Assurance on internal controls of service organisations (TECH 01/20 AAF)
Assurance reports on internal controls of service organisations available to third parties (TECH 01/20 AAF) is a Technical Release published by ICAEW’s Audit and Assurance Faculty. The Technical Release sets out good practice guidance on how to perform an assurance engagement on the internal controls of organisations that
Many entities outsource aspects of their business activities to service organisations. These activities range from performing a specific task directed by the entity to replacing entire business units or functions. The activities may be integral to the entity’s business operations and, affect the financial statements and so the entity’s external auditor may be required to understand and test controls over those outsourced business activities, particularly where they involve the processing of financial transactions.
This guidance enables the service organisation to engage an independent practitioner to provide an assurance opinion on the controls in place over the outsourced activities they perform for other entities. As the service organisation more often than not works for more than one entity, this means they can efficiently commission and share this independent assurance opinion with the entities they work for, saving numerous sets of external auditors testing the same internal controls.
The demand for these types of reports is particularly prevalent in the asset management sector and the guidance could also be applied to other activities, where appropriate control objectives can be identified.
The Technical Release provides guidance to those performing assurance engagements and is intended to promote consistency in approach. It also provides high-level guidance to senior management of the service organisation who prepare the report on the specific services and may also help entities that use service organisations to understand the scope and type of assurance provided in the assurance report.
The Technical Release is effective for reporting periods beginning on or after 1 July 2020 although early adoption is permitted.
Assurance reports on internal controls of service organisations available to third parties (TECH 01/06 AAF) will be withdrawn on 30 June 2020.
Transition from TECH 01/06 AAF
TECH 01/20 AAF was published in January 2020 and replaced TECH 01/06 AAF. While the overall purpose of the guidance remains the same, the following key changes were made:
- The introduction on assurance engagements was expanded to assist more firms undertake engagements in accordance with this guidance
- Expanded guidance for senior management of service organisations, particularly in their role as preparers of the description of the service organisation’s control activities
- Expanded guidance for service auditors, particularly in scenarios where the service organisation uses other service organisations and in respect of the nature, timing and extent of their testing and how the results of that testing gives rise to a range of reporting options that need to be considered by the service auditor
- Although the principle of specifying control objectives to promote consistency of reporting has been retained, the control objectives have been refined and reworded to reflect the current risks faced by service organisations. In some cases there has been a reduction in the specified control objectives, with certain objectives now presented as illustrative and supplementary
- Control objectives being specified for two new areas, fiduciary management and property investment administration, and the removal of separate control objectives for hedge fund management
TECH 01/20 AAF was produced with the help of a working party and was approved by ICAEW’s Technical and Practical Auditing committee. An exposure draft of TECH 01/20 AAF was published as part of a public consultation. The working party considered all consultation responses before finalising the guidance.
Other helpful resources
Access to controls reports at service organisations This article provides a brief explanation of who should be able to view reports on internal controls of service organisations, and the assurance reports thereon, and how difficulties in arranging access can be overcome.