Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on the Auditor's Use of Confirmation, and Other Amendments to Related PCAOB Standards, 71684-71724 [2023-22491]
Federal Register / Vol. 88, No. 199 / Tuesday, October 17, 2023 / Notices
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–98689; File No. PCAOB–2023–02]
Public Company Accounting Oversight
Board; Notice of Filing of Proposed
Rules on the Auditor’s Use of
Confirmation, and Other Amendments
to Related PCAOB Standards
October 5, 2023.
Pursuant to Section 107(b) of the
Sarbanes-Oxley Act of 2002 (the ‘‘Act’’),
notice is hereby given that on October
4, 2023, the Public Company
Accounting Oversight Board (the
‘‘Board’’ or ‘‘PCAOB’’) filed with the
Securities and Exchange Commission
(the ‘‘Commission’’ or ‘‘SEC’’) the
proposed rules described in Items I and
II below, which items have been
prepared by the Board. The Commission
is publishing this notice to solicit
comments on the proposed rules from
interested persons.
I. Board’s Statement of the Terms of
Substance of the Proposed Rules
On September 28, 2023, the Board
adopted amendments to auditing
standards for the auditor’s use of
confirmation, and amendments to
related PCAOB standards (collectively,
the ‘‘proposed rules’’), including the
retitling and replacement of an existing
standard with a new standard. The text
of the proposed rules appears in Exhibit
A to the SEC Filing Form 19b–4 and is
available on the Board’s website at
https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-028-proposed-auditing-standard-related-to-confirmation and at the
Commission’s Public Reference Room.
II. Board’s Statement of the Purpose of,
and Statutory Basis for, the Proposed
Rules
In its filing with the Commission, the
Board included statements concerning
the purpose of, and basis for, the
proposed rules and discussed comments
it received on the proposed rules. The
text of these statements may be
examined at the places specified in Item
IV below. The Board has prepared
summaries, set forth in sections A, B,
and C below, of the most significant
aspects of such statements. In addition,
the Board is requesting that the
Commission approve the proposed
rules, pursuant to Section 103(a)(3)(C) of
the Act, for application to audits of
emerging growth companies (‘‘EGCs’’),
as that term is defined in Section
3(a)(80) of the Securities Exchange Act
of 1934 (‘‘Exchange Act’’). The Board’s
request is set forth in section D.
A. Board’s Statement of the Purpose of,
and Statutory Basis for, the Proposed
Rules
(a) Purpose
Summary
The Board is replacing AS 2310, The
Confirmation Process, in its entirety
with a new standard, AS 2310, The
Auditor’s Use of Confirmation (‘‘new
standard’’) to strengthen and modernize
the requirements for the confirmation
process. As described in the new
standard, the confirmation process
involves selecting one or more items to
be confirmed, sending a confirmation
request directly to a confirming party
(e.g., a financial institution), evaluating
the information received, and
addressing nonresponses and
incomplete responses to obtain audit
evidence about one or more financial
statement assertions. If properly
designed and executed by an auditor,
the confirmation process may provide
important evidence that the auditor
obtains as part of an audit of a
company’s financial statements.
Why the Board Is Adopting These
Changes Now
AS 2310 is an important standard for
audit quality and investor protection, as
the audit confirmation process touches
nearly every audit. The standard was
initially written over 30 years ago and
has had minimal amendments since its
adoption by the PCAOB in 2003.
The Board adopted the new standard
after substantial outreach, including
several rounds of public comment. The
PCAOB previously considered updating
AS 2310 by issuing a concept release in
2009 and a proposal in 2010 for a new
auditing standard that would supersede
AS 2310. While the PCAOB did not
amend or replace AS 2310 at that time,
subsequent developments—including
the increasing use of electronic
communications and third-party
intermediaries in the confirmation
process—led the Board to conclude that
enhancements to AS 2310 and
modifications to the approach proposed
in 2010 could improve the quality of
audit evidence obtained by auditors. In
addition, the Board has observed
continued inspection findings related to
auditors’ use of confirmation, as well as
enforcement actions involving failures
to adhere to requirements in the existing
auditing standard regarding
confirmation, such as the requirement
for the auditor to maintain control over
the confirmation process.
Accordingly, having considered these
developments and input from
commenters, the Board revisited the
previously proposed changes and issued
a new proposed standard to replace AS
2310, along with conforming
amendments to other PCAOB auditing
standards, in December 2022.
Commenters generally supported the
Board’s objective of improving the
confirmation process, and suggested
areas to further improve the new
standard, modify proposed
requirements that would not likely
improve audit quality, and clarify the
application of the new standard. In
adopting the new standard and related
amendments, the Board has taken into
account all of these comments, as well
as observations from PCAOB oversight
activities.
Key Provisions of the New Standard
The new standard and related
amendments are intended to enhance
the PCAOB’s requirements on the use of
confirmation by describing principles-based requirements that apply to all
methods of confirmation, including
paper-based and electronic means of
communications. In addition, the new
standard is more expressly integrated
with the PCAOB’s risk assessment
standards by incorporating certain risk-based considerations and emphasizing
the auditor’s responsibilities for
obtaining relevant and reliable audit
evidence through the confirmation
process. Among other things, the new
standard:
• Includes a new requirement
regarding confirming cash and cash
equivalents held by third parties
(‘‘cash’’), or otherwise obtaining
relevant and reliable audit evidence by
directly accessing information
maintained by a knowledgeable external
source;
• Carries forward the existing
requirement regarding confirming
accounts receivable, while addressing
situations where it would not be feasible
for the auditor to perform confirmation
procedures or obtain relevant and
reliable audit evidence for accounts
receivable by directly accessing
information maintained by a
knowledgeable external source;
• States that the use of negative
confirmation requests alone does not
provide sufficient appropriate audit
evidence (and includes examples of
situations where the auditor may use
negative confirmation requests to
supplement other substantive audit
procedures);
• Emphasizes the auditor’s
responsibility to maintain control over
the confirmation process and provides
that the auditor is responsible for
selecting the items to be confirmed,
sending confirmation requests, and
receiving confirmation responses; and
• Identifies situations in which
alternative procedures should be
performed by the auditor (and includes
examples of such alternative procedures
that may provide relevant and reliable
audit evidence for a selected item).
(b) Statutory Basis
The statutory basis for the proposed
rules is Title I of the Act.
B. Board’s Statement on Burden on
Competition
Not applicable. The Board’s
consideration of the economic impacts
of the proposed rules is discussed in
section D below.
C. Board’s Statement on Comments on
the Proposed Rules Received From
Members, Participants or Others
The Board released the proposed rules
for public comment in PCAOB Release
No. 2022–009 (Dec. 20, 2022) (‘‘2022
Proposal’’). The Board previously issued
a concept release for public comment in
PCAOB Release No. 2009–002 (Apr. 14,
2009) (‘‘2009 Concept Release’’) and a
proposed auditing standard related to
confirmation and related amendments
to PCAOB standards in PCAOB Release
No. 2010–003 (July 13, 2010) (‘‘2010
Proposal’’). The Board received 98
written comment letters relating to the
2022 Proposal, the 2009 Concept
Release, and the 2010 Proposal. The
Board has carefully considered all
comments received. The Board’s
response to the comments it received
and the changes made to the rules in
response to the comments received are
discussed below.
Background
Information obtained by the auditor
directly from knowledgeable external
sources, including through
confirmation, can be an important
source of evidence obtained as part of
an audit of a company’s financial
statements.1 Confirmation has long been
used by auditors. For example, one early
auditing treatise noted the importance
of confirmation for cash deposits,
accounts receivable, and demand
notes.2 In addition, confirmation of
accounts receivable has been a required
audit procedure in the United States
since 1939, when the American Institute
of Accountants 3 adopted Statement on
Auditing Procedure No. 1 (‘‘SAP No. 1’’)
as a direct response to the McKesson &
Robbins fraud case, which involved
fraudulently reported inventories and
accounts receivable that the
independent auditors failed to detect
after performing other procedures that
did not involve confirmation.4
1 See, e.g., paragraph 08 of AS 1105, Audit
Evidence (providing that, in general, ‘‘[e]vidence
obtained from a knowledgeable source that is
independent of the company is more reliable than
evidence obtained only from internal company
sources’’).
2 Robert H. Montgomery, Auditing Theory and
Practice 91 (confirmation of cash deposits), 263
(confirmation of accounts receivable), and 353
(confirmation of demand notes) (1912).
SAP No. 1 required confirmation of
accounts receivable by direct
communication with customers in all
independent audits of financial
statements, subject to the auditor’s
ability to overcome the presumption to
confirm accounts receivable for certain
reasons. Following the adoption of SAP
No. 1, the accounting profession also
adopted a requirement in 1942, which
remained in effect until the early 1970s,
that auditors should disclose in the
auditor’s report when confirmation of
accounts receivable was not performed.
The AICPA’s subsequent revisions to its
auditing standards included the
promulgation of AU sec. 330, The
Confirmation Process, which was
adopted in 1991 and took effect in 1992.
The PCAOB adopted AU sec. 330 (now
AS 2310) as an interim standard in
2003.5
The amendments to the standards for
the auditor’s use of confirmation are
intended to improve audit quality
through principles-based requirements
that apply to all methods of
confirmation and are more expressly
integrated with the Board’s risk
assessment standards. These
enhancements should also lead to
improvements in practice,
commensurate with the associated risk,
among audit firms of all sizes. The
expected increase in audit quality
should also enhance the credibility of
information provided in a company’s
financial statements.
Rulemaking History
The final amendments to the auditing
standards reflect public comments on a
concept release and two proposals. In
April 2009, the PCAOB issued a concept
release seeking public comment on the
potential direction of a standard-setting
project that could result in amendments
to the PCAOB’s existing standard on the
confirmation process or a new auditing
standard that would supersede the
existing standard.6 The 2009 Concept
Release discussed existing requirements
and posed questions about potential
amendments to those requirements.
3 The American Institute of Accountants was the
predecessor to the American Institute of CPAs
(‘‘AICPA’’).
4 See In the Matter of McKesson & Robbins, Inc.,
SEC Rel. No. 34–2707 (Dec. 5, 1940).
5 Shortly after the Board’s inception, the Board
adopted the existing standards of the AICPA, as in
existence on Apr. 16, 2003, as the Board’s interim
auditing standards. See Establishment of Interim
Professional Auditing Standards, PCAOB Rel. No.
2003–006 (Apr. 18, 2003). AU sec. 330 was one of
these auditing standards. As of Dec. 31, 2016, the
PCAOB reorganized its auditing standards using a
topical structure and a single, integrated number
system, at which time AU sec. 330 was designated
AS 2310. See Reorganization of PCAOB Auditing
Standards and Related Amendments to PCAOB
Standards and Rules, PCAOB Rel. No. 2015–002
(Mar. 31, 2015).
In July 2010, the PCAOB proposed an
auditing standard that, if adopted,
would have superseded the existing
confirmation standard.7 The 2010
Proposal was informed by comments on
the 2009 Concept Release and was
intended to strengthen the existing
standard by, among other things,
expanding certain requirements and
introducing new requirements. In
general, commenters on the 2010
Proposal supported updating the
existing standard to address relevant
developments in audit practice,
including greater use of emailed
confirmation requests and responses
and the involvement of third-party
intermediaries. At the same time, some
commenters asserted that the proposed
requirements in the 2010 Proposal were
unduly prescriptive (i.e., included too
many presumptively mandatory
requirements) and would result in a
significant increase in the volume of
confirmation requests without a
corresponding increase in the quality of
audit evidence obtained by the auditor.
The PCAOB did not adopt the 2010
Proposal.
In December 2022, the Board issued a
proposed auditing standard to improve
the quality of audits when confirmation
is used by the auditor and to reflect
changes in the means of communication
and in business practice since the
standard was originally issued.8 The
2022 Proposal was informed by
comments on the 2009 Concept Release
and 2010 Proposal and specified the
auditor’s responsibilities regarding the
confirmation process. The Board
received 46 comment letters on the 2022
Proposal from commenters across a
range of affiliations. Those comments
are discussed throughout this release.
Commenters on the 2022 Proposal
generally expressed support for the
project’s objective and suggested ways
to revise or clarify the proposed
standard. The Board considered the
comments on the 2022 Proposal, as well
as on the 2009 Concept Release and the
2010 Proposal, in developing the final
amendments.9 The Board also
considered observations from PCAOB
oversight activities.
6 Concept Release on Possible Revisions to the
PCAOB’s Standard on Audit Confirmations, PCAOB
Rel. No. 2009–002 (Apr. 14, 2009).
7 Proposed Auditing Standard Related to
Confirmation and Related Amendments to PCAOB
Standards, PCAOB Rel. No. 2010–003 (July 13,
2010).
8 Proposed Auditing Standard—The Auditor’s
Use of Confirmation, and Other Proposed
Amendments to PCAOB Standards, PCAOB Rel.
No. 2022–009 (Dec. 20, 2022). In this exhibit, the
term ‘‘proposed standard’’ refers to the proposed
auditing standard relating to the auditor’s use of
confirmation as described in the 2022 Proposal.
Existing Standard
This section discusses key provisions
of the existing PCAOB auditing standard
on the confirmation process.
In 2003, the PCAOB adopted the
standard now known as AS 2310 (at that
time, AU sec. 330), when it adopted the
AICPA’s standards then in existence.
Existing AS 2310 indicates that
confirmation is the process of obtaining
and evaluating a direct communication
from a third party in response to a
request for information about a
particular item affecting financial
statement assertions.10 For example, an
auditor might request a company’s
customers to confirm balances owed at
a certain date, or request confirmation of
a company’s accounts or loans payable
to a bank at a certain date.
Key provisions of existing AS 2310
include the following:
• A presumption that the auditor will
request confirmation of accounts
receivable. The standard states that
confirmation of accounts receivable is a
generally accepted auditing procedure
and provides the situations in which the
auditor may overcome the presumption.
• Procedures for designing the
confirmation request, including the
requirement that the auditor direct the
confirmation request to a third party
who the auditor believes is
knowledgeable about the information to
be confirmed.
• Procedures relating to the use of
both positive and negative confirmation
requests. A positive confirmation
request directs the recipient to send a
response back to the auditor stating the
recipient’s agreement or disagreement
with information stated in the request,
or furnishing requested information. A
negative confirmation request directs
the recipient to respond back to the
auditor only when the recipient
disagrees with information in the
auditor’s request. The standard states
that ‘‘[n]egative confirmation requests
may be used to reduce audit risk to an
acceptable level when (a) the combined
assessed level of inherent and control
risk is low, (b) a large number of small
balances is involved, and (c) the auditor
has no reason to believe that the
recipients of the requests are unlikely to
give them consideration.’’ 11 If negative
confirmation requests are used, the
auditor should consider performing
other substantive procedures to
supplement their use.12
9 The comment letters received on the 2009
Concept Release, 2010 Proposal, and 2022 Proposal
are available in the docket for this rulemaking on
the PCAOB’s website (https://pcaobus.org/Rulemaking/Pages/Docket028Comments.aspx).
10 Under PCAOB standards, financial statement
assertions can be classified into the following
categories: existence or occurrence, completeness,
valuation or allocation, rights and obligations, and
presentation and disclosure. See, e.g., AS 1105.11.
• A requirement for the auditor to
maintain control over confirmation
requests and responses by establishing
direct communication between the
intended recipient and the auditor.
• Procedures to consider when the
auditor does not receive a written
confirmation response via return mail,
including how the auditor should
evaluate the reliability of oral and
facsimile responses to written
confirmation requests. The standard
provides that, when confirmation
responses are in other than a written
format mailed to the auditor, additional
evidence may be necessary to establish
the validity of the respondent.
• A requirement that the auditor
should perform alternative procedures
when the auditor has not received a
response to a positive confirmation
request.
• Requirements for the auditor’s
evaluation of the results of confirmation
procedures and any alternative
procedures performed by the auditor.
These provisions include the
requirement that, if the combined
evidence provided by confirmation,
alternative procedures, and other
procedures is not sufficient, the auditor
should request additional confirmations
or extend other tests, such as tests of
details or analytical procedures.
Current Practice
This section discusses the Board’s
understanding of current practice based
on, among other things, observations
from oversight activities of the Board
and SEC enforcement actions.
Overview of Current Practice
The audit confirmation process
touches nearly every financial statement
audit conducted under PCAOB auditing
standards. This is due in part to the
presumption in existing AS 2310 that
the auditor will confirm accounts
receivable, which include claims against
customers that have arisen from the sale
of goods or services in the normal
course of business and a financial
institution’s loans, unless certain
exemptions apply. In addition, audit
methodologies of many larger audit
firms affiliated with global networks
recommend or require confirming cash
accounts. In the past, the use of
confirmation was a common practice for
auditing a financial institution’s
customer deposits. In recent years,
however, there has been an increased
wariness about phishing attempts by
unauthorized parties aimed at obtaining
sensitive personal or financial
information of customers. As a result,
some customers might not understand
or trust an unsolicited confirmation
request from an auditor and, indeed,
many financial institutions and other
companies now advise customers not to
reply to unsolicited correspondence
concerning their accounts or other
customer relationships.13
11 See AS 2310.20.
12 Id.
Existing AS 2310 was written at a
time when paper-based confirmation
requests and responses were the
prevailing means of communication.
Since then, emailed confirmation
requests and responses, and the use of
technology-enabled confirmation tools,
including the use of intermediaries to
facilitate the confirmation process, have
become commonplace. For example,
numerous financial institutions in the
United States, and an increasing number
of international banks, mandate the use
of an intermediary as part of the
confirmation process and will not
otherwise respond to an auditor’s
confirmation request.
As noted above, existing AS 2310
provides that the auditor should
maintain control over the confirmation
process. In practice, complying with
this requirement involves the auditor
directly sending the confirmation
request to the confirming party via mail
or email, without involving company
personnel. The auditor’s confirmation
request generally specifies that any
correspondence should be sent directly
to the auditor’s location (or email
address) to minimize the risk of
interference by company personnel.
When an intermediary facilitates direct
electronic communications between the
auditor and the confirming party, the
auditor is still required to maintain
control over the confirmation process.
Procedures performed by audit firms to
address this requirement vary
depending on facts and circumstances.
13 Situations that involve using audit procedures
other than confirmation and situations where
companies adopt the policy of responding to
electronic confirmation requests from auditors only
through an intermediary are discussed later in this
exhibit.
Some auditors have used a report on
controls at a service organization (‘‘SOC
report’’) to evaluate the design and
operating effectiveness of the
intermediary’s controls relevant to
sending and receiving confirmations.
Under the existing standard, auditors
can use positive confirmation requests
and, provided certain conditions are
met, negative confirmation requests. A
positive confirmation request either asks
the recipient to respond directly to the
auditor about whether the recipient
agrees with information that is stated in
the request or asks the recipient to
provide the requested information by
filling in a blank form. In comparison,
a negative confirmation request directs
the recipient to respond only when the
recipient disagrees with the information
included in the request. In practice,
negative confirmation requests have
typically been used to obtain audit
evidence related to the completeness of
deposit liabilities and other accounts of
a similar nature and, less frequently, to
obtain evidence related to the existence
of accounts receivable. In some cases,
auditors use a combination of positive
and negative confirmation requests.
