The case for audit confirmations: Compliance, cost, and confidence
November 6, 2025
As audit professionals face mounting pressure from new PCAOB standards, fraud risks, and inefficiencies, a smarter, secure confirmation strategy is no longer optional; it’s essential.
You’re staring at your laptop screen, the glow illuminating your exhausted face. It’s 2:00 AM on a Tuesday in March, the heart of busy season, and three confirmation requests have gone unanswered for two weeks.
One client’s bank won’t respond to your emails. Another confirmation has been intercepted, raising red flags about fraud. Your audit deadline is in 72 hours. And then comes the email that makes your stomach drop: a reminder from your firm’s compliance team about the new PCAOB confirmation standards that went into effect last December.
You’re not alone. Across the country, thousands of audit professionals are facing the same perfect storm: new regulatory requirements, mounting fraud risks, talent shortages, and margin compression.
But here’s what you might not know yet: there’s a better way.
The new rules of the game: Why confirmations just got serious
The PCAOB raised the bar and the stakes. On December 15, 2024, the PCAOB adopted AS 2310, The Auditor’s Use of Confirmation, which redefined what “adequate confirmation evidence” means for auditors. This new standard is effective for audits of fiscal years ending on or after June 15, 2025.
Here’s what you must now prove:
Precision matters: You must identify exactly what information needs verification—no more vague requests
The right person matters: Your confirmations must go to knowledgeable external source who can provide reliable responses
Skepticism matters: Every response, exception, and non-response must be evaluated with heightened professional skepticism
The message is clear. Positive confirmations are in; shortcuts are out. When confirmations aren’t feasible or reliable, you must perform time-consuming alternative procedures.
What all of this means for you is that the days of “set it and forget it” confirmations are over. You must demonstrate active management, maintain impeccable documentation, and ensure the right people are responding.
The fraud lens: What AS 2401 means for your confirmation strategy
While AS 2401 governs the auditor’s responsibility to detect material misstatements due to fraud, its principles extend beyond planning and risk assessment—they shape how you gather and evaluate audit evidence. One of the core tenets of AS 2401 is the requirement to maintain professional skepticism throughout the audit, especially when evaluating the reliability of evidence.
That’s where confirmations come in. They’re not just a routine step—they’re a critical response to fraud risk because they provide independent, third-party evidence. Under AS 2401, auditors are expected to consider the authenticity and reliability of all evidence, particularly when fraud risk is elevated.
So, the hidden question behind every confirmation you send is this: Can you demonstrate that this evidence is authentic, secure, and free from tampering?
Because in today’s audit environment, the quality and traceability of your confirmation evidence matter more than ever.
The AICPA’s cash confirmation standard
The AICPA’s recent exposure draft signals clear alignment with PCAOB standards, particularly when it comes to confirming cash. While the PCAOB’s AS 2310 establishes a presumptive requirement to confirm cash and accounts receivable, the AICPA is now echoing that expectation in its proposed updates.
This isn’t just a procedural suggestion. It’s heightened expectations. The exposure draft reinforces that confirmations are a default, not an optional step, especially for high-risk accounts like cash. If you choose not to confirm, you’ll need strong, well-documented justification.
So, what does that mean for you? Your confirmation process must be defensible.
If challenged, you should be able to clearly demonstrate why confirmations were sent, or why they weren’t, and how your approach still meets the standard of sufficient appropriate audit evidence.
The hidden confirmation-related costs nobody talks about
Let’s go over what happens when your confirmations go wrong.
When fraud strikes: The domino effect
A notable example of audit confirmation fraud involves BF Borgers CPA PC, a U.S.-based audit firm, and its owner Benjamin F. Borgers. In May 2024, the SEC charged the firm and its owner with widespread audit failures that impacted over 1,500 SEC filings between January 2021 and June 2023. Here is a basic breakdown of what happened and the impact this incident had:
Nature of the fraud -The firm falsified audit documentation, including fabricated confirmations, to make it appear that audits complied with PCAOB standards, when in fact they did not.
Violations – They failed to:
Properly prepare and maintain audit workpapers.
Obtain required engagement quality reviews.
Supervise audit teams adequately.
Impact – Over 75% of filings that incorporated BF Borgers’s audits during that period were found to be noncompliant with PCAOB standards.
Consequences – The firm was permanently barred from practicing before the SEC, and penalties included $12 million for the firm and $2 million for Benjamin Borgers personally.
This case is considered one of the largest audit failures in recent history and underscores the importance of authentic, traceable, and tamper-proof confirmation evidence in combating fraud, directly aligning with the expectations set forth in PCAOB AS 2401.
Fraud causes time delays regarding the audit in question, as well as future engagements and deadlines. It also damages the auditor’s reputation and credibility, which are central to their role and difficult to repair afterward.
The efficiency tax of manual confirmations
Consider how your “routine” bank confirmation process typically unfolds:
Spend time hunting for the right bank contact
Multiple emails back and forth (often lost in spam filters)
Follow-up calls to track down responses
Manual documentation scattered across email threads
Training burden for new staff learning different procedures for different banks
Repeat that to-do list for 1,500 confirmations per year, and you’re looking at a whole lot of staff time spent on this piece alone. Now imagine getting that process done in half the time.
The four pillars of fraud-resistant confirmation management
To reduce exposure and reinforce trust in your audit process, modern confirmation management is built on four key pillars:
Security
Protect against spoofing, interception, and impersonation with:
End-to-end encryption
Verified bank networks
Direct, authenticated connections to financial institutions
Efficiency
Streamlined workflows reduce the temptation to cut corners:
Confirmations completed in days, not weeks
Fewer manual steps means fewer opportunities for error
Control
Centralized oversight ensures nothing slips through:
Real-time tracking of every request
Automated reminders and escalation paths
Role-based access and approval workflows
Audit Trail
Every action is logged and time-stamped:
Full visibility into who sent what, when, and how
Essential for defending against fraud allegations or regulatory scrutiny
Reinforces professional skepticism with verifiable documentation
What’s next for you? The choice is clear
What starts as your solution to a compliance headache could become your competitive advantage—a way for you to do more with less, to deliver faster, and to sleep better at night.
The regulatory environment is more demanding for you. The risks are higher. The margins are tighter. You can keep chasing emails, hunting for bank contacts, and hoping nothing falls through the cracks. Or you can join the firms that are already working smarter.
Learn more about Thomson Reuters Confirmation, the only online confirmation service with a global validated network today and experience the immediate benefits of a streamlined and secure confirmation process that could transform your practice.
[Thomson Reuters]
