External Confirmations
External confirmations are among the most powerful forms of audit evidence because they are obtained directly from independent third parties. By asking a knowledgeable outside party to confirm account balances, transactions, or terms, the auditor obtains evidence that is independent of the entity's own records. Understanding the types, procedures, and evaluation of external confirmations is essential for the CPA exam (blueprint topic III.D.3); the topic is one of the most frequently tested areas in the AUD section.
Why External Confirmations Are Important
External confirmations provide high-quality audit evidence because they originate from sources independent of the entity being audited. Under both AICPA and PCAOB standards, the auditor is required to consider using external confirmations as a substantive procedure, particularly for significant account balances and transactions where the risk of material misstatement is elevated.
Evidence obtained directly from independent external parties is generally more reliable than evidence generated internally by the entity. A bank's written confirmation of a cash balance is stronger evidence than management's general ledger printout showing the same balance—because the bank has no incentive to misstate the entity's account information.
Types of External Confirmations
External confirmations fall into two primary categories: positive and negative. Each type differs in how the third party is asked to respond.
Positive Confirmations
A positive confirmation requests the recipient to respond in all cases—whether they agree or disagree with the information presented.
| Subtype | Description | When to Use |
|---|---|---|
| Blank (open) form | Asks the recipient to fill in the balance or information without providing the auditor's figure | When the auditor wants the most reliable response—the respondent must independently determine the amount |
| Formatted (closed) form | Provides the account balance and asks the recipient to confirm agreement or state any differences | When the auditor expects fewer exceptions and wants to increase the response rate |
Blank confirmations are more reliable than formatted confirmations because the respondent must independently generate the balance rather than simply agreeing with a number provided by the auditor. However, blank confirmations typically yield lower response rates because they require more effort from the recipient. The CPA exam frequently tests this tradeoff.
Negative Confirmations
A negative confirmation asks the recipient to respond only if they disagree with the information provided. If no response is received, the auditor assumes the information is correct.
Negative confirmations provide less persuasive evidence than positive confirmations because the auditor cannot distinguish between a recipient who agreed with the balance and one who simply did not respond (perhaps because the confirmation was never received, was ignored, or was discarded). Use negative confirmations only when all of the following conditions are met:
- The risk of material misstatement is assessed as low
- A large number of small balances is involved
- The auditor has no reason to believe recipients will disregard the request
- The auditor expects a very low exception rate
Comparison of Confirmation Types
| Feature | Positive — Blank | Positive — Formatted | Negative |
|---|---|---|---|
| Reliability | Highest | High | Lowest |
| Response rate | Lower | Higher | N/A (non-response assumed as agreement) |
| Respondent effort | High (must look up balance) | Low (review and agree/disagree) | Minimal (respond only if disagreement) |
| Best for | High-risk balances, material accounts | Moderate-risk balances | Large populations of small, low-risk balances |
| Follow-up required | Yes, for all non-responses | Yes, for all non-responses | No (but auditor must evaluate overall non-response implications) |
Accounts Commonly Confirmed
External confirmations are used across many account areas. The following table summarizes the most common applications.
| Account / Balance | Confirmed With | Typical Information Confirmed |
|---|---|---|
| Cash and bank balances | Banks and financial institutions | Account balances, loan balances, lines of credit, compensating balance arrangements, collateral |
| Accounts receivable | Customers | Outstanding invoice amounts, payment terms, disputed amounts |
| Accounts payable | Vendors / suppliers | Outstanding balances, purchase terms, credits owed |
| Loans and notes payable | Lenders | Principal balance, interest rate, maturity date, collateral, covenants, guarantees |
| Investments | Custodians, brokers, counterparties | Securities held, quantities, fair values, restrictions |
| Insurance coverage | Insurance companies | Policy terms, coverage amounts, claims outstanding |
| Legal matters | Attorneys (inquiry letters) | Pending or threatened litigation, probable outcomes, estimated liabilities |
While auditing Bear Co., the engagement team sends positive confirmations to all three of the company's banks to confirm cash balances, outstanding loans, and lines of credit. The team also sends positive blank-form confirmations to Bear Co.'s 25 largest customers (representing 78% of total accounts receivable) and negative confirmations to the remaining 340 customers with balances under $5,000.
