AAF 01/02: What You Need to Know?

INTRODUCTION: –

In this blog post, we’ll explore the AAF 01/20, otherwise known as the Audit and Assurance Faculty. We’ll discuss what the AAF is, what it does, and why it’s important. We’ll also provide some essential tips for those who are interested in pursuing a career in auditing and assurance.

What Is AAF 01/20?

The purpose of the AAF 01/20 (Audit and Assurance Faculty) is to provide guidance on the auditor’s consideration of internal control in an audit of financial statements. The AAF 01/20 applies to all audits of financial statements performed in accordance with generally accepted auditing standards (GAAS).

What Does AAF 01/20 Mean for Businesses?

The AAF 01/20 standard provides generic guidance to Service Auditors who are reporting on specific services performed by a Service Organization (the ‘Subject Matter’). Additionally, it is intended to provide high-level guidance to Senior Management of the Service Organization who are responsible for preparing the report on the Subject Matter. Furthermore, the AAF 01/20 standard is expected to help User Organizations to understand the scope and type of assurance provided in the Service Auditor’s Report.

How Can Businesses Prepare?

As Reporting Accountants, our engagement will be in full compliance with International Standard on Assurance Engagement (ISAE) 3000 and the ICAEW Technical Release AAF 01/06. Our work will focus on ensuring that the control procedures in place are designed appropriately and, if followed satisfactorily, will provide reasonable assurance that the control objectives will be met. Our tasks will include:

gaining an understanding of the control procedures: –

  1. Understanding the control procedures;
  2. Evaluating the assertions of the Directors;
  3. Testing the operating effectiveness of specific control procedures;
  4. Obtaining evidence on the effectiveness of control procedures in meeting related control objectives.

WHAT ARE THE KEY CHANGES OF AAF 01/20?

AAF 01/20 has updated its terminology to align with ISAE3402 and SOC1, changing terms such as “control procedures” to “control activities” and “reporting accountant” to “service auditor”.

  • Include or explain any omitted or modified control objectives
  • Supporting evidence required for the Management Statement (the new Management Attestation)
  • Expanded requirements for information in the “Front Half”
  • Inability to change the scope of the report after the Service Auditor has commenced work
  • Updated to reflect changes in technology since 2006
  • Included Sub-service organisations require a Management Statement.

Conclusion

The AAF 01/20, otherwise known as the Audit and Assurance Faculty, is a professional body for those working in auditing and assurance. The AAF provides guidance and support for its members, and it helps to promote best practices within the industry. The AAF is important because it helps to ensure that auditors and assurance professionals are able to meet the highest standards of competency and ethics.

The New AAF 01/20: How It Replaces The AAF 01/06

Introduction: –

The updated version of AAF 01/06 is now available as of January 2020. This new version includes Control Objectives for administrators, investment managers, and other data recording industry workers. Technical release AAF 01/20 replaces the old AAF 01/06 reporting for periods beginning on or after 1 July 2020. It is encouraged that people adopt this new version early.

What is the AAF 01/20?

The AAF 01/20 (Audit and Assurance Faculty) provides guidance on the auditor’s consideration of internal control in an audit of financial statements to the financial institution . This document applies to all audits of financial statements performed in accordance with generally accepted auditing standards (GAAS).

How does the AAF 01/20 differ from the AAF 01/06?

The revised Control Objectives can be found in Appendix 1. These objectives are for businesses using custody, fiduciary management, fund accounting, investment management, investment administration, pension administration, private equity, property investment management, property investment administration, transfer agency and information technology. The term “Reporting Accountant” has been revised to “Service Auditor” and “control procedures” are now called “control activities” to be more in line with international standards.

The AAF 01/20 also provides helpful explanations on different types of assurance engagements (limited, Type 1, Type 2), key activities involved in preparing a report, how to identify reporting criteria/control objectives, and reporting on subservice organizations at governance and operational levels.

