Attestation Update – A&A for CPAs

Technical stuff for CPAs providing attestation services

Auditors need to verify the addresses on confirmations. Oops.

with 2 comments

Clarified section 505, which you can find here, discusses external confirmations.  One thing I missed previously is a new requirement to verify the address used on confirmations. I looked in the pre-clarity standards and couldn’t find that requirement there.

Put simply, we as auditors need to make sure confirmations are using good addresses.

For cash, there is a commercial service,, that can be used to make sure your confirm gets to where you want it to go.

This issue also applies to:

  • Accounts receivable
  • Notes receivable
  • Investments
  • Accounts Payable
  • Notes Payable

If you use confirms in those areas, AU-C 505 calls on you make sure the request is getting where you intended.

Charles Hall discusses this issue in his post, Fake Bank Confirmation Responses.

The use of “should” in 505.07 makes that a presumptively mandatory requirement. It isn’t ‘if you feel like it’ or ‘just think about it.’

The oops in the title above is because I’ve, um, not quite, aah, been doing as well, um, as I ought. Documentation in my workpapers is, aah, not quite as good as it needs to be, shall we say.

That changes on Monday, when I start a new audit.

It’s just a wild guess, but I’m probably not the only auditor that didn’t notice that little requirement. Or maybe I am the only one.

Professional literature

Don’t take my word for it.  Here’s the text:

.07 When using external confirmation procedures, the auditor should maintain control over external confirmation requests, including

a. determining the information to be confirmed or requested; (Ref: par. .A2)

b. selecting the appropriate confirming party; (Ref: par. .A3)

c. designing the confirmation requests, including determining that requests are properly directed to the appropriate confirming party and provide for being responded to directly to the auditor; and (Ref: par. .A4–.A7)

d. sending the requests, including follow-up requests, when applicable, to the confirming party. (Ref: par. .A8)

Check out the reference to other explanatory material on point ‘c’. Here’s the detail comment:

.A7 Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by email, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management. The nature and extent of the necessary procedures is dependent on the risks associated with the particular type of confirmation or address. For example, a confirmation addressing a higher risk assertion or a confirmation address that appears to be potentially less reliable (for example, an electronic confirmation addressed in a manner that appears easier to falsify) may necessitate different or more extensive procedures to determine that the request is directed to the intended recipient. See further guidance in paragraphs .A14–.A15.

Verifying the addresses is now just as much a part of maintaining control over the confirmation as mailing the request yourself, using your envelopes, and providing your BREs for the reply. Oh, that envelope thingie we’ve done forever? It is also a presumptively mandatory requirement.

You will have to figure out what verifying addresses looks like in practice. There will need to be some documentation in your audit files that you validated or verified the addresses.

Monitoring of quality control

And yes, in case you were wondering, this issue will go into my monitoring notes as something I need to improve in my workpapers. Will also note that I realized it and corrected it on my own.

That, by the way, is the purpose of monitoring – figure out what you missed and correct it.

Next post – 3 examples of confirmation fraud.

Written by Jim Ulvog

August 2, 2013, 9:12 am at 9:12 am

2 Responses

Subscribe to comments with RSS.

  1. I did not see the “should” in my reading, but you are right. I was focusing on .A7 rather than .07.

    Charles B. Hall

    August 2, 2013, 12:59 pm at 12:59 pm

  2. […] Previously mentioned that AU-C 505.07 requires auditors to look at the address used on confirmations. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: