Notice 2023-22491
Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on the Auditor's Use of Confirmation, and Other Amendments to Related PCAOB Standards
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published: October 17, 2023
Issuing agencies: Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 199 (Tuesday, October 17, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 199 (Tuesday, October 17, 2023)]
[Notices]
[Pages 71684-71724]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-22491]
[[Page 71683]]
Vol. 88, No. 199
Tuesday, October 17, 2023
Part III
Securities and Exchange Commission
-----------------------------------------------------------------------
Public Company Accounting Oversight Board; Notice of Filing of Proposed
Rules on the Auditor's Use of Confirmation, and Other Amendments to
Related PCAOB Standards; Notice
[[Page 71684]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-98689; File No. PCAOB-2023-02]
Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on the Auditor's Use of Confirmation, and Other
Amendments to Related PCAOB Standards
October 5, 2023.
Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the
``Act''), notice is hereby given that on October 4, 2023, the Public
Company Accounting Oversight Board (the ``Board'' or ``PCAOB'') filed
with the Securities and Exchange Commission (the ``Commission'' or
``SEC'') the proposed rules described in Items I and II below, which
items have been prepared by the Board. The Commission is publishing
this notice to solicit comments on the proposed rules from interested
persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On September 28, 2023, the Board adopted amendments to auditing
standards for the auditor's use of confirmation, and amendments to
related PCAOB standards (collectively, the ``proposed rules''),
including the retitling and replacement of an existing standard with a
new standard. The text of the proposed rules appears in Exhibit A to
the SEC Filing Form 19b-4 and is available on the Board's website at
<a href="https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-028-proposed-auditing-standard-related-to-confirmation">https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-028-proposed-auditing-standard-related-to-confirmation</a> and at the
Commission's Public Reference Room.
II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed comments it received on the proposed rules. The text of these
statements may be examined at the places specified in Item IV below.
The Board has prepared summaries, set forth in sections A, B, and C
below, of the most significant aspects of such statements. In addition,
the Board is requesting that the Commission approve the proposed rules,
pursuant to Section 103(a)(3)(C) of the Act, for application to audits
of emerging growth companies (``EGCs''), as that term is defined in
Section 3(a)(80) of the Securities Exchange Act of 1934 (``Exchange
Act''). The Board's request is set forth in section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
(a) Purpose
Summary
The Board is replacing AS 2310, The Confirmation Process, in its
entirety with a new standard, AS 2310, The Auditor's Use of
Confirmation (``new standard'') to strengthen and modernize the
requirements for the confirmation process. As described in the new
standard, the confirmation process involves selecting one or more items
to be confirmed, sending a confirmation request directly to a
confirming party (e.g., a financial institution), evaluating the
information received, and addressing nonresponses and incomplete
responses to obtain audit evidence about one or more financial
statement assertions. If properly designed and executed by an auditor,
the confirmation process may provide important evidence that the
auditor obtains as part of an audit of a company's financial
statements.
Why the Board Is Adopting These Changes Now
AS 2310 is an important standard for audit quality and investor
protection, as the audit confirmation process touches nearly every
audit. The standard was initially written over 30 years ago and has had
minimal amendments since its adoption by the PCAOB in 2003.
The Board adopted the new standard after substantial outreach,
including several rounds of public comment. The PCAOB previously
considered updating AS 2310 by issuing a concept release in 2009 and a
proposal in 2010 for a new auditing standard that would supersede AS
2310. While the PCAOB did not amend or replace AS 2310 at that time,
subsequent developments--including the increasing use of electronic
communications and third-party intermediaries in the confirmation
process--led the Board to conclude that enhancements to AS 2310 and
modifications to the approach proposed in 2010 could improve the
quality of audit evidence obtained by auditors. In addition, the Board
has observed continued inspection findings related to auditors' use of
confirmation, as well as enforcement actions involving failures to
adhere to requirements in the existing auditing standard regarding
confirmation, such as the requirement for the auditor to maintain
control over the confirmation process.
Accordingly, having considered these developments and input from
commenters, the Board revisited the previously proposed changes and
issued a new proposed standard to replace AS 2310, along with
conforming amendments to other PCAOB auditing standards, in December
2022. Commenters generally supported the Board's objective of improving
the confirmation process, and suggested areas to further improve the
new standard, modify proposed requirements that would not likely
improve audit quality, and clarify the application of the new standard.
In adopting the new standard and related amendments, the Board has
taken into account all of these comments, as well as observations from
PCAOB oversight activities.
Key Provisions of the New Standard
The new standard and related amendments are intended to enhance the
PCAOB's requirements on the use of confirmation by describing
principles-based requirements that apply to all methods of
confirmation, including paper-based and electronic means of
communications. In addition, the new standard is more expressly
integrated with the PCAOB's risk assessment standards by incorporating
certain risk-based considerations and emphasizing the auditor's
responsibilities for obtaining relevant and reliable audit evidence
through the confirmation process. Among other things, the new standard:
• Includes a new requirement regarding confirming cash and
cash equivalents held by third parties (``cash''), or otherwise
obtaining relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source;
• Carries forward the existing requirement regarding
confirming accounts receivable, while addressing situations where it
would not be feasible for the auditor to perform confirmation
procedures or obtain relevant and reliable audit evidence for accounts
receivable by directly accessing information maintained by a
knowledgeable external source;
• States that the use of negative confirmation requests
alone does not provide sufficient appropriate audit evidence (and
includes examples of situations where the auditor may use negative
confirmation requests to supplement other substantive audit
procedures);
• Emphasizes the auditor's responsibility to maintain
control over the confirmation process and provides that the auditor is
responsible for selecting the items to be confirmed,
sending confirmation requests, and receiving confirmation responses;
and
• Identifies situations in which alternative procedures
should be performed by the auditor (and includes examples of such
alternative procedures that may provide relevant and reliable audit
evidence for a selected item).
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of the Act.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts
of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others
The Board released the proposed rules for public comment in PCAOB
Release No. 2022-009 (Dec. 20, 2022) (``2022 Proposal''). The Board
previously issued a concept release for public comment in PCAOB Release
No. 2009-002 (Apr. 14, 2009) (``2009 Concept Release'') and a proposed
auditing standard related to confirmation and related amendments to
PCAOB standards in PCAOB Release No. 2010-003 (July 13, 2010) (``2010
Proposal''). The Board received 98 written comment letters relating to
the 2022 Proposal, the 2009 Concept Release, and the 2010 Proposal. The
Board has carefully considered all comments received. The Board's
response to the comments it received and the changes made to the rules
in response to the comments received are discussed below.
Background
Information obtained by the auditor directly from knowledgeable
external sources, including through confirmation, can be an important
source of evidence obtained as part of an audit of a company's
financial statements.\1\ Confirmation has long been used by auditors.
For example, one early auditing treatise noted the importance of
confirmation for cash deposits, accounts receivable, and demand
notes.\2\ In addition, confirmation of accounts receivable has been a
required audit procedure in the United States since 1939, when the
American Institute of Accountants \3\ adopted Statement on Auditing
Procedure No. 1 (``SAP No. 1'') as a direct response to the McKesson &
Robbins fraud case, which involved fraudulently reported inventories
and accounts receivable that the independent auditors failed to detect
after performing other procedures that did not involve confirmation.\4\
---------------------------------------------------------------------------
\1\ See, e.g., paragraph 08 of AS 1105, Audit Evidence
(providing that, in general, ``[e]vidence obtained from a
knowledgeable source that is independent of the company is more
reliable than evidence obtained only from internal company
sources'').
\2\ Robert H. Montgomery, Auditing Theory and Practice 91
(confirmation of cash deposits), 263 (confirmation of accounts
receivable), and 353 (confirmation of demand notes) (1912).
\3\ The American Institute of Accountants was the predecessor to
the American Institute of CPAs (``AICPA'').
\4\ See In the Matter of McKesson & Robbins, Inc., SEC Rel. No.
34-2707 (Dec. 5, 1940).
---------------------------------------------------------------------------
SAP No. 1 required confirmation of accounts receivable by direct
communication with customers in all independent audits of financial
statements, subject to the auditor's ability to overcome the
presumption to confirm accounts receivable for certain reasons.
Following the adoption of SAP No. 1, the accounting profession also
adopted a requirement in 1942, which remained in effect until the early
1970s, that auditors should disclose in the auditor's report when
confirmation of accounts receivable was not performed. The AICPA's
subsequent revisions to its auditing standards included the
promulgation of AU sec. 330, The Confirmation Process, which was
adopted in 1991 and took effect in 1992. The PCAOB adopted AU sec. 330
(now AS 2310) as an interim standard in 2003.\5\
---------------------------------------------------------------------------
\5\ Shortly after the Board's inception, the Board adopted the
existing standards of the AICPA, as in existence on Apr. 16, 2003,
as the Board's interim auditing standards. See Establishment of
Interim Professional Auditing Standards, PCAOB Rel. No. 2003-006
(Apr. 18, 2003). AU sec. 330 was one of these auditing standards. As
of Dec. 31, 2016, the PCAOB reorganized its auditing standards using
a topical structure and a single, integrated number system, at which
time AU sec. 330 was designated AS 2310. See Reorganization of PCAOB
Auditing Standards and Related Amendments to PCAOB Standards and
Rules, PCAOB Rel. No. 2015-002 (Mar. 31, 2015).
---------------------------------------------------------------------------
The amendments to the standards for the auditor's use of
confirmation are intended to improve audit quality through principles-
based requirements that apply to all methods of confirmation and are
more expressly integrated with the Board's risk assessment standards.
These enhancements should also lead to improvements in practice,
commensurate with the associated risk, among audit firms of all sizes.
The expected increase in audit quality should also enhance the
credibility of information provided in a company's financial
statements.
Rulemaking History
The final amendments to the auditing standards reflect public
comments on a concept release and two proposals. In April 2009, the
PCAOB issued a concept release seeking public comment on the potential
direction of a standard-setting project that could result in amendments
to the PCAOB's existing standard on the confirmation process or a new
auditing standard that would supersede the existing standard.\6\ The
2009 Concept Release discussed existing requirements and posed
questions about potential amendments to those requirements.
---------------------------------------------------------------------------
\6\ Concept Release on Possible Revisions to the PCAOB's
Standard on Audit Confirmations, PCAOB Rel. No. 2009-002 (Apr. 14,
2009).
---------------------------------------------------------------------------
In July 2010, the PCAOB proposed an auditing standard that, if
adopted, would have superseded the existing confirmation standard.\7\
The 2010 Proposal was informed by comments on the 2009 Concept Release
and was intended to strengthen the existing standard by, among other
things, expanding certain requirements and introducing new
requirements. In general, commenters on the 2010 Proposal supported
updating the existing standard to address relevant developments in
audit practice, including greater use of emailed confirmation requests
and responses and the involvement of third-party intermediaries. At the
same time, some commenters asserted that the proposed requirements in
the 2010 Proposal were unduly prescriptive (i.e., included too many
presumptively mandatory requirements) and would result in a significant
increase in the volume of confirmation requests without a corresponding
increase in the quality of audit evidence obtained by the auditor. The
PCAOB did not adopt the 2010 Proposal.
---------------------------------------------------------------------------
\7\ Proposed Auditing Standard Related to Confirmation and
Related Amendments to PCAOB Standards, PCAOB Rel. No. 2010-003 (July
13, 2010).
---------------------------------------------------------------------------
In December 2022, the Board issued a proposed auditing standard to
improve the quality of audits when confirmation is used by the auditor
and to reflect changes in the means of communication and in business
practice since the standard was originally issued.\8\ The 2022 Proposal
was informed by comments on the 2009 Concept Release and 2010 Proposal
and specified the auditor's responsibilities regarding the confirmation
process. The Board received 46 comment letters on the 2022 Proposal
from commenters across a range of affiliations. Those comments
are discussed throughout this release. Commenters on the 2022 Proposal
generally expressed support for the project's objective and suggested
ways to revise or clarify the proposed standard. The Board considered
the comments on the 2022 Proposal, as well as on the 2009 Concept
Release and the 2010 Proposal, in developing the final amendments.\9\
The Board also considered observations from PCAOB oversight activities.
---------------------------------------------------------------------------
\8\ Proposed Auditing Standard--The Auditor's Use of
Confirmation, and Other Proposed Amendments to PCAOB Standards,
PCAOB Rel. No. 2022-009 (Dec. 20, 2022). In this exhibit, the term
``proposed standard'' refers to the proposed auditing standard
relating to the auditor's use of confirmation as described in the
2022 Proposal.
\9\ The comment letters received on the 2009 Concept Release,
2010 Proposal, and 2022 Proposal are available in the docket for
this rulemaking on the PCAOB's website (<a href="https://pcaobus.org/Rulemaking/Pages/Docket028Comments.aspx">https://pcaobus.org/Rulemaking/Pages/Docket028Comments.aspx</a>).
---------------------------------------------------------------------------
Existing Standard
This section discusses key provisions of the existing PCAOB
auditing standard on the confirmation process.
In 2003, the PCAOB adopted the standard now known as AS 2310 (at
that time, AU sec. 330), when it adopted the AICPA's standards then in
existence. Existing AS 2310 indicates that confirmation is the process
of obtaining and evaluating a direct communication from a third party
in response to a request for information about a particular item
affecting financial statement assertions.\10\ For example, an auditor
might request a company's customers to confirm balances owed at a
certain date, or request confirmation of a company's accounts or loans
payable to a bank at a certain date.
---------------------------------------------------------------------------
\10\ Under PCAOB standards, financial statement assertions can
be classified into the following categories: existence or
occurrence, completeness, valuation or allocation, rights and
obligations, and presentation and disclosure. See, e.g., AS 1105.11.
---------------------------------------------------------------------------
Key provisions of existing AS 2310 include the following:
• A presumption that the auditor will request confirmation
of accounts receivable. The standard states that confirmation of
accounts receivable is a generally accepted auditing procedure and
provides the situations in which the auditor may overcome the
presumption.
• Procedures for designing the confirmation request,
including the requirement that the auditor direct the confirmation
request to a third party who the auditor believes is knowledgeable
about the information to be confirmed.
• Procedures relating to the use of both positive and
negative confirmation requests. A positive confirmation request directs
the recipient to send a response back to the auditor stating the
recipient's agreement or disagreement with information stated in the
request, or furnishing requested information. A negative confirmation
request directs the recipient to respond back to the auditor only when
the recipient disagrees with information in the auditor's request. The
standard states that ``[n]egative confirmation requests may be used to
reduce audit risk to an acceptable level when (a) the combined assessed
level of inherent and control risk is low, (b) a large number of small
balances is involved, and (c) the auditor has no reason to believe that
the recipients of the requests are unlikely to give them
consideration.'' \11\ If negative confirmation requests are used, the
auditor should consider performing other substantive procedures to
supplement their use.\12\
---------------------------------------------------------------------------
\11\ See AS 2310.20.
\12\ Id.
---------------------------------------------------------------------------
• A requirement for the auditor to maintain control over
confirmation requests and responses by establishing direct
communication between the intended recipient and the auditor.
• Procedures to consider when the auditor does not receive a
written confirmation response via return mail, including how the
auditor should evaluate the reliability of oral and facsimile responses
to written confirmation requests. The standard provides that, when
confirmation responses are in other than a written format mailed to the
auditor, additional evidence may be necessary to establish the validity
of the respondent.
• A requirement that the auditor should perform alternative
procedures when the auditor has not received a response to a positive
confirmation request.
• Requirements for the auditor's evaluation of the results
of confirmation procedures and any alternative procedures performed by
the auditor. These provisions include the requirement that, if the
combined evidence provided by confirmation, alternative procedures, and
other procedures is not sufficient, the auditor should request
additional confirmations or extend other tests, such as tests of
details or analytical procedures.
Current Practice
This section discusses the Board's understanding of current
practice based on, among other things, observations from oversight
activities of the Board and SEC enforcement actions.
Overview of Current Practice
The audit confirmation process touches nearly every financial
statement audit conducted under PCAOB auditing standards. This is due
in part to the presumption in existing AS 2310 that the auditor will
confirm accounts receivable, which include claims against customers
that have arisen from the sale of goods or services in the normal
course of business and a financial institution's loans, unless certain
exemptions apply. In addition, audit methodologies of many larger audit
firms affiliated with global networks recommend or require confirming
cash accounts. In the past, the use of confirmation was a common
practice for auditing a financial institution's customer deposits. In
recent years, however, there has been an increased wariness about
phishing attempts by unauthorized parties aimed at obtaining sensitive
personal or financial information of customers. As a result, some
customers might not understand or trust an unsolicited confirmation
request from an auditor and, indeed, many financial institutions and
other companies now advise customers not to reply to unsolicited
correspondence concerning their accounts or other customer
relationships.\13\
---------------------------------------------------------------------------
\13\ Situations that involve using audit procedures other than
confirmation and situations where companies adopt the policy of
responding to electronic confirmation requests from auditors only
through an intermediary are discussed later in this exhibit.
---------------------------------------------------------------------------
Existing AS 2310 was written at a time when paper-based
confirmation requests and responses were the prevailing means of
communication. Since then, emailed confirmation requests and responses,
and the use of technology-enabled confirmation tools, including the use
of intermediaries to facilitate the confirmation process, have become
commonplace. For example, numerous financial institutions in the United
States, and an increasing number of international banks, mandate the
use of an intermediary as part of the confirmation process and will not
otherwise respond to an auditor's confirmation request.
As noted above, existing AS 2310 provides that the auditor should
maintain control over the confirmation process. In practice, complying
with this requirement involves the auditor directly sending the
confirmation request to the confirming party via mail or email, without
involving company personnel. The auditor's confirmation request
generally specifies that any correspondence should be sent directly to
the auditor's location (or email address) to minimize the risk of
interference by company personnel. When an intermediary facilitates
direct electronic communications between the auditor and the confirming
party, the auditor is still required to maintain control over the
confirmation process. Procedures performed by audit firms to address
this requirement vary depending on facts and circumstances.
