An external confirmation is audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper form, or through electronic or other medium. Requesting external confirmations is a commonly used audit procedure in an audit of financial statements. It can be useful in obtaining audit evidence about relevant financial statement assertions regarding such items as receivables and payables, bank and other third party deposits and liabilities, investments, inventory, guarantees, contingent liabilities, significant transactions outside the normal course of business, and related party transactions.
Circumstances may exist where it may be difficult to obtain responses to external confirmation requests or all the information requested. While such difficulty should not dissuade auditors from sending confirmation requests in appropriate circumstances, the auditor may discover that confirming parties will not respond or provide all the information requested by the auditor and, therefore, may need to plan alternative or additional procedures. While a confirmation request may be an appropriate substantive procedure to obtain relevant audit evidence regarding some assertions, it may not provide appropriate audit evidence regarding others. Accordingly, it is important that proper regard be given to whether requesting confirmations will provide sufficient appropriate audit evidence when testing specific assertions.
This post gives an overview of the use of external confirmations in the audit of financial statements. Enjoy!
Relevant Auditing Standards to the Use of External Confirmation
ISA 505 establishes the relevant requirements and provides guidance on the use of external confirmation procedures to obtain audit evidence. ISA 505 requires the auditor to determine whether the use of external confirmations is necessary to obtain sufficient appropriate audit evidence at the assertion level. This determination is based on a consideration of the assessed risk of material misstatement at the assertion level and how the audit evidence from other planned audit procedures will reduce the risk of material misstatement at the assertion level to an acceptably low level. The auditor is required to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion.
ISA 500 explains that for audit evidence to be appropriate, it must be both relevant and reliable. Relevance deals with the logical connections with, or bearing upon, the purpose of the audit procedure and, where appropriate, the assertion under consideration. A given set of audit procedures, for example, may provide audit evidence that is relevant to certain assertions, but not others.
The reliability of audit evidence is influenced by its source and by its nature and is dependent on the individual circumstances under which it is obtained. ISA 500 observes that audit evidence is generally more reliable when it is obtained from independent sources outside the entity. However, even when audit evidence is obtained from sources external to the entity, circumstances may exist that could affect the reliability of the information obtained.
In addition, ISA 505 emphasizes the importance of the auditor maintaining control over the process of selecting those to whom a request will be sent, the preparation and sending of confirmation requests, and the responses to those requests.
The auditor is required to exercise professional skepticism in accordance with ISA 200.
ISA 200 explains that “an attitude of professional skepticism means [that] the auditor makes a critical assessment, with a questioning mind, of the validity of audit evidence obtained and is alert to audit evidence that contradicts or brings into question the reliability of documents and responses to inquiries …”
If there is any indication that a confirmation response may not be reliable, ISA 505 emphasizes the need for the auditor to consider the response’s authenticity and to perform audit procedures to dispel any concern (for example, the auditor may choose to verify the source and contents of the response in a telephone call to the purported sender).
Possibility of Fraud in the External Confirmation Process
External confirmation procedures may be effective in detecting fraud when used properly. However, certain recent cases of major corporate fraud have brought into focus the importance of being alert to:
- The circumstances in which the confirmation process is conducted;
- The characteristics of the respondent, particularly its independence, objectivity, motivation, and authority to respond; and
- The nature of the information received.
A particular circumstance where the auditor may need to be alert to the possibility of receiving a fraudulent response to a confirmation request is when requesting confirmation about the entity’s assets from another entity that is both the custodian and manager of those assets. The possible lack of proper segregation of duties over the custodial and asset management functions in such a case may create a fraud risk factor in the confirmation process. Consequently, this situation may need to be considered when designing the confirmation request and evaluating the results in accordance with ISA 505.
For example, if the auditor knows the identity of an authorized individual within the custodial function who is not involved in the asset management function, it may be possible to direct the confirmation request to that individual.
Corroborative procedures could also be performed. For example, when confirming the existence of investment securities held by the entity with an investment manager, additional procedures that might be performed include:
- Obtaining a list of the entity’s transactions during the period from the relevant securities clearing house and performing appropriate reconciliations.
