A long-established ritual among public accountants involves writing and signing a confirmation letter, printing the letter, putting it in an envelope, and mailing it to an outside third party, whether that means a bank, a debtor, or even legal counsel. Then comes the waiting period.
This process is often seen as routine. That assumption is misleading.
Beneath the surface of the seemingly harmless ritual lies a system that is extremely vulnerable to human error, that fraudsters can actively exploit, and that runs counter to the regulatory requirements the profession now faces. All CPAs know about that, at least intuitively. Few talk about it openly.
This article attempts to break this silence.
The manual confirmation process that auditors rely too much on
According to AU-C section 505 of the AICPA, external confirmations are an important audit procedure for verifying certain account balances and transactions, particularly where third-party evidence is relevant.
The logic behind this is clear: an independent third party either confirms or denies a specific transaction or balance in question. The evidence obtained is external and, in theory, objective.
The problem starts with the manual process.
Sending confirmations via mail or fax introduces challenges in maintaining control over the process, particularly around ensuring the request reaches the intended recipient and that responses are authentic.
At some point in this process, something can go wrong.
Error risks in the manual confirmation process
Any manual process is inherently flawed because it lacks automation to ensure accuracy.
Consider just the journey of a single manual paper confirmation request:
– The auditor prepares the letter. It might contain a simple transposition error. The senior reviewer has too much on their plate. The letter goes out with this error untouched. The responding entity (a bank, say) matches it to a slightly different account. The response comes in. It seems right. No one makes sure that the account in question matches the trial balance.
That error becomes part of the audit file.
This scenario is not hypothetical. Audit regulators and professional bodies, including the AICPA and PCAOB, have repeatedly highlighted common issues with external confirmations, such as:
– Confirmation requests sent to addresses controlled by or favorable to management.
– Responses received orally without being documented correctly.
– No follow-up on non-responses, which were then improperly treated as confirming the information in question.
– Responses containing discrepancies left uninvestigated.
Each of these is an individual failure. Combined, these are symptoms of a systemic problem.
A manual process has no automatic safeguard against these problems. An auditor needs to be attentive to those risks, and all people, including auditors, are imperfect. Especially when deadlines are approaching and budget constraints loom large.
Confirmation fraud: A known problem with a specific mechanism
There is a type of fraud that specifically exploits the weakness of the manual confirmation process. It is called confirmation fraud, or more commonly, response interception.
This scamming technique isn’t particularly elaborate. A client or a co-conspirator intercepts the confirmation request on the way out, and either responds on behalf of the third party or diverts it to another address.
The result is that the auditor receives a document that appears to be a third-party confirmation, but isn’t. The document is fake.
This type of fraud has been employed in some of the biggest scams in recent history. The Parmalat fraud scheme, which resulted in losses estimated at nearly €14 billion, included the fabrication of bank confirmations. The audit firm received papers confirming billions worth of cash holdings in Parmalat’s accounts. The papers were counterfeit.
The case highlighted significant audit failures, including over-reliance on falsified confirmation evidence. The auditors used the process as prescribed. The process failed them, and the investors who trusted their opinions.
Parmalat may be an extreme example, but the vulnerability the scheme exploited is common to all manual confirmations, regardless of the size of an engagement.
Manual confirmations typically lack built-in security features such as encryption, automated validation, and traceable audit trails. There is no way, cryptographic or otherwise, to verify that the confirmation was indeed generated by the responding third party. There is no auditable transmission record. There is no tamper-proof evidence in the confirmation letter.
Fraud always finds vulnerabilities. A manual process is one of them.
The new requirements for confirmations from auditors
Audit standards have evolved. The regulatory framework in which those standards apply is evolving even faster.
The PCAOB, which oversees public company audits in the United States, has increasingly emphasized the quality of the confirmation process. Many of the PCAOB inspection reports feature the same criticisms: failure to ensure that external confirmations were properly performed, lack of follow-up on exceptions discovered during the process, and acceptance of informal, possibly invalid responses.
The International Auditing and Assurance Standards Board (IAASB) approved revisions to ISA 505 in 2023, with the updated standard effective for audits of financial statements for periods beginning on or after December 15, 2024.
One of the most important changes introduced by the standard regards electronic confirmations. The standard describes the criteria necessary to make sure that electronic confirmations are processed using systems “with sufficient controls.”
These controls include proper validation of the responses. In other words, the standard explicitly acknowledges the necessity of a process that ensures the validity and reliability of the responses.
Implementing such controls manually is theoretically possible, but difficult to execute consistently and reliably in practice.
For US-based firms, the IAASB revision represents an important reference point even when dealing with PCAOB standards. The message is clear: an informal manual process isn’t enough anymore.
Not every firm understands this. The gap between the current regulatory requirements and a manual confirmation process widens.
The problem with the manual process and time limitations
There is an often-ignored aspect of the confirmation process that shapes every real-life audit engagement: time constraint.
The manual confirmation process is inherently time-consuming. A confirmation letter sent out by mail can take weeks to get a reply, if ever. Non-response rates can be significant in practice, particularly for certain types of confirmations.
Non-responses need follow-ups. Follow-up confirmation requests take additional time. Sometimes, they generate alternative evidence of inferior value compared to direct confirmation.
This creates a perverse incentive structure. When time is of the essence, an auditor may choose inferior evidence simply because going after a non-response is prohibitively expensive.
It lowers audit quality. At the same time, the audit file indicates that a confirmation process was followed, without noting the lower quality of the obtained evidence.
Electronic confirmation systems greatly reduce the non-response rate, provide time stamps for delivery and receipt of responses, and structure the data so it’s easier to verify. None of this can happen with a manual process.
The time problem is, in addition, a risk problem. The longer the confirmation window, the more time for management to intervene. A fraudster aware that confirmation requests are on the way has plenty of time to intercept, divert, or fake a response. The electronic system that sends the confirmation and receives the response within hours eliminates the window.
The documentation issue in manual confirmations
There are two functions an audit file fulfills. The first is obvious: it is meant to support the audit opinion. The second is less obvious: it is required to prove, in the event of a future inspection, that all procedures were carried out appropriately.
In the context of the manual confirmation process, this second function presents serious difficulties. The original confirmation request is typically kept as a file copy. The response is a scanned paper copy saved in the file. There is virtually no information in an audit file to help determine who handled it and when, or when and where it was delivered and received.
If an auditor is asked by a peer reviewer from the AICPA or an inspector from the PCAOB how the audit firm ensured the response was truly from the third party, the most honest response would be “we just assumed that.”
That is not a valid response.
By contrast, the electronic confirmation systems create an automatic chain of custody. The timestamped delivery record, the response validation status, and encryption records are generated by default.
It takes no effort. This data is always accessible for future reference and, most importantly, passes the scrutiny of regulators and peer reviews. While this chain of custody could theoretically be created manually, it is rarely done with appropriate attention to detail in real life.
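To make the controls named above concrete (authentication of the response, binding it to the request it answers, and a tamper-evident custody record), here is an added example in Python; it is not AuditConfirm's code and is not from the original article. It assumes a secret shared out of band between the platform and each confirming party, and uses a hash-chained log so that a fabricated or altered reply fails validation and any later edit to the record is detectable.

```python
import hashlib
import hmac
import json

# Constructed demo key: one secret per confirming party, exchanged out of band when
# the party enrolls with the confirmation platform (an assumption of this example).
PARTY_KEYS = {"bank-001": b"constructed-demo-secret"}

def canonical(obj) -> bytes:
    """Stable JSON encoding so both sides authenticate exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(party_id, body) -> str:
    return hmac.new(PARTY_KEYS[party_id], canonical(body), hashlib.sha256).hexdigest()

def bank_respond(request, confirmed_balance, responded_at):
    """Confirming party answers and authenticates the exact request it received."""
    body = {"request_id": request["request_id"], "party_id": request["party_id"],
            "account": request["account"], "confirmed_balance": confirmed_balance,
            "responded_at": responded_at}
    return {"body": body, "mac": mac(request["party_id"], body)}

def validate_response(request, response):
    """Auditor-side check: bind the reply to the request, then authenticate the sender."""
    body = response["body"]
    for field in ("request_id", "party_id", "account"):
        if body.get(field) != request[field]:
            return False, f"response does not match request field {field}"
    if not hmac.compare_digest(mac(request["party_id"], body), response.get("mac", "")):
        return False, "authentication failed: not produced by the confirming party"
    return True, "ok"

def append_custody(log, event, at, detail):
    """Hash-chained custody log: each entry commits to its predecessor, so edits show."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"prev": prev, "event": event, "at": at, "detail": detail}
    entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    log.append(entry)
    return entry

def verify_custody(log) -> bool:
    """Recompute every link; any altered or reordered entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

A reply that was intercepted and rewritten, or produced by someone without the confirming party's key, fails `validate_response`, and the timestamps in the custody log cannot be backdated without breaking `verify_custody`.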
The cumulative effect of multiple weaknesses
All of the risks mentioned above (errors, the possibility of fraud, regulatory requirements that don’t align with the process used, a high non-response rate, and deficient documentation) can be addressed individually.
However, more importantly, the above risks compound. Using a manual confirmation system with a moderate error rate, limited fraud protection, poor regulatory fit, a low response rate, and deficient documentation means accepting increased risk for each audit engagement.
Not all engagements experience all failure modes. Yet in the course of a large audit practice, the cumulative effect of the multiple risks is inevitable.
This risk is not theoretical. It is a calculable probability.
Audit inspections and enforcement actions have, in several cases, cited deficiencies in confirmation procedures as contributing factors. Fraud and misstatement are rare in these cases, as are large-scale schemes. Far more frequent are smaller mistakes that result in misstatements, which eventually cause significant professional, financial, and reputational harm to the CPA.
Conclusion: Facing the threat head-on
No one designed a manual confirmation process to fail. The technology wasn’t available at the time.
Keeping a manual confirmation process in this day and age isn’t a neutral choice. By using a manual process, a CPA consciously accepts all risks of error, fraud, regulatory sanctions, and malpractice claims.
AuditConfirm was created to tackle this exact problem. It is an electronic confirmation management system that controls the transmission and response processes and provides all necessary documentation and verification in accordance with the latest standards and best practices.
Those risks discussed above aren’t new. Each manual confirmation request sent this year, last year, or over the past decade contained these risks.
The question a CPA managing an audit engagement has to ask him- or herself is no longer whether these risks exist. It is whether the CPA is still willing to accept them.
FAQs
Audit standards do not prohibit manual confirmations. However, auditors must demonstrate control over the confirmation process, regardless of the method used. In this context, both ISA 505 (revised) and the PCAOB’s inspection standards require proof that the auditor controls three key aspects: transmission, authentication, and documentation. Where manual confirmation fails to control these factors, it faces considerable problems proving its value during regulatory scrutiny.
The reality of confirmation fraud is far greater than most people acknowledge. Confirmation fraud doesn’t require an elaborate scheme; it only demands access to the outgoing request. This is precisely the type of risk that manual confirmations struggle to mitigate because they cannot provide a controlled, authenticated channel for the process.
The CPA should understand that such a response is considered unreliable external evidence. According to AU-C Section 505, a response that does not come directly from the confirming party is considered invalid. This means that the response can be classified as a non-response. At this point, the CPA needs to use additional audit techniques to collect sufficient evidence and ensure that everything is recorded in the working papers.
A non-response is not a neutral event: it leaves a gap exactly where the core audit evidence should be. To counter this, you would need to implement higher-level alternative procedures. According to AU-C 505, the auditor must consider whether the alternative evidence supports the assertion under consideration. Across a portfolio of audits, non-response becomes a broader problem because it is a characteristic of traditional confirmation methods.
Perform an evaluation of your confirmation process based on the following three dimensions: controls over the delivery of confirmations, authentication of replies received, and detailed record keeping of transactions. If your confirmation process falls short on any of these three dimensions, manual corrections alone will not guarantee accuracy. That’s where technology like AuditConfirm comes in handy.
