Confirmation is the process of obtaining and evaluating a direct communication

In the publication, the PCAOB noted that confirmation, as defined under PCAOB standards, “is the process of obtaining and evaluating a direct communication from a third party in response to a request for information about a particular item affecting financial statement assertions. The process includes: selecting items for which confirmations are to be requested; designing the confirmation request; communicating the confirmation request to the appropriate third party; obtaining the response from the third party; and evaluating the information, or lack thereof, provided by the third party about the audit objectives, including the reliability of that information.” 

The PCAOB observed that “many audit firms use a service provider to send and receive electronic audit confirmations to and from third parties, such as financial institutions, investment and brokerage firms, and law firms (‘confirming party’) to independently verify or validate balances, terms of arrangements, or other information under audit. These audit firms rely on the service provider, including its related processes and technologies, to initiate the third-party request, establish a direct communication with the confirming party, and ultimately obtain the information from the confirming party. The PCAOB understands that the use of such service providers is becoming more common, partially due to certain confirming parties only replying to auditor confirmation requests through a specific service provider.” 

The PCAOB cautioned that “the requirement to maintain control over the confirmation process is important to ensure confirmation responses are reliable. … Therefore, it is necessary for auditors to determine that they can rely on the service provider’s processes and controls when establishing direct communication between the auditor and the confirming party.”

The PCAOB publication cited auditing standard AS 2310, The Confirmation Process, which “requires that the auditor maintain control over the confirmation requests and responses during the performance of confirmation procedures.” The PCAOB observed that “maintaining control means establishing direct communication between the intended recipient and the auditor to minimize the possibility that the results will be biased because of interception and alteration of the confirmation requests or responses. Although the standard does not specifically address using a service provider for establishing direct communication, the requirement in the standard still applies when such service provider assists an audit firm in maintaining control over confirmation requests and responses.” 

The PCAOB emphasized that the service provider’s technology should “create a secure confirmation environment that may mitigate the risks of interception or alteration. We expect auditors to support that they maintained control over the confirmation requests and responses in audits where a service provider assisted in the confirmation process. Simply, the use of a service provider does not relieve the auditor of the responsibility under PCAOB standards to maintain control over the confirmation requests and responses.”

Yet, the PCAOB reported, “When auditors use a service provider to send and receive confirmations, we observed that the procedures performed by audit firms to support that the auditor maintained control over the confirmation requests and responses vary depending on a number of factors including the size of the audit firm, engagement-specific facts and circumstances, and the extent to which the provider is used. Many of these procedures are performed at the audit firm level, rather than by individual engagement teams.” 

The PCAOB provided examples of “situations we observed in which audit firms did not perform, or sufficiently perform, procedures to support their use of a service provider to send and receive confirmations.” They are:

• Performing insufficient evaluation of Service Auditor’s Report on Service Organization Controls (“SOC reports”) 

• Lack of consideration of the period covered  

• Lacking consideration of other controls  

• Insufficiently coordinating procedures performed 

The publication concludes by providing examples of procedures that “an audit firm may perform to support—in accordance with professional standards—the use of a service provider to maintain control over the confirmation requests and responses when such service provider sends and receives confirmations.” The PCAOB urged that audit firms “give consideration as to how these examples may apply to their audit engagements and whether they need to implement changes to their current policies and procedures.” Those examples are:

• Assessing the design and operating effectiveness of a service provider’s processes and controls

• Reviewing and timely evaluating SOC reports to consider factors that may affect the risk of misstatement  

What is direct confirmation procedure?

Direct confirmation: Direct confirmation of balances due from customers is obtained to satisfy the objective of ensuring that the customer exists and owes the specified amount to the company at a certain date.

What are confirmations in auditing?

Confirmation is undertaken to obtain evidence from third parties about financial statement assertions made by management. See paragraph 8 of Auditing Standard No. 15, Audit Evidence, which discusses the reliability of audit evidence.

What are the types of confirmation?

The three types of confirmation forms are positive confirmation, blank confirmation forms, and negative confirmation.

How does the auditor ensure control over the confirmation process?

Such control may include ensuring that the auditor sends out the confirmation requests, that the requests are properly addressed, that the auditor's return information is included in the request, and that all replies are requested to be sent directly to the auditor.