AS 2310: The Auditor’s Use of Confirmation

The confirmation process is a procedure in financial audits where auditors obtain external validation of information from a company’s records. For public companies in the United States, the Public Company Accounting Oversight Board (PCAOB) governs this process through standard AS 2310, The Auditor’s Use of Confirmation. Updated rules for this standard are effective for fiscal years ending on or after June 15, 2025, to address modern changes in technology and business.

Understanding the Audit Confirmation Process

The confirmation process involves an auditor obtaining and evaluating a direct communication from a third party about specific financial information. This procedure gathers evidence regarding financial statement assertions, which are management’s claims about the company’s financial performance and position. Confirmations are effective for verifying assertions like existence, that an asset or liability exists, and rights and obligations, that the company controls an asset or owes a liability.

Auditors use two forms of confirmation requests. A positive confirmation asks the third party to reply in all circumstances, either by verifying the information provided or by supplying it themselves. This request is used when the risk of misstatement is high or when strong evidence is needed, such as for large or unusual accounts receivable balances.

A negative confirmation requests a response only if the third party disagrees with the information provided. This method is less persuasive, as a non-response does not confirm accuracy. Under the updated AS 2310, negative confirmations alone are not sufficient to address significant risks and must be supplemented. They are reserved for situations with low risk, a large number of small balances, and when the recipient is expected to consider the request.

Information Subject to Confirmation

Auditors use confirmations to verify a wide array of financial information by seeking validation from knowledgeable external sources. Common applications include:

• Accounts Receivable: Requests are sent to a company’s customers to confirm the amounts they owe as of a specific date. This procedure directly tests the existence of the receivables and helps uncover potential overstatements.
• Bank Balances and Loans: Financial institutions confirm a company’s cash balances, loan amounts, lines of credit, and assets pledged as collateral, providing evidence of liquidity and debt. The updated AS 2310 specifically requires confirming cash held by third parties.
• Accounts Payable and Inventory: Auditors may confirm balances owed to vendors to detect unrecorded liabilities. They also confirm inventory held by third parties, like in a public warehouse, to verify its existence and condition when it cannot be physically observed.
• Significant Agreements: The terms of unusual or complex transactions, such as sales contracts or legal settlements, are confirmed with the other parties involved. This helps the auditor understand the transaction’s substance and ensure it is accounted for correctly.

Executing the Confirmation Procedures

Executing confirmation procedures begins with designing the request. Auditors tailor each request to the specific assertion and information being tested. For example, a request to a bank about a loan will differ from one sent to a customer about a receivable.

Next, the auditor selects which items to confirm based on a risk assessment. This selection focuses on items with a higher risk of misstatement, such as large balances, overdue accounts, or related-party transactions. For populations of many smaller items, an auditor may use sampling to select a representative group.

The auditor must maintain control over the entire process, from preparation to receipt of the response. This involves sending requests directly to the third party to prevent management from altering them. While traditionally done by mail, the process now includes electronic communications and intermediaries, provided the auditor verifies the intermediary’s reliability.

The auditor tracks all responses. If a reply to a positive confirmation is not received, follow-up procedures are required, which involves sending a second or even a third request. The auditor’s direct receipt of the response is also controlled to ensure the integrity of the evidence.

Evaluating Responses and Performing Alternative Procedures

The auditor evaluates all replies for reliability, looking for signs of interception or alteration. Unreliable responses are treated as non-responses. If a reliable response contains a discrepancy, known as an exception, the auditor investigates its cause, which could be a timing difference or an error.

A non-response to a positive confirmation request provides no audit evidence. Under AS 2310, a non-response includes a lack of reply, an undelivered request, or a third party’s refusal to respond. In these cases, the auditor must perform alternative procedures to obtain the necessary evidence.

Alternative procedures are different tests used to substantiate the information. For unconfirmed accounts receivable, this may involve examining subsequent cash receipts from the customer. The auditor can also vouch for the original transaction by reviewing supporting documents, such as purchase orders, shipping documents, and sales invoices.

Finally, the results of all confirmations and alternative procedures are evaluated together. The auditor considers the nature of any exceptions and the evidence from all tests. This evaluation determines if sufficient evidence has been obtained to support the financial statement assertions or if more work is needed.