Tools and Techniques for Confirmations
Electronic Confirmations
Electronic confirmation services (such as Confirmation.com / Confirmation by Thomson Reuters) provide a secure, automated platform for sending, tracking, and receiving confirmations.
| Advantage | Description |
|---|---|
| Speed | Responses are received in days rather than weeks |
| Security | Encrypted transmission reduces the risk of interception or alteration |
| Audit trail | Complete digital record of when confirmations were sent, received, and responded to |
| Higher response rates | Automated reminders and streamlined processes improve recipient compliance |
| Reduced fraud risk | Responses are sent directly to the confirmation service rather than routed through the client |
Electronic confirmations are increasingly the standard practice for bank and receivable confirmations. The PCAOB has emphasized that electronic confirmations can be more reliable than traditional paper confirmations because they reduce the risk of management intercepting or altering responses. However, the auditor must still evaluate the reliability of the electronic confirmation service itself.
Manual (Paper) Confirmations
Traditional paper confirmations are mailed directly to the third party with a prepaid return envelope addressed to the auditor. While increasingly replaced by electronic methods, paper confirmations are still used in some circumstances.
Key controls over paper confirmations:
- The auditor must maintain control over the confirmation process from start to finish
- Confirmations should be mailed directly by the auditor—not given to the client to mail
- Return envelopes should be addressed to the auditor's office, not the client's address
- The auditor should verify the accuracy of the recipient's address independently (e.g., using a phone directory or the entity's website rather than relying solely on management-provided addresses)
A critical exam topic: the auditor must maintain control over the entire confirmation process. If the client insists on mailing the confirmations or if responses are returned to the client's address, the reliability of the evidence is severely compromised because management could intercept, alter, or suppress unfavorable responses.
Intermediary Services
Some confirmations are processed through intermediary services—third-party providers that facilitate the confirmation process between the auditor and the responding party. The auditor must evaluate:
- The intermediary's independence from the entity being audited
- The security of the intermediary's systems and processes
- Whether the intermediary has direct access to the respondent's records
- The intermediary's reputation and track record
The Confirmation Process
Step-by-Step Procedure
| Step | Activity | Key Considerations |
|---|---|---|
| 1. Determine the need | Assess whether confirmations are appropriate for the account and assertion | Consider risk level, materiality, nature of the balance, and availability of alternative evidence |
| 2. Select items | Choose specific balances or transactions to confirm | Use statistical or judgmental sampling; focus on large, unusual, or high-risk items |
| 3. Design the confirmation | Choose positive/negative, blank/formatted, and draft the request | Tailor the request to the information needed; include clear instructions |
| 4. Obtain management approval | Request management's agreement to send confirmations | Required by standards; management's refusal triggers special procedures (see below) |
| 5. Maintain control | Mail or transmit confirmations directly to the third party | Never allow the client to handle the confirmation mailing or transmission |
| 6. Track responses | Monitor which confirmations have been returned and which are outstanding | Send second (and sometimes third) requests for non-responses |
| 7. Evaluate responses | Analyze confirmed amounts, exceptions, and non-responses | Investigate all differences; perform alternative procedures for non-responses |
| 8. Document results | Record the confirmation process, results, and conclusions in the workpapers | Include the selection methodology, response rate, exceptions investigated, and audit conclusions |
Management's Refusal to Allow Confirmations
If management refuses to allow the auditor to send confirmations, the auditor must:
- Inquire about the reasons — Understand why management is refusing (e.g., ongoing dispute with the customer, pending litigation, business relationship concerns)
- Evaluate the reasonableness — Assess whether management's reasons are legitimate and reasonable under the circumstances
- Consider the implications — A refusal may indicate a fraud risk factor or a scope limitation
- Perform alternative procedures — If the refusal is reasonable, perform other substantive procedures to obtain sufficient appropriate evidence (e.g., examine subsequent cash receipts, review shipping documents, inspect contracts)
- Assess the impact on the audit opinion — If the auditor cannot obtain sufficient evidence through alternative procedures, the refusal constitutes a scope limitation that may require a qualified opinion or disclaimer of opinion
Management's refusal to allow confirmations is a significant event that must be carefully evaluated. Under PCAOB standards, if management's refusal is not reasonable, the auditor should consider this a scope limitation and evaluate the implications for the audit report. The auditor should also consider whether the refusal indicates a risk of material misstatement due to fraud. This is a high-frequency CPA exam topic.
