Case Study: Simply Soups Inc. Version 1.8

Transcription

1 Simply Soups Inc.: A Teaching Case Designed to Integrate the Electronic Confirmation Process into an Auditing Curriculum Instructional Guide for Students 1

2 Table of Contents Student Instructions Case Study Highlights Audit Procedure Checklist Trial Balance Cash Lead Sheet Bank Reconciliation Summary Bank Account Listing Confirmation Testing Workpaper edu.confirmation.com Shortcuts Glossary Terms Addendum: Technical Guide

3 Student Instructions Purpose The purpose of this case study is to allow you to gain experience with the audit of cash, in particular the confirmation of cash balances using electronic confirmations. This exercise will challenge you to think critically about the confirmation process, applicable auditing standards, and risk. As you go through the case you will become familiar with Confirmation.com and the electronic confirmation process. For the purpose of this case study you will be using edu.confirmation.com. The Importance of Confirming Cash The auditor obtains comfort over management s assertions of existence, completeness, and accuracy by confirming the reported balances directly with external parties (i.e., banks). Because management may have incentives to misstate the cash balance in order to achieve a stronger balance sheet, hide overstated revenues or increase financial ratios, confirming cash is an important audit step. In the past 10 years over 44 confirmation frauds have been perpetrated on public company audits worldwide. Recent Confirmation Frauds: PFG Best Longtop Parmalat Kmart Olympus Ahold Satyam Refco China Biotics HealthSouth Sino-Forest Safescript Boshiwa ZZZZ Best About edu.confirmation.com Confirmation.com, creator of the edu.confirmation.com application, is the world s leading provider of online audit confirmation services. Our multi-patented solution processes more than $1 trillion in confirmation information annually, helping reduce financial fraud and bringing efficiency to the 90-year-old paper based audit confirmation process. Confirmation.com is utilized by over 11,000 accounting firms in more than 100 countries to process cash, debt, AR and more than 40 other audit confirmation types. 3

4 Case Background Assume the following: 1. You are an Audit Staff with the CPA firm Putnam and Jacobs LLP (P&J) in January The firm has assigned you to the audit of Simply Soups Inc., an international manufacturer of soups, for the year ending on December 31, The Audit Manager on the engagement asks you to complete the audit step Confirm Cash Balances. 4. The primary contacts for this audit setup are: Lou Jennings and Chuck Rogers who are both managers in the treasury department. 5. Putnam & Jacobs, like many audit firms, relies on edu.confirmation.com to process confirmations. NOTE: You MUST start the confirmation process at least FOUR days prior to the due date, as you will need to send multiple confirmation requests to successfully complete the case and confirmation responses take hours to be returned. 4

5 Step 1: Sign Up at edu.confirmation.com (ALL STUDENTS): To get started, go to and click on the New User Registration: Sign up button. Ex. 1 User login / Sign up page 1. Enter your school address (e.g., yourname@university.edu), and click next. 2. Select the Student option from the Type of User page, click next. Ex. 2 User type selection page 3. Complete all of the required fields on the online form, including selecting your Instructors name from the Class Name dropdown. The designated Team Lead will need to choose Staff I from the Job Title dropdown. All other members of the workgroup need to select the Staff II Job Title. Click next to continue. 5

6 NOTE: Duties of Staff I & Staff II: The role of Staff I (Lead) will complete the data entry & process confirmations through edu.confirmation.com. The role of Staff II (Shared) will be to review confirmations for any discrepancies, errors, documentation & preparing the summary of results. Ex. 3 User registration page 4. Accept the User Agreement and select finish. 5. The edu.confirmation.com system will generate an automated from systems.administrator@confirmation.com to the address you supplied. This provides a link to activate your account and set up your password. Step 2: Watch Online Training Videos: Login to edu.confirmation.com using your new login credentials. 1. Watch the 2 minute welcome video to familiarize yourself with the application. 2. Click on the orange Help tab on the right portion of the screen. From the Guides, watch each of the 1-2 minute tutorial videos for creating Clients, Adding Accounts, Confirmations & Reconfirmations NOTE: Tutorials for the exercises can be found within the Guides section of the Help tab of edu.confirmation.com. 6

7 Ex. 4 Video tutorials from the Help tab Step 3: Creating the Client (Team Lead / 1 person): 1. Set up Simply Soups Inc. as a new client by selecting the Add New Client link located within the Quick Links area of the main Dashboard. 1 Ex. 5 Main Dashboard / Adding a New Client 1 Refer to Case Study Highlights on page 4 for all relevant information regarding Simply Soups Inc. 7

