On December 20th, 2022, the PCAOB released a proposed auditing standard, "AS2310: The Auditor's Use of Confirmation." This new standard would replace "AS2310: The Confirmation Process", which was initially written over 30 years ago and has had minimal amendments since its adoption by the PCAOB in 2003.
According to the PCAOB, the standard modifications are being proposed to "further support the auditor's use of electronic forms of communication between the auditor and the confirming party… and allow for continued innovation by auditors in the ways they obtain audit evidence."
Given the significant changes in the auditing landscape since the standard was first adopted – such as electronic communications and third-party intermediaries routinely used as part of the confirmation process – updating AS2310 makes sense. Not only to keep the standard current with the technology and practices being used but to encourage innovative auditing methods and practices.
A quick overview of the PCAOB's proposed new AS2310 standard
Confirmation, as described by the PCAOB, is the process of obtaining and evaluating a direct communication from a third party in response to a request for information about a particular item affecting financial statement assertions. In short, confirmations are intended to ensure that the financial statements – and the information contained therein – are accurate.
This new standard – if adopted as currently written – will require auditors to change how they perform audit confirmations. While the proposed new standard makes many substantial changes to the original, this article discusses how the changes provide an opportunity for auditors to take up the PCAOB's challenge and innovate.
New requirement for confirmation of cash held by third parties
The new standard took notice of larger firms' best practice audit methodologies, who recommend or require confirming cash accounts despite not being required under the current AS2310 standard.
The new proposed standard would require that the auditor perform confirmation procedures for cash held by third parties. More specifically, the new proposed standard would emphasize that, in selecting the individual items of cash to confirm, the auditor should take into account the auditor's understanding of the company's cash management and treasury function and the substance of the company's arrangements and transactions with third parties.
For example, an auditor might select bank accounts with balances over a certain amount, accounts with a high volume of transactions, accounts opened or closed during the period under audit, or accounts the auditor identifies as particularly risk-prone. Alternatively, the auditor might determine it is appropriate to confirm all cash accounts.
The auditor would also follow the direction in PCAOB standards when determining whether performing procedures in addition to confirmation is necessary to address the assessed risk of material misstatement relating to cash.
Guidance on the use of 'negative confirmations'
Under the current standard, auditors may use 'negative confirmations,' whereby they request the confirming party to inform them only if they disagree with the expected balance. In the case of a negative confirmation, silence is confirmation that the information submitted is correct.
The difficulty with a negative confirmation in today's world is that the almost overwhelming amount of communication – physical and electronic – that it could easily be lost. Given the ease with which these confirmations can be overlooked, it's enough to understand why the PCAOB is moving to require additional, substantive procedures to be considered sufficient.
Distinctly different from a negative confirmation is the 'positive confirmation,' when the bank or other queried party responds to the inquiry, confirming whether they do or disagree with the expected balance.
Under the new proposed standard, the use of negative confirmation requests may provide sufficient and appropriate audit evidence only when combined with other substantive audit procedures.
Regardless of the PCAOB's reasoning, this change in how negative confirmations must be handled means a couple of things for auditors. Those who wish to continue to use negative confirmations in their audits must increase their substantive testing to provide the required evidence, increasing the complexity and range of the audit.
For those auditors who, based on the requirements in the new AS2310 standard, switch from negative to positive confirmations, it means additional work, additional scrutiny, and additional resources committed to a basic step in the auditing process.
What these changes mean for the auditor – and innovation in auditing
The additional requirements imposed by this new standard can greatly impact an audit's timeline, depending on how the auditor – and the firm – handles confirmations.
Whether it's adding a requirement for auditors to confirm cash and cash equivalent accounts or changing guidance on the suitability of negative confirmations, the result is additional work for the auditor and expense for the client. However, the proposed standard AS2310 is not without its silver lining.
The proposed standard now addresses third-party intermediaries during the confirmation process – something that, while commonplace in auditing, has previously existed in a grey area when it comes to confirmations.
Specifically, concerning third-party intermediaries, the proposed standard:
- Requires the auditor to evaluate the implications of the involvement of an intermediary, including addressing certain aspects of the intermediary's controls over interception and alteration of communications with the auditor.
- Applies the principles-based requirements to all methods of confirmation, whether longstanding (think paper-based confirmations), methods developed since the original AS2310 was developed (electronic verification and the use of intermediaries), and methods yet to come.
It's commonplace for auditors to use an intermediary to facilitate confirmation requests. Certain financial institutions and other companies have adopted the policy of responding to electronic confirmation requests from auditors only through another party.
Why do they do so? Because financial institutions know that the weak link in the confirmation process is the human factor, which can affect the reliability of the process in terms of trust and completeness.
Financial institutions would rather work with an intermediary that can expedite the process and add that additional level of automation necessary to reduce potential errors – and protect their client's personal and sensitive information.
With tools on the market today, auditors have the power to innovate by using third-party intermediaries who are leveraging the latest advances in technology.
Consider, for example, CCH AxcessTM Validate, a blockchain-based confirmation solution that securely routes requests and replies between the participating parties without storing client data. All the information exchanged as part of a confirmation process is stored in secure, immutable storage, with access to that data exclusively administered by the participating parties.
With a confirmation tool that's built on blockchain, auditors have a non-repudiable secure log of operations, and the participating parties will be able to "prove" to clients, investors, and the authorities:
- When the requests were made and when replies were provided
- What was asked and what was returned
- Who approved access to the data
- That the data has not been tampered with
In short, CCH Axcess Validate is transforming the confirmation process, making it simpler, faster, and more reliable.
Conclusion
With the new proposed standard AS2310, auditors no longer have to rely on the tacit approval of the AICPA and PCAOB to use third-party intermediaries in the confirmation process. Indeed, with the specific inclusion of intermediaries in the standard itself, the PCAOB seems to be encouraging auditors to take advantage of tools like CCH Axcess Validate to reduce the manual workload of their auditors.
With an automated, streamlined, and secure confirmation process that takes less than five clicks – and as little as five minutes – auditors can focus on substantive testing and data-driven insights without worrying if their confirmations are accurate – or if a reply got stuck in someone's junk bin.