One of the most powerful tools available to a CPA during an audit is the audit confirmation. This procedure enables CPAs to verify financial information independently. This technique increases the reliability of the audit evidence that a CPA uses to certify financial statements.
In today’s environment of cyber threats and an ever-changing regulatory landscape, audit confirmations have evolved from simple paper mail to secure, web-based electronic communications. Likewise, their initial intent remains the same: to procure valid evidence for the independent auditor’s opinions.
This guide defines:
- What is an audit confirmation
- Objectives of audit confirmation
- Types of audit confirmations
- Examples of each type of audit confirmation
- The impact of technology on this vital activity
What Is an Audit Confirmation
An audit confirmation is a procedure auditors follow to obtain evidence of a third party’s account balance or financial information.
In other words, it occurs when an auditor requires a third party, such as a bank, customer, or supplier, to verify specific information.
The goal is independence. Instead of relying solely on the company’s internal records, the auditor validates information by consulting external sources to ensure it is accurate and complete.
Formal Definition:
Auditing standards define an audit confirmation procedure as “the process of obtaining and evaluating a direct communication from a third party in response to a request for information about a particular item affecting financial statement assertions.”
This procedure for the U.S. follows guidance provided by the Public Company Accounting Oversight Board Auditing Standard 2310 (PCAOB AS 2310), ‘The Auditor’s Use of Confirmation.’ PCAOB updated AS 2310 to include further secure confirmation procedures and to help counter cyber threats by being more data-centric.
Why Audit Confirmations Matter
Auditing confirmations can enhance the reliability of financial statement audits by providing verifiable and objective evidence. This procedure can directly substantiate the principal account balances.
Here’s why they’re so important:
- Independent Verification: They confirm information from outside the entity, reducing management bias.
- Detection of Misstatement or Fraud: Differences between internal records and third-party confirmations may indicate misstatement or fraud.
- Regulatory Compliance: The PCAOB, AICPA, and IAASB support the importance of confirmations as a reliable source of audit evidence.
- Quality of Audit: A robust confirmation system consistently improves audit quality.
- Fraud Prevention: Confirmations can uncover fictitious balances or round-tripping schemes that internal data might hide.
PCAOB Auditing Standard AS 2310
PCAOB AS 2310, ‘The Auditor’s Use of Confirmation’, was adopted by the Public Company Accounting Oversight Board on September 28, 2023, and subsequently approved by the Securities and Exchange Commission on December 1, 2023. The standard was later updated and is effective for audits of financial statements for fiscal years ending on or after June 15, 2025. It replaces the prior interim confirmation standard (AS 2310, The Confirmation Process).
AS 2310 emphasizes:
- Auditor control
- Risk assessment of confirmation channels
- Professional skepticism
- Validation of respondent identity
Auditors are now required to demonstrate control over the confirmation procedure, independence, and to obtain responses directly from trustworthy third-party sources.
The shift also accounts for the fact that portal-driven and technology-mediated confirmations can be equally or even more persuasive than conventional techniques when properly secured.
Purpose of Audit Confirmations
Under AU-C Section 505, external confirmation procedures are used to obtain relevant and reliable audit evidence from knowledgeable third parties. Audit evidence is generally more reliable when obtained from independent sources outside the entity; however, reliability depends on the circumstances under which the evidence is obtained. Accordingly, external confirmations received directly by the auditor may be more reliable than evidence generated internally by the entity, depending on the circumstances. 
The primary objective of audit confirmations is to obtain sufficient appropriate audit evidence by addressing relevant financial statement assertions, which commonly include existence/occurrence, rights and obligations, completeness, and accuracy/valuation (depending on what is being confirmed and how the confirmation request is structured).
External confirmations are considered among the most reliable forms of audit evidence because they originate from independent sources. Audit confirmations can help provide evidence about relevant financial statement assertions, commonly including:
- Existence / Occurrence — assets and liabilities exist at the date, and recorded transactions/events occurred during the period (depending on what is being confirmed).
- Rights and Obligations — the entity holds rights to assets, and liabilities represent obligations of the entity.
- Completeness — all items that should have been recorded or disclosed are included (often a key objective for certain liability-related confirmations).
- Accuracy / Valuation (Valuation or Allocation) — amounts are recorded appropriately in accordance with the applicable financial reporting framework.
- Cutoff — transactions are recorded in the correct accounting period (typically addressed only when confirmations are structured around period-end activity, not as a blanket claim).
For instance, when auditing cash, the auditor may confirm the balance directly with the client’s bank. If the bank confirms the amount, it provides strong evidence supporting both the existence and accuracy assertions.
Types of Audit Confirmations
Knowledge of the types of audit confirmations can help one plan their procedures accordingly.
Traditionally, audit confirmations fall into two types: positive and negative. However, with digital transformation, new categories such as electronic and portal-based confirmations have emerged.
1. Positive Confirmations
A positive confirmation always requires a response from the receiver, regardless of whether the receiver agrees with the information presented.
“Please acknowledge that as of December 31, 2025, the outstanding balance due to you from the ABC Company is $50,000.”