8 2. If working in workgroups, enter a unique Team Name in the Team Name field when setting up the new Client. 3. Give the members of your audit team access to the client by selecting the modify/share link located next to the Lead Auditor label within the Client Profile. 2 NOTE: The Client Sharing feature gives the audit team View Only access. If you need further help, please refer to the edu.confirmation.com shortcuts for directions on how to complete this task. Ex. 6 Client Sharing for workgroup members Step 4: Adding accounts (Team Lead / 1 person): 1. From within the Client Information Tab, you will now add the first four bank accounts for Simply Soups Inc Select the Add button from the Accounts area. 3. Select the Financial confirmation type. 2 For additional instructions on this, refer to Client Sharing on page 22 of this document. Staff II will need to follow the guide for Client Sharing (Staff II) on page Refer to Adding a New Bank Account on page 19. Video tutorials are also available within the Guides section of Help. 8

9 4. Search for and select the Financial Institution 5. Choose the appropriate confirmation form from the dropdown menu; the Asset form. Fill in the account information for each of the Simply Soups Inc s accounts. 6. Note that from the Review screen you have the option to Add More Accounts for Simply Soups. Ex. 7 Adding Bank Accounts for the Client ADVANCED: Also, set up the last two accounts; one of which is with an out-of-network bank. That means it has not been authenticated in the electronic confirmation service offered by edu.confirmation.com. For this bank, edu.confirmation.com mails a paper confirmation to the bank for you and the bank will mail the completed confirmation directly back to you. For help setting up an out-of-network bank refer to the edu.confirmation.com shortcuts. 9

10 Step 5: Requesting Confirmations (Team Lead / 1 person): 1. On the Client Information tab, click the Request button located within the Authorization Codes section. Ex. 8 Requesting Authorization for Confirmation 2. In the Authorization Code Request window, check the check box for the signer Lou Jennings then click the send button. Your request should move from Pending to Received within about 1 minute. 3. Once the Client Authorization has been received, initiate your first confirmations. 4 a. Use positive blank confirmations. 5 To reduce the risk that the confirming party fails to verify that the information contained within the confirmation is correct, your firm Putnam & Jacobs, uses blank confirmations. Specifically, when preparing the confirmations, include the account number but do not fill in the balance amount. Instead, you will rely on the confirming party to fill in that information. 4 Refer to Initiating a New Confirmation on page 23. Video tutorials are also available within the Guides section of the Help tab. 5 Defined by ISA 500 as a request that the confirming party respond directly to the auditor indicating whether the confirming party agrees or disagrees with the information in the request, or providing the requested information. 10

11 NOTE: To avoid issues with the client s Authorization Code, initiate all confirmations at the same time and confirm balances as of 12/31/2012. Authorization Codes are valid for 3 uses or 30 days, whichever comes first. 4. Once you and your team members assess the responses to the first confirmations from the Confirmation Log, initiate second confirmations if needed: a. What are Denied Confirmations? i. Information incorrectly entered - correct the information and then initiate a new confirmation. ii. Incorrect authorized signer - identify the correct authorized signer, add him/her to the system, then request a new Authorization Code and send a new confirmation with the proper signer. 6 b. What are Reconfirmations? i. For any confirmation response that does not agree to client work papers - send a reconfirmation to the bank asking them to verify their initial response Complete the Audit Procedure Checklist Submit all case study deliverables: a. Completed Confirmation Testing Workpaper 9 b. Confirmation Log 10 c. Received Confirmations 11 d. Completed Audit Procedure Checklist Audit Staff II Responsibilities (1-4 people): 1. Obtain an understanding of the controls. 12 NOTE: The most efficient way to get comfort over the controls used by the intermediary, (i.e., edu.confirmation.com) is to rely on a SOC report. 13 From the site determine the controls in place and what type of testing is performed. 6 Refer to Adding a New Authorized Signer on Page 21 and Initiating a New Confirmation on page Refer to Reconfirmation on page See the Audit Procedures Checklist on Page See the Confirmation Testing Workpaper on page Refer to Reviewing Confirmations on page Refer to Reviewing Confirmations on page Reference proposed PCAOB paragraphs 34 and 35 in the Addendum: Technical Guide or online. 13 SOC (Service Organization Controls) On a SOC engagement an independent CPA examines and reports on a service organization s controls to give the user comfort. 11

