GS 016

This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors on meeting the requirements of relevant AUASB Standards when external confirmation procedures are performed regarding an entity’s banking activities, including treasury operations.

This Guidance Statement is issued on 7 June 2022 by the AUASB and replaces GS 016 Bank Confirmation Requests, issued in June 2010.

This Guidance Statement, in addition to providing guidance for auditors when performing paper-based external confirmations, addresses the impact of the use of technological resources by the auditor on the external confirmation process, including technological resources from a service provider.

This Guidance Statement provides supplementary guidance for auditors in meeting their responsibilities in ASA 505 External Confirmations where the auditor has determined, in accordance with ASA 330 The Auditor’s Responses to Assessed Risks, that external bank confirmation procedures are to be performed as part of the audit.

For definitions, refer to the AUASB Glossary.

ASA 330 requires the auditor to design and implement overall responses to address the risks of material misstatement identified and assessed by the auditor in accordance with ASA 315 Identifying and Assessing the Risks of Material Misstatement in an audit of a financial report. In particular, ASA 330 requires the auditor to consider whether external confirmation procedures are to be performed.^[1]

The auditor may determine that bank confirmation procedures are to be performed when the entity’s banking activities, including treasury operations, are:

1. significant;
2. complex;
3. unusual;
4. have a heightened risk of fraud; or
5. there are deficiencies in the entity’s control environment that may impact the assertions and disclosures regarding the entity’s banking activities.

In other instances, when:

1. an entity’s banking activities are simple and straightforward;
2. the auditor has considered the entity’s control environment and assessed the risk of material misstatement of bank-related account balances and disclosures as low; and
3. there are other means to obtain sufficient appropriate audit evidence in respect of banking activities;

the auditor may decide not to request a bank confirmation.

The information to be confirmed may relate to:

1. normal banking activities, such as:
   1. account balances at the period end for current accounts, interest bearing deposit accounts, foreign currency accounts, money market deposits, overdraft accounts, bank loans and term loans;
   2. interest rates and terms of other liabilities to the bank, such as bills of exchange, forward exchange contracts, letters of credit, guarantees and indemnities undertaken by the bank;
   3. items held as security for the entity’s liabilities to the bank;
   4. accounts opened or closed by the entity during the period; and
   5. unused limits and facilities; and/or
2. treasury operations, such as:
   1. forward rate agreements;
   2. foreign currency contracts;
   3. interest rate swaps;
   4. options;
   5. treasury futures contracts; and
   6. other contractual arrangements.

Although external confirmations may provide relevant audit evidence relating to certain assertions, there are assertions for which external confirmations provide less relevant audit evidence. For example, external confirmation procedures may provide audit evidence for the existence assertion but not the accuracy, valuation and allocation or completeness assertions. In such circumstances, it may be necessary to consider performing alternative or additional audit procedures to address these assertions.

ASA 500 Audit Evidence requires the auditor to design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence, and consider the relevance and reliability of information to be used as audit evidence in an audit of a financial report.^[2],[3]

The reliability of audit evidence is influenced by its source and by its nature and is dependent on the individual circumstances under which it is obtained.^[4] The reliability of the evidence obtained from information contained in a response to a bank confirmation request, is influenced by the circumstances in which the request is made and the response received.

Whilst exceptions may exist, the reliability of audit evidence is generally increased when it is obtained from independent sources outside the entity, and obtained directly by the auditor.^[5] However, even when audit evidence, such as a bank confirmation, is obtained from sources external to the entity, circumstances may exist that could affect the reliability of the information obtained. For example, all confirmation responses carry some risk of interception, alteration or fraud. Such risk exists regardless of whether a response is obtained in paper form, or through electronic or other medium.

ASA 200 requires the auditor to plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the financial report to be materially misstated.^[6] Unless the auditor has reason to believe the contrary, the auditor may accept records and documents as genuine.^[7] If there is any indication that a confirmation response may not be reliable, ASA 505 emphasises the need for the auditor to consider the response’s reliability and to perform audit procedures to dispel any concern (for example, the auditor may choose to verify the source and contents of the response in a telephone call to the purported sender).^[8]

While the primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management,^[9] the auditor, in exercising professional scepticism, remains alert to the possibility of fraud in the bank confirmation process.

When determining whether to use bank confirmation requests, the auditor may consider the entity’s circumstances and its environment, the circumstances surrounding the confirmation process, and the information obtained from the confirmation process that may indicate a risk of material misstatement.

Being alert to the possibility of fraud may be particularly important when an external confirmation is the primary audit evidence for a material financial report item, particularly if the item itself is susceptible to fraud. This risk may arise, for example, when requesting confirmation of the existence of liquid funds and investments held by the entity in an offshore bank. In such circumstances, it may be necessary to consider performing alternative or additional audit procedures.

Professional scepticism is necessary to the critical assessment of audit evidence. For example, when dealing with unusual or unexpected responses to confirmation requests, such as a significant change in the number or timeliness of responses to bank confirmation requests relative to prior audits, or a non-response when a response would be expected.