- Confirming the transactions in the entity’s accounts with independent brokers used by the investment manager and performing appropriate reconciliations.
On the other hand, when the entity’s assets are both held and managed by a single individual, this creates a de facto fraud risk factor in the confirmation process. Alternative procedures may be more effective in obtaining the necessary audit evidence in such circumstances.
The current economic environment may also increase incentives for fraudulent financial reporting. Many entities around the world are experiencing greater challenges with regard to their profitability and, in some cases, their ability to continue as a going concern. In such circumstances, the risk of fraudulent financial reporting may be greater.
Even when the auditor retains control over the confirmation process, there may be a higher risk of collusion between management and the respondent in responding to the auditor’s confirmation request in the present economic environment. The significance of this risk will depend on the extent of influence the entity and its management have over the respondent. For example, it may be higher if the respondent is a related party of the entity or is economically dependent on the entity. Accordingly, when evaluating the reliability of a confirmation response, it may be important to be alert to the entity’s circumstances and its environment, the circumstances surrounding the confirmation process, and the information obtained from the confirmation process that may indicate a risk of material misstatement.
Being alert to the possibility of fraud may be particularly important when an external confirmation is the primary audit evidence for a material financial statement item, particularly if the item itself is susceptible to fraud. This risk may arise, for example, when requesting confirmation of the existence of liquid funds and investments held by the entity in an offshore jurisdiction. In such a case, as part of maintaining control over the confirmation process, ISA 505 indicates that a key consideration is whether the response has come from the purported sender.
Procedures that might be performed include:
- Telephoning the respondent to corroborate the information provided in the response.
- Telephoning the respondent’s supervisor to corroborate the respondent’s independence, knowledge of the matter, and authority to respond.
- Sending confirmation requests at interim and period end dates, and reconciling period movements in the relevant account balances using the entity’s records and other relevant information.
- Contacting an audit or law firm in the offshore jurisdiction to confirm the existence of the entity holding the funds through corporate registers or the existence of a legitimate office (especially if the holding entity’s mailing address is a post office box).
Heightened professional skepticism may also be called for when dealing with unusual or unexpected responses to confirmation requests, such as a significant change in the number or timeliness of responses to confirmation requests relative to prior audits, or a non-response when a response would be expected. These circumstances may indicate previously unidentified risks of material misstatement due to fraud. In such cases, the assessed risks of material misstatement at the assertion level may need to be revised, and planned audit procedures modified, in accordance with ISA 315.
External Confirmation Procedures May Not Provide Sufficient Appropriate Audit Evidence
ISA 505 emphasizes that the design of a confirmation request involves a consideration of the assertions being addressed. It also notes that the practice of potential respondents in dealing with confirmation requests is a factor in deciding the extent to which to use external confirmations.
A confirmation request may therefore not necessarily be the most appropriate response to an assessed risk of material misstatement regarding a specific assertion. One circumstance where a careful consideration of whether a confirmation request will provide sufficient appropriate audit evidence, and the design of any confirmation request, may be important is when seeking to obtain audit evidence regarding investments.
For some types of investments such as hedge funds, private equity funds, so-called “funds of funds” that invest in hedge funds, and investments in limited partnerships, respondents may be unwilling or reluctant to confirm relevant information on the basis of client confidentiality or for competitive reasons. In such circumstances, it may be necessary to consider performing alternative or additional audit procedures to address the existence and valuation assertions.
Even when a response is received in these circumstances, the auditor may need to carefully evaluate the information that has been confirmed. For example, while the response may provide relevant audit evidence regarding the existence assertion, it may not provide, either in the aggregate or on a security-by-security basis, adequate audit evidence with respect to the valuation assertion. In such circumstances, additional or alternative audit procedures may be necessary.
It may, for instance, be possible, through discussion with the investment manager, external investment advisors and others, to obtain an understanding of the process by which the relevant investments are valued and independently attempt to estimate the valuation of those investments using third party data and other relevant information.
