When using external confirmation procedures, the auditor shall maintain control over external confirmation requests, including: 

1. Determining the information to be confirmed or requested; (Ref: Para. A1)
2. Selecting the appropriate confirming party; (Ref: Para. A2)
3. Designing the confirmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor; and (Ref: Para. A3-A6)
4. Sending the requests, including follow-up requests when applicable, to the confirming party. (Ref: Para. A7)

If management refuses to allow the auditor to send a confirmation request, the auditor shall: 

1. Enquire as to management’s reasons for the refusal, and seek audit evidence as to their validity and reasonableness; (Ref: Para. A8)
2. Evaluate the implications of management’s refusal on the auditor’s assessment of the relevant risks of material misstatement, including the risk of fraud, and on the nature, timing and extent of other audit procedures; and (Ref: Para. A9)
3. Perform alternative audit procedures designed to obtain relevant and reliable audit evidence. (Ref: Para. A10)

If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit procedures, the auditor shall communicate with those charged with governance in accordance with ASA 260. ^[12] The auditor also shall determine the implications for the audit and the auditor’s opinion in accordance with ASA 705. ^[13]

Reliability of Responses to Confirmation Requests

If the auditor identifies factors that give rise to doubts about the reliability of the response to a confirmation request, the auditor shall obtain further audit evidence to resolve those doubts. (Ref: Para. A11-A16)

If the auditor determines that a response to a confirmation request is not reliable, the auditor shall evaluate the implications on the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing and extent of other audit procedures.  (Ref: Para. A17)

Non-Responses

In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit evidence. (Ref: Para A18-A19)

When a Response to a Positive Confirmation Request Is Necessary to Obtain Sufficient Appropriate Audit Evidence

If the auditor has determined that a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence, alternative audit procedures will not provide the audit evidence the auditor requires. If the auditor does not obtain such confirmation, the auditor shall determine the implications for the audit and the auditor’s opinion in accordance with ASA 705. (Ref: Para A20)

Exceptions

The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements. (Ref: Para. A21-A22)

Negative confirmations provide less persuasive audit evidence than positive confirmations. Accordingly, the auditor shall not use negative confirmation requests as the sole substantive audit procedure to address an assessed risk of material misstatement at the assertion level unless all of the following are present: (Ref: Para. A23)

1. The auditor has assessed the risk of material misstatement as low and has obtained sufficient appropriate audit evidence regarding the operating effectiveness of controls relevant to the assertion; 
2. The population of items subject to negative confirmation procedures comprises a large number of small, homogeneous, account balances, transactions or conditions; 
3. A very low exception rate is expected; and 
4. The auditor is not aware of circumstances or conditions that would cause recipients of negative confirmation requests to disregard such requests.

The auditor shall evaluate whether the results of the external confirmation procedures provide relevant and reliable audit evidence, or whether further audit evidence is necessary.  (Ref: Para A24-A25)