12 2. Login to edu.confirmation.com and select the view client list link within the Client List area. Select Simply Soups Inc. from the available list. 3. From the Client Information tab for Simply Soups Inc., select the view log button located within the Confirmation Statuses area. 4. Review initial confirmations received. NOTE: The system sends a nightly when confirmations are completed, but you can log in at any point to see if the bank has returned the confirmation requests. a. Reconcile the confirmed account details to the cash listing, and the confirmed balance to the reported bank balance on the bank reconciliation testing summary. 14 If differences exist, consider reconfirming the account or sending a second request Notify the Audit Staff I of any discrepancies or issues noted in the initial confirmation. 6. Review any additional confirmations received. 16 a. Secondary confirmations - evaluate the information and assess its appropriateness as persuasive audit evidence. b. Consider whether alternative audit procedures are necessary. Document this conclusion and your rationale in the Confirmation Testing Workpaper. ADVANCED: Perform alternative procedures for the Tenth National Bank account. Obtain additional information via the bank s website. Consider the appropriateness and persuasiveness of the evidence, refer to the Addendum: Technical Guide. 7. Document findings (including the understanding/comfort obtained over intermediary controls) on Confirmation Testing Workpaper. 17 This will help you summarize your findings for the Summary of Results. 8. Case Study Deliverables: Submit Audit Evidence to the Audit Staff I: a. Completed Confirmation Testing Workpaper b. Confirmation Log (Export from Confirmation Log) 18 c. Received confirmations (Download from Reports Tab) Even if the confirmed account details and book balance agree, is it persuasive audit evidence? Applicable considerations are specifically outlined in the Addendum: Technical Guide on page Refer to Reconfirmations on page Refer to Non Responses on page Documentation should meet the standards in the Technical Guide under Auditing Standard No Refer to Reviewing Confirmations on page Refer to Reviewing Confirmations on page

13 Audit Procedure Checklist Date Initial Audit Procedures Go to the educational platform created by Confirmation.com, and sign up as a new user. Watch the 2 minute narrated tutorial of the edu.confirmation.com service presented at log in and also under Help. Review the video tutorials from the Guides section under the Help tab. Obtain an understanding of the controls in place around the edu.confirmation.com service and assess the impact such controls on the audit evidence obtained. Add Simply Soups Inc. as a new client. Add a Team Name to represent your workgroup (if workgroups are used). From the Bank Account Listing, add the first four cash accounts you will be confirming for Simply Soups Inc. ADVANCED: Also add the last two cash accounts, one of which is Out-of-Network. Send the Client Authorization Code request to client contact. Initiate first confirmations. Evaluate the information received and assess its appropriateness as persuasive audit evidence. As necessary, prepare and send reconfirmations or second confirmation requests. For reconfirmations or second requests, evaluate the information received and assess its appropriateness as persuasive audit evidence. Document your work and prepare case study deliverables. (See page 11) It is important to note that confirmation responses will take from hours to be returned by the banks in this case study as in real practice. As such, you must begin the case at least four days before the due date in order to complete everything on time. 13

14 Trial Balance 14

15 Cash Lead Sheet 15

16 Bank Reconciliation Summary 16

17 Bank Account Listing 17

18 Confirmation Testing Workpaper NOTE: Your final tick mark legend can be added to this sheet using the editable file available through your professor or alternatively can be turned in on a separate document/sheet. 18

19 edu.confirmation.com Shortcuts Adding a New Bank Account Ex. 1 Client Information tab, adding a Bank Account 1. Adding Bank Accounts for the Client can be done from the Client Information Tab. Click on the add button from the Accounts Area. (Ex. 1) Ex. 2 electing the Financial Type of confirmation 2. The Choose Type screen will display options for what types of Confirmations will be initiated. Select the Financial type of confirmations for these exercises. (Ex. 2) Ex. 3 Searching & selecting the appropriate Bank 3. The Select Responder screen allows you to search for the desired Bank. Search, then select the appropriate Bank, then click next. (Ex. 3) 19

20 Ex. 4 Review the Bank information screen 4. The details area shows the Banks address information as well as the types of confirmations that they support. Click next at the Review screen. (Ex. 4) Ex. 5 Selecting the account type for confirmations 5. On the Add Account screen, select the appropriate Form type from the available dropdown. For this exercise we will be using the Asset form. (Ex. 5) Ex. 6 Entering account information for the selected type of account 6. Complete the required account information in the fields for the selected form. Click save to complete this process. (Ex. 6) 20

