Annual Audit Manual

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

7054 Bank confirmations—Specific considerations
Jun-2021

In This Section

Rebuttable presumption to confirm

Overcoming the rebuttable presumption to confirm

Scope of confirmations

Practical considerations for design and execution of a bank confirmation

Third party service providers

Evaluating responses

Alternative procedures

Use of Capital Confirmation Inc. Confirm Service

Overview

This topic explains:

  • OAG Policy for requesting bank confirmations
  • Rebuttable presumption to confirm
  • Overcoming the rebuttable presumption to confirm
  • Scope of confirmations
  • Practical considerations for design and execution of a bank confirmation
  • Use of third party service providers
  • Application of alternative procedures
  • Evaluating results
Rebuttable presumption to confirm

OAG Policy

There is a rebuttable presumption that bank confirmations covering balances, facilities, terms of agreement and other banking arrangements shall be requested from all financial institutions where the client has a banking relationship, unless the client is itself a bank or similar financial institution. If bank confirmations are not sent, or are sent on a selective basis, the rationale shall be documented on the audit file. [Dec‑2011]

Where our client is itself a bank or similar financial institution which has a large number of correspondents or settlement/clearing relationships with other financial institutions, confirmations from all such counterparties shall be requested if the appropriate level of assurance cannot be obtained from alternative methods. [Dec‑2011]

OAG Guidance

The rebuttable presumption to request bank confirmation is based on bank confirmations being the primary and ordinarily the most reliable source of audit evidence to verify the existence and accuracy of bank account balances, and to address the completeness, cutoff, accuracy, rights and obligations and presentation and disclosure assertions for facilities, terms of agreement and other banking arrangements (“other information”). The policy also assumes that banks will ordinarily respond to confirmation requests with information on which we can rely.

While it may be possible to perform alternative procedures to verify certain bank account balances, it is difficult to perform alternative procedures to audit the “other information,” in particular to confirm its completeness; thus bank confirmations may represent the most effective and efficient way to obtain audit evidence, and in some cases may be the only source to obtain audit evidence for the completeness assertion with regards to “other information”. If we conclude it is not necessary to confirm a particular banking relationship, we still need to obtain sufficient audit evidence about relevant assertions relating to certain unconfirmed bank account balances and “other information”. We apply professional judgment in determining the alternative procedures needed to obtain this audit evidence. Further guidance and examples of alternative procedures are provided at OAG Audit 7054.

Audit Tip

Include the decision in relation to sending bank confirmations as an agenda item at a team meeting so the team, particularly the team member charged with completing the related Procedure steps, understands the rationale behind the decisions made and can take ownership for documenting the rationale appropriately on the file.
Overcoming the rebuttable presumption to confirm

OAG Guidance

In determining whether to send confirmation requests to confirm banking relationships we principally consider the risk that undisclosed obligations and/or deposits exist. This consideration may be impacted by management’s adequate disclosure of obligations and/or deposit accounts in prior year audits, our understanding and testing of controls over capturing and reporting of deposit account balances and “other information” for banking relationships entered into throughout the organization, and our assessed risk of material misstatement, including fraud risks as discussed below.

We need to apply judgment when considering whether it is appropriate to rebut the presumption to confirm all banking relationships. Also consider if sending confirmation requests may be more effective and efficient in the engagement circumstances.

There may be circumstances where it is not necessary to send confirm requests in every case where a banking relationship exists. Such circumstances would include:

  • Where the risk of material misstatement is assessed as low (i.e., combined level of inherent and control risk over the existence assertion of deposit account balances, including consideration of fraud risks beyond the general risk of management override of controls), we might confirm only a few selected accounts with material balances, and limit other substantive procedures to primarily inspecting bank statements and testing related bank reconciliations rather than confirming all bank account balances. This would ordinarily apply to clients with many accounts and where we have determined controls over bank accounts and other banking relationships are designed and operating effectively.

  • For retail or other clients with a significant number of locations where each location has a local bank account with a small cash balance, a bank facility confirmation would be sent to the central bank (confirming either the existence or absence of facility arrangements); a deposit account confirmation would be sent on the central bank account balance, and we would use professional judgment in sending additional deposit account confirmations to selected bank branches.