Some auditors have used a report on controls at a service organization
(``SOC report'') to evaluate the design and operating effectiveness of
the intermediary's controls relevant to sending and receiving
confirmations.
Under the existing standard, auditors can use positive confirmation
requests and, provided certain conditions are met, negative
confirmation requests. A positive confirmation request either asks the
recipient to respond directly to the auditor about whether the
recipient agrees with information that is stated in the request or asks
the recipient to provide the requested information by filling in a
blank form. In comparison, a negative confirmation request directs the
recipient to respond only when the recipient disagrees with the
information included in the request. In practice, negative confirmation
requests have typically been used to obtain audit evidence related to
the completeness of deposit liabilities and other accounts of a similar
nature and, less frequently, to obtain evidence related to the
existence of accounts receivable. In some cases, auditors use a
combination of positive and negative confirmation requests.
Observations From Inspections and Enforcement Actions
This section discusses observations from PCAOB oversight activities
and SEC enforcement actions, including (1) PCAOB inspections of
registered public accounting firms (``firms'') and (2) enforcement
actions relating to deficient confirmation procedures performed by the
auditor. These observations have informed the Board's view that
providing greater clarity as the Board strengthens the requirements
could result in improved compliance by auditors.
Inspections. Over the past several years, PCAOB inspections
indicated that some auditors did not fulfill their responsibilities
under the existing standard when performing confirmation procedures.
The shortcomings have been noted at large and small domestic firms, and
at large firms with domestic and international practices. For example,
some auditors did not: (1) consider performing procedures to verify the
source of confirmation responses received electronically; (2) perform
sufficient alternative procedures; (3) restrict the use of negative
confirmation requests to situations where the risk of material
misstatement was assessed as low; or (4) maintain appropriate control
over the confirmation process, including instances where company
personnel were involved in either sending or receiving confirmations.
The PCAOB has also continued to monitor developments relating to
the use of confirmation through its other oversight and research
activities. For example, in 2021, the PCAOB staff issued a Spotlight
discussing, among other things, the use of technology in the
confirmation process.\14\ In addition, in 2022, the PCAOB staff issued
a Spotlight that specifically discussed observations and reminders on
the use of a service provider in the confirmation process.\15\
---------------------------------------------------------------------------
\14\ See Spotlight: Data and Technology Research Project Update
(May 2021), available at <a href="https://pcaobus.org/resources/staff-publications">https://pcaobus.org/resources/staff-publications</a>.
\15\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at <a href="https://pcaobus.org/resources/staff-publications">https://pcaobus.org/resources/staff-publications</a>.
---------------------------------------------------------------------------
Enforcement actions. Over the years, there have been a number of
enforcement actions by the PCAOB and the SEC alleging that auditors
failed to comply with PCAOB standards related to the confirmation
process. Enforcement actions have been brought against large and small
firms, and against U.S. and non-U.S. firms.
For example, PCAOB enforcement cases have involved allegations that
auditors failed to: (1) perform appropriate confirmation procedures to
address a fraud risk; \16\ (2) adequately respond to contradictory
audit evidence obtained from confirmation procedures; \17\ (3) perform
appropriate confirmation procedures and alternative procedures for
accounts receivable; \18\ or (4) maintain proper control over the
confirmation process.\19\
---------------------------------------------------------------------------
\16\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Whitley Penn LLP, PCAOB
Rel. No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the
Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No. 105-2015-009
(Apr. 28, 2015).
\17\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Ronald R. Chadwick,
P.C., PCAOB Rel. No. 105-2015-009 (Apr. 28, 2015); In the Matter of
Price Waterhouse, Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5,
2011).
\18\ See, e.g., In the Matter of Whitley Penn LLP, PCAOB Rel.
No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the
Matter of Wander Rodrigues Teles, PCAOB Rel. No. 105-2017-007 (Mar.
20, 2017); In the Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No.
105-2015-009 (Apr. 28, 2015); In the Matter of Price Waterhouse,
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
\19\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Price Waterhouse,
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
---------------------------------------------------------------------------
In several confirmation-related enforcement cases, the SEC alleged
that the deficient confirmation procedures by the auditors involved
companies that had engaged in widespread fraud, where properly
performed confirmation procedures might have led to the detection of
the fraudulent activity.\20\ Further, in a number of proceedings, the
SEC alleged that confirmation procedures were not properly designed
\21\ or, more frequently, that the auditors failed to adequately
evaluate responses to confirmation requests and perform alternative or
additional procedures in light of exceptions, nonresponses, or
responses that should have raised issues as to their reliability or the
existence of undisclosed related parties.\22\ Several of these
proceedings were brought in recent years, suggesting that problems
persist in this area.
---------------------------------------------------------------------------
\20\ See, e.g., In the Matter of CohnReznick LLP, SEC Rel.
No. 34-95066 (June 8, 2022); In the Matter of Ravindranathan
Raghunathan, CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the
Matter of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In
the Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP A/
K/A Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In
the Matter of William Joseph Kouser Jr., CPA, SEC Rel. No. 34-80370
(Apr. 4, 2017).
\21\ See, e.g., In the Matter of RSM US LLP, SEC Rel. No. 34-
95948 (Sept. 30, 2022); In the Matter of Ravindranathan Raghunathan,
CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the Matter of
Winter, Kloman, Moter & Repp, S.C., SEC Rel. No. 34-83168 (May 4,
2018); In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No.
34-80918 (June 14, 2017).
\22\ See, e.g., In the Matter of Jason Jianxun Tang, CPA, SEC
Rel. No. 34-96347 (Nov. 17, 2022); In the Matter of Steven Kirn,
CPA, SEC Rel. No. 34-95949 (Sept. 30, 2022); In the Matter of
Friedman LLP, SEC Rel. No. 34-95887 (Sept. 23, 2022); In the Matter
of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In the
Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP A/K/A
Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In the
Matter of Anton & Chia, LLP, SEC Rel. No. 34-87033 (Sept. 20, 2019);
In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No. 34-80918
(June 14, 2017); In the Matter of William Joseph Kouser Jr., CPA,
SEC Rel. No. 34-80370 (Apr. 4, 2017).
---------------------------------------------------------------------------
Reasons To Improve Auditing Standards
The amendments to PCAOB standards being adopted are intended to
enhance audit quality by clarifying and strengthening the requirements
for the auditor's use of confirmation. The final amendments are also
more expressly integrated with the PCAOB's risk assessment standards by
incorporating certain risk-based considerations and emphasizing the
auditor's responsibilities for obtaining relevant and reliable audit
evidence through the confirmation process. The Board believes that
these improvements will enhance both audit quality and the credibility
of the information provided in a company's financial statements.
Areas of Improvement
The Board has identified two important areas where improvements are
warranted to existing standards, discussed below: (1) updating the
standards to reflect developments in
[[Page 71688]]
practice and (2) clarifying the auditor's responsibilities to evaluate
the reliability of evidence obtained through confirmation responses.
Updating the Standards To Reflect Developments in Practice
The new standard supports the auditor's use of electronic forms of
communication between the auditor and the confirming party. Since the
AICPA standard on the confirmation process adopted by the PCAOB took
effect in 1992, there has been a significant change in the auditing
environment and the means by which an auditor communicates with
confirming parties. Emails and other forms of electronic communications
between auditors and confirming parties have become ubiquitous, and
third-party intermediaries now often facilitate the electronic
transmission of confirmation requests and responses between auditors
and confirming parties.
In addition, the Board believes its auditing standards should allow
for continued innovation by auditors in the ways they obtain audit
evidence. Traditionally, auditors have used confirmation in
circumstances where reliable evidence about financial statement
assertions could be obtained directly from a third party that transacts
with the company (e.g., to confirm the existence of cash or accounts
receivable). Generally, audit evidence obtained directly from
knowledgeable external sources, including through confirmation, has
been viewed as more reliable than evidence obtained through other audit
procedures available to the auditor,\23\ especially where the auditor
identified a risk of fraud, chose not to test controls, or determined
that controls could not be relied on.\24\
---------------------------------------------------------------------------
\23\ The confirmation process involves obtaining audit evidence
from a confirming party. Under PCAOB standards, in general, evidence
obtained from a knowledgeable source that is independent from the
company is more reliable than evidence obtained only from internal
company sources. See, e.g., AS 1105.08.
\24\ See, e.g., Staff Audit Practice Alert No. 8, Audit Risks in
Certain Emerging Markets (Oct. 3, 2011) (``SAPA No. 8'') at 11
(stating that, when an auditor has identified fraud risks relating
to a company's bank accounts or amounts due from customers, ``it is
important for the auditor to confirm amounts included in the
company's financial statements directly with a knowledgeable
individual from the bank or customer who is objective and free from
bias with respect to the audited entity rather than rely solely on
information provided by the company's management''). The
requirements of the new standard are consistent with the guidance in
SAPA No. 8, which auditors should continue to consider when using
confirmations to address fraud risks in emerging markets.
---------------------------------------------------------------------------
The PCAOB staff's research indicates that some audit firms may have
developed or may yet develop audit techniques that enable the auditor
to obtain relevant and reliable audit evidence for the same assertions
by performing substantive audit procedures that do not include
confirmation, as discussed in more detail below. To reflect these
developments, the new standard allows the performance of other
procedures in lieu of confirmation for cash and accounts receivable in
situations where the auditor can obtain relevant and reliable audit
evidence by directly accessing information maintained by knowledgeable
external sources. Further, the new standard acknowledges that, in
certain situations, it may not be feasible for the auditor to obtain
audit evidence for accounts receivable directly from a knowledgeable
external source and provides that in those situations the auditor
should obtain external information indirectly by performing other
substantive procedures, including tests of details.
Clarifying the Auditor's Responsibilities To Evaluate the Reliability
of Confirmation Responses
While information obtained through the confirmation process can be
an important source of audit evidence, the confirmation process must be
properly executed for the evidence obtained to be relevant and
reliable. The enforcement actions discussed above and other recent
high-profile financial reporting frauds have also called attention to
the importance of well-executed confirmation procedures, including the
confirmation of cash.\25\ In addition, PCAOB oversight activities have
identified instances in which auditors did not obtain sufficient
appropriate audit evidence when using confirmation. Accordingly, the
new standard includes a new requirement to confirm certain cash
balances and clarifies the auditor's responsibilities to evaluate the
reliability of evidence obtained through confirmation responses (and,
when necessary, to obtain audit evidence through alternative
procedures).
---------------------------------------------------------------------------
\25\ See, e.g., In the Matter of Mancera, S.C., SEC Rel. No. 34-
90699 (Dec. 17, 2020) (failure by auditors to properly evaluate
confirmation responses to requests for information on cash balances
of a Mexican homebuilder subsequently found to have engaged in a
``multi-billion dollar financial fraud''). See also Olaf Storbeck,
Tabby Kinder, and Stefania Palma, EY failed to check Wirecard bank
statements for 3 years, Financial Times (June 26, 2020) (potential
failure by auditors to confirm cash balances purportedly held by
Wirecard AG, a German company whose securities were not registered
with the SEC, directly with a Singapore-based bank).
---------------------------------------------------------------------------
Comments on the Reasons for Standard Setting
Many commenters on the 2022 Proposal broadly expressed support for
revisions to the Board's standard on the auditor's use of confirmation
to reflect developments in practice since the AICPA standard on the
confirmation process adopted by the PCAOB took effect in 1992. A number
of commenters also agreed that the standard on the auditor's use of
confirmation should be more closely aligned with the Board's risk
assessment standards. In addition, some commenters stated that updates
to the PCAOB's standard on the auditor's use of confirmation would be
generally consistent with their prior recommendations to the Board that
the Board modernize its interim auditing standards. Other commenters
suggested that the Board should also engage in additional outreach with
investors or that it consider other mechanisms to engage with
stakeholders prior to the adoption of standards, such as roundtables
and pre-implementation ``field testing'' of proposed standards.
In addition, several commenters expressed support for the
proposition that the PCAOB's auditing standards should allow for
continued innovation by auditors in the ways they obtain audit
evidence. These commenters generally stated that standards should be
written to evolve with future technologies, including new methods of
confirmation that may arise from technological changes in auditing in
the future. A few commenters stated that the 2022 Proposal provided
flexibility to respond to the current use of technology in the audit
process, or left enough room for judgment-based application for further
advances in technology. In comparison, some commenters stated that the
proposed standard was not sufficiently forward-looking. Several
commenters cautioned against more explicitly addressing the use of
technology (i.e., by adding prescriptive requirements), noting that
doing so might not allow the standard to age effectively with time and
innovation.
Several commenters broadly expressed support for the Board's goal,
as described in the 2022 Proposal, of improving the quality of audit
evidence obtained by auditors when using confirmation. One of these
commenters stated that it was critical that confirmation requests are
properly designed and that confirmation responses are appropriately
evaluated, especially when there are confirmation exceptions or
concerns about their reliability. In addition, other commenters
generally expressed
[[Page 71689]]
support for the proposed requirements and stated they would lead to
improvements in audit quality. A number of commenters, primarily firms
and firm-related groups, asserted that certain requirements in the 2022
Proposal were unduly prescriptive and that the final standard should be
more principles-based and risk-based to allow for more auditor
judgment. In comparison, an investor-related group suggested that the
Board remind auditors that, in exercising professional judgment, their
judgments must be reasonable, careful, documented, and otherwise in
compliance with applicable professional requirements.
In adopting the new standard, the Board has considered these
comments on the 2022 Proposal, as well as the comments received on the
2010 Proposal and the 2009 Concept Release. Based on the information
available to the Board--including the current regulatory baseline,
observations from our oversight activities, academic literature, and
comments--the Board believes that investors will benefit from
strengthened and clarified auditing standards in this area. To the
extent that commenters provided comments or expressed concerns about
specific aspects of the proposed revisions to the Board's existing
standard on the auditor's use of confirmation, the Board's
consideration of these comments is discussed further below and
elsewhere in this exhibit. While the Board does not expect that the new
standard will eliminate inspection deficiencies observed in practice,
it is intended to clarify the auditor's responsibilities and align the
requirements for the use of confirmation more closely with the PCAOB's
risk assessment standards.
The new standard also reflects several changes that were made after
the Board's consideration of comments received about the potential
impact of the proposed new standard on auditors, issuers, and
intermediaries. In addition, some commenters called for a broader
alignment of PCAOB standards with standards issued by other standard
setters, namely the International Auditing and Assurance Standards
Board (``IAASB'') and the AICPA's Auditing Standards Board (``ASB''). A
few commenters stated that PCAOB standards should be harmonized with
IAASB standards, in the interest of global comparability, and, in the
view of one commenter, with ASB standards. A few commenters stated that
the Board should provide robust and detailed explanations of
differences between PCAOB standards and the standards of other standard
setters. One commenter indicated that the dual standard-setting
structure in the United States (i.e., the existence of both PCAOB and
ASB standards) creates issues that could erode audit quality.
The Board carefully considered the approaches of other standard
setters when developing the 2022 Proposal, and the new standard
reflects the approach that the Board believes best protects investors
and furthers the public interest. As a result, certain differences will
continue to exist between the Board's new standard and those of other
standard setters, including a number of provisions that the Board
believes are appropriate and consistent with its statutory mandate to
protect the interests of investors and further the public interest.
Discussion of Final Rules
Overview of New Standard
The new standard replaces existing AS 2310 in its entirety. The
provisions of the new standard the Board has adopted are intended to
strengthen existing requirements for the auditor's use of confirmation.
Key aspects of the new standard:
<bullet> Include principles-based requirements that are designed to
apply to all methods of confirmation. The new standard is designed to
enhance requirements that apply to longstanding methods, such as the
use of paper-based confirmation requests and responses sent via regular
mail; methods that involve electronic means of communications, such as
the use of email or an intermediary to facilitate direct electronic
transmission of confirmation requests and responses; and methods that
are yet to emerge, thus encouraging audit innovation.
<bullet> Expressly integrate the requirements for the auditor's use
of confirmation with the requirements of the Board's risk assessment
standards, including AS 1105. The new standard specifies certain risk-
based considerations and emphasizes the auditor's responsibilities for
obtaining relevant and reliable audit evidence when performing
confirmation procedures.
<bullet> Emphasize the use of confirmation procedures in certain
situations. The new standard adds a new requirement that the auditor
should perform confirmation procedures for cash held by third parties,
carries forward an existing requirement that the auditor should perform
confirmation procedures for accounts receivable, and adds a new
provision that the auditor may otherwise obtain audit evidence by
directly accessing information maintained by a knowledgeable external
source for cash and accounts receivable. In addition, the new standard
carries forward an existing requirement to consider confirming the
terms of certain other transactions.
<bullet> Address situations in which it would not be feasible for
the auditor to obtain information directly from a knowledgeable
external source. The new standard provides that if it would not be
feasible for the auditor to obtain audit evidence directly from a
knowledgeable external source for accounts receivable, the auditor
should perform other substantive audit procedures, including tests of
details, that involve obtaining audit evidence from external sources
indirectly.
<bullet> Communicate to the audit committee certain audit responses
to significant risks. Under the new standard, for significant risks
associated with cash or accounts receivable, the auditor is required to
communicate with the audit committee when the auditor did not perform
confirmation procedures or otherwise obtain audit evidence by directly
accessing information maintained by a knowledgeable external source.
<bullet> Reflect the relatively insignificant amount of audit
evidence obtained when using negative confirmation requests. Under the
new standard, the use of negative confirmation requests may provide
sufficient appropriate audit evidence only when combined with other
substantive audit procedures. The new standard includes examples of
situations in which the use of negative confirmation requests in
combination with other substantive audit procedures may provide
sufficient appropriate audit evidence.
<bullet> Emphasize the auditor's responsibility to maintain control
over the confirmation process. The new standard states that the auditor
should select the items to be confirmed, send confirmation requests,
and receive confirmation responses.
<bullet> Provide more specific direction for circumstances where
the auditor is unable to obtain relevant and reliable audit evidence
through confirmation. The new standard identifies situations where
other procedures should be performed by the auditor as an alternative
to confirmation. The new standard also includes examples of alternative
procedures that individually or in combination may provide relevant and
reliable audit evidence.
