Pension Scheme Accountants of the year 2007
Tel: 020 7917 2987
Ask Ash Shaw

New reporting environment for service organisations holding financial data

by Andrew Riley of Ash Shaw LLP on 13 November 2006

The ICAEW (Institute of Chartered Accountants in England & Wales) recently issued new assurance guidance for engagements concerning internal controls of service organisations Assurance reports on internal controls of service organisations made available to third parties AAF 01/06.

The new guidance offers more potential value to clients, client auditors and potential customers than previous reporting formats because it sets out minimum control objective criteria for directors and enables the reporting accountant to express an opinion on how fairly and suitably described are the control procedures set out by the directors and how they operated. It also places third party service organisations which hold financial data under greater scrutiny.

This guidance replaces the Institute's AUDIT 4/97 Reports on internal controls of investment custodians made available to third parties, FRAG 21/94 (Revised), and is effective for periods ending on or after 31 March 2007. Service organisations and reporting accountants are encouraged to apply this guidance before that date as best practice.

The organisations affected include custodians that hold and service assets, and investment managers for securities and property. Directors of these organisations need to decide whether they should prepare a report on their organisation's internal control procedures, and whether to have this independently reviewed under this new AAF 01/06 guidance by a reporting accountant.

More rigorous requirements have been put in place in order to address the criticisms of FRAG 21s. Rather than only stating factual test results, users will now be given a positively worded independent assurance conclusion on the description, design and operating effectiveness of the service organisation's control procedures by the reporting accountants.

Under the new guidance the AAF 01/06:

  • clarifies the expected responsibilities of directors and reporting accountants;
  • sets out a minimum set of control objectives to be described, tested and reported on;
  • gives detail on the control objectives for specific financial service activities namely custody, investment management, pension administration, property management, fund accounting and transfer agency;
  • issues an opinion by reporting accountants as to the adequacy of the control description, design and operation of controls; and
  • makes reports more consistent and easier to compare from one period to another and from one service organisation to another.

Directors of service organisations are responsible for:

  • stating their responsibility for internal controls;
  • evaluating the effectiveness of their organisation's control procedures;
  • supporting their evaluation with sufficient documentation and evidence; and
  • providing a written report of their control environment and the effectiveness of their control procedures for the period under examination.

The directors are responsible for the completeness, accuracy, validity and method of presentation of the description of the control objectives and procedures, and the assertions they make as to the reasonable assurance that the specified control objectives are being achieved.

The reporting accountant will read the description of control objectives and procedures written by the directors to gain an understanding of the representations made. After reading the description, the reporting accountants undertake enquiry, review and testing to determine whether the directors' description fairly present the design and operation of these control objectives and procedures in all material respects for the relevant reporting period, and issue an assurance opinion.

The AAF 01/06 appendix illustrates control objectives for six types of service organisations (custodians, investment managers, pension administrators, property managers, fund accountants, and transfer agencies). As an example Investment Management has:

  • 25 control objectives specified for six types of financial service activities
    (Accepting clients, Authorising and processing transactions, Maintaining financial and other records, Safeguarding assets, Monitoring compliance, and Reporting to clients)
  • 13 control objectives on five information technology control procedures to supplement the above financial services activities
    (Restricting access to systems and data; Providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats; Maintaining and developing systems hardware and software; Recovering from processing interruptions; and Monitoring compliance).

These control objectives are for guidance only but any omission would lead the reporting accountant to question the directors as to how they have prevented any design deficiencies in their risk control framework and request explanation in the directors' report. Should the directors fail to disclose the omission satisfactorily, the AAF 01/06 directs reporting accountants to add an explanatory paragraph to their report identifying omitted or inappropriate control procedures to draw to the attention of the service organisation's customers and auditors. Appendix 4 in the AAF 01/06 gives this example:

We draw attention to page [x] of the report of the directors which sets out the control objectives. One of the control objectives, [xxxx] in Technical Release AAF 01/06 is not included in the directors' report and no reason for omission is explained...

Deciding whether to have an AAF 01/06 report

The AAF 01/06 is not an auditing standard and is not a regulatory requirement. Service organisations currently having a FRAG 21 will most likely continue their third party reporting with the replacement AAF 01/06. For directors of service organisations that have had no FRAG 21, the arrival of the new guidance gives them the opportunity to consider the cost and benefits of independent assurance reporting.

An external review that assesses the design, documentation and operation of control objectives and procedures against core criteria issued by the ICAEW Audit and Assurance Faculty would help many service organisations become more risk aware and efficient through better design, documentation and recording of control procedures - but at the cost of paying for the services of an ICAEW reporting accountant.

With the significant increase in the use of outsourced service organisations by companies and pension funds, it is expected that the executives of these entities will want to ensure the control procedures at the service organisation can be held up to scrutiny by their customers. In addition, because many of the functions performed by outsourced service organisations affect an entity's financial statements, auditors may also seek information about the control procedures surrounding those services.

Directors of service organisations in financial services may also want for an AAF 01/06 report to be made available to their clients and client auditors in order to demonstrate that they have strong internal controls and procedures.

FRAG 21 reports can no longer be issued from April 2007. Reporting accountants are bound by the International Auditing and Assurance Standards Board International Framework for Assurance Engagements (the Framework) and the first International Standard on Assurance Engagements (ISAE) 3000, Assurance Engagements Other Than Audits or Reviews of Historical Financial Information. These pronouncements provide high level principles for assurance engagements other than audits and reviews of historical financial statements and have been used to produce the AAF 01/06 guidance. Previously specific guidance on subject areas such as internal control for outsourced financial services was limited in the UK and reporting accountants had to seek guidance from other areas, such as the US auditing standard SAS 70.

Should directors not wish to have an AAF 01/06 report they may be faced with producing their own assessment of their internal controls without independent verification from a reporting accountant.

Next steps

It would be prudent for service organisations to make an assessment of their state of readiness for a potential AAF 01/06 review. Particular challenges may be the documentation of control design and operations and the collection of evidence throughout the period under examination.

The ICAEW Audit and Assurance Faculty is expected to keep the AAF 01/06 Technical Release under regular review to accommodate industry developments in relation to the control objectives set out in Appendix 1 and the range of custody, investment management, pension administration, property management, fund accounting and transfer agency activities set out in paragraph 6. It is inviting comment in writing to the Audit and Assurance Faculty at tdaf@icaew.co.uk on the control objectives currently contained within Appendix 1 and for other industry groups to propose further service activities for inclusion within the guidance if appropriate.

This article was published in Compliance Online. To receive a 14 day FREE trial to Compliance Online complete the registration form using a valid email address.
Compliance Online

For access to simple, practical and clear advice to help you make a difference, sign up for our free monthly newsletter

We respect your privacy at all times. Unsubscribe easily

Email this Page Email this Page
Print this Page Print this Page
Copyright © 2005-2006 Ash Shaw. All Rights Reserved. Legal    Privacy Policy    Site Map