Step-by-step guide to balance confirmation in auditing

Balance Confirmation in Auditing

Balance confirmation is one of the most powerful—and frequently misapplied—tools in an auditor’s toolkit. It has been established in auditing as an accepted procedure for quite some time now. Indeed, the AICPA and the PCAOB have both formalized their applications. 

In the United States, it has become an expected practice for accounting firms. But, despite being so commonplace, the implementation of the balance confirmation procedure tends to be rather inconsistent in practice. Many accounting firms cut corners in the process.

Indeed, the consequences of failing to implement the balance confirmation procedure properly can range from minor inconveniences to major risks. That’s why it is imperative to ensure that this procedure is implemented with discipline and precision during the audit.

This step-by-step guide on executing balance confirmation is designed specifically for CPAs and auditors who want to learn the ins and outs of this critical procedure.

Understanding what balance confirmation does

First, let us define the purpose of balance confirmation in auditing. As per AU-C Section 505 and applicable PCAOB auditing standards on confirmations, balance confirmation is used as a method to obtain direct audit evidence of the existence and accuracy of an item.

This procedure involves requesting a third party—whether a bank, a creditor, a debtor, or a counterparty—to verify the details reported by the client on their financial statements. Since the verifying party is a third party, not affiliated with the client, the process ensures independence in the validation.

The independence of this procedure has made it an effective source of direct audit evidence. As per the AICPA and the PCAOB, the results of a confirmation serve as direct audit evidence in the examination of accounting records. Thus, the balance confirmation process does not rely on the client for validation purposes.

However, the benefits that this procedure can provide are limited to the extent of its execution. A badly managed balance confirmation process yields low-quality audit evidence.

Indeed, courts, regulators, and even peer reviewers have criticized auditors for relying too heavily on inadequate balance confirmations in their work.

How to implement balance confirmation properly

Step 1: Assess whether balance confirmation is required

Balance confirmation might be an accepted procedure in auditing, but it is not necessarily required for all engagements. Certain criteria determine whether this procedure must be performed.

For starters, consider the nature of the item under examination. Accounts receivable, bank balances, loans payable, and investment accounts are the items most commonly subject to balance confirmation.

Second, the item’s risk assessment must be taken into account. For example, if the item in question has been identified as high-risk for the audit, then balance confirmation is typically expected of the auditor or strongly considered.

Third, it is important to factor in the client’s control environment. Poor internal controls make it more likely that the auditor will use balance confirmation in the audit.

Finally, you need to document your choice. Even if you decide not to conduct the balance confirmation for a significant item, you need to document the rationale for that in your work file, along with the associated risk documentation.


Step 2: Choose the appropriate type of confirmation

There are two types of balance confirmation: positive and negative. The former is more common and preferred over the latter. You should use positive confirmation whenever the account in question is assessed to be high-risk for the audit.

Positive confirmation requests that the recipient respond with whether they agree or disagree with the client’s reported account balance. On the other hand, negative confirmation assumes that the recipient will agree with the reported balance unless they specify otherwise.

Negative confirmation is usually reserved for situations where:

  • The item in question poses little to no risk for the audit
  • The population contains many small accounts
  • There is no reason to assume that the recipient will not respond to the confirmation request.

Indeed, negative confirmations are becoming less popular in the United States. Recent PCAOB inspections have raised concerns regarding overreliance on negative confirmations. In practice, it is safer to opt for the positive confirmation whenever you are unsure which type to choose.

A blank confirmation is a type of positive confirmation where no balance is stated in the request, and the recipient is asked to independently provide the amount.

Since the confirming party needs to confirm the actual balance themselves, a blank confirmation can provide stronger evidence when responses are received. Still, it may result in lower response rates than the regular positive confirmation.

Step 3: Choose the population for balance confirmation

The confirmation population refers to the group of items to be confirmed. This population can include accounts receivable, bank accounts, and other account types.

The selection of the population has to be based on sound judgment. In other words, the items that make up the population must be selected using appropriate sampling techniques, which may be statistical or judgmental, and the selection should be driven by audit risk to prevent bias and fraud.

When dealing with accounts receivable, the population consists of all accounts outstanding as of the confirmation date. Among the accounts comprising the population, the auditor performs sampling to identify which accounts will be confirmed.

It is possible to apply 100 percent confirmation to large accounts, while smaller accounts can be selected using statistical or non-statistical sampling.

It is vital to note that the auditor must retain control over selection, even if the client assists in preparing data. If that doesn’t happen, the audit firm risks compromising the independence of the procedure.

Step 4: Write the confirmation request

The next step is to prepare the confirmation request. Each request should include:

  • The account balance as of the confirmation date
  • Adequate identification data to help the recipient locate the account—account numbers, reference numbers, contract terms, etc.
  • Straightforward wording to ensure clarity

The contact details provided in the request must always belong to the auditor, not the client. Every response must be received directly by the auditor. If the client receives the response on the auditor’s behalf, the evidence is compromised.

The client’s letterhead should be used on the confirmation request. However, the return address must be the auditor’s.

The confirmation date must coincide with the balance sheet date or the date of the account balance being confirmed.

Step 5: Control the distribution of the confirmation requests

This step can easily cause issues for careless auditors. If the client distributes confirmation requests independently, they can manipulate the process.

Indeed, the distribution of requests should be handled solely by the auditor. If the client is distributing the requests, the entire process becomes flawed. Moreover, if the client can access the requests before mailing them, this is a potential avenue for fraud.

Fraud risk is at its highest in this phase. A client planning to defraud can try to hijack outgoing messages, replace the correct contact information with incorrect data, and even generate an entire response. There have been cases in which management provided fictitious third-party contact details—diverting confirmation requests to colluding parties rather than to the true counterparts. It is imperative to verify contact information separately rather than relying solely on information provided by the client.

In practice, this step can involve taking control of the envelopes addressed to the recipients and sending the confirmation requests electronically.

Step 6: Track responses and follow up on non-responses

Auditors should actively monitor responses, including cases where none arrive. To start, set a practical deadline by which you would like to receive responses. A reasonable deadline is typically based on engagement timelines.

Track all the responses that you receive and document the date received, the account balance, and whether it matches the stated balance.

A low response rate is a significant risk factor that often receives too little weight in the evaluation process. It not only raises the possibility of using other verification methods but is itself an important indicator. If a considerable number of confirmations receive no replies, particularly where large or irregular amounts are involved, the auditor should examine whether the low response rate could be indicative of problems within the accounting records.

If you have not received a response to a request by the deadline, follow up by sending another confirmation request. Sometimes, you may need to make more attempts to receive a response.

Remember that non-responses to positive confirmations should never be interpreted as agreement.

Sometimes, the recipient may be unable to respond to the confirmation request. In such cases, you should move to the alternative procedures listed below.

Step 7: Investigate exceptions

If the respondent disagrees with the stated balance, this creates an exception. Possible reasons for this include:

  • Timing differences
  • Payments in transit
  • Goods that the recipient has not received
  • Disagreements between the client and the recipient.

Some exceptions are harmless, but others can indicate deeper problems. Therefore, it is crucial to investigate each of them.

To start the investigation, ask the client to explain. Then, examine the evidence in the client’s work papers. Make sure that the explanation fits the available evidence.

Auditors must also be on the lookout for fabricated confirmations: responses that appear authentic but are actually false. Several signs may indicate that a confirmation is fraudulent: confirmations received far too quickly, no exceptions at all across a considerable number of individuals or transactions, emails sent from addresses that are not affiliated with the company issuing the confirmation, or language that does not fit the normal tone for correspondence between a bank and its counterparties.

When any of these signs are present, the auditor needs to authenticate the confirmation separately. This can be accomplished by calling the individual or organization that issued the confirmation using contact information that was obtained independently of the client.
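The Step 6 tracking rule and the red flags above can be applied mechanically to a response log. The following Python is an added example, not part of the original guide or of any confirmation product; the record fields, the thresholds and the `.example` domains are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from email.utils import parseaddr

# Assumed thresholds: the guide gives no numbers, so set them per engagement.
MIN_TURNAROUND = timedelta(hours=2)  # anything faster counts as "far too quickly"
MIN_CLEAN_POPULATION = 5             # a "considerable number" of answered requests
T0 = datetime(2025, 1, 6, 9, 0)      # constructed send time for the sample data

def sender_domain_ok(sender, verified_domain):
    """True if the sender's domain is the independently verified domain or a subdomain of it."""
    domain = parseaddr(sender)[1].rpartition("@")[2].lower().rstrip(".")
    verified = verified_domain.lower().rstrip(".")
    return bool(domain) and (domain == verified or domain.endswith("." + verified))

def review(conf):
    """Return (status, flags) for one positive confirmation record."""
    if conf["received_at"] is None:
        # A non-response to a positive confirmation is never agreement (Step 6).
        return "non_response", []
    flags = []
    if not sender_domain_ok(conf["sender"], conf["verified_domain"]):
        flags.append("sender_domain_mismatch")
    if conf["received_at"] - conf["sent_at"] < MIN_TURNAROUND:
        flags.append("implausibly_fast")
    status = "agreed" if conf["confirmed"] == conf["stated"] else "exception"
    return status, flags

def review_population(confs):
    """Per-account results plus the population-level 'no exceptions at all' flag."""
    results = {c["account"]: review(c) for c in confs}
    answered = [status for status, _ in results.values() if status != "non_response"]
    all_clean = (len(answered) >= MIN_CLEAN_POPULATION
                 and all(status == "agreed" for status in answered))
    return results, all_clean

def rec(account, sender, domain, hours, stated, confirmed):
    """Build one record; balances are integer cents, hours=None means no reply yet."""
    received = None if hours is None else T0 + timedelta(hours=hours)
    return {"account": account, "sender": sender, "verified_domain": domain,
            "sent_at": T0, "received_at": received, "stated": stated, "confirmed": confirmed}

# Constructed sample log (not from the guide). verified_domain is obtained independently of the client.
SAMPLE = [
    rec("AR-1001", "ar@northwind.example", "northwind.example", 30, 125000, 125000),
    rec("AR-1002", "Treasury <confirm@northwind.example.mail-relay.test>", "northwind.example", 0.25, 80000, 80000),
    rec("AR-1003", "ap@contoso.example", "contoso.example", 50, 40000, 36500),
    rec("AR-1004", None, "fabrikam.example", None, 22000, None),
    rec("AR-1005", "clerk@ap.fabrikam.example", "fabrikam.example", 72, 9900, 9900),
]

if __name__ == "__main__":
    for account, (status, flags) in review_population(SAMPLE)[0].items():
        print(account, status, ", ".join(flags) or "-")
```

A flagged record is a prompt for the separate authentication described next, not a conclusion: AR-1002 agrees with the stated balance yet carries both flags, which is the pattern a fabricated response would show.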

Sometimes, multiple respondents point out the same discrepancy. In such cases, it is advisable to expand the scope of testing and reassess the account’s risk level.

Step 8: Perform alternative procedures for non-response

When the positive confirmation fails to yield a result after several attempts, the auditor should use alternative procedures to validate the account balance.

These procedures are intended to generate evidence as reliable and robust as the results of confirmation. Some examples of alternative procedures for accounts receivable include:

  • Examining subsequent cash receipts
  • Examining shipment documents
  • Examining sales contracts

For instance, if a client’s debtor paid their invoice in full after the balance sheet date, this is persuasive evidence that the balance was accurate as of the date of examination.

Step 9: Electronic confirmation controls 

It is now common practice to use electronic confirmations. This is because they provide faster service, better record-keeping, and are ideal for large-volume transactions. Despite these benefits, the controls cannot be skipped; only the points at which they are applied change.

Auditors should consider both the outcomes and the integrity of the confirmation platform when using one. Platform vendor SOC 2 Type II compliance is a preferred requirement. It means that the platform has been independently and continuously evaluated for its security, availability, and confidentiality over an extended period, rather than through a point-in-time examination. Always request a SOC 2 Type II report before using the electronic confirmation platform and review its findings.

Both data in transit and data at rest must be encrypted. The platform should implement TLS encryption for the former and AES-256 (or another equally robust algorithm) for the latter. Confirmation data is sensitive: it includes account balances, counterparties, and financial records. As such, all of it must be encrypted; otherwise, it poses a considerable confidentiality threat and cannot be used in audits.

Access control is just as crucial as encryption. The platform should ensure that clients cannot access or tamper with the confirmations before the auditors obtain them. Role-based access control, audit trails, and session logging are technical ways to accomplish this. Check the platform’s documentation on access controls and confirm that the client side cannot tamper with the confirmations.

Furthermore, auditors should assess the authentication controls that the confirmation platform applies to respondents. If a respondent can send in the confirmation without having their identity verified, the platform will be vulnerable to the same risks that paper confirmation faces. Multi-factor authentication, domain verification, and digital signature features significantly reduce this risk.

Step 10: Evaluate and document the results

Once the auditor has completed the analysis of the responses and exceptions, they need to evaluate the overall results of the balance confirmation process:

  • Has the objective been achieved? 
  • Do the results of balance confirmation support the evidence collected by the auditor?
  • Is there a need to change the item’s risk assessment based on the results obtained?

As always, the last step in balance confirmation involves documentation. The auditor needs to compile and organize all the evidence obtained from the process into a coherent package.

Under PCAOB rules, the confirmation results must be included in the final audit file. The documentation of the results must be completed within 45 days of report release (for PCAOB engagements). 

The need for purpose-built tools in high-volume confirmation work

High-volume balance confirmation can pose serious challenges for many accounting firms. Tracking dozens or hundreds of responses, managing follow-ups, and documenting everything thoroughly becomes increasingly difficult as the volume grows.

That is why purpose-built tools like AuditConfirm are highly useful for accounting firms and audit professionals. By leveraging software designed specifically for balance confirmation, CPAs can streamline the process significantly and reduce errors in their documentation.

AuditConfirm is designed for those auditors who would like to use balance confirmations as their main audit technique. It will enable you to control the entire process, from issuing the confirmation request to collecting the required evidence, such as reports.

AuditConfirm allows you to see clearly what’s going on with each task related to confirming balances. You will be able to track client-related responses or monitor confirmation status, handle exceptions, and apply an alternative approach when necessary.

AuditConfirm offers robust security features that are vital for managing confidential financial information. At the same time, the software is fully customizable and scalable. Thus, it is suitable for individual auditors, boutique firms, and international organizations alike. Book a demo now! 

FAQs

What sets a positive confirmation apart from a negative confirmation?

Positive confirmations are inquiries to which a reply is required, whether the addressee agrees or disagrees with the amount shown on the request. On the other hand, negative confirmations require a reply only when the addressee disagrees. The absence of a reply is considered. Positive confirmations usually result in more procedures and audit evidence and are generally more suitable for high-risk or material accounts. Only in defined situations are negative confirmations applicable.

What is the auditor’s course of action regarding an unanswered confirmation?

If no positive confirmation is received, it means sufficient evidence has not yet been obtained. The auditor must make an additional attempt to obtain an answer. If the additional attempt fails to produce a reply, the auditor needs to conduct alternative procedures and document the procedure used.

Is it okay to involve the client in the confirmation process?

The client can authorize the issuance of the confirmation. However, the client is not allowed to engage further in the process, which involves preparing and sending the letters and receiving replies. If any responses are delivered via the client, they are deemed unreliable.

How should discrepancies in confirmation replies be addressed?

Each discrepancy must be examined, and the auditor is supposed to find out what caused it. This process includes receiving the client’s explanations and verifying them against other evidence. Similar discrepancies in various confirmation replies suggest expanding the testing to include additional amounts. Every investigation needs to be carefully recorded in the audit file.

Can electronic confirmations be used during audits?

Yes. Electronic confirmations are acceptable provided that the auditor controls the process and the system ensures that responses reach the auditor directly and gives the client no access. The quality of electronic evidence is contingent on the system’s reliability. Auditors need to consider possible risks and select an appropriate system.