Confirmations have long been part of auditors’ toolkits for obtaining information from third parties about management’s assertions. They may be used to confirm such financial statement items as cash held by third parties, accounts receivables, loans and pending litigation. Here’s an overview of how audit confirmations are performed in today’s electronic world. The Public Company Accounting Oversight Board (PCAOB) recently approved updated guidance that modernizes the auditor’s confirmation process and strengthens confirmation procedures to better help prevent fraud.
Confirmation basics
Under U.S. Generally Accepted Auditing Standards (GAAS), an external confirmation is “a direct response to the auditor from a third party either in paper form or by electronic other means, such as through the auditor’s direct access to information held by a third party.” Confirmations generally come in the following formats:
Positive. Recipients are requested to reply directly to the auditor and make a positive statement about whether they agree or disagree with the information included.
Negative. Recipients are requested to reply directly to the auditor only if they disagree with the information presented on the confirmation.
Blank. The amount (or other information) isn’t stated on this type of request. Instead, it requests recipients to complete a blank confirmation form.
The types of confirmations your auditor uses will vary depending on your situation and the nature of your organization’s operations. Confirmation procedures may be performed as of a date that’s on, before or after the balance sheet date. If the procedures aren’t performed as of the balance sheet date, the account balance will need to be rolled forward (or backward) to the balance sheet date.
Shift to electronic forms
In the past, auditors sent out confirmation letters through the U.S. Postal Service. Then, they waited to receive written responses from their audit clients’ customers, suppliers, banks, benefits plan administrators, attorneys and others. If an auditor failed to receive an adequate level of response, follow-up confirmation letters could be sent, which could lead to delays in the audit process. Alternatively, the auditor could contact nonresponding recipients by phone or in person. Otherwise, the auditor would need to perform alternative procedures.
Although written confirmations are still permitted, auditors routinely use electronic confirmations today. These may be in the form of an email submitted directly to the respondent by the auditor or a request submitted through a designated third-party provider.
Electronic confirmations can be considered reliable audit evidence under GAAS. Plus, they overcome some of the shortcomings of written confirmations. That is, they’re sent and received instantaneously at no cost, and the electronic confirmation process is generally secure, minimizing the risks of interception or alteration. As a result, some financial institutions no longer respond to paper confirmation requests and will respond only to electronic confirmation requests.
Recent PCAOB update
On September 28, 2023, the PCAOB unanimously approved a new confirmation standard. Work on the new standard began in 2009. The updated guidance is currently awaiting approval from the U.S. Securities and Exchange Commission. If approved, it will take effect for audits of public companies’ financial statements for fiscal years ending on or after June 15, 2025. The new standard — Auditing Standards (AS) No. 2310, The Auditor’s Use of Confirmation — would replace interim AS 2310, The Confirmation Process, in its entirety.
After the PCAOB was established two decades ago, it adopted AS 2310 on an interim basis, until an updated version could be approved. The current interim standard went into effect in 1992. In addition to mailed confirmation responses, it refers to confirmation responses received orally or via facsimile — but not to electronic communications or online records.
The new standard will bring audit confirmations into the 21st century by allowing use of technology that wasn’t available when the existing standard was written. It also aims to strengthen confirmation procedures to help prevent fraud by integrating the guidance with the audit risk assessment standards.
Specifically, the new confirmation standard would require an auditor to confirm cash and cash equivalents held by third parties — though most auditors already routinely do this. It wouldn’t allow negative confirmation formats. Instead, when it’s not feasible for the auditor to perform confirmation procedures, the auditor will need to perform alternative procedures to obtain relevant and reliable evidence for the information in question. For instance, auditors can obtain direct access through read-only access to transactions or balances.
The new principles-based standard emphasizes the auditor’s control over the confirmation process. Auditors would be responsible for:
- Selecting the items to be confirmed,
- Sending confirmation requests and receiving responses,
- Addressing non-responses or incomplete responses to obtain audit evidence, and
- Identifying situations in which alternative procedures should be performed.
The new standard also provides more specific illustrations of alternative procedures that can be performed for confirmation.
Valuable audit tool
External confirmations can be a simple and effective audit tool. However, some companies may be put off when auditors reach out to customers, lenders and other third parties — and sometimes confirmation recipients fail to respond in a timely, complete manner. Contact us if you have questions about how we plan to use confirmations during your next audit or if you have concerns about the efficacy or security of the confirmation process.
© 2023