Introduction and Objective
(See paragraphs .01 and .02 of the new standard).
[[Page 71690]]
The 2022 Proposal included requirements for the auditor's use of
confirmation. As discussed in the proposal, the confirmation process
involves selecting one or more items to be confirmed, sending a
confirmation request directly to a confirming party, evaluating the
information received, and addressing nonresponses and incomplete
responses to obtain audit evidence about one or more financial
statement assertions. Confirmation is one of the specific audit
procedures described in PCAOB standards that an auditor could perform
when addressing a risk of material misstatement.\26\ As is the case
with other audit procedures, information obtained through confirmation
may support and corroborate management's assertions or it may
contradict such assertions.\27\
---------------------------------------------------------------------------
\26\ See, e.g., AS 1105.14 and .18.
\27\ See AS 1105.02.
---------------------------------------------------------------------------
Under the 2022 Proposal, the auditor's objective in designing and
executing the confirmation process was to obtain relevant and reliable
audit evidence about one or more relevant financial statement
assertions of a significant account or disclosure.\28\ Existing AS 2310
does not include an objective.
---------------------------------------------------------------------------
\28\ An account or disclosure is a significant account or
disclosure if there is a reasonable possibility that the account or
disclosure could contain a misstatement that, individually or when
aggregated with others, has a material effect on the financial
statements, considering the risks of both overstatement and
understatement. See footnote 33 of AS 2110, Identifying and
Assessing Risks of Material Misstatement; paragraph .A10 of AS 2201,
An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------
As discussed below, the Board has modified the introduction and
objective in the proposed standard in several respects.
A number of commenters stated that the objective of the proposed
standard was clear. One commenter stated that the objective should be
to provide requirements and guidance in situations where the auditor,
as a result of its risk-assessment procedures, determines that
confirmation procedures provide an appropriate response to one or more
assertions related to an identified risk of material misstatement.
Another commenter asserted that the objective in the proposed standard
did not result in greater clarity than the proposed objective in the
2010 Proposal and created a wider gap between the PCAOB's standards and
the equivalent standard of the IAASB.
Having considered these comments, the Board has revised the
introduction to provide that the new standard establishes requirements
regarding obtaining audit evidence from a knowledgeable external source
through the auditor's use of confirmation. The introduction further
states that the new standard includes additional requirements regarding
obtaining audit evidence for cash, accounts receivable, and terms of
certain transactions. The Board believes that this language more
clearly aligns with the approach to the auditor's use of confirmation
in the new standard and the inclusion of specific requirements in the
new standard with respect to cash, accounts receivable, and terms of
certain transactions.
In addition, the Board has added the phrase ``from a knowledgeable
external source'' to the objective, such that the new standard provides
that the objective of the auditor in designing and executing the
confirmation process is to obtain relevant and reliable audit evidence
from a knowledgeable external source about one or more relevant
financial statement assertions of a significant account or disclosure.
This language underscores that, when properly designed and executed,
the confirmation process involves obtaining audit evidence regarding
specific items from a knowledgeable external source. A knowledgeable
external source, as referred to in the new standard, generally is a
third party who the auditor believes has knowledge of the information
that may be used as audit evidence. To the extent that this objective
differs from the objective in standards adopted by other standard-
setting bodies on the auditor's use of confirmation, the Board believes
it appropriately reflects the Board's approach in the new standard and
is consistent with its statutory mandate to protect the interests of
investors and further the public interest. The next section of this
exhibit further discusses the relationship of the confirmation process
to the auditor's identification and assessment of, and response to, the
risks of material misstatement.
Relationship of the Confirmation Process to the Auditor's
Identification and Assessment of and Response to the Risks of Material
Misstatement
(See paragraphs .03-.07 of the new standard).
When an auditor uses confirmation, the auditor should be mindful
of, and comply with, the existing obligation to exercise due
professional care in all matters relating to the audit.\29\ Due
professional care requires the auditor to exercise professional
skepticism, which is an attitude that includes a questioning mind and a
critical assessment of audit evidence. Professional skepticism should
be exercised throughout the audit process,\30\ including when
identifying information to confirm, identifying confirming parties,
evaluating confirmation responses, and addressing nonresponses. The
requirements related to exercising professional skepticism, in
combination with requirements in other PCAOB standards, are designed to
reduce the risk of confirmation bias, a phenomenon wherein decision
makers have been shown to actively seek out and assign more weight to
evidence that confirms their hypothesis, and ignore or assign less
weight to evidence that could disconfirm their hypothesis.\31\
---------------------------------------------------------------------------
\29\ See AS 1015, Due Professional Care in the Performance of
Work. The Board currently has a separate standard-setting project to
reorganize and consolidate a group of interim standards adopted by
the Board in Apr. 2003, including AS 1015. See Proposed Auditing
Standard--General Responsibilities of the Auditor in Conducting an
Audit and Proposed Amendments to PCAOB Standards, PCAOB Rel. No.
2023-001 (Mar. 28, 2023).
\30\ See AS 1015.07-.08.
\31\ For a discussion of confirmation bias, see, e.g., Raymond
S. Nickerson, Confirmation Bias: A Ubiquitous Phenomenon in Many
Guises, 2 Review of General Psychology, 175 (1998).
---------------------------------------------------------------------------
The 2022 Proposal described how the proposed standard would work in
conjunction with the PCAOB standards on risk assessment. AS 2110
establishes requirements regarding the process of identifying and
addressing the risks of material misstatement of the financial
statements, and AS 2301, The Auditor's Responses to the Risks of
Material Misstatement, establishes requirements regarding designing and
implementing appropriate responses to the risks of material
misstatement. Fundamental to the PCAOB's risk assessment standards is
the concept that as risk increases, so does the amount of evidence that
the auditor should obtain.\32\ Further, evidence obtained from a
knowledgeable external source generally is more reliable than evidence
obtained only from internal company sources.\33\
---------------------------------------------------------------------------
\32\ See AS 1105.05.
\33\ See AS 1105.08.
---------------------------------------------------------------------------
Where the auditor uses confirmation as part of the auditor's
response, the 2022 Proposal addressed the auditor's responsibilities
for designing and executing the confirmation process to obtain relevant
and reliable audit evidence. When properly designed and executed, the
confirmation process can be an effective and efficient way of obtaining
relevant and reliable external audit evidence, including in situations
where the auditor identifies an elevated risk of material misstatement
due to error or fraud.
[[Page 71691]]
The 2022 Proposal also recognized that performing confirmation
procedures can effectively and efficiently provide evidential matter
about certain financial statement assertions, including existence,
occurrence, completeness, and rights and obligations. For example,
confirmation may provide audit evidence related to the existence of
cash, accounts receivable, and financial instruments, or the
completeness of debt. However, the confirmation process generally
provides less relevant evidence about the valuation assertion (e.g.,
the confirming party may not intend to repay in full the amount owed,
or the custodian may not know the value of shares held in custody).
Confirmation could also be used to obtain audit evidence about the
terms of contractual arrangements (e.g., by verifying supplier
discounts or concessions, corroborating sales practices, or
substantiating oral arrangements and guarantees). Information in
confirmation responses may indicate the existence of related parties,
or relationships or transactions with related parties, previously
undisclosed to the auditor.
The Board also observed in the 2022 Proposal that, in some
situations, an auditor may determine that evidence obtained through
confirmation may constitute sufficient appropriate audit evidence for a
particular assertion, while in other situations performing other audit
procedures in addition to confirmation may be necessary to obtain
sufficient appropriate audit evidence. For example, for significant
unusual sales transactions and the resulting accounts receivable
balances, an auditor might confirm significant terms of the
transactions and the receivable balances with the transaction
counterparties and perform additional substantive procedures, such as
examination of shipping documents and subsequent cash receipts.
Determining the nature, timing, and extent of confirmation procedures,
and any other additional audit procedures, is part of designing and
implementing the auditor's response to the assessed risk of material
misstatement.
The Board adopted the provisions in the 2022 Proposal that address
the relationship of the confirmation process to the auditor's
identification and assessment of and response to the risks of material
misstatement, with certain modifications discussed below.
Overall, commenters expressed support for aligning the proposed
standard on confirmation with the PCAOB's existing risk assessment
standards. Several commenters stated that they had not identified
changes needed to the proposed standard to align further with the
PCAOB's risk assessment standards. Other commenters, as discussed
below, called for various changes to the proposed provisions:
<bullet> Several commenters suggested that there could be further
alignment of the 2022 Proposal with the risk assessment standards to
enable the level of risk to drive the nature of the audit response. A
number of commenters asserted that the 2022 Proposal included certain
prescriptive requirements for the confirmation process, regardless of
the assessed level of risk, and that those provisions could detract
from the auditor's ability to apply professional judgment to determine
the appropriate audit response. Consistent with the objective of the
new standard, the requirements under the new standard apply to a
significant account or disclosure.\34\ The new standard thus does not
establish a presumption to confirm cash or accounts receivable if the
auditor has not determined cash or accounts receivable to be a
significant account. The auditor may choose to perform confirmation
procedures, however, in situations other than those specifically
addressed in paragraphs .24 through .30 of the new standard. The new
standard does not otherwise prescribe the timing or extent of
confirmation procedures, which are discussed as part of the auditor's
response to the risks of material misstatement in AS 2301.
---------------------------------------------------------------------------
\34\ AS 2110.59e directs the auditor to identify significant
accounts and disclosures and their relevant assertions.
---------------------------------------------------------------------------
<bullet> Several commenters stated that paragraphs .06 and .07 of
the proposed standard overly emphasized confirmation as being the most
persuasive substantive audit procedure, with any other procedure
thereby viewed as being less persuasive. One commenter asserted that
the 2022 Proposal appeared to be premised on an assumption that
third-party confirmations represent ``first best'' audit evidence,
regardless of the facts and circumstances. In addition, one commenter
questioned whether the Board intended for confirmation to be used
whenever possible to obtain evidence. Having considered these comments,
the Board has made several changes in the new standard to clarify
certain provisions. In the new standard, the Board has revised
paragraph .06, which discusses obtaining audit evidence from
knowledgeable external sources, to emphasize the source of the audit
evidence, rather than the type of audit procedure performed. The Board
understands that advances in technology, as well as changes in
attitudes towards confirmation (e.g., the potential hesitation of
confirming parties to reply to a confirmation request from auditors
because of the concern of falling victim to a phishing attack), have
led auditors to perform other types of audit procedures that can
provide relevant and reliable external evidence.
<bullet> Some commenters stated that the proposed standard could
give rise to unrealistic expectations about confirmation procedures
effectively addressing the risk of material misstatement due to fraud
in all circumstances. While the Board does not believe that the new
standard creates an unrealistic expectation about audit evidence
obtained through confirmation, the appropriate focus of the auditor
should be the obligation to obtain relevant and reliable audit
evidence. Accordingly, the Board did not adopt paragraph .07 of the
proposed standard, which had provided that ``in situations involving
fraud risks and significant unusual transactions, audit evidence
obtained through the confirmation process generally is more persuasive
than audit evidence obtained solely through other procedures.''
<bullet> Several commenters recommended that the standard address
the current and anticipated use of technology to enable auditors to
obtain sufficient appropriate audit evidence through performing audit
procedures other than confirmation. Some commenters provided examples
of using technology-based procedures in lieu of confirmations,
including accessing company balances directly at the relevant financial
institution and testing internal data against external data sources
using audit data analytics. The Board considered these comments in
developing the new standard. In particular, as discussed below, the new
standard includes a presumption for the auditor to confirm cash and
accounts receivable, or otherwise obtain relevant and reliable audit
evidence for these accounts by directly accessing information
maintained by a knowledgeable external source.
<bullet> One commenter suggested that the note to paragraph .05 of
the proposed standard should also direct the auditor to take into
account internal controls over cash, including segregation of duties,
when there are side agreements to revenue transactions. The Board did
not make this change in the new standard. The Board notes that internal
control considerations are addressed by existing PCAOB standards, which
[[Page 71692]]
require obtaining an understanding of the company's controls when
assessing the risk of material misstatement and identifying and testing
certain controls when the auditor plans to rely on controls to respond
to the assessed risk.\35\ The auditor would consider controls over cash
when performing these procedures.
---------------------------------------------------------------------------
\35\ See, e.g., AS 2110 and AS 2301.
---------------------------------------------------------------------------
<bullet> With respect to the examples of assertions in paragraph
.06 of the proposed standard, one commenter asserted that a final
standard should more fully explain that a confirmation generally serves
to test the assertion of existence, but does not serve to test other
assertions such as valuation, including collectability. The Board did
not incorporate such language in the new standard because it believes
that limiting the use of confirmation to the existence assertion would
be overly prescriptive and might disallow use of confirmation in other
situations where the auditor has determined that confirmation could be
used to obtain relevant and reliable information to test other
assertions.
As discussed below, the Board continues to believe that
confirmation procedures generally would provide relevant and reliable
audit evidence for cash and accounts receivable. Accordingly, under the
new standard the auditor should perform confirmation procedures or
otherwise obtain relevant and reliable audit evidence by directly
accessing information maintained by a knowledgeable external source
when the auditor determines that these accounts are significant
accounts. In addition, the new standard specifies that when the auditor
has identified a significant risk of material misstatement associated
with either a complex transaction or a significant unusual transaction,
the auditor should consider confirming those terms of the transaction
that are associated with a significant risk of material misstatement,
including a fraud risk.
Other Use of Confirmation Procedures. The 2022 Proposal requested
commenters' views on whether there were additional accounts or
financial statement assertions for which the auditor should be required
to perform confirmation procedures. In addition, the 2022 Proposal
requested views on whether the proposal was sufficiently flexible to
accommodate situations where an auditor chooses to confirm information
about newer types of assets (e.g., digital assets based on blockchain
or similar technologies).
Two investor-related groups identified specific types of additional
transactions that should be subject to confirmation, including
transactions (1) with unusual terms and conditions, (2) with related
parties, (3) where the auditor has concern about whether side letters
may exist, (4) where financing is obtained, including bank debt or
supplier-provided financing, (5) involving certain sales practices,
such as bill-and-hold arrangements or supplier discounts or
concessions, (6) involving certain oral arrangements or guarantees, or
(7) involving sales, lending, or liability for custodianship of digital
assets. Another commenter suggested that confirmation of accounts
payable should be considered, but not required, when auditors assess
controls over the recording of liabilities to be ineffective. This
commenter also suggested that the Board state that the use of
confirmation is not limited to the circumstances discussed in the
proposed standard.
In comparison, many firms and firm-related groups stated that the
proposed standard should not prescribe additional other presumptive
requirements to use confirmation. These commenters noted that doing so
would be unduly prescriptive. Several commenters stated that the
proposed standard provided for an appropriate amount of auditor
judgment in determining when to perform confirmation procedures in
situations other than those specifically addressed in the standard. In
addition, several commenters indicated that the 2022 Proposal offered
sufficient flexibility to accommodate situations where an auditor
confirms information about newer types of assets.
Several commenters asserted that the effectiveness of confirmation
procedures is negatively affected by the fact that third parties are
not obligated, under legislation or regulation, to reply to an
auditor's confirmation request.
The new standard does not specify additional accounts or
transactions for which confirmation procedures are presumptively
required beyond those in the 2022 Proposal. The PCAOB's risk assessment
standards are foundational and are used by the auditor to determine the
appropriate response to identified risks of material misstatement. The
Board believes that confirmation can be an important tool for
addressing certain risks for cash and accounts receivable, and for
obtaining audit evidence about other financial relationships, and
certain terms of complex transactions or significant unusual
transactions, as discussed below. However, identifying additional
accounts or scenarios that require the auditor to use confirmation,
without regard to the specific facts and circumstances of the audit
including the assessed risk of material misstatement and whether other
audit procedures would provide sufficient appropriate audit evidence,
would be overly prescriptive.
The auditor's responsibilities relevant to the use of confirmation
are also addressed in several other PCAOB standards. AS 2315, Audit
Sampling, which discusses planning, performing, and evaluating audit
samples, is used if the auditor uses sampling in the confirmation
process. AS 2510, Auditing Inventories, addresses confirmation of
inventories in the hands of public warehouses or other outside
custodians. Additionally, the new standard does not address auditor
responsibilities regarding inquiries concerning litigation, claims, and
assessments, which are addressed in AS 2505, Inquiry of a Client's
Lawyer Concerning Litigation, Claims, and Assessments.
Designing Confirmation Requests
(See paragraphs .08-.13 of the new standard).
A properly designed and executed confirmation process may provide
relevant and reliable audit evidence. Auditor responsibilities
regarding designing a confirmation request are described in paragraphs
.08-.13, as follows:
<bullet> Paragraph .08 discusses identifying information to
confirm;
<bullet> Paragraphs .09 through .11 discuss identifying the
confirming parties for confirmation requests; and
<bullet> Paragraphs .12 through .13 discuss using negative
confirmation requests.
The new standard does not prescribe a particular format for a
confirmation request. For example, requests could be paper-based or
electronic, specifying the information to be confirmed or providing a
blank response form, or sent with or without the involvement of an
intermediary that facilitates electronic transmission. As a practical
matter, the auditor determines the format of a confirmation request to
increase the likelihood that the request is received and clearly
understood by the confirming party, taking into consideration, among
other things, the facts and circumstances of the company and the
confirming party.
Identifying Information To Confirm
The 2022 Proposal provided that the auditor should, as part of
designing confirmation requests, identify information related to the
relevant assertions that the auditor plans to verify with confirming
parties or (when using a blank form) obtain from confirming parties.
Such information
[[Page 71693]]
could include transaction amounts, transaction dates, significant terms
of transactions, and balances due to or from the confirming party as of
a specific date. In addition, the 2022 Proposal discussed that using a
blank confirmation request generally provides more reliable audit
evidence than using a confirmation request that includes information
the auditor is seeking to confirm (e.g., a customer account balance).
In the latter scenario, it is possible that a confirming party could
agree to the information without verifying it against the confirming
party's records.
