AAF 01/06 Information Technology Reporting

Information technology uses and the controls over a business’s use of it to keep client data safe have developed beyond recognition in over a decade. Therefore, it is a welcome development to find in October 2019 that there was a completed consultation on the update to Technical Release AAF 01/06, Assurance Reports on internal controls of service organisations made available to third parties. AAF 01/06 is a widely recognised assurance standard developed by the Institute of Chartered Accountants in England & Wales (‘ICAEW’).

Sometimes known as an “Internal Controls Report”, the AAF 01/06 represents that a service organisation has been through an in-depth examination of their control objectives and control activities of the entity’s controls over information technology and related processes.

With these changes it is intended that Directors and Trustees with governance responsibilities are encouraged to dig deeper into lines of defence that operate to safeguard client data and manage cyber security risk.

If you wish for any more information as to what detailed control activities should operate and what tools to use, please contact Assure UK’s Director of Assurance, Andrew on andrew.riley@assureuk.co.uk. Alternatively, you can give Andrew a call on 020 7112 8300.


The information technology control objectives that appear in the ICAEW consultation document are:

Restricting access to systems and data

  • (1) Physical access to in-scope systems is restricted to authorised individuals (Note ‘Physical access’ may include access to office floor space with desktops, server rooms that hold application hardware and facilities that house cloud hardware holding relevant data).
  • (2) Logical access to in-scope systems and data is restricted to authorised individuals in accordance with job roles and business requirements
  • (3) Client and third-party access to in-scope systems and data is restricted and/or monitored (Note ‘Data’ includes both where systems and data are maintained / held in-house and also where systems and data are maintained / held externally).
  • (4) Segregation of incompatible duties within and across business and technology functions is formally defined, implemented, updated and enforced by logical security controls. (Note ‘Formally defined’ means Management have formalised and documented which roles and privileges are incompatible; and ‘Formally implemented’ means management have documented which functions and privileges each role is approved to perform and which, per the defined segregation of incompatible duties, are not permitted to perform).

Maintaining integrity of the systems

  • (5) Scheduling and internal processing of data is complete, accurate and within agreed timescales
  • (6) External transmission of data is complete, accurate, within agreed timescales and encrypted in line with external party agreements
  • (7) Network perimeter security devices which may include firewalls, anti-malware and intrusion detection technology are installed and changes are tested and approved
  • (8) Anti-virus definitions are periodically updated across all terminals and servers, deployment and settings are periodically reviewed and updated when required; and patterns of attempted external breaches are monitored
  • (9) Data received via email, dedicated interface, file transfer protocol and via any removable media is scanned for known vulnerabilities, any compromised data is quarantined and definitions of threats are periodically updated


Maintaining and developing systems hardware and software

  • (10) Development and implementation of new in-scope systems, both in house and third party, and any related data migrations are authorised, tested and approved prior to implementation
  • (11) Changes to existing in-scope systems, including hardware upgrades, software patches and direct configuration changes, are authorised, tested and approved prior to implementation (Note ‘Post-implementation approval’ requires a formally approved emergency change process to be in place).


Recovering from processing interruptions

  • (12) IT related Disaster Recovery Plans are documented, updated, approved and tested
  • (13) In-scope systems and data are backed up and can be restored completely within agreed timescales
  • (14) Events and incidents relating to in-scope systems are identified and resolved within agreed timescales


Managing and monitoring compliance and outsourcing

  • (15) Outsourced activities are governed by contracts and service level agreements that are authorised and subject to regular review. Service performance is regularly monitored and assessed against the standards set out in the service level agreements

Illustrative supplementary control objective:

Recovering from processing interruptions

  • (16) Performance and capacity of in-scope systems are monitored and issues are resolved


If you would like to contact us regarding an audit, please call us on 020 7112 8300 alternatively you can email info@assureuk.co.uk.