The auditor of Kingfisher Industries requests permission to send receivable confirmations to the company's five largest customers. Management refuses, stating that these customers have threatened to take their business elsewhere if they receive audit confirmations. The auditor evaluates this explanation, determines it is not reasonable (audit confirmations are standard business practice), and communicates the matter to those charged with governance. The auditor performs alternative procedures—examining subsequent cash receipts, reviewing shipping documents, and inspecting contracts—but ultimately concludes that the inability to confirm these material balances represents a scope limitation that results in a qualified opinion.
Analyzing Confirmation Responses
Confirmed Without Exception
When the third party confirms the balance without exception, the auditor has strong evidence supporting the recorded amount. However, the auditor should still consider:
- Whether the response appears authentic (e.g., on the respondent's letterhead, from the expected contact)
- Whether the response was returned to the auditor directly (not through the client)
- Whether the confirmed amount is mathematically consistent with the entity's records
Exceptions
An exception occurs when the third party's response differs from the amount recorded in the entity's books. Not all exceptions indicate misstatements.
| Type of Exception | Common Cause | Auditor's Response |
|---|---|---|
| Timing difference | Payment in transit; goods shipped but not yet received | Verify the timing of the transaction; determine if the cutoff is correct |
| Disputed amount | Customer disputes an invoice or claims a credit not yet recorded | Examine the nature of the dispute; determine if the entity's recorded balance is correct |
| Actual misstatement | The entity recorded an incorrect amount or a fictitious transaction | Propose an audit adjustment; evaluate the nature and cause of the misstatement |
| Respondent error | The third party made a mistake in its response | Investigate and resolve with the respondent; confirm the correct amount |
Gies Co.'s auditor sends positive confirmations to 30 customers. Twenty-five respond without exception. Three responses identify timing differences (payments mailed before year-end but not received until January), which the auditor verifies by examining the subsequent cash receipts log. One response identifies a $12,000 disputed invoice that the customer claims was for defective merchandise returned in November—the auditor examines shipping records and confirms the return was received but not yet recorded by Gies Co. The auditor proposes an adjustment to reduce accounts receivable by $12,000. The fifth exception reveals a $45,000 balance confirmed by the customer at $0—investigation reveals the sales manager recorded a fictitious sale. This finding triggers expanded fraud procedures.
Non-Responses
When a positive confirmation is not returned, the auditor cannot conclude that the balance is correct. The auditor must:
- Send follow-up requests — Typically a second and sometimes a third request
- Attempt direct contact — Call or email the respondent to encourage a response
- Perform alternative procedures — If no response is received after reasonable efforts, perform alternative procedures to obtain evidence about the balance
Alternative procedures for receivable non-responses include:
- Examining subsequent cash receipts — If the customer paid the balance after year-end, this provides evidence of existence and valuation
- Reviewing shipping documents — Confirms that goods were shipped to the customer
- Inspecting sales contracts or purchase orders — Provides evidence that the transaction was authorized
- Examining customer correspondence — Emails, order confirmations, or complaint records that corroborate the relationship and balance
On the CPA exam, the most commonly tested alternative procedure for accounts receivable non-responses is examining subsequent cash receipts. If a customer pays the outstanding balance in January, this provides strong evidence that the receivable existed at December 31 and was collectible.
Incomplete Responses
Sometimes a third party responds but provides incomplete information—for example, confirming some items on the confirmation but not others, or providing a partial balance.
The auditor should:
- Follow up with the respondent to obtain the missing information
- Perform alternative procedures for the unconfirmed portion
- Evaluate whether the incomplete response provides any useful evidence for the confirmed portion
Electronic vs. Paper Confirmations — Reliability Considerations
| Factor | Electronic | Paper |
|---|---|---|
| Speed of response | Days | Weeks |
| Risk of interception | Lower (encrypted, direct to service) | Higher (physical mail can be intercepted) |
| Risk of alteration | Lower (digital audit trail) | Higher (responses can be physically altered) |
| Authentication | Stronger (verified respondent credentials on platform) | Weaker (signatures can be forged) |
| Audit trail | Complete digital log | Manual tracking required |
| Cost | Moderate (service fees) | Lower (postage only) but higher in labor |
| Acceptance | Widely accepted for banks and large vendors | Still used for smaller entities or entities not on electronic platforms |
When using electronic confirmations, the auditor should evaluate the confirmation service provider's controls, including data security, access controls, and the process for authenticating respondents. The auditor's assessment of the electronic platform's reliability is analogous to evaluating ITGCs over any data-generating system.
