A new standard, AS 2310, The Auditor’s Use of Confirmation, has been adopted by the PCAOB and approved by the U.S. Securities and Exchange Commission. The new standard will replace AS 2310, The Confirmation Process, in its entirety and will be effective for audits of financial statements for fiscal years ending on or after June 15, 2025. See PCAOB Release No. 2023-008, SEC Release No. 34-99060. View the new standard.
.01 This section provides guidance about the confirmation process in audits performed in accordance with the standards of the PCAOB. This section—
.02 This section does not address the extent or timing of confirmation procedures. Guidance on the extent of audit procedures (that is, considerations involved in determining the number of items to confirm) is found in AS 2315, Audit Sampling, and AS 2301, The Auditor's Responses to the Risks of Material Misstatement. Guidance on the timing of audit procedures is included in AS 2301.
.03 In addition, this section does not address matters described in AS 2505, Inquiry of a Client's Lawyer Concerning Litigation, Claims, and Assessments.
.04 Confirmation is the process of obtaining and evaluating a direct communication from a third party in response to a request for information about a particular item affecting financial statement assertions. The process includes—
.05 AS 1101, Audit Risk, discusses the audit risk model. It describes the concept of assessing inherent and control risks, determining the acceptable level of detection risk, and designing an audit program to achieve an appropriately low level of audit risk. The auditor uses the audit risk assessment in determining the audit procedures to be applied, including whether they should include confirmation.
.06 Confirmation is undertaken to obtain evidence from third parties about financial statement assertions made by management. See paragraph .08 of AS 1105, Audit Evidence, which discusses the reliability of audit evidence.
.07 The greater the combined assessed level of inherent and control risk, the greater the assurance that the auditor needs from substantive tests related to a financial statement assertion. Consequently, as the combined assessed level of inherent and control risk increases, the auditor designs substantive tests to obtain more or different evidence about a financial statement assertion. In these situations, the auditor might use confirmation procedures rather than or in conjunction with tests directed toward documents or parties within the entity.
.08 Unusual or complex transactions may be associated with high levels of inherent risk and control risk. If the entity has entered into an unusual or complex transaction and the combined assessed level of inherent and control risk is high, the auditor should consider confirming the terms of the transaction with the other parties in addition to examining documentation held by the entity. For example, if the combined assessed level of inherent and control risk over the occurrence of revenue related to an unusual, year-end sale is high, the auditor should consider confirming the terms of that sale.
.09 The auditor should assess whether the evidence provided by confirmations reduces audit risk for the related assertions to an acceptably low level. In making that assessment, the auditor should consider the materiality of the account balance and his or her inherent and control risk assessments. When the auditor concludes that evidence provided by confirmations alone is not sufficient, additional procedures should be performed. For example, to achieve an appropriately low level of audit risk related to the completeness and existence assertions for accounts receivable, an auditor may perform sales cutoff tests in addition to confirming accounts receivable.
.10 The lower the combined assessed level of inherent and control risk, the less assurance the auditor needs from substantive tests to form a conclusion about a financial statement assertion. Consequently, as the combined assessed level of inherent and control risk decreases for a particular assertion, the auditor may modify substantive tests by changing their nature from more effective (but costly) tests to less effective (and less costly) tests. For example, if the combined assessed level of inherent and control risk over the existence of cash is low, the auditor might limit substantive procedures to inspecting client-provided bank statements rather than confirming cash balances.
.11 For the evidence obtained to be appropriate, it must be reliable and relevant. Factors affecting the reliability of confirmations are discussed in paragraphs .16 through .27. The relevance of evidence depends on its relationship to the financial statement assertion being addressed. AS 1105 classifies financial statement assertions into five categories:
.12 Confirmation requests, if properly designed by the auditor, may address any one or more of those assertions. However, confirmations do not address all assertions equally well. Confirmation of goods held on consignment with the consignee would likely be more effective for the existence and the rights-and-obligations assertions than for the valuation assertion. Accounts receivable confirmations are likely to be more effective for the existence assertion than for the completeness and valuation assertions. Thus, when obtaining evidence for assertions not adequately addressed by confirmations, auditors should consider other audit procedures to complement confirmation procedures or to be used instead of confirmation procedures.
.13 Confirmation requests can be designed to elicit evidence that addresses the completeness assertion: that is, if properly designed, confirmations may provide evidence to aid in assessing whether all transactions and accounts that should be included in the financial statements are included. Their effectiveness in addressing the completeness assertion depends, in part, on whether the auditor selects from an appropriate population for testing. For example, when using confirmations to provide evidence about the completeness assertion for accounts payable, the appropriate population might be a list of vendors rather than the amounts recorded in the accounts payable subsidiary ledger.
.14 Some confirmation requests are not designed to elicit evidence regarding the completeness assertion. For example, the AICPA Standard Form to Confirm Account Balance Information With Financial Institutions is designed to substantiate information that is stated on the confirmation request; the form is not designed to provide assurance that information about accounts not listed on the form will be reported.
