Compiled Auditing Standard ASA 505 (December 2021)
Auditing Standard ASA 505
External Confirmations
This compilation was prepared on 10 November 2021 taking into account amendments made by ASA 2018‑1 and ASA 2020-1.
Compilation Number: 2
Compilation Date: 14 December 2021
Prepared by the Auditing and Assurance Standards Board
The most recently compiled versions of Auditing Standards, original Standards and amending Standards (see Compilation Details) are available on the AUASB website: www.auasb.gov.au
Auditing and Assurance Standards Board
Podium Level 14, 530 Collins Street, Melbourne Victoria 3000 AUSTRALIA
Phone: (03) 8080 7400
E-mail: enquiries@auasb.gov.au
Postal Address: PO Box 204, Collins Street West, Melbourne Victoria 8007 AUSTRALIA
© 2021 Commonwealth of Australia. The text, graphics and layout of this Auditing Standard are protected by Australian copyright law and the comparable law of other countries. Reproduction within Australia in unaltered form (retaining this notice) is permitted for personal and non‑commercial use subject to the inclusion of an acknowledgment of the source as being the Australian Auditing and Assurance Standards Board (AUASB).
Requests and enquiries concerning reproduction and rights for commercial purposes within Australia should be addressed to the Technical Director, Auditing and Assurance Standards Board, PO Box 204, Collins Street West, Melbourne, Victoria 8007 or sent to enquiries@auasb.gov.au. Otherwise, no part of this Auditing Standard may be reproduced, stored or transmitted in any form or by any means without the prior written permission of the AUASB except as permitted by law.
This Auditing Standard reproduces substantial parts of the corresponding International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC), in the manner described in the statement on Conformity with International Standards on Auditing. The AUASB acknowledges that IFAC is the owner of copyright in the International Standard on Auditing incorporated in this Auditing Standard throughout the world.
All existing rights in this material are reserved outside Australia. Reproduction outside Australia in unaltered form (retaining this notice) is permitted for personal and non-commercial use only.
Further information and requests for authorisation to reproduce this Auditing Standard for commercial purposes outside Australia should be addressed to the Technical Director, Auditing and Assurance Standards Board, PO Box 204, Collins Street West, Melbourne, Victoria 8007 or sent to enquiries@auasb.gov.au. Any decision to approve a request may also require the agreement of IFAC.
ISSN 1833-4393
COMPILATION DETAILS
AUTHORITY STATEMENT
CONFORMITY WITH INTERNATIONAL STANDARDS ON AUDITING
Section | Paragraphs |
Application | Aus 0.1-Aus 0.2 |
Operative Date | Aus 0.3 |
Introduction | |
Scope of this Auditing Standard | 1 |
External Confirmation Procedures to Obtain Audit Evidence | 2-3 |
Effective Date | 4 |
Objective | 5 |
Definitions | 6 |
Requirements | |
External Confirmation Procedures | 7 |
Management’s Refusal to Allow the Auditor to Send a Confirmation Request | 8-9 |
Results of the External Confirmation Procedures | 10-14 |
Negative Confirmations | 15 |
Evaluating the Evidence Obtained | 16 |
Application and Other Explanatory Material | |
External Confirmation Procedures | A1-A7 |
Management’s Refusal to Allow the Auditor to Send a Confirmation Request | A8-A10 |
Results of the External Confirmation Procedures | A11-A22 |
Negative Confirmations | A23 |
Evaluating the Evidence Obtained | A24-A25 |
This compilation takes into account amendments made up to and including 3 March 2020 and was prepared on 10 November 2021 by the Auditing and Assurance Standards Board (AUASB).
This compilation is not a separate Auditing Standard made by the AUASB. Instead, it is a representation of ASA 505 (October 2009) as amended by other Auditing Standards which are listed in the Table below.
