Bank statements play an important role in practically any audit process. Bank statements provide independent evidence of cash activity and balances during the audit period. Despite that, the audit of bank statements is perceived as a procedural task – just something to tick off the list, instead of an investigation. That approach can weaken audit quality.
The risks associated with weak cash auditing procedures are significant. As indicated by ACFE’s Occupational Fraud 2024: A Report to the Nations – the largest research on occupational fraud ever performed – a regular company loses 5% of its annual income due to fraud. Asset misappropriation, including both cash theft and cash account manipulation, accounts for 89% of all reported fraud cases, with a median loss per case of $120,000. If we are talking about financial statement fraud, the median loss is up to $766,000.
For accounting firms handling large-scale audits – whether for private enterprises, NGOs, or governments – a proper framework for bank statement review becomes imperative. It is what distinguishes sound audit conclusions from those that are unsubstantiated.
This blog guides you, step-by-step, on how accounting firms audit bank statements. It describes the requirements stated by the standards, what good firms actually do, and where the process tends to break down.
Why are bank statements audited separately?
A general ledger can be manipulated. Journal entries can be altered after the fact. Account balances can be restated.
Bank statements and bank confirmations obtained directly from financial institutions are generally considered more reliable than internally generated client records because they originate from independent external sources. That is why auditors treat them as an independent corroboration tool rather than just a supporting document.
Under AU-C Section 505, auditors are required to design and perform external confirmation procedures when responsive to assessed risks of material misstatement and when confirmations are expected to provide relevant and reliable audit evidence. Cash and cash-equivalent balances are often considered higher-risk areas because of their susceptibility to misappropriation and fraud.
The underlying logic: if the bank says the balance is X and the client says it is Y, something needs to be explained.
For firms conducting audits under International Standards on Auditing, the governing standard is ISA 505, issued by the International Auditing and Assurance Standards Board (IAASB). While ISA 505 and AU-C 505 differ in certain procedural requirements, the core principle is identical: confirmation evidence must come directly from the third party to the auditor, not through the client.
The bank statement audit process: stage by stage
Stage 1: Planning and risk assessment
No audit procedure stands alone. Before even looking at one bank statement, auditors need to consider where the risk lies in the financial statements. That requires reviewing the client’s internal controls for cash, identifying who is responsible for making payments and performing the reconciliation, and whether those duties are segregated.
It means identifying which accounts are important. A big corporation might have many bank accounts, including operating accounts, payroll accounts, escrow accounts, and foreign-currency accounts. It’s up to the auditor to decide which to test in full, which by analysis, and which aren’t risky.
For registered firms working with US public company clients, PCAOB AS 2310 governs the confirmation process. PCAOB AS 2301 provides the broader planning framework, linking the assessment of fraud risks to the design of substantive procedures — including those involving cash.
Stage 2: Evaluating evidence under SAS 142
Audit teams need to be aware of the standards for the quality of evidence to be collected before they send out confirmation requests. The updated SAS 142, which became effective for periods ending on or after December 15, 2022, improved on AU-C 500 and modified how auditors evaluate the sufficiency and appropriateness of audit evidence.
This standard is highly relevant to bank statement verification audits. The new SAS 142 states that the auditor’s role goes beyond simply collecting evidence, since the auditor must evaluate the reliability of the evidence, depending on its source, circumstances, and methods used to collect it.
Bank confirmations sent via a controlled platform are reliable in a manner different from those sent via an uncontrolled email system.
Stage 3: Requesting bank confirmations
The confirmation process is a central component of substantive cash testing.
The audit confirmation letter is sent by the auditor rather than the client, which makes all the difference. Where the client controls the confirmation process, there is no independence of evidence.
A common practice when conducting audits in the United States includes sending confirmation letters to the bank of the client and asking it to verify:
– Balances as at the audit date
– Balances and terms of loans
– Lines of credit and collateral
– Contingencies or guarantees
– Accounts that have been closed down
Standardized bank confirmation forms, including those commonly used in AICPA-based engagements, are frequently used in practice. Many companies use online confirmation services, which are much more convenient and secure than paper-based confirmations.
To preserve reliability, confirmation responses should be returned directly to the auditor through controlled channels.
Stage 4: Reconciliation of the confirmed balances to the general ledger
Once confirmations are completed, the reconciliation process begins. It is uncommon for a confirmed bank balance to exactly match the corresponding book balance, and such differences are generally expected.
Differences in timing, especially outstanding checks and deposits in transit, explain most of the difference. Nonetheless, the reconciliation still needs to be tested thoroughly.
Auditors look for:
Outstanding checks that are suspiciously old: A check outstanding for six months on a reconciliation is a red flag. It may indicate a fraudulent disbursement that was never cashed or a fictitious liability.
Deposits in transit that don’t clear promptly: If a deposit recorded in December doesn’t appear on the January bank statement, that warrants explanation. Lapping — a form of fraud where funds from one account are used to cover another — often surfaces here.
Reconciling items that are round numbers: Round-number reconciling items may warrant additional scrutiny because unusual or fabricated transactions can sometimes appear less operationally granular than routine activity. A $10,000 reconciling item deserves more scrutiny than a $9,847.32 one.
Journal entries are made to the cash account near the end of the period. Top-side adjustments to cash accounts without supporting documentation are a consistent indicator of manipulation.