.15 The auditor should exercise an appropriate level of professional skepticism throughout the confirmation process (see AS 1015, Due Professional Care in the Performance of Work). Professional skepticism is important in designing the confirmation request, performing the confirmation procedures, and evaluating the results of the confirmation procedures.
.16 Confirmation requests should be tailored to the specific audit objectives. Thus, when designing the confirmation requests, the auditor should consider the assertion(s) being addressed and the factors that are likely to affect the reliability of the confirmations. Factors such as the form of the confirmation request, prior experience on the audit or similar engagements, the nature of the information being confirmed, and the intended respondent should affect the design of the requests because these factors have a direct effect on the reliability of the evidence obtained through confirmation procedures.
.17 There are two types of confirmation requests: the positive form and the negative form. Some positive forms request the respondent to indicate whether he or she agrees with the information stated on the request. Other positive forms, referred to as blank forms, do not state the amount (or other information) on the confirmation request, but request the recipient to fill in the balance or furnish other information.
.18 Positive forms provide audit evidence only when responses are received from the recipients; nonresponses do not provide audit evidence about the financial statement assertions being addressed.
.19 Since there is a risk that recipients of a positive form of confirmation request with the information to be confirmed contained on it may sign and return the confirmation without verifying that the information is correct, blank forms may be used as one way to mitigate this risk. Thus, the use of blank confirmation requests may provide a greater degree of assurance about the information confirmed. However, blank forms might result in lower response rates because additional effort may be required of the recipients; consequently, the auditor may have to perform more alternative procedures.
.20 The negative form requests the recipient to respond only if he or she disagrees with the information stated on the request. Negative confirmation requests may be used to reduce audit risk to an acceptable level when ( a ) the combined assessed level of inherent and control risk is low, ( b ) a large number of small balances is involved, and ( c ) the auditor has no reason to believe that the recipients of the requests are unlikely to give them consideration. For example, in the examination of demand deposit accounts in a financial institution, it may be appropriate for an auditor to include negative confirmation requests with the customers' regular statements when the combined assessed level of inherent and control risk is low and the auditor has no reason to believe that the recipients will not consider the requests. The auditor should consider performing other substantive procedures to supplement the use of negative confirmations.
.21 Negative confirmation requests may generate responses indicating misstatements, and are more likely to do so if the auditor sends a large number of negative confirmation requests and such misstatements are widespread. The auditor should investigate relevant information provided on negative confirmations that have been returned to the auditor to determine the effect such information may have on the audit. If the auditor's investigation of responses to negative confirmation requests indicates a pattern of misstatements, the auditor should reconsider his or her combined assessed level of inherent and control risk and consider the effect on planned audit procedures.
.22 Although returned negative confirmations may provide evidence about the financial statement assertions, unreturned negative confirmation requests rarely provide significant evidence concerning financial statement assertions other than certain aspects of the existence assertion. For example, negative confirmations may provide some evidence of the existence of third parties if they are not returned with an indication that the addressees are unknown. However, unreturned negative confirmations do not provide explicit evidence that the intended third parties received the confirmation requests and verified that the information contained on them is correct.
.23 In determining the effectiveness and efficiency of employing confirmation procedures, the auditor may consider information from prior years' audits or audits of similar entities. This information includes response rates, knowledge of misstatements identified during prior years' audits, and any knowledge of inaccurate information on returned confirmations. For example, if the auditor has experienced poor response rates to properly designed confirmation requests in prior audits, the auditor may instead consider obtaining audit evidence from other sources.
.24 When designing confirmation requests, the auditor should consider the types of information respondents will be readily able to confirm, since the nature of the information being confirmed may directly affect the appropriateness of the evidence obtained as well as the response rate. For example, certain respondents' accounting systems may facilitate the confirmation of single transactions rather than of entire account balances. In addition, respondents may not be able to confirm the balances of their installment loans, but they may be able to confirm whether their payments are up-to-date, the amount of the payment, and the key terms of their loans.
.25 The auditor's understanding of the client's arrangements and transactions with third parties is key to determining the information to be confirmed. The auditor should obtain an understanding of the substance of such arrangements and transactions to determine the appropriate information to include on the confirmation request. The auditor should consider requesting confirmation of the terms of unusual agreements or transactions, such as bill and hold sales, 1 in addition to the amounts. The auditor also should consider whether there may be oral modifications to agreements, such as unusual payment terms or liberal rights of return. When the auditor believes there is a moderate or high degree of risk that there may be significant oral modifications, he or she should inquire about the existence and details of any such modifications to written agreements. One method of doing so is to confirm both the terms of the agreements and whether any oral modifications exist.
.26 The auditor should direct the confirmation request to a third party who the auditor believes is knowledgeable about the information to be confirmed. For example, to confirm a client's oral and written guarantees with a financial institution, the auditor should direct the request to a financial institution official who is responsible for the financial institution's relationship with the client or is knowledgeable about the transactions or arrangements.