Standard | Date made | Operative Date |
ASA 505 [A] | 27 October 2009 | Financial reporting periods commencing on or after 1 January 2010. |
ASA 2018-1 [B] | 5 December 2018 | Financial reporting periods commencing on or after 15 December 2019, with early adoption permitted[*]. |
ASA 2020-1 [C] | 3 March 2020 | Financial reporting periods commencing on or after 15 December 2021[#] |
[A] Federal Register of Legislation – registration number F2009L04088, 12 November 2009
[B] Federal Register of Legislation – registration number F2019L00016, 3 January 2019
[C] Federal Register of Legislation – registration number F2020L00252, 13 March 2020
Paragraph affected | How affected | By … [paragraph] |
2 | Amended | ASA 2018-1 [50] |
2 | Amended | ASA 2018-1 [51] |
3 | Amended | ASA 2018-1 [52] |
A9 | Amended | ASA 2020-1 [130] |
A17 | Amended | ASA 2020-1 [131] |
A19 | Amended | ASA 2020-1 [132] |
Auditing Standard ASA 505 External Confirmations (as amended to 3 March 2020) is set out in paragraphs Aus 0.1 to A25.
This Auditing Standard is to be read in conjunction with ASA 101 Preamble to AUASB Standards, which sets out how AUASB Standards are to be understood, interpreted and applied. This Auditing Standard is to be read also in conjunction with ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards.
This Auditing Standard conforms with International Standard on Auditing ISA 505 External Confirmations, issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard‑setting board of the International Federation of Accountants (IFAC).
Paragraphs that have been added to this Auditing Standard (and do not appear in the text of the equivalent ISA) are identified with the prefix “Aus”.
Compliance with this Auditing Standard enables compliance with ISA 505.
Auditing Standard ASA 505
The Auditing and Assurance Standards Board (AUASB) made Auditing Standard ASA 505 External Confirmations pursuant to section 227B of the Australian Securities and Investments Commission Act 2001 and section 336 of the Corporations Act 2001, on 27 October 2009.
This compiled version of ASA 505 incorporates subsequent amendments contained in other Auditing Standards made by the AUASB up to and including 3 March 2020 (see Compilation Details).
Aus 0.1 This Auditing Standard applies to:
(a) an audit of a financial report for a financial year, or an audit of a financial report for a half-year, in accordance with the Corporations Act 2001; and
(b) an audit of a financial report, or a complete set of financial statements, for any other purpose.
Aus 0.2 This Auditing Standard also applies, as appropriate, to an audit of other historical financial information.
Aus 0.3 This Auditing Standard is operative for financial reporting periods commencing on or after 1 January 2010. [Note: For operative dates of paragraphs changed or added by an Amending Standard, see Compilation Details.]
2. ASA 500 indicates that the reliability of audit evidence is influenced by its source and by its nature, and is dependent on the individual circumstances under which it is obtained.[4] That Auditing Standard also includes the following generalisations applicable to audit evidence:[5]
Accordingly, depending on the circumstances of the audit, audit evidence in the form of external confirmations received directly by the auditor from confirming parties may be more reliable than evidence generated internally by the entity. This Auditing Standard is intended to assist the auditor in designing and performing external confirmation procedures to obtain relevant and reliable audit evidence.
3. Other Auditing Standards recognise the importance of external confirmations as audit evidence, for example:
4. [Deleted by the AUASB. Refer Aus 0.3]
5. The objective of the auditor, when using external confirmation procedures, is to design and perform such procedures to obtain relevant and reliable audit evidence.
6. For purposes of the Australian Auditing Standards, the following terms have the meanings attributed below:
(a) External confirmation means audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper form, or by electronic or other medium.
(b) Positive confirmation request means a request that the confirming party respond directly to the auditor indicating whether the confirming party agrees or disagrees with the information in the request, or providing the requested information.
(c) Negative confirmation request means a request that the confirming party respond directly to the auditor only if the confirming party disagrees with the information provided in the request.
(d) Non-response means a failure of the confirming party to respond, or fully respond, to a positive confirmation request, or a confirmation request returned undelivered.
(e) Exception means a response that indicates a difference between information requested to be confirmed, or contained in the entity’s records, and information provided by the confirming party.