21 Adding a New Authorized Signer Ex. 7 Adding a new signer 1. An authorized signer can be added from within the Client Profile area for the selected client. Click the add signer button. Complete the required fields and select save. Ex. 8 Reassigning signer for an account 2. To reassign a bank account from one signer to a different signer, return to the Client Information tab for the selected client. Click the view all button located in the Accounts area. The list of available accounts will display. Check the box located next to the Account ID you wish to modify. Select the new signer from the dropdown, then click re-assign. 21

22 Client Sharing (Staff I) Ex. 9 Sharing Client for additional auditors Select the modify/share link located next to the Lead Auditor label within the Client Profile area. Use the add or remove buttons to select the appropriate auditors (Staff II) needing View Only access to this client. Client Sharing (Staff II) Ex. 10 Sharing Client for additional auditors Select the view client list link located within the Client List area of the Dashboard. On the Select a Client window, click Simply Soups Inc. to view the Client Information. 22

23 Editing Bank Account Information Your confirmation may be denied if you incorrectly entered the bank account number or bank information. Ex. 11 Editing Bank Account information To correct information entered in error, click the view all button located within the Accounts area. To edit an account click the Account ID for the desired account. If you are not editing the responder information, select next to continue. Modify any necessary account information and select Save. Initiating a New Confirmation If a new confirmation is warranted, add or modify the necessary bank account information before sending a confirmation request again. To send a confirmation request for one account only, click the Initiate Confirmations button located on the Client Information tab for the selected client. Ex. 12 Initiating a new confirmation Choose the appropriate client signer(s). All accounts for the selected signer(s) will be checked by default. Use the deselect all check box to uncheck all accounts, then place a check beside the account(s) you want to initiate. Enter the As of Date, and then click the Submit button. Review the billing information, then click Initiate. 23

24 Out-of-Network Banks Confirmations can be sent to any financial institution or company not already listed. To add an Out-of-Network responder, follow the steps of Adding an Account. Ex. 13 Adding an Out-of-Network Bank 1. If the search for the Responder Name does not appear in the window, select the option to Add New Responder. Ex.14 Completing the Add Out-of-Network Bank process 2. Enter the Responder Name, choose the desired delivery format (electronic and/or paper), and complete the required fields. Click save and this responder will now be available within the Responder list. 24

25 Address Lookup: One way to obtain evidence that the confirmation was sent to the proper source is to use the Address Lookup function when adding the Out-of-Network confirmation. Ex. 15 Using the Address Lookup function to verify the Address of a Bank 3. After entering the bank address, simply click the Address Lookup button to produce the report. Out-of-Network responders can also be added from the dashboard by selecting the Manage Out-of-Network Responders link located within the Quick Links area. In-Network electronic confirmations require no additional authentication and authorization procedures by the auditor. edu.confirmation.com maintains a contractual arrangement with the responding entity and performs these validations on behalf of the auditor. Reconfirmation Use reconfirmation if a confirmation is received back from the bank and you want to clarify the information obtained. A reconfirmation cannot be sent when a confirmation was denied; if a confirmation is denied then a new confirmation must be sent. 25

26 Ex. 16 Initiating a re-confirmation To send a reconfirmation, click the view log button located within the Confirmation Statuses area for the selected client. From within the log, click the [view] link next to the confirmation you would like to reconfirm. A reconfirm button will be located at the base of the form. Selecting this option allows you to enter a question for the bank, which may or may not be answered depending on the legal staff at the bank. If the question is not answered you should document your open concerns in your case study deliverables. Reviewing Confirmations The Confirmation Statuses section of the Client Information tab contains a list of: Pending, Completed, Need More Info, Denied and Future Dated confirmations. Ex. 17 Client Information tab- View Confirmation Log To review the status of any of your confirmations, click the view log button. 26

27 Ex. 18 Confirmation Log (list) To view any responder comments for the confirmations, click the [view] link on any of the confirmations. The Reports tab at the top of the dashboard also has reports that can be run to view statuses of confirmations. From the Select Report dropdown menu, select the appropriate report for your exercise. You can both view and export any or all of the completed transactions from this log window. NOTE: Video tutorials for all of these procedures can be found within the Guides section of the Help tab of edu.confirmation.com. 27

