Scope and objectives
SA 505 is the auditing standard that provides guidance to auditors on using external confirmation procedures to obtain relevant and reliable audit evidence. External confirmation procedures involve the auditor obtaining direct written responses from third parties (known as confirming parties) in paper form, electronic form, or another medium. The purpose of SA 505 is to help auditors design and perform external confirmation procedures to obtain relevant and reliable audit evidence.
The reliability of audit evidence is influenced by its source and nature and by individual circumstances. Generally, audit evidence is considered more reliable when it is obtained from independent sources outside the entity, obtained directly by the auditor rather than indirectly or by inference, and exists in documentary form (whether paper, electronic, or other medium). Depending on the circumstances of the audit, evidence obtained in the form of external confirmations received directly by the auditor from confirming parties may be more reliable than evidence generated internally by the entity.
SA 505 also mentions that other SAs acknowledge the importance of external confirmations as audit evidence. For example, SA 330 requires the auditor to design and perform substantive procedures for each material class of transactions, account balance, and disclosure, and consider whether external confirmation procedures are to be performed as substantive audit procedures. SA 240 notes that the auditor may design confirmation requests to obtain additional corroborative information as a response to address the assessed risks of material misstatement, whether due to fraud or error. SA 500 indicates that corroborating information obtained from a source independent of the entity, such as external confirmations, may increase the assurance the auditor obtains from evidence existing within the accounting records or from the representations made by management.
The objective of the auditor when using external confirmation procedures is to design and perform such procedures to obtain relevant and reliable audit evidence. SA 505 also provides definitions for the terms it uses, such as external confirmation, positive confirmation request, negative confirmation request, non-response, and exception. Finally, SA 505 is effective for audits of financial statements for periods beginning on or after April 1, 2010.
External Confirmation Procedures
This section covers the requirements and considerations for external confirmation procedures in auditing. External confirmation procedures involve requesting information or confirmation from parties outside of the audited entity, such as banks, vendors, or customers, in order to obtain audit evidence that supports the financial statement assertions.
There are four key steps that the auditor must follow to maintain control over external confirmation procedures:
- Determine the information to be confirmed or requested.
- Select the appropriate confirming party.
- Design the confirmation requests, including addressing, content, and format.
- Send the requests, including follow-up requests, when necessary, to the confirming party.
SA 505 also highlights several factors that should be considered when designing confirmation requests, such as the assertions being addressed, identified risks of material misstatement, prior audit experience, and the ability of the intended confirming party to provide the requested information. Additionally, the text distinguishes between positive and blank confirmation requests, and notes that while positive requests can provide reliable evidence, there is a risk that the confirming party may reply without verifying the information, whereas blank requests may result in lower response rates.
Overall, SA 505 emphasizes the importance of maintaining control over external confirmation procedures in order to obtain reliable audit evidence that supports the financial statement assertions.
Management’s Refusal to Allow the Auditor to Send a Confirmation Request
SA 505 sets out the procedures an auditor should follow if management refuses to allow the auditor to send a confirmation request. According to the guidelines, if such a situation arises, the auditor should first inquire about the reasons for the refusal and evaluate the implications on the risks of material misstatement and other audit procedures. The auditor should then perform alternative audit procedures to obtain relevant and reliable audit evidence.
If the auditor concludes that management’s refusal is unreasonable, or the auditor is unable to obtain reliable audit evidence, the auditor should communicate with those charged with governance and determine the implications for the audit and the auditor’s opinion. The auditor should follow the relevant standards outlined in SA 260 and SA 705.
The reason for management’s refusal to allow the auditor to send a confirmation request could be the existence of a legal dispute or ongoing negotiation, and the resolution of such matters could be affected by an untimely confirmation request. The auditor should seek audit evidence as to the validity and reasonableness of the reasons provided by management. If the auditor finds that management’s refusal is unreasonable, it may indicate a fraud risk factor that requires further evaluation.
In summary, when management refuses to allow the auditor to send a confirmation request, the auditor should evaluate the reasons for the refusal, perform alternative audit procedures, communicate with those charged with governance, and determine the implications for the audit and the auditor’s opinion.
Reliability of Responses to Confirmation Requests
This section addresses the reliability of responses to confirmation requests during an audit. If an auditor has doubts about the reliability of a response, they must obtain further audit evidence to address those doubts. Responses to confirmation requests carry some risk of interception, alteration, or fraud, regardless of whether they are received in paper form or electronically. Factors that may indicate doubts about the reliability of a response include receiving it indirectly or it not appearing to come from the originally intended confirming party.
SA 505 also notes that responses received electronically, such as by facsimile or email, may be particularly risky in terms of reliability. However, if the auditor is satisfied that a secure and properly controlled electronic confirmation process is used, the reliability of the related responses is enhanced. The process might involve various techniques for validating the identity of the sender of information in electronic form, such as encryption, electronic digital signatures, and procedures to verify website authenticity.
