ICAEW.com works better with JavaScript enabled.

Assurance on internal controls of service organisations (TECH 01/20 AAF)

Assurance reports on internal controls of service organisations available to third parties (TECH 01/20 AAF) is a Technical Release published by ICAEW’s Audit and Assurance Faculty. The Technical Release sets out good practice guidance on how to perform an assurance engagement on the internal controls of organisations that

Download TECH 01/20 AAF

Download Now

Many entities outsource aspects of their business activities to service organisations. These activities range from performing a specific task directed by the entity to replacing entire business units or functions. The activities may be integral to the entity’s business operations and, affect the financial statements and so the entity’s external auditor may be required to understand and test controls over those outsourced business activities, particularly where they involve the processing of financial transactions.

This guidance enables the service organisation to engage an independent practitioner to provide an assurance opinion on the controls in place over the outsourced activities they perform for other entities. As the service organisation more often than not works for more than one entity, this means they can efficiently commission and share this independent assurance opinion with the entities they work for, saving numerous sets of external auditors testing the same internal controls.

The demand for these types of reports is particularly prevalent in the asset management sector and the guidance could also be applied to other activities, where appropriate control objectives can be identified.

The Technical Release provides guidance to those performing assurance engagements and is intended to promote consistency in approach. It also provides high-level guidance to senior management of the service organisation who prepare the report on the specific services and may also help entities that use service organisations to understand the scope and type of assurance provided in the assurance report.

The Technical Release is effective for reporting periods beginning on or after 1 July 2020 although early adoption is permitted.

Assurance reports on internal controls of service organisations available to third parties (TECH 01/06 AAF) will be withdrawn on 30 June 2020.

Note to users

This technical release was issued by the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales in January 2020

The applicable assurance framework for this technical release is ISAE 3000 (Revised), International Standard on Assurance Engagements: Assurance Engagements Other Than Audits or Reviews of Historical Financial Information.

In July 2020 the Financial Reporting Council (FRC) published International Standard on Assurance Engagements (UK) 3000: Assurance Engagements Other Than Audits Or Reviews Of Historical Financial Information. This standard is mandatory for public interest assurance engagements specified by the FRC and voluntary for other assurance engagements, including engagements done in line with TECH 01/20 AAF. 

This technical release does not currently reflect the revised standard, but for more information about it, please visit icaew.com/ISAEUK3000.

Transition from TECH 01/06 AAF

TECH 01/20 AAF was published in January 2020 and replaced TECH 01/06 AAF. While the overall purpose of the guidance remains the same, the following key changes were made:

  • The introduction on assurance engagements was expanded to assist more firms undertake engagements in accordance with this guidance
  • Expanded guidance for senior management of service organisations, particularly in their role as preparers of the description of the service organisation’s control activities
  • Expanded guidance for service auditors, particularly in scenarios where the service organisation uses other service organisations and in respect of the nature, timing and extent of their testing and how the results of that testing gives rise to a range of reporting options that need to be considered by the service auditor
  • Although the principle of specifying control objectives to promote consistency of reporting has been retained, the control objectives have been refined and reworded to reflect the current risks faced by service organisations. In some cases there has been a reduction in the specified control objectives, with certain objectives now presented as illustrative and supplementary
  • Control objectives being specified for two new areas, fiduciary management and property investment administration, and the removal of separate control objectives for hedge fund management

TECH 01/20 AAF was produced with the help of a working party and was approved by ICAEW’s Technical and Practical Auditing committee. An exposure draft of TECH 01/20 AAF was published as part of a public consultation. The working party considered all consultation responses before finalising the guidance.

Other helpful resources

Buyer's guide to assurance on non-financial information

Find out more

Access to controls reports at service organisations This article provides a brief explanation of who should be able to view reports on internal controls of service organisations, and the assurance reports thereon, and how difficulties in arranging access can be overcome.