  • Where bank accounts have no ending balance and no activity during the period under audit, we would use professional judgment when considering whether a deposit or bank facility confirmation would need to be sent. Document the reason for the existence of those bank accounts in the client file.

  • Where accounts are “swept” or “zeroed” at the end of each day because the client’s centralized treasury function utilizes daily clearing accounts and funding accounts for payroll and payables activities, we would send a deposit account and/or bank facility confirmation request to the bank into which those accounts are “swept” and we would use professional judgment in sending bank confirmation requests related to the accounts that are “swept.”

  • Where a client uses a common bank for many locations, entities or business units we could send one bank facility confirmation request, which covers any mortgage debt, lines of credit, compensating balance arrangement, and contingent liabilities including guarantees ("other information") for many banking relationships. We would use professional judgment in sending deposit account confirmation requests for individual accounts held by the common bank. Note that in some cases banks may confirm all balances and facilities for the client even though we only requested confirmation of some balances and/or facilities. In such cases we would use all the information confirmed in evaluating the audit evidence obtained.

  • Where accounts or disclosures at locations or business units do not present a risk of material misstatement (due to error or fraud), it is unlikely that a deposit account or bank facility confirmation request would need to be sent unless there is a specific statutory audit requirement for those locations or business units.

If any of the above circumstances apply, we ordinarily select banking relationships to send confirmation requests using targeted testing taking into consideration the following:

  • the size and nature of the account balance

  • complexity of arrangements/ agreements

  • prior audit evidence

  • assessment of the entity level controls including, where applicable, the entity level controls at the local division or branch level

  • the risk of management override of controls surrounding the capture and reporting of bank accounts and relationships

  • the potential risk associated with the nature or location of the financial institution

  • nature of other audit evidence available

  • sending confirmation requests for at least some deposit accounts is typically expected.

It is not appropriate to send confirmation requests based only on the value of the bank account balance (i.e., quantitative factor) as this approach would not address the risk of the entity manipulating accounts within a location or at a particular bank.

Given the risks of material misstatement for assertions relevant to facilities, confirmation of facilities is typically needed. If we have an expectation in a jurisdiction that a bank, or the banks in general, will not reply to confirmation requests, this does not provide a sufficient reason in itself to refrain from requesting confirmations.

Where our client is a bank or similar financial institution alternative approaches to testing would ordinarily include testing the internal controls relating to the operation of these accounts, including controls over reconciliations and the recording of "other information" to verify that we can place reliance on those controls.

Examples

Note: The following examples illustrate how the guidance provided earlier in this section can be applied. These examples are solely provided for illustrative purposes. To the extent that facts and circumstances of a particular audit engagement differ from those in the illustrative examples, including additional facts and circumstances, the appropriate judgments of the engagement team may differ from those applied in these illustrations. Note that references are made to ‘locations.’ This reference refers to client location but is not intended to refer to ‘components’ as used for purposes of group audit scoping.

Scenario 1: Example application of the guidance for Company A

Location Bank Deposit Account Facilities

1

A

Yes

Term debt, Line of credit

2

 B

Yes

 Guarantee

3

 C

Yes

 Term debt, Contingencies

4

 D

Yes

 Term debt

5

 C

Yes

 Term debt, Line of credit

Additional information:

  • Cash and term debt are deemed material FSLIs on a consolidated basis

  • Locations 1, 3 and 5 are deemed to be locations that present a risk of material misstatement

  • The deposit account balance at location 2 is slightly greater than overall materiality

  • The deposit account balance at location 4 is less than performance materiality

  • In prior years, management’s disclosure of facilities to OAG has been accurate. The client has a strong treasury function which monitors such facilities at all locations and the risk of material misstatement related to disclosure of bank facilities is assessed as low (i.e., combined level of inherent and control risk over such disclosures)

Application of the Policy/Guidance:

Policy/Guidance

Impact

Rebuttable presumption

Send banking relationship confirmations for all banking relationships (i.e., deposit accounts and facilities) at locations 1, 2, 3, 4 & 5.

Application of Professional Judgment:

Facilities confirmations—Consider risk of undisclosed obligations

Risk deemed low as noted in “Additional information”. All four types of facilities confirmations may not need to be sent.