28 edu.confirmation.com Glossary Terms Acronyms AICPA American Institute of Certified Public Accountants ASB Auditing Standards Board IAASB International Auditing and Assurance Standards Board ISA International Standard on Auditing PCAOB Public Company Accounting Oversight Board SAS Statement on Auditing Standards SOC Service Organization Controls Book vs. Bank Balance If you review the confirmed account balances and conclude that none reconcile to the Simply Soups Inc. materials provided; it is likely that you are unclear about the difference between the book and the bank balance. Remember, the confirmed bank balance should agree to the bank balance reported in the Bank Reconciliation Summary. You should not be attempting to reconcile the confirmed account balance from the bank to the book balance reported by the client. Confirmation.com versus edu.confirmation.com Please be sure to register as a new user on Do not register as a new user on using these case materials. Confirmation Date For this case study, your confirmation will be denied if you incorrectly enter the wrong date for the balance request date, instead of the correct balance sheet date of 12/31/2012. Before it is denied, you can recall the confirmation from within the Confirmation Log and initiate a new one for the correct date. Liability Accounts The account information provided to you in this case study does not include information regarding any type of liability accounts. If you receive information about a liability account during your testing, you will not be able to confirm it during this case study. If you feel it warrants further consideration you should document such concerns in your case deliverables. Non Responses If you reconfirm an account balance or account information with a bank and you do not 28

29 hear back from the bank within the expected time frame, this may be considered a non response. A non response is when the confirming party does not answer your confirmation request. In such cases, auditors must first check to make sure the confirmation was correctly filled out and sent. Your next step should then be to make your Audit Manager aware of the issue. For the purposes of this case study you will alert your Audit Manager (Instructor) of the issue by documenting the open item and your concerns in the workpapers. Out of Network An out-of-network confirmation does not include authentication and authorization of the respondent. edu.confirmation.com has performed no procedures to validate either the entity or the individual responding to the confirmation. That responsibility falls to the auditor, who is required to determine that the confirmation was sent to the proper source and that the respondent was authorized to respond. Addendum: Technical Guide I. AICPA Service Organization Controls Select Information 20 SOC 1 Report (Type 1 or Type 2) SOC 2 Report (Type 1 or Type 2) Purpose Report on controls for Report on controls financial statement related to compliance audits and operations Kinds of controls Controls likely to be Controls over the addressed by the relevant to user entities security, availability and report financial statements processing integrity of a system and the confidentiality and privacy of information processed by the system Report Use Restricted Use Report Generally a Restricted Use Report Content of report Description of service Description of service organization s system organization s system CPA s opinion on fairness of presentation of the description, suitability of design and CPA s opinion on the fairness of presentation of the description, suitability of design and SOC 3 Report Report on controls related to compliance and operations Controls over the security, availability and processing integrity of a system, and the confidentiality and privacy of information processed by the system General Use Report An unaudited system description used to delineate the boundaries of the system CPA s opinion on 20 American Institute of Certified Public Accountants (AICPA) Service Organization Controls: Managing Risks by Obtaining a Service Auditor s Report. Available at: %20soc%20whitepaper.pdf 29

30 in a type 2 report, the operating effectiveness of controls. in a type 2 report, the operating effectiveness of controls. whether the entity maintained effective controls over its system Standards under which the SOC engagement is performed A type 2 report includes a description of the CPA s test of controls and results SSAE No. 16, Reporting on Controls at a Service Organization A type 2 report includes a description of the CPA s test of controls and results AT 101, Attestation Engagements AT 101, Attestation Engagements II. Auditing Standard No. 3 Select Paragraphs 21 Audit Documentation Requirements Paragraph 4 The auditor must prepare audit documentation in connection with each engagement conducted pursuant to the standards of the PCAOB. Audit documentation should be prepared in sufficient detail to provide a clear understanding of its purpose, source, and the conclusions reached. Also, the documentation should be appropriately organized to provide a clear link to the significant findings or issues. Examples of audit documentation include memoranda, confirmations, correspondence, schedules, audit programs, and letters of representation. Audit documentation may be in the form of paper, electronic files, or other media. Paragraph 5 Because audit documentation is the written record that provides the support for the representations in the auditor's report, it should: a. Demonstrate that the engagement complied with the standards of the PCAOB, b. Support the basis for the auditor's conclusions concerning every relevant financial statement assertion, and c. Demonstrate that the underlying accounting records agreed or reconciled with the financial statements. Paragraph 6 The auditor must document the procedures performed, evidence obtained, and conclusions reached with respect to relevant financial statement assertions. Audit documentation must clearly demonstrate that the work was in fact performed. This documentation requirement applies to the work of all those who participate in the engagement as well as to the work of specialists the auditor uses as evidential matter in evaluating relevant financial statement assertions. Audit documentation must contain sufficient information to enable an experienced auditor, having no previous connection with the engagement: a. To understand the nature, timing, extent, and results of the procedures performed, evidence obtained, and conclusions reached, and b. To determine who performed the work and the date such work was completed as well as the person who reviewed the work and the date of such review. NOTE: An experienced auditor has a reasonable understanding of audit activities and has studied the company's industry as well as the accounting and auditing issues relevant to the industry. 21 Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 3, Audit Documentation. Washington, DC. 30