Observations From Inspections and
Enforcement Actions
This section discusses observations
from PCAOB oversight activities and
SEC enforcement actions, including (1)
PCAOB inspections of registered public
accounting firms (‘‘firms’’) and (2)
enforcement actions relating to deficient
confirmation procedures performed by
the auditor. These observations have
informed the Board’s view that
providing greater clarity as the Board
strengthens the requirements could
result in improved compliance by
auditors.
Inspections. Over the past several
years, PCAOB inspections indicated that
some auditors did not fulfill their
responsibilities under the existing
standard when performing confirmation
procedures. The shortcomings have
been noted at large and small domestic
firms, and at large firms with domestic
and international practices. For
example, some auditors did not: (1)
consider performing procedures to
verify the source of confirmation
responses received electronically; (2)
perform sufficient alternative
procedures; (3) restrict the use of
negative confirmation requests to
situations where the risk of material
misstatement was assessed as low; or (4)
maintain appropriate control over the
confirmation process, including
instances where company personnel
were involved in either sending or
receiving confirmations.
The PCAOB has also continued to
monitor developments relating to the
use of confirmation through its other
oversight and research activities. For
example, in 2021, the PCAOB staff
issued a Spotlight discussing, among
other things, the use of technology in
the confirmation process.14 In addition,
in 2022, the PCAOB staff issued a
Spotlight that specifically discussed
observations and reminders on the use
of a service provider in the confirmation
process.15
Enforcement actions. Over the years,
there have been a number of
enforcement actions by the PCAOB and
the SEC alleging that auditors failed to
comply with PCAOB standards related
to the confirmation process.
Enforcement actions have been brought
against large and small firms, and
against U.S. and non-U.S. firms.
For example, PCAOB enforcement
cases have involved allegations that
auditors failed to: (1) perform
appropriate confirmation procedures to
address a fraud risk; 16 (2) adequately
respond to contradictory audit evidence
obtained from confirmation
procedures; 17 (3) perform appropriate
confirmation procedures and alternative
procedures for accounts receivable; 18 or
(4) maintain proper control over the
confirmation process.19
In several confirmation-related
enforcement cases, the SEC alleged that
the deficient confirmation procedures
by the auditors involved companies that
had engaged in widespread fraud, where
properly performed confirmation
procedures might have led to the
detection of the fraudulent activity.20
Further, in a number of proceedings, the
SEC alleged that confirmation
procedures were not properly
designed 21 or, more frequently, that the
auditors failed to adequately evaluate
responses to confirmation requests and
perform alternative or additional
procedures in light of exceptions,
nonresponses, or responses that should
have raised issues as to their reliability
or the existence of undisclosed related
parties.22 Several of these proceedings
were brought in recent years, suggesting
that problems persist in this area.
14 See Spotlight: Data and Technology Research
Project Update (May 2021), available at
https://pcaobus.org/resources/staff-publications.
15 See Spotlight: Observations and Reminders on
the Use of a Service Provider in the Confirmation
Process (Mar. 2022), available at
https://pcaobus.org/resources/staff-publications.
16 See, e.g., In the Matter of Marcum LLP, PCAOB
Rel. No. 105–2020–012 (Sept. 24, 2020); In the
Matter of Whitley Penn LLP, PCAOB Rel. No. 105–
2020–002 (Mar. 24, 2020); In the Matter of PMB
Helin Donovan, LLP, PCAOB Rel. No. 105–2019–
031 (Dec. 17, 2019); In the Matter of Ronald R.
Chadwick, P.C., PCAOB Rel. No. 105–2015–009
(Apr. 28, 2015).
17 See, e.g., In the Matter of Marcum LLP, PCAOB
Rel. No. 105–2020–012 (Sept. 24, 2020); In the
Matter of Ronald R. Chadwick, P.C., PCAOB Rel.
No. 105–2015–009 (Apr. 28, 2015); In the Matter of
Price Waterhouse, Bangalore, PCAOB Rel. No. 105–
2011–002 (Apr. 5, 2011).
18 See, e.g., In the Matter of Whitley Penn LLP,
PCAOB Rel. No. 105–2020–002 (Mar. 24, 2020); In
the Matter of PMB Helin Donovan, LLP, PCAOB Rel.
No. 105–2019–031 (Dec. 17, 2019); In the Matter of
Wander Rodrigues Teles, PCAOB Rel. No. 105–
2017–007 (Mar. 20, 2017); In the Matter of Ronald
R. Chadwick, P.C., PCAOB Rel. No. 105–2015–009
(Apr. 28, 2015); In the Matter of Price Waterhouse,
Bangalore, PCAOB Rel. No. 105–2011–002 (Apr. 5,
2011).
19 See, e.g., In the Matter of Marcum LLP, PCAOB
Rel. No. 105–2020–012 (Sept. 24, 2020); In the
Matter of Price Waterhouse, Bangalore, PCAOB Rel.
No. 105–2011–002 (Apr. 5, 2011).
Reasons To Improve Auditing Standards
The amendments to PCAOB standards
being adopted are intended to enhance
audit quality by clarifying and
strengthening the requirements for the
auditor’s use of confirmation. The final
amendments are also more expressly
integrated with the PCAOB’s risk
assessment standards by incorporating
certain risk-based considerations and
emphasizing the auditor’s
responsibilities for obtaining relevant
and reliable audit evidence through the
confirmation process. The Board
believes that these improvements will
enhance both audit quality and the
credibility of the information provided
in a company’s financial statements.
Areas of Improvement
The Board has identified two
important areas where improvements
are warranted to existing standards,
discussed below: (1) updating the
standards to reflect developments in
practice and (2) clarifying the auditor’s
responsibilities to evaluate the
reliability of evidence obtained through
confirmation responses.
20 See, e.g., In the Matter of CohnReznick LLP,
SEC Rel. No. 34–95066 (June 8, 2022); In the Matter
of Ravindranathan Raghunathan, CPA, SEC Rel.
No. 34–93133 (Sept. 27, 2021); In the Matter of
Mancera, S.C., SEC Rel. No. 34–90699 (Dec. 17,
2020); In the Matter of Schulman Lobel Zand
Katzen Williams & Blackman, LLP A/K/A Schulman
Lobel LLP, SEC Rel. No. 34–88653 (Apr. 15, 2020);
In the Matter of William Joseph Kouser Jr., CPA,
SEC Rel. No. 34–80370 (Apr. 4, 2017).
21 See, e.g., In the Matter of RSM US LLP, SEC Rel.
No. 34–95948 (Sept. 30, 2022); In the Matter of
Ravindranathan Raghunathan, CPA, SEC Rel. No.
34–93133 (Sept. 27, 2021); In the Matter of Winter,
Kloman, Moter & Repp, S.C., SEC Rel. No. 34–83168
(May 4, 2018); In the Matter of Edward Richardson,
Jr., CPA, SEC Rel. No. 34–80918 (June 14, 2017).
22 See, e.g., In the Matter of Jason Jianxun Tang,
CPA, SEC Rel. No. 34–96347 (Nov. 17, 2022); In the
Matter of Steven Kirn, CPA, SEC Rel. No. 34–95949
(Sept. 30, 2022); In the Matter of Friedman LLP, SEC
Rel. No. 34–95887 (Sept. 23, 2022); In the Matter
of Mancera, S.C., SEC Rel. No. 34–90699 (Dec. 17,
2020); In the Matter of Schulman Lobel Zand
Katzen Williams & Blackman, LLP A/K/A Schulman
Lobel LLP, SEC Rel. No. 34–88653 (Apr. 15, 2020);
In the Matter of Anton & Chia, LLP, SEC Rel. No.
34–87033 (Sept. 20, 2019); In the Matter of Edward
Richardson, Jr., CPA, SEC Rel. No. 34–80918 (June
14, 2017); In the Matter of William Joseph Kouser
Jr., CPA, SEC Rel. No. 34–80370 (Apr. 4, 2017).
Updating the Standards To Reflect
Developments in Practice
The new standard supports the
auditor’s use of electronic forms of
communication between the auditor and
the confirming party. Since the AICPA
standard on the confirmation process
adopted by the PCAOB took effect in
1992, there has been a significant
change in the auditing environment and
the means by which an auditor
communicates with confirming parties.
Emails and other forms of electronic
communications between auditors and
confirming parties have become
ubiquitous, and third-party
intermediaries now often facilitate the
electronic transmission of confirmation
requests and responses between
auditors and confirming parties.
In addition, the Board believes its
auditing standards should allow for
continued innovation by auditors in the
ways they obtain audit evidence.
Traditionally, auditors have used
confirmation in circumstances where
reliable evidence about financial
statement assertions could be obtained
directly from a third party that transacts
with the company (e.g., to confirm the
existence of cash or accounts
receivable). Generally, audit evidence
obtained directly from knowledgeable
external sources, including through
confirmation, has been viewed as more
reliable than evidence obtained through
other audit procedures available to the
auditor,23 especially where the auditor
identified a risk of fraud, chose not to
test controls, or determined that
controls could not be relied on.24
The PCAOB staff’s research indicates
that some audit firms may have
developed or may yet develop audit
23 The confirmation process involves obtaining
audit evidence from a confirming party. Under
PCAOB standards, in general, evidence obtained
from a knowledgeable source that is independent
from the company is more reliable than evidence
obtained only from internal company sources. See,
e.g., AS 1105.08.
24 See, e.g., Staff Audit Practice Alert No. 8, Audit
Risks in Certain Emerging Markets (Oct. 3, 2011)
(‘‘SAPA No. 8’’) at 11 (stating that, when an auditor
has identified fraud risks relating to a company’s
bank accounts or amounts due from customers, ‘‘it
is important for the auditor to confirm amounts
included in the company’s financial statements
directly with a knowledgeable individual from the
bank or customer who is objective and free from
bias with respect to the audited entity rather than
rely solely on information provided by the
company’s management’’). The requirements of the
new standard are consistent with the guidance in
SAPA No. 8, which auditors should continue to
consider when using confirmations to address fraud
risks in emerging markets.
techniques that enable the auditor to
obtain relevant and reliable audit
evidence for the same assertions by
performing substantive audit procedures
that do not include confirmation, as
discussed in more detail below. To
reflect these developments, the new
standard allows the performance of
other procedures in lieu of confirmation
for cash and accounts receivable in
situations where the auditor can obtain
relevant and reliable audit evidence by
directly accessing information
maintained by knowledgeable external
sources. Further, the new standard
acknowledges that, in certain situations,
it may not be feasible for the auditor to
obtain audit evidence for accounts
receivable directly from a
knowledgeable external source and
provides that in those situations the
auditor should obtain external
information indirectly by performing
other substantive procedures, including
tests of details.
Clarifying the Auditor’s Responsibilities
To Evaluate the Reliability of
Confirmation Responses
While information obtained through
the confirmation process can be an
important source of audit evidence, the
confirmation process must be properly
executed for the evidence obtained to be
relevant and reliable. The enforcement
actions discussed above and other
recent high-profile financial reporting
frauds have also called attention to the
importance of well-executed
confirmation procedures, including the
confirmation of cash.25 In addition,
PCAOB oversight activities have
identified instances in which auditors
did not obtain sufficient appropriate
audit evidence when using
confirmation. Accordingly, the new
standard includes a new requirement to
confirm certain cash balances and
clarifies the auditor’s responsibilities to
evaluate the reliability of evidence
obtained through confirmation
responses (and, when necessary, to
obtain audit evidence through
alternative procedures).
25 See, e.g., In the Matter of Mancera, S.C., SEC
Rel. No. 34–90699 (Dec. 17, 2020) (failure by
auditors to properly evaluate confirmation
responses to requests for information on cash
balances of a Mexican homebuilder subsequently
found to have engaged in a ‘‘multi-billion dollar
financial fraud’’). See also Olaf Storbeck, Tabby
Kinder, and Stefania Palma, EY failed to check
Wirecard bank statements for 3 years, Financial
Times (June 26, 2020) (potential failure by auditors
to confirm cash balances purportedly held by
Wirecard AG, a German company whose securities
were not registered with the SEC, directly with a
Singapore-based bank).
Comments on the Reasons for Standard
Setting
Many commenters on the 2022
Proposal broadly expressed support for
revisions to the Board’s standard on the
auditor’s use of confirmation to reflect
developments in practice since the
AICPA standard on the confirmation
process adopted by the PCAOB took
effect in 1992. A number of commenters
also agreed that the standard on the
auditor’s use of confirmation should be
more closely aligned with the Board’s
risk assessment standards. In addition,
some commenters stated that updates to
the PCAOB’s standard on the auditor’s
use of confirmation would be generally
consistent with their prior
recommendations to the Board that the
Board modernize its interim auditing
standards. Other commenters suggested
that the Board should also engage in
additional outreach with investors or
that it consider other mechanisms to
engage with stakeholders prior to the
adoption of standards, such as
roundtables and pre-implementation
‘‘field testing’’ of proposed standards.
In addition, several commenters
expressed support for the proposition
that the PCAOB’s auditing standards
should allow for continued innovation
by auditors in the ways they obtain
audit evidence. These commenters
generally stated that standards should
be written to evolve with future
technologies, including new methods of
confirmation that may arise from
technological changes in auditing in the
future. A few commenters stated that
the 2022 Proposal provided flexibility to
respond to the current use of technology
in the audit process, or left enough room
for judgment-based application for
further advances in technology. In
comparison, some commenters stated
that the proposed standard was not
sufficiently forward-looking. Several
commenters cautioned against more
explicitly addressing the use of
technology (i.e., by adding prescriptive
requirements), noting that doing so
might not allow the standard to age
effectively with time and innovation.
Several commenters broadly
expressed support for the Board’s goal,
as described in the 2022 Proposal, of
improving the quality of audit evidence
obtained by auditors when using
confirmation. One of these commenters
stated that it was critical that
confirmation requests are properly
designed and that confirmation
responses are appropriately evaluated,
especially when there are confirmation
exceptions or concerns about their
reliability. In addition, other
commenters generally expressed
support for the proposed requirements
and stated they would lead to
improvements in audit quality. A
number of commenters, primarily firms
and firm-related groups, asserted that
certain requirements in the 2022
Proposal were unduly prescriptive and
that the final standard should be more
principles-based and risk-based to allow
for more auditor judgment. In
comparison, an investor-related group
suggested that the Board remind
auditors that, in exercising professional
judgment, their judgments must be
reasonable, careful, documented, and
otherwise in compliance with
applicable professional requirements.
In adopting the new standard, the
Board has considered these comments
on the 2022 Proposal, as well as the
comments received on the 2010
Proposal and the 2009 Concept Release.
Based on the information available to
the Board—including the current
regulatory baseline, observations from
our oversight activities, academic
literature, and comments—the Board
believes that investors will benefit from
strengthened and clarified auditing
standards in this area. To the extent that
commenters provided comments or
expressed concerns about specific
aspects of the proposed revisions to the
Board’s existing standard on the
auditor’s use of confirmation, the
Board’s consideration of these
comments is discussed further below
and elsewhere in this exhibit. While the
Board does not expect that the new
standard will eliminate inspection
deficiencies observed in practice, it is
intended to clarify the auditor’s
responsibilities and align the
requirements for the use of confirmation
more closely with the PCAOB’s risk
assessment standards.
The new standard also reflects several
changes that were made after the
Board’s consideration of comments
received about the potential impact of
the proposed new standard on auditors,
issuers, and intermediaries. In addition,
some commenters called for a broader
alignment of PCAOB standards with
standards issued by other standard
setters, namely the International
Auditing and Assurance Standards
Board (‘‘IAASB’’) and the AICPA’s
Auditing Standards Board (‘‘ASB’’). A
few commenters stated that PCAOB
standards should be harmonized with
IAASB standards, in the interest of
global comparability, and, in the view of
one commenter, with ASB standards. A
few commenters stated that the Board
should provide robust and detailed
explanations of differences between
PCAOB standards and the standards of
other standard setters. One commenter
indicated that the dual standard-setting
structure in the United States (i.e., the
existence of both PCAOB and ASB
standards) creates issues that could
erode audit quality.
The Board carefully considered the
approaches of other standard setters
when developing the 2022 Proposal,
and the new standard reflects the
approach that the Board believes best
protects investors and furthers the
public interest. As a result, certain
differences will continue to exist
between the Board’s new standard and
those of other standard setters,
including a number of provisions that
the Board believes are appropriate and
consistent with its statutory mandate to
protect the interests of investors and
further the public interest.
Discussion of Final Rules
Overview of New Standard
The new standard replaces existing
AS 2310 in its entirety. The provisions
of the new standard the Board has
adopted are intended to strengthen
existing requirements for the auditor’s
use of confirmation. Key aspects of the
new standard:
• Include principles-based
requirements that are designed to apply
to all methods of confirmation. The new
standard is designed to enhance
requirements that apply to longstanding
methods, such as the use of paper-based
confirmation requests and responses
sent via regular mail; methods that
involve electronic means of
communications, such as the use of
email or an intermediary to facilitate
direct electronic transmission of
confirmation requests and responses;
and methods that are yet to emerge, thus
encouraging audit innovation.
• Expressly integrate the
requirements for the auditor’s use of
confirmation with the requirements of
the Board’s risk assessment standards,
including AS 1105. The new standard
specifies certain risk-based
considerations and emphasizes the
auditor’s responsibilities for obtaining
relevant and reliable audit evidence
when performing confirmation
procedures.
• Emphasize the use of confirmation
procedures in certain situations. The
new standard adds a new requirement
that the auditor should perform
confirmation procedures for cash held
by third parties, carries forward an
existing requirement that the auditor
should perform confirmation
procedures for accounts receivable, and
adds a new provision that the auditor
may otherwise obtain audit evidence by
directly accessing information
maintained by a knowledgeable external
source for cash and accounts receivable.
In addition, the new standard carries
forward an existing requirement to
consider confirming the terms of certain
other transactions.
• Address situations in which it
would not be feasible for the auditor to
obtain information directly from a
knowledgeable external source. The
new standard provides that if it would
not be feasible for the auditor to obtain
audit evidence directly from a
knowledgeable external source for
accounts receivable, the auditor should
perform other substantive audit
procedures, including tests of details,
that involve obtaining audit evidence
from external sources indirectly.
• Communicate to the audit
committee certain audit responses to
significant risks. Under the new
standard, for significant risks associated
with cash or accounts receivable, the
auditor is required to communicate with
the audit committee when the auditor
did not perform confirmation
procedures or otherwise obtain audit
evidence by directly accessing
information maintained by a
knowledgeable external source.
• Reflect the relatively insignificant
amount of audit evidence obtained
when using negative confirmation
requests. Under the new standard, the
use of negative confirmation requests
may provide sufficient appropriate audit
evidence only when combined with
other substantive audit procedures. The
new standard includes examples of
situations in which the use of negative
confirmation requests in combination
with other substantive audit procedures
may provide sufficient appropriate audit
evidence.