Both parties must acknowledge that amount or identify the correct one.
- Pros: Provides strong audit evidence. Reduces the risk of undetected misstatements.
- Cons: Time-consuming and costly. Lower response rates due to non-response to requests.
Blank Positive Confirmations
A positive confirmation in which, instead of stating the amount owed, the format requires the respondent to enter it.
It eliminates the issue of ‘auto-approval’ and may reveal discrepancies that prefilled estimates could cover. Response rates will be lower.
2. Negative Confirmations
A negative confirmation requires the addressee to reply only if they disagree with the specified information.
“If the amount due from you to the ABC Company as of December 31, 2025, is not $50,000, notify us.”
Otherwise, the auditor considers the information provided to be accurate.
- Pros: Faster and cheaper. Efficient with many small accounts with little risk.
- Cons: Provides weaker evidence. Banks on the notion that non-response equals agreement. Not suited for high-risk accounts and material balances.
3. Electronic Confirmations
Electronic confirmations involve sending and receiving confirmation requests by electronic means.
This method reduces mailing delays, improves tracking, and can automate responses. However, the auditor must ensure that:
- This system is safe and auditable.
- The respondent’s identity is confirmed.
- The auditor must evaluate whether the communication method provides sufficient security and reliability.
Electronic confirmations are becoming more common as regulators encourage digitalization and cyber-secure processes.
4. Portal-Based or Direct Source Confirmations
Portal-based confirmations represent the next generation of electronic confirmations. They enable auditors to access information directly from the primary source—for instance, a bank or other institution—via a controlled portal.
For example, instead of emailing a bank contact, the auditor retrieves the balance directly from the bank’s secure system.
Consistent with the principles of PCAOB AS 2310, when auditor control and source reliability are appropriately designed.
Portal-based confirmations significantly reduce fraud risk. However, auditors still must evaluate exceptions and evidence.
Examples of Auditing Confirmations
Audit confirmations may relate to almost every account on the balance sheet and the income statement. Let’s break down some examples.
1. Bank and Cash Confirmations
Auditors confirm cash balances and bank loan arrangements. It verifies both the existence of cash and the accuracy of related liabilities.
“Please verify the balances of all deposit and loan accounts held by the ABC Company as of December 31, 2025.”
2. Account Receivable Confirmations
Auditors verify customer receivable balances to ensure the recorded amounts are collectible and legitimate.
You can request both negative and positive confirmations, depending on materiality and risk.
3. Accounts Payable Confirmations
While being less common, auditors may confirm payables with suppliers in cases of suspected fraud risk or cut-off problems.
4. Debt and Lease Confirmations
Lenders or lessors verify principal amounts due, interest rates, and maturities to ensure the accuracy of liabilities on the balance sheet.
5. Legal Confirmations
Auditors require letters from the legal counsel of the audited entity to obtain information about litigation matters that may affect the financial statements.
6. Inventory and Third-Party Holdings
When inventories are held at off-site warehouses or by third-party owners, auditors physically verify their existence and ownership.
Traditional v/s Modern Audit Confirmation
Historically, audit confirmations were sent by mail or, more recently, by email.
While these methods provided some level of assurance, they also carried significant risks:
- Paper mail: Slow; liable to loss or misplacement
- Email: Prone to spoofing and interference
- Fax: Archaic and insecure
- Spreadsheets created: Risk of data entry errors
- Relying on intermediaries: Breaks auditor control
With cybercrime on the rise, auditors increasingly face challenges proving that a confirmation response is authentic and unaltered.
It has led to the emergence of technology companies that provide safe, reliable evidence platforms for the future.
Risks and Challenges in Audit Confirmations
Even a single compromised confirmation can undermine an audit’s credibility. Common risks include:
- Interception and Forgery – Attackers can intercept and forge email confirmations.
- Response Delays – Paper technology results in slower auditing.
- Identity Verification – Auditors may not always recognize the identity of the responder.
- Incomplete Responses – Missing or incomplete confirmations can weaken the reliability of evidence.
- Lack of Control – Third-party intermediaries acting on the requests undermine auditor independence.
AS 2310 addresses many of these weaknesses by encouraging the use of auditor-controlled, technology-secured confirmations.
Best Practices for CPAs When Designing Confirmation Procedures
Assess Risk Before Type Choice
Choose between positive, negative, or electronic confirmations based on materiality, fraud risk, and internal control effectiveness.
Maintaining Auditor Control
All requests and responses should go through auditor-controlled systems, not management.
Guarantee Respondent Authenticity
Verify contact details independently and ensure responses originate from a legitimate source.
Document Every Step
Record all requests and responses. Also, follow up.
Use Secure Channels
Encryption, authentication, and access control aren’t optional.
Assess Non-Response
Verify follow-up on missing responses and their impact on the sufficiency of audit evidence.
Leverage Technology for Efficiency
Use PCAOB AS 2310-compliant confirmation platforms that also comply with global data privacy requirements.
How Technology Is Transforming Audit Confirmations
Today’s auditing environment requires speed, accuracy, and tangible evidence. Manual confirmations do not meet this requirement.