31 Paragraph 7 In determining the nature and extent of the documentation for a financial statement assertion, the auditor should consider the following factors: Nature of the auditing procedure; Risk of material misstatement associated with the assertion; Extent of judgment required in performing the work and evaluating the results, for example, accounting estimates require greater judgment and commensurately more extensive documentation; Significance of the evidence obtained to the assertion being tested; and Responsibility to document a conclusion not readily determinable from the documentation of the procedures performed or evidence obtained. Application of these factors determines whether the nature and extent of audit documentation is adequate. Paragraph 8 In addition to the documentation necessary to support the auditor's final conclusions, audit documentation must include information the auditor has identified relating to significant findings or issues that is inconsistent with or contradicts the auditor's final conclusions. The relevant records to be retained include, but are not limited to, procedures performed in response to the information, and records documenting consultations on, or resolutions of, differences in professional judgment among members of the engagement team or between the engagement team and others consulted. III. PCAOB Proposed Auditing Standards Related to Confirmations Select Paragraphs 22 Paragraph 18 The auditor should design confirmation requests to establish direct communication between the confirming party and the auditor to minimize the possibility that the audit evidence resulting from the confirmation procedures might not be reliable as a result of interception, alteration, or fraud. Determining that Confirmation Requests are Properly Addressed Paragraph 19 The auditor should perform procedures to determine the validity of the addresses on the confirmation requests, including substantive procedures or tests of controls. The nature and extent of the procedures depend on the associated risks and materiality of the items being confirmed. For example, the auditor should perform substantive procedures to determine the validity of addresses on the confirmation requests for transactions or accounts that involve significant risks or are material to the financial statements. Other factors to consider in determining the nature and extent of procedures to perform to validate addresses on confirmation request include the following: The company has a new customer base; An address is a post office box; or An address is not consistent with the confirming party s web site address (e.g., situations in which the address has a domain name that differs from the domain name of the Web site). Paragraph 20 If the auditor identifies an invalid address, the auditor should perform the following procedures: Investigate the reasons for the invalid address and attempt to obtain a valid address; Evaluate the implications of the invalid address on the auditor s planned confirmation procedures and the auditor s assessment of the relevant risk of material misstatement, including fraud risk, and on the nature, timing, and extent of other audit procedures; and 22 Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 3, Audit Documentation. Washington, DC. 31