If a confirming party uses a third party to coordinate and provide responses to confirmation requests, the auditor may perform procedures to address the risks that the response may not be from the proper source, a respondent may not be authorized to respond, or the integrity of the transmission may have been compromised.
If the auditor determines that a response to a confirmation request is not reliable, they must evaluate the implications on the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing, and extent of other audit procedures. Depending on the circumstances, the auditor may need to revise the assessment of the risks of material misstatement at the assertion level and modify planned audit procedures accordingly.
SA 505 also sets out the steps an auditor should take in the event of non-responses or a lack of confirmation to audit requests. In the case of non-response, the auditor must perform alternative audit procedures to obtain reliable and relevant evidence. The text gives examples of alternative audit procedures, such as examining subsequent cash receipts, shipping documentation, sales records, and goods received notes. The nature and extent of alternative procedures depend on the account and assertion being audited.
If a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence, alternative procedures will not be enough. In this case, if the auditor does not receive confirmation, they must determine the implications for the audit and their opinion in accordance with SA 705. Circumstances where a response to a positive confirmation request may be necessary include where the information to corroborate management’s assertions is only available outside the entity or when specific fraud risk factors prevent the auditor from relying on evidence from the entity.
The auditor should investigate exceptions when reviewing responses to confirmation requests. An exception is a discrepancy between the information provided in the confirmation response and the recorded balance in the financial statements. The auditor is required to investigate exceptions to determine if they indicate a misstatement or potential misstatement in the financial statements.
If a misstatement is identified, the auditor must evaluate whether it is indicative of fraud. Exceptions may also indicate deficiencies in the entity’s internal control over financial reporting. However, some exceptions do not represent misstatements and can be due to timing, measurement, or clerical errors in the external confirmation procedures.
The auditor must carefully investigate exceptions to determine if they indicate misstatements or deficiencies in internal control, and if necessary, evaluate if they indicate the possibility of fraud.
Negative confirmations provide less reliable audit evidence than positive confirmations. Therefore, the auditor should not rely solely on negative confirmations as a substantive audit procedure to address an assessed risk of material misstatement at the assertion level unless certain conditions are met.
These conditions are that the auditor has assessed the risk of material misstatement as low, obtained sufficient appropriate audit evidence regarding the operating effectiveness of controls relevant to the assertion, and the population of items subject to negative confirmation procedures comprises a large number of small, homogeneous, account balances, transactions or conditions.
Additionally, a very low exception rate is expected, and the auditor is not aware of circumstances or conditions that would cause recipients of negative confirmation requests to disregard such requests.
Failure to receive a response to a negative confirmation request does not necessarily indicate receipt by the intended confirming party of the confirmation request or verification of the accuracy of the information contained in the request. Therefore, negative confirmations are less persuasive than positive confirmations.
Confirming parties may be more likely to respond indicating their disagreement with a confirmation request when the information in the request is not in their favour, and less likely to respond otherwise. Therefore, sending negative confirmation requests to holders of bank deposit accounts may be a useful procedure in considering whether such balances may be understated, but is unlikely to be effective if the auditor is seeking evidence regarding overstatement.
Evaluating the Evidence Obtained
The auditor is responsible for evaluating the results of the external confirmation procedures performed during the audit, to determine whether the evidence obtained is relevant and reliable, and whether additional audit procedures are necessary.
The auditor is required to assess the results of individual external confirmation requests, and categorize them into four categories:
(a) Responses that indicate agreement with the information provided in the confirmation request or provide requested information without exception.
(b) Responses that are deemed unreliable.
(c) Non-responses.
(d) Responses indicating an exception.
The auditor’s evaluation of the results obtained from external confirmation procedures, along with other audit procedures performed, will assist in determining whether sufficient appropriate audit evidence has been obtained, or whether additional audit procedures are necessary.
Overall, SA 505 emphasizes the importance of evaluating the results of external confirmation procedures and using them in conjunction with other audit procedures to arrive at appropriate audit conclusions.
Quiz: External Confirmations (SA 505)
1. What are external confirmation procedures in auditing?
a) Procedures performed by the entity’s management to confirm financial information internally.
b) Procedures performed by the auditor to obtain relevant and reliable audit evidence from third parties.
c) Procedures performed by the confirming parties to validate the audit evidence.
d) Procedures performed by the audit committee to review the auditor’s confirmation requests.
2. Which of the following factors contributes to the reliability of audit evidence obtained through external confirmations?
a) Obtained indirectly or by inference from the entity.
b) Generated internally by the entity.
c) Obtained from independent sources outside the entity.
d) Exists in non-documentary form.
3. Which auditing standard acknowledges the importance of external confirmations as audit evidence?
a) SA 505
b) SA 330
c) SA 240
d) SA 500
4. What are the key steps that an auditor must follow to maintain control over external confirmation procedures?
a) Determine, select, design, and send confirmation requests.
b) Assess, select, review, and verify confirmation responses.
c) Inquire, evaluate, communicate, and revise confirmation procedures.
d) Investigate, evaluate, assess, and conclude confirmation outcomes.
