Using external confirmations in an ISA (UK) audit

Published: 24 Oct 2017 Reviewed: 30 Jan 2019

Despite concerns about process and reliability, external confirmations can often provide persuasive audit evidence. This guide for auditors looks at the requirements in ISA 505, External confirmations, highlighting circumstances where external confirmations can add value and common questions asked by auditors.
 
 
Key ISAs*
ISA (UK) 505 External confirmations
* The guidance below focuses on key issues in implementing ISAs (UK). It does not address all ISA (UK) requirements.
* All references to "ISAs" in this guide refer to "ISAs (UK)" and are abbreviated for ease of reference only. 

Why is it important?

A number of high-profile corporate financial failures raised the profile of external confirmations as audit evidence. In particular, they highlighted issues around reliability and the need for a questioning mind when conducting confirmations.

Despite some of the potential weaknesses in the process, external confirmations can provide strong audit evidence. In fact, sometimes this is the best evidence available. ISA 505 is intended to help the auditor design and perform external confirmation procedures to obtain relevant and reliable audit evidence.

Requirements and challenges

When do auditors conduct external confirmations?

ISA 505 does not set out the particular circumstances in which confirmations are required, or even suggested. Rather, it refers to the requirements in other ISAs, particularly ISA 330 The auditor’s responses to assessed risks and ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements, to design audit procedures to respond to the assessed risks of material misstatement. ISA 330 specifically requires the auditor to consider whether external confirmation procedures are to be performed as substantive audit procedures [ISA 330.19]. ISA 330 also requires the auditor to obtain more persuasive audit evidence where the assessment of risk is higher [ISA 330.7(b)] and suggests external confirmations as a means of achieving this [ISA 330.A53].

Where the auditor has determined that an external confirmation is necessary to obtain sufficient appropriate audit evidence, ISA 505 requires that the auditor determines the implications of not obtaining those confirmations [ISA 505.13]. Auditors could be challenged on whether they have obtained sufficient appropriate audit evidence if they rely on a weaker form of evidence for something that could have been subject to direct confirmation.

What if management refuses to allow auditors to send a confirmation request?

Even though the auditor may determine that external confirmation is an appropriate means of obtaining audit evidence, management may refuse to allow particular confirmation requests to be sent. This may be for a variety of reasons, some potentially acceptable, such as the existence of a sensitive legal dispute that could be impacted by the receipt of a confirmation request. Other reasons may be more worrying, though, since management could be attempting to deny the auditor access to information that could reveal fraud or error [ISA 505.A8]. It is critical to follow up any such refusal.

If management refuses to allow the auditor to send a confirmation request, the auditor is required to:

  • inquire about the reasons for the refusal and seek audit evidence as to whether the reasons are valid and reasonable;
  • evaluate the implications of the refusal for the risk assessment, including the risk of fraud, and consider the impact on other audit procedures; and
  • perform other audit procedures to obtain relevant and reliable audit evidence [ISA 505.8].

If the auditor concludes that the refusal is unreasonable, or if the auditor is unable to obtain appropriate audit evidence from other procedures, the auditor is required to consider the implications for the audit and the audit opinion and communicate those matters with those charged with governance [ISA 505.9].

How do auditors control the confirmation process?

The auditor is required to maintain control over external confirmation requests [ISA 505.7]. This includes:

  • determining what information is to be confirmed, which may include the terms or absence of conditions, as well as specific balances;
  • selecting who will be asked to provide the confirmation. More relevant and reliable evidence, as well as a better chance of a successful response, will be obtained by contacting a named individual who is knowledgeable about the information to be confirmed;
  • designing the confirmation requests, including mailing addresses and the auditor’s return information. This is an area where thought is needed in order to maximise the opportunity for the respondent to provide the appropriate information; and
  • sending the requests, and any follow-up requests, and receiving responses directly.

How does the design of requests affect the response rate?

The design of the confirmation request may directly affect the response rate and the nature and reliability of the evidence obtained [ISA 505.A3]. As well as cosmetic factors such as the layout of the request, previous experience or knowledge of the business will be relevant. This may include knowledge of whether the confirming party is able to confirm a specific balance, or whether requesting confirmation of an individual invoice amount is a more appropriate option. The auditor also needs to make sure that the requests are properly addressed. This includes testing the validity of some or all of the addresses used in the confirmation requests before they are sent out [ISA 505.A6].

