Electronic Confirmation Process
22
To make the external confirmation process more efficient and effective, auditors and banks have been increasingly relying on new technologies to facilitate the bank confirmation process. ASA 505 does not preclude the use of an electronic confirmation process or the acceptance of electronic confirmations as audit evidence.
23
Electronic confirmation, in the context of this Guidance Statement, refers to the auditor using a technological resource which automates all or part of the confirmation process. Examples of these technologies include service providers who establish a secure platform through which the confirming party and auditor communicate directly, or other technological resources which directly interface with the confirming party’s systems, such as an Application Programming Interface (API).
24
Email and facsimile are largely paper-based confirmation processes using technology; they have been excluded from electronic confirmations in the context of this Guidance Statement and are captured under paper-based confirmations.
Maintaining Control of an Electronic Confirmation Request
25
When an electronic confirmation process is used, the auditor may be relying on the processes and controls of an external party or the firm to maintain control over the external confirmation process.
26
The procedures the auditor performs to maintain control over the confirmation process may be dependent on whether the electronic confirmation resource is a technological resource that has been approved for use by the firm. Where the technological resource is not approved for use by the firm, additional procedures may need to be performed to evidence that the auditor has maintained control over the confirmation process.
Electronic Confirmation Resources Approved by the Firm
27
An electronic confirmation resource, whether developed or obtained by the firm or from a service provider, is a technological resource that is used directly by the engagement team in the performance of the engagement. Where the auditor is using an electronic confirmation resource approved for use by the firm, the firm, in accordance with the quality objective of ASQM 1[11], has been through a quality management process so that the technological resource is appropriate for use in the performance of engagements.
28
When making a technological resource available to engagement teams[12], a firm may consider a number of matters including:
- The technological resource operates as designed and achieves the purpose for which it is intended;
- Confidentiality of the data is preserved;
- The need to develop procedures that set out how the technological resource operates.
29
Where the technological resource made available to the engagement team for use in the performance of engagements comes from a service provider[13], there are further matters that the firm may consider, including:
- The nature and scope of the use of the technological resource;
- The extent to which the technological resource is used;
- How the service provider intends to maintain the technological resources.
30
In meeting the quality objective that appropriate technological resources are used in the performance of engagements, the firm may consider obtaining control reports[14] for the technological resource and reviewing the areas of those reports that are relevant to maintaining control of the confirmation process.
31
Where a report is expected to be used as audit evidence, the requirements of ASA 402[15] may provide an appropriate framework for the firm’s evaluation of the appropriateness of the resource.
32
Once a firm considers that the technological resource is appropriate for use in the performance of engagements, the firm may monitor for changes in the environment since the report was issued and consider whether those changes in the environment would impact on the firm’s ability to rely on the report.
33
Where a report is not able to be provided or is not sufficiently reliable for the intended purpose, as an alternative the firm may perform direct testing of the design and operating effectiveness of the technological resource’s relevant controls.
34
Once the technological resource is approved by the firm, the firm may establish policies and procedures for the engagement team’s use of the technological resource. For example, the firm may have a policy limiting use to specifically approved personnel, or have a policy that only resources on a firm-approved list can be used.
The Engagement Partner’s Responsibility where the Technological Resource is Approved by the Firm
36
When using technological resources approved by the firm, the engagement partner is ordinarily able to rely on the firm’s policies and procedures to approve that resource for use. To be able to rely on the firm’s approval of the resource, the engagement team follows the firm’s policies and procedures around the use of the technological resource, including whether specialist expertise is required, and remains alert for any information throughout the engagement that may indicate that the firm’s policies and procedures related to the resource are not operating effectively.
The Engagement Partner’s Responsibility where the Technological Resource is Not Approved by the Firm
37
Not all technological resources used by the engagement team in the performance of an engagement will be a resource approved by the firm. Where a technological resource is used in the confirmation process and it is not approved by the firm, the engagement partner is responsible for performing procedures to obtain sufficient appropriate evidence that the technological resource is appropriate for use in the circumstances.
38
The engagement team may perform procedures based on paragraphs 28-34.
[11] See ASQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements, paragraph 32 (f) and 32 (h).
[12] See ASQM 1, paragraphs A100.
[13] See ASQM 1, paragraph A107.
[14] For example, ASAE 3402 Assurance Reports on Controls at a Service Organisation reports or Independent Service Auditor’s Reports on Service Organisation Controls (SOC reports).
[15] See ASA 402 Auditing Considerations Relating to an Entity Using a Service Organisation.
See ASA 220, paragraphs 25–28.