Stage 5: Testing cut-off
Cut-off testing evaluates whether transactions were recorded in the appropriate accounting period. In relation to the bank statement, this will involve analyzing transactions that occur before and after the balance sheet date.
In most cases, auditors analyze transactions related to the bank account in the last five to ten days of the current accounting period and the first five to ten days of the next accounting period.
This is intended to determine whether any manipulation occurs during the recording of these transactions.
Stage 6: Tracing to supporting documentation
It is crucial to confirm and reconcile balances; however, it is not sufficient on its own. As per the bank statement audit process, important transactions should always be backed by supporting documents.
Either invoices or contracts should back transactions above the threshold limit, whereas cash payments should be supported by customer invoices or sales contracts. It may be quite challenging for accounting firms to audit organizations involved in construction, real estate, or finance.
However, there is no other way to ensure that the transactions shown in the bank statement are genuine.
Stage 7: Evaluating intercompany and related-party transfers
Bank statements frequently reveal transactions that are not apparent in the general ledger. Transfers between related entities, payments to parties with undisclosed relationships, and unusual wire activity all tend to surface here.
Auditors are required under AU-C Section 550 to evaluate whether related-party transactions are identified, properly authorized, and disclosed in the financial statements.
A wire transfer to an entity not listed on the client’s disclosed related-party schedule requires explanation. So does a pattern of transfers to the same third party around period-end.
Where the process most often breaks down
Even experienced firms encounter failures in the bank statement audit process. The most common:
Over-reliance on client-prepared reconciliations: Accepting a reconciliation without verifying the underlying transactions constitutes inadequate audit evidence. Reconciliation itself needs to be verified.
Confirmation for accounts other than those known to the auditor: Confirmation requests should specifically ask the bank to disclose any other accounts they may have with the entity during the year, regardless of whether they were opened or closed during the period.
No action taken when no reply from the bank: If confirmation responses are not received, auditors are generally required to perform alternative procedures, such as inspecting subsequent bank statements, reviewing reconciliations, examining canceled checks, or inspecting other supporting bank documentation.
Not testing the completeness of the reconciliation population: An agreement to reconcile items alone is not adequate. Auditors need to verify that all items that should appear on the reconciliation are present.
Treating SAS 142 as merely a documentation exercise: It is necessary to evaluate the reliability of the evidence according to how it was obtained. An unsecured method of obtaining bank confirmation via email would be unreliable compared to a controlled, secure method.
A note on digital confirmation platforms
There are many recognized shortcomings associated with the paper confirmation system. Interception, modification, and delay are all valid threats. The use of digital confirmation systems reduces many of these weaknesses by enabling safe, direct communication between the auditor and the financial institution.
The AICPA has already acknowledged the use of electronic confirmation systems provided proper controls are in place, and SAS 142 provides clear guidelines regarding the interpretation of what constitutes “proper controls” when assessing the credibility of electronically obtained evidence.
Many savings are achieved for companies dealing with large numbers of bank confirmations. However, the core audit principle remains unchanged: auditors must maintain control over the confirmation process.
Conclusion
The bank statement audit process for accounting firms involves far more than simply verifying balances. A proper bank statement verification audit evaluates whether reported cash activity is complete, accurate, and supported by reliable external evidence.
When performed correctly, the bank statement audit process helps auditors identify reconciliation issues, detect unusual transactions, uncover potential fraud risks, and strengthen the overall quality of audit evidence supporting the financial statements.
As accounting firms modernize how they audit bank statements, digital confirmation platforms are becoming an increasingly important part of the audit workflow. AuditConfirm enables auditors to obtain bank statements and balance confirmations directly from financial institutions while maintaining auditor control over the confirmation process.
By streamlining bank confirmation requests, organizing audit evidence, and supporting secure documentation workflows, AuditConfirm helps make the bank statement audit process for accounting firms more efficient while preserving the professional skepticism and auditor judgment that remain essential throughout the engagement.Note: This blog is informational only and does not constitute audit, accounting, or legal advice. Audit requirements vary depending on the type of engagement, jurisdiction, and standards applicable. Professional standard-setting bodies such as AICPA, PCAOB, and IAASB are good sources for audit standards.
FAQs
The accounting firm verifies bank statements by sending direct confirmation letters to the bank where the accounts are held, rather than asking the client to verify. The reconciliations are done after confirming the balances and checking them against the supporting documents. The bank statement verification audit is regulated in the USA by AU-C Section 505 and globally by ISA 505.
A bank statement verification audit requires bank statements for all periods being audited, direct confirmation of bank balances, client-prepared reconciliations, and general ledger cash detail. Authorization documents for material disbursements, loan agreement documents, and transfer documents between entities must also be provided where relevant.
In reviewing the bank statements, the accounting firm examines stale outstanding checks, un-cleared deposits in transit, reconciling items that appear to be rounded, and top-side journal entries near the end of the period. An unusual wire transfer to an undisclosed related party is another major clue.
The auditing procedure that accounting firms perform when auditing bank statements includes external verification, reconciliation tests, cut-off tests, transaction tracing, and examination of related-party transfers. Auditors often examine transactions occurring immediately before and after period-end to evaluate cut-off accuracy, although the specific testing window varies based on risk and engagement circumstances.
In the case of simple auditing, the bank statement audit process takes a couple of days after the confirmations have been received. For complex customers with many accounts and large transaction amounts, the bank statement audit process can take weeks, especially when there are no responses.