AS 2310: The Auditor’s Use of Confirmation
An overview of AS 2310, detailing the auditor's structured process for verifying financial information directly with external parties to ensure reliability.
An overview of AS 2310, detailing the auditor's structured process for verifying financial information directly with external parties to ensure reliability.
The confirmation process is a procedure in financial audits where auditors obtain external validation of information from a company’s records. For public companies in the United States, the Public Company Accounting Oversight Board (PCAOB) governs this process through standard AS 2310, The Auditor’s Use of Confirmation. Updated rules for this standard are effective for fiscal years ending on or after June 15, 2025, to address modern changes in technology and business.
The confirmation process involves an auditor obtaining and evaluating a direct communication from a third party about specific financial information. This procedure gathers evidence regarding financial statement assertions, which are management’s claims about the company’s financial performance and position. Confirmations are effective for verifying assertions like existence, that an asset or liability exists, and rights and obligations, that the company controls an asset or owes a liability.
Auditors use two forms of confirmation requests. A positive confirmation asks the third party to reply in all circumstances, either by verifying the information provided or by supplying it themselves. This request is used when the risk of misstatement is high or when strong evidence is needed, such as for large or unusual accounts receivable balances.
A negative confirmation requests a response only if the third party disagrees with the information provided. This method is less persuasive, as a non-response does not confirm accuracy. Under the updated AS 2310, negative confirmations alone are not sufficient to address significant risks and must be supplemented. They are reserved for situations with low risk, a large number of small balances, and when the recipient is expected to consider the request.
Auditors use confirmations to verify a wide array of financial information by seeking validation from knowledgeable external sources. Common applications include:
Executing confirmation procedures begins with designing the request. Auditors tailor each request to the specific assertion and information being tested. For example, a request to a bank about a loan will differ from one sent to a customer about a receivable.
Next, the auditor selects which items to confirm based on a risk assessment. This selection focuses on items with a higher risk of misstatement, such as large balances, overdue accounts, or related-party transactions. For populations of many smaller items, an auditor may use sampling to select a representative group.
The auditor must maintain control over the entire process, from preparation to receipt of the response. This involves sending requests directly to the third party to prevent management from altering them. While traditionally done by mail, the process now includes electronic communications and intermediaries, provided the auditor verifies the intermediary’s reliability.
The auditor tracks all responses. If a reply to a positive confirmation is not received, follow-up procedures are required, which involves sending a second or even a third request. The auditor’s direct receipt of the response is also controlled to ensure the integrity of the evidence.
The auditor evaluates all replies for reliability, looking for signs of interception or alteration. Unreliable responses are treated as non-responses. If a reliable response contains a discrepancy, known as an exception, the auditor investigates its cause, which could be a timing difference or an error.
A non-response to a positive confirmation request provides no audit evidence. Under AS 2310, a non-response includes a lack of reply, an undelivered request, or a third party’s refusal to respond. In these cases, the auditor must perform alternative procedures to obtain the necessary evidence.
Alternative procedures are different tests used to substantiate the information. For unconfirmed accounts receivable, this may involve examining subsequent cash receipts from the customer. The auditor can also vouch for the original transaction by reviewing supporting documents, such as purchase orders, shipping documents, and sales invoices.
Finally, the results of all confirmations and alternative procedures are evaluated together. The auditor considers the nature of any exceptions and the evidence from all tests. This evaluation determines if sufficient evidence has been obtained to support the financial statement assertions or if more work is needed.