7053 Evaluating results of external confirmation procedures
Jun-2021

Overview

This topic explains:

  • Assessing reliability of responses
  • Alternative procedures where confirmations not returned
  • Assessing exceptions
  • Evaluating results from the confirmation process

Assessing reliability of responses

CAS Requirement

If the auditor identifies factors that give rise to doubts about the reliability of the response to a confirmation request, the auditor shall obtain further audit evidence to resolve those doubts (CAS 505.10).

If the auditor determines that a response to a confirmation request is not reliable, the auditor shall evaluate the implications on the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing and extent of other audit procedures (CAS 505.11).

CAS Guidance

CAS 500 Audit Evidence indicates that even when audit evidence is obtained from sources external to the entity, circumstances may exist that affect its reliability. All responses carry some risk of interception, alteration or fraud. Such risk exists regardless of whether a response is obtained in paper form, or by electronic or other medium. Factors that may indicate doubts about the reliability of a response include that it (CAS 505.A11):

  • Was received by the auditor indirectly
  • Appeared not to come from the originally intended confirming party

Responses received electronically, for example by facsimile or electronic mail, involve risks as to reliability because proof of origin and authority of the respondent may be difficult to establish, and alterations may be difficult to detect. A process used by the auditor and the respondent that creates a secure environment for responses received electronically may mitigate these risks. If the auditor is satisfied that such a process is secure and properly controlled, the reliability of the related responses is enhanced. An electronic confirmation process might incorporate various techniques for validating the identity of a sender of information in electronic form, for example, through the use of encryption, electronic digital signatures, and procedures to verify web site authenticity (CAS 505.A12).

The auditor is required by CAS 500 Audit Evidence to determine whether to modify or add procedures to resolve doubts over the reliability of information to be used as audit evidence. The auditor may choose to verify the source and contents of a response to a confirmation request by contacting the confirming party. For example, when a confirming party responds by electronic mail, the auditor may telephone the confirming party to determine whether the confirming party did, in fact, send the response. When a response has been returned to the auditor indirectly (for example, because the confirming party incorrectly addressed it to the entity rather than to the auditor), the auditor may request the confirming party to respond in writing directly to the auditor (CAS 505.A14).

On its own, an oral response to a confirmation request does not meet the definition of an external confirmation because it is not a direct written response to the auditor. However, upon obtaining an oral response to a confirmation request, the auditor may, depending on the circumstances, request the confirming party to respond in writing directly to the auditor. If no such response is received, in accordance with paragraph 12, the auditor seeks other audit evidence to support the information in the oral response (CAS 505.A15).

A response to a confirmation request may contain restrictive language regarding its use. Such restrictions do not necessarily invalidate the reliability of the response as audit evidence (CAS 505.A16).

When the auditor concludes that a response is unreliable, the auditor may need to revise the assessment of the risks of material misstatement at the assertion level and modify planned audit procedures accordingly, in accordance with CAS 315. For example, an unreliable response may indicate a fraud risk factor that requires evaluation in accordance with CAS 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (CAS 505.A17).

OAG Guidance

For all confirmation responses, irrespective of the format of receipt, we consider whether there are indications that the response may not be reliable, for example:

  • Bank confirmation does not include the official bank stamp.
  • Electronic documents are not in an unalterable PDF format.
  • Named account holder on bank confirmation is inconsistent with entity name.
  • Source email address or facsimile details inconsistent with expectations.
  • Confirmation is hand delivered.

Refer also to OAG Audit 1051 for further considerations related to the reliability of audit evidence.

Be alert to heightened risk of receiving a fraudulent response to a confirmation request, particularly when an external confirmation is a significant source of planned audit evidence for a material financial statement line item. Circumstances requiring specific consideration include:

  • The circumstances in which the confirmation process is conducted. For example, there may be a higher risk of collusion between management and the confirming party where entities are experiencing challenges such as the ability to continue as a going concern.

  • The characteristics of the confirming party, particularly its independence, objectivity, motivation and authority to respond. For example, the extent of influence the entity and its management has over the confirming party will be higher if the respondent is a related party of the entity or is economically dependent on the entity.

  • The nature of the information requested. For example, when requesting a confirmation about assets such as investment securities from a confirming party that is both the custodian and investment manager, improper segregation of duties between the two functions may give rise to a fraud risk factor.