The Board adopted the proposed requirement relating to identifying
information to confirm with certain modifications discussed below.
Several commenters indicated that the provisions of the 2022
Proposal related to identifying information to confirm were clear and
appropriate. A few commenters requested retaining a statement analogous
to a statement in existing AS 2310 to emphasize in the standard that
responding to blank form confirmation requests generally requires
additional effort, which might lower the response rates and lead
auditors to perform alternative procedures. One commenter expressed
concern that fraudsters could use fake confirmation requests and, in
particular, fake blank form confirmation requests, to defraud bank
customers (e.g., by soliciting their bank details).
Existing AS 2310 includes details regarding the form of
confirmation requests, which includes general information regarding
blank form positive confirmation requests. This information has been
included in the new standard in a note to paragraph .08. Further, after
considering the comments received, the new standard includes language
not included in the proposed standard that is similar to language in
existing AS 2310. This language explains that responding to blank form
confirmation requests generally requires additional effort, which might
lower the response rates and lead auditors to perform alternative
procedures for more selected items. Despite the possibility of lower
response rates, responses to blank form confirmation requests may
provide more reliable audit evidence than responses to confirmation
requests using pre-filled forms.
Paragraph .17 of the proposed standard also included a reminder of
an existing requirement in AS 1105.10, pursuant to which the auditor
should test the accuracy and completeness of information produced by
the company that the auditor uses as audit evidence. The reminder
emphasized that, in the confirmation process, the requirement in AS
1105.10 applies to the information produced by the company (e.g.,
populations from which items are selected for confirmation, such as
detailed account listings, vendor listings, and contractual agreements)
that the auditor uses in selecting the items to confirm.
Several firms and firm-related groups indicated that the existing
requirement in AS 1105.10 for the auditor to evaluate information
produced by a company as audit evidence was sufficient and that
paragraph .17 of the proposed standard was duplicative. A few
commenters stated that confirmation requests are often designed to test
the accuracy of a given account balance or disclosure and, accordingly,
that the requirement should only focus on testing completeness.
Finally, a few commenters suggested that the standard, consistent with
AS 1105.10, should allow for the auditor to test controls over the
accuracy and completeness of information produced by the company that
the auditor uses in selecting items to confirm.
After considering these comments, in order to avoid duplication
with other PCAOB standards, the new standard does not include paragraph
.17 of the proposed standard.
Identifying Confirming Parties for Confirmation Requests
The 2022 Proposal provided that, to obtain reliable audit evidence
from the confirmation process, the auditor should direct the
confirmation requests to third parties (individuals or organizations)
who are knowledgeable about the information to be confirmed. That
provision was similar to existing AS 2310.26, which directs the auditor
to send confirmation requests to third parties who the auditor believes
are knowledgeable about the information to be confirmed, such as a
counterparty who is knowledgeable about a transaction or arrangement.
When designing confirmation requests, an auditor may become aware
of information about a potential confirming party's motivation,
ability, or willingness to respond, or about the potential confirming
party's objectivity and freedom from bias with respect to the audited
entity. Because this type of information can affect the reliability of
audit evidence provided by the confirming party to the auditor, the
2022 Proposal, similar to existing AS 2310.27, provided that the
auditor should consider any such information that comes to the
auditor's attention when selecting the confirming parties. The note to
paragraph .19 of the proposed standard further emphasized that such
information may indicate that the potential confirming party has
incentives or pressures to provide responses that are inaccurate or
otherwise misleading.\36\
---------------------------------------------------------------------------
\36\ See also paragraph .10 of AS 2401, Consideration of Fraud
in a Financial Statement Audit (stating that fraud may be concealed
through collusion among management, employees, or third parties, and
that an auditor may receive a false confirmation from a third party
that is in collusion with management); SAPA No. 8 at 12 (stating
that, when using confirmation to address fraud risks in emerging
markets, ``the auditor should evaluate who the intended recipient of
the confirmation request is and whether the company's management has
an influence over this individual to provide false or misleading
information to the auditor'' and that ``[f]or example, if the
company is the only or a significant customer or supplier of the
confirming entity, the staff of that entity may be more susceptible
to pressure from the company's management to falsify documentation
provided to the auditor'').
---------------------------------------------------------------------------
The 2022 Proposal also provided that the auditor should consider
the source of any such information. For example, if management
indicates to the auditor that a potential confirming party is unlikely
to respond to a confirmation request, management may have other reasons
to avoid a confirmation request being sent (e.g., concealing
management's fraudulent understatement of the amount the company owes
to that party).
In addition, the 2022 Proposal provided more specific direction
than existing AS 2310 for situations in which the auditor is unable to
identify a confirming party who, in response to a confirmation request,
would provide relevant and reliable audit evidence about a selected
item. In such a scenario, the 2022 Proposal prescribed that the auditor
should perform alternative procedures.
The 2022 Proposal also provided that the auditor should determine
that confirmation requests are properly addressed, thus increasing the
likelihood that they are received by the confirming party. The 2022
Proposal did not prescribe the nature or extent of procedures to be
performed by the auditor when making this determination, thereby
allowing the auditor to tailor the procedures to the facts and
circumstances of the audit. For example, in practice, some auditors
compare some or all confirming party addresses, which are typically
provided by the company, to physical addresses or email domains
included on the confirming party's website.
Alternatively, when using an intermediary to facilitate direct
electronic transmission of confirmation requests and responses,
Appendix B of the proposed standard required the
[[Page 71694]]
auditor to obtain an understanding of the intermediary's controls that
address the risk of interception and alteration of the confirmation
requests and responses and determine whether the relevant controls used
by the intermediary are designed and operating effectively. The Board
noted in the 2022 Proposal that, where an auditor determines that
controls that address the risk of interception and alteration also
include controls related to validating the addresses of confirming
parties, the auditor may be able to determine that audit procedures
performed in accordance with Appendix B are sufficient to determine
that confirmation requests are properly addressed. In situations where
the auditor determines that the intermediary's controls that address
the risk of interception and alteration do not also include controls
related to validating the addresses of confirming parties, the Board
also noted that the auditor would need to perform other procedures to
comply with the requirements of the proposed standard.
The Board adopted the requirements relating to identifying
confirming parties for confirmation requests as proposed, with certain
modifications discussed below.
Several commenters indicated that the provisions of the proposed
standard related to identifying confirming parties were sufficiently
clear and appropriate. One commenter indicated that the Board should
require the auditor to send confirmation requests directly to an
individual, rather than allow the auditor to choose between sending the
request either to an individual or an organization. In this commenter's
view, sending a confirmation request directly to an individual could
increase the reliability of audit evidence obtained through the
confirmation process. One commenter indicated that the Board should
amend paragraph .18 of the proposed standard to read ``the auditor
should direct confirmation requests to confirming parties (individuals
or organizations) who are expected to be knowledgeable about the
information to be confirmed and determine that the confirmation
requests are appropriately addressed.''
Because auditors often may have no or limited interaction with the
personnel of confirming organizations, they may not be able to select
an individual addressee for the confirmation request. As a result, the
Board believes that allowing the auditor to address a confirmation
request to an organization that is knowledgeable about the information
to be confirmed is practicable and appropriate. Paragraph .20 of the
proposed standard stated that the auditor should perform alternative
procedures when the auditor is unable to identify a confirming party
who, in response to a confirmation request, would provide relevant and
reliable audit evidence about the selected item.
The Board has modified this language, which appears in paragraph
.11 of the new standard, to emphasize that if the auditor is unable to
identify a confirming party for a selected item who would provide
relevant and reliable audit evidence in response to a confirmation
request, including considering any information about the potential
confirming party discussed in paragraph .10, the auditor should perform
alternative procedures in accordance with Appendix C. In addition, the
Board has added a note to paragraph .11 of the new standard to
reiterate that AS 1105.08 provides that the reliability of evidence
depends on the nature and source of the evidence and the circumstances
under which it is obtained.
These revisions are intended to underscore that auditors should
consider information that may indicate that a potential confirming
party has incentives or pressures to provide responses that are
inaccurate or misleading, and remind auditors that the reliability of
audit evidence depends not only on its nature and source, but also the
circumstances under which it is obtained. For example, restrictions on
access to a potential confirming party that cause the auditor to
identify and send a confirmation request to a different confirming
party or to perform alternative procedures may themselves raise
questions as to the reliability of the audit evidence that the auditor
subsequently obtains from the other confirming party or through
performing alternative procedures. In addition, the revisions to
paragraph .11 clarify that the paragraph applies to a confirming party
for an individual item selected for confirmation, rather than more
broadly to a group of confirming parties that might provide audit
evidence with respect to relevant assertions for an entire account,
such as accounts receivable.
Several commenters on the 2022 Proposal also indicated that the
requirement to send a confirmation request directly to the confirming
party and determine that the request is properly addressed was
sufficiently clear and appropriate. One of these commenters indicated
that the standard should address procedures to verify the recipient's
mailing or email address while the other commenters indicated there was
no need to include specific procedures in the standard. Another
commenter requested more guidance around verifying email addresses. One
commenter indicated that there should be no specific requirement to
check addresses, as such a requirement would not, in the commenter's
view, deter those intent on deceiving auditors. Lastly, one commenter
requested clarification as to whether an auditor should send either an
initial confirmation request or a second request when the auditor is
aware of information that indicates that the confirming party would be
unlikely to respond.
The Board continues to believe that requiring auditors to determine
that confirmation requests are appropriately addressed is critically
important to the effectiveness of the confirmation process. The Board
has noted above some of the ways in which an auditor might comply with
this requirement but is not including such examples in the text of the
new standard to avoid the possible misinterpretation that the examples
describe the only steps an auditor could take in determining whether a
confirmation request is properly addressed.
With respect to one commenter's suggestion that the Board clarify
whether an auditor should send a confirmation request if the auditor is
aware of information indicating that the confirming party would not
respond, the Board believes the new standard is sufficiently clear.
Paragraph .10 of the new standard states, in part, that if the auditor
is aware of information about a potential confirming party's
``willingness to respond,'' the auditor should consider this
information, including its source, in selecting the confirming parties.
Further, paragraph .11 of the new standard states that, if the auditor
is unable to identify a confirming party for a selected item who would
provide relevant and reliable audit evidence in response to a
confirmation request, the auditor should perform alternative procedures
for the selected item in accordance with Appendix C of the new
standard.
Using Negative Confirmation Requests
There are ``positive'' and ``negative'' types of confirmation
requests. A positive confirmation request is a confirmation request in
which the auditor requests a confirmation response. With a negative
confirmation request, the auditor requests a confirmation response only
if the confirming party disagrees with the information provided in the
request. The auditor generally obtains significantly less audit
evidence when
[[Page 71695]]
using negative confirmation requests than when using positive
confirmation requests. A confirming party might not respond to a
negative confirmation request because it did not receive or open the
request, or alternatively the confirming party might have read the
request and agreed with the information included therein.
Because of the limited evidence provided when using negative
confirmation requests, the 2022 Proposal provided that the auditor may
not use negative confirmation requests as the sole substantive
procedure for addressing the risk of material misstatement to a
financial statement assertion. Instead, the 2022 Proposal provided that
the auditor may use negative confirmation requests only to supplement
audit evidence provided by other substantive procedures (e.g.,
examining subsequent cash receipts, including comparing the receipts
with the amounts of respective invoices being paid; examining shipping
documents; examining subsequent cash disbursements; or sending positive
confirmation requests). In addition, Appendix B to the proposed
standard provided examples of situations in which the use of negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence. In contrast, under existing AS 2310, the auditor may use
negative confirmation requests where certain criteria are present and
should consider performing other substantive procedures to supplement
their use.
The Board adopted the requirements for using negative confirmation
requests as proposed. Most commenters on this aspect of the 2022
Proposal expressed support for the proposed prohibition on using
negative confirmation requests as the sole substantive procedure with a
number of commenters stating that negative confirmation requests alone
do not provide sufficient appropriate audit evidence.
Another commenter suggested that the word ``generally'' should be
removed from paragraph .21 of the proposed standard to emphasize that a
negative confirmation is not as persuasive as a positive confirmation.
This commenter indicated that, in situations where the use of negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence, auditors should be required to specifically document their
consideration of certain examples included in paragraph .B1 of the
proposed standard.
Lastly, a few commenters indicated that additional guidance on the
use of negative confirmations, and specifically on the use of
substantive analytical procedures to supplement the use of negative
confirmations, was needed while another commenter indicated that the
examples in Appendix B would assist auditors in applying the
requirements related to the use of negative confirmation requests.
After considering the comments on the 2022 Proposal, the Board has
determined that the requirements in the 2022 Proposal relating to the
use of negative confirmation requests are both appropriate and
sufficiently clear. For ease of reference, the examples of situations
in which the use of negative confirmation requests, in combination with
the performance of other substantive audit procedures, may provide
sufficient appropriate audit evidence now appear in paragraph .13 of
the new standard rather than Appendix B. The Board is not including in
the new standard additional examples of other substantive procedures
that may be used to supplement negative confirmation requests, as some
commenters had suggested. While such procedures may be appropriate in
some circumstances, including such examples in the new standard could
be misperceived as establishing a formal checklist, whereas determining
the necessary nature, timing, and extent of audit procedures that
provide sufficient appropriate audit evidence would depend on the facts
and circumstances of each audit.
Paragraph .12 of the new standard retains the word ``generally''
(i.e., ``[g]enerally, the auditor obtains significantly less audit
evidence when using negative confirmation requests than when using
positive confirmation requests'') to acknowledge that in some
circumstances using positive confirmations may not provide the auditor
with the amount of evidence that the auditor planned to obtain (e.g.,
if the auditor does not receive responses to some or all positive
confirmation requests).
Maintaining Control Over the Confirmation Process
(See paragraphs .14-.17 and .B1-.B2 of the new standard).
The Requirement for the Auditor To Maintain Control Over the
Confirmation Process
The 2022 Proposal included a provision, consistent with AS 2310,
that the auditor should maintain control over the confirmation process
to minimize the likelihood that information exchanged between the
auditor and the confirming party is intercepted and altered. This is
because the reliability of audit evidence provided by confirmation
depends in large part on the auditor's ability to control the integrity
of confirmation requests and responses. The 2022 Proposal also provided
that, as part of maintaining control, the auditor should send
confirmation requests directly to the confirming party and receive
confirmation responses directly from the confirming party.
The Board adopted the requirements for maintaining control over the
confirmation process as proposed, with one modification.
Commenters on this topic largely agreed that the auditor should
maintain control over the confirmation process. One commenter stated
that setting forth the requirement to maintain control over the
confirmation process and the requirement to send confirmation requests
directly to the confirming party in separate paragraphs might suggest
that there are different responsibilities for the auditor. This
commenter recommended combining the requirements to clarify that the
auditor's responsibility is to send the confirmation directly while
maintaining control of the process.
After considering the comments on the 2022 Proposal, the Board has
determined that the proposed requirements are both appropriate and
sufficiently clear, and adopted them as proposed, with the addition of
a new paragraph that clarifies how an external auditor can use internal
auditors in a direct assistance capacity as part of the confirmation
process, as further discussed below. Paragraph .14 of the new standard
establishes the auditor's responsibility for maintaining control over
the confirmation process, and the other paragraphs in this section of
the new standard specify auditor responsibilities regarding certain
aspects of maintaining control, as discussed below. For example,
consistent with the definition of ``confirmation process,'' \37\
paragraph .15 of the new standard requires that the auditor select the
items to be confirmed, send the confirmation requests and receive the
confirmation responses.
[[Page 71696]]
Selecting an item involves the auditor identifying the information to
be included on the confirmation request. Paragraph .16 of the new
standard specifies that maintaining control over the confirmation
process by the auditor involves sending the confirmation request
directly to and obtaining the confirmation response directly from the
confirming party.
---------------------------------------------------------------------------
\37\ The term ``confirmation process'' is defined in paragraph
.A3 of the new standard as ``[t]he process that involves selecting
one or more items to be confirmed, sending a confirmation request
directly to a confirming party, evaluating the information received,
and addressing nonresponses and incomplete responses to obtain audit
evidence about one or more financial statement assertions.''
---------------------------------------------------------------------------
Using an Intermediary To Facilitate Direct Electronic Transmission of
Confirmation Requests and Responses
Background and Requirements
As discussed above, certain financial institutions and other
companies have adopted the policy of responding to electronic
confirmation requests from auditors only through another party that
they, or the auditor, engage as an intermediary to facilitate the
direct transmission of information between the auditor and the
confirming party. The Board understands that such policies are intended
to facilitate the timeliness and quality of confirmation responses
provided by the confirming party to the auditor.
While the involvement of intermediaries is not discussed in
existing AS 2310, the use of an intermediary does not relieve the
auditor of the responsibility under PCAOB standards to maintain control
over confirmation requests and responses. Because an intermediary's
involvement may affect the integrity of information transmitted between
the confirming party and the auditor, the 2022 Proposal provided that
the auditor should evaluate the implications of such involvement for
the reliability of confirmation requests and responses. Specifically,
paragraphs .B2 and .B3 of the proposed standard provided that:
    * The auditor's evaluation should address certain aspects of
the intermediary's controls that address the risk of interception and
alteration of communications between the auditor and the confirming
party;
    * The auditor's evaluation should assess whether
circumstances exist that give the company the ability to override the
intermediary's controls (e.g., through financial or other
relationships); and
    * The auditor should not use an intermediary if information
obtained by the auditor indicates that (i) the intermediary has not
implemented controls that are necessary to address the risk of
interception and alteration of the confirmation requests and responses,
(ii) the necessary controls are not designed or operating effectively,
or (iii) circumstances exist that give the company the ability to
override the intermediary's controls.
The Board adopted the proposed requirements substantially as
proposed, with certain modifications discussed below.
A few commenters on the 2022 Proposal indicated that it is not
clear what an ``intermediary'' is and requested clarification. The
Board is not adding a definition of the term ``intermediary'' in the
new standard as it simply intends to use the term in describing a
particular scenario under the new standard where a third party is
engaged by the auditor or a confirming party to facilitate direct
electronic transmission of confirmation requests and responses between
the auditor and the confirming party. The Board believes that its
intent in using the term ``intermediary'' is sufficiently clear.
