Auditing and Assurance Standard (AAS) 30

External Confirmations

The following is the text of the Auditing and Assurance Standard (AAS) 30 * , "External Confirmations", issued by the Council of the Institute of Chartered Accountants of India. This Standard should be read in conjunction with the "Preface to the Statements on Standard Auditing Practices", issued by the Institute. ¹

Introduction

The purpose of this Auditing and Assurance Standard (AAS) is to establish standards on the auditor's use of external confirmations as a means of obtaining audit evidence.

The auditor should determine whether the use of external confirmations is necessary to obtain sufficient appropriate audit evidence to support certain financial statement assertions. In making this determination, the auditor should consider materiality, the assessed level of inherent and control risk, and how the evidence from other planned audit procedures will reduce audit risk to an acceptably low level for the applicable financial statement assertions. The auditor should employ external confirmation procedures in consultation with the management.

Auditing and Assurance Standard (AAS) 5, "Audit Evidence" states that the reliability of audit evidence is influenced by its source and nature. It indicates that, in general, audit evidence from external sources is more reliable than audit evidence generated internally, and that written (documentary) audit evidence is more reliable than audit evidence in oral form. Accordingly, audit evidence in the form of written responses to confirmation requests received directly by the auditor from third parties who are not related to the entity being audited, when considered individually or cumulatively with audit evidence from other procedures, may assist in reducing audit risk for the related financial statement assertions to an acceptably low level.

External confirmation is the process of obtaining and evaluating audit evidence through a direct communication from a third party in response to a request for information about a particular item affecting assertions made by management in the financial statements. In deciding to what extent to use external confirmations, the auditor considers the characteristics of the environment in which the entity being audited operates and the practice of potential respondents in dealing with requests for direct confirmation.

The process of external confirmations, ordinarily, consists of the following:

• Selecting the items for which confirmations are needed.
  
   

• Designing the form of the confirmation request.
  
   

• Communicating the confirmation request to the appropriate third party.
  
   

• Obtaining response from the third party.
  
   

• Evaluating the information or absence thereof.

External confirmations are frequently used in relation to account balances and their components, but need not be restricted to these items. For example, the auditor may request external confirmation of the terms of agreements or transactions an entity has with third parties. The confirmation request is designed to ask if any modifications have been made to the agreement, and if so, the relevant details thereof. Other examples of situations where external confirmations may be used include the following:

• Bank balances and other information from bankers.
  
   

• Accounts receivable balances.
  
   

• Stocks held by third parties.
  
   

• Property title deeds held by third parties.
  
   

• Investments purchased but delivery not taken.
  
   

• Loans from lenders.
  
   

• Accounts payable balances.
  
   

• Long outstanding share application money.

The reliability of the evidence obtained by external confirmations depends, among other factors, upon the application of appropriate procedures by the auditor in designing the external confirmation request, performing the external confirmation procedures, and evaluating the results of the external confirmation procedures. Factors affecting the reliability of confirmations include the control which the auditor exercises over confirmation requests and responses, the characteristics of the respondents, and any restrictions included in the response or imposed by management.

Relationship of External Confirmation Procedures to the Auditor's Assessments of Inherent Risk and Control Risk

Auditing and Assurance Standard (AAS) 6 (Revised), "Risk Assessments and Internal Control" discusses audit risk and the relationship between its components: inherent risk, control risk, and detection risk. It outlines the process of assessing inherent and control risk to determine the nature, timing, and extent of substantive procedures to reduce detection risk, and therefore, audit risk, to an acceptable level.

AAS 6 (Revised) also indicates that the nature and extent of evidence to be obtained from the performance of substantive procedures varies depending on the assessment of inherent and control risks, and that the assessed levels of inherent and control risk cannot be sufficiently low to eliminate the need to perform any substantive procedures. These substantive procedures may include the use of external confirmations for specific financial statement assertions.

