Determining the Information to Be Confirmed or Requested (Ref: Para. 7(a))

External confirmation procedures frequently are performed to confirm or request information regarding account balances and their elements.  They may also be used to confirm terms of agreements, contracts, or transactions between an entity and other parties, or to confirm the absence of certain conditions, such as a “side agreement.”

Selecting the Appropriate Confirming Party (Ref: Para. 7(b))

Responses to confirmation requests provide more relevant and reliable audit evidence when confirmation requests are sent to a confirming party the auditor believes is knowledgeable about the information to be confirmed. For example, a financial institution official who is knowledgeable about the transactions or arrangements for which confirmation is requested may be the most appropriate person at the financial institution from whom to request confirmation. 

Designing Confirmation Requests (Ref: Para. 7(c))

The design of a confirmation request may directly affect the confirmation response rate, and the reliability and the nature of the audit evidence obtained from responses.

Factors to consider when designing confirmation requests include: 

• The assertions being addressed.  
• Specific identified risks of material misstatement, including fraud risks.  
• The layout and presentation of the confirmation request.  
• Prior experience on the audit or similar engagements.  
• The method of communication (for example, in paper form, or by electronic or other medium). 
• Management’s authorisation or encouragement to the confirming parties to respond to the auditor. 
• Confirming parties may only be willing to respond to a confirmation request containing management’s authorisation. 
• The ability of the intended confirming party to confirm or provide the requested information (for example, individual invoice amount versus total balance). 

A positive external confirmation request asks the confirming party to reply to the auditor in all cases, either by indicating the confirming party’s agreement with the given information, or by asking the confirming party to provide information.  A response to a positive confirmation request ordinarily is expected to provide reliable audit evidence.  There is a risk, however, that a confirming party may reply to the confirmation request without verifying that the information is correct.  The auditor may reduce this risk by using positive confirmation requests that do not state the amount (or other information) on the confirmation request, and ask the confirming party to fill in the amount or furnish other information.  On the other hand, use of this type of “blank” confirmation request may result in lower response rates because additional effort is required of the confirming parties. 

Determining that requests are properly addressed includes testing the validity of some or all of the addresses on confirmation requests before they are sent out.

Follow-Up on Confirmation Requests (Ref: Para. 7(d))

The auditor may send an additional confirmation request when a reply to a previous request has not been received within a reasonable time.  For example, the auditor may, having re-verified the accuracy of the original address, send an additional or follow-up request. 

Reasonableness of Management’s Refusal (Ref: Para. 8(a))

A refusal by management to allow the auditor to send a confirmation request is a limitation on the audit evidence the auditor may wish to obtain.  The auditor is therefore required to enquire as to the reasons for the limitation.  A common reason advanced is the existence of a legal dispute or ongoing negotiation with the intended confirming party, the resolution of which may be affected by an untimely confirmation request.  The auditor is required to seek audit evidence as to the validity and reasonableness of the reasons because of the risk that management may be attempting to deny the auditor access to audit evidence that may reveal fraud or error.

Implications for the Assessment of Risks of Material Misstatement (Ref: Para. 8(b))

The auditor may conclude from the evaluation in paragraph 8(b) that it would be appropriate to revise the assessment of the risks of material misstatement at the assertion level and modify planned audit procedures in accordance with ASA 315. ^[14] For example, if management’s request to not confirm is unreasonable, this may indicate a fraud risk factor that requires evaluation in accordance with ASA 240. ^[15]

Alternative Audit Procedures (Ref: Para. 8(c))

The alternative audit procedures performed may be similar to those appropriate for a non-response as set out in paragraphs A18-A19 of this Auditing Standard. Such procedures also would take account of the results of the auditor’s evaluation in paragraph 8(b) of this Auditing Standard.

Reliability of Responses to Confirmation Requests (Ref: Para. 10)

ASA 500 indicates that even when audit evidence is obtained from sources external to the entity, circumstances may exist that affect its reliability.^[16] All responses carry some risk of interception, alteration or fraud. Such risk exists regardless of whether a response is obtained in paper form, or by electronic or other medium. Factors that may indicate doubts about the reliability of a response include that it:

• Was received by the auditor indirectly; or
• Appeared not to come from the originally intended confirming party.

Responses received electronically, for example by facsimile or electronic mail, involve risks as to reliability because proof of origin and authority of the respondent may be difficult to establish, and alterations may be difficult to detect.  A process used by the auditor and the respondent that creates a secure environment for responses received electronically may mitigate these risks.  If the auditor is satisfied that such a process is secure and properly controlled, the reliability of the related responses is enhanced.  An electronic confirmation process might incorporate various techniques for validating the identity of a sender of information in electronic form, for example, through the use of encryption, electronic digital signatures, and procedures to verify web site authenticity.