Whilst there are a range of ways in which a confirmation may be performed, regardless of the method, the auditor remains responsible for meeting the requirements of the ASAs. In particular, the auditor is responsible for maintaining control of the confirmation process.^[10]

Maintaining control over the confirmation process mitigates (but does not eliminate) the risk of interception, alteration or fraud. Where the auditor has maintained control of the confirmation process the reliability of the results of the confirmation are increased.

The auditor’s approach to supporting that they have maintained control over the confirmation process depends on whether they have used an electronic or paper-based confirmation process. This guidance statement provides guidance on the auditor’s responsibilities where the auditor has used:

1. An electronic confirmation process (paragraphs 22-38); or
2. A paper-based confirmation process (paragraphs 39-42).

To make the external confirmation process more efficient and effective, auditors and banks have been increasingly relying on new technologies to facilitate the bank confirmation process. ASA 505 does not preclude the use of an electronic confirmation process or the acceptance of electronic confirmations as audit evidence.

Electronic confirmations in the context of this Guidance Statement, refers to the auditor using a technological resource which automates the entire, or part of, the confirmation process. Examples of these technologies include, service providers who establish a secure platform through which the confirming party and auditor communicate directly, or other technological resource which directly interfaces with the confirming party’s systems such as an Application Programming Interface (API).

Email and facsimile are largely paper-based confirmation processes using technology, they have been excluded from electronic confirmations in the context of this Guidance Statement and are captured under paper-based confirmations.

When an electronic confirmation process is used, the auditor may be relying on the processes and controls of an external party or the firm to maintain control over the external confirmation process.

The procedures the auditor performs to maintain control over the confirmation process may be dependent on whether the electronic confirmation resource is a technological resource that has been approved for use by the firm. Where the technological resource is not approved for use by the firm, additional procedures may need to be performed to evidence that the auditor has maintained control over the confirmation process.

Electronic Confirmation Resources Approved by the Firm

An electronic confirmation resource whether developed or obtained by the firm, or from a service provider, is a technological resource that is used directly by the engagement team in the performance of the engagement. Where the auditor is using an electronic confirmation resource approved for use by the firm, the firm, in accordance with the quality objective of ASQM 1^[11], has been through a quality management process so that the technological resource is appropriate for the use in the performance of engagements.

When making a technological resource available to engagement teams^[12], a firm may consider a number of matters including:

1. The technological resource operates as designed and achieves the purpose for which it is intended;
2. Confidentiality of the data is preserved;
3. The need to develop procedures that set out how the technological resource operates.

Where the technological resource made available to the engagement team for use in the performance of engagements comes from a service provider^[13], there are further considerations that the firm may consider, including:

1. The nature and scope of the use of the technological resource;
2. The extent to which the technological resource is used;
3. How the service provider intends to maintain the technological resources.

In meeting the quality objective that appropriate technological resources are used in the performance of engagements, the firm may consider obtaining control reports^[14] for the technological resource and reviewing areas that address relevant areas to maintaining control of the confirmation process.

Where a report is expected to be used as audit evidence, the requirements of ASA 402^[15] may provide an appropriate framework for the firm’s evaluation of the appropriateness of the resource.

Once a firm considers that the technological resource is appropriate for use in the performance of engagements, the firm may monitor for changes in the environment since the report was issued and consider whether those changes in the environment would impact on the firm’s ability to rely on the report.

Where a report is not able to be provided or is not sufficiently reliable for the intended purpose, as an alternative the firm may perform direct testing of the design and operating effectiveness of the technological resource’s relevant controls.

Once the technological resource is approved by the firm, the firm may establish policies and procedures for the engagement team’s use of the technological resource. For example the firm may have a policy limiting use to specifically approved personnel, or have a policy that only resources on a firm approved list can be used.

The Engagement Partner’s Responsibility where the Technological Resource is Approved by the Firm

ASA 220 Quality Management for an Audit of a Financial Report and Other Historical Financial Information addresses the engagement partner’s responsibility to use the resources provided by the firm, including technological resources.^[16]

When using technological resources approved by the firm, the engagement partner is ordinarily able to rely on the firm’s policies and procedures to approve that resource for use. To be able to rely on the firm’s approval of the resource, the engagement team follows the firm’s policies and procedures around the use of the technological resource, including whether specialist expertise is required and remains alert for any information throughout the engagement that may indicate that the firm’s policies and procedures related to the resource are not operating effectively.

The Engagement Partner’s Responsibility where the Technological Resource is Not Approved by the Firm

Not all technological resources used by the engagement team in the performance of an engagement will be a resource approved by the firm. Where a technological resource is used in the confirmation process and it is not approved by the firm, the engagement partner is responsible for performing procedures to obtain sufficient appropriate evidence that the technological resource is appropriate for use in the circumstances.

The engagement team may perform procedures based on paragraphs 28-34.

As outlined in paragraphs 23 and 24, in the context of this Guidance Statement, paper-based confirmations refers to confirmation procedures which do not use a technological resource to automate the entire, or part of, the confirmation process.