Paragraph 48 of AAS 6 (Revised) indicates that the higher the assessment of inherent and control risk, the more audit evidence the auditor needs to obtain from the performance of substantive procedures. Consequently, as the assessed level of inherent and control risk increases, the auditor designs substantive procedures to obtain more evidence, or more persuasive evidence, about a financial statement assertion. In these situations, the use of confirmation procedures may be effective in providing sufficient appropriate audit evidence.

The auditor should assess whether the evidence provided by the confirmations reduces audit risks for the related assertions to an acceptably low level. In making that assessment, the auditor should consider the materiality of the account balance and the auditor's assessment of the inherent and control risk. If the auditor concludes that the evidence provided by the confirmations alone is not sufficient, he should perform additional procedures.

The lower the assessed level of inherent and control risk, the less assurance the auditor needs from substantive procedures to form a conclusion about a financial statement assertion. For example, an entity may have a loan that it is repaying according to an agreed repayment schedule, the terms of which the auditor has confirmed in previous years. If the other work carried out by the auditor (including such tests of controls as are necessary) indicates that the terms of the loan have not changed and has lead to the level of inherent and control risk over the balance of the loan outstanding being assessed as low, the auditor might limit substantive procedures to testing details of the payments made, rather than again confirming the balance directly with the lender.

Unusual or complex transactions may be associated with higher levels of inherent or control risk than simple transactions. If the entity has entered into an unusual or complex transaction and the level of inherent and control risk is assessed as high, the auditor considers confirming the terms of transaction with the other parties in addition to examining documentation held by the entity.

Assertions Addressed by External Confirmations

AAS 5, "Audit Evidence", categorises the assertions contained in the financial statements as existence, rights and obligations, occurrence, completeness, valuation, measurement, and presentation and disclosure. While external confirmations may provide audit evidence regarding these assertions, the ability of an external confirmation to provide evidence relevant to a particular financial statement assertion varies.

External confirmation of an account receivable provides strong evidence regarding the existence of the account as at a certain date. Confirmation also provides evidence regarding the operation of cut-off procedures. However, such confirmation does not ordinarily provide all the necessary audit evidence relating to the assertion regarding valuation, since it is not practicable to ask the debtor to confirm detailed information relating to its ability to pay the account.

Similarly, in the case of goods held on consignment, external confirmation is likely to provide strong evidence to support the assertions related to existence and the rights and obligations, but might not provide evidence that supports the assertions related to valuation.

The relevance of external confirmations to auditing a particular financial statement assertion is also affected by the objective of the auditor in selecting information for confirmation. For example, when auditing the assertion regarding the completeness of accounts payable, the auditor also needs to obtain evidence that there is no material unrecorded liability. Accordingly, sending confirmation requests to an entity's principal suppliers, asking them to provide copies of their statements of account directly to the auditor, even if the entity's records show no amount currently owing to them, will usually be more effective in detecting unrecorded liabilities than selecting accounts for confirmation based on the larger amounts recorded in the accounts payable subsidiary ledger.

When obtaining evidence for assertions not adequately addressed by confirmations, the auditor considers other audit procedures to complement confirmation procedures or to be used instead of confirmation procedures.

Timing of External Confirmations

The auditor may request external confirmations either as at the date of the financial statements or as at any other selected date which is reasonably close to the date of financial statements. The date may be, alternatively, settled by the auditor in consultation with the management. Where the auditor decides to request for confirmations as at date which is other than the date of the financial statements, the auditor would need to examine the movement in the concerned account(s) that occur between the date of the confirmations and the date of the financial statements. For example, when the auditor uses confirmation as at a date prior to the balance sheet to obtain evidence to support a financial statement assertion, the auditor would obtain sufficient appropriate audit evidence that transactions relevant to the assertions in the intervening period have not been materially misstated. For practical reasons, when the level of inherent and control risk is assessed at less than high, the auditor may decide to confirm balances at a date other than the period end, for example, when the audit is to be completed within a short time after the balance sheet date. As with all types of pre-year-end work, the auditor would consider the need to obtain further audit evidence relating to the remainder of the period also.