7. When using external confirmation procedures, the auditor shall maintain control over external confirmation requests, including:
(a) Determining the information to be confirmed or requested; (Ref: Para. A1)
(b) Selecting the appropriate confirming party; (Ref: Para. A2)
(c) Designing the confirmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor; and (Ref: Para. A3-A6)
(d) Sending the requests, including follow-up requests when applicable, to the confirming party. (Ref: Para. A7)
8. If management refuses to allow the auditor to send a confirmation request, the auditor shall:
(a) Enquire as to management’s reasons for the refusal, and seek audit evidence as to their validity and reasonableness; (Ref: Para. A8)
(b) Evaluate the implications of management’s refusal on the auditor’s assessment of the relevant risks of material misstatement, including the risk of fraud, and on the nature, timing and extent of other audit procedures; and (Ref: Para. A9)
(c) Perform alternative audit procedures designed to obtain relevant and reliable audit evidence. (Ref: Para. A10)
9. If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit procedures, the auditor shall communicate with those charged with governance in accordance with ASA 260.[12] The auditor also shall determine the implications for the audit and the auditor’s opinion in accordance with ASA 705.[13]
10. If the auditor identifies factors that give rise to doubts about the reliability of the response to a confirmation request, the auditor shall obtain further audit evidence to resolve those doubts. (Ref: Para. A11-A16)
11. If the auditor determines that a response to a confirmation request is not reliable, the auditor shall evaluate the implications on the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing and extent of other audit procedures. (Ref: Para. A17)
12. In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit evidence. (Ref: Para. A18-A19)
13. If the auditor has determined that a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence, alternative audit procedures will not provide the audit evidence the auditor requires. If the auditor does not obtain such confirmation, the auditor shall determine the implications for the audit and the auditor’s opinion in accordance with ASA 705. (Ref: Para. A20)
14. The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements. (Ref: Para. A21-A22)
15. Negative confirmations provide less persuasive audit evidence than positive confirmations. Accordingly, the auditor shall not use negative confirmation requests as the sole substantive audit procedure to address an assessed risk of material misstatement at the assertion level unless all of the following are present: (Ref: Para. A23)
(a) The auditor has assessed the risk of material misstatement as low and has obtained sufficient appropriate audit evidence regarding the operating effectiveness of controls relevant to the assertion;
(b) The population of items subject to negative confirmation procedures comprises a large number of small, homogeneous, account balances, transactions or conditions;
(c) A very low exception rate is expected; and
(d) The auditor is not aware of circumstances or conditions that would cause recipients of negative confirmation requests to disregard such requests.
16. The auditor shall evaluate whether the results of the external confirmation procedures provide relevant and reliable audit evidence, or whether further audit evidence is necessary. (Ref: Para. A24-A25)
* * *
A1. External confirmation procedures frequently are performed to confirm or request information regarding account balances and their elements. They may also be used to confirm terms of agreements, contracts, or transactions between an entity and other parties, or to confirm the absence of certain conditions, such as a “side agreement.”
A2. Responses to confirmation requests provide more relevant and reliable audit evidence when confirmation requests are sent to a confirming party the auditor believes is knowledgeable about the information to be confirmed. For example, a financial institution official who is knowledgeable about the transactions or arrangements for which confirmation is requested may be the most appropriate person at the financial institution from whom to request confirmation.
A3. The design of a confirmation request may directly affect the confirmation response rate, and the reliability and the nature of the audit evidence obtained from responses.
A4. Factors to consider when designing confirmation requests include:
A5. A positive external confirmation request asks the confirming party to reply to the auditor in all cases, either by indicating the confirming party’s agreement with the given information, or by asking the confirming party to provide information. A response to a positive confirmation request ordinarily is expected to provide reliable audit evidence. There is a risk, however, that a confirming party may reply to the confirmation request without verifying that the information is correct. The auditor may reduce this risk by using positive confirmation requests that do not state the amount (or other information) on the confirmation request, and ask the confirming party to fill in the amount or furnish other information. On the other hand, use of this type of “blank” confirmation request may result in lower response rates because additional effort is required of the confirming parties.
