7052 External confirmation procedures

Jun-2021

OAG Guidance

Other examples of situations where external confirmations may be used include the following:

• Contract terms and collateral
• Investments in debt and equity securities
• Share information

OAG Guidance

Maintaining control of the confirmation process

We need to maintain control over the entire external confirmation process to minimize the risk of requests and responses being intercepted and altered. We need to send confirmation requests directly to and receive returned confirmations directly from the confirming parties and not allow the client or any party that is not part of the engagement team to send or receive them on our behalf. Maintaining control of the confirmation request process generally includes the following core elements:

• selecting appropriate confirming party;

• providing a format for the confirmation request that outlines the information to be requested;

• testing the validity of the address details provided;

• sending the confirmations directly to the confirming party;

• where sending through the postal mail service, providing a self‑addressed envelope with the confirmation requests to enable the confirming party to return the confirmation directly to us; and

• performing additional follow-up procedures in circumstances where the confirmation request is returned to the entity’s premises or received via email and subsequently provided to the engagement team (e.g., requesting the confirming party to send a new response directly to us).

This guidance details the considerations relevant to maintaining control of the external confirmation process, as required by CAS 505, and obtaining relevant and reliable substantive audit evidence. The judgments we make regarding these considerations will vary depending upon engagement specific facts and circumstances, but typically the judgments are made as part of three key elements of the external confirmation process, as follows:

• Selecting the appropriate confirming party (see 'Selecting the appropriate confirming party' section below)

• Testing the validity of the mailing address to be used to send the confirmation request to (see 'Testing the validity of addresses on confirmation requests' section below)

• Assessing the reliability of the confirmation response, including considering the need to perform additional procedures based on factors such as the method of receiving the confirmation responses (see OAG Audit 7053)

Selecting the appropriate confirming party

As noted in CAS 505.A2, responses to confirmation requests provide more relevant and reliable audit evidence when confirmation requests are sent to a confirming party we believe is knowledgeable about the information to be confirmed.

Within certain entities, confirmation requests may be completed by one person or a limited number of people. For example, a confirming party may have a policy that all confirmation requests are to be completed by an accounts payable manager or supervisor rather than a group of accounts payable clerks. Care needs to be taken to address the confirmation request to the individual (or individuals) who is knowledgeable about the information to be confirmed and who is authorized to complete the confirmation on behalf of the confirming party's entity (in the example above that would be the manager or supervisor, rather than one of the clerks).

Although we are required to maintain control over the external confirmation requests, including remaining responsible for selecting the appropriate confirming party, in practice we may require assistance from client management to obtain information needed. For example, we may need management to provide us with information when obtaining an understanding of the position and responsibilities of the confirming party entity official to whom we are proposing to send the request. We also consider whether our prior experience on the audit or on similar engagements assists us in selecting the appropriate confirming party.

If we encounter difficulties in identifying the appropriate confirming party or if we have questions about the appropriateness of the confirming party suggested by client management, we need to perform additional procedures. For example, reviewing the confirming entity's corporate website to determine if an appropriate confirming party is identified or calling the proposed confirming party directly to determine whether they are the appropriate party (the telephone inquiry could also be used to test the validity of the address to which the confirmation request is to be sent). We document the results of any such additional procedures performed in the workpapers.

Appropriate conforming party—fiduciary relationships

There may be situations where the entity we are auditing engages another party to manage assets on their behalf. For example, the entity may engage a third party such as an investment manager to manage an asset portfolio that belongs to the entity. In situations such as this it is important that we understand the fiduciary arrangement, including the business rationale and the resulting responsibilities, rights and obligations between the parties to understand the risks arising from this fiduciary relationship. For confirmation purposes this is important for selecting the right confirming party because it can impact the reliability and persuasiveness of the audit evidence we intend to obtain through confirmation.

To select the appropriate confirming party when multiple parties form part of a fiduciary arrangement, we need to consider which party is best positioned to be knowledgeable about the information we seek to confirm and assertions we plan to address. For example, if cash or other assets are held directly by a trustee, it would be appropriate to obtain a confirmation from the trustee. However, in situations where a trustee engages other parties (e.g., investment managers, custodians) to hold the assets, it would be more appropriate to obtain the confirmation from those other parties. Typically, the party that has custody of the assets is the appropriate confirming party to confirm completeness and existence of the assets and the party that is responsible for managing the assets (e.g, investment managers) would be best placed to confirm valuation of the assets. However, the appropriate conforming party for the existence, completeness and valuation assertions may be different depending on the responsibilities, rights and obligations of the parties to fiduciary arrangement. If we obtain confirmations addressing relevant assertions about the same assets from different parties (e.g., custodian for completeness and existence and investment manager for valuation), we need to compare the information underlying each confirmation to verify that they agree and reconcile (e.g., the individual asset descriptions and quantities included in the investment manager's confirmation of asset values agrees to the asset descriptions and quantities confirmed by the custodian) and address any identified differences, as appropriate.