Overall, several commenters indicated that the requirements in the
2022 Proposal to evaluate the implications of using an intermediary to
facilitate direct electronic transmission of confirmation requests and
responses were appropriate. However, as discussed below, a number of
these commenters and other commenters stated that additional clarity
may be required to ensure that the proposed revisions are operational
in practice, or otherwise requested additional guidance. Conversely, a
few commenters expressed the view that requirements in the 2022
Proposal regarding the implications of using an intermediary were not
appropriate or sufficiently clear. One of those commenters asserted
that the requirement to assess the intermediary would result in
significant additional work for auditors and that it is not currently
common practice to directly assess intermediaries in this manner. As
discussed in Section IV of the 2022 Proposal, firm methodologies
reviewed by the staff generally include guidance on maintaining control
over the confirmation process, using intermediaries to facilitate the
electronic transmission of confirmation requests and responses, and
assessing controls at the intermediaries. The evidence from the PCAOB
staff's review does not suggest that the requirements in Appendix B of
the new standard would create significant additional work for auditors,
nor did the commenters provide evidence to the contrary.
Separately, as the 2022 Proposal provided that the auditor should
not use an intermediary if information obtained by the auditor
indicates that certain conditions are present, several commenters
stated that the presence of indicators would not necessarily mean that
the intermediary is not fit for use. For example, these commenters
stated that in a situation where an intermediary's control is not
designed or operating effectively, an auditor may be able to obtain an
understanding of whether a specific control failure impacts the
confirmation process and perform tests of other controls or other
procedures at the intermediary to address the control failure.
Having considered the comments, the Board is clarifying in
paragraph .B2 of the new standard that the auditor should not use an
intermediary to send confirmation requests or receive confirmation
responses if the auditor determines that (1) the intermediary has not
implemented controls that are designed or operating effectively to
address the risk of interception and alteration of the confirmation
requests and responses and the auditor cannot address such risk by
performing other procedures beyond inquiry, or (2) circumstances exist
that give the company the ability to override the intermediary's
controls. In the 2022 Proposal, the prohibition was based on an
indication, rather than determination, that such circumstances exist.
For example, when performing an evaluation required by paragraphs
.17 and .B1 of the new standard, an auditor could obtain a SOC report
stating that a particular access control at an intermediary is not
designed or operating effectively. The auditor may then be able to
identify and test other controls that could mitigate the control
failure described in the SOC report. In this scenario, if the auditor
determines that the identified controls are designed and operating
effectively and mitigate the control failure, or the auditor has
performed other procedures such as obtaining computer systems event
logs generated by the intermediary that provide evidence there was no
unauthorized access during the relevant period, the information in the
SOC report in this scenario would not necessarily mean that the auditor
is not allowed to use the intermediary under the new standard.
In addition, several commenters asserted that, if an auditor were
not allowed to use an intermediary under proposed paragraph .B3 and the
confirming party had a policy requiring the use of an intermediary for
receiving and responding to auditor confirmation requests, an auditor
may be unable to comply with the proposed requirement to confirm cash,
even if relevant and reliable audit evidence were otherwise available.
Considering these comments, the Board has modified paragraph .B2 of the
new standard to state that in
[[Page 71697]]
circumstances where the auditor, under paragraph .B2, should not use an
intermediary to send confirmation requests or receive confirmation
responses, the auditor should send confirmation requests without the
use of an intermediary or, if unable to do so, perform alternative
procedures in accordance with Appendix C of the new standard. The Board
believes that this modification and the adoption of a provision
regarding obtaining audit evidence by directly accessing information
maintained by a knowledgeable external source (see discussion below),
address commenters' concerns that an auditor may not be able to comply
with the requirement to confirm cash.
Certain commenters asked for additional guidance on what procedures
an auditor should or could perform to comply with the requirements in
Appendix B. Having considered these comments, the Board determined that
the new standard, consistent with the 2022 Proposal, will not specify
how the auditor should perform the particular procedures required by
paragraphs .B1 and .B2 regarding evaluating the implications of using
an intermediary. The new standard thus allows auditors to customize
their approach based on the facts and circumstances of the audit
engagement and the audit firm. For example, in obtaining an
understanding of the intermediary's controls that address the risk of
interception and alteration of confirmation requests and responses and
determining whether they are designed and operating effectively, the
auditor could (i) use, where available, a SOC report that evaluates the
design and operating effectiveness of the relevant controls at the
intermediary; or (ii) test the intermediary's controls that address the
risk of interception and alteration directly.\38\
---------------------------------------------------------------------------
\38\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at <a href="https://pcaobus.org/resources/staff-publications">https://pcaobus.org/resources/staff-publications</a>.
---------------------------------------------------------------------------
Some commenters asked for guidance related to an acceptable window
of time to be covered by ``bridge letters.'' \39\ Where an auditor uses
an independent service auditor's report on a service organization's
controls, such procedures may involve using a bridge letter. The new
standard does not specify an appropriate window of time to be covered
by a bridge letter or a permissible window of time between the date
covered by a bridge letter and the period when the auditor uses the
intermediary to facilitate direct electronic transmission of
confirmation requests and responses. Auditors should use their
professional judgment based upon the facts and circumstances of the
audit to determine the nature of procedures required to comply with
paragraph .B1 of the new standard, including the note to paragraph
.B1(b).
---------------------------------------------------------------------------
\39\ Some intermediaries provide a ``bridge letter'' or ``gap
letter'' issued by the independent service auditor that addresses
the period from the date of the service auditor's SOC report through
a subsequent date, typically the most recent calendar year end.
---------------------------------------------------------------------------
One commenter stated that paragraph .B2(b) of the proposed standard
should have a specific documentation requirement. The Board believes
that adding a specific documentation requirement is not necessary, as
the auditor is required to document compliance with PCAOB standards
under existing documentation requirements.\40\
---------------------------------------------------------------------------
\40\ See, e.g., paragraph .05 of AS 1215, Audit Documentation.
---------------------------------------------------------------------------
Lastly, the new standard modifies the language of the 2022 Proposal
to provide in the note to paragraph .B1(b) of the new standard that, if
the auditor performs procedures to determine that the controls used by
the intermediary to address the risk of interception and alteration are
designed and operating effectively at an interim date, the auditor
should evaluate whether the results of the procedures can be used
``during the period in which the auditor uses the intermediary''--
rather than at ``period end,'' as described in the proposed standard--
or whether additional procedures need to be performed to update the
results. The Board believes that the modified provision more accurately
describes the timeframe during which the results of the procedures may
be used by an auditor. In addition, the modified provision clarifies
that the auditor should consider the nature and extent of any changes
in the intermediary's process and controls during the period between
the auditor's procedures and the period the auditor uses the
intermediary.
Interaction of New Standard and Proposed QC 1000
In November 2022 the Board issued for public comment a proposed
quality control standard, referred to as proposed QC 1000, A Firm's
System of Quality Control.\41\ Proposed QC 1000 addresses resources
used by a registered public accounting firm that are sourced from
third-party providers. An intermediary that facilitates direct
electronic transmission of confirmation requests and responses is one
example of a ``third-party provider'' under proposed QC 1000.
---------------------------------------------------------------------------
\41\ See A Firm's System of Quality Control and Other Proposed
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No.
2022-006 (Nov. 18, 2022).
---------------------------------------------------------------------------
Under proposed QC 1000, a firm would consider the nature and extent
of resources or services obtained from third-party providers in its
risk assessment process and whether the use of third-party providers
poses any quality risks to the firm in achieving its quality
objectives. One of the required quality objectives relates to obtaining
an understanding of how such resources or services are developed and
maintained and whether they need to be supplemented and adapted as
necessary, such that their use enables the performance of the firm's
engagements in accordance with applicable professional and legal
requirements and the firm's policies and procedures.\42\
---------------------------------------------------------------------------
\42\ See paragraph .44.j of proposed QC 1000.
---------------------------------------------------------------------------
As noted above, the proposed standard on the auditor's use of
confirmation included specific procedures related to the use of an
intermediary, which included obtaining an understanding of the
intermediary's controls that address the risk of interception and
alteration of a confirmation request and response and determining
whether such controls are designed and operating effectively.
A few commenters on the 2022 Proposal observed that firms may
obtain and evaluate SOC reports centrally, rather than requiring that
individual engagement teams obtain and evaluate the reports. One of
these commenters suggested clarifying in the standard that the
evaluations required by Appendix B may be performed, and the
documentation may be retained centrally, as part of the firm's quality
control system. Another of these commenters suggested that the
requirements related to the use of an intermediary be removed entirely
from the proposed confirmation standard and instead be dealt with
solely in the proposed quality control standards. One commenter stated
that, depending on the identified quality risks, procedures performed
in accordance with QC 1000 need not align with the financial statement
period-end of each audit engagement performed by the firm, which the
commenter asserted was implied by paragraph .B2(b) and a related note
in the proposed standard. Lastly, a few commenters indicated that it
would be beneficial to explicitly link the provisions of the
confirmation standard regarding the use of an intermediary with QC
1000.
[[Page 71698]]
Having considered these comments, the Board believes that the
requirements in the new standard related to the auditor's use of
intermediaries, with the modifications discussed above to the
requirements in the proposed standard, are sufficiently clear and
appropriate. The auditor's evaluation of the intermediary's controls
could be performed by an engagement team, an audit firm's national
office, or a combination of both. Where the national office performs
procedures relating to the intermediary (either as part of the firm's
quality control activities or specifically to comply with the new
standard), the engagement team would still need to consider the
procedures performed by the national office and include in its audit
documentation considerations specific to the individual audit
engagement. For example, if a national office evaluated an
intermediary's controls at an interim date, the engagement team would
need to, in accordance with the note accompanying paragraph .B1(b) of
the new standard, evaluate whether the results of the interim
procedures could be used during the period in which the auditor uses
the intermediary to facilitate direct electronic transmission of
confirmation requests and responses or whether they needed to be
updated.
Using Internal Audit in the Confirmation Process
The 2022 Proposal identified certain activities in the confirmation
process where the auditor may not use the assistance of the company's
internal audit function. Under the 2022 Proposal, the auditor was not
permitted to use internal auditors for selecting items to be confirmed,
sending confirmation requests, and receiving confirmation responses,
because using internal audit in a direct assistance capacity for such
activities would not be consistent with the auditor's responsibility to
maintain control over the confirmation process.
Existing AS 2310 does not include analogous provisions. It states
instead that the auditor's need to maintain control does not preclude
the use of internal auditors and that AS 2605, Consideration of the
Internal Audit Function, provides guidance on considering the work of
internal auditors and on using internal auditors to provide direct
assistance to the auditor.\43\
---------------------------------------------------------------------------
\43\ See footnote 3 of AS 2310.
---------------------------------------------------------------------------
The Board adopted the proposed requirements substantially as
proposed, with certain modifications discussed below.
A number of commenters, including investor-related groups, firms,
and firm-related groups, agreed with the requirements proposed in the
2022 Proposal as being in line with the auditor's responsibility to
maintain control over the confirmation process. Additionally, a few
commenters observed that it is not current practice for auditors to use
internal audit in a direct assistance capacity for selecting items to
be confirmed, sending confirmation requests, or receiving confirmation
responses and, therefore, that the requirements in the 2022 Proposal
would not result in a significant change in practice. Conversely, one
commenter stated that the proposed restrictions would impact current
practice as it relates to direct assistance.
A significant number of commenters, including internal auditors and
companies with internal audit functions, took exception to the
provision in the 2022 Proposal to limit the external auditor's use of
internal auditors in a direct assistance capacity in the confirmation
process, and in some instances asserted that such limitations would be
inconsistent with AS 2605. Many of these commenters also challenged the
statement in the 2022 Proposal that ``[i]nvolving internal auditors or
other company employees in these activities [selecting items to be
confirmed, sending confirmation requests, and receiving confirmation
responses] would create a risk that information exchanged between the
auditor and the confirming party is intercepted and altered.'' These
commenters asserted that this language called into question internal
auditors' competence, objectivity, and independence. Additionally, a
few commenters expressed concern with the prescriptiveness of the
proposed restrictions on the use of internal auditors in the
confirmation process.
Having considered the comments received, the Board notes that the
discussion in the 2022 Proposal was not intended to cast doubt on the
qualifications, competence, or objectivity of internal auditors.
Internal auditors can and often do play an important role in enhancing
the quality of a company's financial reporting. At the same time, the
Board continues to believe that in order to maintain control over the
confirmation process the auditor should select items to be confirmed,
send confirmation requests, and receive confirmation responses.
In addition, after considering the comments received, the Board is
(i) relocating the requirements related to the auditor's use of
internal audit in the confirmation process to the section of the new
standard on maintaining control over the confirmation process and (ii)
rephrasing the requirements in terms of the auditor's affirmative
responsibilities, by describing procedures the auditor is required to
perform. In contrast, the proposed standard described procedures that
internal auditors were not allowed to perform. As stated in footnote 7
of the new standard, auditors are permitted to use internal auditors in
accordance with AS 2605, except for selecting items to confirm, sending
confirmation requests, and receiving confirmation responses. The new
standard does not impose any new limitations on how the internal
auditors' work may affect the external auditor's audit procedures.\44\
Instead, the new standard clarifies how an external auditor can use
internal auditors in a direct assistance capacity as part of the
confirmation process.\45\
---------------------------------------------------------------------------
\44\ AS 2605.12 states that ``the internal auditor's work may
affect the nature, timing, and extent of the audit,'' including
``procedures the auditor performs when obtaining an understanding of
the entity's internal control (paragraph .13),'' ``procedures the
auditor performs when assessing risk (paragraphs .14 through .16),''
and ``substantive procedures the auditor performs (paragraph .17).''
\45\ AS 2605.27 discusses how the auditor may use internal
auditors to provide direct assistance.
---------------------------------------------------------------------------
Evaluating Confirmation Responses and Confirmation Exceptions, and
Addressing Nonresponses and Incomplete Responses
(See paragraphs .18-.23 of the new standard).
Overall Approach
Under the 2022 Proposal, the auditor's responsibilities related to
the confirmation process included evaluating the information received
in confirmation responses and addressing nonresponses and incomplete
responses. The 2022 Proposal provided that if the auditor is unable to
determine whether the confirmation response is reliable, or in the case
of a nonresponse or an incomplete response (i.e., one that does not
provide the audit evidence the auditor seeks to obtain), the auditor
should perform alternative procedures.\46\ The 2022 Proposal built upon
requirements in existing AS 2310 that discuss addressing information
obtained from the performance of confirmation procedures.
---------------------------------------------------------------------------
\46\ Alternative procedures, including the relevant exception
described in Appendix C of the new standard, are discussed below.
---------------------------------------------------------------------------
The relevant requirements in the new standard include certain
modifications to the approach in the 2022 Proposal, as discussed in the
sections below.
[[Page 71699]]
Evaluating the Reliability of Confirmation Responses
The 2022 Proposal was intended to provide additional direction
beyond what is set forth in existing AS 2310 to assist the auditor's
evaluation of the reliability of confirmation responses. Specifically,
the 2022 Proposal (i) described information that the auditor should
take into account when performing the evaluation, and (ii) provided
examples of indicators that a confirmation response may have been
intercepted or altered and thus may not be reliable. In particular, the
2022 Proposal provided that the auditor should take into account any
information about events, conditions, or other information the auditor
becomes aware of in assessing the reliability of the confirmation
response.
Under existing PCAOB standards, the auditor is not expected to be
an expert in document authentication but, if conditions indicate that a
document (e.g., a confirmation response) may not be authentic or may
have been altered, the auditor should modify the planned audit
procedures or perform additional audit procedures to respond to those
conditions and should evaluate the effect, if any, on the other aspects
of the audit.\47\ The 2022 Proposal did not alter these requirements,
but specified for the confirmation process that, if the auditor were
unable to determine that the confirmation response is reliable, the
auditor's response should include performing alternative procedures.
---------------------------------------------------------------------------
\47\ See AS 1105.09.
---------------------------------------------------------------------------
The requirements for evaluating the reliability of confirmation
responses were adopted substantially as proposed.
Several commenters indicated that the provisions of the 2022
Proposal related to evaluating the reliability of confirmation
responses were clear and appropriate. One commenter proposed
modifications to the proposed requirements, including replacing the
words ``taking into account'' with ``considering'' in paragraph .25 of
the proposed standard to reflect the commenter's perceived intent of
the Board. One commenter asserted that paragraph .25 of the proposed
standard could result in onerous documentation requirements in
situations where there is a clear reason why a particular indicator is
not necessarily indicative of interception or alteration of a
confirmation request or confirmation response (e.g., a confirmation
request is sent to a general email account but returned from an email
account belonging to an individual monitoring the general email
account). Another commenter proposed that the Board remove one of the
examples of indicators that a confirmation response may have been
intercepted or altered because it appeared to create a de facto
requirement that an auditor treat a confirmation response as not
reliable if the original confirmation request is not returned with the
confirmation response.
In addition, one commenter suggested modifying proposed paragraph
.26 of the proposed standard to provide that the auditor should perform
alternative procedures if the auditor became aware of any of the
factors identified in paragraph .25 and was unable to overcome those
factors to determine that the confirmation response is reliable.
Another commenter stated that the proposed standard should acknowledge
that, in certain specified circumstances, an unreliable confirmation
would likely result in a scope limitation.
Having considered the comments received, the Board notes that
assessing the reliability of confirmation responses is a critical
component of the confirmation process. If indicators of interception or
alteration are present, it is important for the auditor to address
them. When the auditor follows up on a particular indicator, an auditor
may determine that the confirmation requests and responses have not
been intercepted or altered. For example, an auditor could verify that
a difference in the confirming party's email address between the
confirmation request and confirmation response occurred because the
confirming party responds to confirmation requests from one central
email address. The note to paragraph .18 of the new standard (paragraph
.25 of the proposed standard) provides examples of information that the
auditor should take into account if the auditor becomes aware of it.