Electronic confirmation responses (e.g., received by email or facsimile) have increased interception and alteration risks and proof of origin risks. Examples of specific risks of this type when an electronic confirmation response is received via email or facsimile include:

  • Someone such as a hacker may intercept the confirmation response before it is received by the auditor and may alter the response before sending it to the auditor.

  • The confirmation may not be authentic because it comes from a source other than the purported confirming party sender. For example, a client employee might find a way to disguise e-mails from the employee’s own computer so that they appear to have come from the confirming party.

Based on the method of receipt of a confirmation response, we consider the following when determining the additional procedures to be performed when assessing reliability/authenticity of a confirmation response:

  • It is our preference to obtain original signed confirmations directly from the confirming party, because an original hardcopy response provides the most effective format for considering whether there are indicators that the confirmation may not be reliable (e.g., where official stamps, seals or chops are used by the confirming party). Although it may be easier to assess reliability of a hardcopy confirmation, we still need to remain alert to possible indicators that it has been altered or is otherwise not authentic.

  • Where a confirmation response is received electronically using an Assurance Software Tool designed to support the external confirmation process that creates a secure environment for receiving confirmations from third parties, risks of interception/alteration and proof of origin of the response are mitigated. However, we still need to review the electronic response received using the tool (including any attachments included with the response) to consider whether there are indicators that it may not be reliable.

  • When it is not feasible to obtain an original signed confirmation or to use the type of tool described above, and other electronic (e.g., email or facsimile) confirmations are received, consider the authenticity of the confirming party and confirmation information and document in the workpaper our reasons for being satisfied, including considering how we are satisfied that interception and alteration risks and proof of origin risks have been addressed. We remain alert to possible indicators of fraudulent responses, for example, if a large number of confirmations are received via email or facsimile at the same time or from different confirming parties but sent from what appears to be the same source. Where we are unable to perform procedures to satisfy ourselves that these risks have been addressed or where there is uncertainty as to the authenticity of the response, we need to verify the electronic or facsimile response by calling the confirming party and documenting the communication in the workpaper.

If we have doubts about the authenticity of a response, perform procedures to address any concern. Such procedures may include:

  • telephoning the confirming party to confirm the information provided in the response;

  • when there are doubts about the level of authority or appropriateness of the confirming party, telephoning their supervisor to confirm the confirming party’s independence, competence, knowledge of the matter and authority to respond; and

  • performing additional follow up procedures for electronic confirmations.

A telephone call may not be required when a third party electronic confirmation service provider has provided sufficient evidence of an effective technique for validating the identity of a sender of information.

If a telephone call is considered necessary, documentation of the call would include:

  • the name of the person contacted;

  • the name of the person who completed the confirmation;

  • our evaluation, based on the telephone discussion, of whether there are any indications that the confirming party may not be independent, competent, knowledgeable or authorized to respond;

  • that there were no changes to the information included in the confirmation response since it was sent to the auditor;

  • verification of certain key client-specific information contained in the response (e.g., the report has XX line items, account balances, specific terms); and

  • conclusion reached that the source and contents of the response were verified and the response was received from an authorized individual.

Restrictive language

When reviewing confirmation responses, we may note that the confirming party has included disclaimers or restrictive language such as:

  • information is obtained from electronic data sources, which may not contain all information in the respondent’s possession;

  • information is not guaranteed to be accurate nor current and may be a matter of opinion;

  • information is furnished as a matter of courtesy without a duty to do so and without responsibility, liability or warranty, express or implied; and

  • the recipient may not rely upon information in the confirmation.

The nature and substance of the restrictions may need to be considered if they relate to the assertion being tested through external confirmation. Additional procedures may be necessary to obtain sufficient appropriate audit evidence. We are not expected to make determinations as to the legal implications of the restrictions but may need to consult Audit Services as necessary to determine the impact of such restrictions on the reliability of the confirmation response as audit evidence.

Related guidance

See guidance on electronic confirmations in relation to use of a third party service provider at OAG Audit 7054.

Alternative procedures

CAS Requirement

In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit evidence (CAS 505.12).

If the auditor has determined that a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence, alternative audit procedures will not provide the audit evidence the auditor requires. If the auditor does not obtain such confirmation, the auditor shall determine the implications for the audit and the auditor’s opinion in accordance with CAS 705 Modifications to the Opinion in the Independent Auditor’s Report (CAS 505.13).

CAS Guidance

Examples of alternative audit procedures the auditor may perform include (CAS 505.A18):

  • For accounts receivable balances – examining specific subsequent cash receipts, shipping documentation, and sales near the period-end.