• Emphasize the auditor’s
responsibility to maintain control over
the confirmation process. The new
standard states that the auditor should
select the items to be confirmed, send
confirmation requests, and receive
confirmation responses.
• Provide more specific direction for
circumstances where the auditor is
unable to obtain relevant and reliable
audit evidence through confirmation.
The new standard identifies situations
where other procedures should be
performed by the auditor as an
alternative to confirmation. The new
standard also includes examples of
alternative procedures that individually
or in combination may provide relevant
and reliable audit evidence.
Introduction and Objective
(See paragraphs .01 and .02 of the
new standard).
The 2022 Proposal included
requirements for the auditor’s use of
confirmation. As discussed in the
proposal, the confirmation process
involves selecting one or more items to
be confirmed, sending a confirmation
request directly to a confirming party,
evaluating the information received, and
addressing nonresponses and
incomplete responses to obtain audit
evidence about one or more financial
statement assertions. Confirmation is
one of the specific audit procedures
described in PCAOB standards that an
auditor could perform when addressing
a risk of material misstatement.26 As is
the case with other audit procedures,
information obtained through
confirmation may support and
corroborate management’s assertions or
it may contradict such assertions.27
Under the 2022 Proposal, the
auditor’s objective in designing and
executing the confirmation process was
to obtain relevant and reliable audit
evidence about one or more relevant
financial statement assertions of a
significant account or disclosure.28
Existing AS 2310 does not include an
objective.
As discussed below, the Board has
modified the introduction and objective
in the proposed standard in several
respects.
A number of commenters stated that
the objective of the proposed standard
was clear. One commenter stated that
the objective should be to provide
requirements and guidance in situations
where the auditor, as a result of its risk-assessment procedures, determines that
confirmation procedures provide an
appropriate response to one or more
assertions related to an identified risk of
material misstatement. Another
commenter asserted that the objective in
the proposed standard did not result in
greater clarity than the proposed
objective in the 2010 Proposal and
created a wider gap between the
PCAOB’s standards and the equivalent
standard of the IAASB.
Having considered these comments,
the Board has revised the introduction
to provide that the new standard
establishes requirements regarding
26 See, e.g., AS 1105.14 and .18.
27 See AS 1105.02.
28 An account or disclosure is a significant
account or disclosure if there is a reasonable
possibility that the account or disclosure could
contain a misstatement that, individually or when
aggregated with others, has a material effect on the
financial statements, considering the risks of both
overstatement and understatement. See footnote 33
of AS 2110, Identifying and Assessing Risks of
Material Misstatement; paragraph .A10 of AS 2201,
An Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of
Financial Statements.
obtaining audit evidence from a
knowledgeable external source through
the auditor’s use of confirmation. The
introduction further states that the new
standard includes additional
requirements regarding obtaining audit
evidence for cash, accounts receivable,
and terms of certain transactions. The
Board believes that this language more
clearly aligns with the approach to the
auditor’s use of confirmation in the new
standard and the inclusion of specific
requirements in the new standard with
respect to cash, accounts receivable, and
terms of certain transactions.
In addition, the Board has added the
phrase ‘‘from a knowledgeable external
source’’ to the objective, such that the
new standard provides that the objective
of the auditor in designing and
executing the confirmation process is to
obtain relevant and reliable audit
evidence from a knowledgeable external
source about one or more relevant
financial statement assertions of a
significant account or disclosure. This
language underscores that, when
properly designed and executed, the
confirmation process involves obtaining
audit evidence regarding specific items
from a knowledgeable external source.
A knowledgeable external source, as
referred to in the new standard,
generally is a third party who the
auditor believes has knowledge of the
information that may be used as audit
evidence. To the extent that this
objective differs from the objective in
standards adopted by other standard-setting bodies on the auditor’s use of
confirmation, the Board believes it
appropriately reflects the Board’s
approach in the new standard and is
consistent with its statutory mandate to
protect the interests of investors and
further the public interest. The next
section of this exhibit further discusses
the relationship of the confirmation
process to the auditor’s identification
and assessment of, and response to, the
risks of material misstatement.
Relationship of the Confirmation
Process to the Auditor’s Identification
and Assessment of and Response to the
Risks of Material Misstatement
(See paragraphs .03–.07 of the new
standard).
When an auditor uses confirmation,
the auditor should be mindful of, and
comply with, the existing obligation to
exercise due professional care in all
matters relating to the audit.29 Due
29 See AS 1015, Due Professional Care in the
Performance of Work. The Board currently has a
separate standard-setting project to reorganize and
consolidate a group of interim standards adopted by
the Board in Apr. 2003, including AS 1015. See
Proposed Auditing Standard—General
professional care requires the auditor to
exercise professional skepticism, which
is an attitude that includes a
questioning mind and a critical
assessment of audit evidence.
Professional skepticism should be
exercised throughout the audit
process,30 including when identifying
information to confirm, identifying
confirming parties, evaluating
confirmation responses, and addressing
nonresponses. The requirements related
to exercising professional skepticism, in
combination with requirements in other
PCAOB standards, are designed to
reduce the risk of confirmation bias, a
phenomenon wherein decision makers
have been shown to actively seek out
and assign more weight to evidence that
confirms their hypothesis, and ignore or
assign less weight to evidence that
could disconfirm their hypothesis.31
The 2022 Proposal described how the
proposed standard would work in
conjunction with the PCAOB standards
on risk assessment. AS 2110 establishes
requirements regarding the process of
identifying and addressing the risks of
material misstatement of the financial
statements, and AS 2301, The Auditor’s
Responses to the Risks of Material
Misstatement, establishes requirements
regarding designing and implementing
appropriate responses to the risks of
material misstatement. Fundamental to
the PCAOB’s risk assessment standards
is the concept that as risk increases, so
does the amount of evidence that the
auditor should obtain.32 Further,
evidence obtained from a
knowledgeable external source generally
is more reliable than evidence obtained
only from internal company sources.33
Where the auditor uses confirmation
as part of the auditor’s response, the
2022 Proposal addressed the auditor’s
responsibilities for designing and
executing the confirmation process to
obtain relevant and reliable audit
evidence. When properly designed and
executed, the confirmation process can
be an effective and efficient way of
obtaining relevant and reliable external
audit evidence, including in situations
where the auditor identifies an elevated
risk of material misstatement due to
error or fraud.
Responsibilities of the Auditor in Conducting an
Audit and Proposed Amendments to PCAOB
Standards, PCAOB Rel. No. 2023–001 (Mar. 28,
2023).
30 See AS 1015.07–.08.
31 For a discussion of confirmation bias, see, e.g.,
Raymond S. Nickerson, Confirmation Bias: A
Ubiquitous Phenomenon in Many Guises, 2 Review
of General Psychology, 175 (1998).
32 See AS 1105.05.
33 See AS 1105.08.
The 2022 Proposal also recognized
that performing confirmation
procedures can effectively and
efficiently provide evidential matter
about certain financial statement
assertions, including existence,
occurrence, completeness, and rights
and obligations. For example,
confirmation may provide audit
evidence related to the existence of
cash, accounts receivable, and financial
instruments, or the completeness of
debt. However, the confirmation process
generally provides less relevant
evidence about the valuation assertion
(e.g., the confirming party may not
intend to repay in full the amount owed,
or the custodian may not know the
value of shares held in custody).
Confirmation could also be used to
obtain audit evidence about the terms of
contractual arrangements (e.g., by
verifying supplier discounts or
concessions, corroborating sales
practices, or substantiating oral
arrangements and guarantees).
Information in confirmation responses
may indicate the existence of related
parties, or relationships or transactions
with related parties, previously
undisclosed to the auditor.
The Board also observed in the 2022
Proposal that, in some situations, an
auditor may determine that evidence
obtained through confirmation may
constitute sufficient appropriate audit
evidence for a particular assertion,
while in other situations performing
other audit procedures in addition to
confirmation may be necessary to obtain
sufficient appropriate audit evidence.
For example, for significant unusual
sales transactions and the resulting
accounts receivable balances, an auditor
might confirm significant terms of the
transactions and the receivable balances
with the transaction counterparties and
perform additional substantive
procedures, such as examination of
shipping documents and subsequent
cash receipts. Determining the nature,
timing, and extent of confirmation
procedures, and any other additional
audit procedures, is part of designing
and implementing the auditor’s
response to the assessed risk of material
misstatement.
The Board adopted the provisions in
the 2022 Proposal that address the
relationship of the confirmation process
to the auditor’s identification and
assessment of and response to the risks
of material misstatement, with certain
modifications discussed below.
Overall, commenters expressed
support for aligning the proposed
standard on confirmation with the
PCAOB’s existing risk assessment
standards. Several commenters stated
that they had not identified changes
needed to the proposed standard to
align further with the PCAOB’s risk
assessment standards. Other
commenters, as discussed below, called
for various changes to the proposed
provisions:
• Several commenters suggested that
there could be further alignment of the
2022 Proposal with the risk assessment
standards to enable the level of risk to
drive the nature of the audit response.
A number of commenters asserted that
the 2022 Proposal included certain
prescriptive requirements for the
confirmation process, regardless of the
assessed level of risk, and that those
provisions could detract from the
auditor’s ability to apply professional
judgment to determine the appropriate
audit response. Consistent with the
objective of the new standard, the
requirements under the new standard
apply to a significant account or
disclosure.34 The new standard thus
does not establish a presumption to
confirm cash or accounts receivable if
the auditor has not determined cash or
accounts receivable to be a significant
account. The auditor may choose to
perform confirmation procedures,
however, in situations other than those
specifically addressed in paragraphs .24
through .30 of the new standard. The
new standard does not otherwise
prescribe the timing or extent of
confirmation procedures, which are
discussed as part of the auditor’s
response to the risks of material
misstatement in AS 2301.
• Several commenters stated that
paragraphs .06 and .07 of the proposed
standard overly emphasized
confirmation as being the most
persuasive substantive audit procedure,
with any other procedure thereby
viewed as being less persuasive. One
commenter asserted that the 2022
Proposal appeared to be premised on an
assumption that third-party
confirmations represent ‘‘first best’’
audit evidence, regardless of the facts
and circumstances. In addition, one
commenter questioned whether the
Board intended for confirmation to be
used whenever possible to obtain
evidence. Having considered these
comments, the Board has made several
changes in the new standard to clarify
certain provisions. In the new standard,
the Board has revised paragraph .06,
which discusses obtaining audit
evidence from knowledgeable external
sources, to emphasize the source of the
audit evidence, rather than the type of
34 AS 2110.59e directs the auditor to identify
significant accounts and disclosures and their
relevant assertions.
audit procedure performed. The Board
understands that advances in
technology, as well as changes in
attitudes towards confirmation (e.g., the
potential hesitation of confirming
parties to reply to a confirmation
request from auditors because of the
concern of falling victim to a phishing
attack), have led auditors to perform
other types of audit procedures that can
provide relevant and reliable external
evidence.
• Some commenters stated that the
proposed standard could give rise to
unrealistic expectations about
confirmation procedures effectively
addressing the risk of material
misstatement due to fraud in all
circumstances. While the Board does
not believe that the new standard
creates an unrealistic expectation about
audit evidence obtained through
confirmation, the appropriate focus of
the auditor should be the obligation to
obtain relevant and reliable audit
evidence. Accordingly, the Board did
not adopt paragraph .07 of the proposed
standard, which had provided that ‘‘in
situations involving fraud risks and
significant unusual transactions, audit
evidence obtained through the
confirmation process generally is more
persuasive than audit evidence obtained
solely through other procedures.’’
• Several commenters recommended
that the standard address the current
and anticipated use of technology to
enable auditors to obtain sufficient
appropriate audit evidence through
performing audit procedures other than
confirmation. Some commenters
provided examples of using technology-based procedures in lieu of
confirmations, including accessing
company balances directly at the
relevant financial institution and testing
internal data against external data
sources using audit data analytics. The
Board considered these comments in
developing the new standard. In
particular, as discussed below, the new
standard includes a presumption for the
auditor to confirm cash and accounts
receivable, or otherwise obtain relevant
and reliable audit evidence for these
accounts by directly accessing
information maintained by a
knowledgeable external source.
• One commenter suggested that the
note to paragraph .05 of the proposed
standard should also direct the auditor
to take into account internal controls
over cash, including segregation of
duties, when there are side agreements
to revenue transactions. The Board did
not make this change in the new
standard. The Board notes that internal
control considerations are addressed by
existing PCAOB standards, which
require obtaining an understanding of
the company’s controls when assessing
the risk of material misstatement and
identifying and testing certain controls
when the auditor plans to rely on
controls to respond to the assessed
risk.35 The auditor would consider
controls over cash when performing
these procedures.
• With respect to the examples of
assertions in paragraph .06 of the
proposed standard, one commenter
asserted that a final standard should
more fully explain that a confirmation
generally serves to test the assertion of
existence, but does not serve to test
other assertions such as valuation,
including collectability. The Board did
not incorporate such language in the
new standard because it believes that
limiting the use of confirmation to the
existence assertion would be overly
prescriptive and might disallow use of
confirmation in other situations where
the auditor has determined that
confirmation could be used to obtain
relevant and reliable information to test
other assertions.
As discussed below, the Board
continues to believe that confirmation
procedures generally would provide
relevant and reliable audit evidence for
cash and accounts receivable.
Accordingly, under the new standard
the auditor should perform confirmation
procedures or otherwise obtain relevant
and reliable audit evidence by directly
accessing information maintained by a
knowledgeable external source when
the auditor determines that these
accounts are significant accounts. In
addition, the new standard specifies
that when the auditor has identified a
significant risk of material misstatement
associated with either a complex
transaction or a significant unusual
transaction, the auditor should consider
confirming those terms of the
transaction that are associated with a
significant risk of material
misstatement, including a fraud risk.
Other Use of Confirmation
Procedures. The 2022 Proposal
requested commenters’ views on
whether there were additional accounts
or financial statement assertions for
which the auditor should be required to
perform confirmation procedures. In
addition, the 2022 Proposal requested
views on whether the proposal was
sufficiently flexible to accommodate
situations where an auditor chooses to
confirm information about newer types
of assets (e.g., digital assets based on
blockchain or similar technologies).
35 See, e.g., AS 2110 and AS 2301.
Two investor-related groups
identified specific types of additional
transactions that should be subject to
confirmation, including transactions (1)
with unusual terms and conditions, (2)
with related parties, (3) where the
auditor has concern about whether side
letters may exist, (4) where financing is
obtained, including bank debt or
supplier-provided financing, (5)
involving certain sales practices, such as
bill-and-hold arrangements or supplier
discounts or concessions, (6) involving
certain oral arrangements or guarantees,
or (7) involving sales, lending, or
liability for custodianship of digital
assets. Another commenter suggested
that confirmation of accounts payable
should be considered, but not required,
when auditors assess controls over the
recording of liabilities to be ineffective.
This commenter also suggested that the
Board state that the use of confirmation
is not limited to the circumstances
discussed in the proposed standard.
In comparison, many firms and firm-related groups stated that the proposed
standard should not prescribe
additional other presumptive
requirements to use confirmation. These
commenters noted that doing so would
be unduly prescriptive. Several
commenters stated that the proposed
standard provided for an appropriate
amount of auditor judgment in
determining when to perform
confirmation procedures in situations
other than those specifically addressed
in the standard. In addition, several
commenters indicated that the 2022
Proposal offered sufficient flexibility to
accommodate situations where an
auditor confirms information about
newer types of assets.
Several commenters asserted that the
effectiveness of confirmation procedures
is negatively affected by the fact that
third parties are not obligated, under
legislation or regulation, to reply to an
auditor’s confirmation request.
The new standard does not specify
additional accounts or transactions for
which confirmation procedures are
presumptively required beyond those in
the 2022 Proposal. The PCAOB’s risk
assessment standards are foundational
and are used by the auditor to determine
the appropriate response to identified
risks of material misstatement. The
Board believes that confirmation can be
an important tool for addressing certain
risks for cash and accounts receivable,
and for obtaining audit evidence about
other financial relationships, and
certain terms of complex transactions or
significant unusual transactions, as
discussed below. However, identifying
additional accounts or scenarios that
require the auditor to use confirmation,
without regard to the specific facts and
circumstances of the audit including the
assessed risk of material misstatement
and whether other audit procedures
would provide sufficient appropriate
audit evidence, would be overly
prescriptive.
The auditor’s responsibilities relevant
to the use of confirmation are also
addressed in several other PCAOB
standards. AS 2315, Audit Sampling,
which discusses planning, performing,
and evaluating audit samples, is used if
the auditor uses sampling in the
confirmation process. AS 2510,
Auditing Inventories, addresses
confirmation of inventories in the hands
of public warehouses or other outside
custodians. Additionally, the new
standard does not address auditor
responsibilities regarding inquiries
concerning litigation, claims, and
assessments, which are addressed in AS
2505, Inquiry of a Client’s Lawyer
Concerning Litigation, Claims, and
Assessments.
Designing Confirmation Requests
(See paragraphs .08–.13 of the new
standard).
A properly designed and executed
confirmation process may provide
relevant and reliable audit evidence.
Auditor responsibilities regarding
designing a confirmation request are
described in paragraphs .08–.13, as
follows:
• Paragraph .08 discusses identifying
information to confirm;
• Paragraphs .09 through .11 discuss
identifying the confirming parties for
confirmation requests; and
• Paragraphs .12 through .13 discuss
using negative confirmation requests.
The new standard does not prescribe
a particular format for a confirmation
request. For example, requests could be
paper-based or electronic, specifying the
information to be confirmed or
providing a blank response form, or sent
with or without the involvement of an
intermediary that facilitates electronic
transmission. As a practical matter, the
auditor determines the format of a
confirmation request to increase the
likelihood that the request is received
and clearly understood by the
confirming party, taking into
consideration, among other things, the
facts and circumstances of the company
and the confirming party.
Identifying Information To Confirm
The 2022 Proposal provided that the
auditor should, as part of designing
confirmation requests, identify
information related to the relevant
assertions that the auditor plans to
verify with confirming parties or (when
using a blank form) obtain from
confirming parties. Such information
could include transaction amounts,
transaction dates, significant terms of
transactions, and balances due to or
from the confirming party as of a
specific date. In addition, the 2022
Proposal discussed that using a blank
confirmation request generally provides
more reliable audit evidence than using
a confirmation request that includes
information the auditor is seeking to
confirm (e.g., a customer account
balance). In the latter scenario, it is
possible that a confirming party could
agree to the information without
verifying it against the confirming
party’s records.
The Board adopted the proposed
requirement relating to identifying
information to confirm with certain
modifications discussed below.
Several commenters indicated that the
provisions of the 2022 Proposal related
to identifying information to confirm
were clear and appropriate. A few
commenters requested retaining a
statement analogous to a statement in
existing AS 2310 to emphasize in the
standard that responding to blank form
confirmation requests generally requires
additional effort, which might lower the
response rates and lead auditors to
perform alternative procedures. One
commenter expressed concern that
fraudsters could use fake confirmation
requests and, in particular, fake blank
form confirmation requests, to defraud
bank customers (e.g., by soliciting their
bank details).