As with other third-party confirmations, we need to maintain control over the confirmation process and obtain confirmations directly from the confirming parties. In some cases, the entity or the trustee may need to communicate with the confirming parties to authorize them to provide information directly to us. For example, if the trustee engages a bank to act as a custodian, information protection regulations may prohibit the bank from sharing information with us without consent from the trustee or entity we audit. To facilitate our control of the confirmation process, in this example, the entity's (or trustee's) authorization communication to the bank needs to be clear that the authorization communication is not a confirmation request and the entity's auditor will be sending a confirmation request directly to the confirming party.

An understanding of the fiduciary arrangement may also be important when considering the appropriate confirming party and the persuasiveness of evidence the confirmation provides. For example, if a trustee receives fees based on the value of the assets they manage on behalf of the entity we are auditing, this could indicate an incentive for the trustee to overstate the value of assets, in which case we consider whether there is another appropriate confirming party and/or we may need to obtain additional evidence about the existence and valuation of the assets confirmed by the trustee. Examples of procedures that we might consider include, but are not limited to, obtaining a service organization auditor's report for an investment manager to obtain evidence on their controls over existence and valuation of investments, and/or verifying the investment valuation by independently obtaining evidence over the market value of quoted investments.

Determining the method for sending external confirmation requests

When sending external confirmation requests, we consider the most appropriate method, taking into account the engagement specific circumstances, including identified material fraud risks and susceptibility to interception and/or alteration of the confirmation. Some considerations when selecting the appropriate method include, but are not limited to, the following:

• Sending a hardcopy request to the confirming party's physical mailing address through postal mail service, with an expectation of receiving an original hardcopy response through the postal mail service

  • Any form of confirmation is subject to a risk of interception and alteration. However, typically this risk is  lower for hard copy confirmations than for electronic or facsimile responses, because an original hardcopy confirmation response provides the most effective format for considering whether there are indicators that the confirmation may not be reliable (e.g., where official stamps, seals or chops are used by the confirming party). Irrespective of the format of receipt, we are always required to consider whether there is an indication that external confirmations received may not be reliable as described in OAG Audit 7053.
  • When using hardcopy confirmations, the external confirmation plan needs to allow sufficient time for the request and any follow‑up requests to be sent, and response received, through the postal mail system.

• Sending a request electronically using a secure Assurance Software Tool designed to support the external confirmation process, with an expectation of receiving a response directly through the tool

  • Tools that provide a secure environment for sending and receiving confirmations from confirming parties, mitigate reliability risks related to proof of origin for confirmation responses.
  • The secure environment also mitigates the heightened risks related to interception/alteration of electronic confirmation responses, subject to testing the validity of the confirming party's email address used to invite the confirming party to respond to the confirmation. Where such a tool is used, additional procedures to address proof of origin, interception and alteration risks may not be necessary, although we are always required to consider whether there are indications that external confirmations received may not be reliable as described in OAG Audit 7053.
  • In light of cybersecurity risks such as phishing schemes, confirming parties may be reluctant to respond to the automated email inviting them to access tools to respond to the confirmation. Consider whether steps can be taken to increase the confirming party's confidence without compromising our control of the confirmation process (e.g., client management sending a letter or email to the confirming party advising them that they should expect an email confirmation request with an image of the email format and sender details).

• Request sent using a OAG email account, with an expectation of receiving a response in a OAG email account

  • Responses received electronically involve risks as to reliability because proof of origin and authority of the respondent may be difficult to establish, and interception and alterations may be difficult to detect. When sending or receiving confirmations by email rather than using a secured tool designed to support the external confirmation process, these risks are not mitigated by a secure environment between us and the confirming party. As a result, when a response is received in an OAG email account, we need to perform additional procedures to determine the authenticity of the confirming party as described in OAG Audit 7053.
  • Some data protection laws and regulations include protections for client data that may need to be adhered to when sending and receiving external confirmations using email. Adherence to data protection requirements may impact, for example, whether client consent to release information is needed, the form and content of the confirmation request and/or whether the confirmation request or response need to be sent using encrypted emails.

If a confirmation request is sent with an expectation of receiving an original hardcopy response or a response using an Assurance Software Tool designed to support the external confirmation process, but instead the confirming party sends the confirmation response to an OAG email account, then upon receipt of the confirmation our considerations related to determining the authenticity of the confirming party are the same as if we had originally sent the request expecting to receive an email response (i.e., we need to perform additional procedures to determine the authenticity of the confirming party as described in OAG Audit 7053.

Test the validity of addresses on confirmation requests

As noted in CAS 505.A6, we need to test the validity of some or all of the addresses on confirmation requests before they are sent out. We may use a variety of approaches in performing procedures to test the validity of addresses, including referring to third party sources such as  confirming party's website to determine whether the confirming party's physical address or the domain portion of their email address (e.g., abc.com) is consistent with the address details found in the "Contact us" or "About us" (or equivalent) section of the website. When performing this procedure, we apply professional skepticism in evaluating whether the website appears to be a legitimate corporate website of the confirming party. The nature and extent of our procedures depend on the risks associated with the particular type of confirmation or address. For example, a confirmation addressing a higher‑risk assertion or a confirmation party address that is not typical of similar confirming parties (e.g., residential address) may necessitate different or more extensive procedures (such as testing the validity of all addresses on confirmation requests by referring to third party sources or calling the confirming party directly) to determine that the request is directed to the intended recipient.