.27 If information about the respondent's competence, knowledge, motivation, ability, or willingness to respond, or about the respondent's objectivity and freedom from bias with respect to the audited entity 2 comes to the auditor's attention, the auditor should consider the effects of such information on designing the confirmation request and evaluating the results, including determining whether other procedures are necessary. In addition, there may be circumstances (such as for significant, unusual year-end transactions that have a material effect on the financial statements or where the respondent is the custodian of a material amount of the audited entity's assets) in which the auditor should exercise a heightened degree of professional skepticism relative to these factors about the respondent. In these circumstances, the auditor should consider whether there is sufficient basis for concluding that the confirmation request is being sent to a respondent from whom the auditor can expect the response will provide meaningful and appropriate evidence.
.28 During the performance of confirmation procedures, the auditor should maintain control over the confirmation requests and responses. Maintaining control 3 means establishing direct communication between the intended recipient and the auditor to minimize the possibility that the results will be biased because of interception and alteration of the confirmation requests or responses.
.29 There may be situations in which the respondent, because of timeliness or other considerations, responds to a confirmation request other than in a written communication mailed to the auditor. When such responses are received, additional evidence may be required to support their validity. For example, facsimile responses involve risks because of the difficulty of ascertaining the sources of the responses. To restrict the risks associated with facsimile responses and treat the confirmations as valid audit evidence, the auditor should consider taking certain precautions, such as verifying the source and contents of a facsimile response in a telephone call to the purported sender. In addition, the auditor should consider requesting the purported sender to mail the original confirmation directly to the auditor. Oral confirmations should be documented in the workpapers. If the information in the oral confirmations is significant, the auditor should request the parties involved to submit written confirmation of the specific information directly to the auditor.
.30 When using confirmation requests other than the negative form, the auditor should generally follow up with a second and sometimes a third request to those parties from whom replies have not been received.
.31 When the auditor has not received replies to positive confirmation requests, he or she should apply alternative procedures to the nonresponses to obtain the evidence necessary to reduce audit risk to an acceptably low level. However, the omission of alternative procedures may be acceptable ( a ) when the auditor has not identified unusual qualitative factors or systematic characteristics related to the nonresponses, such as that all nonresponses pertain to year-end transactions, and ( b ) when testing for overstatement of amounts, the nonresponses in the aggregate, when projected as 100 percent misstatements to the population and added to the sum of all other unadjusted differences, would not affect the auditor's decision about whether the financial statements are materially misstated.
.32 The nature of alternative procedures varies according to the account and assertion in question. In the examination of accounts receivable, for example, alternative procedures may include examination of subsequent cash receipts (including matching such receipts with the actual items being paid), shipping documents, or other client documentation to provide evidence for the existence assertion. In the examination of accounts payable, for example, alternative procedures may include examination of subsequent cash disbursements, correspondence from third parties, or other records to provide evidence for the completeness assertion.
.33 After performing any alternative procedures, the auditor should evaluate the combined evidence provided by the confirmations and the alternative procedures to determine whether sufficient evidence has been obtained about all the applicable financial statement assertions. In performing that evaluation, the auditor should consider ( a ) the reliability of the confirmations and alternative procedures; ( b ) the nature of any exceptions, including the implications, both quantitative and qualitative, of those exceptions; ( c ) the evidence provided by other procedures; and ( d ) whether additional evidence is needed. If the combined evidence provided by the confirmations, alternative procedures, and other procedures is not sufficient, the auditor should request additional confirmations or extend other tests, such as tests of details or analytical procedures.
.34 For the purpose of this section, accounts receivable means—
Confirmation of accounts receivable is a generally accepted auditing procedure. As discussed in paragraph .06, it is generally presumed that evidence obtained from third parties will provide the auditor with higher-quality audit evidence than is typically available from within the entity. Thus, there is a presumption that the auditor will request the confirmation of accounts receivable during an audit unless one of the following is true:
.35 An auditor who has not requested confirmations in the examination of accounts receivable should document how he or she overcame this presumption.
.36 This section is effective for audits of fiscal periods ending after June 15, 1992. Early application of this section is permissible.
1 Bill and hold sales are sales of merchandise that are billed to customers before delivery and are held by the entity for the customers.
2 AS 2410, Related Parties, establishes requirements regarding the auditor's evaluation of relationships and transactions between the company and its related parties.
3 The need to maintain control does not preclude the use of internal auditors in the confirmation process. AS 2605, Consideration of the Internal Audit Function, provides guidance on considering the work of internal auditors and on using internal auditors to provide direct assistance to the auditor.
4 For example, if, based on prior years' audit experience or on experience with similar engagements, the auditor concludes that response rates to properly designed confirmation requests will be inadequate, or if responses are known or expected to be unreliable, the auditor may determine that the use of confirmations would be ineffective.