The updated version of AAF 01/06 is now available as of January 2020. This new version includes Control Objectives for administrators, investment managers, and other data recording industry workers. Technical release AAF 01/20 replaces the old AAF 01/06 reporting for periods beginning on or after 1 July 2020. It is encouraged that people adopt this new version early.
What is the AAF 01/20?
The AAF 01/20 (Audit and Assurance Faculty) provides guidance on the auditor’s consideration of internal control in an audit of financial statements to the financial institution . This document applies to all audits of financial statements performed in accordance with generally accepted auditing standards (GAAS).
How does the AAF 01/20 differ from the AAF 01/06?
The revised Control Objectives can be found in Appendix 1. These objectives are for businesses using custody, fiduciary management, fund accounting, investment management, investment administration, pension administration, private equity, property investment management, property investment administration, transfer agency and information technology. The term “Reporting Accountant” has been revised to “Service Auditor” and “control procedures” are now called “control activities” to be more in line with international standards.
The AAF 01/20 also provides helpful explanations on different types of assurance engagements (limited, Type 1, Type 2), key activities involved in preparing a report, how to identify reporting criteria/control objectives, and reporting on subservice organizations at governance and operational levels.
The AAF 01/20 is a technical release from the ICAEW Audit and Assurance Faculty. The ICAEW has regular seminars on assurance and IT, so it is worthwhile investing in joining the ICAEW Audit and Assurance Faculty and the ICAEW Tech Faculty to get access to the comprehensive and accessible packages of guidance and technical advice that they offer.
In similar fashion to AAF 01/06, the AAF 01/20 adheres to the framework for assurance engagements as set forth in the IIASB Assurance Framework and the International Standard on Assurance Engagements (ISAE 3000 (Revised) Assurance Engagements other than Audits or Reviews of Historical Financial Information, published by the IAASB). AAF 01/20 is also designed to be compatible with ISAE 3402 Assurance Reports on Controls at a Service Organization.
What are the objective of audit and assurance faculty?
The AAF control objectives have been updated to reflect current risks, as set out in the appendices of the updated guidance. Services organisations should review these closely, as they may result in significant changes to control activities.
The most amendments have been made to the IT section, with 10 footnotes providing additional guidance. Particular focus is given to documented role profiles that match system access privileges.The latest version of the policy includes sections on fiduciary management and property investment administration, with the section on hedge fund managers removed.
These sections outline the objectives for control and provide guidance for policy implementation. Additionally, new control objectives are added to the technical standards as guidance; however, these are merely suggestions and not mandatory requirements.
Sub Service provider
The service auditor must review the AAF report and identify any control activities that were outsourced to a sub-service provider. For any outsourced control activities not included in the report, the service entity must explain how they monitor the sub-service control activity, and outline what those activities are. The service auditor can then use this information to assess the risks associated with the outsourced control activities and determine whether any additional testing is necessary.
Method of curve out
In instances where the AAF report includes a summary of the work undertaken by a sub-service organization, but control objectives and control activities are not included and are not assessed by the service auditor, the auditor should state this in the report.
When determining the appropriate approach, auditors will consider the type of assurance the user entity needs, any challenges around the inclusive method, and the degree of independence between the auditor and the sub-service provider. The availability of a type 1 or type 2 service audit report from the sub-service provider will also be a deciding factor.
Service auditor AAF reporting
The revised AAF standard includes new provisions regarding modifying the service auditor’s opinion, which can be classified as:
Unqualified: – The control activity being assessed may have no exceptions, minor exceptions, or a non-applicable rating due to limited scope.
Qualified: – In instances where there are material exceptions to the standard of control activity or where testing is limited, management must take appropriate corrective action.
Adverse opinion: – In places where there are many exceptions, it can be difficult to know what the rule is.
The ICAEW has provided a number of examples to illustrate best practices for qualification criteria. If a control has not been tested during the review period, the service auditor can include details of this in the report. The updated guidance also provides more specific reporting practices for operating effectiveness and exception reporting.
How can businesses take advantage of the AAF 01/20?
The AAF 01/20 report issued by the ICAEW will bring about significant changes for service organisations that routinely obtain such reports. The purpose of the AAF 01/20 is to establish a more consistent standard of reporting, with greater emphasis placed on management, and to enable easier comparisons between organisations providing similar services.
- Include or explain any omitted or modified control objectives to ensure complete understanding of the requirements.
- The Management Statement must be supported by evidence in order to be accepted.
- The “Front Half” of the document must include expanded information on the requirements for the project.
- Once the Service Auditor has commenced work, the scope of the report cannot be changed.
- The current article reflects changes in technology since 2006.
- Organizations that are part of this service require a management statement.
To wrap things up.
The purpose of this paper was to provide information on the new AAF 01/20 and how it replaces the AAF 01/06. As of January 2020, the updated version of AAF 01/06 is available, which includes Control Objectives for administrators, investment managers, and other data recording industry workers. Technical release AAF 01/20 replaces the old AAF 01/06 reporting for periods beginning on or after 1 July 2020.