• Related Information
• Regulations & Guidance
• AICPA Standards
• International Standards
• Legislation

---

• Audit Expectations Gap

International Standards

INTERNATIONAL STANDARDS & GUIDANCE ON CONFIRMATIONS

Receiving a mailing address or any other contact information without validating the information or evaluating the intended recipient does not meet the ISA standards of performing an external confirmation. According to ISA:

• Confirmations are a Direct Communication from a third party
• Auditors should Maintain Control over the process from start to finish

Factors effecting the reliability of confirmations include:

1. Control of the Process
2. Characteristics of Respondents: Competence, Independence, Authority to Respond, Knowledge of Subject Matter and Objectivity

"For this reason, the auditor attempts to ensure, where practicable, that the confirmation request is directed to an appropriate individual."

"The auditor also assesses whether certain parties may not provide an objective or unbiased response to a confirmation request."

ISA 240: The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements – Discusses the auditor’s responsibility to consider fraud in an audit of financial statements.

ISA 500: Audit Evidence – states that:

• Audit evidence from external resources is more reliable than audit evident generated internally
• Written responses to confirmation requests received directly by the auditor from third parties who are not related to the entity being audited may assist in reducing audit risk

ISA 505: External Confirmations, Sec. 28 Characteristics of Respondents - encourages the auditor to assess "whether certain parties (may or) may not provide an objective or unbiased response to a confirmation request" noting that "the reliability of evidence provided by a confirmation is affected by the respondent’s competence, independence, authority to respond, knowledge of the matter being confirmed, and objectivity." The ISA requires:

• Direct Communication from a Third Party
• Maintain Control over the Confirmation Process
• Ensure that the confirmation request is directed to an appropriate individual
• Assess whether the responder is unbiased
• Evaluate the response’s authenticity
• Perform procedures to validate the response’s authenticity

ISA 400: Risk Assessments and Internal Controls – States that the inherent and control risk cannot be sufficiently low to eliminate the need to perform any substantive procedures. These substantive procedures may include the use of external confirmations.