Design of the External Confirmation Request

The auditor should design external confirmation requests to the specific audit objective. When designing the request, the auditor considers the assertions being addressed and the factors that are likely to affect the reliability of the confirmations. Factors such as the form of the external confirmation request, prior experience on the audit or similar engagements, the nature of the information being confirmed, and the intended respondent, affect the design of the requests because these factors have a direct effect on the reliability of the evidence obtained through external confirmation procedures. The other factors which have an effect on the design of an external confirmation request include effectiveness of the internal control system of the entity, apparent possibility of disputes, inaccuracies and irregularities in the accounts, the possibility that the request will receive a consideration and the materiality of the amount involved.

Nature of Information Being Confirmed

In designing the request, the auditor considers the type of information respondents will be able to confirm readily since this may affect the response rate and the nature of the evidence obtained. For example, certain respondents' accounting systems may facilitate the external confirmation of single transactions rather than of entire account balances. In addition, respondents may not always be able to confirm certain types of information, such as the overall accounts receivable balance, but may be able to confirm individual invoice amounts within the total balance.

The auditor's understanding of the client's arrangements and transactions with the third parties is important in determining the information to be confirmed. The auditor should obtain an understanding of the substance of such transactions and arrangements to decide about the information to be included in the request for confirmation. The auditor also considers the possibility of oral modifications in the arrangements and transactions and, accordingly, requests the management to provide him the details thereof.

Confirmation requests ordinarily include authorization of the entity's management to the respondent to disclose the information to the auditor. Respondents may be more willing to respond to a confirmation request containing management's authorization, and in some cases may be unable to respond unless the request contains such authorization.

Prior Experience

The auditor should consider the information from audits of earlier years. This information would, normally, include the misstatements, inaccuracies or irregularities identified by the auditor or those pointed out by the third parties in the earlier years, the response rate etc.

Form of Confirmation Request-Use of Positive and Negative Confirmations

The auditor may use positive or negative external confirmation requests or a combination of both.

A positive external confirmation request asks the respondent to reply to the auditor in all cases either by indicating the respondent's agreement with the given information, or by asking the respondent to fill in information. The use of a positive confirmation is preferable when individual account balances are large, or where the internal controls are weak, or where the auditor has reasons to believe that there may be a substantial number of accounts in dispute or inaccurate or irregular. A response to a positive confirmation request is ordinarily expected to provide reliable audit evidence. There is a risk, however, that a respondent may reply to the confirmation request without verifying that the information is correct. The auditor is not ordinarily able to detect whether this has occurred. The auditor may reduce this risk, however, by using positive confirmation requests that do not state the amount (or other information) on the confirmation request, but ask the respondent to fill in the amount or furnish other information. On the other hand, use of this type of "blank" confirmation request may result in lower response rates because additional effort is required of the respondents.

A negative external confirmation request asks the respondent to reply only in the event of disagreement with the information provided in the request. However, when no response has been received to a negative confirmation request, the auditor remains aware that there will be no explicit evidence that intended third parties have received the confirmation requests and verified that the information contained therein is correct or that the confirmation was sent by the respondent but not received by him. Accordingly, the use of negative confirmation requests ordinarily provides less reliable evidence than the use of positive confirmation requests, and the auditor considers performing other substantive procedures to supplement the use of negative confirmations.

Negative confirmation requests may be used to reduce audit risk to an acceptable level when:

1. the assessed level of inherent and control risk is low;
   
    

2. a large number of small balances is involved;
   
    

3. a substantial number of errors is not expected; and
   
    

4. the auditor has no reason to believe that respondents will disregard these requests.

A combination of positive and negative external confirmations may be used. For example, where the total accounts receivable balance comprises a small number of large balances and a large number of small balances, the auditor may decide that it is appropriate to confirm all or a sample of the large balances with positive confirmation requests and a sample of the small balances using negative confirmation requests.

