ICAEW.com works better with JavaScript enabled.

Access to controls reports

This article provides a brief explanation of who should be able to view reports on internal controls of service organisations and the assurance reports thereon (controls reports) and how difficulties in arranging access can be overcome.

Join the Audit and Assurance Faculty

Stay ahead of the rest with our comprehensive package of essential guidance and technical advice.

Join online now

Entities that outsource part of their operations to service organisations indicate that they sometimes encounter difficulties in accessing  these service organisations’ controls reports presumably issued for the benefit of users including the entity outsourcing its operations.

Assurance reporting, as envisaged in the Faculty’s AAF 01/06 Assurance reports on internal controls of service organisations made available to third parties and similar frameworks such as ISAE 3402 (an equivalent international standard) and SSAE 16 (a US equivalent), presumes the existence of third party users interested in the internal controls of the service organisation that carries out outsourced operations for them. Indeed this is often the primary purpose of a service organisation commissioning an assurance report.

The framework for such assurance reports assumes a three-party relationship comprising:

  • the issuing party (the service organisation), 
  • the users of the service provided by the service organisation who seek to rely on the report (customers or user organisations); and
  • the independent reporting accountants (sometimes called ‘service auditors’).

The intended recipients of such controls reports are the existing customers of the service organisation with whom the service organisation has an existing direct contractual relationship. The normal situation envisaged by these assurance reporting frameworks is therefore for a service organisation to provide a copy of its controls report to existing customers, either proactively or upon request.

Where required, such reports may also be accessed by customers’ auditors e.g. for the purpose of ISA 402, Audit considerations relating to an entity using a service organisation.  In such a scenario, the intended users or recipients of the controls report should ideally be set out in the engagement letter between the service organisation and the reporting accountants.

Customers of service organisations should also confirm, as required, when contracting with a service organisation whether they are entitled to a controls report in relation to the outsourced operations.   

Specific circumstances

There are some specific outsourcing arrangements where a wider distribution of a controls report may be sought. For example:

  • entities may have a genuine interest in obtaining a copy of a controls report even though they are not legally a direct customer of the service organisation; or 
  • an organisation that supplies supplementary services in the supply chain of outsourced services may wish to provide a copy of a controls report to an entity who is not its direct customer.

In such situations, the simplest approach is for the service organisation and the reporting accountants to agree, ideally up-front, in writing the basis on which the report is to be made available, including to whom, and document the responsibilities and liability, if any, that the service organisation and the reporting accountants owe to the recipient of the controls report. However, this may not always be feasible and the practical issues concerning such access in three specific cases are considered below.

Controls reports of asset managers

For asset managers, customers are typically its segregated clients, e.g., asset owners such as pension funds, for which separate investment portfolios are managed by the asset manager. The scope of the asset manager’s controls report will therefore be limited to control activities associated with that group of customers.

However, a situation may exist where an asset manager manages pooled investment funds in which asset owners invest alongside other asset owners. This may give rise to one of two situations.

1) Asset management activities, including fund pricing and administration, in which asset owners may be interested with respect to those pooled funds, may not be within the scope of the controls report. This may be because the asset manager has decided to report only on its internal controls over segregated client investment activities.

In this situation, it would be inappropriate for an asset manager to provide a controls report on its segregated client investment activities to customers with ownership interests in a pooled fund. This is because the internal controls that are covered in the controls report do not necessarily apply to the service provided to the pooled funds. 

2) Even if the activities concerning the management of investments in pooled funds are within the scope of the controls report, from a legal standpoint, the customer (and therefore the intended recipient of the report) is the pooled fund itself (or possibly the operator of the fund) and not investors in the pooled fund; since it is the fund that legally appoints the asset manager.

Under this situation the asset owners (who have invested in the pooled fund) may not expect to receive the controls report because they are not the legal customers of the asset management firm. 

In the latter situation, asset managers and their reporting accountants may recognise the interest of asset owners in the controls report and consider providing asset owners with a copy of the controls report on pooled funds. The key consideration for both service organisations and reporting accountants is how to manage liabilities which may be owed (including implicit liability) to recipients of the controls report who are not a direct party to the contract between the service organisation (the asset manager) and its customer (the pooled fund or its operator). 

Consequently, both the service organisation and the reporting accountants may wish to restrict any duty of care to those asset owners, for example, by using a form of disclaimer in their reports as explained in the section of AAF 01/06 dealing with managing professional liability. In those cases where controls reports on pooled funds are not made available to those who are not direct customers of the service organisation, it may be helpful to asset owners for the service organisation to explain the reasons for such a decision.

Control reports of custodians

Many pension scheme trustees with segregated investment portfolios directly appoint their own custodian and should therefore be able to access the custodian’s controls report. However, in some cases the investment manager appoints the custodian or, where the investment is made via a pooled investment fund, the operator of the pooled fund appoints the custodian. In these situations, trustees who have appointed an investment manager or have invested in a pooled fund may be refused access to a controls report from the custodian.

In such circumstances, the trustees should seek assurance from the investment manager or the operator of the fund, as appropriate, that they have performed appropriate due diligence over appointment of the custodian and that appropriate on-going monitoring controls are in place. Ideally, the relevant monitoring controls over the custodian should be described in the investment manager’s or fund operator’s controls report. 

Where the custodian, and its reporting accountants, do agree to provide their reports to such trustees, they are likely to place restrictions on the use of the report (for example, by way of disclaimers) in order to limit any potential liability.

Control reports of administrators

Asset managers may use outsourced investment administrators or fund administrators to undertake day to day record keeping for their investment portfolios. Customers of asset managers, such as pension scheme trustees and other asset owners who have their investments managed by these asset managers are likely to have a genuine interest in these activities which are fundamental to the accuracy of their accounting records.

In such cases, these customers have effectively delegated the monitoring of this activity to the appointed asset manager and similar considerations to those for control reports of custodians would apply.

As with custodians, investment or fund administrators, and their reporting accountants, are not prohibited from providing copies of their controls report to the customers of asset managers. However, these customers may need to be proactive in requesting the investment manager to make arrangements with the administrator to provide access to those control reports and, as for custodians, such controls reports are likely to have restrictions placed on their use. 


In summary, controls reports are primarily prepared and made available to the direct (or contractual) customers of the services covered by the report.

Other entities in the supply chain of outsourced services may have a genuine interest in, and be able to access a copy of, these controls reports, even if they are not legally direct customers.

However, this may require some negotiation as service organisations would need to be persuaded of the merits of so doing and agree with the reporting accountants on the basis on which the report is provided so as to fairly reflect the responsibilities and liability, if any, owed to the recipient of the controls report.


ICAEW's assurance resource

This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.

Find out more.