At the end of May 2023, the FRC issued an amended version of the International Standard on Auditing known as ‘ISA (UK) 505 - External Confirmations’ (hereinafter ‘ISA 505’).
Apart from some conforming amendments made in 2022, the actual core standard has not been revised since 2016. In the intervening period, digital confirmation tools (such as Circit) have become much more popular.
The proposal includes guidance on the use of digital platforms to verify information and puts the spotlight on digital tools to help improve the reliability and credibility of audit evidence obtained via the confirmation process.
The ISA points out that the reliability of audit evidence is influenced by three important features, namely:
• Audit evidence is more reliable when it is obtained from independent sources outside the entity;
• Audit evidence obtained directly by the auditor is more reliable than audit evidence obtained indirectly or by inference; and
• Audit evidence is more reliable when it exists in documentary form, such as paper, electronic or other medium.
The proposed revisions address:
A. The use of digital platforms;
B. Strengthened requirements for investigating exceptions; and
C. A ban on negative confirmations.
Recent disciplinary findings in the UK show that the work undertaken by some auditors in the confirmation process was not sufficiently thorough, especially when it comes to investigating exceptions and that there was an over-reliance on negative confirmations when they were unlikely to provide sufficient evidence to support a conclusion. The working party that produced the draft felt that better alternatives exist to obtain audit evidence.
A. Using digital platforms
The FRC has introduced a measure to ensure that confirmations can be obtained by directly accessing information held by third parties through web portals or software interfaces, as the legacy use of letters has been superseded by digital confirmations.
Platforms like Circit can improve the efficiency of response rates and where the auditor is satisfied that such a process is secure and properly controlled, the reliability of the related responses is enhanced.
The ISA 505 draft alerts auditors to the dangers associated with various issues that can surround obtaining confirmation responses either in paper or electronic format:
• The response may be from an improper source;
• A respondent may be unauthorised to respond; and
• The integrity of the transmission may be compromised.
Confirmation platforms can and do alleviate a lot of these problems:
• They improve the security of transmission, especially over the assertions of accuracy or valuation;
• They provide transparency on completeness;
• The above workflows, combined with the auditor’s additional checks help to ensure that the collected evidence supports all relevant assertions.
The standard suggests that the electronic confirmation process might incorporate various techniques for validating the identity of a sender of information in electronic form which may include the use of:
• Encryption;
• Electronic digital signatures; and
• Procedures to verify web site authenticity.
Leveraging a secure platform like Circit creates a secure environment for responses received electronically and can mitigate such credibility risks.
B. Investigating exceptions
The draft standard addresses the treatment of exceptions arising from confirmation responses that come to the auditor’s attention, by reminding auditors that they are required by ISA 240 (Revised May 2021) to evaluate whether such misstatements are indicative of fraud and therefore deserve closer attention.
The draft standard introduces three mandatory factors for auditors to consider when dealing with exceptions that arise in the confirmation process. The conclusions based on the consideration of these three factors will determine the timing and extent of any additional and follow-up audit procedures. The use of electronic tools to arrive at this decision will often be of crucial importance, given the tight audit reporting timelines and budgets.
The three mandatory steps are to consider:
• Whether the exception is indicative of an increased risk of fraud;
• Whether the exception is indicative of a deficiency in the entity’s system of internal control;
• How any additional procedures will allow the auditor to obtain sufficient appropriate audit evidence.
Digital platforms, such as Circit, can assist in implementing these steps by:
• Raising exceptions;
• Communication on them; and
• Finally resolving them.
Exceptions may also provide a guide to the quality of responses from similar confirming parties or for similar accounts and indicate a deficiency, or deficiencies, in the entity's internal control over financial reporting.
C. Banning negative confirmations
A negative confirmation is where the confirming party responds directly to the auditor only if the confirming party disagrees with the information provided in the request. The proposal prohibits negative confirmations, because they are not as effective as positive ones.
The standard prohibits negative confirmations for two reasons:
• The failure to receive a response to a negative confirmation request doesn't explicitly indicate receipt by the intended confirming party of the confirmation request or verification of the accuracy of the information contained in the request;
• Confirming parties are more likely to respond to a request, indicating their disagreement when the information in the request is not in their favour and are less likely to respond otherwise.
Electronic confirmations can improve reliability
To conclude, the FRC has included specific guidelines on the usage of digital platforms for confirmations because of the advantages they bring, such as:
• Increased efficiency;
• Immutability of responses obtained and
• The assurance that responses come from a proper, authorised source.
This is an important indicator for firms that implementing the right technology can help them stay ahead ofthe curve when it comes to assessing and improving audit processes.
Once finalised, it’s intended that the revised ISA 505 will be effective for audits of financial statements in the UK for periods beginning on or after 15 December2024. The closing date for comment to theFinancial Reporting Council is 1 September 2023.
In Ireland the policy of the IAASA is to consult on a standard’s adoption, once it is approved in the UK and then adopt the UK standards for use here, with appropriate changes for Irish law/market conditions.
Circit's role
Learn more about Circit's Confirmations product and how it can help your firm comply with ISA 505 here.
