TMCnet News

The External Confirmation Process [CPA Journal, The]
[March 04, 2014]

(CPA Journal, The Via Acquire Media NewsEdge)

New Guidance under the Clarified Audit Standards

The Auditing Standards Board (ASB) issued its long-anticipated Clarity Project standards, effective for audits of financial periods ending on or after December 15, 2012, in order to achieve two goals. First, the ASB wanted to continue the convergence of U.S. auditing standards with international auditing standards. Second, it sought to make auditing standards more readable and to provide enhanced application and explanatory guidance. Although the ASB considers the clarified standards' changes to be fundamentally nonsubstantive (other than the changes for audit reports), it has provided a considerable amount of useful new implementation guidance in several areas, including the use of external confirmations. Because confirmation procedures could represent a substantial portion of an audit engagement, auditors should be familiar with the changes enacted by AU-C section 505, "External Confirmations."

Considerations in Designing Confirmations

The use of external third-party confirmations has been an integral procedure since the issuance of the first professional auditing standards by the Committee on Auditing Procedure in 1939, which required the confirmation of accounts receivable. Starting in 1991, Statement on Auditing Standards (SAS) 67, The Confirmation Process, required auditors to confirm accounts receivable, unless they were immaterial or the use of confirmations would be ineffective. External confirmations are ordinarily obtained (in writing) directly from sources outside an audited entity, and they represent relatively persuasive forms of audit evidence.



When risk is assessed as being high, auditors should use more persuasive positive confirmations. The clarified standards now include a fourth criterion to apply when considering whether to use less persuasive negative confirmations: auditors must anticipate a very low exception rate. It is improbable that an auditor could use negative accounts receivable confirmations, because it is highly unlikely that the combined inherent and control risk (risk of material misstatement) for key assertions could ever be low. In an audit of bank deposit liabilities, however, auditors can often employ negative confirmation requests because the remaining criteria are typically met. For example, there are a large number of small, homogenous balances; recipients are unlikely to disregard the requests; the assessed risk of material misstatement is low; and an auditor has likely obtained sufficient appropriate evidence relating to the effectiveness of relevant controls for key assertions. But implicit in the use of negative confirmations is the assumption that the addressee received the confirmation request and agreed with the information shown.

The clarified auditing standards were the first authoritative standards to address the efficacy of e-mail and other kinds of electronic confirmations. In the fast-paced audit environment, responses to confirmation requests sent and received via e-mail can provide quicker response times. Auditors are increasingly using e-mail confirmations (preferably with the capability for electronic digital signatures), with the proviso that some or all of the e-mail addresses provided by management be verified. In addition, auditors sometimes use web portals to access and obtain needed information from a third-party service provider, such as a broker. The service provider sets up the portal and provides a unique login ID and password for temporary (often until the anticipated audit report date) access to an entity's detailed account statements.


The clarified standards caution auditors to apply additional or more extensive procedures if the assertions are higher risk or if e-mail addresses appear potentially less reliable and easier to falsify (e.g., [email protected] versus [email protected]). The use of encryption, electronic digital signatures, and procedures to verify the authenticity of a website provides evidence that the confirmation is legitimate when received through e-mail. Some auditors affix a unique code to individual confirmation requests; this code serves as a distinguishing mark to authenticate responses received, and it may be applied via stickers or manually handwritten after the entity has provided the confirmation. (The code's complexity is a matter of auditor judgment.) The paper confirmation is then scanned and sent by e-mail or fax to the intended respondent.

Electronic confirmations can provide reliable audit evidence if generated in a secure environment that mitigates the risks of interception or alteration. For example, auditors routinely confirm cash and loan balances under the often-tight timelines of the audit process. Bank and client account information is entered in a secure, closed, password-protected, and data-encrypted system via an intermediary online link between the auditor and financial institution. This service is especially useful because some financial institutions will no longer accept paper confirmation requests received via postal mail.

To rely on an electronic confirmation process, auditors must be satisfied with the integrity of the process. When confirmations are received electronically, auditors should perform procedures to verify the respondent's authenticity and authority to provide the information. Although assurance trust services reports or another service auditor's Service Organization Control (SOC) 2 report are not required, they can address the operating effectiveness of the service provider's controls over the process. It is important to note that when management provides the auditor with access codes or information needed to confirm data, such evidence does not meet the definition of external confirmation.

If management refuses to allow an auditor to perform confirmation procedures, there must be a legitimate basis for the refusal (for example, a legal dispute or an ongoing negotiation, the resolution of which might be affected by the receipt of an untimely confirmation request by the intended confirming party). In such cases, an auditor must seek evidence about the validity and reasonableness of the reasons for management's refusal. An unreasonable refusal might suggest a fraud risk that requires auditor evaluation.

New Issues Involving Confirmation Responses

Confirmation responses might contain restrictive disclaimer language; however, this doesn't necessarily affect the reliability of the information being confirmed. The following are examples of such innocuous disclaimers:

* Information is furnished as a matter of courtesy, without a duty to do so and without responsibility, liability, or warranty (either express or implied).

* The reply is given solely for the purpose of the audit, without any responsibility on the part of the respondent, its employees, or its agents, and the reply does not relieve the auditor from any other inquiry or the performance of any other duty.

Moreover, restrictive language might not be problematic if it doesn't relate to an assertion being tested. For example, disclaimer language regarding the valuation assertion for investments would not affect reliability of the response if the existence assertion were being tested.

Conversely, some restrictive language might raise questions about the completeness or accuracy of the information in the response, such as in the following cases:

* The information is not guaranteed to be accurate or current, and it might be a matter of opinion.

* The recipient may not rely upon the information in the confirmation.