Existing AS 2310 includes details
regarding the form of confirmation
requests, which includes general
information regarding blank form
positive confirmation requests. This
information has been included in the
new standard in a note to paragraph .08.
Further, after considering the comments
received, the new standard includes
language not included in the proposed
standard that is similar to language in
existing AS 2310. This language
explains that responding to blank form
confirmation requests generally requires
additional effort, which might lower the
response rates and lead auditors to
perform alternative procedures for more
selected items. Despite the possibility of
lower response rates, responses to blank
form confirmation requests may provide
more reliable audit evidence than
responses to confirmation requests
using pre-filled forms.
Paragraph .17 of the proposed
standard also included a reminder of an
existing requirement in AS 1105.10,
pursuant to which the auditor should
test the accuracy and completeness of
information produced by the company
that the auditor uses as audit evidence.
The reminder emphasized that, in the
confirmation process, the requirement
in AS 1105.10 applies to the
information produced by the company
(e.g., populations from which items are
selected for confirmation, such as
detailed account listings, vendor
listings, and contractual agreements)
that the auditor uses in selecting the
items to confirm.
Several firms and firm-related groups
indicated that the existing requirement
in AS 1105.10 for the auditor to evaluate
information produced by a company as
audit evidence was sufficient and that
paragraph .17 of the proposed standard
was duplicative. A few commenters
stated that confirmation requests are
often designed to test the accuracy of a
given account balance or disclosure and,
accordingly, that the requirement
should only focus on testing
completeness. Finally, a few
commenters suggested that the standard,
consistent with AS 1105.10, should
allow for the auditor to test controls
over the accuracy and completeness of
information produced by the company
that the auditor uses in selecting items
to confirm.
After considering these comments, in
order to avoid duplication with other
PCAOB standards, the new standard
does not include paragraph .17 of the
proposed standard.
Identifying Confirming Parties for
Confirmation Requests
The 2022 Proposal provided that, to
obtain reliable audit evidence from the
confirmation process, the auditor
should direct the confirmation requests
to third parties (individuals or
organizations) who are knowledgeable
about the information to be confirmed.
That provision was similar to existing
AS 2310.26, which directs the auditor to
send confirmation requests to third
parties who the auditor believes are
knowledgeable about the information to
be confirmed, such as a counterparty
who is knowledgeable about a
transaction or arrangement.
When designing confirmation
requests, an auditor may become aware
of information about a potential
confirming party’s motivation, ability,
or willingness to respond, or about the
potential confirming party’s objectivity
and freedom from bias with respect to
the audited entity. Because this type of
information can affect the reliability of
audit evidence provided by the
confirming party to the auditor, the
2022 Proposal, similar to existing AS
2310.27, provided that the auditor
should consider any such information
that comes to the auditor’s attention
when selecting the confirming parties.
The note to paragraph .19 of the
proposed standard further emphasized
that such information may indicate that
the potential confirming party has
incentives or pressures to provide
responses that are inaccurate or
otherwise misleading.36
The 2022 Proposal also provided that
the auditor should consider the source
of any such information. For example, if
management indicates to the auditor
that a potential confirming party is
unlikely to respond to a confirmation
request, management may have other
reasons to avoid a confirmation request
being sent (e.g., concealing
management’s fraudulent
understatement of the amount the
company owes to that party).
In addition, the 2022 Proposal
provided more specific direction than
existing AS 2310 for situations in which
the auditor is unable to identify a
confirming party who, in response to a
confirmation request, would provide
relevant and reliable audit evidence
about a selected item. In such a
scenario, the 2022 Proposal prescribed
that the auditor should perform
alternative procedures.
The 2022 Proposal also provided that
the auditor should determine that
confirmation requests are properly
addressed, thus increasing the
likelihood that they are received by the
confirming party. The 2022 Proposal did
not prescribe the nature or extent of
procedures to be performed by the
auditor when making this
determination, thereby allowing the
auditor to tailor the procedures to the
facts and circumstances of the audit. For
example, in practice, some auditors
compare some or all confirming party
addresses, which are typically provided
by the company, to physical addresses
or email domains included on the
confirming party’s website.
36 See also paragraph .10 of AS 2401,
Consideration of Fraud in a Financial Statement
Audit (stating that fraud may be concealed through
collusion among management, employees, or third
parties, and that an auditor may receive a false
confirmation from a third party that is in collusion
with management); SAPA No. 8 at 12 (stating that,
when using confirmation to address fraud risks in
emerging markets, ‘‘the auditor should evaluate
who the intended recipient of the confirmation
request is and whether the company’s management
has an influence over this individual to provide
false or misleading information to the auditor’’ and
that ‘‘[f]or example, if the company is the only or
a significant customer or supplier of the confirming
entity, the staff of that entity may be more
susceptible to pressure from the company’s
management to falsify documentation provided to
the auditor’’).
Alternatively, when using an
intermediary to facilitate direct
electronic transmission of confirmation
requests and responses, Appendix B of
the proposed standard required the
auditor to obtain an understanding of
the intermediary’s controls that address
the risk of interception and alteration of
the confirmation requests and responses
and determine whether the relevant
controls used by the intermediary are
designed and operating effectively. The
Board noted in the 2022 Proposal that,
where an auditor determines that
controls that address the risk of
interception and alteration also include
controls related to validating the
addresses of confirming parties, the
auditor may be able to determine that
audit procedures performed in
accordance with Appendix B are
sufficient to determine that
confirmation requests are properly
addressed. In situations where the
auditor determines that the
intermediary’s controls that address the
risk of interception and alteration do not
also include controls related to
validating the addresses of confirming
parties, the Board also noted that the
auditor would need to perform other
procedures to comply with the
requirements of the proposed standard.
The Board adopted the requirements
relating to identifying confirming
parties for confirmation requests as
proposed, with certain modifications
discussed below.
Several commenters indicated that the
provisions of the proposed standard
related to identifying confirming parties
were sufficiently clear and appropriate.
One commenter indicated that the
Board should require the auditor to send
confirmation requests directly to an
individual, rather than allow the auditor
to choose between sending the request
either to an individual or an
organization. In this commenter’s view,
sending a confirmation request directly
to an individual could increase the
reliability of audit evidence obtained
through the confirmation process. One
commenter indicated that the Board
should amend paragraph .18 of the
proposed standard to read ‘‘the auditor
should direct confirmation requests to
confirming parties (individuals or
organizations) who are expected to be
knowledgeable about the information to
be confirmed and determine that the
confirmation requests are appropriately
addressed.’’
Because auditors often may have no
or limited interaction with the
personnel of confirming organizations,
they may not be able to select an
individual addressee for the
confirmation request. As a result, the
Board believes that allowing the auditor
to address a confirmation request to an
organization that is knowledgeable
about the information to be confirmed is
practicable and appropriate. Paragraph
.20 of the proposed standard stated that
the auditor should perform alternative
procedures when the auditor is unable
to identify a confirming party who, in
response to a confirmation request,
would provide relevant and reliable
audit evidence about the selected item.
The Board has modified this language,
which appears in paragraph .11 of the
new standard, to emphasize that if the
auditor is unable to identify a
confirming party for a selected item who
would provide relevant and reliable
audit evidence in response to a
confirmation request, including
considering any information about the
potential confirming party discussed in
paragraph .10, the auditor should
perform alternative procedures in
accordance with Appendix C. In
addition, the Board has added a note to
paragraph .11 of the new standard to
reiterate that AS 1105.08 provides that
the reliability of evidence depends on
the nature and source of the evidence
and the circumstances under which it is
obtained.
These revisions are intended to
underscore that auditors should
consider information that may indicate
that a potential confirming party has
incentives or pressures to provide
responses that are inaccurate or
misleading, and remind auditors that
the reliability of audit evidence depends
not only on its nature and source, but
also the circumstances under which it is
obtained. For example, restrictions on
access to a potential confirming party
that cause the auditor to identify and
send a confirmation request to a
different confirming party or to perform
alternative procedures may themselves
raise questions as to the reliability of the
audit evidence that the auditor
subsequently obtains from the other
confirming party or through performing
alternative procedures. In addition, the
revisions to paragraph .11 clarify that
the paragraph applies to a confirming
party for an individual item selected for
confirmation, rather than more broadly
to a group of confirming parties that
might provide audit evidence with
respect to relevant assertions for an
entire account, such as accounts
receivable.
Several commenters on the 2022
Proposal also indicated that the
requirement to send a confirmation
request directly to the confirming party
and determine that the request is
properly addressed was sufficiently
clear and appropriate. One of these
commenters indicated that the standard
should address procedures to verify the
recipient’s mailing or email address
while the other commenters indicated
there was no need to include specific
procedures in the standard. Another
commenter requested more guidance
around verifying email addresses. One
commenter indicated that there should
be no specific requirement to check
addresses, as such a requirement would
not, in the commenter’s view, deter
those intent on deceiving auditors.
Lastly, one commenter requested
clarification as to whether an auditor
should send either an initial
confirmation request or a second request
when the auditor is aware of
information that indicates that the
confirming party would be unlikely to
respond.
The Board continues to believe that
requiring auditors to determine that
confirmation requests are appropriately
addressed is critically important to the
effectiveness of the confirmation
process. The Board has noted above
some of the ways in which an auditor
might comply with this requirement but
is not including such examples in the
text of the new standard to avoid the
possible misinterpretation that the
examples describe the only steps an
auditor could take in determining
whether a confirmation request is
properly addressed.
With respect to one commenter’s
suggestion that the Board clarify
whether an auditor should send a
confirmation request if the auditor is
aware of information indicating that the
confirming party would not respond,
the Board believes the new standard is
sufficiently clear. Paragraph .10 of the
new standard states, in part, that if the
auditor is aware of information about a
potential confirming party’s
‘‘willingness to respond,’’ the auditor
should consider this information,
including its source, in selecting the
confirming parties. Further, paragraph
.11 of the new standard states that, if the
auditor is unable to identify a
confirming party for a selected item who
would provide relevant and reliable
audit evidence in response to a
confirmation request, the auditor should
perform alternative procedures for the
selected item in accordance with
Appendix C of the new standard.
Using Negative Confirmation Requests
There are ‘‘positive’’ and ‘‘negative’’
types of confirmation requests. A
positive confirmation request is a
confirmation request in which the
auditor requests a confirmation
response. With a negative confirmation
request, the auditor requests a
confirmation response only if the
confirming party disagrees with the
information provided in the request.
The auditor generally obtains
significantly less audit evidence when
using negative confirmation requests
than when using positive confirmation
requests. A confirming party might not
respond to a negative confirmation
request because it did not receive or
open the request, or alternatively the
confirming party might have read the
request and agreed with the information
included therein.
Because of the limited evidence
provided when using negative
confirmation requests, the 2022
Proposal provided that the auditor may
not use negative confirmation requests
as the sole substantive procedure for
addressing the risk of material
misstatement to a financial statement
assertion. Instead, the 2022 Proposal
provided that the auditor may use
negative confirmation requests only to
supplement audit evidence provided by
other substantive procedures (e.g.,
examining subsequent cash receipts,
including comparing the receipts with
the amounts of respective invoices being
paid; examining shipping documents;
examining subsequent cash
disbursements; or sending positive
confirmation requests). In addition,
Appendix B to the proposed standard
provided examples of situations in
which the use of negative confirmation
requests, in combination with the
performance of other substantive audit
procedures, may provide sufficient
appropriate audit evidence. In contrast,
under existing AS 2310, the auditor may
use negative confirmation requests
where certain criteria are present and
should consider performing other
substantive procedures to supplement
their use.
The Board adopted the requirements
for using negative confirmation requests
as proposed. Most commenters on this
aspect of the 2022 Proposal expressed
support for the proposed prohibition on
using negative confirmation requests as
the sole substantive procedure with a
number of commenters stating that
negative confirmation requests alone do
not provide sufficient appropriate audit
evidence.
Another commenter suggested that
the word ‘‘generally’’ should be
removed from paragraph .21 of the
proposed standard to emphasize that a
negative confirmation is not as
persuasive as a positive confirmation.
This commenter indicated that, in
situations where the use of negative
confirmation requests, in combination
with the performance of other
substantive audit procedures, may
provide sufficient appropriate audit
evidence, auditors should be required to
specifically document their
consideration of certain examples
included in paragraph .B1 of the
proposed standard.
Lastly, a few commenters indicated
that additional guidance on the use of
negative confirmations, and specifically
on the use of substantive analytical
procedures to supplement the use of
negative confirmations, was needed
while another commenter indicated that
the examples in Appendix B would
assist auditors in applying the
requirements related to the use of
negative confirmation requests.
After considering the comments on
the 2022 Proposal, the Board has
determined that the requirements in the
2022 Proposal relating to the use of
negative confirmation requests are both
appropriate and sufficiently clear. For
ease of reference, the examples of
situations in which the use of negative
confirmation requests, in combination
with the performance of other
substantive audit procedures, may
provide sufficient appropriate audit
evidence now appear in paragraph .13
of the new standard rather than
Appendix B. The Board is not including
in the new standard additional
examples of other substantive
procedures that may be used to
supplement negative confirmation
requests, as some commenters had
suggested. While such procedures may
be appropriate in some circumstances,
including such examples in the new
standard could be misperceived as
establishing a formal checklist, whereas
determining the necessary nature,
timing, and extent of audit procedures
that provide sufficient appropriate audit
evidence would depend on the facts and
circumstances of each audit.
Paragraph .12 of the new standard
retains the word ‘‘generally’’ (i.e.,
‘‘[g]enerally, the auditor obtains
significantly less audit evidence when
using negative confirmation requests
than when using positive confirmation
requests’’) to acknowledge that in some
circumstances using positive
confirmations may not provide the
auditor with the amount of evidence
that the auditor planned to obtain (e.g.,
if the auditor does not receive responses
to some or all positive confirmation
requests).
Maintaining Control Over the
Confirmation Process
(See paragraphs .14–.17 and .B1–.B2
of the new standard).
The Requirement for the Auditor To
Maintain Control Over the Confirmation
Process
The 2022 Proposal included a
provision, consistent with AS 2310, that
the auditor should maintain control
over the confirmation process to
minimize the likelihood that
information exchanged between the
auditor and the confirming party is
intercepted and altered. This is because
the reliability of audit evidence
provided by confirmation depends in
large part on the auditor’s ability to
control the integrity of confirmation
requests and responses. The 2022
Proposal also provided that, as part of
maintaining control, the auditor should
send confirmation requests directly to
the confirming party and receive
confirmation responses directly from
the confirming party.
The Board adopted the requirements
for maintaining control over the
confirmation process as proposed, with
one modification.
Commenters on this topic largely
agreed that the auditor should maintain
control over the confirmation process.
One commenter stated that setting forth
the requirement to maintain control
over the confirmation process and the
requirement to send confirmation
requests directly to the confirming party
in separate paragraphs might suggest
that there are different responsibilities
for the auditor. This commenter
recommended combining the
requirements to clarify that the auditor’s
responsibility is to send the
confirmation directly while maintaining
control of the process.
After considering the comments on
the 2022 Proposal, the Board has
determined that the proposed
requirements are both appropriate and
sufficiently clear, and adopted them as
proposed, with the addition of a new
paragraph that clarifies how an external
auditor can use internal auditors in a
direct assistance capacity as part of the
confirmation process, as further
discussed below. Paragraph .14 of the
new standard establishes the auditor’s
responsibility for maintaining control
over the confirmation process, and the
other paragraphs in this section of the
new standard specify auditor
responsibilities regarding certain
aspects of maintaining control, as
discussed below. For example,
consistent with the definition of
‘‘confirmation process,’’ 37 paragraph .15
of the new standard requires that the
auditor select the items to be confirmed,
send the confirmation requests and
receive the confirmation responses.
37 The term ‘‘confirmation process’’ is defined in
paragraph .A3 of the new standard as ‘‘[t]he process
that involves selecting one or more items to be
confirmed, sending a confirmation request directly
to a confirming party, evaluating the information
received, and addressing nonresponses and
incomplete responses to obtain audit evidence
about one or more financial statement assertions.’’
Selecting an item involves the auditor
identifying the information to be
included on the confirmation request.
Paragraph .16 of the new standard
specifies that maintaining control over
the confirmation process by the auditor
involves sending the confirmation
request directly to and obtaining the
confirmation response directly from the
confirming party.
Using an Intermediary To Facilitate
Direct Electronic Transmission of
Confirmation Requests and Responses
Background and Requirements
As discussed above, certain financial
institutions and other companies have
adopted the policy of responding to
electronic confirmation requests from
auditors only through another party that
they, or the auditor, engage as an
intermediary to facilitate the direct
transmission of information between the
auditor and the confirming party. The
Board understands that such policies
are intended to facilitate the timeliness
and quality of confirmation responses
provided by the confirming party to the
auditor.
While the involvement of
intermediaries is not discussed in
existing AS 2310, the use of an
intermediary does not relieve the
auditor of the responsibility under
PCAOB standards to maintain control
over confirmation requests and
responses. Because an intermediary’s
involvement may affect the integrity of
information transmitted between the
confirming party and the auditor, the
2022 Proposal provided that the auditor
should evaluate the implications of such
involvement for the reliability of
confirmation requests and responses.
Specifically, paragraphs .B2 and .B3 of
the proposed standard provided that:
• The auditor’s evaluation should
address certain aspects of the
intermediary’s controls that address the
risk of interception and alteration of
communications between the auditor
and the confirming party;
• The auditor’s evaluation should
assess whether circumstances exist that
give the company the ability to override
the intermediary’s controls (e.g.,
through financial or other
relationships); and
• The auditor should not use an
intermediary if information obtained by
the auditor indicates that (i) the
intermediary has not implemented
controls that are necessary to address
the risk of interception and alteration of
the confirmation requests and
responses, (ii) the necessary controls are
not designed or operating effectively, or
(iii) circumstances exist that give the
company the ability to override the
intermediary’s controls.
The Board adopted the proposed
requirements substantially as proposed,
with certain modifications discussed
below.
A few commenters on the 2022
Proposal indicated that it is not clear
what an ‘‘intermediary’’ is and
requested clarification. The Board is not
adding a definition of the term
‘‘intermediary’’ in the new standard as
it simply intends to use the term in
describing a particular scenario under
the new standard where a third party is
engaged by the auditor or a confirming
party to facilitate direct electronic
transmission of confirmation requests
and responses between the auditor and
the confirming party. The Board
believes that its intent in using the term
‘‘intermediary’’ is sufficiently clear.
Overall, several commenters indicated
that the requirements in the 2022
Proposal to evaluate the implications of
using an intermediary to facilitate direct
electronic transmission of confirmation
requests and responses were
appropriate. However, as discussed
below, a number of these commenters
and other commenters stated that
additional clarity may be required to
ensure that the proposed revisions are
operational in practice, or otherwise
requested additional guidance.