PCAOB vs. AICPA Requirements
While both the PCAOB and AICPA require auditors to consider external confirmations, there are important differences in emphasis and application.
| Requirement | PCAOB (Public Company Audits) | AICPA (Non-Public Company Audits) |
|---|---|---|
| Receivable confirmations | Presumptively mandatory — AS 2310 presumes the auditor will confirm receivables unless specific conditions are met (receivables are immaterial, confirmations would be ineffective, or the auditor's assessed risk is low and other procedures provide sufficient evidence) | Recommended but not presumptively required — AU-C 505 requires the auditor to consider confirmations but does not create a presumption |
| Bank confirmations | Standard practice; typically confirmed for all bank accounts | Standard practice; AICPA standard bank confirmation form is widely used |
| Management's refusal | Must evaluate reasonableness; unreasonable refusal is a scope limitation and potential fraud indicator | Similar requirements; must evaluate and consider implications |
| Electronic confirmations | PCAOB has encouraged use of electronic confirmations for improved reliability | AICPA permits; no specific preference stated |
| Documentation | Extensive documentation of the confirmation process, results, and conclusions required | Documentation requirements are similar but may be less prescriptive |
For the CPA exam, remember that PCAOB standards create a presumption that the auditor will confirm accounts receivable. This means the auditor must perform receivable confirmations unless the auditor documents why one of the specific exceptions applies. AICPA standards, while encouraging confirmations, do not create this same presumption for non-public company audits.
Confirmation Best Practices
The following practices help ensure that the confirmation process produces reliable audit evidence:
- Maintain control at all times — The auditor, not the client, should control the sending and receiving of confirmations
- Verify recipient addresses independently — Do not rely solely on management-provided contact information
- Customize confirmation requests — Tailor the information requested to the specific audit objectives
- Consider the respondent's ability and willingness — Some third parties may not have the information requested or may not respond to audit confirmations
- Evaluate the form of response — Faxed or emailed responses may be less reliable than responses received through a secure electronic platform or original signed letters
- Follow up promptly — Send second requests within two to three weeks of the first mailing
- Document everything — Record the selection methodology, mailing dates, response tracking, exception investigation, alternative procedures, and conclusions
While auditing BIF Partners, the engagement team sends 40 positive formatted receivable confirmations and 15 bank confirmations. After three weeks, eight receivable confirmations remain outstanding. The team sends second requests and directly contacts three of the largest non-responding customers by phone. Ultimately, five customers respond to the second request, and alternative procedures (examination of subsequent cash receipts and shipping documents) are performed for the remaining three. All 15 bank confirmations are returned without exception. The team documents the entire process, including the receivable confirmation response rate (92.5%), exceptions investigated, alternative procedures performed, and the conclusion that sufficient appropriate evidence was obtained.
Summary
| Topic | Key Takeaway |
|---|---|
| Purpose | Obtain audit evidence directly from independent third parties to confirm account balances and transactions |
| Positive vs. negative | Positive confirmations require a response in all cases; negative confirmations request a response only if the recipient disagrees |
| Blank vs. formatted | Blank confirmations are more reliable (respondent provides the balance); formatted confirmations have higher response rates |
| Common accounts | Cash, receivables, payables, loans, investments, insurance, and legal matters |
| Electronic confirmations | Faster, more secure, and increasingly the standard—but the auditor must evaluate the platform's reliability |
| Management's refusal | Must be evaluated for reasonableness; unreasonable refusal is a scope limitation and potential fraud indicator |
| Exceptions | Investigate every difference—timing differences, disputes, actual misstatements, or respondent errors |
| Non-responses | Send follow-up requests; if no response, perform alternative procedures (e.g., examine subsequent cash receipts) |
| PCAOB vs. AICPA | PCAOB presumes receivable confirmation; AICPA recommends but does not presume |
| Control | The auditor must maintain control over the entire confirmation process from start to finish |