Characteristics of Respondents

The reliability of evidence provided by a confirmation is affected by the respondent's competence, independence, authority to respond, knowledge of the matter being confirmed, and objectivity. For this reason, the auditor attempts to ensure, where practicable, that the confirmation request is directed to an appropriate individual. For example, when confirming that a covenant related to an entity's long-term debt has been waived, the auditor directs the request to an official of the creditor who has knowledge about the waiver and has the authority to provide the information.

The auditor also assesses whether certain parties may not provide an objective or unbiased response to a confirmation request. Information about the respondent's competence, knowledge, motivation, ability or willingness to respond may come to the auditor's attention. The auditor considers the effect of such information on designing the confirmation request and evaluating the results, including determining whether additional procedures are necessary. The auditor also considers whether there is sufficient basis for concluding that the confirmation request is being sent to a respondent from whom the auditor can expect a response that will provide sufficient appropriate evidence. For example, the auditor may encounter significant unusual year-end transactions that have a material effect on the financial statements, the transactions being with a third party that is economically dependent upon the entity. In such circumstances, the auditor considers whether the third party may be motivated to provide an inaccurate response.

The External Confirmation Process

When performing confirmation procedures, the auditor should maintain control over the process of selecting those to whom a request will be sent, the preparation and sending of confirmation requests, and the responses to those requests. Maintaining control means maintaining direct communications between the intended recipients and the auditor to minimize the possibility that the results of the confirmation process will be biased because of the interception and alteration of confirmation requests or responses. The auditor may give a list of accounts selected for confirmation to the management for preparing requests for confirmations, which should be properly addressed and stamped, alternatively, the auditor may request the management to furnish duly authorised confirmation letters and fill in the names, addresses and other relevant details relating to the accounts selected by him. The auditor should, however, ensure that it is the auditor who sends out the confirmation requests, that the requests are properly addressed, and that it is requested that all replies and the undelivered confirmations are delivered directly to the auditor. The auditor considers whether replies have come from the purported senders.

No Response to a Positive Confirmation Request

The auditor should perform alternative procedures where no response is received to a positive external confirmation request. The alternative audit procedures should be such as to provide the evidence about the financial statement assertions that the confirmation request was intended to provide.

When using a confirmation request other than a negative confirmation request, the auditor, generally, follows up with a second and sometimes third request to those parties from whom replies have not been received or, alternatively, contact the recipient of the request to elicit a response. Where the auditor is unable to obtain a response, the auditor would need to use alternative audit procedures. The nature of alternative procedures varies according to the account and assertion in question. In the examination of accounts receivable, alternative procedures may include examination of subsequent cash receipts, examination of shipping documentation or other client documentation to provide evidence for the existence assertion, and sales cut-off tests to provide evidence for the assertion related to completeness. In the examination of accounts payable, alternative procedures may include examination of subsequent cash disbursements or correspondence from third parties to provide evidence of the existence assertion, and examination of other records, such as goods received notes, to provide evidence of the assertion regarding completeness.

Reliability of Responses Received

The auditor should consider whether there is any indication that external confirmations received may not be reliable. The auditor should also consider the authenticity of the response and perform appropriate procedures to dispel any doubts. The auditor may choose to verify the source and contents of a response in a telephone call to the purported sender. In addition, the auditor would also request the purported sender to mail the original confirmation directly to the auditor. With ever-increasing use of technology, the auditor needs to consider validating the source of replies received in electronic format (for example, fax or electronic mail). Oral confirmations should be documented in the work papers. If the information in the oral confirmations or that received though a fax is significant, the auditor requests the parties involved to submit written confirmation of the specific information directly to the auditor since in such cases it is difficult to ascertain the source of the response.

Causes and Frequency of Exceptions

When the auditor forms a conclusion that the confirmation process and alternative procedures have not provided sufficient appropriate audit evidence regarding an assertion, the auditor should undertake additional procedures to obtain sufficient appropriate audit evidence. In forming the conclusion, the auditor considers the:

1. reliability of the confirmations and alternative procedures;
   
    

2. nature of any exceptions, including the implications, both quantitative and qualitative of those exceptions; and
   
    

3. evidence provided by other procedures.