Conversely, a few commenters
expressed the view that requirements in
the 2022 Proposal regarding the
implications of using an intermediary
were not appropriate or sufficiently
clear. One of those commenters asserted
that the requirement to assess the
intermediary would result in significant
additional work for auditors and that it
is not currently common practice to
directly assess intermediaries in this
manner. As discussed in Section IV of
the 2022 Proposal, firm methodologies
reviewed by the staff generally include
guidance on maintaining control over
the confirmation process, using
intermediaries to facilitate the electronic
transmission of confirmation requests
and responses, and assessing controls at
the intermediaries. The evidence from
the PCAOB staff’s review does not
suggest that the requirements in
Appendix B of the new standard would
create significant additional work for
auditors, nor did the commenters
provide evidence to the contrary.
Separately, as the 2022 Proposal
provided that the auditor should not use
an intermediary if information obtained
by the auditor indicates that certain
conditions are present, several
commenters stated that the presence of
indicators would not necessarily mean
that the intermediary is not fit for use.
For example, these commenters stated
that in a situation where an
intermediary’s control is not designed or
operating effectively, an auditor may be
able to obtain an understanding of
whether a specific control failure
impacts the confirmation process and
perform tests of other controls or other
procedures at the intermediary to
address the control failure.
Having considered the comments, the
Board is clarifying in paragraph .B2 of
the new standard that the auditor
should not use an intermediary to send
confirmation requests or receive
confirmation responses if the auditor
determines that (1) the intermediary has
not implemented controls that are
designed or operating effectively to
address the risk of interception and
alteration of the confirmation requests
and responses and the auditor cannot
address such risk by performing other
procedures beyond inquiry, or (2)
circumstances exist that give the
company the ability to override the
intermediary’s controls. In the 2022
Proposal, the prohibition was based on
an indication, rather than
determination, that such circumstances
exist.
For example, when performing an
evaluation required by paragraphs .17
and .B1 of the new standard, an auditor
could obtain a SOC report stating that a
particular access control at an
intermediary is not designed or
operating effectively. The auditor may
then be able to identify and test other
controls that could mitigate the control
failure described in the SOC report. In
this scenario, if the auditor determines
that the identified controls are designed
and operating effectively and mitigate
the control failure, or the auditor has
performed other procedures such as
obtaining computer systems event logs
generated by the intermediary that
provide evidence there was no
unauthorized access during the relevant
period, the information in the SOC
report in this scenario would not
necessarily mean that the auditor is not
allowed to use the intermediary under
the new standard.
In addition, several commenters
asserted that, if an auditor were not
allowed to use an intermediary under
proposed paragraph .B3 and the
confirming party had a policy requiring
the use of an intermediary for receiving
and responding to auditor confirmation
requests, an auditor may be unable to
comply with the proposed requirement
to confirm cash, even if relevant and
reliable audit evidence were otherwise
available. Considering these comments,
the Board has modified paragraph .B2 of
the new standard to state that in
circumstances where the auditor, under
paragraph .B2, should not use an
intermediary to send confirmation
requests or receive confirmation
responses, the auditor should send
confirmation requests without the use of
an intermediary or, if unable to do so,
perform alternative procedures in
accordance with Appendix C of the new
standard. The Board believes that this
modification and the adoption of a
provision regarding obtaining audit
evidence by directly accessing
information maintained by a
knowledgeable external source (see
discussion below), address commenters’
concerns that an auditor may not be able
to comply with the requirement to
confirm cash.
Certain commenters asked for
additional guidance on what procedures
an auditor should or could perform to
comply with the requirements in
Appendix B. Having considered these
comments, the Board determined that
the new standard, consistent with the
2022 Proposal, will not specify how the
auditor should perform the particular
procedures required by paragraphs .B1
and .B2 regarding evaluating the
implications of using an intermediary.
The new standard thus allows auditors
to customize their approach based on
the facts and circumstances of the audit
engagement and the audit firm. For
example, in obtaining an understanding
of the intermediary’s controls that
address the risk of interception and
alteration of confirmation requests and
responses and determining whether
they are designed and operating
effectively, the auditor could (i) use,
where available, a SOC report that
evaluates the design and operating
effectiveness of the relevant controls at
the intermediary; or (ii) test the
intermediary’s controls that address the
risk of interception and alteration
directly.38
Some commenters asked for guidance
related to an acceptable window of time
to be covered by ‘‘bridge letters.’’ 39
Where an auditor uses an independent
service auditor’s report on a service
organization’s controls, such procedures
may involve using a bridge letter. The
new standard does not specify an
appropriate window of time to be
covered by a bridge letter or a
permissible window of time between
the date covered by a bridge letter and
the period when the auditor uses the
intermediary to facilitate direct
electronic transmission of confirmation
requests and responses. Auditors should
use their professional judgment based
upon the facts and circumstances of the
audit to determine the nature of
procedures required to comply with
paragraph .B1 of the new standard,
including the note to paragraph .B1(b).
38 See Spotlight: Observations and Reminders on
the Use of a Service Provider in the Confirmation
Process (Mar. 2022), available at
https://pcaobus.org/resources/staff-publications.
39 Some intermediaries provide a ‘‘bridge letter’’
or ‘‘gap letter’’ issued by the independent service
auditor that addresses the period from the date of
the service auditor’s SOC report through a
subsequent date, typically the most recent calendar
year end.
One commenter stated that paragraph
.B2(b) of the proposed standard should
have a specific documentation
requirement. The Board believes that
adding a specific documentation
requirement is not necessary, as the
auditor is required to document
compliance with PCAOB standards
under existing documentation
requirements.40
Lastly, the new standard modifies the
language of the 2022 Proposal to
provide in the note to paragraph .B1(b)
of the new standard that, if the auditor
performs procedures to determine that
the controls used by the intermediary to
address the risk of interception and
alteration are designed and operating
effectively at an interim date, the
auditor should evaluate whether the
results of the procedures can be used
‘‘during the period in which the auditor
uses the intermediary’’—rather than at
‘‘period end,’’ as described in the
proposed standard—or whether
additional procedures need to be
performed to update the results. The
Board believes that the modified
provision more accurately describes the
timeframe during which the results of
the procedures may be used by an
auditor. In addition, the modified
provision clarifies that the auditor
should consider the nature and extent of
any changes in the intermediary’s
process and controls during the period
between the auditor’s procedures and
the period the auditor uses the
intermediary.
Interaction of New Standard and
Proposed QC 1000
In November 2022 the Board issued
for public comment a proposed quality
control standard, referred to as proposed
QC 1000, A Firm’s System of Quality
Control.41 Proposed QC 1000 addresses
resources used by a registered public
accounting firm that are sourced from
third-party providers. An intermediary
that facilitates direct electronic
transmission of confirmation requests
and responses is one example of a
‘‘third-party provider’’ under proposed
QC 1000.
40 See, e.g., paragraph .05 of AS 1215, Audit
Documentation.
41 See A Firm’s System of Quality Control and
Other Proposed Amendments to PCAOB Standards,
Rules, and Forms, PCAOB Rel. No. 2022–006 (Nov.
18, 2022).
Under proposed QC 1000, a firm
would consider the nature and extent of
resources or services obtained from
third-party providers in its risk
assessment process and whether the use
of third-party providers poses any
quality risks to the firm in achieving its
quality objectives. One of the required
quality objectives relates to obtaining an
understanding of how such resources or
services are developed and maintained
and whether they need to be
supplemented and adapted as
necessary, such that their use enables
the performance of the firm’s
engagements in accordance with
applicable professional and legal
requirements and the firm’s policies and
procedures.42
As noted above, the proposed
standard on the auditor’s use of
confirmation included specific
procedures related to the use of an
intermediary, which included obtaining
an understanding of the intermediary’s
controls that address the risk of
interception and alteration of a
confirmation request and response and
determining whether such controls are
designed and operating effectively.
A few commenters on the 2022
Proposal observed that firms may obtain
and evaluate SOC reports centrally,
rather than requiring that individual
engagement teams obtain and evaluate
the reports. One of these commenters
suggested clarifying in the standard that
the evaluations required by Appendix B
may be performed, and the
documentation may be retained
centrally, as part of the firm’s quality
control system. Another of these
commenters suggested that the
requirements related to the use of an
intermediary be removed entirely from
the proposed confirmation standard and
instead be dealt with solely in the
proposed quality control standards. One
commenter stated that, depending on
the identified quality risks, procedures
performed in accordance with QC 1000
need not align with the financial
statement period-end of each audit
engagement performed by the firm,
which the commenter asserted was
implied by paragraph .B2(b) and a
related note in the proposed standard.
Lastly, a few commenters indicated that
it would be beneficial to explicitly link
the provisions of the confirmation
standard regarding the use of an
intermediary with QC 1000.
42 See paragraph .44.j of proposed QC 1000.
Having considered these comments,
the Board believes that the requirements
in the new standard related to the
auditor’s use of intermediaries, with the
modifications discussed above to the
requirements in the proposed standard,
are sufficiently clear and appropriate.
The auditor’s evaluation of the
intermediary’s controls could be
performed by an engagement team, an
audit firm’s national office, or a
combination of both. Where the national
office performs procedures relating to
the intermediary (either as part of the
firm’s quality control activities or
specifically to comply with the new
standard), the engagement team would
still need to consider the procedures
performed by the national office and
include in its audit documentation
considerations specific to the individual
audit engagement. For example, if a
national office evaluated an
intermediary’s controls at an interim
date, the engagement team would need
to, in accordance with the note
accompanying paragraph .B1(b) of the
new standard, evaluate whether the
results of the interim procedures could
be used during the period in which the
auditor uses the intermediary to
facilitate direct electronic transmission
of confirmation requests and responses
or whether they needed to be updated.
Using Internal Audit in the
Confirmation Process
The 2022 Proposal identified certain
activities in the confirmation process
where the auditor may not use the
assistance of the company’s internal
audit function. Under the 2022
Proposal, the auditor was not permitted
to use internal auditors for selecting
items to be confirmed, sending
confirmation requests, and receiving
confirmation responses, because using
internal audit in a direct assistance
capacity for such activities would not be
consistent with the auditor’s
responsibility to maintain control over
the confirmation process.
Existing AS 2310 does not include
analogous provisions. It states instead
that the auditor’s need to maintain
control does not preclude the use of
internal auditors and that AS 2605,
Consideration of the Internal Audit
Function, provides guidance on
considering the work of internal
auditors and on using internal auditors
to provide direct assistance to the
auditor.43
The Board adopted the proposed
requirements substantially as proposed,
with certain modifications discussed
below.
43 See footnote 3 of AS 2310.
A number of commenters, including
investor-related groups, firms, and firm-related groups, agreed with the
requirements proposed in the 2022
Proposal as being in line with the
auditor’s responsibility to maintain
control over the confirmation process.
Additionally, a few commenters
observed that it is not current practice
for auditors to use internal audit in a
direct assistance capacity for selecting
items to be confirmed, sending
confirmation requests, or receiving
confirmation responses and, therefore,
that the requirements in the 2022
Proposal would not result in a
significant change in practice.
Conversely, one commenter stated that
the proposed restrictions would impact
current practice as it relates to direct
assistance.
A significant number of commenters,
including internal auditors and
companies with internal audit
functions, took exception to the
provision in the 2022 Proposal to limit
the external auditor’s use of internal
auditors in a direct assistance capacity
in the confirmation process, and in
some instances asserted that such
limitations would be inconsistent with
AS 2605. Many of these commenters
also challenged the statement in the
2022 Proposal that ‘‘[i]nvolving internal
auditors or other company employees in
these activities [selecting items to be
confirmed, sending confirmation
requests, and receiving confirmation
responses] would create a risk that
information exchanged between the
auditor and the confirming party is
intercepted and altered.’’ These
commenters asserted that this language
called into question internal auditors’
competence, objectivity, and
independence. Additionally, a few
commenters expressed concern with the
prescriptiveness of the proposed
restrictions on the use of internal
auditors in the confirmation process.
Having considered the comments
received, the Board notes that the
discussion in the 2022 Proposal was not
intended to cast doubt on the
qualifications, competence, or
objectivity of internal auditors. Internal
auditors can and often do play an
important role in enhancing the quality
of a company’s financial reporting. At
the same time, the Board continues to
believe that in order to maintain control
over the confirmation process the
auditor should select items to be
confirmed, send confirmation requests,
and receive confirmation responses.
In addition, after considering the
comments received, the Board is (i)
relocating the requirements related to
the auditor’s use of internal audit in the
confirmation process to the section of
the new standard on maintaining
control over the confirmation process
and (ii) rephrasing the requirements in
terms of the auditor’s affirmative
responsibilities, by describing
procedures the auditor is required to
perform. In contrast, the proposed
standard described procedures that
internal auditors were not allowed to
perform. As stated in footnote 7 of the
new standard, auditors are permitted to
use internal auditors in accordance with
AS 2605, except for selecting items to
confirm, sending confirmation requests,
and receiving confirmation responses.
The new standard does not impose any
new limitations on how the internal
auditors’ work may affect the external
auditor’s audit procedures.44 Instead,
the new standard clarifies how an
external auditor can use internal
auditors in a direct assistance capacity
as part of the confirmation process.45
Evaluating Confirmation Responses and
Confirmation Exceptions, and
Addressing Nonresponses and
Incomplete Responses
(See paragraphs .18–.23 of the new
standard).
Overall Approach
Under the 2022 Proposal, the
auditor’s responsibilities related to the
confirmation process included
evaluating the information received in
confirmation responses and addressing
nonresponses and incomplete
responses. The 2022 Proposal provided
that if the auditor is unable to determine
whether the confirmation response is
reliable, or in the case of a nonresponse
or an incomplete response (i.e., one that
does not provide the audit evidence the
auditor seeks to obtain), the auditor
should perform alternative
procedures.46 The 2022 Proposal built
upon requirements in existing AS 2310
that discuss addressing information
obtained from the performance of
confirmation procedures.
The relevant requirements in the new
standard include certain modifications
to the approach in the 2022 Proposal, as
discussed in the sections below.
44 AS 2605.12 states that ‘‘the internal auditor’s
work may affect the nature, timing, and extent of
the audit,’’ including ‘‘procedures the auditor
performs when obtaining an understanding of the
entity’s internal control (paragraph .13),’’
‘‘procedures the auditor performs when assessing
risk (paragraphs .14 through .16),’’ and ‘‘substantive
procedures the auditor performs (paragraph .17).’’
45 AS 2605.27 discusses how the auditor may use
internal auditors to provide direct assistance.
46 Alternative procedures, including the relevant
exception described in Appendix C of the new
standard, are discussed below.
Evaluating the Reliability of
Confirmation Responses
The 2022 Proposal was intended to
provide additional direction beyond
what is set forth in existing AS 2310 to
assist the auditor’s evaluation of the
reliability of confirmation responses.
Specifically, the 2022 Proposal (i)
described information that the auditor
should take into account when
performing the evaluation, and (ii)
provided examples of indicators that a
confirmation response may have been
intercepted or altered and thus may not
be reliable. In particular, the 2022
Proposal provided that the auditor
should take into account any
information about events, conditions, or
other information the auditor becomes
aware of in assessing the reliability of
the confirmation response.
Under existing PCAOB standards, the
auditor is not expected to be an expert
in document authentication but, if
conditions indicate that a document
(e.g., a confirmation response) may not
be authentic or may have been altered,
the auditor should modify the planned
audit procedures or perform additional
audit procedures to respond to those
conditions and should evaluate the
effect, if any, on the other aspects of the
audit.47 The 2022 Proposal did not alter
these requirements, but specified for the
confirmation process that, if the auditor
were unable to determine that the
confirmation response is reliable, the
auditor’s response should include
performing alternative procedures.
The requirements for evaluating the
reliability of confirmation responses
were adopted substantially as proposed.
Several commenters indicated that the
provisions of the 2022 Proposal related
to evaluating the reliability of
confirmation responses were clear and
appropriate. One commenter proposed
modifications to the proposed
requirements, including replacing the
words ‘‘taking into account’’ with
‘‘considering’’ in paragraph .25 of the
proposed standard to reflect the
commenter’s perceived intent of the
Board. One commenter asserted that
paragraph .25 of the proposed standard
could result in onerous documentation
requirements in situations where there
is a clear reason why a particular
indicator is not necessarily indicative of
interception or alteration of a
confirmation request or confirmation
response (e.g., a confirmation request is
sent to a general email account but
returned from an email account
belonging to an individual monitoring
the general email account). Another
commenter proposed that the Board
remove one of the examples of
indicators that a confirmation response
may have been intercepted or altered
because it appeared to create a de facto
requirement that an auditor treat a
confirmation response as not reliable if
the original confirmation request is not
returned with the confirmation
response.
47 See AS 1105.09.
In addition, one commenter suggested
modifying proposed paragraph .26 of
the proposed standard to provide that
the auditor should perform alternative
procedures if the auditor became aware
of any of the factors identified in
paragraph .25 and was unable to
overcome those factors to determine that
the confirmation response is reliable.
Another commenter stated that the
proposed standard should acknowledge
that, in certain specified circumstances,
an unreliable confirmation would likely
result in a scope limitation.
Having considered the comments
received, the Board notes that assessing
the reliability of confirmation responses
is a critical component of the
confirmation process. If indicators of
interception or alteration are present, it
is important for the auditor to address
them. When the auditor follows up on
a particular indicator, an auditor may
determine that the confirmation
requests and responses have not been
intercepted or altered. For example, an
auditor could verify that a difference in
the confirming party’s email address
between the confirmation request and
confirmation response occurred because
the confirming party responds to
confirmation requests from one central
email address. The note to paragraph .18
of the new standard (paragraph .25 of
the proposed standard) provides
examples of information that the auditor
should take into account if the auditor
becomes aware of it. Under PCAOB
standards, the auditor would document
the procedures performed in response to
information that indicates that a
confirmation request or response may
have been intercepted or altered. To
minimize any confusion, the Board
replaced the word ‘‘indicator’’ in the
note with the phrase ‘‘information that
indicates,’’ which has the same
meaning.
In addition, to clarify that the auditor
performs alternative procedures for the
selected item if the auditor is unable to
determine that a confirmation response
regarding that item is reliable, the Board
has added the phrase ‘‘for the selected
item’’ after the words ‘‘alternative
procedures’’ in paragraph .19 of the new
standard. The Board also revised the
reference in paragraph .26 of the
proposed standard to performing
alternative procedures ‘‘as discussed in
paragraph .31’’ to ‘‘in accordance with
Appendix C’’ in paragraph .19 of the
new standard to reflect that alternative
procedures for a selected item may not
be necessary under certain
circumstances, as discussed below, and
to reflect the relocation of the more
detailed discussion of alternative
procedures from the body of the
standard to Appendix C.
AS 3105, Departures from
Unqualified Opinions and Other
Reporting Circumstances, sets forth
requirements regarding limitations on
the scope of an audit,48 including scope
limitations relating to confirmation
procedures with respect to accounts
receivable.49 One example of such a
scope limitation would be the auditor’s
inability to confirm accounts receivable
balances combined with an inability to
perform other procedures in respect of
accounts receivable to obtain sufficient
appropriate audit evidence. The new
standard does not repeat such existing
requirements, as doing so would merely
duplicate those requirements.
