PCAOB’s revised AS 2310 is adopted for fiscal years ending June 15, 2025, and beyond. Here is what CPAs need to act on, precisely.
PCAOB audit standards: a standard that outlived its era
PCAOB AS 2310: The Auditor’s Use of Confirmation was initially written well over thirty years ago and has had few changes since its adoption in 2003 by the PCAOB, which received the standard from the AICPA’s AU section. It was created in an environment of paper correspondence and faxes, but it did not include the concept of electronic intermediaries or the associated fraud risks.
The PCAOB adopted the updated standard to improve audit quality, given changes in how communication takes place and how business is conducted, particularly in the confirmation process. While the update can be viewed as more than just a facelift, the PCAOB has comprehensively revised and replaced the previous version of AS 2310.
This standard will become effective for audits of fiscal years ending on or after June 15, 2025, including audits for the calendar year ending December 31, 2025.
PCAOB confirmation rules: What this looks like on a real engagement
Now imagine an audit of a medium-sized issuer. Negative confirmations have been sent to the same high-volume customer list for accounts receivable in three consecutive years. Response rates are poor but consistent with past years. Cash is substantiated using bank statements obtained from management. No findings regarding the confirmation process were found in last year’s file.
In accordance with the updated standard AS 2310, this methodology is flawed in two ways. First, cash confirmed only by the client’s statement will not meet the requirements under the updated standard. The other flaw concerns the negative confirmations, which alone cannot be used as evidence for accounts receivable. Both methodologies will need to be altered: The bank statement methodology should be replaced with direct confirmation of the bank records, while the negative confirmation process needs to be supported by other substantive tests.
The prior-year file is not a safe baseline. It reflects a standard that no longer applies.
PCAOB audit confirmation requirements: Five provisions that change day-to-day audit work
Let’s understand how PCAOB confirmation rules affect auditors since they’ve changed:
1. Cash confirmation is now mandatory.
The revised standard generally requires auditors to obtain third-party audit evidence to confirm cash and cash equivalents held by external parties or gather sufficient evidence through external confirmations in auditing. While confirming cash balances was already a common audit practice, the revised standard formalizes and strengthens the requirement.
2. Negative confirmations alone are insufficient.
The revised standard states that negative confirmations alone ordinarily do not provide sufficient appropriate audit evidence. It provides examples of cases in which the auditor uses negative confirmations in conjunction with other substantive tests of transactions and account balances. In this case, the use of negative confirmations is considered an adjunctive technique, rather than the primary means.
According to the PCAOB audit standards, it applies in rare instances where such a technique, combined with other techniques, constitutes adequate evidence when the level of risk assessment is relatively low, and there is adequate evidence of controls’ design and effectiveness; the population consists of numerous identical small units; and the expected exception rate is relatively low.
3. Auditor control is an explicit, enumerated requirement.
PCAOB updates for audit confirmations highlight the auditor’s responsibility to monitor the entire confirmation process. It is the auditor’s responsibility to select the items to be confirmed and to send the confirmation requests.
According to the PCAOB adopting release (Release No. 2023-008), there is a series of enforcement actions in which the auditors failed to fulfill their obligations under the standards of confirmations. Cases where the violations occurred in relation to confirmations include “In the Matter of PMB Helin Donovan, LLP” (Rel. No. 105-2019-031, December 2019). There have been several such cases in recent years, suggesting that this problem is still unsolved. Previously, it was more of an implicit obligation, but now it is an explicit one, with an inspection standard to follow.
4. Intermediaries require active, documented evaluation.
The auditor should gain knowledge of the controls in place at the intermediary to assess the possibility of interception and modification of the confirmation request and reply, and ascertain the effectiveness of such controls.
Appendix B of the revised standard governs this analysis and includes a requirement the PCAOB designed specifically to address fraud risk: the auditor must assess whether the intermediary has a relationship with the audited company that could compromise the independence of the confirmation process. Using a familiar confirmation platform without conducting this evaluation is not compliant. If the intermediary cannot be adequately assessed, confirmations must be sent without it, or alternative procedures performed under Appendix C.
5. Alternative procedures must match the assertion being tested.
If there is a refusal to respond or a partial response, the auditor should undertake other audit procedures related to the selected item in accordance with Appendix C. The use of standard audit procedures that do not appropriately address the specific assertion under examination, in lieu of an unsuccessful confirmation request, is considered unacceptable.
PCAOB updates for audit confirmations: the risk assessment and fraud connections
PCAOB updates for audit confirmations link the guidelines on auditors’ application of confirmations on assessing risks by applying a risk-based approach to confirmations, while also emphasizing the auditor’s responsibility to seek reliable audit evidence. The revised standard emphasizes that confirmation procedures should be designed in response to assessed risks, rather than applied as a routine or carry-forward exercise. Historical carry-over methods that have disregarded this reasoning have caused problems during inspections.