5. How should an auditor respond if management refuses to allow the auditor to send a confirmation request?
a) Continue with the audit procedures without considering the refusal.
b) Report the refusal as a significant audit finding.
c) Inquire about the reasons for the refusal and perform alternative audit procedures.
d) Reject the engagement and terminate the audit.
6. What should an auditor do if they have doubts about the reliability of a response to a confirmation request?
a) Accept the response as reliable and proceed with the audit.
b) Obtain further audit evidence to address the doubts.
c) Discard the response and seek alternative confirmation sources.
d) Ignore the doubts and rely on other audit procedures.
7. Which type of confirmation requests provide less reliable audit evidence?
a) Positive confirmation requests.
b) Negative confirmation requests.
c) Blank confirmation requests.
d) Partial confirmation requests.
8. Under what conditions can an auditor rely solely on negative confirmations as a substantive audit procedure?
a) When the auditor has a high exception rate.
b) When the auditor assesses the risk of material misstatement as low.
c) When the population of items subject to negative confirmations is large and heterogeneous.
d) When the auditor is aware of circumstances that would cause recipients to disregard negative confirmations.
9. What should an auditor do if they receive a non-response to a positive confirmation request?
a) Assume that the confirming party agrees with the information provided.
b) Treat it as an exception and consider it a misstatement.
c) Perform alternative audit procedures to obtain relevant evidence.
d) Send a follow-up request to the confirming party.
10. How should an auditor evaluate the results of external confirmation procedures?
a) Categorize the responses into agreement, reliability, non-response, and exception.
b) Reject the responses that indicate exceptions and rely on the rest.
c) Accept all responses as reliable without further evaluation.
d) Seek validation from multiple confirming parties for each request.
11. What is the purpose of SA 505 regarding external confirmation procedures?
a) To provide guidance on designing internal control systems.
b) To help auditors obtain relevant and reliable audit evidence.
c) To outline the responsibilities of management in the confirmation process.
d) To establish standards for communication between auditors and confirming parties.
12. How can the reliability of audit evidence obtained through external confirmations be enhanced?
a) By obtaining evidence from internal sources within the entity.
b) By relying solely on electronic confirmation requests.
c) By verifying the authenticity of the confirming party’s website.
d) By obtaining responses directly from independent sources outside the entity.
13. Which auditing standard emphasizes the importance of external confirmations as audit evidence for material classes of transactions, account balances, and disclosures?
a) SA 330
b) SA 240
c) SA 500
d) SA 505
14. In the context of external confirmations, what does “non-response” refer to?
a) A response that indicates an exception or discrepancy.
b) The refusal of management to allow the auditor to send confirmation requests.
c) The absence of a response from the intended confirming party.
d) A response that provides requested information without exception.
15. What actions should an auditor take when they encounter non-responses or a lack of confirmation to audit requests?
a) Ignore the non-responses and proceed with the audit.
b) Perform alternative audit procedures to obtain reliable evidence.
c) Conclude that the account balances or transactions are materially misstated.
d) Communicate with management to resolve the non-response issue.
16. When reviewing responses to confirmation requests, what should the auditor investigate?
a) The identity of the confirming party.
b) Exceptions or discrepancies between the response and the financial statements.
c) The reasons provided by management for refusing confirmation requests.
d) The level of risk associated with the assertions being addressed.
17. What does it indicate if an auditor receives a response indicating an exception to a confirmation request?
a) There is a misstatement or potential misstatement in the financial statements.
b) The confirming party disagrees with the information provided in the request.
c) The auditor should disregard the response and seek alternative confirmation sources.
d) The entity’s internal control over financial reporting is deficient.
18. Under what circumstances should an auditor rely solely on negative confirmations as a substantive audit procedure?
a) When the auditor wants to identify overstatements in account balances.
b) When the auditor has a low exception rate and assessed risk of material misstatement.
c) When the auditor wants to obtain evidence from internal sources within the entity.
d) When the population of items subject to negative confirmations is small and heterogeneous.
19. If an auditor has doubts about the reliability of a response to a confirmation request, what should they do?
a) Accept the response as reliable and proceed with the audit.
b) Obtain further audit evidence to address the doubts.
c) Reject the response and seek confirmation from a different confirming party.
d) Communicate the doubts to management and request additional documentation.
20. What is the auditor’s responsibility regarding the evaluation of external confirmation procedures performed during the audit?
a) To rely solely on the results of the confirmation requests for audit conclusions.
b) To categorize the responses into reliable and unreliable without further evaluation.
c) To assess the implications of the confirmation responses on the risks of material misstatement.
d) To communicate the confirmation results to those charged with governance without analysis.