Evaluating Confirmation Exceptions and
Addressing Nonresponses and
Incomplete Responses
For various reasons, information in a
confirmation response received by the
auditor could differ from other
information in the company’s records
obtained by the auditor. The 2022
Proposal provided that the auditor
should evaluate the confirmation
exceptions and determine their
implications for certain aspects of the
audit, as discussed below. The direction
in the 2022 Proposal was more detailed
than in existing AS 2310.
In particular, the 2022 Proposal
provided that the auditor should
evaluate whether confirmation
exceptions individually or in the
aggregate indicate a misstatement that
should be evaluated in accordance with
AS 2810. The 2022 Proposal did not,
however, require investigating all
confirmation exceptions to determine
the cause of each confirmation
exception. The 2022 Proposal also
included a provision that the auditor
should evaluate whether the
confirmation exceptions individually, or
in the aggregate, indicate a deficiency in
the company’s internal control over
financial reporting (‘‘ICFR’’).
With regards to nonresponses and
potential nonresponses, the 2022
Proposal provided that the auditor
should send a second positive
confirmation request to the confirming
party unless the auditor has become
aware of information that indicates that
the confirming party would be unlikely
to respond to the auditor. Additionally,
the 2022 Proposal specified that if a
confirmation response is returned by the
confirming party to anyone other than
the auditor, the auditor should contact
the confirming party and request that
the response be re-sent directly to the
auditor. If the auditor does not
subsequently receive a confirmation
response from the intended confirming
party, the 2022 Proposal provided that
the auditor should treat the situation as
a nonresponse.
48 See AS 3105.05–.15.
49 See AS 3105.07.
Further, in contrast with existing AS
2310, which does not address the
auditor’s responsibilities regarding
incomplete responses, the 2022
Proposal provided that the auditor
should perform alternative procedures if
a confirmation response is not received
or is incomplete.
The Board adopted the requirements
for evaluating confirmation exceptions
and addressing nonresponses as
proposed, with certain modifications
discussed below.
Some commenters indicated that the
proposed provisions regarding
evaluating confirmation exceptions and
addressing nonresponses were
sufficiently clear and appropriate. A few
commenters stated that the Board
should include requirements that limit
an auditor’s ability to assess
confirmation exceptions as merely
‘‘isolated exceptions.’’ Similarly, one
commenter asserted that the Board
should require auditors to resolve any
confirmation exceptions by examining
other third-party evidence such as
purchase orders. In light of these
comments, the Board has added a new
note to paragraph .20 of the new
standard that states that determining
that a confirmation exception does not
represent a misstatement that should be
evaluated in accordance with AS 2810
generally involves examining external
information, which may include
information that the company received
from knowledgeable external sources.
In the Board’s view, in many
circumstances examining external
evidence under the above provision is
necessary, as doing so is consistent with
both the goal of obtaining relevant and
reliable audit evidence and the type of
audit evidence sought from
confirmation. For example, an auditor
might send a confirmation request for a
selected item to a knowledgeable
confirming party regarding a $20,000
accounts receivable invoice and the
confirming party (i.e., the customer)
indicates that the outstanding balance
for this invoice at the date specified in
the confirmation request is $18,000.
Having investigated the $2,000
difference, the auditor learns that it does
not represent a misstatement, as the
customer overpaid for a different
invoice but applied the overpayment to
the invoice selected for confirmation
and the company applied the
overpayment differently. In this
scenario, determining that there is not a
$2,000 misstatement for the selected
item would involve the auditor
examining audit evidence from
knowledgeable external sources, such as
applicable purchase orders and
customer cash payments, in addition to
information generated by the company,
such as customer invoices.
The note to paragraph .20 of the new
standard uses the word ‘‘generally’’ to
acknowledge that in some
circumstances examining external audit
evidence may not be necessary. For
example, an auditor may have included
an incorrect figure in the confirmation
request and later determined that the
amount confirmed by the confirming
party agrees to the amount in the
company’s general ledger. Determining
that such a confirmation exception does
not represent a misstatement to be
evaluated in accordance with AS 2810
would not require examining audit
evidence from external sources.
One commenter suggested that the
Board consider reminding auditors that,
when using audit sampling, the auditor
should project the misstatement results
of the sample to the items from which
the sample was selected in accordance
with AS 2315. The Board considered
this comment, but did not add a
reminder regarding projecting the
results of a sample as the new standard
states in footnote 4 that AS 2315
addresses evaluating audit samples.
One commenter suggested that the
Board restructure paragraph .27 of the
proposed standard, as the auditor
generally considers whether a
confirmation exception is a
misstatement and then determines
whether there is a deficiency in internal
control. In consideration of this
comment, the Board has restructured
paragraph .20 of the new standard to
align with the typical order in which the
auditor considers the two matters
discussed therein (i.e., an auditor
typically considers whether a
confirmation exception indicates a
misstatement that should be evaluated
in accordance with AS 2810, Evaluating
Audit Results, and then considers
whether the confirmation exception
represents a deficiency in the
company’s ICFR).
One commenter expressed the view
that the Board should not require
auditors to evaluate whether a
confirmation exception constitutes a
control deficiency if the exception was
a result of a clerical error or caused by
a timing difference. The Board
continues to believe that requiring the
auditor to evaluate exceptions in such
circumstances is appropriate and the
auditor should consider whether all
confirmation exceptions are control
deficiencies. A clerical error or timing
difference could be indicative of a
deficiency in a company’s ICFR.
One commenter indicated that the
proposed requirement about sending a
second positive confirmation request
unless the auditor has become aware of
information that indicates that the
confirming party would be unlikely to
respond to the auditor was sufficiently
clear and appropriate. However, several
firms commented that the requirement
was too prescriptive, with one
commenter asserting that the
requirement could result in unnecessary
and potentially ineffective
administrative effort. Additionally, a
few commenters expressed concern that
following up on a confirmation request
would not constitute sending a second
confirmation request under the
proposed standard, but asserted that it
should be so treated.
The Board considered the comments
about the requirement to send a second
positive confirmation request. The use
of confirmation is not required under
the new standard other than for cash
and accounts receivable when they are
significant accounts or disclosures.
Under the new standard, for cash and
accounts receivable, the auditor may
perform other audit procedures to
obtain audit evidence by directly
accessing information maintained by a
knowledgeable external source. Further,
for accounts receivable, in certain
situations the new standard allows the
auditor to obtain external information
indirectly (see discussion of cash and
accounts receivable below).
Because the auditor may have a
choice of the audit procedure to
perform, the Board believes that the
auditor will select confirmation in those
situations where confirming parties will
be more likely to respond to the auditor.
In situations where a confirming party
does not respond to a confirmation
request, the Board has concluded it is
appropriate to require the auditor, in the
case of a nonresponse to a positive
confirmation request, to follow up with
the confirming party. The requirement
to follow up with the confirming party
is included in paragraph .21 of the new
standard. The new standard does not
prescribe a form of the auditor’s follow-up. For example, following up using the
same form of communication as in the
original confirmation request (e.g.,
email, direct electronic transmission
facilitated by an intermediary) would be
appropriate under the new standard. In
the case of an electronic confirmation
request, a follow-up request could be in
the form of a reminder or automated
reminder.
If the auditor subsequently receives a
confirmation response, the new
standard provides that the auditor
should evaluate that response in
accordance with paragraphs .18–.19 and
evaluate any confirmation exception in
accordance with paragraph .20. If the
auditor’s follow-up does not elicit a
confirmation response, paragraph .23 of
the new standard instructs the auditor
to perform alternative procedures for the
selected item in accordance with
Appendix C of the new standard.
To clarify that the auditor performs
alternative procedures for the selected
item, the Board has added the phrase
‘‘for the selected item’’ after the words
‘‘alternative procedures’’ in paragraph
.23 of the new standard. The Board also
revised the reference in paragraph .30 of
the proposed standard to performing
alternative procedures ‘‘as discussed in
paragraph .31’’ to refer to ‘‘in
accordance with Appendix C’’ in
paragraph .19 of the new standard to
reflect that alternative procedures for a
selected item may not be necessary
under certain circumstances, as
discussed below, and to reflect the
relocation of the more detailed
discussion of alternative procedures
from the body of the standard to
Appendix C.
Additional Considerations for Cash,
Accounts Receivable, and Terms of
Certain Transactions
(See paragraphs .24–.30 of the new
standard).
In general, evidence obtained from a
knowledgeable external source is more
reliable than evidence obtained only
from internal company sources. When
cash or accounts receivable are
significant accounts, there is a
presumption in the new standard that
the auditor should obtain audit
evidence from a knowledgeable external
source by performing confirmation
procedures or using other means to
obtain audit evidence by directly
accessing information maintained by
knowledgeable external sources. In
addition, the new standard addresses
other situations in which the auditor
should consider the use of confirmation.
The Board discusses below the
provisions of the new standard relating
to confirming cash held by third parties,
confirming accounts receivable,
performing other audit procedures for
accounts receivable when obtaining
audit evidence directly from a
knowledgeable external source would
not be feasible, communicating with the
audit committee in certain situations,
and confirming the terms of certain
other transactions. To improve the flow
of the requirements in the new standard,
these provisions have been placed after
the general provisions that describe the
auditor’s responsibilities related to the
confirmation process (i.e., after
paragraphs .08–.23).
Figure 1 depicts the relationship of
the requirements in the new standard
for cash and accounts receivable when
they are significant accounts
(paragraphs .24–.28) to the general
provisions of the new standard
applicable to the confirmation process
(paragraphs .08–.23).50
50 The information in Figure 1 is intended to be
for illustrative purposes and is not a substitute for
the new standard; only the new standard provides
the auditor with the definitive requirements.
[Figure 1 - Additional Considerations for Cash and Accounts Receivable (flowchart omitted)]
means of selecting items for testing are
selecting all items, selecting specific
items, and audit sampling.51 An auditor
selects individual cash items to confirm
following the relevant direction in
PCAOB standards, including identifying
and assessing the risk of misstatement
and developing an audit response.52 The
particular means or combination of
means of selecting cash items to confirm
depend on, for example, the
characteristics of the cash items and the
51 See AS 1105.22.
52 See, e.g., AS 2110 and AS 2301.
evidence necessary to address the
assessed risk of material misstatement.53
The 2022 Proposal emphasized that,
in selecting the individual items of cash
to confirm, the auditor should take into
account the auditor’s understanding of
the company’s cash management and
treasury function, and the substance of
the company’s arrangements and
transactions with third parties. For
example, an auditor might select bank
accounts with balances over a certain
amount, accounts with a high volume of
53 See AS 1105.23 and AS 2301.03.
transactions, accounts opened or closed
during the period under audit, or
accounts the auditor identifies as
particularly risk-prone. Alternatively,
the auditor might determine it is
appropriate to confirm all cash
accounts. The auditor also follows the
direction in PCAOB standards when
determining whether performing
procedures in addition to confirmation
is necessary to address the assessed risk
of material misstatement relating to
cash.54
The Board adopted the proposed
requirements to confirm cash, with
certain modifications discussed below.
A number of commenters supported
the proposed requirement for the
auditor to confirm cash held by third
parties. Some of these commenters
stated that confirming cash has long
been an audit best practice and that
requiring cash confirmation would lead
to more consistency in practice. In
addition, several commenters stated that
the standard was sufficiently risk-based
(i.e., by allowing the auditor to select
cash accounts and other financial
relationships to confirm based on the
risk of material misstatement associated
with cash).
Several commenters asserted that a
requirement to confirm cash was not
sufficiently risk-based, despite the
provisions in the 2022 Proposal that
described that the auditor should take
into account their understanding of the
company’s operations in making
selections of individual cash items to
confirm. In particular, several
commenters stated that the proposed
standard would require an auditor to
confirm cash without regard to the level
of risk that the auditor had determined
for cash in their risk assessment or
when other audit procedures could
produce sufficient appropriate audit
evidence. Other commenters expressed
the view that the requirement to confirm
cash, as well as accounts receivable,
should be removed, with some of these
commenters suggesting that the auditor
should be able to determine the audit
procedure that would be most effective
in obtaining relevant and reliable audit
evidence, without confirmation being
the ‘‘default’’ procedure.
The Board continues to believe that a
presumption to confirm cash is
appropriate. As discussed above, this
presumption to confirm cash is
consistent with current practice.
Consistent with the objective of the new
standard, the requirement to confirm
cash, as well as accounts receivable,
only applies when the auditor has
54 See, e.g., AS 2301.09.
determined that these accounts are
significant accounts.
With respect to confirming cash,
many commenters, primarily firms and
firm-related groups, expressed concern
that the 2022 Proposal did not contain
a provision about overcoming the
presumption to confirm cash. A number
of commenters also expressed the view
that auditors could obtain direct-access
view of bank information (or would be
able to do so in the future), which could
provide a more effective means of
directly obtaining external evidence
than sending a confirmation.
The Board agrees that if the auditor is
able to perform other audit procedures
that allow the auditor to obtain audit
evidence by directly accessing
information maintained by
knowledgeable external sources, such
audit evidence would be at least as
persuasive as audit evidence obtained
through confirmation procedures. The
Board therefore added to the
presumption to confirm cash (and
accounts receivable) in the new
standard the phrase ‘‘or otherwise
obtain relevant and reliable audit
evidence by directly accessing
information maintained by a
knowledgeable external source.’’
By way of example, the auditor might
satisfy this requirement to obtain
relevant and reliable audit evidence
under the new standard by obtaining
read-only access to information
maintained by a financial institution
concerning its transactions or balances
with the company directly online
through a secure website of the financial
institution using credentials provided to
the auditor by the financial institution.
The Term ‘‘Cash and Cash Equivalents
Held by Third Parties’’
The 2022 Proposal provided that the
term ‘‘cash’’ comprised both cash and
cash equivalents. Cash equivalents
generally refer to short-term, highly
liquid investments that are readily
convertible to known amounts of cash
and are so near their maturity that they
present insignificant risk of changes in
value because of changes in interest
rates.55 Such assets are commonly used
by companies to manage their cash
holdings. The 2022 Proposal also
described that the requirements for
confirming cash would apply to cash
held by third parties, and not limited to
cash held by financial institutions. In
the Board’s view, this expansion of
55 See, e.g., definition of ‘‘cash equivalents’’ in the
Master Glossary of the Financial Accounting
Standards Board (‘‘FASB’’) Accounting Standards
Codification and of ‘‘cash equivalents’’ in the
International Financial Reporting Standards
(‘‘IFRS’’).
confirmation requirements was
appropriate, as company funds can be
held by third parties other than
financial institutions, such as money
transfer providers.
The Board adopted this provision as
proposed in the 2022 Proposal.
There was one comment related to
this aspect of the 2022 Proposal,
suggesting that the new standard should
specify that ‘‘third parties’’ are not
limited to financial institutions. The
Board believes the reference to ‘‘third
parties’’ was sufficiently clear as
proposed and, accordingly, has not
expanded this description.
Confirming Other Financial
Relationships
The 2022 Proposal provided that the
auditor should consider confirming
other financial relationships with the
third parties with which the auditor
determines to confirm cash. Such
relationships can include lines of credit,
other indebtedness, compensating
balance arrangements, or contingent
liabilities, including guarantees. As
proposed, the auditor would be required
under PCAOB standards to document
the consideration given to the
confirmation of other financial
relationships and the conclusions
reached.56 Existing AS 2310 does not
have an analogous requirement to
confirm other financial relationships.
The Board adopted this provision as
proposed, with certain modifications
discussed below.
Several commenters stated that the
requirements for the auditor to consider
confirming other financial relationships
were clear. One commenter suggested
that confirming other financial
relationships should be required, and
that overcoming the presumption to
confirm should be available only when
the financial entity with which the
company does business does not offer
services that would give rise to other
financial relationships.
A number of commenters asserted
that auditors would be required to
56 See Note to PCAOB Rule 3101(a)(3), which
states that ‘‘(i)f a Board standard provides that the
auditor ‘‘should consider’’ an action or procedure,
consideration of the action or procedure is
presumptively mandatory, while the action or
procedure is not,’’ and AS 1215.05–.06 (audit
documentation should ‘‘[d]emonstrate that the
engagement complied with the standards of the
PCAOB’’ and must ‘‘document the procedures
performed . . . with respect to relevant financial
statement assertions’’). See also Audit
Documentation and Amendment to Interim
Auditing Standards, PCAOB Rel. No. 2004–006
(June 9, 2004), at 3 (‘‘the auditor documents not
only the nature, timing, and extent of the work
performed, but also the professional judgments
made by members of the engagement team and
others’’).
produce additional documentation of
their considerations, even when a
financial relationship(s) is not an area of
significant risk of material
misstatement. Some commenters
recommended that the provision that
the auditor ‘‘should consider’’ other
financial relationships be changed to
‘‘may consider,’’ in order to allow for
more auditor judgment in determining
the audit procedures to perform.
The Board continues to believe that
information about financial
relationships, including off-balance
sheet relationships, could be important
for the audit, as it could be part of
significant disclosures in a company’s
financial statements. Accordingly,
paragraph .29 of the new standard
provides that, in addition to obtaining
audit evidence from a knowledgeable
external source regarding cash in
accordance with paragraph .24, the
auditor should consider sending
confirmation requests to that source
about other financial relationships with
the company, based on the assessed risk
of material misstatement. The phrase
‘‘based on the assessed risk of material
misstatement’’ was added to clarify that
the auditor has flexibility in tailoring
audit procedures to the level of assessed
risk (e.g., by including or not including
confirmation in the audit response
based on the auditor’s assessed risk of
material misstatement of other financial
relationships). In addition, paragraph
.29 retains the examples of other
financial relationships that were
included in the 2022 Proposal.
Accounts Receivable
Confirming Accounts Receivable
The 2022 Proposal carried forward the
requirement in existing AS 2310 to
confirm accounts receivable. Similar to
existing AS 2310, the 2022 Proposal did
not specify the extent of confirmation
procedures for accounts receivable. As
noted above, the timing and extent of
confirmation procedures are part of the
auditor’s response to the risks of
material misstatement under PCAOB
risk assessment standards. The 2022
Proposal instead required the auditor to
take into account the auditor’s
understanding of the substance of the
company’s arrangements and
transactions with third parties and the
nature of the items that make up the
company’s account balances in selecting
the individual accounts receivable to
confirm. For example, an auditor might
assess the risk of material misstatement
relating to accounts receivable higher
for a company that is being audited for
the first time by the auditor, or for
accounts receivable from a newly
acquired operation in a foreign location.
The Board adopted the proposed
requirements to confirm accounts
receivable, with certain modifications
discussed below.
Most commenters on this aspect of the
2022 Proposal generally supported the
retention of a presumption to confirm
accounts receivable, and most of those
commenters stated that the requirement
for the auditor to confirm accounts
receivable was sufficiently clear and
appropriate. Two investor-related
groups stated that confirmation of cash
and accounts receivable was necessary,
in their view, to obtain persuasive,
sufficient, and competent audit
evidence.
On the other hand, a number of
commenters, primarily firms and firm-related groups, expressed concerns
about carrying forward the presumption
for auditors to confirm accounts
receivable from existing AS 2310. The
common theme of those commenters
was that requiring the auditor to use
confirmation for certain accounts may
not allow the auditor to exercise
professional judgment in determining
an appropriate response to the assessed
risk of material misstatement for those
accounts.