Additionally, if information is confirmed on an aggregate (such as a percentage ownership in the underlying fund) as opposed to on a security-by-security basis, that information may not provide adequate audit evidence with respect to the existence assertion for individual investments.
In the case where a confirmation request is sent to an asset manager that is not the custodian of the entity’s assets, the response on its own would likely not provide sufficient appropriate audit evidence regarding the assertions about the existence of the assets or whether the entity holds or controls the rights to them.
ISA 505 also indicates that a further factor in deciding the extent to which to use external confirmations is the characteristics of the environment in which the entity operates.
In the light of the current economic environment, the auditor may find that certain respondents may be less likely to respond than they might have previously. While this does not imply that confirmation requests should not be sent, it may be more likely that additional or alternative procedures will need to be performed to obtain sufficient appropriate audit evidence in the circumstances.
Use of Technology in the Confirmation Process
Largely in an effort to make the external confirmation process more efficient and effective, auditors have been increasingly relying on technology to obtain external confirmations. Electronic mail, facsimiles, and other electronic communications have become accepted methods of communication in addition to traditional mail.
In some countries, certain confirmation processes also now involve the use of third party service providers serving as intermediaries between the auditor and the respondent through an electronic medium. For example, some financial institutions will no longer accept and respond to paper confirmation requests received by mail and will only respond to confirmation requests sent electronically through designated third party service providers.
Additionally, web portals are used by some respondents to allow auditors to access and obtain confirmation of their clients’ information. For example, a brokerage firm may set up such a portal and grant the auditor a unique ID and password for a one-time access to the client’s detailed account statements. In setting up such a portal, the respondent aims to achieve greater efficiencies in processing and responding to a large number of confirmation requests from auditors.
Confirmations obtained through these various technological means may broadly be described as “electronic confirmations”.
ISA 505 does not preclude the use of an electronic confirmation process or the acceptance of electronic confirmations as audit evidence. However, no confirmation response is without some risk of interception, alteration or fraud, regardless of whether it is in paper form, or received through an electronic or other medium. While electronic confirmations may improve response times and are claimed to increase the reliability of responses, they may also give rise to new risks that the responses might not be reliable. This is because with electronic responses, proof of origin and authority of the respondents to respond may be difficult to establish, and alterations may be difficult to detect.
An electronic confirmation process that creates a secure environment for executing the confirmation request may mitigate the risk of inappropriate human intervention and manipulation. An important factor may therefore be the mechanism that is established between the auditor and the respondent to minimize the risk that the electronic confirmation will be compromised because of interception, alteration, or fraud.
If the auditor plans to use an electronic confirmation process to obtain audit evidence, the following risks may be relevant in designing the confirmation procedure:
- The response may not be from the proper source.
- The respondent may not be authorized to respond.
- The integrity of the transmission may have been compromised.
If the auditor has doubts about the reliability of an electronic confirmation, it may be possible to verify the source and contents of the response by contacting the respondent. For example, when a confirmation response is transmitted by electronic mail or facsimile, it may be appropriate to telephone the respondent to determine whether the respondent did, in fact, send the response.
It may also be possible to ask the respondent to mail the original confirmation directly to the auditor. If a response is received indirectly (for example, because the respondent incorrectly addressed it to the entity rather than to the auditor), it may be appropriate to ask the respondent to respond again in writing directly to the auditor.
If a respondent will only respond to a confirmation request through a third party service provider and the auditor plans to rely on the service provider’s process, it may be important that the auditor be satisfied with the controls over the information sent by the entity to the service provider, and the controls applied during processing of the data and preparation and sending of the confirmation response to the auditor. A service auditor’s report on the service provider’s process may assist the auditor in evaluating the design and operating effectiveness of the electronic and manual controls with respect to that process. Such a report will often address the three types of risk noted above.
Various techniques may also be used for validating the identity of the sender of electronic information and its authorization to confirm the requested information. For example, the use of data encryption, electronic digital signatures, and procedures to verify website authenticity may improve the security of the electronic confirmation process.
