Background
The audit guides have defined confirmation as obtaining a written communication from a person independent of the company examined and who is in a position to know the nature and conditions of the operation. The confirmation can be:
- Positive confirmation. Data is sent and asked to answer, whether they are satisfied or not. It is preferably used for the asset.
- Negative confirmation. Data is sent and requested only if they are dissatisfied. Generally used for the asset.
- Indirect, blind or blank confirmation. No data is sent and information on balances, movements or any other data necessary for the audit is requested. Generally used for liabilities.
Bulletin 3060 "Relevance and reliability of audit evidence" establishes:
• The reliability of audit evidence increases when it is obtained from recognized independent sources outside the entity.
• Audit evidence obtained directly by the auditor is more reliable than audit evidence obtained indirectly or by inference.
• Documentary audit evidence, whether on paper, electronic device, or other means, is more reliable than that obtained verbally.
What is new?
p7. When the auditor uses external confirmation procedures, he must maintain control over external confirmation requests, this means that the client of the auditor should not participate in the sending or receiving of confirmations.
1. Auditor provides format and samples for confirmation.
2. Audited company delivers confirmations on letterhead and with an authorized signature.
3. Auditor sends confirmations to clients and suppliers.
4. Selected customers and suppliers answer directly to the auditor.
A4. Factors to consider when designing confirmation requests:
• The assertions that are confirmed (Existence, Rights and obligations, integrity, valuation and accommodation).
• The method of communication (paper or electronic media *).
• The confirming party's ability to confirm (individual invoice amount vs. total balance).
* A12. Responses received electronically, for example by fax or email, involve reliability risks because proof of origin and authority of the respondent can be difficult to establish, and alterations can be difficult to detect. These risks can be mitigated with a process that is used by the auditor and the respondent to create a secure environment for electronically received responses… An electronic confirmation process could incorporate various techniques to validate the identity of an information sender electronically, for example, through the use of encryption, electronic digital signatures, and procedures to verify the authenticity of the website.
Positive confirmations
TO 5. A positive external confirmation request… There is a risk that a confirming party may respond to the confirmation request without verifying that the information is correct. The auditor can reduce this risk by using positive confirmation requests that do not include the amount (or other information) in the confirmation request, and requesting the confirming party to enter the amount or provide other information. Furthermore, the use of this type of “blank” confirmation request may result in lower response rates, since additional effort is required from the confirming parties.
Negative confirmations
Q15. Negative confirmations provide less persuasive audit evidence than positive confirmations.
Accordingly, the auditor should not use negative confirmation requests as the only substantive audit procedure to respond to a significant risk assessed at the assertion level, unless all of the following factors are present:
a) The auditor has evaluated the significant risk as low and has obtained sufficient adequate audit evidence regarding the operational effectiveness of the controls relevant to the assertion;
b) The universe of items subject to negative confirmation procedures, comprises a large number of account balances or small and homogeneous transactions;
c) A low exception rate is expected; and
d) The auditor is not aware of circumstances or conditions that cause recipients of negative confirmation requests to reject those requests.
A23. Failure to receive a response to a negative confirmation request does not explicitly indicate receipt by the alleged confirming party of the confirmation request or verification of the accuracy of the information contained in the request… It may also be more likely that confirming parties will respond indicating your disagreement with a confirmation request when the information in the request is not in your favor, and less likely to respond if it is otherwise.
Unanswered confirmations
p12. In the case of each unanswered confirmation, the auditor should perform supplemental audit procedures to obtain adequate and reliable audit evidence.
A18. Examples of supplemental audit procedures that the auditor may perform include:
• For accounts receivable balances- Examine subsequent cash inflows, shipping documentation, and sales near the end of the period.
• For accounts payable balances - Examine subsequent cash disbursements or third-party correspondence, and other records, such as merchandise receipt notes.
Exceptions in confirmations
p14. The auditor should investigate the exceptions to determine whether or not they are indicators of error.
A21. Exceptions noted in responses to confirmation requests may indicate significant errors, or potential errors, in the financial statements. When a misstatement is identified, Bulletin 3070 requires the auditor to assess whether such misstatement is indicative of fraud. Exceptions can provide guidance to the quality of responses from similar confirming parties or similar accounts. Exceptions may also indicate a deficiency, or deficiencies, in the entity's internal control over financial reporting.
A22. Some exceptions do not mean significant errors. For example, the auditor may conclude that differences in responses to confirmation requests are due to timeliness, measurement, or errors in external confirmation procedures.
conclusion
The new 3200 standard establishes guidelines not previously covered in our Mexican auditing standards, specifies the risks associated with confirmations, the adoption of the new standard is part of the process of convergence with international auditing standards, specifically with ISA 505 External confirmations.
