New AAF 01/20 replaces AAF 01/06

The keenly awaited update for AAF 01/06 became available in January 2020 with Control Objectives for administrators, investment managers and other data recording industry. Technical release AAF 01/20 replaces AAF 01/06 reporting for periods beginning on or after 1 July 2020. Early adoption is encouraged.

The revised Control Objectives can be found in Appendix 1 for businesses using custody, fiduciary management, fund accounting, investment management, investment administration, pension administration, private equity, property investment management, property investment administration, transfer agency and information technology. The term Reporting Accountant’ is revised to ‘Service Auditor’ and ‘control procedures’ are called ‘control activities’ to be more in line with international standards.

In addition, AAF 01/20 has helpful explanations in section 2 (#13-34) of:

• types of assurance engagements (limited, Type 1, Type 2)
• key activities involved in putting together a report
• how to identify reporting criteria/Control Objectives;
• reporting on Subservice Organisations at governance and operational levels

The AAF 01/20 is a technical release from the Institute of Chartered Accountants in England & Wales Audit and Assurance Faculty at icaew.com/auditandassurance. The ICAEW has regular seminars on assurance and IT so it is worthwhile investing in joining the ICAEW Audit and Assurance Faculty and the ICAEW Tech Faculty to get access to the comprehensive and accessible packages of guidance and technical advice they offer.

Like AAF 01/06, the AAF 01/20 follows the framework for assurance engagements set out in the IIASB Assurance Framework and International Standard on Assurance Engagements (ISAE 3000 (Revised) Assurance Engagements other than Audits or Reviews of Historical Financial Information, published by the IAASB. AAF 01/20 is also intended to be compatible with ISAE 3402 Assurance Reports on Controls at a Service Organization.

As a reminder AAF 01/20 has been developed to enable a Service Organisation (a third party organisation that provides information processing and other services for entities such as a company pension fund (‘User Entities’) to engage an independent practitioner (the ‘Service Auditor’) to provide an assurance opinion over the relevant controls which seek to manage risks on behalf of User Entities. The independent assurance opinion can then be made available to User Entities and their external auditors (‘User Organisations’) to avoid the need for several different User Organisations to test the same controls.

Actions you should take are:

1. Talk to an experienced assurance service auditor about the changes
2. Review what new types of evidence may need to be required to meet the revised control objectives given in Appendix 1
3. Make Senior Management aware that the wording of their statement for AAF 01/06 will change for AAF 01/20 in many cases to be in line with international standards
4. Decide whether to adopt the new AAF 01/20 earlier
5. Check out the examples of explanatory paragraphs and qualification wording in Appendix 4: (A) description misstatements, (B) design deficiencies, (C) exceptions to operating effectiveness, (D) non-applicable Control Objective
6. Consider whether the Subservice Organisation ‘carve-out method’ or ‘inclusive method’ is best for your AAF reporting
7. Compare your Bridging Letter to the version provided in Appendix 9 as signed by Senior Management for periods after the last AAF 01/20.

The AAF 01/20 is a 78-page document that needs some thought.

You can download here: TECH AAF 0120 assurance reports on internal controls of service organisations.

You can have a complimentary call to find out more by emailing info@assureuk.co.uk or giving us a call on 020 7112 8300.