Disclaimers and Other Restrictions in Confirmation Responses
Besides such factors as the nature of the information being confirmed and the respondent’s knowledge of the matter and authority to respond, ISA 505 notes that a further factor that affects the reliability of external confirmations is whether any restrictions have been included in the responses.
Auditors have seen an increasing number of instances where respondents have included disclaimers and other restrictions in confirmation responses, whether transmitted in paper form or through an electronic medium.
Restrictions that appear to be boilerplate disclaimers of liability may not affect the reliability of the information being confirmed. Examples of such disclaimers sometimes seen in practice include:
- Information is furnished as a matter of courtesy without a duty to do so and without responsibility, liability or warranty, express or implied.
- The reply is given solely for the purpose of the audit without any responsibility on the part of the respondent, its employees or agents, and it does not relieve the auditor from any other inquiry or the performance of any other duty.
Other restrictive language also may not invalidate the reliability of a response if it does not relate to the assertion being tested. For example, in a confirmation of investments, a disclaimer regarding the valuation of the investments may not affect the reliability of the response if the auditor’s objective in using the confirmation request is to obtain audit evidence regarding whether the investments exist. On the other hand, certain restrictive language may cast doubt about the completeness, accuracy or the auditor’s ability to rely on the information contained in the response.
Examples of such restrictions sometimes seen in practice include:
- Information is obtained from electronic data sources, which may not contain all information in the respondent’s possession.
- Information is not guaranteed to be accurate nor current and may be a matter of opinion.
- The recipient may not rely upon the information in the confirmation.
Whether the auditor may rely on the information confirmed and the degree of such reliance will depend on the nature and substance of the restrictive language. Where the practical effect of the restrictive language is difficult to ascertain in the particular circumstances, the auditor may consider it appropriate to seek clarification from the respondent or seek legal advice.
If restrictive language limits the extent to which the auditor can rely on the confirmation responses as audit evidence, additional or alternative audit procedures may need to be performed. The nature and extent of such procedures will depend on factors such as the nature of the financial statement item, the assertion being tested, the nature and substance of the restrictive language, and relevant information obtained through other audit procedures. If the auditor is unable to obtain sufficient appropriate audit evidence through alternative or additional audit procedures, the auditor is required to consider the implications for the auditor’s report in accordance with ISA 701.
Recent Revision to Extant ISA 505
In conjunction with its Clarity Project, the IAASB revised a number of its standards, including ISA 505. The revised ISA will be effective for audits of financial statements for periods beginning on or after December 15, 2009, the date when all the standards redrafted under the IAASB’s Clarity Project become effective. The revised ISA 505 is available at http://web.ifac.org/clarity-center/isa-505.
- External confirmation procedures can be an effective tool in obtaining relevant and reliable audit evidence when used properly. Circumstances may exist where it may be difficult to obtain responses to external confirmation requests or all the information requested. While such difficulty should not dissuade auditors from sending confirmation requests in appropriate circumstances, the auditor may discover that confirming parties will not respond or provide all the information requested by the auditor and, therefore, may need to plan alternative or additional procedures.
- While a confirmation request may be an appropriate substantive procedure to obtain relevant audit evidence regarding some assertions, it may not provide appropriate audit evidence regarding others. Accordingly, it is important that proper regard be given to whether requesting confirmations will provide sufficient appropriate audit evidence when testing specific assertions.
- All confirmation responses carry some risk of interception, alteration or fraud. Such risk exists regardless of whether a response is obtained in paper form, or through electronic or other medium. Accordingly, it is essential that the auditor maintain control over the confirmation process. It is also important that the auditor maintain appropriate professional skepticism throughout the confirmation process, particularly when evaluating the confirmation responses.
- The ISAs do not preclude the use of electronic confirmations, as they can, if properly managed, provide appropriate audit evidence. However, there are additional risks that may affect the reliability of confirmations received through an electronic medium that may need to be taken into account when designing the confirmation procedure.
- Disclaimers and other restrictions included in confirmation responses do not necessarily invalidate the reliability of the responses as audit evidence. However, in evaluating the responses to determine whether they provide appropriate audit evidence, the auditor may need to carefully consider the nature and substance of the restrictions.