How To Respond to Audit Confirmation Requests
Audit confirmations are requests for information sent by auditors to third parties or business associates of auditees to confirm or corroborate information presented by the auditees.
The information received is evaluated by the auditors and, together with other factors, forms a basis for concluding on an account balance or audit area.
Audit confirmations are specifically required for accounts receivable balances (with certain exceptions) but are also typically used to confirm other accounts like bank balances.
How to respond to audit confirmations
- Verify the validity of the request
If you have not already been alerted by the entity under audit, do reach out to your contact to verify that the request is valid, i.e. that it is from their auditors in respect of an ongoing audit. Do this especially if the request appears to be system-generated.
There is always a chance that such a request could be a phishing attempt from individuals or organizations seeking to obtain and exploit vital information for their own purposes.
To limit the risk of your organization sharing information of your business associates with unauthorized parties, always confirm the validity and source of the request.
- Review the instructions
Audit confirmations can be either positive (confirming specified information in the request) or negative (responding only to register disagreement with the requested information). Review the request and be clear about what is being requested of you. (See the section below for details on positive versus negative confirmations.)
You should reach out to the contact provided in the request if you are unsure of exactly what is required of you. In reviewing the request, also be mindful of the dates or period and the specific transactions to be confirmed.
Please bear in mind that an inaccurate response from you may ultimately revert to you as the auditee may seek to reconcile the differences after the auditor evaluates the response. You can save yourself time and energy by aligning your response to the specific request.
- Prepare the response
To the extent possible, your response should be direct and should not divulge more information than necessary. Stick to the template, transactions, time period and other criteria stipulated in the request to limit follow-up questions or requests in an attempt to reconcile any differences.
However, when faced with a request for which a straightforward response is not possible or may be misleading, feel free to reach out to the requester for clarity or add an addendum, explanatory note or any other additional relevant information which will provide context to your response.
I was once listed as contact for audit confirmations and had to assist respondents if they had any questions about the process and what was required of them. The account balances being confirmed related to a federal government funded program which had a number of reconciling items at any given time. This was because the program allowed funds to be paid directly to the program beneficiaries or directly to the service provider on behalf of the program beneficiary or a split between both.
Therefore the respondents were not clear about which amounts to confirm i.e. the full account attributable to them or report only the amounts actually paid to them excluding the portions paid fully or partly to service providers on their behalf etc.
This confusion and the associated inertia had resulted in very low response rates in prior audits. I asked respondents who reached out to add explanatory notes to responses they felt may not be entirely accurate. This positively impacted the response rates and limited reconciling items. The auditors subsequently revised the confirmations for greater clarity.
- Endorse the responses
It is common for audit confirmation requests to include sections for individual respondents to fill out certain information about themselves. Information such as name and title is helpful in assessing the weight that can be placed on the response. This becomes particularly vital if there are differences between the information confirmed and the information carried in the books of the auditee.
Fill in the requested information, provide contact details if you would like to be reached via a channel different from the channel by which the request was received and properly sign the response.
- Send the response without auditee interference
The validity and level of assurance that can be placed on audit confirmations depend on whether or not the confirmations were handled or intercepted by the auditees.
Evidence sent directly to the independent auditor generally holds more validity because it is requested and received directly by the auditors. The auditees have no role in the preparation and transmission of the responses from the respondents to the auditors. However, before the confirmations are sent, auditees may provide the information which needs to be corroborated (e.g. bank balances on the books) and the auditors prepare and send the requests. Bank confirmations typically fall in this category.
Evidence received or handled by the auditee is considered less valid because of the risk of the auditees’ interference in the confirmation process.
Do well to send the response without the involvement of the auditee and send it by the due date. Be sure to notify your business associate to avoid the persistent follow-up emails/reminders sent to non-respondents if your response gets lost in transit. Also, remember to retain a copy of your response.
Types of audit confirmations
- Positive Audit Confirmations
This type of confirmation may either ask you as the respondent to indicate whether or not you agree with the information stated on the request or furnish the information (including amounts) you have regarding the particular audit area.
It is important to note that positive audit confirmations provide audit evidence only when responses are received from the recipients. Therefore if you do not respond, the auditor may decide to perform substantive tests to gain assurance on the account balance or audited area.
- Negative Audit Confirmations
Negative confirmations will ask you as the respondent to respond only if you disagree with the information stated on the request. This type of confirmation is favored when the audited area is considered to be an inherently low risk area and also when a large number of confirmations is involved.
Negative confirmations are usually supplemented by additional audit procedures because a lack of response does not provide concrete evidence that you received the confirmation request and verified that the information contained in it is correct.
Why you should respond to audit confirmation requests
When it comes to reliability of audit evidence, audit confirmations and externally generated information in general are only topped by evidence about which the auditor has direct personal knowledge e.g. through observation, recalculation, etc.
In general, the higher the level of assurance obtained by the auditors from confirmations, the lower the amount of substantive testing required for the specific account balance or audit area. This means the burden on your business associate to provide supporting information to substantiate the account balance or audited area will be reduced if there are no discrepancies between your information and theirs.
Because auditors prefer externally obtained evidence to internally generated information or oral evidence, your responses are invaluable and should be prioritized to the extent possible.