What is external confirmation?

ISA 505 defines it as an audit evidence obtained as a direct written response to the auditor from a third
party (the confirming party), in paper form, or by electronic or other medium. Let us review what
auditing standards have to say for these external confirmation procedures. Under traditional audit, we
select the financial institutions where the entity has a banking relationship for bank confirmation. As per
ISA 505 – External Confirmations, when using external confirmation procedures, the auditor shall
maintain control over external confirmation requests, including:

(a) Determining the information to be confirmed or requested; (Ref: Para. A1)

(b) Selecting the appropriate confirming party; (Ref: Para. A2)
(c) Designing the confirmation requests, including determining that requests are properly addressed and
contain return information for responses to be sent directly to the auditor; and (Ref: Para. A3–A6)
(d) Sending the requests, including follow-up requests when applicable, to the confirming party. (Ref:
Para. A7)

If management refuses to allow the auditor to send a confirmation request, the

auditor shall:

(a) Inquire as to management’s reasons for the refusal, and seek audit evidence as to their validity and
reasonableness; (Ref: Para. A8)
(b) Evaluate the implications of management’s refusal on the auditor’s assessment of the relevant risks of
material misstatement, including the risk of fraud, and on the nature, timing and extent of other audit
procedures; and (Ref: Para. A9)
(c) Perform alternative audit procedures designed to obtain relevant and reliable audit evidence. (Ref:
Para. A10)

In addition to bank confirmations,

Evaluating the results of the external confirmation responses poses a challenge to auditors to verify its
authenticity, the authority of the person who completed the information and other details stated in the
confirmation reply. ISA 500 indicates that the reliability of audit evidence is influenced by its source and
by its nature, and is dependent on the individual circumstances under which it is obtained. Please refer to
the “Verify Reliability” tab as it was discussed extensively.

Obtaining audit confirmations from third parties can be a tricky and time-consuming process for us -
auditors. Non-responses are common, creating additional work, and causing delays to audit completion.

With the advancement of technology, it seems that the firm's way of sending out confirmation requests
and receiving confirmation replies have been left behind. Apparently, we have not taken the higher
ground in changing the way we perform our confirmation procedures. We are all caged in the fact that
receiving replies in its original form is the best way to obtain reasonable assurance that no risk of
material misstatement exists. Is this really the ideal way? Is there a way to simplify it - to the requestor
(auditors), the confirming parties (banks, law firm, etc.) and client – without compromising quality,
sacrificing effectiveness & efficiency, disrupting functionality? As we venture towards virtual audit in
probably one of the most difficult times of our lifetime, there is no way that we can be allowed to go the
office and do the tedious work of folding letters, writing delivery form for it, and forwarding it to GOS for
sending. We cannot risk to let any of our people be in danger just to perform this tiresome sending out of
confirmation procedures.