In consultation with the Australian Bankers’ Association (ABA), the AUASB previously developed three standard paper-based bank confirmation request forms. The forms are:

1. Appendix 1 – Bank Confirmation—Audit Request (General) – the information to be confirmed or requested relates to normal banking activities and is substantially the same for a range of entities;
2. Appendix 2 – Bank Confirmation—Audit Request (Treasury and Other Operations) – the information to be confirmed or requested relates to the entity’s treasury operations and use of treasury management instruments; and
3. Appendix 3 – Example letter – Customer Request and Authority to Disclose Information.

These forms are also available as separate documents on the AUASB website^[17], to facilitate their use in the confirmation process, if required.

While the standard bank confirmation request forms will generally provide the information required by the auditor in a range of audit engagements, there may be instances where the standard forms are not appropriate. For example, the auditor may require confirmation of matters not covered by the standard bank confirmation request forms and may write a separate letter requesting confirmation of specific matters.

When using paper-based bank confirmations, the auditor maintains control over the process through:^[18]

1. determining the bank information to be requested;
2. selecting the appropriate confirming party(parties);
3. designing the bank confirmation request, ensuring that it:
   1. is properly addressed;
   2. is clear, accurate and sufficiently detailed; and
   3. contains an accurate return address, for responses to be sent directly to the auditor.
4. considering the timing of the lodgement of the request and the date by which a response is required; and
5. taking follow-up action when a response is overdue.

The auditor evaluates the bank’s response to a bank confirmation request, whether electronic or paper-based, and determines whether the response provides relevant and reliable audit evidence, or whether further audit evidence is required.^[19]

The auditor may need to carry out additional audit procedures. For example, it is generally unwarranted for the auditor to place sole reliance on the information obtained through a bank confirmation request to satisfy the completeness assertion. This may be due to various factors such as:

1. other audit procedures indicate doubt as to the completeness of the information provided by the bank;
2. a question on the bank confirmation request remains unanswered by the bank;
3. the auditor considers there is a risk that material accounts, agreements or transactions exist, that have not been disclosed in the bank confirmation;
4. the bank’s disclaimer regarding the information provided; or
5. limitations arising from the bank’s ability to gather all information in respect of an entity’s banking activities.

The auditor may consider performing additional audit procedures to obtain audit evidence over the completeness of information about the entity’s banking activities, including treasury operations. The appropriateness of performing such procedures is dependent on the entity’s circumstances and the assessed level of risk, and may include:

1. requesting separate confirmation of the completeness of the information directly from the entity’s relationship manager at the bank;
2. contacting the bank separately about specific issues of concern;
3. performing additional journal entry test work around cash and disbursements and reviewing cash transactions for unusual flows of funds;
4. asking the entity to include a paragraph in the management representation letter confirming that the bank information is complete;
5. reviewing minutes of meetings where new bank accounts or arrangements may have been agreed; or
6. enquiring of the entity’s treasury department, or other appropriate personnel in the entity, whether they are aware of any additional banking arrangements.

On its own, an oral response to a bank confirmation request does not meet the definition of an external confirmation because it is not a direct written response to the auditor in paper form or by electronic or other medium^[20]. However, upon obtaining an oral response to a bank confirmation request, the auditor may, depending on the circumstances, request the bank to respond in writing directly to the auditor in paper form, or by electronic or other medium. If no such response is received, in accordance with ASA 505,^[21] the auditor seeks other audit evidence to support the information in the oral response.

The auditor may receive a confirmation response containing a disclaimer or restrictive language. Such restrictions do not necessarily invalidate the reliability of the response as audit evidence^[22]. In general, the auditor may reasonably rely upon information given by the bank provided it corroborates the assertions made by management and is not clearly wrong, suspicious, inconsistent in itself, ambiguous, or in conflict with other evidence gathered during the course of the audit, even where the response includes a standard disclaimer of liability.

However, certain restrictive language may cast doubt on the completeness or accuracy of the information contained in the response, or the auditor’s ability to rely on that information. Examples of such restrictive language include statements such as:

1. Information is obtained from electronic data sources, which may not contain all information in the bank’s possession.
2. Information is not guaranteed to be accurate nor current and may be a matter of opinion.
3. The recipient may not rely upon the information in the bank confirmation.

Whether the auditor may rely on the information confirmed and the degree of such reliance depends on the nature and substance of the restrictive language. Where the practical effect of the restrictive language is difficult to ascertain in the particular circumstances, the auditor may consider it appropriate to seek clarification from the bank or seek legal advice.

If restrictive language limits the extent to which the auditor can rely on the bank confirmation response as audit evidence, additional or alternative audit procedures may need to be performed^[23]. The nature and extent of such procedures depends on factors such as the nature of the item being confirmed, the assertion being tested, the nature and substance of the restrictive language, and relevant information obtained through other audit procedures. If the auditor is unable to obtain sufficient appropriate audit evidence through alternative or additional audit procedures, the auditor is required to consider the implications for the auditor’s report in accordance with ASA 705^[24].