Vendor balances lie quietly in the general ledger. They look clean. They reconcile. Then, during litigation, a regulatory review, or a routine accounts payable confirmation audit, a discrepancy surfaces. It was always there. Nobody bothered to confirm it.
Accounts payable confirmations are not glamorous. They sit in the background of audit planning, often reduced to a procedural formality. But for CPAs conducting financial statement audits, especially in the US, where PCAOB and AICPA standards demand substantive testing, this process is a material risk control. Get it wrong, and the consequences run from qualified opinions to regulatory penalties.
This guide walks through a practical checklist and sample templates for conducting accounts payable confirmations. No boilerplate. No theory padded with filler. Just what you actually need.
Why accounts payable confirmations matter
Accounts payable carries a distinct audit risk profile compared to receivables. With receivables, the bias is overstatement. With payables, the risk runs the other way: understatement.
Companies, knowingly or unknowingly, may:
- Omit vendor invoices received close to year-end
- Delay recording accruals to manage reported liabilities
- Exclude related-party payables from disclosed balances
- Misclassify short-term obligations as long-term
Intentional understatement of liabilities is a common financial reporting fraud risk, particularly in periods of earnings pressure. Accounts payable confirmations primarily address the completeness assertion, but may also provide insight into cutoff and accuracy where discrepancies arise.
Under AU-C Section 505 (AICPA) and AS 2310 (PCAOB), external confirmation is one of the most reliable forms of audit evidence available. It comes from a source independent of the client. That independence is precisely its value.
Accounts payable confirmation audit checklist
The following checklist is structured by audit phase. CPAs can adapt it to engagements of any size, from mid-market private companies to publicly listed entities filing with the SEC.
Phase 1: pre-confirmation planning
1. Assess confirmation necessity
Not every audit requires external AP confirmations. Consider:
- Materiality of accounts payable to total liabilities
- Results of prior-year audit procedures
- Risk of management override or fraud indicators
- Effectiveness of internal controls over the procure-to-pay cycle
If controls are weak or fraud risk is elevated, external confirmation should be strongly considered as a primary substantive procedure.
2. Identify the population
Define what constitutes the confirmation population. Standard options:
- All vendors with balances above a dollar threshold
- All vendors active in the final 60 days of the fiscal year
- Zero-balance vendors with significant prior-year activity (a common omission)
- Related parties: always confirm regardless of balance
A critical audit note: zero-balance accounts deserve specific attention. An unrecorded liability hides best when the ledger shows nothing.
3. Select the sample
Sampling methodology should be defensible and documented. Common approaches for accounts payable confirmations include:
- Monetary Unit Sampling (MUS) for large populations
- Judgmental selection for high-risk or related-party vendors
- Stratified random sampling for mixed-risk populations
For US audits under PCAOB standards, document the rationale for any exclusions from the confirmation population.
4. Obtain vendor contact details
Verify mailing addresses and email addresses directly against source documents β not management-provided lists. This is non-negotiable. Sending confirmations using client-provided contact data undermines independence.
5. Prepare confirmation letters
Use blank-form confirmations wherever practical. Blank-form requests ask vendors to report the balance they carry for the client. Blank-form requests generally provide more persuasive evidence than standard positive confirmations, particularly when testing for completeness.
Phase 2: sending confirmations
6. Maintain control of the process
The auditor, not the client, must control the dispatch and receipt of confirmation requests. This means:
- Using the auditor’s return address on all correspondence
- Sending directly from the audit firm’s email or postal address
- Never routing confirmation requests through client staff
7. Document dispatch
Record the date, method, and recipient details for every confirmation sent. This is your evidence trail.
8. Set a response deadline
Standard practice: 10 to 15 business days for initial response. Include a clear deadline in the letter.
9. Follow up on non-responses
A non-response is not audit evidence. It is an absence of evidence. For material balances with no response:
- Send a second request
- Follow up by phone and document the conversation
- If still unresolved, apply alternative procedures
Phase 3: alternative procedures for non-responses
When vendors do not respond, alternative procedures must be rigorous. Common procedures:
- Examine subsequent cash disbursements and trace them to invoices
- Review vendor statements received independently
- Inspect receiving reports, purchase orders, and contracts
- Compare recorded payable to invoice amounts and delivery documentation
The alternative procedure must test the same assertion that the confirmation was designed to address.
Phase 4: analyzing responses and exceptions
10. Record all responses
Log every response, including the vendor-reported balance and any differences from the client’s ledger.
11. Investigate exceptions
An exception is any discrepancy between the confirmed balance and the recorded balance. Categories include:
- Timing differences: invoices or payments in transit at year-end (often benign, but document)
- Unrecorded invoices: potential understatement of liabilities
- Pricing or quantity disputes: may indicate accrual errors
- Related-party adjustments: always escalate for management and auditor review
12. Evaluate aggregate misstatement
Apply your materiality framework. Individually immaterial exceptions may aggregate to a material misstatement. This requires judgment and documentation.
Phase 5: documentation and wrap-up
13. Prepare the confirmation control schedule
A complete confirmation control schedule includes:
- Vendor name
- Confirmation type (positive/negative/blank)
- Date sent
- Date of response (if any)
- Balance per client ledger
- Balance per vendor response
- Difference
- Disposition (resolved / alternative procedure applied / exception reported)
14. Retain all correspondence
Original confirmation letters, envelopes, and email chains are audit evidence. Retain them in the permanent or current audit file in accordance with your firm’s retention policy. Under PCAOB AS 1215, audit documentation must be complete before the report release date.
