors, key areas of focus include:
