CAS 505 External Confirmations

CAS 505

External confirmation – Audit evidence obtained as a direct written response to the auditor from a third party (the confirming party) in paper/electronic form
Positive confirmation request – A request that the confirming party respond directly to the auditor indicating whether the confirming party agrees or disagrees with the information in the request, or providing the requested information
Negative confirmation request – A request that the confirming party respond directly to the auditor only if the confirming party disagrees with the information provided in the request

When using external confirmation procedures, the auditor shall do the following:
- Determining the information to be confirmed or requested
- Selecting the appropriate confirming party (to someone who has knowledge of the info)
- Designing the confirmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor
- Sending the requests, including follow-up requests to the confirming party
If management refuses to allow the auditor to send a confirmation request:
- Evaluate if management’s reasons for the refusal are valid and reasonable
  - Management may have a valid reason such as a legal dispute or ongoing negotiation with the confirming party, which may be disrupted by an untimely confirmation request by the auditor
- Evaluate the implications of refusal on the risks of material misstatement, the risk of fraud, and on the nature, timing and extent of other audit procedures; and
- Perform alternative audit procedures
If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is unreasonable or the auditor is unable to obtain audit evidence from alternative audit procedures, the auditor shall communicate with those charged with governance and determine the implications on the auditor’s opinion

If the auditor identifies factors that puts to doubt the reliability of the response to a confirmation request, obtain further audit evidence to resolve those doubts
- Confirmations can be intercepted or altered by the client (to minimise such risks create a secure environment for responses received electronically)
- One procedure is to verify the source and contents of a response to a confirmation request by contacting the confirming party (i.e. phone the confirming party to determine whether the confirming party did, in fact, send the response)
- The auditor should also re-assess the risks of material misstatement, risk of fraud, and the nature, extent and timing of further procedures

If non-responses to confirmations occurs, perform alternative audit procedures
Investigate exceptions to determine whether or not they are indicative of misstatements

Negative confirmations provide less persuasive audit evidence than positive confirmations
Do not use negative confirmation requests as the sole substantive audit procedure, unless all of the following are present:
1. When the risk of material misstatement is low and the operating effectiveness of controls have been tested
2. The population of items subject to negative confirmation procedures comprises a large number of small, homogeneous account balances, transactions or conditions
3. A very low exception rate is expected
4. The auditor is not aware of conditions that would cause recipients of negative confirmation requests to disregard such requests