If a confirming party uses a third party to coordinate and provide responses to confirmation requests, the auditor may perform procedures to address the risks that: 

1. The response may not be from the proper source; 
2. A respondent may not be authorised to respond; and 
3. The integrity of the transmission may have been compromised.

The auditor is required by ASA 500 to determine whether to modify or add procedures to resolve doubts over the reliability of information to be used as audit evidence.^[17] The auditor may choose to verify the source and contents of a response to a confirmation request by contacting the confirming party.  For example, when a confirming party responds by electronic mail, the auditor may telephone the confirming party to determine whether the confirming party did, in fact, send the response.  When a response has been returned to the auditor indirectly (for example, because the confirming party incorrectly addressed it to the entity rather than to the auditor), the auditor may request the confirming party to respond in writing directly to the auditor.

On its own, an oral response to a confirmation request does not meet the definition of an external confirmation because it is not a direct written response to the auditor. However, upon obtaining an oral response to a confirmation request, the auditor may, depending on the circumstances, request the confirming party to respond in writing directly to the auditor. If no such response is received, in accordance with paragraph 12, the auditor seeks other audit evidence to support the information in the oral response.

A response to a confirmation request may contain restrictive language regarding its use.  Such restrictions do not necessarily invalidate the reliability of the response as audit evidence.

Unreliable Responses (Ref: Para. 11)

When the auditor concludes that a response is unreliable, the auditor may need to revise the assessment of the risks of material misstatement at the assertion level and modify planned audit procedures accordingly, in accordance with ASA 315.^[18] For example, an unreliable response may indicate a fraud risk factor that requires evaluation in accordance with ASA 240.^[19]

Non-Responses (Ref: Para. 12)

Examples of alternative audit procedures the auditor may perform include: 

• For accounts receivable balances – examining specific subsequent cash receipts, shipping documentation, and sales near the period-end.  
• For accounts payable balances – examining subsequent cash disbursements or correspondence from third parties, and other records, such as goods received notes.

The nature and extent of alternative audit procedures are affected by the account and assertion in question.  A non-response to a confirmation request may indicate a previously unidentified risk of material misstatement.  In such situations, the auditor may need to revise the assessed risk of material misstatement at the assertion level, and modify planned audit procedures, in accordance with ASA 315.^[20]  For example, fewer responses to confirmation requests than anticipated, or a greater number of responses than anticipated, may indicate a previously unidentified fraud risk factor that requires evaluation in accordance with ASA 240.^[21]

When a Response to a Positive Confirmation Request Is Necessary to Obtain Sufficient Appropriate Audit Evidence (Ref. Para. 13)

In certain circumstances, the auditor may identify an assessed risk of material misstatement at the assertion level for which a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence.  Such circumstances may include where: 

• The information available to corroborate management’s assertion(s) is only available outside the entity. 
• Specific fraud risk factors, such as the risk of management override of controls, or the risk of collusion which can involve employee(s) and/or management, prevent the auditor from relying on evidence from the entity.

Exceptions (Ref: Para. 14)

Exceptions noted in responses to confirmation requests may indicate misstatements or potential misstatements in the financial statements.  When a misstatement is identified, the auditor is required by ASA 240 to evaluate whether such misstatement is indicative of fraud.^[22]  Exceptions may provide a guide to the quality of responses from similar confirming parties or for similar accounts.  Exceptions also may indicate a deficiency, or deficiencies, in the entity’s internal control over financial reporting. 

Some exceptions do not represent misstatements.  For example, the auditor may conclude that differences in responses to confirmation requests are due to timing, measurement, or clerical errors in the external confirmation procedures. 

(Ref: Para. 15)

The failure to receive a response to a negative confirmation request does not explicitly indicate receipt by the intended confirming party of the confirmation request or verification of the accuracy of the information contained in the request.  Accordingly, a failure of a confirming party to respond to a negative confirmation request provides significantly less persuasive audit evidence than does a response to a positive confirmation request.  Confirming parties also may be more likely to respond indicating their disagreement with a confirmation request when the information in the request is not in their favour, and less likely to respond otherwise.  For example, holders of bank deposit accounts may be more likely to respond if they believe that the balance in their account is understated in the confirmation request, but may be less likely to respond when they believe the balance is overstated.  Therefore, sending negative confirmation requests to holders of bank deposit accounts may be a useful procedure in considering whether such balances may be understated, but is unlikely to be effective if the auditor is seeking evidence regarding overstatement.

(Ref: Para. 16)

When evaluating the results of individual external confirmation requests, the auditor may categorise such results as follows: 

1. A response by the appropriate confirming party indicating agreement with the information provided in the confirmation request, or providing requested information without exception;  
2. A response deemed unreliable; 
3. A non-response; or 
4. A response indicating an exception.

The auditor’s evaluation, when taken into account with other audit procedures the auditor may have performed, may assist the auditor in concluding whether sufficient appropriate audit evidence has been obtained or whether further audit evidence is necessary, as required by ASA 330.^[23]