The guarantee at location 2 was in place and confirmed in the prior year. Apply judgment to confirm the following:

  • Bank A—Term debt & line of credit
  • Bank B—No confirmation
  • Bank C—Term debt, line of credit and contingencies
  • Bank D—Term debt

Document rationale for not sending facility confirmation to Bank B.

Accounts at locations or business units that do not present a risk of material misstatement unless there is a separate statutory audit requirement at those locations or business units

Location 2, deposit account balance is slightly greater than overall materiality. Professional judgment considering quantitative and qualitative considerations may indicate that no deposit account confirmation is necessary. If deposit account and facilities confirmations are not sent to Bank B, document the rationale for not sending a banking relationship confirmation (i.e., deposit account and facilities).

Location 4, deposit account balance is less than performance materiality. Based on quantitative and qualitative considerations, deposit account confirmation may be deemed unnecessary. Document rationale for not sending deposit account confirmation to Bank D.

Scenario 2: Additional information for Company A

Same information above except that Location 2 Bank B has 25 deposit accounts. There is a main operating account, 9 other deposit accounts and 15 deposit accounts which sweep into the main operating account.

Application of the Policy/Guidance specific to Location 2 Bank B deposit accounts:

Policy/Guidance

Impact

Rebuttable presumption

Send banking relationship confirmations for deposit accounts at Bank B.

Application of Professional Judgment:

Deposit account confirmations—Accounts which are “swept” or “zeroed” at the end of each day because of a centralized treasury function that utilizes daily clearing accounts and centralized funding accounts for payroll and payables activities.

Confirm the banking relationship and main operating account. Confirmation of the 15 “sweep” accounts may not be necessary based on the quantitative and qualitative factors that exist. For example, if this sweep relationship is new, consider confirming some of the underlying 15 accounts. However, if this has been the procedure for a period of time, account reconciliations are tested and we have reviewed bank statements noting the amounts were swept from some of the underlying accounts, no confirmation may be necessary.

Deposit account confirmations—Consider the risk of undisclosed deposits.

Risk deemed low as noted in “additional information”; therefore judgment can be applied in selecting which (if any) of the remaining 9 deposit accounts to confirm utilizing targeted testing.

Scenario 3: Example application of the guidance for Company X

Location Bank Deposit Account Facilities

1

X

Yes

Term debt, Line of credit

2

 Y

Yes

 None

3

 Z

Yes

 None

Additional information:

  • Company X is a smaller non‑PIE manufacturing company that operates as a single legal entity. Cash and term debt are considered material FSLIs.

  • In prior years, management’s disclosure of facilities to OAG has been accurate. The risk of material misstatement related to disclosure of bank facilities is assessed as low (i.e., combined level of inherent and control risk over such disclosures).

  • Location 2 is a research cost center in another jurisdiction. The purpose of the account at bank Y is to facilitate payment of the payroll and operating expenses of the research cost center. The balance of the deposit account at location 2 will be just above performance materiality when cash is transferred into the account from bank X at the beginning of the month to facilitate payment of payroll and other operating expenses. The deposit account balance will drop below materiality after payroll is paid at both mid‑month and month‑end.

  • Location 3 is a small sales office in another jurisdiction with only one sales employee. Cash is transferred into the account at bank Z from bank X at the beginning of each month to fund local operating expenses. The balance of the deposit account at location 3 has been below performance materiality throughout the year, and is expected to remain below performance materiality at the end of the year.

Application of the Policy/Guidance:

Policy/Guidance

Impact

Rebuttable presumption

Send banking relationship confirmations for all banking relationships (i.e., deposit accounts and facilities) at locations 1, 2 & 3.

Application of Professional Judgment:

Facilities confirmations—Consider risk of undisclosed obligations

Risk deemed low based on the fact that there are only three accounts and the purpose of the accounts at locations 2 and 3 is to receive monthly transfers from location 1 necessary to fund operations. The risk of material misstatement in locations 2 and 3 is considered low and we did not identify any issues related to cash as a result of our prior period procedures. All banking relationships may not need to be confirmed.