The AAF 01/20 is a technical release from the ICAEW Audit and Assurance Faculty. The ICAEW has regular seminars on assurance and IT, so it is worthwhile investing in joining the ICAEW Audit and Assurance Faculty and the ICAEW Tech Faculty to get access to the comprehensive and accessible packages of guidance and technical advice that they offer.

In similar fashion to AAF 01/06, the AAF 01/20 adheres to the framework for assurance engagements as set forth in the IIASB Assurance Framework and the International Standard on Assurance Engagements (ISAE 3000 (Revised) Assurance Engagements other than Audits or Reviews of Historical Financial Information, published by the IAASB). AAF 01/20 is also designed to be compatible with ISAE 3402 Assurance Reports on Controls at a Service Organization.

What are the objective of audit and assurance faculty?

The AAF control objectives have been updated to reflect current risks, as set out in the appendices of the updated guidance. Services organisations should review these closely, as they may result in significant changes to control activities.

The most amendments have been made to the IT section, with 10 footnotes providing additional guidance. Particular focus is given to documented role profiles that match system access privileges. The latest version of the policy includes sections on fiduciary management and property investment administration, with the section on hedge fund managers removed.

These sections outline the objectives for control and provide guidance for policy implementation. Additionally, new control objectives are added to the technical standards as guidance; however, these are merely suggestions and not mandatory requirements.

Sub Service provider

Approach 1

The service auditor must review the AAF report and identify any control activities that were outsourced to a sub-service provider. For any outsourced control activities not included in the report, the service entity must explain how they monitor the sub-service control activity, and outline what those activities are. The service auditor can then use this information to assess the risks associated with the outsourced control activities and determine whether any additional testing is necessary.

Method of curve out

In instances where the AAF report includes a summary of the work undertaken by a sub-service organization, but control objectives and control activities are not included and are not assessed by the service auditor, the auditor should state this in the report.

Inclusive method

When determining the appropriate approach, auditors will consider the type of assurance the user entity needs, any challenges around the inclusive method, and the degree of independence between the auditor and the sub-service provider. The availability of a type 1 or type 2 service audit report from the sub-service provider will also be a deciding factor.

Service auditor AAF reporting

The revised AAF standard includes new provisions regarding modifying the service auditor’s opinion, which can be classified as:

Unqualified: –

The control activity being assessed may have no exceptions, minor exceptions, or a non-applicable rating due to limited scope.

Qualified: –

In instances where there are material exceptions to the standard of control activity or where testing is limited, management must take appropriate corrective action.

Adverse opinion: –

In places where there are many exceptions, it can be difficult to know what the rule is.

The ICAEW has provided a number of examples to illustrate best practices for qualification criteria. If a control has not been tested during the review period, the service auditor can include details of this in the report. The updated guidance also provides more specific reporting practices for operating effectiveness and exception reporting.

How can businesses take advantage of the AAF 01/20?

The AAF 01/20 report issued by the ICAEW will bring about significant changes for service organisations that routinely obtain such reports. The purpose of the AAF 01/20 is to establish a more consistent standard of reporting, with greater emphasis placed on management, and to enable easier comparisons between organisations providing similar services.ISO 22301

  1. Include or explain any omitted or modified control objectives to ensure complete understanding of the requirements.
  2. The Management Statement must be supported by evidence in order to be accepted.
  3. The “Front Half” of the document must include expanded information on the requirements for the project.
  4. Once the Service Auditor has commenced work, the scope of the report cannot be changed.
  5. The current article reflects changes in technology since 2006.
  6. Organizations that are part of this service require a management statement.

To wrap things up.

The purpose of this paper was to provide information on the new AAF 01/20 and how it replaces the AAF 01/06. As of January 2020, the updated version of AAF 01/06 is available, which includes Control Objectives for administrators, investment managers, and other data recording industry workers. Technical release AAF 01/20 replaces the old AAF 01/06 reporting for periods beginning on or after 1 July 2020.