Sending confirmation requests to email addresses – Additional considerations

As noted in CAS 505.A12, sending confirmation requests to email addresses with a view to also receiving a response via email introduces risks as to reliability because proof of origin and authority of the respondent may be difficult to establish, and alterations may be difficult to detect. To help mitigate these risks, where electronic requests are to be sent, consider using a secure Assurance Software Tool designed to support the external confirmation process by creating a secure environment for receiving confirmations from third parties. When such a tool is not available, and confirmation requests are to be sent by email, consider the nature of the confirming party's email address to be used when determining the nature and extent of address validation procedures, including as follows:

• Individual corporate email addresses are associated with the intended confirming party's entity and are expected to be accessed and utilized by a single individual within an entity (e.g., john.doe@oag-bvg.gc.ca). As risks, such as those related to proof of origin, associated with this type of email address are normally considered lower than for the other types of email addresses described below, we apply professional judgment to decide whether to test the validity of some of these types of addresses or whether to test all of them.

• Group-corporate email addresses use a single email address associated with the confirming party's entity that can be accessed and utilized by multiple individuals employed within a function or department of the entity (e.g., accountspayable@oag-bvg.gc.ca). We test the validity of group‑corporate email addresses in two steps:

  • We perform procedures over the validity of all group-corporate email domains prior to sending the confirmation requests. For example, by referring to third party sources such as the confirming party's website to determine whether the domain portion of the confirming party's email address (e.g., abc.com) is consistent with  the address details found in the "Contact us" or "About us" (or equivalent) section of the website; and
  • Following receipt of the confirmation response, we perform the same procedures we would need to   perform for "other than original" confirmation responses (See OAG Audit 7053). These procedures include, considering the authenticity of the confirming party and the information included in the confirmation response and either documenting in the workpaper our reasons for being satisfied or, where there is uncertainty, verifying the electronic response by calling the confirming party and documenting the communication in the workpaper.

• Non-corporate email addresses use email domains that are not owned by the confirming party's entity, such as those available from a freeware domain (e.g., john.doe@gmail.com) or a pay‑to‑use email domain that is not owned by the confirming party. Because there may be heightened risk related to proof of origin associated with receiving confirmation responses from this type of email address, for all non‑corporate email addresses we perform additional validation procedures, contacting the confirming party by telephone in an attempt to verify that the email address is an appropriate destination for our confirmation request.

Sending confirmation requests to Post Office boxes—Additional considerations

The confirming party's address on the confirmation request may be a post office (PO) box. Typically, we test the validity of all PO box addresses in the same manner as any physical address (e.g., referring to third party sources such as the "Contact us" or "About us" (or equivalent) section of the website confirming party's website). However, in some cases there may not be a source available to the general public to verify that the PO box is the appropriate address for the confirming party. In these instances, we may use procedures such as determining the post office location in which the PO box is located and comparing its proximity to the confirming party's and the client's physical address for consistency and reasonableness. We may also contact the confirming party in a manner similar to that followed when a response is received electronically. In instances where multiple confirmation requests are addressed to PO boxes, we may compare the post office location(s) of the PO boxes looking for any patterns of PO box addresses or their physical locations that might suggest the address is not valid.

OAG Guidance

Our conclusions with regards to management refusal to allow a confirmation request to be sent are documented in the related workpaper.

If we conclude management’s refusal may indicate fraud risk, reflect that conclusion in the related workpaper on fraud risk assessment as appropriate. If we revise our assessment of risk as a result, consider whether changes are necessary to the nature, timing and extent of procedures to address the risk.

Consider if these circumstances are so significant as to require discussion with the engagement leader and treatment as a significant matter, and communication to those charged with governance.

In circumstances where we are unable to obtain sufficient appropriate audit evidence through use of alternative procedures to address the risk and assertions the confirmation request was designed to test, this may give rise to a limitation of scope and have implications for our audit opinion. For further guidance with respect to scope limitations see OAG Audit 8013.

Related guidance

See guidance on communicating with those charged with governance at OAG Audit 2210.

See guidance on action on discovery of possible fraud at OAG Audit 5506.

OAG Guidance

When we use confirmations as at a date prior to the balance sheet to obtain evidence to support a financial statement assertion, we need to obtain sufficient appropriate audit evidence that transactions relevant to the assertion in the intervening period have not been materially misstated. As with all types of interim work, we consider the need to obtain further audit evidence relating to the remainder of the period.

Related guidance

See guidance on substantive procedures prior to balance sheet date at OAG Audit 7015.