The objective of the auditor, when using external confirmation procedures, is to design and perform such procedures to obtain relevant and reliable audit evidence.
For purposes of the ISAs, the following terms have the meanings attributed below:
- External confirmation – Audit evidence obtained as a direct written response to the auditor from a third-party (the confirming party), in paper form, or by electronic or other medium.
- Positive confirmation request – A request that the confirming party respond directly to the auditor indicating whether the confirming party agrees or disagrees with the information in the request, or providing the requested information.
- Negative confirmation request – A request that the confirming party respond directly to the auditor only if the confirming party disagrees with the information provided in the request.
- Non-response – A failure of the confirming party to respond, or fully respond, to a positive confirmation request, or a confirmation request returned undelivered.
- Exception – A response that indicates a difference between information requested to be confirmed, or contained in the entity’s records, and information provided by the confirming party.
External Confirmation Procedures
When using external confirmation procedures, the auditor shall maintain control over external confirmation requests, including:
- Determining the information to be confirmed or requested;
- Selecting the appropriate confirming party;
- Designing the confirmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor; and
- Sending the requests, including follow-up requests when applicable, to the confirming party.
Management’s Refusal to Allow the Auditor to Send a Confirmation Request
If management refuses to allow the auditor to send a confirmation request, the auditor shall:
- Inquire as to management’s reasons for the refusal, and seek audit evidence as to their validity and reasonableness;
- Evaluate the implications of management’s refusal on the auditor’s assessment of the relevant risks of material misstatement, including the risk of fraud, and on the nature, timing and extent of other audit procedures; and
- Perform alternative audit procedures designed to obtain relevant and reliable audit evidence.
If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit procedures, the auditor shall communicate with those charged with governance in accordance with ISA 260. The auditor also shall determine the implications for the audit and the auditor’s opinion in accordance with ISA 705.
Results of the External Confirmation Procedures
Reliability of Responses to Confirmation Requests
If the auditor identifies factors that give rise to doubts about the reliability of the response to a confirmation request, the auditor shall obtain further audit evidence to resolve those doubts.
If the auditor determines that a response to a confirmation request is not reliable, the auditor shall evaluate the implications on the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing and extent of other audit procedures.
In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit evidence.
When a Response to a Positive Confirmation Request Is Necessary to Obtain Sufficient Appropriate Audit Evidence
If the auditor has determined that a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence, alternative audit procedures will not provide the audit evidence the auditor requires. If the auditor does not obtain such confirmation, the auditor shall determine the implications for the audit and the auditor’s opinion in accordance with ISA 705.
The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements.
Negative confirmations provide less persuasive audit evidence than positive confirmations. Accordingly, the auditor shall not use negative confirmation requests as the sole substantive audit procedure to address an assessed risk of material misstatement at the assertion level unless all of the following are present:
- The auditor has assessed the risk of material misstatement as low and has obtained sufficient appropriate audit evidence regarding the operating effectiveness of controls relevant to the assertion;
- The population of items subject to negative confirmation procedures comprises a large number of small, homogeneous account balances, transactions or conditions;
- A very low exception rate is expected; and
- The auditor is not aware of circumstances or conditions that would cause recipients of negative confirmation requests to disregard such requests.
Evaluating the Evidence Obtained
The auditor shall evaluate whether the results of the external confirmation procedures provide relevant and reliable audit evidence, or whether further audit evidence is necessary.