Apply judgment to confirm the following:

  • Bank X—Term debt & line of credit
  • Bank Y—No confirmation
  • Bank Z—No confirmation

Document rationale for not sending facility confirmation to Banks Y and Z— based on our understanding of the purpose of the Bank Y and Z relationships and considering our prior audit experience, we determine that the risk of undisclosed obligation is sufficiently low that a confirmation is not required.

Accounts at locations or business units that do not present a risk of Material misstatement unless there is a separate statutory audit requirement at those locations or business units

Location 2, bank Y deposit account balance may be slightly greater than performance materiality depending on timing but by period end is typically below performance materiality. We have read Bank Y statements to corroborate our understanding that cash is transferred into this account from Bank X, that only operating and payroll disbursements are made from the account and that transfers have not been made from this account to either of the other two accounts. Professional judgment considering quantitative and qualitative considerations may indicate that no deposit account confirmation is necessary. If deposit account and facilities confirmations are not sent to Bank Y, document the rationale for not sending a banking relationship confirmation (i.e., deposit account and facilities).

Location 3, deposit account balance is less than performance materiality. Based on quantitative and qualitative considerations, deposit account confirmation may be deemed unnecessary. Document rationale for not sending deposit account confirmation to Bank Z.

Note: although a judgment might be made not to send a confirmation for the location 2 and 3 deposit accounts, consideration needs to be given to whether performing any necessary substantive testing procedures (e.g., inspecting bank statements) may be less efficient than confirming the balance.
Scope of confirmations

OAG Guidance

A banking relationship exists where the client has one or more bank accounts and/or any facility with a financial institution. For this purpose, bank accounts include those that are “swept” or “zeroed” at the end of each day. Facilities include mortgage debt, lines of credit, compensating balance arrangements, and contingent liabilities including guarantees or any other commitment.

Money market and similar inter‑bank lending and transactions with professional counterparties which are banks do not represent “banking relationships” for this purpose.

Consider what the bank confirmation request needs to include. Where more complex banking arrangements exist supplementary information will likely be required. Sending a confirmation request tailored to the specific type of “other information” may be easier for the bank to respond to. In addition to the account balance the bank confirmation may request specific details of other arrangements and facilities such as:

  • Promissory notes
  • Bills of exchange
  • Letters of credit
  • Foreign exchange contracts and other treasury items
  • Items held as security
  • Accounts opened and closed during the year
  • Guarantees
  • Credit limits, available facilities and amount unused
  • Safe deposit boxes

However, it is preferable not to limit the bank confirmation to only the specific information requested. Always request banks to provide all information available to address the completeness assertion in relation to bank balances and other banking arrangements.

Practical considerations for design and execution of a bank confirmation

OAG Guidance

The following practical tips will assist teams in the design and execution of a bank confirmation request:

  • At least six weeks prior to the audit confirmation date work with the client to obtain all the necessary information to assist with the bank confirmation process.

  • Send all bank letters no later than six weeks prior to the audit confirmation date—some banks will no longer respond if they are received later than six weeks before.

  • Some banks will not accept follow up telephone calls or answer any queries by telephone, therefore it is advisable to follow up any call with a fax, email or letter confirming any discussions and requests for further information.

  • Verify that all audit confirmations include a contact name and telephone number in case of queries.

  • Consider providing the entity’s account number and other details to assist the bank with the identification of the customer as entity names are often similar and identification of the relevant customer by name is not always straightforward.

  • Where an authorization form from the client is sent, obtain a copy in case of queries or non receipt as most banks will accept this faxed to them if they do not have the original on file.

  • If we are aware that audit requests are processed by specialized teams based in banks’ regional service centers, rather than at the branch level, send the confirmation request to the service center, thus avoiding the need for the bank to redirect it from the branch.

  • Use professional judgment to determine the appropriate date of the confirmation. Normally, we would confirm both balances and “other information” at the year end date. Where information is confirmed at an earlier date, consider the sufficiency of audit evidence that is obtainable from specific roll‑forward procedures, both for the balances and “other information,” as applicable.

  • The confirmation date and the date that we test the bank reconciliation and/or test “other information” that is referred to in the accounts need to be the same. If there is more than one financial institution, all confirmations are generally sent as at the same date, unless the company has effective controls over cash transfers which we have tested, or we have otherwise substantively tested cash transfers for the intervening period.