Technology has revolutionized confirmations in three main ways:
1. Automation and Real-Time Access
Today, audit teams can send and manage hundreds of confirmations simultaneously. Real-time dashboards provide better visibility, reducing response times from weeks to hours.
2. Data Integrity through Blockchain and Metadata
Blockchain technology enables tamper-proof evidence by anchoring digital fingerprints (hashes) of confirmation data on public ledgers.
Metadata — such as timestamps, IP addresses, and authentication details — ensures each confirmation is auditable and legally defensible (jurisdiction-dependent).
Disclaimer: While blockchain-based confirmations enhance data integrity, they remain emerging practices, and neither the PCAOB nor the AICPA auditing standards prescribe them. PCAOB has not endorsed blockchain anchoring.
3. Global Compliance
Leading confirmation services providers are SOC 2 Type II and ISO 27001 compliant, enabling auditors to obtain assurance on the safety and reliability of their information.
This harmonization not only supports PCAOB AS 2310 guidance but also enables firms operating in the EU, UK, and Asia to comply with GDPR and other data privacy legislation.
Illustrative Example: From Email to Portal-Based Confirmations
A middle-tier audit firm in the U.S. was utilizing email-based bank confirmations.
Every cycle, it made hundreds of requests and waited weeks for responses. And then it validated signatures by hand. Naturally, this led to a backlog of reports.
The migration to a secure portal-conformation system reduced the turnaround time by 83%. Feedback was automatically verified, with every transaction recorded on the blockchain.
The company’s audit partners found increased confidence in the evidence and compliance with the PCAOB inspection requirements.
The Global Perspective on Audit Confirmations
In the international context, the IAASB’s ISA 505, ‘External Confirmations,’ provides equivalent guidance to PCAOB AS 2310. Both emphasize auditor control, reliability, and third-party validation.
Globally active audit firms increasingly use standardized electronic systems that can manage confirmations across multiple jurisdictions and currencies. Today’s confirmation technology methods simplify international auditing procedures; CPAs can instantly obtain verified information from global banks and law firms.
Integrating Audit Confirmations into the Audit Workflow
Audit confirmations are most effective when strategically integrated into the audit process:
- Planning Phase: Identify balances and assertions that need substantiation.
- Execution Phase: Designing confirmation requests, identifying types of audit confirmations, and timing of the procedure.
- Evaluation Phase: Test the responses for exceptions and note results.
- Reporting Phase: Use confirmation results to support the audit opinion disclosures.
Use of technology at every step eliminates friction, improves the integrity of information presented to audit committees and regulators, and enhances transparency.
The Future of Audit Confirmations
The accountancy profession is moving toward continuous assurance, where confirmation and reconciliation occur in near-real time. Upcoming confirmation cases may involve:
- API Integration with financial institutions
- Automated fraud-detection algorithms
- Immutable Blockchain Anchors for All Confirmation Data
- AI analytics for pattern recognition and outlier analysis
It means CPAs need to do less manual work and that their audit evidence is of higher quality when rendered under PCAOB AS 2310.
Disclaimer: These are emerging trends, not standards.
Conclusion — Audit Confirmation: Modern Evidence for a Modern Audit
Confirmations have always remained a key area for quality auditing. But changes in the profession call for changes in methodologies. Paper and email confirmations may present heightened risks and require additional safeguards to meet modern auditing standards.
Regulators, including the PCAOB, are aware of changes that have enabled secure, independent evidence to be obtained directly from the source.
AuditConfirm, the global digital confirmation platform, is at the forefront of this transformation.
- It provides auditor-controlled access to original financial data sources.
- Its blockchain-anchored Internet original documents support tamper-proof, verifiable evidence.
- While the PCAOB does not mandate SOC 2 Type II or ISO 27001 certifications, it supports the information security and operational integrity of confirmation platforms.
- Operating in over 195 countries and connecting to 50,000+ trusted sources, it helps auditors to verify financial information instantly and globally.
- Aligning with PCAOB AS 2310, it helps firms meet compliance requirements while enhancing efficiency and reliability.
In conclusion, the future of audit confirmation is digital, decentralized, and secure, and Audit Confirmation is leading that future.
FAQs
An audit confirmation is a formal verification process used by auditors to confirm the accuracy of financial information with third parties. It helps ensure that the figures reported in financial statements are correct and reliable.
Audit confirmations provide independent evidence of account balances and transactions. They reduce the risk of errors and fraud and help CPAs comply with auditing standards, including GAAS and PCAOB guidelines.
There are several types of audit confirmations: positive, negative, and blank. Auditors can also divide these by account type, including accounts receivable, accounts payable, cash, inventory, and legal confirmations.
Auditors can send confirmations via traditional mail, email, or secure electronic platforms. Modern audit confirmation services streamline the process, making it faster, more reliable, and easier to track responses.
Yes, audit confirmations can help detect discrepancies, misstatements, or potential fraud in financial statements. However, auditors use them as one part of a comprehensive audit, alongside other audit procedures.