Regarding the fraud issue, it is covered explicitly. As mentioned by Erica Williams, the Chair of PCAOB, “The new standard will assist auditors in detecting fraud and protecting investors now and for years to come.”
A specific provision —AS 2310 in section .30 — requires that for significant risks of material misstatement associated with complex or unusual transactions, the auditor should consider confirming the terms of that transaction associated with a significant risk, including a fraud risk — examples include terms related to oral side agreements, bill and hold sales, and supplier discounts or concessions. Engagements with material related-party activity or non-standard transaction structures require evaluating whether this provision applies before the engagement closes.
The accounts receivable feasibility exception
In fact, the requirement regarding the confirmation of accounts receivable remains the same, while it provides more precise guidance on when such confirmation is not considered feasible. The revised standard retains the longstanding requirement to confirm accounts receivable unless the auditor concludes that confirmation is ineffective or impracticable. The update provides clearer guidance on when confirmation may not be feasible, including situations in which prior experience with the entity or similar entities indicates that responses are unlikely to be obtained and that alternative procedures would provide more reliable evidence.
It is worth noting that both criteria should be met: the one related to experience and the other to expectations. Such an approach is especially relevant to business-to-consumer-oriented issuers and e-commerce entities.
What the inspection data tells CPAs
According to the PCAOB’s 2024 Inspection Spotlight, Part I.A deficiency rates declined year over year. The overall rate decreased to 39 percent in 2024, down from 46 percent in 2023. The Big Four rate decreased to 20 percent from 26 percent. For annually inspected non-affiliated firms, the rate decreased only marginally — to 52 percent in 2024 from 53 percent in 2023.
These inspections covered fiscal years ending in 2023, before the revised AS 2310 took effect. The first inspection cycle subject to the new confirmation standard covers fiscal years ending on or after June 15, 2025. Inspectors will have a more precise standard to test against. While the PCAOB does not expect the new standard to eliminate inspection deficiencies, it is intended to clarify auditor responsibilities. That clarity will likely increase consistency in inspection and enforcement evaluations. The five provisions above are exactly where that map points.
Conclusion: the standard is precise, your process should be too
The revised PCAOB confirmation rules raise the standard of care required to execute confirmation procedures — and provide a specific, enumerated framework for inspectors to evaluate that rigor.
The operational concerns for certified public accountants at this point are practical: Is the confirmation method based on the risk assessment process? Is the confirmation method used to replace the client-supplied bank statements? Have negative confirmation methods been reassessed in light of the three criteria? Does the intermediary system provide an evaluation of its interaction with the audited company beyond that of its performance? Do alternative procedures being applied correspond to the particular assertions that they replace? If receivables confirmation is not considered feasible, is that rationale captured?
These are not abstract compliance questions. They are the questions a PCAOB inspector will ask when reviewing the first wave of fiscal year 2025 engagements.
AuditConfirm is designed to support audit teams navigating the revised AS 2310 environment by enabling auditor-controlled confirmation workflows, centralized documentation, and transparency assessments for intermediaries. Its intermediary transparency framework supports the Appendix B evaluation, including the relationship-with-company assessment required by the standard. And its documentation infrastructure is aligned with the evidentiary standards PCAOB inspectors will now apply. Not just that, it also follows the PCAOB AS 1105 standards.
The standard is precise. The platform built to meet it should be too.
FAQs
This new standard emphasizes the requirement that reflects the increasing use of electronic communication and intermediaries in the confirmation process. The auditor should evaluate whether the electronic confirmation process produces sufficiently reliable audit evidence, including consideration of intermediary controls and fraud risks.
Test your previous year’s confirmation procedures against the requirements of the newly issued AS 2310, which comprises five items, before the end of your next audit. It is advisable to conduct an internal training program on the new standard requirements. Also, organize your evidence centrally.
The new approach will be principles-based and applicable to both paper-based and electronic confirmations. The auditor should consider the controls of the intermediary for intercepting communications and examine any connection between the intermediary and the client firm. The auditor should ensure that the electronic response achieves the same level of reliability as a paper response.
Yes, without exception. The PCAOB determined that applying the amendments to audits of emerging growth companies is necessary or appropriate in the public interest. EGC auditors are subject to the same revised AS 2310 requirements as those auditing large accelerated filers.
The non-response situation necessitates an alternative process rather than just noting it down. In the case of non-response, the auditor should conduct alternative procedures in accordance with the guidelines in Appendix C and consider the consequences for assessing the risks of material misstatement, including fraud risk.