Regarding the selection of accounts
receivable to confirm, several
commenters agreed that the 2022
Proposal was sufficiently principles-based to allow auditors to use
professional judgment in determining
the extent of confirmation of accounts
receivable.
The Board continues to believe that a
presumption to confirm accounts
receivable is appropriate to emphasize
that audit evidence obtained from a
knowledgeable external source is
generally more reliable than evidence
obtained only from internal company
sources. Consistent with the objective of
the new standard, the requirement to
confirm cash and accounts receivable,
or otherwise obtain relevant and reliable
audit evidence by directly accessing
information maintained by a
knowledgeable external source, only
applies when the auditor has
determined that these accounts are
significant accounts.
As with cash balances discussed
above, the Board believes that when the
auditor is able to perform other audit
procedures to obtain audit evidence
about accounts receivable by directly
accessing information maintained by
knowledgeable external sources (e.g.,
information maintained by the
receivable counterparty), such evidence
would be at least as persuasive as audit
evidence through confirmation
procedures. The Board therefore added
to the presumption to confirm cash and
accounts receivable in the new standard
the phrase ‘‘or otherwise obtain relevant
and reliable audit evidence by directly
accessing information maintained by a
knowledgeable external source.’’
Audit evidence that an auditor
obtains by accessing a third party’s
information directly can be at least as
persuasive as audit evidence obtained
through confirmation procedures
because the auditor is able to observe
first-hand the information providing
such evidence. As technology continues
to develop, the Board believes it is
important for the new standard to reflect
that there may be additional
opportunities for the auditor to obtain
audit evidence directly beyond sending
a confirmation request. The new
standard would allow for future
innovations in audit techniques that
might involve the auditor obtaining
evidence for accounts receivable by
directly accessing information
maintained by a counterparty or other
knowledgeable external source. As
noted in the new standard, consistent
with selecting a confirming party, when
selecting the knowledgeable external
source providing the auditor with access
to information directly, the auditor
would be required to consider whether
the knowledgeable external source
would have any incentive or pressure to
provide the auditor with access to
information directly that is inaccurate or
otherwise misleading.
Situations where it would not be
feasible for the auditor to obtain audit
evidence for accounts receivable
directly from a knowledgeable external
source, through confirmation
procedures or other means, are
discussed below.
The Term ‘‘Accounts Receivable’’
The 2022 Proposal described
‘‘accounts receivable’’ as comprising
receivables arising from the transfer of
goods or services to a customer or from
a financial institution’s loans. Existing
AS 2310 describes accounts receivable
as the entity’s claims against customers
that have arisen from the sale of goods
or services in the normal course of
business, and a financial institution’s
loans. The 2022 Proposal was designed
to apply to the same types of items as
existing AS 2310, with a modified
description to align more closely with
the terminology of current accounting
requirements, which have been updated
since existing AS 2310 was written.57
57 See, e.g., FASB Accounting Standards
Codification Topic 606, Revenue from Contracts
The Board adopted this provision as
proposed.
Commenters on this aspect of the
2022 Proposal stated that the
description of accounts receivable was
clear. These commenters also noted that
there was no need to further broaden the
description to include additional types
of receivables.
The description of accounts
receivable in the new standard includes
receivables that arise from the transfer
of goods or services to a customer.
These types of receivables generally
arise from the company’s ordinary
revenue-generating activities, and
include items for which revenue has
been or will be recognized by a
company, such as receivables from
selling manufactured products or
providing a service to customers. The
description of accounts receivable also
includes a financial institution’s loans,
including loans to customers that the
institution has originated or purchased
from another institution. Examples of
financial institutions are banks, nonbank lenders, and mortgage companies
that provide financing to customers.
Situations When Obtaining Audit
Evidence for Accounts Receivable
Directly Would Not Be Feasible
Performing Other Substantive
Procedures, Including Tests of Details
In the 2022 Proposal, the presumption
to confirm accounts receivable could be
overcome when the auditor determined
that an audit response that only
included substantive audit procedures
other than confirmation would provide
audit evidence that is at least as
persuasive as evidence the auditor
might expect to obtain through
performing confirmation procedures.
The 2022 Proposal did not carry forward
the provisions in existing AS 2310
addressing overcoming the presumption
to confirm accounts receivable under
certain conditions, which are (i)
immateriality, (ii) ineffectiveness of
confirmation, or (iii) a certain
combination of the assessed risk and
expected results from other auditing
procedures.58
As discussed below, the new standard
includes a provision to address
situations when obtaining audit
evidence directly from knowledgeable
external sources, whether through
confirmation procedures or other
means, would not be feasible to execute.
Many commenters addressed the
provision in the 2022 Proposal to
overcome the presumption to confirm
with Customers, and IFRS 15, Revenue from
Contracts with Customers.
58 See AS 2310.34.
accounts receivable. A few commenters
noted that the ability to overcome the
presumption to confirm accounts
receivable was clear and appropriate. As
discussed below, many commenters
focused on the proposed provision that
evidence obtained through other
substantive procedures should be ‘‘at
least as persuasive as’’ evidence
obtained through confirmation:
• A number of investor-related groups
stated that the provision gave too much
leeway to auditors to overcome the
presumption to confirm accounts
receivable. These commenters asserted
that exceptions to confirming accounts
receivable should only be available
when other audit procedures would
provide more persuasive or greater
accumulated evidence than that
obtained through confirmation. These
commenters recommended additional
requirements, such as allowing the
auditor to overcome the presumption
only if they document the evidence and
basis for their conclusion and have
communicated the conclusion to the
audit committee and investors.
• Several firms and firm-related
groups stated that the relevant
provisions were not clear or more
guidance would be needed about
overcoming the presumption to confirm
accounts receivable when other
substantive procedures would be ‘‘at
least as persuasive as’’ the evidence
expected to be obtained through
confirmation. A few commenters
observed that the absence of a definition
of the term ‘‘persuasive’’ in AS 1105
contributed to a lack of clarity as to the
Board’s expectations and requested
more guidance about how to measure or
evaluate persuasiveness. Several
commenters emphasized that, rather
than focus the requirement for
overcoming the presumption to confirm
accounts receivable on whether audit
evidence obtained through audit
procedures other than confirmation is
‘‘at least as persuasive as’’ evidence
expected to be obtained through
confirmation, the Board should focus
the requirement on obtaining evidence
that is sufficient and appropriate to
address the assessed risk of material
misstatement or, as one commenter
suggested, on the reliability of the audit
evidence.
• Several commenters suggested that
the Board retain provisions similar to
those in existing AS 2310.34 for
allowing the auditor to overcome the
presumption to confirm accounts
receivable. In addition, several firms
and firm-related groups suggested that
the auditor’s ability to overcome the
presumption to confirm should be based
on risk assessment, similar to the
provision in existing AS 2310
addressing when the assessed level of
inherent and control risk is low.
• Many firms and firm-related groups
expressed concern that the criteria for
overcoming the presumption would
result in auditors having to use
confirmation even in situations where
historically confirmations were
determined by the auditor to be
ineffective and not to provide
persuasive audit evidence.
• One commenter stated that, if the
proposed language were adopted,
auditors would likely default to
confirming accounts receivable over
other audit procedures to avoid second-guessing of their determinations of the
persuasiveness of audit evidence.
• Several commenters, primarily
firms and firm-related groups, stated
that the 2022 Proposal imposed a higher
threshold than the existing standard for
auditors to overcome the presumption
to confirm accounts receivable without
a corresponding increase to audit
quality.
As previously discussed, the new
standard creates a presumption that the
auditor performs confirmation
procedures or otherwise obtains
relevant and reliable audit evidence by
directly accessing information
maintained by a knowledgeable external
source. Under PCAOB standards, in
general, evidence obtained directly by
the auditor from a knowledgeable
external source is more reliable than
evidence obtained indirectly.59
However, the Board appreciates that
there are instances where the auditor
determines that performing
confirmation procedures in response to
a risk of material misstatement related
to accounts receivable would not be
feasible. For example, commenters
described situations involving a history
of low response rates to confirmation
requests in certain industries (e.g.,
healthcare, utilities), or where
customers have been advised by a
government agency to avoid providing
personal or financial information in
response to an unexpected request. The
Board further understands that
companies in other industries (e.g., large
retailers, defense and aerospace
companies that contract with the federal
government) do not, as a matter of
policy, respond to confirmation
requests. There may also be instances in
which the performance of confirmation
procedures would not result in reliable
audit evidence.
Accordingly, paragraph .25 allows the
auditor to perform other substantive
procedures in response to a risk of
59 See AS 1105.08.
material misstatement, as long as such
procedures include tests of details, if the
auditor determines it is not feasible to
obtain audit evidence directly from a
knowledgeable external source pursuant
to paragraph .24. Paragraph .25
specifically provides that the auditor’s
determination should be based on the
auditor’s experience, such as prior
years’ audit experience with the
company or experience with similar
engagements where the auditor did not
receive confirmation responses, and the
auditor’s expectation of similar results if
procedures were performed pursuant to
paragraph .24. Any such determination
would be performed as part of
conducting the audit based on the
available facts and circumstances at that
time and properly supported in the
audit documentation for the
engagement.60 In addition, as described
below, for significant risks associated
with accounts receivable, the auditor
would be required to communicate with
the audit committee when the auditor
did not perform confirmation
procedures or otherwise obtain audit
evidence by directly accessing
information maintained by a
knowledgeable external source.
This provision replaces the concept in
the 2022 Proposal about obtaining audit
evidence that was ‘‘at least as persuasive
as’’ the evidence expected to be
obtained through confirmation
procedures. It also specifies that the
auditor should perform other
substantive procedures, including tests
of details, in these situations to make
clear that performing only substantive
analytical procedures would not be
sufficient to overcome the presumption
to confirm. These other substantive
procedures should involve obtaining
external information indirectly.
For accounts receivable, the auditor
may be able to satisfy this requirement
by obtaining information that is in the
company’s possession that the company
received from one or more
knowledgeable external sources.61
Examples of such external information
may include, for example, subsequent
cash receipts, shipping documents from
third-party carriers, customer purchase
orders, or signed contracts and
amendments thereto. This information
may be in electronic form (e.g., a
60 See AS 1215.05.
61 See also Proposed Amendments Related to
Aspects of Designing and Performing Audit
Procedures that Involve Technology-Assisted
Analysis of Information in Electronic Form, PCAOB
Rel. No. 2023–004 (June 26, 2023) (proposing
amendments to PCAOB auditing standards to
specify auditor responsibilities regarding certain
company-provided information that the auditor
uses as audit evidence, including information that
the company received from external sources).
purchase order initiated by a customer
through a company’s website) or in
paper form (e.g., a signed contract).
Conversely, when performing other
substantive procedures under this
provision, it would not satisfy the
requirements of the new standard to use
or rely solely on the company’s
internally produced information. For
example, an audit procedure that
involves an automated matching
analysis of a company’s revenue,
accounts receivable, and cash journal
entries recorded by the company would
be insufficient on its own because such
an analysis only involves the company’s
internally produced information. On the
other hand, when such internally
produced information is evaluated in
conjunction with external information
that the company received from a
knowledgeable external source, such as
checks that the company received
directly from customers or information
on subsequent cash receipts that the
company received from a financial
institution, the procedures would
involve audit evidence from a
knowledgeable external source.
Under existing PCAOB standards, the
quantity of audit evidence needed is
affected by its quality, including its
reliability, and in general evidence
obtained directly by the auditor is more
reliable than evidence obtained
indirectly. This applies to all
information (including external
information) used by the auditor in
arriving at the conclusions on which the
auditor’s opinion is based. For example,
as the quality of the evidence increases,
the need for additional corroborating
evidence decreases. The auditor should
be mindful of these requirements when
determining an appropriate audit
response to a risk of material
misstatement that involves obtaining
external information indirectly under
the new standard.
Further, when performing audit
procedures that involve obtaining
external information, the auditor should
be mindful of other relevant PCAOB
standards that address the
documentation of the procedures
performed and the relevance and
reliability of the audit evidence
obtained.62 Audit documentation must
clearly demonstrate the work performed
by the auditor. In addition, the
reliability of that audit evidence
depends on the nature and source of the
evidence and the circumstances under
which it is obtained.
62 See e.g., AS 1215.05–.06 and AS 1105.07–.08.
Communicating With the Audit
Committee About the Auditor’s
Response to Significant Risks for Cash
and Accounts Receivable
The 2022 Proposal included a
requirement for the auditor to
communicate to the audit committee 63
instances where the auditor had
determined that the presumption to
confirm accounts receivable had been
overcome. In proposing that
requirement, the Board considered the
long-standing practice by auditors in the
United States to confirm accounts
receivable, and noted that a
communication requirement when the
presumption to confirm is overcome
could enhance the audit committee’s
understanding of the auditor’s strategy.
In this regard, existing standards require
the auditor to communicate to the audit
committee about the auditor’s overall
audit strategy, significant risks
identified during risk assessment
procedures, significant changes to the
planned audit strategy, and significant
difficulties encountered during the
audit.64 Existing AS 2310 does not have
a requirement to communicate to the
audit committee about overcoming the
presumption to confirm accounts
receivable.
The new standard contains a
requirement for the auditor to
communicate with the audit committee
about the auditor’s response to
significant risks associated with cash or
accounts receivable when the auditor
did not perform confirmation
procedures or otherwise obtain audit
evidence by directly accessing
information maintained by a
knowledgeable external source.
Several commenters, primarily
investor-related groups, supported the
proposed requirement in the 2022
Proposal that the auditor communicate
to the audit committee when an auditor
overcomes the presumption to confirm
accounts receivable. One of the
commenters referred to a statement in
the 2022 Proposal that a requirement to
communicate to the audit committee
when overcoming the presumption to
confirm accounts receivable ‘‘may
reinforce the auditor’s obligation to
exercise due professional care in making
that determination.’’ This commenter
also noted that overcoming the
presumption could result in a critical
audit matter under AS 3101, The
Auditor’s Report on an Audit of
63 The term ‘‘audit committee,’’ as used in the
new standard, has the same meaning as defined in
Appendix A of AS 1301, Communications with
Audit Committees.
64 See AS 1301.09, .11, .23.
Financial Statements When the Auditor
Expresses an Unqualified Opinion.65
Many commenters on this aspect of
the 2022 Proposal, primarily firms and
firm-related groups, disagreed with a
specific requirement to communicate
with the audit committee on this matter.
These commenters asserted that such a
requirement did not align with
principles in AS 1301 to communicate
with the audit committee about
significant risks, including audit matters
arising from the audit that are
significant to the oversight of the
company’s financial reporting process.
A number of these commenters also
noted that, if there were a significant
risk in accounts receivable or associated
with a critical audit matter, the auditor
would already be required to
communicate these matters under AS
1301. Several other commenters
indicated that they did not object to a
more targeted requirement to
communicate with the audit committee
about overcoming the presumption to
confirm when accounts receivable was
assessed as a significant risk.
In addition, several commenters
asserted that a requirement to
communicate to the audit committee
about overcoming the presumption to
confirm would not improve audit
quality, and could be detrimental if this
communication became a compliance
exercise for auditors, detracting them
from performing effective audit
procedures. A few commenters also
stated there would not be a benefit to
audit quality if the Board were to
mandate that auditors treat instances of
overcoming the presumption to confirm
as a critical audit matter.
The 2022 Proposal stated that there
may be some expectation by audit
committees that the auditor would use
confirmation as part of a planned audit
response. One commenter encouraged
the Board to perform outreach with
audit committees to understand whether
this expectation was, in fact,
widespread and whether the proposed
communication requirement would be
relevant and meaningful.
Having considered the comments
received, the Board does not believe it
is necessary to require the auditor to
inform the audit committee in every
instance where the auditor performed
substantive audit procedures other than
confirmation to address the risk of
65 A critical audit matter is defined in AS 3101.A2
as ‘‘[a]ny matter arising from the audit of the
financial statements that was communicated or
required to be communicated to the audit
committee and that: (1) relates to accounts or
disclosures that are material to the financial
statements and (2) involved especially challenging,
subjective, or complex auditor judgment.’’
material misstatement of cash or
accounts receivable. However, the Board
believes the auditor should inform the
audit committee when the auditor did
not perform confirmation procedures or
otherwise obtain audit evidence by
directly accessing information
maintained by a knowledgeable external
source when responding to significant
risks associated with either cash or
accounts receivable.
This targeted requirement is
consistent with the views expressed by
several commenters, as discussed above.
It is also consistent with the existing
obligation of auditors under PCAOB
standards to communicate to the audit
committee an overview of the overall
audit strategy and to discuss with the
audit committee the significant risks of
material misstatement identified during
the auditor’s risk assessment
procedures.66 In addition, as with other
matters arising from the audit of
financial statements and communicated
or required to be communicated to the
audit committee, the auditor is required
to determine whether these matters are
critical audit matters in accordance with
AS 3101.67
Confirming Terms of Certain
Transactions
The 2022 Proposal provided that, for
significant risks of material
misstatement associated with either a
complex transaction or a significant
unusual transaction, the auditor should
consider confirming terms of the
transaction with the counterparty to the
transaction. This provision updates a
requirement in existing AS 2310.08 that
the auditor should consider confirming
the terms of certain transactions that are
associated with high levels of risk. The
2022 Proposal used the terminology
‘‘significant risk’’ and ‘‘significant
unusual transactions,’’ but the provision
was intended to be similar to that in
existing AS 2310.
The Board adopted the proposed
requirements to consider confirming
terms of certain transactions, with
certain modifications discussed below.
Several commenters noted that the
provision in the 2022 Proposal was
sufficiently clear and appropriate. Other
commenters suggested various
modifications to the provision that they
asserted would improve its clarity, such
as elaborating on the meaning of the
term ‘‘complex transaction’’ and stating
that the provision applies when the
assertions related to the significant risk
of material misstatement can be
adequately addressed through
66 See AS 1301.09.
67 See AS 3101.11–.12.
confirmation. Several commenters
indicated that other audit procedures,
not including confirmation, may
adequately address an assessed
significant risk over the existence
assertion, such as obtaining and
reviewing an original executed contract
and verifying the execution of its terms
over a period of time.
To provide additional clarity, the new
standard provides that the auditor
should consider confirming those terms
of a complex transaction or significant
unusual transaction that are associated
with a significant risk of material
misstatement, including a fraud risk.
Under the new standard, examples of
such terms may include terms relating
to (i) oral side agreements, or
undisclosed written or oral side
agreements, where the auditor has
reason to believe that such agreements
exist, (ii) bill and hold sales, and (iii)
supplier discounts or concessions.
When such arrangements or agreements
are part of a complex transaction or
significant unusual transaction
identified by the auditor, there may be
a heightened risk that the transaction
has been entered into to engage in
fraudulent financial reporting or conceal
misappropriation of assets. Likewise, a
complex transaction or a significant
unusual transaction could have a
heightened risk of error whereby
confirmation could lead to
identification of an additional term that,
under an accounting standard, might
have accounting implications not
previously recognized by either the
company or the auditor. Accordingly,
the auditor’s confirmation of terms
related to such arrangements or
agreements may assist the auditor in
evaluating the business purpose, or lack
thereof, of the transaction.68 These
examples are not intended to be an
exhaustive list. An auditor may identify
other terms to confirm relating to a
complex transaction or a significant
unusual transaction if the auditor
decides that confirmation could result
in obtaining relevant and reliable audit
evidence about that transaction.