Under PCAOB standards, the auditor would document the procedures
performed in response to information that indicates that a confirmation
request or response may have been intercepted or altered. To minimize
any confusion, the Board replaced the word ``indicator'' in the note
with the phrase ``information that indicates,'' which has the same
meaning.
In addition, to clarify that the auditor performs alternative
procedures for the selected item if the auditor is unable to determine
that a confirmation response regarding that item is reliable, the Board
has added the phrase ``for the selected item'' after the words
``alternative procedures'' in paragraph .19 of the new standard. The
Board also revised the reference in paragraph .26 of the proposed
standard to performing alternative procedures ``as discussed in
paragraph .31'' to ``in accordance with Appendix C'' in paragraph .19
of the new standard to reflect that alternative procedures for a
selected item may not be necessary under certain circumstances, as
discussed below, and to reflect the relocation of the more detailed
discussion of alternative procedures from the body of the standard to
Appendix C.
AS 3105, Departures from Unqualified Opinions and Other Reporting
Circumstances, sets forth requirements regarding limitations on the
scope of an audit,\48\ including scope limitations relating to
confirmation procedures with respect to accounts receivable.\49\ One
example of such a scope limitation would be the auditor's inability to
confirm accounts receivable balances combined with an inability to
perform other procedures in respect of accounts receivable to obtain
sufficient appropriate audit evidence. The new standard does not repeat
such existing requirements, as doing so would merely duplicate those
requirements.
---------------------------------------------------------------------------
\48\ See AS 3105.05-.15.
\49\ See AS 3105.07.
---------------------------------------------------------------------------
Evaluating Confirmation Exceptions and Addressing Nonresponses and
Incomplete Responses
For various reasons, information in a confirmation response
received by the auditor could differ from other information in the
company's records obtained by the auditor. The 2022 Proposal provided
that the auditor should evaluate the confirmation exceptions and
determine their implications for certain aspects of the audit, as
discussed below. The direction in the 2022 Proposal was more detailed
than in existing AS 2310.
In particular, the 2022 Proposal provided that the auditor should
evaluate whether confirmation exceptions individually or in the
aggregate indicate a misstatement that should be evaluated in
accordance with AS 2810. The 2022 Proposal did not, however, require
investigating all confirmation exceptions to determine the cause of
each confirmation exception. The 2022 Proposal also included a
provision that the auditor should evaluate whether the confirmation
exceptions individually, or in the aggregate, indicate a deficiency in
the company's internal control over financial reporting (``ICFR'').
With regard to nonresponses and potential nonresponses, the 2022
Proposal provided that the auditor should send a second positive
confirmation request to the confirming
[[Page 71700]]
party unless the auditor has become aware of information that indicates
that the confirming party would be unlikely to respond to the auditor.
Additionally, the 2022 Proposal specified that if a confirmation
response is returned by the confirming party to anyone other than the
auditor, the auditor should contact the confirming party and request
that the response be re-sent directly to the auditor. If the auditor
does not subsequently receive a confirmation response from the intended
confirming party, the 2022 Proposal provided that the auditor should
treat the situation as a nonresponse.
Further, in contrast with existing AS 2310, which does not address
the auditor's responsibilities regarding incomplete responses, the 2022
Proposal provided that the auditor should perform alternative
procedures if a confirmation response is not received or is incomplete.
The Board adopted the requirements for evaluating confirmation
exceptions and addressing nonresponses as proposed, with certain
modifications discussed below.
Some commenters indicated that the proposed provisions regarding
evaluating confirmation exceptions and addressing nonresponses were
sufficiently clear and appropriate. A few commenters stated that the
Board should include requirements that limit an auditor's ability to
assess confirmation exceptions as merely ``isolated exceptions.''
Similarly, one commenter asserted that the Board should require
auditors to resolve any confirmation exceptions by examining other
third-party evidence such as purchase orders. In light of these
comments, the Board has added a new note to paragraph .20 of the new
standard that states that determining that a confirmation exception
does not represent a misstatement that should be evaluated in
accordance with AS 2810 generally involves examining external
information, which may include information that the company received
from knowledgeable external sources.
In the Board's view, in many circumstances examining external
evidence under the above provision is necessary, as doing so is
consistent with both the goal of obtaining relevant and reliable audit
evidence and the type of audit evidence sought from confirmation. For
example, an auditor might send a confirmation request for a selected
item to a knowledgeable confirming party regarding a $20,000 accounts
receivable invoice and the confirming party (i.e., the customer)
indicates that the outstanding balance for this invoice at the date
specified in the confirmation request is $18,000. Having investigated
the $2,000 difference, the auditor learns that it does not represent a
misstatement, as the customer overpaid for a different invoice but
applied the overpayment to the invoice selected for confirmation and
the company applied the overpayment differently. In this scenario,
determining that there is not a $2,000 misstatement for the selected
item would involve the auditor examining audit evidence from
knowledgeable external sources, such as applicable purchase orders and
customer cash payments, in addition to information generated by the
company, such as customer invoices.
The note to paragraph .20 of the new standard uses the word
``generally'' to acknowledge that in some circumstances examining
external audit evidence may not be necessary. For example, an auditor
may have included an incorrect figure in the confirmation request and
later determined that the amount confirmed by the confirming party
agrees to the amount in the company's general ledger. Determining that
such a confirmation exception does not represent a misstatement to be
evaluated in accordance with AS 2810 would not require examining audit
evidence from external sources.
One commenter suggested that the Board consider reminding auditors
that, when using audit sampling, the auditor should project the
misstatement results of the sample to the items from which the sample
was selected in accordance with AS 2315. The Board considered this
comment, but did not add a reminder regarding projecting the results of
a sample as the new standard states in footnote 4 that AS 2315
addresses evaluating audit samples.
One commenter suggested that the Board restructure paragraph .27 of
the proposed standard, as the auditor generally considers whether a
confirmation exception is a misstatement and then determines whether
there is a deficiency in internal control. In consideration of this
comment, the Board has restructured paragraph .20 of the new standard
to align with the typical order in which the auditor considers the two
matters discussed therein (i.e., an auditor typically considers whether
a confirmation exception indicates a misstatement that should be
evaluated in accordance with AS 2810, Evaluating Audit Results, and
then considers whether the confirmation exception represents a
deficiency in the company's ICFR).
One commenter expressed the view that the Board should not require
auditors to evaluate whether a confirmation exception constitutes a
control deficiency if the exception was a result of a clerical error or
caused by a timing difference. The Board continues to believe that
requiring the auditor to evaluate exceptions in such circumstances is
appropriate and the auditor should consider whether all confirmation
exceptions are control deficiencies. A clerical error or timing
difference could be indicative of a deficiency in a company's ICFR.
One commenter indicated that the proposed requirement about sending
a second positive confirmation request unless the auditor has become
aware of information that indicates that the confirming party would be
unlikely to respond to the auditor was sufficiently clear and
appropriate. However, several firms commented that the requirement was
too prescriptive, with one commenter asserting that the requirement
could result in unnecessary and potentially ineffective administrative
effort. Additionally, a few commenters expressed concern that following
up on a confirmation request would not constitute sending a second
confirmation request under the proposed standard, but asserted that it
should be so treated.
The Board considered the comments about the requirement to send a
second positive confirmation request. The use of confirmation is not
required under the new standard other than for cash and accounts
receivable when they are significant accounts or disclosures. Under the
new standard, for cash and accounts receivable, the auditor may perform
other audit procedures to obtain audit evidence by directly accessing
information maintained by a knowledgeable external source. Further, for
accounts receivable, in certain situations the new standard allows the
auditor to obtain external information indirectly (see discussion of
cash and accounts receivable below).
Because the auditor may have a choice of the audit procedure to
perform, the Board believes that the auditor will select confirmation
in those situations where confirming parties will be more likely to
respond to the auditor. In situations where a confirming party does not
respond to a confirmation request, the Board has concluded it is
appropriate to require the auditor, in the case of a nonresponse to a
positive confirmation request, to follow up with the confirming party.
The requirement to follow up with the confirming party is included in
paragraph .21 of the new standard. The new standard does not prescribe
a form of the auditor's follow-up. For example, following up using the
same form of communication as in the original confirmation request
(e.g., email, direct electronic transmission facilitated by an
intermediary) would be appropriate under the new standard. In the case
of an electronic confirmation request, a follow-up request could be in
the form of a reminder or automated reminder.
If the auditor subsequently receives a confirmation response, the
new standard provides that the auditor should evaluate that response in
accordance with paragraphs .18-.19 and evaluate any confirmation
exception in accordance with paragraph .20. If the auditor's follow-up
does not elicit a confirmation response, paragraph .23 of the new
standard instructs the auditor to perform alternative procedures for
the selected item in accordance with Appendix C of the new standard.
To clarify that the auditor performs alternative procedures for the
selected item, the Board has added the phrase ``for the selected item''
after the words ``alternative procedures'' in paragraph .23 of the new
standard. The Board also revised the reference in paragraph .30 of the
proposed standard to performing alternative procedures ``as discussed
in paragraph .31'' to refer to ``in accordance with Appendix C'' in
paragraph .19 of the new standard to reflect that alternative
procedures for a selected item may not be necessary under certain
circumstances, as discussed below, and to reflect the relocation of the
more detailed discussion of alternative procedures from the body of the
standard to Appendix C.
Additional Considerations for Cash, Accounts Receivable, and Terms of
Certain Transactions
(See paragraphs .24-.30 of the new standard).
In general, evidence obtained from a knowledgeable external source
is more reliable than evidence obtained only from internal company
sources. When cash or accounts receivable are significant accounts,
there is a presumption in the new standard that the auditor should
obtain audit evidence from a knowledgeable external source by
performing confirmation procedures or using other means to obtain audit
evidence by directly accessing information maintained by knowledgeable
external sources. In addition, the new standard addresses other
situations in which the auditor should consider the use of
confirmation.
The Board discusses below the provisions of the new standard
relating to confirming cash held by third parties, confirming accounts
receivable, performing other audit procedures for accounts receivable
when obtaining audit evidence directly from a knowledgeable external
source would not be feasible, communicating with the audit committee in
certain situations, and confirming the terms of certain other
transactions. To improve the flow of the requirements in the new
standard, these provisions have been placed after the general
provisions that describe the auditor's responsibilities related to the
confirmation process (i.e., after paragraphs .08-.23).
Figure 1 depicts the relationship of the requirements in the new
standard for cash and accounts receivable when they are significant
accounts (paragraphs .24-.28) to the general provisions of the new
standard applicable to the confirmation process (paragraphs
.08-.23).\50\
---------------------------------------------------------------------------
\50\ The information in Figure 1 is intended to be for
illustrative purposes and is not a substitute for the new standard;
only the new standard provides the auditor with the definitive
requirements.
---------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] TN17OC23.008
Cash Held by Third Parties
Confirming Cash
The 2022 Proposal provided that the auditor should perform
confirmation procedures when auditing cash and cash equivalents held by
a third party. Existing AS 2310 does not address auditor
responsibilities for confirming cash.
The Board noted in the 2022 Proposal that an auditor need not
necessarily confirm all cash accounts in all cases. Under PCAOB
standards, the alternative means of selecting items for testing are
selecting all items, selecting specific items, and audit sampling.\51\
An auditor selects individual cash items to confirm following the
relevant direction in PCAOB standards, including identifying and
assessing the risk of misstatement and developing an audit
response.\52\ The particular means or combination of means of selecting
cash items to confirm depend on, for example, the characteristics of
the cash items and the evidence necessary to address the assessed risk
of material misstatement.\53\
---------------------------------------------------------------------------
\51\ See AS 1105.22.
\52\ See, e.g., AS 2110 and AS 2301.
\53\ See AS 1105.23 and AS 2301.03.
---------------------------------------------------------------------------
The 2022 Proposal emphasized that, in selecting the individual
items of cash to confirm, the auditor should take into account the
auditor's understanding of the company's cash management and treasury
function, and the substance of the company's arrangements and
transactions with third parties. For example, an auditor might select
bank accounts with balances over a certain amount, accounts with a high
volume of
transactions, accounts opened or closed during the period under audit,
or accounts the auditor identifies as particularly risk-prone.
Alternatively, the auditor might determine it is appropriate to confirm
all cash accounts. The auditor also follows the direction in PCAOB
standards when determining whether performing procedures in addition to
confirmation is necessary to address the assessed risk of material
misstatement relating to cash.\54\
---------------------------------------------------------------------------
\54\ See, e.g., AS 2301.09.
---------------------------------------------------------------------------
The Board adopted the proposed requirements to confirm cash, with
certain modifications discussed below.
A number of commenters supported the proposed requirement for the
auditor to confirm cash held by third parties. Some of these commenters
stated that confirming cash has long been an audit best practice and
that requiring cash confirmation would lead to more consistency in
practice. In addition, several commenters stated that the standard was
sufficiently risk-based (i.e., by allowing the auditor to select cash
accounts and other financial relationships to confirm based on the risk
of material misstatement associated with cash).
Several commenters asserted that a requirement to confirm cash was
not sufficiently risk-based, despite the provisions in the 2022
Proposal that described that the auditor should take into account their
understanding of the company's operations in making selections of
individual cash items to confirm. In particular, several commenters
stated that the proposed standard would require an auditor to confirm
cash without regard to the level of risk that the auditor had
determined for cash in their risk assessment or when other audit
procedures could produce sufficient appropriate audit evidence. Other
commenters expressed the view that the requirement to confirm cash, as
well as accounts receivable, should be removed, with some of these
commenters suggesting that the auditor should be able to determine the
audit procedure that would be most effective in obtaining relevant and
reliable audit evidence, without confirmation being the ``default''
procedure.
The Board continues to believe that a presumption to confirm cash
is appropriate. As discussed above, this presumption to confirm cash is
consistent with current practice. Consistent with the objective of the
new standard, the requirement to confirm cash, as well as accounts
receivable, only applies when the auditor has determined that
these accounts are significant accounts.
With respect to confirming cash, many commenters, primarily firms
and firm-related groups, expressed concern that the 2022 Proposal did
not contain a provision about overcoming the presumption to confirm
cash. A number of commenters also expressed the view that auditors
could obtain a direct-access view of bank information (or would be able
to do so in the future), which could provide a more effective means of
directly obtaining external evidence than sending a confirmation.
The Board agrees that if the auditor is able to perform other audit
procedures that allow the auditor to obtain audit evidence by directly
accessing information maintained by knowledgeable external sources,
such audit evidence would be at least as persuasive as audit evidence
obtained through confirmation procedures. The Board therefore added to
the presumption to confirm cash (and accounts receivable) in the new
standard the phrase ``or otherwise obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source.''
By way of example, the auditor might satisfy this requirement to
obtain relevant and reliable audit evidence under the new standard by
obtaining read-only access to information maintained by a financial
institution concerning its transactions or balances with the company
directly online through a secure website of the financial institution
using credentials provided to the auditor by the financial institution.
The Term ``Cash and Cash Equivalents Held by Third Parties''
The 2022 Proposal provided that the term ``cash'' comprised both
cash and cash equivalents. Cash equivalents generally refer to short-
term, highly liquid investments that are readily convertible to known
amounts of cash and are so near their maturity that they present
insignificant risk of changes in value because of changes in interest
rates.\55\ Such assets are commonly used by companies to manage their
cash holdings. The 2022 Proposal also described that the requirements
for confirming cash would apply to cash held by third parties, and would
not be limited to cash held by financial institutions. In the Board's view,
this expansion of confirmation requirements was appropriate, as company
funds can be held by third parties other than financial institutions,
such as money transfer providers.
---------------------------------------------------------------------------
\55\ See, e.g., definition of ``cash equivalents'' in the Master
Glossary of the Financial Accounting Standards Board (``FASB'')
Accounting Standards Codification and of ``cash equivalents'' in the
International Financial Reporting Standards (``IFRS'').
---------------------------------------------------------------------------
The Board adopted this provision as proposed in the 2022 Proposal.
There was one comment related to this aspect of the 2022 Proposal,
suggesting that the new standard should specify that ``third parties''
are not limited to financial institutions. The Board believes the
reference to ``third parties'' was sufficiently clear as proposed and,
accordingly, has not expanded this description.
Confirming Other Financial Relationships
The 2022 Proposal provided that the auditor should consider
confirming other financial relationships with the third parties with
which the auditor determines to confirm cash. Such relationships can
include lines of credit, other indebtedness, compensating balance
arrangements, or contingent liabilities, including guarantees. As
proposed, the auditor would be required under PCAOB standards to
document the consideration given to the confirmation of other financial
relationships and the conclusions reached.\56\ Existing AS 2310 does
not have an analogous requirement to confirm other financial
relationships.
---------------------------------------------------------------------------
\56\ See Note to PCAOB Rule 3101(a)(3), which states that ``(i)f
a Board standard provides that the auditor ``should consider'' an
action or procedure, consideration of the action or procedure is
presumptively mandatory, while the action or procedure is not,'' and
AS 1215.05-.06 (audit documentation should ``[d]emonstrate that the
engagement complied with the standards of the PCAOB'' and must
``document the procedures performed . . . with respect to relevant
financial statement assertions''). See also Audit Documentation and
Amendment to Interim Auditing Standards, PCAOB Rel. No. 2004-006
(June 9, 2004), at 3 (``the auditor documents not only the nature,
timing, and extent of the work performed, but also the professional
judgments made by members of the engagement team and others'').
---------------------------------------------------------------------------
The Board adopted this provision as proposed, with certain
modifications discussed below.
Several commenters stated that the requirements for the auditor to
consider confirming other financial relationships were clear. One
commenter suggested that confirming other financial relationships
should be required, and that overcoming the presumption to confirm
should be available only when the financial entity with which the
company does business does not offer services that would give rise to
other financial relationships.