* Information is obtained from electronic data sources, which might not contain all of the information in the respondent's possession.

Such responses can raise concerns about whether the respondent is being forthcoming about critical transaction "side deals," as was the case with Enron, to cite a high-profile example. Other nonrestrictive language may not be problematic if it does not relate to an assertion being tested; for example, disclaiming language regarding the valuation assertion for investments would not affect reliability of the response if the existence assertion is being tested.

External evidence is inherently more reliable than most other sources of evidence, but all confirmation responses, whether paper or electronic, carry some risk of interception, alteration, or fraud. The following factors raise questions about the reliability of confirmation responses:

* The information was received electronically via an insecure process or system; its proof of origin or identity might be difficult to establish and alterations difficult to detect.

* The information was erroneously provided to the client, as opposed to the auditor.

* The information appears not to have come from the intended confirming party.

In the case of questionable paper responses (e.g., the confirmation was addressed to the client), auditors may request the confirming party to respond directly to the auditor in writing. The auditor's concerns about the reliability of electronic responses can be minimized through a system or process that validates the respondent or by directly phoning the alleged sender and making sure that the information the auditor received corresponds to the information transmitted. During a telephone verification, auditors should independently verify the phone numbers of intended respondents, rather than calling extensions provided by the client or included in correspondence received by the client.

If, despite these procedures, a response is determined to be unreliable or otherwise unable to be corroborated, an auditor might need to revise the assessment of the risk of material misstatement at the assertion level, modify planned audit procedures, and consider whether the situation suggests a fraud risk factor that requires evaluation. Furthermore, an auditor should communicate the issue to those charged with governance and should determine implications for the audit approach and the auditor's opinion.

Although oral responses to confirmations do not meet the definition of an external confirmation, auditors may take an oral response into consideration when determining the nature and extent of additional audit procedures, provided that a direct written response is determined to be unnecessary. Such additional procedures would include telephoning the respondent using a phone number that the auditor has verified as legitimate, combined with a statement or other correspondence received by the entity related to the assertions being confirmed. Having performed these additional steps, an auditor may conclude that sufficient appropriate evidence has been obtained. In addition, an auditor should document the respondent's name and position, as well as the date and time of the conversation, in order to enable other experienced auditors who review the work to understand the extent of the procedures performed and repeat those procedures with substantially the same results.

A large number of responses to negative confirmation requests (e.g., bank deposit liabilities) might indicate a previously unidentified fraud risk factor that requires evaluation. Although most exceptions reported on confirmation requests turn out to be timing differences or clerical errors, auditors are required to evaluate whether any actual identified misstatements could indicate deficiencies in internal controls or fraud.

New Issues Involving Nonresponses to Confirmations

Auditors must realize that nonresponses to negative confirmations do not indicate successful receipt by the intended confirming party or the party's verification of the information. In addition, intended respondents might be less likely to respond regarding disagreements that are in their favor, such as an understated accounts receivable balance or an overstated bank account balance. A significant number of nonresponses to a positive confirmation request might indicate a previously unidentified risk of material misstatement. In such cases, the auditor might need to revise the assessed risk of material misstatement at the assertion level and modify planned audit testing.

Alternative procedures should be applied when testing nonresponding positive requests, unless both 1) the nonresponding positives, projected to the population as being 100% misstated, are immaterial when added to the sum of other unadjusted differences in the audit, and 2) there is no identifiable bias in the nonresponding positive requests (recognizing that an obvious bias is not always evident).

An auditor may decide that a written response to a positive confirmation request is imperative. This can occur, for example, when:

* the evidence obtained from the entity cannot be relied upon, due to specific fraud risk factors, such as management override or risk of collusion, whether involving employees or management, or

* the information needed to corroborate management's assertions is available only outside the entity, such as when a third party holds investments in a limited partnership arrangement and the company must obtain from the general partner the cost basis to calculate gains or losses.

If the auditor has determined that a written response to a positive confirmation request is necessary but it has not been received, or if the auditor has only received an oral response (akin to a nonresponse), the next step would be to verify the accuracy of the original addresses and send second requests. If the auditor still does not receive necessary confirmation requests, alternative procedures will not provide the necessary level of persuasive audit evidence. Consequently, the auditor must determine the implications for the audit and auditor's opinion. Conversely, the auditor may decide that alternative procedures should be applied, despite receipt of positive confirmations, for example, to test the collectability of material receivables or to address cases where there are cut-off risks.

What Does It All Mean?

In the new clarified standards, the ASB provided a wealth of useful implementation guidance for the external confirmation process, especially with respect to the expanding use of electronic audit confirmations, to appropriately resolving doubts about the reliability of confirmation responses, and to properly responding to potentially restrictive language in confirmation responses. As previously mentioned, confirmation procedures could represent a substantial portion of time spent on the audit; thus, auditors should consider designing and controlling a well-thought-out confirmation process to enhance both audit effectiveness and efficiency. Recognizing the importance of the persuasiveness of the audit evidence obtained through confirmations and appropriately addressing the nature of responses or nonresponses and disclaimer language will help auditors maximize the value of confirmations in providing audit assurances.

By Donald K. McConnell Jr., Charles H. (Chip) Schweiger, and Stephanie C. McConnell

Donald K. McConnell Jr., PhD, CPA, CFE, is a professor of accounting and a University Distinguished Teaching Professor at the University of Texas at Arlington. Charles H. (Chip) Schweiger, CPA, is a partner of assurance and advisory services at Whitley Penn LLP, Houston, Tex. Stephanie C. McConnell, CPA, is a senior manager of assurance services at Ernst & Young LLP, Dallas, Tex.

(c) 2014 New York State Society of Certified Public Accountants