15. Summarize findings for the workpaper
The summary should include the population, sample size, response rate, exceptions identified, and the auditor’s conclusion on the completeness assertion.
Sample template: blank-form accounts payable confirmation letter
<Audit firm letterhead>
<Date>
<Vendor name> <Vendor address>
RE: Audit confirmation request β <client name> β fiscal year ended <date>
Dear Sir or Madam,
We are the independent auditors for <client name>. In connection with our audit of the financial statements for the year ended <date>, we are performing procedures relating to amounts payable to your organization.
Please furnish directly to our firm, not to our client, the following information as of <confirmation date>:
- The total amount owed to you by <client name> as of the date above
- A description of any open invoices, credits, or disputes
- The terms of payment applicable to the outstanding balance
Please return your response in the enclosed pre-addressed envelope, or email directly to: <auditor email address>
This request is for audit purposes only. Your response is requested regardless of whether the balance is in agreement or dispute.
Please respond by <response deadline>.
<Authorized signatory β audit firm> <title, firm name, contact details>
Sample template: confirmation control schedule
| # | Vendor name | Balance per ledger (USD) | Conf. sent | Response received | Balance per vendor (USD) | Difference | Disposition |
| 1 | Vendor A | 142,500 | MM/DD | MM/DD | 142,500 | β | Agreed |
| 2 | Vendor B | 87,300 | MM/DD | MM/DD | 94,100 | 6,800 | Timing β invoice in transit |
| 3 | Vendor C | 213,000 | MM/DD | No response | N/A | N/A | Alternative procedures |
| 4 | Vendor D | 0 | MM/DD | MM/DD | 18,400 | 18,400 | Unrecorded liability escalated |
| 5 | Vendor E | 55,000 | MM/DD | MM/DD | 55,000 | β | Agreed |
Note: Vendor D’s unrecorded liability of $18,400 requires assessment against materiality and management inquiry.
Practical notes for US-based CPAs
There are nuances specific to accounts payable confirmations in a US-based context.
PCAOB requirements for audits of public companies: AS 2310 does not establish a presumption in favor of accounts payable confirmations (unlike accounts receivable), but emphasizes the need for sufficient, appropriate evidence in response to assessed risks.
AICPA requirements for audits of private companies: AU-C 505 applies to non-issuer (private company) audits and carries similar principles, though it is subject to AICPA rather than PCAOB oversight.
State CPA board requirements: Some state boards require additional documentation for sole practitioners and small firms that conduct compilation engagements near audit engagements. It is best to check state requirements.
Electronic confirmations: Many electronic confirmation platforms are acceptable under both PCAOB and AICPA standards, provided the auditor maintains control over the process and can validate the reliability of the response source. They are more efficient and increase response rates. However, they still require auditor control, dispatch, and receipt.
Conclusion: precision is the standard
An accounts payable confirmations audit is not a checkbox. It is a substantive test. The level of evidence is only as good as the level of process: the selection of the population, dispatch control, intensive follow-up, and disciplined exception analysis.
In this process, any shortcuts can result in significant liability risk. For CPAs, particularly those auditing public companies or in heavily regulated industries, issues in this process can result in scrutiny by the PCAOB, the SEC, and state licensing boards.
AuditConfirm is for the audit professional who understands the importance of this process. It is built specifically for managing external confirmations, such as accounts payable confirmations, with the level of control and documentation required by professional standards. It eliminates the operational complexity of the process while maintaining the independence and rigor necessary for reliable evidence.
For CPAs who desire a faster, more efficient, and more effective process for confirmations, the workflow belongs in AuditConfirm.
FAQs
What is the purpose of accounts payable confirmations in an audit?
Accounts payable confirmations provide the auditor with independent evidence that the general ledger is complete and accurate with respect to the companyβs liabilities. Itβs done by asking the vendors directly how much they believe the company owes them. It is one of the few procedures that can identify unrecorded liabilities that would never be discovered through company documents.
Are accounts payable confirmations required under US auditing standards?
While neither AS 2310 nor AU-C Section 505 mandates accounts payable confirmations, auditors must be able to justify their audit approach and demonstrate that sufficient appropriate evidence was obtained through alternative procedures when confirmations are not used. In cases where fraud is suspected, controls are weak, and related-party payables are significant, the decision not to perform an accounts payable confirmation is hard to justify.
What is the difference between a positive and a blank-form confirmation of accounts payable?
A positive confirmation is when the auditor sends the vendor a request to agree or disagree with the presented balance. A blank-form confirmation is when the auditor simply sends the vendor a request for the balance without providing any information. In the case of accounts payable confirmations, the auditor is better off using the blank-form confirmation because the risk is unrecorded debt, not overstatement.
How do CPAs deal with vendors who do not respond to confirmations?
A non-response does not provide audit evidence in an accounts payable confirmation audit. The CPA must take further steps to address vendors who do not respond to confirmations. Moreover, the CPA must look for additional transactions, independently obtain vendor statements, and receive reports and contracts. The non-responses and alternative procedures have to be documented.
Can CPAs use electronic means to confirm accounts payable?
Yes, CPAs can use electronic means to confirm accounts payable. Both the PCAOB and the AICPA standards allow the use of electronic means for accounts payable confirmations. The CPA must ensure they have full control over dispatch and receipt. The client must be denied any opportunity to intercept or influence, irrespective of how the client receives them. The use of electronic means is advantageous to CPAs who deal with large numbers, as it is likely to produce high response rates and documentation.