  • In situations where the same individual at a financial institution has the capability to confirm the bank account balances as well as the “other information,” we may combine the confirmation of banking relationships into a single or otherwise combined confirmation request or letter. However, some financial institutions, may not have relationship management systems that enable a single individual to confirm bank account balances and "other information" using one confirmation. In these circumstances, multiple confirmations may be required.

Related guidance

See guidance on substantive procedures prior to balance sheet date at OAG Audit 7015

Third party service providers

CAS Guidance

If a confirming party uses a third party to coordinate and provide responses to confirmation requests, the auditor may perform procedures to address the risks that (CAS 505.A13):

a) The response may not be from the proper source;

b) A respondent may not be authorized to respond; and

c) The integrity of the transmission may have been compromised.

OAG Guidance

A number of banks have announced that their confirmation process for deposit and commercial loan accounts will be electronic. In some cases, confirmation requests must be submitted, and will only be responded to, via the Capital Confirmations, Inc.’s (“CCI”) Confirmation.com website.

CCI’s process incorporates a web-based application that allows engagement teams to confirm accounts of participating financial institutions electronically. CCI is a third party service provider and essentially acts in the role of an "electronic post office" by facilitating the transmission of the confirmation request and response. However, the response is still completed by authorized representatives of the bank.

Related Guidance

See the section below for guidance on using CCI services.

Evaluating responses

OAG Guidance

Always agree the bank balance per the bank confirmation to the bank reconciliation to confirm consistency with other audit evidence obtained.

When a response from a bank is other than expected (e.g., the reply indicates balances or facilities not previously communicated to us by management), resolve the exception by identifying its implications and extending audit procedures if necessary. In particular, consider the implications of identifying balances or facilities not communicated to us by management on our fraud risk assessment.

Apply professional skepticism when reviewing bank confirmation responses and follow up any unexpected information or questions about the reliability of the information, including, as applicable, following up directly with the confirming bank or performing alternative procedures to corroborate the information confirmed (see the list of alternative procedures below).

Depending on the nature and materiality of the information obtained, consider whether our approach to requesting bank confirmations requires amendment, for example by selecting remaining banking relationships.

Related guidance

See OAG Audit 7053 for additional guidance on evaluating results.

Alternative procedures

OAG Guidance

In circumstances where the presumption to confirm has not been rebutted, ordinarily the use of alternative procedures would only be acceptable after all efforts to receive a confirmation have been exhausted. This will particularly be the case when either we have a reasonable expectation that confirmations will be received or the request is sent to a bank, for example, in a foreign jurisdiction, where based on our understanding of the nature of the entity’s relationship with the bank we consider the third party evidence a significant source of audit evidence and there is a concern that alternative procedures may not provide us with the evidence that we need. Where we do not receive a confirmation from a bank, we apply professional skepticism when considering the reason(s) the bank has not responded to our request and consider whether we need to perform alternative procedures.

Before designing and performing alternative audit procedures, therefore, consider the circumstances and risk in determining whether the procedures are likely to provide us with sufficient appropriate audit evidence. This will take into account our knowledge and experience of bank processes within the relevant jurisdiction.

It will be necessary to design and perform alternative procedures to obtaining responses to bank confirmation requests when the presumption is not rebutted but

  • a timely response to a confirmation request has not been received,

  • the response from a bank is considered unreliable, and

  • it is considered unlikely a bank will respond to the confirmation request because of practices in the jurisdiction in which it operates.

Alternative procedures may also be considered when the rebuttable presumption to confirm has been overcome.

When performing alternative procedures in respect of banks with which the entity has a banking relationship, consideration needs to be given to obtaining evidence in respect of all the assertions that are relevant for both the account balances and other facilities, terms of agreement and arrangements. The following are possible alternative procedures, and the assertions addressed by those procedures, that can be performed. A combination of these procedures may be appropriate to obtain sufficient appropriate audit evidence about balances, facilities, terms of agreement and other banking arrangements:

  • Agree the bank balance per the reconciliation to the bank statement (A,E).

  • Obtain an understanding of and test the controls relating to the treasury function, including the opening and closing of bank accounts, authorization levels, access to on‑line banking facilities, approval of new facilities, capturing all facilities and arrangements and monitoring of compliance with terms and arrangements (C,E,R&O).