Generally, the auditor requests positive confirmations, where the confirming party is asked to reply to the auditor in all cases, either by indicating agreement with the information provided, or by providing specific information. This is expected to provide reliable audit evidence, although there is a risk that the respondent may agree with information provided without performing checks. The risk can be mitigated by asking the respondent to provide information. However, this may reduce the response rate due to the effort required of the respondent [ISA 505.A5].

Paper or electronic requests?

ISA 505 recognises that confirmation requests may take many forms, ranging from more traditional confirmation request letters through to fax, email and other electronic or online methods. The risk of interception, alteration or fraud is present with any form of confirmation request. Automating the process can introduce factors that may reduce the reliability of the evidence obtained, but may also provide safeguards, not possible in a paper environment, that could increase reliability. For example, the origin or authority of the respondent to an email confirmation request may be difficult to establish. However, incorporating techniques such as encryption, website authenticity and electronic digital signatures into the electronic confirmation process could enhance the reliability of the evidence [ISA 505.A12].

Can negative confirmations be used?

Negative confirmations, where the recipient is only requested to respond in the event of disagreement with the information provided, are often used in relatively restricted areas of specialised engagements such as the understatement of retail bank deposits. They provide less persuasive evidence than positive confirmations [ISA 505.15].

Negative confirmations should not be used as the sole substantive audit procedure unless all of the following conditions are present [ISA 505.15]:

  • the auditor has assessed the risk of material misstatement as low and satisfactorily tested the operating effectiveness of the controls relevant to the assertion;
  • the population comprises a large number of small, homogeneous account balances, transactions or conditions;
  • a very low exception rate is expected; and
  • the auditor is not aware of circumstances or conditions that would cause recipients to disregard the requests.

What do auditors do with responses?

The auditor needs to consider the reliability of the responses received. If there are doubts over reliability, either due to the risks associated with the confirmation process generally, or to specific matters in an individual response, further evidence is obtained to resolve those doubts [ISA 505.10].

The reliability of a response may be called into question if it is received by the auditor indirectly or appears not to have come from the intended respondent [ISA 505.A11]. If the confirmation is received indirectly, the auditor may choose to contact the respondent by telephone, or to request that the confirmation is re-sent directly [ISA 505.A14]. If the respondent has used a third party to provide the response, procedures will be needed to confirm that the response is from the proper source, was authorised and has been accurately transmitted [ISA 505.A13].

Restrictive language added by a respondent regarding the use of the information supplied does not necessarily invalidate the reliability of the response [ISA 505.A16].

If a response is not considered reliable, the auditor needs to consider the implications for the risk assessment, including the risk of fraud, and for other audit procedures.

What about non-responses and exceptions?

Since evidence has not been obtained, alternative procedures need to be performed for each non-response. These might include examining originating documents, correspondence and subsequent cash transactions [ISA 505.12, A18]. In addition, the impact on the risk assessment needs to be considered. An example could be where a lower than expected response rate seems to indicate a previously unidentified fraud risk [ISA 505.A19].

In some cases, a response to a positive confirmation may be seen to be critical when considering whether sufficient appropriate evidence has been obtained. This could be the case when considering particular fraud risk factors that render internal evidence unreliable [ISA 505.A20]. If the confirmation is not received, the auditor needs to consider the impact on the audit opinion [ISA 505.13].

Some responses will not agree with the information provided by the client. This may be because of a misstatement. However, it could also be due to other factors such as timing differences or clerical errors [ISA 505.A22]. Each exception should be investigated in order to establish whether it is in fact a misstatement [ISA 505.14]. If it is, the auditor should consider whether it suggests fraud and/or a deficiency in internal control [ISA 505.A21].

Copyright notice

Extracts from ISAs (UK) are adapted and reproduced with the kind permission of the Financial Reporting Council. All rights reserved. For further information please visit www.frc.org.uk or call +44 (0)20 7492 2300.