In July, the PCAOB (the Board) issued a proposed revision to AU 330, The Confirmation Process, that if approved will modernize and expand the requirements of audit confirmations. Today, auditors use audit confirmations to obtain reliable audit evidence from third parties, which is an important part of the audit process. Since the current standard AU 330 was written more than 15 years ago, the Board agreed that the standard needed to reflect advances in technology—acknowledging that while technology can improve efficiency, it can also be used to perpetrate fraud, such as intercept confirmation requests and change confirmation responses before they reach the auditor.
The proposed standard also addresses the continued deficiencies seen within the confirmation process itself by defining what a confirmation response is and isn’t, and expanding the types of accounts that are confirmed during an audit. Here are some key changes that will take place if the proposed standard is adopted by the Board:
1. Expands Receivables Requirement expands the requirement of confirmation procedures to receivables that arise from credit sales, loans, or other transactions.
2. Requires Confirmation for Cash requires auditors to perform confirmation procedures for cash and other relationships with financial institutions, such as:
a. Lines of credit;
b. Other indebtedness;
c. Compensating balance; and
d. Contingent liabilities including guarantees.
3. Definition of Confirmation Responses—a confirmation response is audit evidence obtained as a direct communication to the auditor from a third party, either in paper form or by electronic or other medium.
4. Confirm Validity of Addresses—requires an auditor to determine the validity of addresses in confirmation requests.
5. Oral Confirmation Responses—An oral response to a confirmation request is audit evidence, but it does NOT meet the definition of a confirmation response.
6. Internal Auditors Cannot Send Confirmations—To evaluate audit evidence obtained, auditors cannot use internal auditors to send confirmation requests, receive confirmation responses, or evaluate the audit evidence obtained from performing confirmation procedures.
7. Negative Confirmations may be used to reduce audit risk to an acceptable level when:
a. The combined assessed level of inherent and control risk is low;
b. A large number of small balances is involved;
c. The auditor reasonably expects a low exception rate;
d. Auditor has no reason to believe that the recipients of the requests are unlikely to give them consideration.
An auditor should perform other substantive procedures to supplement the use of negative confirmations.
8. Alternative Procedures for Non-Responses requires the auditor to perform appropriate alternative procedures for all non-responses to positive confirmation requests.
9. Investigate All Exceptions requires the auditor to investigate all exceptions in confirmation responses to determine why each exception occurred and whether any exceptions, individually or in the aggregate, are indicative of a misstatement or of a previously unidentified risk of material misstatement.
10. Reliability of Electronic Confirmations—In assessing the reliability of electronic confirmation responses, the auditor should take into account the following risks:
- Process might not be secure or properly controlled;
- Not from a proper source; and
- Integrity of the data may have been compromised.
11. Direct Access—If account access codes are given to the auditor by management of the company and not the confirming party, evidence obtained by the auditor does NOT meet the definition of a confirmation response. It’s only considered audit evidence. If access codes are given to the auditor by the confirming party, the confirming party must also represent its acknowledgement of the use of the direct access by the auditor and that the files to be accessed are responsive to the auditor’s request.
12. Disclaimer or Restrictive Language—If a disclaimer or restrictive language causes doubts about the reliability of a confirmation response, the auditor should obtain additional appropriate audit evidence.
To learn more about the PCAOB, AICPA and IAASB proposed/new standards for audit confirmations, listen to our September 27 recorded webinar “Understanding the New Standards for Audit Confirmations” with speaker Brian Fox, CPA.
For more about standardizing your firm’s audit confirmation process, reducing your exposure to fraud, and increasing efficiency visit www.CPA2Biz.com/Confirmations today.