  • Observe authorized personnel access on‑line banking and compare recorded bank balances and arrangements with details shown on‑line (C,A,E).

  • Perform inquiries with individuals responsible for banking relationships to identify changes in banking arrangements during the period and to assist with assessment of completeness of facilities and arrangements (C).

  • Obtain evidence from the entity to identify and support the terms and conditions of banking arrangements. This may include:

    • Banking contracts (C/A/E/R&O&PD)
    • Correspondence from financial institutions (E/R&O)
    • Board minutes (C)
    • Legal correspondence (R&O)
    • Other supporting information

  • Scanning bank transactions (G/L accounts and/or bank statements) (C,C/O) Refer to OAG Audit 7032 for guidance on how to apply scanning analytics.

  • Performing substantive analytical procedures directed at account balances, interest calculations and other related items (The assertion(s) addressed will depend upon the design of the analytic performed).

  • Reviewing reconciling items in the bank reconciliation may identify facilities and other arrangements (C).

In addition to a combination of the above procedures, consider obtaining representations specific to banking facilities from management in the representation letter to corroborate our conclusions reached through the alternative procedures performed.

As noted in the examples of alternative procedures above, we may observe the entity’s personnel accessing their banking information online using the relevant bank’s site and verify the entity’s recorded bank balances and other arrangements with the details shown online. This may include review of the online bank statement (or equivalent) and other evidence available through the bank’s online banking system. Similarly, we may request the entity to download and provide an electronic or printed copy of the online bank statement (or equivalent).

When using such information, consider if it is reliable. In particular, if we were not present to observe the entity accessing all of the information on our behalf we consider observing the entity’s personnel accessing the information on the bank’s site and agreeing the online information to the information provided to us by the entity. If we are not able to observe the entity accessing the information, we apply professional skepticism when evaluating the authenticity of any information provided to us by the entity that they assert to be from the banking site. Some examples of considerations when evaluating authenticity include, but are not limited to:

  • Is the bank statement downloaded by the entity in an unalterable PDF format?

  • Is the format of the bank statement the same as that we observed when we observed the entity accessing the information online and/or is it in a format different from what was provided to us on other occasions?

Apply similar skepticism when the entity asserts the bank statements provided to us for alternative procedures were sent by mail (post) to the entity from the bank. Apply the considerations described in OAG Audit 7053 on assessing reliability of responses.

Related Guidance

See OAG Audit 7053 for additional guidance on alternative procedures.

Use of Capital Confirmation Inc. Confirm Service

OAG Guidance

When utilizing Capital Confirmation Inc.’s Confirm SM Service (CCI), it is not necessary to call the confirming financial institution to verify the authenticity of the confirming party, as is normally considered when electronic or facsimile confirmations are received, as discussed in OAG Audit 7053. This section provides background on the CCI service and additional guidance that we need to consider when utilizing the CCI service.

Background

CCI is a third party electronic communications platform that facilitates delivery of our communications using a secure environment. The CCI service allows engagement teams to electronically confirm accounts held at participating financial institutions and, for in‑network entities, the response is completed by authorized representatives of the bank. Many banks and other financial institutions request us to electronically transmit confirmation requests for deposit account balances, lending facilities and other banking relationships through CCI. As part of the confirmation process, our clients provide authorization of the confirmation electronically to the bank through CCI’s system.

Considerations When Using CCI’s Service

We treat the electronic response obtained through the CCI service no differently than a paper confirmation response, and as such may still be required to contact the responding party in certain circumstances (e.g., unexpected information appears on the confirmation). CASs require the evaluation of the results of confirmation procedures, regardless of whether confirmation procedures are performed via paper or electronic media. As discussed in OAG Audit 7053, even in the traditional paper confirmation process, we evaluate whether sufficient evidence has been obtained related to the applicable financial statement assertions, including evaluation of any exceptions. We may consider performing additional procedures, including a follow‑up telephone call to the financial institution holding the account, if additional evidence is required due to higher levels of risk.