  • For accounts payable balances – examining subsequent cash disbursements or correspondence from third parties, and other records, such as goods received notes.

The nature and extent of alternative audit procedures are affected by the account and assertion in question. A non-response to a confirmation request may indicate a previously unidentified risk of material misstatement. In such situations, the auditor may need to revise the assessed risk of material misstatement at the assertion level, and modify planned audit procedures, in accordance with CAS 315. For example, fewer responses to confirmation requests than anticipated, or a greater number of responses than anticipated, may indicate a previously unidentified fraud risk factor that requires evaluation in accordance with CAS 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (CAS 505.A19).

In certain circumstances, the auditor may identify an assessed risk of material misstatement at the assertion level for which a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence. Such circumstances may include where (CAS 505.A20):

  • The information available to corroborate management’s assertion(s) is only available outside the entity.

  • Specific fraud risk factors, such as the risk of management override of controls, or the risk of collusion which can involve employee(s) and/or management, prevent the auditor from relying on evidence from the entity.

OAG Guidance

Alternative procedures need to be directed at the same assertion(s) that the confirmation request was intended to address, to obtain sufficient appropriate audit evidence.

Circumstances such as:

  • A significant change in the number or timeliness of responses to confirmation requests relative to prior audits.
  • A non-response when one would be expected.

may indicate previously unidentified risks of material misstatement due to fraud.

In such cases, the assessed risk of material misstatement at the assertion level may need to be revised and planned audit procedures modified.

Also consider if non-replies to confirmation requests may indicate a higher risk of material misstatement and evaluate reasons why confirmations were not returned. If particular risks are identified, more extensive or different procedures may need to be performed.

Related guidance

See guidance on modifications to audit opinion at OAG Audit 8013.

See accounts receivable—alternative procedures at OAG Audit 7055.

See guidance on identification and assessment of fraud risk at OAG Audit 5505 and OAG Audit 5506.

Assessing exceptions

CAS Requirement

The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements (CAS 505.14).

CAS Guidance

Exceptions noted in responses to confirmation requests may indicate misstatements or potential misstatements in the financial statements. When a misstatement is identified, the auditor is required by CAS 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements to evaluate whether such misstatement is indicative of fraud. Exceptions may provide a guide to the quality of responses from similar confirming parties or for similar accounts. Exceptions also may indicate a deficiency, or deficiencies, in the entity’s internal control over financial reporting (CAS 505.A21).

Some exceptions do not represent misstatements. For example, the auditor may conclude that differences in responses to confirmation requests are due to timing, measurement, or clerical errors in the external confirmation procedures (CAS 505.A22).

OAG Guidance

As part of our planning procedures in relation to confirmations it is good practice to determine in advance what type of exceptions might be indicative of a misstatement.

Related guidance

See guidance on identification and assessment of fraud risk at OAG Audit 5505 and OAG Audit 5506.

Evaluating results

CAS Requirement

The auditor shall evaluate whether the results of the external confirmation procedures provide relevant and reliable audit evidence, or whether further audit evidence is necessary (CAS 505.16).

CAS Guidance

When evaluating the results of individual external confirmation requests, the auditor may categorize such results as follows (CAS 505.A24):

(a) A response by the appropriate confirming party indicating agreement with the information provided in the confirmation request, or providing requested information without exception;

(b) A response deemed unreliable;

(c) A non-response; or

(d) A response indicating an exception.

The auditor’s evaluation, when taken into account with other audit procedures the auditor may have performed, may assist the auditor in concluding whether sufficient appropriate audit evidence has been obtained or whether further audit evidence is necessary, as required by CAS 330 The Auditor’s Responses to Assessed Risks (CAS 505.A25).

OAG Guidance

When we form a conclusion that the confirmation process and alternative procedures have not provided sufficient appropriate audit evidence regarding an assertion, we design and perform additional procedures to obtain sufficient appropriate audit evidence.

In forming the conclusion, we consider the

  • reliability of the confirmations and alternative procedures;

  • nature and frequency of any exceptions, including the implications, both quantitative and qualitative, of those exceptions; and

  • evidence provided by other procedures.

Based on this evaluation, we determine whether additional audit procedures are needed to obtain sufficient appropriate audit evidence.

Consider if these circumstances are so significant as to require discussion with the engagement leader and treatment as a significant matter, and possibly communication to those charged with governance.