A6. Determining that requests are properly addressed includes testing the validity of some or all of the addresses on confirmation requests before they are sent out.
A7. The auditor may send an additional confirmation request when a reply to a previous request has not been received within a reasonable time. For example, the auditor may, having re-verified the accuracy of the original address, send an additional or follow-up request.
A8. A refusal by management to allow the auditor to send a confirmation request is a limitation on the audit evidence the auditor may wish to obtain. The auditor is therefore required to enquire as to the reasons for the limitation. A common reason advanced is the existence of a legal dispute or ongoing negotiation with the intended confirming party, the resolution of which may be affected by an untimely confirmation request. The auditor is required to seek audit evidence as to the validity and reasonableness of the reasons because of the risk that management may be attempting to deny the auditor access to audit evidence that may reveal fraud or error.
A9. The auditor may conclude from the evaluation in paragraph 8(b) that it would be appropriate to revise the assessment of the risks of material misstatement at the assertion level and modify planned audit procedures in accordance with ASA 315.[14] For example, if management’s request to not confirm is unreasonable, this may indicate a fraud risk factor that requires evaluation in accordance with ASA 240.[15]
A10. The alternative audit procedures performed may be similar to those appropriate for a non-response as set out in paragraphs A18-A19 of this Auditing Standard. Such procedures also would take account of the results of the auditor’s evaluation in paragraph 8(b) of this Auditing Standard.
A11. ASA 500 indicates that even when audit evidence is obtained from sources external to the entity, circumstances may exist that affect its reliability.[16] All responses carry some risk of interception, alteration or fraud. Such risk exists regardless of whether a response is obtained in paper form, or by electronic or other medium. Factors that may indicate doubts about the reliability of a response include that it:
A12. Responses received electronically, for example by facsimile or electronic mail, involve risks as to reliability because proof of origin and authority of the respondent may be difficult to establish, and alterations may be difficult to detect. A process used by the auditor and the respondent that creates a secure environment for responses received electronically may mitigate these risks. If the auditor is satisfied that such a process is secure and properly controlled, the reliability of the related responses is enhanced. An electronic confirmation process might incorporate various techniques for validating the identity of a sender of information in electronic form, for example, through the use of encryption, electronic digital signatures, and procedures to verify web site authenticity.
A13. If a confirming party uses a third party to coordinate and provide responses to confirmation requests, the auditor may perform procedures to address the risks that:
(a) The response may not be from the proper source;
(b) A respondent may not be authorised to respond; and
(c) The integrity of the transmission may have been compromised.
A14. The auditor is required by ASA 500 to determine whether to modify or add procedures to resolve doubts over the reliability of information to be used as audit evidence.[17] The auditor may choose to verify the source and contents of a response to a confirmation request by contacting the confirming party. For example, when a confirming party responds by electronic mail, the auditor may telephone the confirming party to determine whether the confirming party did, in fact, send the response. When a response has been returned to the auditor indirectly (for example, because the confirming party incorrectly addressed it to the entity rather than to the auditor), the auditor may request the confirming party to respond in writing directly to the auditor.
A15. On its own, an oral response to a confirmation request does not meet the definition of an external confirmation because it is not a direct written response to the auditor. However, upon obtaining an oral response to a confirmation request, the auditor may, depending on the circumstances, request the confirming party to respond in writing directly to the auditor. If no such response is received, in accordance with paragraph 12, the auditor seeks other audit evidence to support the information in the oral response.
A16. A response to a confirmation request may contain restrictive language regarding its use. Such restrictions do not necessarily invalidate the reliability of the response as audit evidence.
