Clarified section 505, which you can find here, discusses external confirmations. One thing I missed previously is a new requirement to verify the address used on confirmations. I looked in the pre-clarity standards and couldn’t find that requirement there.
Put simply, we as auditors need to make sure confirmations are using good addresses.
For cash, there is a commercial service, Confirmation.com, that can be used to make sure your confirm gets to where you want it to go.
This issue also applies to:
- Accounts receivable
- Notes receivable
- Accounts payable
- Notes payable
If you use confirms in those areas, AU-C 505 calls on you to make sure the request is getting where you intended.
Charles Hall discusses this issue in his post, Fake Bank Confirmation Responses.
The use of “should” in 505.07 makes that a presumptively mandatory requirement. It isn’t ‘if you feel like it’ or ‘just think about it.’
The oops in the title above is because I’ve, um, not quite, aah, been doing as well, um, as I ought. Documentation in my workpapers is, aah, not quite as good as it needs to be, shall we say.
That changes on Monday, when I start a new audit.
It’s just a wild guess, but I’m probably not the only auditor that didn’t notice that little requirement. Or maybe I am the only one.
Don’t take my word for it. Here’s the text:
.07 When using external confirmation procedures, the auditor should maintain control over external confirmation requests, including
a. determining the information to be confirmed or requested; (Ref: par. .A2)
b. selecting the appropriate confirming party; (Ref: par. .A3)
c. designing the confirmation requests, including determining that requests are properly directed to the appropriate confirming party and provide for being responded to directly to the auditor; and (Ref: par. .A4–.A7)
d. sending the requests, including follow-up requests, when applicable, to the confirming party. (Ref: par. .A8)
Check out the reference to other explanatory material on point ‘c’. Here’s the detailed comment:
.A7 Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by email, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management. The nature and extent of the necessary procedures is dependent on the risks associated with the particular type of confirmation or address. For example, a confirmation addressing a higher risk assertion or a confirmation address that appears to be potentially less reliable (for example, an electronic confirmation addressed in a manner that appears easier to falsify) may necessitate different or more extensive procedures to determine that the request is directed to the intended recipient. See further guidance in paragraphs .A14–.A15.
Verifying the addresses is now just as much a part of maintaining control over the confirmation as mailing the request yourself, using your envelopes, and providing your BREs for the reply. Oh, that envelope thingie we’ve done forever? It is also a presumptively mandatory requirement.
You will have to figure out what verifying addresses looks like in practice. There will need to be some documentation in your audit files that you validated or verified the addresses.
Monitoring of quality control
And yes, in case you were wondering, this issue will go into my monitoring notes as something I need to improve in my workpapers. Will also note that I realized it and corrected it on my own.
That, by the way, is the purpose of monitoring – figure out what you missed and correct it.
Next post – 3 examples of confirmation fraud.