In addition to the above items, we also consider the following items when utilizing CCI’s service:

  • We are responsible for evaluating all of the information that is included within the electronic confirmation response received through CCI. We need to evaluate the potential impact of any language that may be included by the responding party in confirmation responses, such as a disclaimer on the completeness, accuracy, or our ability to use/rely on the information contained in the confirmation, to determine the sufficiency of the responses in relation to the procedures being performed. We generally do not expect to see any disclaimer language included in confirmation responses with the exception of a disclaimer to inform us of changes to the information beyond the date of our request or their response. Verify that this evaluation is separately performed for each confirmation response received, regardless of whether received electronically or in paper form.

  • CCI’s web-based application provides confirmation forms ("CCI Forms") applicable to banking relationships (including certain CCI Forms requested by major financial institutions) and other account balances and information. Depending on the type of confirmation, CCI Forms may not be comparable to OAG templates available, including formats used for requesting information related to other account balances and information (e.g., derivatives, interest rate swaps). Therefore, use professional judgment to evaluate whether CCI Forms not related to banking relationships provide sufficient appropriate audit evidence to address all risks of material misstatement.

  • Retain an electronic copy of the confirmation response as part of the engagement work papers (i.e., by attaching the PDF file obtained through the CCI website). It is not appropriate to refer to the copy of a completed confirmation on CCI’s website.

  • When sending confirmation requests to in‑network respondents, CCI automatically transmits (via CCI’s web‑based application) confirmation requests only to ’authorized persons’ designated by those in‑network entities. Therefore, for in‑network respondents, engagement teams do not need to further evaluate whether designated authorized persons are knowledgeable about the information to be confirmed or responsible for the respondent’s relationship with the client. Further, since only those authorized persons can receive confirmation requests and submit confirmation responses on behalf of in‑network respondents (by using appropriate identification codes and passwords) engagement teams also do not need to test the validity of the in‑network confirming party’s email address before sending the confirmation request via CCI. CCI’s confirmation service also permits us to send confirmation requests to out‑of‑network confirming parties. Because these out‑of‑network confirming parties have not been authenticated by CCI, engagement teams will need to determine if respondents are the appropriate confirming parties and will also need to test the validity of some or all such out‑of‑network confirming party email addresses in line with OAG Audit 7052.

  • Consider whether local territory laws and regulations permit electronic digitally signed confirmations. While risks inherently exist when utilizing paper and electronic confirmation processes, Audit Services has obtained a service organization report from CCI  to reduce the risks associated with using CCI’s service to no more than what would be present when utilizing paper confirmations. As a result additional procedures are not required to be performed at the engagement team level.

Consider consulting Audit Services if any issues are identified with regards to considerations above.

Using CCI’s Service

Instructions on using CCI’s service are summarized below. Additionally, various training resources to assist engagement teams in learning to use CCI’s service are available to registered users on CCI’s website (https://www.confirmation.com).

It is recommended that engagement team members who will utilize the CCI service take the training prior to using the service. The training tool provides details on the process to be followed to obtain a confirmation, including how to:

  • Create client profiles;
  • Add/edit client accounts;
  • Initiate, obtain client approval for and track confirmations;
  • Use the reconfirmation process; and
  • Download client confirmation reports including confirmation control logs to assist in ensuring that responses for all accounts have been received.

Registration on the CCI’s website

In order to register to use the CCI service, perform the steps below. User accounts are set up for each individual who will be utilizing CCI’s service as part of the registration process, and are not engagement specific. Each individual who registers will have a unique account and password that they individually maintain.

  • Go to www.confirmation.com.
  • Click on the "Sign In" Button, then select "Sign up" to access the "New User Registration" view.
  • Enter your email address.
  • Select Type of User to be "Requestor"
  • Select Type of Organization to be "Accounting Firm"
  • Select your office from the drop tab, or add your office to the list if it is not present, and complete your profile information.
  • Click the "Create New Account" at the bottom of the page.
  • You will receive an email from systems.administrator@confirmation.com.
  • Click on the link in the email to activate your account and to set up your password.
  • Log into www.confirmation.com using your ID and Password.

In the event of an interruption in CCI’s service that is not immediately resolvable through contact with CCI, engagement teams may need to send a traditional paper confirmation.

Questions regarding the account information provided in an electronic confirmation response received through the CCI service need to be directed to the responding party. For customer/technical support or billing inquiries regarding the CCI service, contact CCI directly through the CCI website.