A17. When the auditor concludes that a response is unreliable, the auditor may need to revise the assessment of the risks of material misstatement at the assertion level and modify planned audit procedures accordingly, in accordance with ASA 315.[18] For example, an unreliable response may indicate a fraud risk factor that requires evaluation in accordance with ASA 240.[19]
A18. Examples of alternative audit procedures the auditor may perform include:
A19. The nature and extent of alternative audit procedures are affected by the account and assertion in question. A non-response to a confirmation request may indicate a previously unidentified risk of material misstatement. In such situations, the auditor may need to revise the assessed risk of material misstatement at the assertion level, and modify planned audit procedures, in accordance with ASA 315.[20] For example, fewer responses to confirmation requests than anticipated, or a greater number of responses than anticipated, may indicate a previously unidentified fraud risk factor that requires evaluation in accordance with ASA 240.[21]
A20. In certain circumstances, the auditor may identify an assessed risk of material misstatement at the assertion level for which a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence. Such circumstances may include where:
A21. Exceptions noted in responses to confirmation requests may indicate misstatements or potential misstatements in the financial statements. When a misstatement is identified, the auditor is required by ASA 240 to evaluate whether such misstatement is indicative of fraud.[22] Exceptions may provide a guide to the quality of responses from similar confirming parties or for similar accounts. Exceptions also may indicate a deficiency, or deficiencies, in the entity’s internal control over financial reporting.
A22. Some exceptions do not represent misstatements. For example, the auditor may conclude that differences in responses to confirmation requests are due to timing, measurement, or clerical errors in the external confirmation procedures.
A23. The failure to receive a response to a negative confirmation request does not explicitly indicate receipt by the intended confirming party of the confirmation request or verification of the accuracy of the information contained in the request. Accordingly, a failure of a confirming party to respond to a negative confirmation request provides significantly less persuasive audit evidence than does a response to a positive confirmation request. Confirming parties also may be more likely to respond indicating their disagreement with a confirmation request when the information in the request is not in their favour, and less likely to respond otherwise. For example, holders of bank deposit accounts may be more likely to respond if they believe that the balance in their account is understated in the confirmation request, but may be less likely to respond when they believe the balance is overstated. Therefore, sending negative confirmation requests to holders of bank deposit accounts may be a useful procedure in considering whether such balances may be understated, but is unlikely to be effective if the auditor is seeking evidence regarding overstatement.
A24. When evaluating the results of individual external confirmation requests, the auditor may categorise such results as follows:
(a) A response by the appropriate confirming party indicating agreement with the information provided in the confirmation request, or providing requested information without exception;
(b) A response deemed unreliable;
(c) A non-response; or
(d) A response indicating an exception.
A25. The auditor’s evaluation, when taken into account with other audit procedures the auditor may have performed, may assist the auditor in concluding whether sufficient appropriate audit evidence has been obtained or whether further audit evidence is necessary, as required by ASA 330.[23]
[*] Early adoption, in conjunction with ASA 540 Auditing Accounting Estimates and Related Disclosures, permitted.
[#] Early adoption, in conjunction with ASA 315 Identifying and Assessing the Risks of Material Misstatement, permitted.
[1] See ASA 330 The Auditor’s Responses to Assessed Risks.
[2] See ASA 500 Audit Evidence.
[3] See ASA 502 Audit Evidence—Specific Considerations for Litigation and Claims.
[4] See ASA 500, paragraph A9.
[5] See ASA 500, paragraph A35.
[6] See ASA 330, paragraphs 5-6.
[7] See ASA 330, paragraphs 18-19.
[8] See ASA 330, paragraph 7(b).
[9] See ASA 330, paragraph A53.
[10] See ASA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report, paragraph A37.
[11] See ASA 500, paragraphs A12-A13.
[12] See ASA 260 Communication with Those Charged with Governance, paragraph 16.
[13] See ASA 705 Modifications to the Opinion in the Independent Auditor’s Report.
[14] See ASA 315 Identifying and Assessing the Risks of Material Misstatement, paragraph 37.
[15] See ASA 240, paragraph 24.
[16] See ASA 500, paragraph A31.
[17] See ASA 500, paragraph 11.
[18] See ASA 315, paragraph 37.
[19] See ASA 240, paragraph 24.
[20] See ASA 315, paragraph 37.
[21] See ASA 240, paragraph 24.
[22] See ASA 240, paragraph 35.
[23] See ASA 330, paragraphs 26-27.