32 Perform other audit procedures designed to obtain relevant and reliable audit evidence with respect to the account, balance, or other item if a valid address cannot be obtained for the confirmation request. Requesting Responses Directly from the Confirming Parties Paragraph 22 When performing confirmation procedures, the auditor should request that the confirming parties or intended intermediaries respond directly to the auditor and not to the company or any other party. If a confirming party sends a confirmation response to anyone other than the auditor, the auditor should contact the confirming party and request that the confirming party re-send the response directly to the auditor. Exceptions Paragraph 30 The auditor should investigate all exceptions in confirmation responses to determine why each exception occurred and whether any exceptions, individually or in the aggregate, are indicative of a misstatement or of a previously unidentified risk of material misstatement. NOTE: The item being confirmed, the account, the assertion in question, and the risk of material misstatement affect the nature of the procedures that the auditor should perform to investigate exceptions in confirmation responses. Reliability of Confirmation Responses Paragraph 31 The auditor should assess the reliability of confirmation responses. Any confirmation response carries some risk of interception, alteration, or fraud although such risks are mitigated by properly designing confirmation requests and properly performing confirmation procedures. Such risk exists regardless of whether a response is obtained in paper form or by electronic or other medium. Factors that the auditor should take into account in assessing the reliability of confirmation responses include, but are not limited to, whether confirmation responses: Are returned to the auditor indirectly because the confirming parties forwarded the confirmation responses to the company (paragraph 22). Appear not to have come from the originally intended confirming parties. Contradict other information obtained during the audit. Come from addresses other than the address to which the auditor sent the confirmation requests. Are not the original confirmation requests that were sent to the confirming parties. Do not include the signatures of or acknowledgements by the confirming parties. Reflect local customs that may affect the confirmation responses, such as customs that create an environment in which confirmation responses are inherently unreliable. Paragraph 32 When evaluating the reliability of the response received from a confirming party, the auditor should assess any indication that the confirming party: Is not competent, or knowledgeable. Has questionable motives. Is not objective or free from bias with respect to the company. NOTE: Circumstances might indicate the need for additional audit evidence to conclude whether the confirmation request is being sent to or received from a confirming party from who the auditor can expect the response to provide relevant and reliable audit evidence. Such circumstances could include significant, unusual period-end transactions that have a material effect on the financial statements; when management of the company has significant influence over the confirming party; when the confirming party has significant influence over management of the company; when the confirming party is the custodian and servicer of a material amount of the company s assets; or when a confirmation response is from an affiliated party. 32

33 Paragraph 33 If conditions indicate that a confirmation response might not be reliable, the auditor should obtain additional evidence. Additional Procedures for Electronic Confirmation Responses Paragraph 34 As indicated in paragraph 31, any confirmation response involves risks relating to the reliability because proof of origin might be difficult to establish and alterations can be difficult to detect. Confirmation responses received electronically (e.g., by facsimile, , through an intermediary, or direct access) might involve additional risks relating to reliability. The auditor should assess the reliability of the information obtained through the electronic confirmation response. In assessing the reliability of the confirmation response, the auditor should take into account risks that: The confirmation process might not be secure or might not be properly controlled; The information obtained might not be from a proper source; and The integrity of the transmission might have been compromised. Paragraph 35 The auditor should perform procedures to address the risks that electronic confirmation responses might not be reliable. Such procedures depend on the form of electronic communication and include the following: If information is provided via facsimile response, the auditor should verify the source and contents of the facsimile response by directly contacting the intended confirming party (e.g., by a telephone call to the intended confirming party). If information is provided via response, the auditor should verify the source and contents of the response, such as verifying the address of the intended confirming party or contacting the intended confirming party by telephone. If an intermediary is used to facilitate confirmation, the auditor should obtain an understanding of the controls over the procedures used by the intermediary to process the confirmation requests and responses. The auditor should perform procedures to determine whether the auditor can use the intermediary s process. Risk to consider in performing the procedures and making this determination include (1) the process might not be secure or might not be properly controlled, (2) the information obtained might not be from a proper source, and (3) the integrity of the transmission might have been compromised. In addition, the auditor should determine whether the intermediary is authorized to respond on behalf of the intended confirming party. If information is provided via direct access, the auditor should evaluate whether direct access is an appropriate means to confirm information about the particular item that is the subject of the confirming request. Direct access is not an appropriate confirming procedure in all cases. For example, when confirming revenue agreements, the auditor should evaluate whether the revenue agreements could include terms and oral modifications that would make direct access an inappropriate mechanism for confirmation. NOTE: Direct access to information held by a confirming party constitutes a confirmation response only if (1) the auditor s access is provided by the confirming party rather than the company, and (2) the confirming party represents to the auditor, in writing, that (a) it is aware of the auditor s request for and intended use of the information, and (b) the files to be accessed contain information responsive to the auditor s request. Disclaimers and Restrictive Language Paragraph 36 A response to a confirmation request might contain disclaimers or restrictive language. For example, a response might include a disclaimer as to its accuracy and appropriateness for use in the preparation of financial statements, which has a negative effect on the reliability of the response as audit evidence. Paragraph 37 The auditor should evaluate the effect of a disclaimer or restrictive language on the reliability of a confirmation response. If a disclaimer or restrictive language causes doubts about the reliability of a confirmation response the auditor should obtain additional appropriate audit evidence. 33

34 Paragraph 38 If disclaimers or restrictive language preclude the auditor from treating the response as a confirmation response, the auditor should treat such a response as a non-response and perform appropriate alternative procedures to obtain relevant and reliable audit evidence. 34