Based on this evaluation, the auditor would determine whether additional audit procedures are needed to obtain sufficient appropriate audit evidence.

Any discrepancies revealed by the external confirmations received or by the additional procedures carried out by the auditor might have a bearing on the assertions and the accounts within the given assertion not selected for external confirmation. The auditor, in such a case, should request the management to verify and reconcile the discrepancies. The auditor should also consider what further tests can be carried out to satisfy himself as to the correctness of related assertion.

The auditor should also consider the causes and frequency of exceptions reported by respondents. An exception might indicate a misstatement in the entity's records, in which case, the auditor determines the reasons for the misstatement and assesses whether it has a material effect on the financial statements. If an exception indicates a misstatement, the auditor would reconsider the nature, timing and extent of audit procedures necessary to provide the evidence required. If the responses received indicate a pattern of misstatements, the auditor should reconsider his assessment of inherent and control risk and also consider the effect on his audit procedures.

Evaluating the Results of the Confirmation Process

The auditor should evaluate whether the results of the external confirmation process together with the results from any other procedures performed, provide sufficient appropriate audit evidence regarding the financial statement assertion being audited. In conducting this evaluation, the auditor considers the guidance provided by AAS 15, "Audit Sampling".

Management Requests

When the auditor seeks to confirm certain balances or other information, and management requests the auditor not to do so, the auditor should consider whether there are valid grounds for such a request and obtain evidence to support the validity of management's requests. The auditor should also ask the management to submit its request in a written form, detailing therein the reasons for such request. The management, for example, might make such a request on the grounds that due to a dispute with the particular debtor, the request for confirmation might aggravate the sensitive negotiations between the entity and the debtor. The auditor, in such a case, would examine any available evidence to support management's request, say, examining the correspondence between the management and the debtor. If the auditor agrees to management's request not to seek external confirmation regarding a particular matter, the auditor should document the reasons for acceding to the management's request and should apply alternative procedures to obtain sufficient appropriate evidence regarding that matter.

If the auditor does not accept the validity of management's request and is prevented from carrying out the confirmations, there has been a limitation on the scope of the auditor's work and the auditor should consider the possible impact on the auditor's report. The auditor should, however, in this case also, document the request made by the management along with the reasons given by the management therefor as well as his own reasons for not acceding to the management's request.

When considering the reasons provided by management, the auditor would apply professional skepticism and consider whether the request has any implications regarding management's integrity. The auditor would also consider whether management's request might indicate the possible existence of fraud or error. If the auditor believes that fraud or error exists, the auditor would consider the requirements of AAS 4, "The Auditor's Responsibility to Consider Fraud and Error in an Audit of Financial Statements". The auditor would also need to consider whether the alternative procedures will provide sufficient appropriate evidence regarding that matter.

Effective Date

This Auditing and Assurance Standard is effective for audits related to accounting periods beginning on or after 1st April, 2003.

Compatibility with International Standard on Auditing (ISA) 505

The auditing standards established in this AAS are generally consistent in all material respects with the International Standard on Auditing (ISA) 505, "External Confirmations", except the following:

1. The AAS requires the auditor to obtain an understanding of the substance of transactions and agreement with the third parties to decide about the information to be included in the request for confirmation (see paragraph 22). ISA 505 does not contain any requirements in this regard.
   
    

2. The AAS requires the auditor to consider the information from audits of earlier years (see paragraph 24). This requirement is not present in ISA 505.
   
    

3. The AAS requires the auditor to request the management to verify and reconcile the discrepancies revealed by the external confirmations received or by the additional procedures carried out by the auditor. The AAS further requires the auditor to consider what further tests can be carried out to satisfy him self as to the correctness of related assertions (see paragraph 37). This requirement is not present in ISA 505.