One of the easiest ways of picking up more knowledge on assurance reporting and AAF controls is to read through the Introduction section of the 2019 consultation document for Technical Release AAF 01/06 (AAF 01/06), Assurance Reports on internal controls of service organisations made available to third parties. AAF 01/06 is a widely recognised assurance standard developed by the Institute of Chartered Accountants in England & Wales (‘ICAEW’).
This document has useful explanations about how assurance works. For instance, it explains how ‘Agreed upon procedures’, ‘Internal audit report’ and ‘Defined scope report’ may be of more use to the User applying Informal assurance than AAF Formal assurance reporting.
Extract from August/September 2019 ICAEW consultation on proposed updates to Tech 01/06 AAF 2. ASSURANCE ENGAGEMENTS #14
It may in some circumstances be sufficient for a user of an AAF report to have only ‘Limited Assurance’, where there is less detailed work required.
Limited assurance is explained as follows: in a limited assurance engagement, ‘the Service Auditor expresses an opinion stating whether they have identified anything that contradicts or disproves the existence and/or operation of the Subject Matter outlined in the report.’ By contrast, ‘In a reasonable assurance engagement, the Service Auditor seeks to obtain sufficient appropriate evidence that enables them to express a positive opinion on the report.’
The principal difference between a reasonable assurance engagement and a limited assurance engagement is the weight of evidence required to support the opinion of the Service Auditor (and hence the level of assurance that is provided). For a limited assurance engagement, the Service Auditor collects less evidence than for a reasonable assurance engagement. The Service Auditor achieves this ordinarily by performing different or fewer tests than those required for reasonable assurance or using smaller sample sizes for the tests performed.
The Assurance report often needs to examine what is inside the supply chain, including the use of a specialist organisation to undertake activities for the Service Organisation being examined. There may be commercial outsourcing relationships that are fundamental to the responsibilities of the Service Organisation in the context of the User Organisations. Where the Service Organisation would have carried out the operation of related Control Activities in-house, had it not outsourced to a third party, the organisation undertaking the outsourced activity is known as a Subservice Organisation.
Examples of Subservice Organisations are investment administration outsourced to another party and Information Technology (IT) outsourced to another group entity outside the scope of the Report. Service Organisations retain responsibility for the control activities that have been outsourced to a Subservice Organisation. They are required to monitor the effective operation of controls over activities carried out on their behalf. Service Organisations that employ the services of Subservice Organisations may even be required to include monitoring and oversight control activities at a governance level and also at an operational level.
This would mean more planning and sample testing for the service auditor to assess the fairness of presentation, design suitability and, where appropriate, operating effectiveness of control activities against the control objectives.
If you wish for any more information as to what level of assurance would best meet your user requirement, please contact Assure UK’s Director of Assurance, Andrew on firstname.lastname@example.org. Alternatively, you can give Andrew a call on 020 7112 8300.