A number of commenters asserted that auditors would be required to
produce additional documentation of their considerations, even when a
financial relationship(s) is not an area of significant risk of
material misstatement. Some commenters recommended that the provision
that the auditor ``should consider'' other financial relationships be
changed to ``may consider,'' in order to allow for more auditor
judgment in determining the audit procedures to perform.
The Board continues to believe that information about financial
relationships, including off-balance sheet relationships, could be
important for the audit, as it could be part of significant disclosures
in a company's financial statements. Accordingly, paragraph .29 of the
new standard provides that, in addition to obtaining audit evidence
from a knowledgeable external source regarding cash in accordance with
paragraph .24, the auditor should consider sending confirmation
requests to that source about other financial relationships with the
company, based on the assessed risk of material misstatement. The
phrase ``based on the assessed risk of material misstatement'' was
added to clarify that the auditor has flexibility in tailoring audit
procedures to the level of assessed risk (e.g., by including or not
including confirmation in the audit response based on the auditor's
assessed risk of material misstatement of other financial
relationships). In addition, paragraph .29 retains the examples of
other financial relationships that were included in the 2022 Proposal.
Accounts Receivable
Confirming Accounts Receivable
The 2022 Proposal carried forward the requirement in existing AS
2310 to confirm accounts receivable. Similar to existing AS 2310, the
2022 Proposal did not specify the extent of confirmation procedures for
accounts receivable. As noted above, the timing and extent of
confirmation procedures are part of the auditor's response to the risks
of material misstatement under PCAOB risk assessment standards. The
2022 Proposal instead required the auditor to take into account the
auditor's understanding of the substance of the company's arrangements
and transactions with third parties and the nature of the items that
make up the company's account balances in selecting the individual
accounts receivable to confirm. For example, an auditor might assess
the risk of material misstatement relating to accounts receivable
higher for a company that is being audited for the first time by the
auditor, or for accounts receivable from a newly acquired operation in
a foreign location.
The Board adopted the proposed requirements to confirm accounts
receivable, with certain modifications discussed below.
Most commenters on this aspect of the 2022 Proposal generally
supported the retention of a presumption to confirm accounts
receivable, and most of those commenters stated that the requirement
for the auditor to confirm accounts receivable was sufficiently clear
and appropriate. Two investor-related groups stated that confirmation
of cash and accounts receivable was necessary, in their view, to obtain
persuasive, sufficient, and competent audit evidence.
On the other hand, a number of commenters, primarily firms and
firm-related groups, expressed concerns about carrying forward the
presumption for auditors to confirm accounts receivable from existing
AS 2310. The common theme of those commenters was that requiring the
auditor to use confirmation for certain accounts may not allow the
auditor to exercise professional judgment in determining an appropriate
response to the assessed risk of material misstatement for those
accounts.
Regarding the selection of accounts receivable to confirm, several
commenters agreed that the 2022 Proposal was sufficiently principles-
based to allow auditors to use professional judgment in determining the
extent of confirmation of accounts receivable.
The Board continues to believe that a presumption to confirm
accounts receivable is appropriate to emphasize that audit evidence
obtained from a knowledgeable external source is generally more
reliable than evidence obtained only from internal company sources.
Consistent with the objective of the new standard, the requirement to
confirm cash and accounts receivable, or otherwise obtain relevant and
reliable audit evidence by directly accessing information maintained by
a knowledgeable external source, only applies when the auditor has
determined that these accounts are significant accounts.
As with cash balances discussed above, the Board believes that when
the auditor is able to perform other audit procedures to obtain audit
evidence about accounts receivable by directly accessing information
maintained by knowledgeable external sources (e.g., information
maintained by the receivable counterparty), such evidence would be at
least as persuasive as audit evidence obtained through confirmation procedures.
The Board therefore added to the presumption to confirm cash and
accounts receivable in the new standard the phrase ``or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source.''
Audit evidence that an auditor obtains by accessing a third party's
information directly can be at least as persuasive as audit evidence
obtained through confirmation procedures because the auditor is able to
observe first-hand the information providing such evidence. As
technology continues to develop, the Board believes it is important for
the new standard to reflect that there may be additional opportunities
for the auditor to obtain audit evidence directly beyond sending a
confirmation request. The new standard would allow for future
innovations in audit techniques that might involve the auditor
obtaining evidence for accounts receivable by directly accessing
information maintained by a counterparty or other knowledgeable
external source. As noted in the new standard, consistent with
selecting a confirming party, when selecting the knowledgeable external
source providing the auditor with access to information directly, the
auditor would be required to consider whether the knowledgeable
external source would have any incentive or pressure to provide the
auditor with access to information directly that is inaccurate or
otherwise misleading.
Situations where it would not be feasible for the auditor to obtain
audit evidence for accounts receivable directly from a knowledgeable
external source, through confirmation procedures or other means, are
discussed below.
The Term ``Accounts Receivable''
The 2022 Proposal described ``accounts receivable'' as comprising
receivables arising from the transfer of goods or services to a
customer or from a financial institution's loans. Existing AS 2310
describes accounts receivable as the entity's claims against customers
that have arisen from the sale of goods or services in the normal
course of business, and a financial institution's loans. The 2022
Proposal was designed to apply to the same types of items as existing
AS 2310, with a modified description to align more closely with the
terminology of current accounting requirements, which have been updated
since existing AS 2310 was written.\57\
---------------------------------------------------------------------------
\57\ See, e.g., FASB Accounting Standards Codification Topic
606, Revenue from Contracts with Customers, and IFRS 15, Revenue
from Contracts with Customers.
---------------------------------------------------------------------------
The Board adopted this provision as proposed.
Commenters on this aspect of the 2022 Proposal stated that the
description of accounts receivable was clear. These commenters also
noted that there was no need to further broaden the description to
include additional types of receivables.
The description of accounts receivable in the new standard includes
receivables that arise from the transfer of goods or services to a
customer. These types of receivables generally arise from the company's
ordinary revenue-generating activities, and include items for which
revenue has been or will be recognized by a company, such as
receivables from selling manufactured products or providing a service
to customers. The description of accounts receivable also includes a
financial institution's loans, including loans to customers that the
institution has originated or purchased from another institution.
Examples of financial institutions are banks, non-bank lenders, and
mortgage companies that provide financing to customers.
Situations When Obtaining Audit Evidence for Accounts Receivable
Directly Would Not Be Feasible
Performing Other Substantive Procedures, Including Tests of Details
In the 2022 Proposal, the presumption to confirm accounts
receivable could be overcome when the auditor determined that an audit
response that only included substantive audit procedures other than
confirmation would provide audit evidence that is at least as
persuasive as evidence the auditor might expect to obtain through
performing confirmation procedures. The 2022 Proposal did not carry
forward the provisions in existing AS 2310 addressing overcoming the
presumption to confirm accounts receivable under certain conditions,
which are (i) immateriality, (ii) ineffectiveness of confirmation, or
(iii) a certain combination of the assessed risk and expected results
from other auditing procedures.\58\
---------------------------------------------------------------------------
\58\ See AS 2310.34.
---------------------------------------------------------------------------
As discussed below, the new standard includes a provision to
address situations when obtaining audit evidence directly from
knowledgeable external sources, whether through confirmation procedures
or other means, would not be feasible to execute.
Many commenters addressed the provision in the 2022 Proposal to
overcome the presumption to confirm accounts receivable. A few
commenters noted that the ability to overcome the presumption to
confirm accounts receivable was clear and appropriate. As discussed
below, many commenters focused on the proposed provision that evidence
obtained through other substantive procedures should be ``at least as
persuasive as'' evidence obtained through confirmation:
* A number of investor-related groups stated that the
provision gave too much leeway to auditors to overcome the presumption
to confirm accounts receivable. These commenters asserted that
exceptions to confirming accounts receivable should only be available
when other audit procedures would provide more persuasive or greater
accumulated evidence than that obtained through confirmation. These
commenters recommended additional requirements, such as allowing the
auditor to overcome the presumption only if they document the evidence
and basis for their conclusion and have communicated the conclusion to
the audit committee and investors.
* Several firms and firm-related groups stated that the
relevant provisions were not clear or more guidance would be needed
about overcoming the presumption to confirm accounts receivable when
other substantive procedures would be ``at least as persuasive as'' the
evidence expected to be obtained through confirmation. A few commenters
observed that the absence of a definition of the term ``persuasive'' in
AS 1105 contributed to a lack of clarity as to the Board's expectations
and requested more guidance about how to measure or evaluate
persuasiveness. Several commenters emphasized that, rather than focus
the requirement for overcoming the presumption to confirm accounts
receivable on whether audit evidence obtained through audit procedures
other than confirmation is ``at least as persuasive as'' evidence
expected to be obtained through confirmation, the Board should focus
the requirement on obtaining evidence that is sufficient and
appropriate to address the assessed risk of material misstatement or,
as one commenter suggested, on the reliability of the audit evidence.
* Several commenters suggested that the Board retain
provisions similar to those in existing AS 2310.34 for allowing the
auditor to overcome the presumption to confirm accounts receivable. In
addition, several firms and firm-related groups suggested that the
auditor's ability to overcome the presumption to confirm should be
based on risk assessment, similar to the provision in existing AS 2310
addressing when the assessed level of inherent and control risk is low.
* Many firms and firm-related groups expressed concern that
the criteria for overcoming the presumption would result in auditors
having to use confirmation even in situations where historically
confirmations were determined by the auditor to be ineffective and not
to provide persuasive audit evidence.
* One commenter stated that, if the proposed language were
adopted, auditors would likely default to confirming accounts
receivable over other audit procedures to avoid second-guessing of
their determinations of the persuasiveness of audit evidence.
* Several commenters, primarily firms and firm-related
groups, stated that the 2022 Proposal imposed a higher threshold than
the existing standard for auditors to overcome the presumption to
confirm accounts receivable without a corresponding increase to audit
quality.
As previously discussed, the new standard creates a presumption
that the auditor performs confirmation procedures or otherwise obtains
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source. Under PCAOB standards,
in general, evidence obtained directly by the auditor from a
knowledgeable external source is more reliable than evidence obtained
indirectly.\59\ However, the Board appreciates that there are instances
where the auditor determines that performing confirmation procedures in
response to a risk of material misstatement related to accounts
receivable would not be feasible. For example, commenters described
situations involving a history of low response rates to confirmation
requests in certain industries (e.g., healthcare, utilities), or where
customers have been advised by a government agency to avoid providing
personal or financial information in response to an unexpected request.
The Board further understands that companies in other industries (e.g.,
large retailers, defense and aerospace companies that contract with the
federal government) do not, as a matter of policy, respond to
confirmation requests. There may also be instances in which the
performance of confirmation procedures would not result in reliable
audit evidence.
---------------------------------------------------------------------------
\59\ See AS 1105.08.
---------------------------------------------------------------------------
Accordingly, paragraph .25 allows the auditor to perform other
substantive procedures in response to a risk of
[[Page 71706]]
material misstatement, as long as such procedures include tests of
details, if the auditor determines it is not feasible to obtain audit
evidence directly from a knowledgeable external source pursuant to
paragraph .24. Paragraph .25 specifically provides that the auditor's
determination should be based on the auditor's experience, such as
prior years' audit experience with the company or experience with
similar engagements where the auditor did not receive confirmation
responses, and the auditor's expectation of similar results if
procedures were performed pursuant to paragraph .24. Any such
determination would be performed as part of conducting the audit based
on the available facts and circumstances at that time and properly
supported in the audit documentation for the engagement.\60\ In
addition, as described below, for significant risks associated with
accounts receivable, the auditor would be required to communicate with
the audit committee when the auditor did not perform confirmation
procedures or otherwise obtain audit evidence by directly accessing
information maintained by a knowledgeable external source.
---------------------------------------------------------------------------
\60\ See AS 1215.05.
---------------------------------------------------------------------------
This provision replaces the concept in the 2022 Proposal about
obtaining audit evidence that was ``at least as persuasive as'' the
evidence expected to be obtained through confirmation procedures. It
also specifies that the auditor should perform other substantive
procedures, including tests of details, in these situations to make
clear that performing only substantive analytical procedures would not
be sufficient to overcome the presumption to confirm. These other
substantive procedures should involve obtaining external information
indirectly.
For accounts receivable, the auditor may be able to satisfy this
requirement by obtaining information that is in the company's
possession that the company received from one or more knowledgeable
external sources.\61\ Examples of such external information may
include subsequent cash receipts, shipping documents from
third-party carriers, customer purchase orders, or signed contracts and
amendments thereto. This information may be in electronic form (e.g., a
purchase order initiated by a customer through a company's website) or
in paper form (e.g., a signed contract).
---------------------------------------------------------------------------
\61\ See also Proposed Amendments Related to Aspects of
Designing and Performing Audit Procedures that Involve Technology-
Assisted Analysis of Information in Electronic Form, PCAOB Rel. No.
2023-004 (June 26, 2023) (proposing amendments to PCAOB auditing
standards to specify auditor responsibilities regarding certain
company-provided information that the auditor uses as audit
evidence, including information that the company received from
external sources).
---------------------------------------------------------------------------
Conversely, when performing other substantive procedures under this
provision, it would not satisfy the requirements of the new standard to
use or rely solely on the company's internally produced information.
For example, an audit procedure that involves an automated matching
analysis of a company's revenue, accounts receivable, and cash journal
entries recorded by the company would be insufficient on its own
because such an analysis only involves the company's internally
produced information. On the other hand, when such internally produced
information is evaluated in conjunction with external information that
the company received from a knowledgeable external source, such as
checks that the company received directly from customers or information
on subsequent cash receipts that the company received from a financial
institution, the procedures would involve audit evidence from a
knowledgeable external source.
Under existing PCAOB standards, the quantity of audit evidence
needed is affected by its quality, including its reliability, and in
general evidence obtained directly by the auditor is more reliable than
evidence obtained indirectly. This applies to all information
(including external information) used by the auditor in arriving at the
conclusions on which the auditor's opinion is based. For example, as
the quality of the evidence increases, the need for additional
corroborating evidence decreases. The auditor should be mindful of
these requirements when determining an appropriate audit response to a
risk of material misstatement that involves obtaining external
information indirectly under the new standard.
Further, when performing audit procedures that involve obtaining
external information, the auditor should be mindful of other relevant
PCAOB standards that address the documentation of the procedures
performed and the relevance and reliability of the audit evidence
obtained.\62\ Audit documentation must clearly demonstrate the work
performed by the auditor. In addition, the reliability of that audit
evidence depends on the nature and source of the evidence and the
circumstances under which it is obtained.
---------------------------------------------------------------------------
\62\ See, e.g., AS 1215.05-.06 and AS 1105.07-.08.
---------------------------------------------------------------------------
Communicating With the Audit Committee About the Auditor's Response to
Significant Risks for Cash and Accounts Receivable
The 2022 Proposal included a requirement for the auditor to
communicate to the audit committee \63\ instances where the auditor had
determined that the presumption to confirm accounts receivable had been
overcome. In proposing that requirement, the Board considered the long-
standing practice by auditors in the United States to confirm accounts
receivable, and noted that a communication requirement when the
presumption to confirm is overcome could enhance the audit committee's
understanding of the auditor's strategy. In this regard, existing
standards require the auditor to communicate to the audit committee
about the auditor's overall audit strategy, significant risks
identified during risk assessment procedures, significant changes to
the planned audit strategy, and significant difficulties encountered
during the audit.\64\ Existing AS 2310 does not have a requirement to
communicate to the audit committee about overcoming the presumption to
confirm accounts receivable.
---------------------------------------------------------------------------
\63\ The term ``audit committee,'' as used in the new standard,
has the same meaning as defined in Appendix A of AS 1301,
Communications with Audit Committees.
\64\ See AS 1301.09, .11, .23.
---------------------------------------------------------------------------
The new standard contains a requirement for the auditor to
communicate with the audit committee about the auditor's response to
significant risks associated with cash or accounts receivable when the
auditor did not perform confirmation procedures or otherwise obtain
audit evidence by directly accessing information maintained by a
knowledgeable external source.
Several commenters, primarily investor-related groups, supported
the proposed requirement in the 2022 Proposal that the auditor
communicate to the audit committee when an auditor overcomes the
presumption to confirm accounts receivable. One of the commenters
referred to a statement in the 2022 Proposal that a requirement to
communicate to the audit committee when overcoming the presumption to
confirm accounts receivable ``may reinforce the auditor's obligation to
exercise due professional care in making that determination.'' This
commenter also noted that overcoming the presumption could result in a
critical audit matter under AS 3101, The Auditor's Report on an Audit
of
[[Page 71707]]
Financial Statements When the Auditor Expresses an Unqualified
Opinion.\65\
---------------------------------------------------------------------------
\65\ A critical audit matter is defined in AS 3101.A2 as ``[a]ny
matter arising from the audit of the financial statements that was
communicated or required to be communicated to the audit committee
and that: (1) relates to accounts or disclosures that are material
to the financial statements and (2) involved especially challenging,
subjective, or complex auditor judgment.''
---------------------------------------------------------------------------
Many commenters on this aspect of the 2022 Proposal, primarily
firms and firm-related groups, disagreed with a specific requirement to
communicate with the audit committee on this matter. These commenters
asserted that such a requirement did not align with principles in AS
1301 to communicate with the audit committee about significant risks,
including audit matters arising from the audit that are significant to
the oversight of the company's financial reporting process. A number of
these commenters also noted that, if there were a significant risk in
accounts receivable or associated with a critical audit matter, the
auditor would already be required to communicate these matters under AS
1301. Several other commenters indicated that they did not object to a
more targeted requirement to communicate with the audit committee about
overcoming the presumption to confirm when accounts receivable was
assessed as a significant risk.
In addition, several commenters asserted that a requirement to
communicate to the audit committee about overcoming the presumption to
confirm would not improve audit quality, and could be detrimental if
this communication became a compliance exercise for auditors,
distracting them from performing effective audit procedures. A few
commenters also stated there would not be a benefit to audit quality if
the Board were to mandate that auditors treat instances of overcoming
the presumption to confirm as a critical audit matter.
The 2022 Proposal stated that there may be some expectation by
audit committees that the auditor would use confirmation as part of a
planned audit response. One commenter encouraged the Board to perform
outreach with audit committees to understand whether this expectation
was, in fact, widespread and whether the proposed communication
requirement would be relevant and meaningful.
Having considered the comments received, the Board does not believe
it is necessary to require the auditor to inform the audit committee in
every instance where the auditor performed substantive audit procedures
other than confirmation to address the risk of material misstatement of
cash or accounts receivable. However, the Board believes the auditor
should inform the audit committee when the auditor did not perform
confirmation procedures or otherwise obtain audit evidence by directly
accessing information maintained by a knowledgeable external source
when responding to significant risks associated with either cash or
accounts receivable.
This targeted requirement is consistent with the views expressed by
several commenters, as discussed above. It is also consistent with the
existing obligation of auditors under PCAOB standards to communicate to
the audit committee an overview of the overall audit strategy and to
discuss with the audit committee the significant risks of material
misstatement identified during the auditor's risk assessment
procedures.\66\ In addition, as with other matters arising from the
audit of financial statements and communicated or required to be
communicated to the audit committee, the auditor is required to
determine whether these matters are critical audit matters in
accordance with AS 3101.\67\
---------------------------------------------------------------------------
\66\ See AS 1301.09.
\67\ See AS 3101.11-.12.
---------------------------------------------------------------------------
Confirming Terms of Certain Transactions
The 2022 Proposal provided that, for significant risks of material
misstatement associated with either a complex transaction or a
significant unusual transaction, the auditor should consider confirming
terms of the transaction with the counterparty to the transaction. This
provision updates a requirement in existing AS 2310.08 that the auditor
should consider confirming the terms of certain transactions that are
associated with high levels of risk. The 2022 Proposal used the
terminology ``significant risk'' and ``significant unusual
transactions,'' but the provision was intended to be similar to that in
existing AS 2310.
The Board adopted the proposed requirements to consider confirming
terms of certain transactions, with certain modifications discussed
below.
Several commenters noted that the provision in the 2022 Proposal
was sufficiently clear and appropriate. Other commenters suggested
various modifications to the provision that they asserted would improve
its clarity, such as elaborating on the meaning of the term ``complex
transaction'' and stating that the provision applies when the
assertions related to the significant risk of material misstatement can
be adequately addressed through confirmation. Several commenters
indicated that other audit procedures, not including confirmation, may
adequately address an assessed significant risk over the existence
assertion, such as obtaining and reviewing an original executed
contract and verifying the execution of its terms over a period of
time.
To provide additional clarity, the new standard provides that the
auditor should consider confirming those terms of a complex transaction
or significant unusual transaction that are associated with a
significant risk of material misstatement, including a fraud risk.
Under the new standard, examples of such terms may include terms
relating to (i) oral side agreements, or undisclosed written or oral
side agreements, where the auditor has reason to believe that such
agreements exist, (ii) bill and hold sales, and (iii) supplier
discounts or concessions. When such arrangements or agreements are part
of a complex transaction or significant unusual transaction identified
by the auditor, there may be a heightened risk that the transaction has
been entered into to engage in fraudulent financial reporting or
conceal misappropriation of assets. Likewise, a complex transaction or
a significant unusual transaction could have a heightened risk of error
whereby confirmation could lead to identification of an additional term
that, under an accounting standard, might have accounting implications
not previously recognized by either the company or the auditor.
Accordingly, the auditor's confirmation of terms related to such
arrangements or agreements may assist the auditor in evaluating the
business purpose, or lack thereof, of the transaction.\68\ These
examples are not intended to be an exhaustive list. An auditor may
identify other terms to confirm relating to a complex transaction or a
significant unusual transaction if the auditor decides that
confirmation could result in obtaining relevant and reliable audit
evidence about that transaction.
---------------------------------------------------------------------------
\68\ See AS 2401.67.
---------------------------------------------------------------------------
One investor-related group recommended that the provision in the
2022 Proposal addressing the terms of complex transactions and
significant unusual transactions should be mandatory and read
``should'' instead of ``should consider.'' In contrast, other
commenters asserted that the provision was unduly prescriptive. Several
commenters recommended that the Board change the phrase ``should
consider'' to ``may consider'' to allow for more auditor judgment in
[[Page 71708]]
determining the audit procedures to perform to address significant
unusual transactions or other complex transactions. The Board believes
that the provision stating that the auditor ``should consider''
confirming terms of complex transactions or significant unusual
transactions associated with a significant risk of material
misstatement is sufficiently risk-based for the auditor to have
flexibility in selecting the audit procedures that are best suited to
address significant risks of material misstatement, depending on the
facts and circumstances of individual transactions.
Another commenter suggested that the Board place additional
emphasis on the auditor having a heightened degree of professional
skepticism, similar to a provision in existing AS 2310.27, and that
doing so would allow auditors to make appropriate judgments in
determining whether facts and circumstances indicate that confirmation
procedures may not produce sufficient appropriate evidence to address
the assessed risks. The Board did not include additional language in
the new standard about the auditor's potential need to exercise a
heightened degree of professional skepticism related to confirmation
because the auditor's obligation to apply professional skepticism is
relevant to all aspects of the audit.\69\
---------------------------------------------------------------------------
\69\ See AS 1015.07.
---------------------------------------------------------------------------
Performing Alternative Procedures for Selected Items
(See paragraphs .C1-.C2 of the new standard).
The 2022 Proposal provided that the auditor should perform
alternative procedures in certain scenarios involving identifying
confirming parties or evaluating the reliability of confirmation
responses, as well as in scenarios involving nonresponses and
incomplete responses.\70\ This range of scenarios was broader than
under existing AS 2310, which provides that, with certain exceptions,
the auditor should apply alternative procedures where the auditor has
not received replies to positive confirmation requests. In addition,
existing AS 2310 provides examples of alternative procedures, and
requires the auditor to evaluate the combined evidence provided by
confirmation and any alternative procedures and send additional
confirmation requests or perform other audit tests, as needed, to
obtain sufficient appropriate audit evidence.
---------------------------------------------------------------------------
\70\ See paragraphs .20 (inability to identify a confirming
party), .26 (unreliable response), and .30 (nonresponse or
incomplete response) of the proposed standard.
---------------------------------------------------------------------------
The 2022 Proposal provided examples of alternative procedures that
may provide relevant and reliable audit evidence regarding accounts
receivable, accounts payable, and the terms of a transaction or
agreement. These provisions expanded upon the examples of alternative
procedures discussed in existing AS 2310.
The 2022 Proposal did not specify whether performing alternative
procedures for the items the auditor was unable to confirm, alone or in
combination with other audit procedures, is necessary to obtain
sufficient appropriate audit evidence. Under the 2022 Proposal, the
auditor would make that determination based on the facts and
circumstances of the audit. Further, an auditor might determine that,
without obtaining a reliable confirmation response, the auditor is
unable to obtain sufficient appropriate audit evidence for a relevant
assertion through performing alternative procedures for the items the
auditor could not confirm, other audit procedures, or both (e.g., if
the auditor observes conditions during the confirmation process that
indicate a heightened fraud risk). In such scenarios, the 2022 Proposal
provided that the auditor would consider the impact on the audit
opinion in accordance with AS 3105.
The 2022 Proposal also provided that performing alternative
procedures may not be necessary where items selected for confirmation
for which the auditor was not able to complete audit procedures would
not--if misstated--change the outcome of the auditor's evaluation of
the effect of uncorrected misstatements performed in accordance with AS
2810.17.\71\ For example, following the direction in AS 2810.17, under
the 2022 Proposal an auditor may have determined that an item that the
auditor was unable to confirm would not be material individually or in
combination with other misstatements. In such situations, the auditor
would not have been required to perform alternative procedures.\72\
Existing AS 2310 includes an analogous exception.
---------------------------------------------------------------------------
\71\ The auditor's evaluation of materiality under AS 2810.17
takes into account both relevant quantitative and qualitative
factors.
\72\ In certain circumstances, auditors may have obligations
independent of the Board's auditing standards to perform either
confirmation procedures or other auditing procedures. See, e.g.,
Section 30(g) of the Investment Company Act of 1940, 15 U.S.C. 80a-
29(g) (providing that the auditor's report on the financial
statements of a registered investment company ``shall state that
such independent public accountants have verified securities owned,
either by actual examination, or by receipt of a certificate from
the custodian, as the Commission may prescribe by rules and
regulations'').
---------------------------------------------------------------------------
The Board adopted the requirements substantially as proposed, with
certain modifications discussed below.
In the 2022 Proposal, the additional discussion of alternative
procedures appeared in the main body of the proposed standard
(paragraph .31). To enhance the readability of these provisions and
facilitate their implementation, the Board has relocated them to
Appendix C, which includes one paragraph that describes when performing
other audit procedures may be necessary (paragraph .C1) and a second
paragraph that provides further direction as to when alternative
procedures are required under the new standard and includes examples of
alternative procedures (paragraph .C2).
In addition, to remind auditors that the auditor's assessment of
risks of material misstatement, including fraud risks, should continue
throughout the audit, including the confirmation process, paragraph .C1
of the new standard states that, when the auditor is unable to obtain
relevant and reliable audit evidence about the selected item through
confirmation, the auditor should evaluate the implications for the
auditor's assessment of the relevant risks of material misstatement,
including fraud risks.
Several commenters indicated that the circumstances in the 2022
Proposal under which the auditor generally would be required to perform
alternative procedures were sufficiently clear and appropriate.
However, multiple commenters suggested that the Board include an
example of an alternative procedure for cash. In consideration of these
comments, the Board has incorporated an example of an alternative
procedure that may provide relevant and reliable audit evidence
regarding cash, which involves the auditor verifying information about
the company's cash account maintained in a financial institution's
information system by viewing this information directly on a secure
website of the financial institution. In this example, the auditor
might verify such information by determining the validity of the
financial institution's website and viewing the information directly on
the secure website. The information viewed by the auditor could be
accessed either by the auditor, using login credentials provided by the
company, or by company personnel. This additional example is intended
to address some commenters' misperception that the 2022 Proposal would
not allow the
[[Page 71709]]
auditor to perform alternative procedures in the event that a positive
confirmation request related to cash does not result in a confirmation
response.
Several commenters asserted that the note in the 2022 Proposal
identifying situations where alternative procedures may not be
necessary was not clear, with one commenter indicating that the
analogous exception in existing AS 2310 was clearer because it
addressed audit sampling. In consideration of these comments, the Board
has revised the note to paragraph .C2 of the new standard to clarify
how the exception from performing alternative procedures for selected
items should be applied and revised the footnote in the paragraph to
further explain how the exception is applied in scenarios involving
audit sampling.
The following example further illustrates applying this provision
in an audit: An auditor selects a sample of 50 accounts receivable
invoices for confirmation and receives confirmation responses for 45
invoices that do not indicate a need for the auditor to perform
alternative procedures. For two nonresponses, the auditor performs
alternative procedures and obtains relevant and reliable audit evidence
identifying no misstatements. For the three remaining nonresponses, the
auditor does not perform alternative procedures because the auditor
appropriately determines that, even if the amounts associated with the
invoices were projected as 100 percent misstatements to the population
from which the sample was selected and added to any other accounts
receivable misstatements (i.e., accounts receivable misstatements
identified through audit procedures other than confirmation), the
outcome of the auditor's evaluation performed in accordance with AS
2810.17 would not change.
Another commenter recommended that, for nonresponses, the Board
require that the auditor ``must'' perform alternative procedures that
include examining third-party evidence. This commenter also suggested
that the Board revise the example of alternative procedures for
accounts receivable by removing the phrase ``one or more,'' such that
the auditor would perform all of the procedures identified in the
example (i.e., examining subsequent cash receipts, shipping documents,
and other supporting documentation).
Having considered these comments, the Board believes that, with the
modifications discussed above, the requirements in paragraph .C1 of the
new standard provide appropriate direction regarding when alternative
procedures are required. Additionally, the Board believes that
including examples in paragraph .C2 of alternative procedures that may
provide relevant and reliable audit evidence about selected items,
without mandating specific procedures, is appropriate, as it is
impracticable to describe specific procedures for all scenarios that
could occur in an audit.
Additionally, as discussed above, the Board has modified paragraph
.B2 of the new standard to provide that in circumstances where the
auditor should not use an intermediary to send confirmation requests or
receive confirmation responses, the auditor should send confirmation
requests without the use of an intermediary or, if unable to do so,
perform alternative procedures in accordance with Appendix C of the new
standard. In light of this modification, the Board has added a
reference to paragraph .B2 to Appendix C of the new standard.
Evaluating Results
(See paragraph .31 of the new standard).
The 2022 Proposal did not carry forward a requirement, included in
existing AS 2310, for the auditor to evaluate in the aggregate audit
evidence obtained from performing confirmation procedures and any
alternative procedures. Excluding this requirement from the 2022
Proposal was intended to avoid the duplication of certain requirements
of AS 2810 that discuss the auditor's responsibilities for evaluating
audit results and determining whether the auditor has obtained
sufficient appropriate audit evidence.
As discussed above, however, paragraph .24 of the new standard
allows the auditor to perform audit procedures other than confirmation
for cash and accounts receivable to obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source. The Board therefore decided to remind
the auditor in paragraph .31 of the new standard that the auditor
should evaluate the combined audit evidence provided by confirmation
procedures, alternative procedures, and other procedures to determine
whether sufficient appropriate audit evidence has been obtained in
accordance with AS 2810.
Other Matters
This section addresses certain additional matters that were also
discussed in the 2022 Proposal. In addition, this section discusses
definitions included in the new standard and related amendments to
PCAOB auditing standards.
Management Requests Not To Confirm
Consistent with existing AS 2310, the 2022 Proposal did not
address, nor does the new standard address, situations in which
management requests that the auditor not confirm one or more items.
Several commenters agreed with the approach in the 2022 Proposal
and indicated that auditor responsibilities in such situations are
already addressed by existing PCAOB standards. One commenter suggested
that the Board consider adding a requirement that, if management
requests an auditor not to confirm a certain item, the auditor should
both request management to indicate the reason for the request and, as
appropriate, consider whether the request is indicative of a risk of
material misstatement. Another commenter agreed that the potential
scope limitation or fraud risk from a management request not to confirm
is addressed in other PCAOB standards, but expressed the view that
including guidance in the new standard unique to confirmation would be
appropriate. A different commenter did not suggest changes to the
Board's approach, but observed that management requests not to confirm
are primarily relevant in the financial services industry and that it
had experienced infrequent management requests not to confirm in other
industries.
Having considered the comments received, the Board believes that
existing PCAOB standards appropriately address situations involving
management requests not to confirm. In particular, AS 1301 requires
that the auditor communicate to the audit committee disagreements with
management \73\ and difficulties encountered in performing the audit,
including unreasonable management restrictions encountered by the
auditor on the conduct of the audit (e.g., an unreasonable restriction
on confirming transactions or balances).\74\ AS 3105 also sets forth
requirements regarding limitations on the scope of an audit,\75\
including scope limitations relating to confirmation.\76\
---------------------------------------------------------------------------
\73\ See AS 1301.22.
\74\ See AS 1301.23.
\75\ See AS 3105.05-.17.
\76\ See AS 3105.07.
---------------------------------------------------------------------------
Further, AS 2110 and AS 2401 describe the auditor's
responsibilities regarding identifying, assessing, and responding to
fraud risks. For example, AS 2401.09 states that fraud may be concealed
by withholding evidence. A management request to limit audit
[[Page 71710]]
testing by not obtaining external audit evidence through confirmation
could be relevant to the auditor's consideration of fraud risk factors,
including the consideration of management incentives, opportunities,
and rationalization for perpetrating fraud. Considering the
applicability of existing provisions to situations involving management
requests not to confirm, as discussed above, the Board believes that
including analogous requirements in the new standard could lead to
unnecessary duplication of existing requirements and potential
confusion.
Restrictions and Disclaimers
The requirements in the proposed standard relating to the auditor's
evaluation of the reliability of confirmation responses included a
reminder, in the form of a footnote, of the auditor's responsibilities
under AS 1105 as they relate to restrictions and disclaimers. A similar
reminder does not exist in existing AS 2310.
The Board is including this reference to AS 1105.08 as proposed, in
a footnote to paragraph .18 of the new standard. No comments were
received on this aspect of the 2022 Proposal. In accordance with AS
1105.08, the auditor should evaluate the effect of restrictions,
limitations, or disclaimers in confirmation responses on the
reliability of audit evidence.\77\
---------------------------------------------------------------------------
\77\ See AS 1105.08.
---------------------------------------------------------------------------
Direct Access
The 2022 Proposal did not describe direct access as a confirmation
procedure. Existing AS 2310 currently does not address such a
procedure, but the 2010 Proposal had provided that direct access could
be considered a confirmation procedure in certain circumstances.
A few commenters on the 2022 Proposal either agreed with, or
indicated that they did not object to, the Board's stated position that
direct access does not constitute a confirmation procedure. However,
several firms and firm-related groups stated that, when properly
executed, audit evidence obtained by the auditor through direct access
can provide persuasive evidence about the existence of cash. One
commenter recommended that the PCAOB consider aligning with the AICPA's
position on this matter by acknowledging that the auditor's direct
access to information held by a confirming party may meet the
definition of a confirmation procedure when, for example, the
confirming party provides the auditor with the electronic access codes
or other information necessary to access a secure website where data
that addresses the subject matter of the confirmation is held.
Having considered these comments, the Board adopted the new
standard as proposed in relation to direct access.
While direct access does not constitute a confirmation procedure
under the new standard, the new standard provides that the auditor may
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source, as discussed
above.
Definitions
To operationalize the requirements included in the 2022 Proposal,
the proposal included definitions for ``confirmation exception,''
``confirmation process,'' ``confirmation request,'' ``confirmation
response,'' ``confirming party,'' ``negative confirmation request,''
``nonresponse,'' and ``positive confirmation request.''
The Board adopted the definitions as proposed,
[…truncated; see source link]