One investor-related group
recommended that the provision in the
2022 Proposal addressing the terms of
complex transactions and significant
unusual transactions should be
mandatory and read ‘‘should’’ instead of
‘‘should consider.’’ In contrast, other
commenters asserted that the provision
was unduly prescriptive. Several
commenters recommended that the
Board change the phrase ‘‘should
consider’’ to ‘‘may consider’’ to allow
for more auditor judgment in
68 See AS 2401.67.
determining the audit procedures to
perform to address significant unusual
transactions or other complex
transactions. The Board believes that the
provision stating that the auditor
‘‘should consider’’ confirming terms of
complex transactions or significant
unusual transactions associated with a
significant risk of material misstatement
is sufficiently risk-based for the auditor
to have flexibility in selecting the audit
procedures that are best suited to
address significant risks of material
misstatement, depending on the facts
and circumstances of individual
transactions.
Another commenter suggested that
the Board place additional emphasis on
the auditor having a heightened degree
of professional skepticism, similar to a
provision in existing AS 2310.27, and
that doing so would allow auditors to
make appropriate judgments in
determining whether facts and
circumstances indicate that
confirmation procedures may not
produce sufficient appropriate evidence
to address the assessed risks. The Board
did not include additional language in
the new standard about the auditor’s
potential need to exercise a heightened
degree of professional skepticism
related to confirmation because the
auditor’s obligation to apply
professional skepticism is relevant to all
aspects of the audit.69
Performing Alternative Procedures for
Selected Items
(See paragraphs .C1–.C2 of the new
standard).
The 2022 Proposal provided that the
auditor should perform alternative
procedures in certain scenarios
involving identifying confirming parties
or evaluating the reliability of
confirmation responses, as well as in
scenarios involving nonresponses and
incomplete responses.70 This range of
scenarios was broader than under
existing AS 2310, which provides that,
with certain exceptions, the auditor
should apply alternative procedures
where the auditor has not received
replies to positive confirmation
requests. In addition, existing AS 2310
provides examples of alternative
procedures, and requires the auditor to
evaluate the combined evidence
provided by confirmation and any
alternative procedures and send
additional confirmation requests or
perform other audit tests, as needed, to
69 See AS 1015.07.
70 See paragraphs .20 (inability to identify a
confirming party), .26 (unreliable response), and .30
(nonresponse or incomplete response) of the
proposed standard.
obtain sufficient appropriate audit
evidence.
The 2022 Proposal provided examples
of alternative procedures that may
provide relevant and reliable audit
evidence regarding accounts receivable,
accounts payable, and the terms of a
transaction or agreement. These
provisions expanded upon the examples
of alternative procedures discussed in
existing AS 2310.
The 2022 Proposal did not specify
whether performing alternative
procedures for the items the auditor was
unable to confirm, alone or in
combination with other audit
procedures, is necessary to obtain
sufficient appropriate audit evidence.
Under the 2022 Proposal, the auditor
would make that determination based
on the facts and circumstances of the
audit. Further, an auditor might
determine that, without obtaining a
reliable confirmation response, the
auditor is unable to obtain sufficient
appropriate audit evidence for a
relevant assertion through performing
alternative procedures for the items the
auditor could not confirm, other audit
procedures, or both (e.g., if the auditor
observes conditions during the
confirmation process that indicate a
heightened fraud risk). In such
scenarios, the 2022 Proposal provided
that the auditor would consider the
impact on the audit opinion in
accordance with AS 3105.
The 2022 Proposal also provided that
performing alternative procedures may
not be necessary where items selected
for confirmation for which the auditor
was not able to complete audit
procedures would not—if misstated—
change the outcome of the auditor’s
evaluation of the effect of uncorrected
misstatements performed in accordance
with AS 2810.17.71 For example,
following the direction in AS 2810.17,
under the 2022 Proposal an auditor may
have determined that an item that the
auditor was unable to confirm would
not be material individually or in
combination with other misstatements.
In such situations, the auditor would
not have been required to perform
alternative procedures.72 Existing AS
2310 includes an analogous exception.
71 The auditor’s evaluation of materiality under
AS 2810.17 takes into account both relevant
quantitative and qualitative factors.
72 In certain circumstances, auditors may have
obligations independent of the Board’s auditing
standards to perform either confirmation
procedures or other auditing procedures. See, e.g.,
Section 30(g) of the Investment Company Act of
1940, 15 U.S.C. 80a–29(g) (providing that the
auditor’s report on the financial statements of a
registered investment company ‘‘shall state that
such independent public accountants have verified
securities owned, either by actual examination, or
The Board adopted the requirements
substantially as proposed, with certain
modifications discussed below.
In the 2022 Proposal, the additional
discussion of alternative procedures
appeared in the main body of the
proposed standard (paragraph .31). To
enhance the readability of these
provisions and facilitate their
implementation, the Board has relocated
them to Appendix C, which includes
one paragraph that describes when
performing other audit procedures may
be necessary (paragraph .C1) and a
second paragraph that provides further
direction as to when alternative
procedures are required under the new
standard and includes examples of
alternative procedures (paragraph .C2).
In addition, to remind auditors that
the auditor’s assessment of risks of
material misstatement, including fraud
risks, should continue throughout the
audit, including the confirmation
process, paragraph .C1 of the new
standard states that, when the auditor is
unable to obtain relevant and reliable
audit evidence about the selected item
through confirmation, the auditor
should evaluate the implications for the
auditor’s assessment of the relevant
risks of material misstatement,
including fraud risks.
Several commenters indicated that the
circumstances in the 2022 Proposal
under which the auditor generally
would be required to perform
alternative procedures were sufficiently
clear and appropriate. However,
multiple commenters suggested that the
Board include an example of an
alternative procedure for cash. In
consideration of these comments, the
Board has incorporated an example of
an alternative procedure that may
provide relevant and reliable audit
evidence regarding cash, which involves
the auditor verifying information about
the company’s cash account maintained
in a financial institution’s information
system by viewing this information
directly on a secure website of the
financial institution. In this example,
the auditor might verify such
information by determining the validity
of the financial institution’s website and
viewing the information directly on the
secure website. The information viewed
by the auditor could be accessed either
by the auditor, using login credentials
provided by the company, or by
company personnel. This additional
example is intended to address some
commenters’ misperception that the
2022 Proposal would not allow the
by receipt of a certificate from the custodian, as the
Commission may prescribe by rules and
regulations’’).
auditor to perform alternative
procedures in the event that a positive
confirmation request related to cash
does not result in a confirmation
response.
Several commenters asserted that the
note in the 2022 Proposal identifying
situations where alternative procedures
may not be necessary was not clear,
with one commenter indicating that the
analogous exception in existing AS 2310
was clearer because it addressed audit
sampling. In consideration of these
comments, the Board has revised the
note to paragraph .C2 of the new
standard to clarify how the exception
from performing alternative procedures
for selected items should be applied and
revised the footnote in the paragraph to
further explain how the exception is
applied in scenarios involving audit
sampling.
The following example further
illustrates applying this provision in an
audit: An auditor selects a sample of 50
accounts receivable invoices for
confirmation and receives confirmation
responses for 45 invoices that do not
indicate a need for the auditor to
perform alternative procedures. For two
nonresponses, the auditor performs
alternative procedures and obtains
relevant and reliable audit evidence
identifying no misstatements. For the
three remaining nonresponses, the
auditor does not perform alternative
procedures because the auditor
appropriately determines that, even if
the amounts associated with the
invoices were projected as 100 percent
misstatements to the population from
which the sample was selected and
added to any other accounts receivable
misstatements (i.e., accounts receivable
misstatements identified through audit
procedures other than confirmation), the
outcome of the auditor’s evaluation
performed in accordance with AS
2810.17 would not change.
Another commenter recommended
that, for nonresponses, the Board
require that the auditor ‘‘must’’ perform
alternative procedures that include
examining third-party evidence. This
commenter also suggested that the
Board revise the example of alternative
procedures for accounts receivable by
removing the phrase ‘‘one or more,’’
such that the auditor would perform all
of the procedures identified in the
example (i.e., examining subsequent
cash receipts, shipping documents, and
other supporting documentation).
Having considered these comments,
the Board believes that, with the
modifications discussed above, the
requirements in paragraph .C1 of the
new standard provide appropriate
direction regarding when alternative
procedures are required. Additionally,
the Board believes that including
examples in paragraph .C2 of alternative
procedures that may provide relevant
and reliable audit evidence about
selected items, without mandating
specific procedures, is appropriate, as it
is impracticable to describe specific
procedures for all scenarios that could
occur in an audit.
Additionally, as discussed above, the
Board has modified paragraph .B2 of the
new standard to provide that in
circumstances where the auditor should
not use an intermediary to send
confirmation requests or receive
confirmation responses, the auditor
should send confirmation requests
without the use of an intermediary or,
if unable to do so, perform alternative
procedures in accordance with
Appendix C of the new standard. In
light of this modification, the Board has
added a reference to paragraph .B2 to
Appendix C of the new standard.
Evaluating Results
(See paragraph .31 of the new
standard).
The 2022 Proposal did not carry
forward a requirement, included in
existing AS 2310, for the auditor to
evaluate in the aggregate audit evidence
obtained from performing confirmation
procedures and any alternative
procedures. Excluding this requirement
from the 2022 Proposal was intended to
avoid the duplication of certain
requirements of AS 2810 that discuss
the auditor’s responsibilities for
evaluating audit results and determining
whether the auditor has obtained
sufficient appropriate audit evidence.
As discussed above, however,
paragraph .24 of the new standard
allows the auditor to perform audit
procedures other than confirmation for
cash and accounts receivable to obtain
relevant and reliable audit evidence by
directly accessing information
maintained by a knowledgeable external
source. The Board therefore decided to
remind the auditor in paragraph .31 of
the new standard that the auditor
should evaluate the combined audit
evidence provided by confirmation
procedures, alternative procedures, and
other procedures to determine whether
sufficient appropriate audit evidence
has been obtained in accordance with
AS 2810.
Other Matters
This section addresses certain
additional matters that were also
discussed in the 2022 Proposal. In
addition, this section discusses
definitions included in the new
standard and related amendments to
PCAOB auditing standards.
Management Requests Not To Confirm
Consistent with existing AS 2310, the
2022 Proposal did not address, nor does
the new standard address, situations in
which management requests that the
auditor not confirm one or more items.
Several commenters agreed with the
approach in the 2022 Proposal and
indicated that auditor responsibilities in
such situations are already addressed by
existing PCAOB standards. One
commenter suggested that the Board
consider adding a requirement that, if
management requests an auditor not to
confirm a certain item, the auditor
should both request management to
indicate the reason for the request and,
as appropriate, consider whether the
request is indicative of a risk of material
misstatement. Another commenter
agreed that the potential scope
limitation or fraud risk from a
management request not to confirm is
addressed in other PCAOB standards,
but expressed the view that including
guidance in the new standard unique to
confirmation would be appropriate. A
different commenter did not suggest
changes to the Board’s approach, but
observed that management requests not
to confirm are primarily relevant in the
financial services industry and that it
had experienced infrequent
management requests not to confirm in
other industries.
Having considered the comments
received, the Board believes that
existing PCAOB standards appropriately
address situations involving
management requests not to confirm. In
particular, AS 1301 requires that the
auditor communicate to the audit
committee disagreements with
management 73 and difficulties
encountered in performing the audit,
including unreasonable management
restrictions encountered by the auditor
on the conduct of the audit (e.g., an
unreasonable restriction on confirming
transactions or balances).74 AS 3105
also sets forth requirements regarding
limitations on the scope of an audit,75
including scope limitations relating to
confirmation.76
Further, AS 2110 and AS 2401
describe the auditor’s responsibilities
regarding identifying, assessing, and
responding to fraud risks. For example,
AS 2401.09 states that fraud may be
concealed by withholding evidence. A
management request to limit audit
73 See AS 1301.22.
74 See AS 1301.23.
75 See AS 3105.05–.17.
76 See AS 3105.07.
testing by not obtaining external audit
evidence through confirmation could be
relevant to the auditor’s consideration of
fraud risk factors, including the
consideration of management
incentives, opportunities, and
rationalization for perpetrating fraud.
Considering the applicability of existing
provisions to situations involving
management requests not to confirm, as
discussed above, the Board believes that
including analogous requirements in the
new standard could lead to unnecessary
duplication of existing requirements
and potential confusion.
necessary to access a secure website
where data that addresses the subject
matter of the confirmation is held.
Having considered these comments,
the Board adopted the new standard as
proposed in relation to direct access.
While direct access does not
constitute a confirmation procedure
under the new standard, the new
standard provides that the auditor may
obtain relevant and reliable audit
evidence by directly accessing
information maintained by a
knowledgeable external source, as
discussed above.
Restrictions and Disclaimers
The requirements in the proposed
standard relating to the auditor’s
evaluation of the reliability of
confirmation responses included a
reminder, in the form of a footnote, of
the auditor’s responsibilities under AS
1105 as they relate to restrictions and
disclaimers. A similar reminder does
not exist in existing AS 2310.
The Board is including this reference
to AS 1105.08 as proposed, in a footnote
to paragraph .18 of the new standard.
No comments were received on this
aspect of the 2022 Proposal. In
accordance with AS 1105.08, the
auditor should evaluate the effect of
restrictions, limitations, or disclaimers
in confirmation responses on the
reliability of audit evidence.77
Definitions
To operationalize the requirements
included in the 2022 Proposal, the
proposal included definitions for
‘‘confirmation exception,’’
‘‘confirmation process,’’ ‘‘confirmation
request,’’ ‘‘confirmation response,’’
‘‘confirming party,’’ ‘‘negative
confirmation request,’’ ‘‘nonresponse,’’
and ‘‘positive confirmation request.’’
The Board adopted the definitions as
proposed, with certain modifications
discussed below.
Several commenters stated that, in
general, the definitions in the 2022
Proposal were sufficiently clear and
appropriate. Other commenters either
did not provide comments on the
proposed definitions or suggested
certain modifications, as discussed
below.
Some commenters stated that the
Board should modify the proposed
definition of ‘‘nonresponse’’ to reflect
that a nonresponse includes a situation
where the auditor does not receive a
confirmation response to a positive
confirmation request directly from the
intended confirming party. Having
considered this comment, the Board is
aligning the definition of ‘‘nonresponse’’
with the definition of ‘‘confirmation
response’’ and the requirements of
paragraph .16 of the new standard. This
modification clarifies that a
confirmation response that is not
received directly from the confirming
party would constitute a nonresponse.
The Board has also modified the
definition of ‘‘negative confirmation
request’’ to use the defined term
‘‘confirmation request’’ rather than
‘‘request.’’
One commenter proposed
modifications to the definitions of
‘‘confirmation exception’’ and
‘‘confirmation process’’ to specify that
(i) sending a confirmation request may
include transmitting the request in
electronic form and (ii) only differences
between a confirmation response and
information the auditor obtained from
the company that the auditor had
originally sought to confirm constitute a
confirmation exception. Having
considered the comment, the Board
notes that the proposed definition of
‘‘confirmation process’’ intentionally
did not prescribe the method or
methods by which confirmation
requests can be sent and by which
confirmation responses can be received,
as the standard is intended to apply to
all methods of sending and receiving
confirmation requests and responses.
Further, the Board believes that any
instance where information in a
confirmation response differs from
information the auditor obtained from
the company, even if the information in
the confirmation response was not
information that the auditor originally
sought to confirm, should constitute a
confirmation exception. Accordingly,
the Board adopted the definition of
‘‘confirmation exception’’ as proposed
and adopted the definition of
‘‘confirmation process’’ as proposed,
with one modification to include
‘‘selecting one or more items to be
confirmed’’ in the definition to align
with the requirements specifically
related to the confirmation process in
the new standard.
The 2022 Proposal also indicated that
an oral response to a confirmation
request was a nonresponse. One
commenter stated that a video recording
of a call between an auditor and an
individual at a confirming party ought
not be considered less reliable audit
evidence than a written response from
an organization. Another commenter
suggested that the PCAOB define the
term ‘‘confirmation’’ because the 2022
Proposal stated that an oral response
was a nonresponse but did not provide
guidance as to whether other forms of
response would be evidence of
confirmation.
As the Board continues to believe that
obtaining direct written communication,
in paper or electronic form, from a
confirming party is necessary for a
response to constitute a confirmation
response, the Board has not made
further modifications to the definition
in the new standard beyond those
described above. Accordingly, a video
recording of a call between an auditor
and an individual at a confirming party
or an oral response would constitute
nonresponses under the new standard,
although the auditor could still consider
the relevance and reliability of the audit
evidence provided by a video recording
or an oral response when determining
the nature and extent of alternative
procedures required to be performed
under the new standard.
77 See AS 1105.08.
Direct Access
The 2022 Proposal did not describe
direct access as a confirmation
procedure. Existing AS 2310 currently
does not address such a procedure, but
the 2010 Proposal had provided that
direct access could be considered a
confirmation procedure in certain
circumstances.
A few commenters on the 2022
Proposal either agreed with, or
indicated that they did not object to, the
Board’s stated position that direct access
does not constitute a confirmation
procedure. However, several firms and
firm-related groups stated that, when
properly executed, audit evidence
obtained by the auditor through direct
access can provide persuasive evidence
about the existence of cash. One
commenter recommended that the
PCAOB consider aligning with the
AICPA’s position on this matter by
acknowledging that the auditor’s direct
access to information held by a
confirming party may meet the
definition of a confirmation procedure
when, for example, the confirming party
provides the auditor with the electronic
access codes or other information
Amendments to Related PCAOB
Auditing Standards
The Board adopted amendments to
several existing PCAOB auditing
standards to align with the new
standard.
Amendments to AS 1105
(See paragraph .18 of AS 1105, as
amended).
The 2022 Proposal included proposed
amendments to AS 1105 to (i) align the
description of a ‘‘confirmation
response’’ in AS 1105 with the
definition of the same term included in
the 2022 Proposal and (ii) clarify that
the terms ‘‘confirmation response,’’
‘‘confirmation request,’’ and
‘‘confirming party,’’ as used in AS 1105,
have the same meaning as defined in
Appendix A of the 2022 Proposal.
The Board adopted the amendments
as proposed.
Existing AS 1105.18 states that ‘‘[a]
confirmation response represents a
particular form of audit evidence
obtained by the auditor from a third
party in accordance with PCAOB
standards.’’ The 2022 Proposal used the
defined term ‘‘confirming party’’ in lieu
of ‘‘third party.’’ One commenter
suggested retaining the phrase ‘‘third
party’’ in AS 1105.18 to provide further
clarity. The Board is not using this term
because the new standard describes a
confirming party as ‘‘a third party,
whether an individual or an
organization, to which the auditor sends
a confirmation request,’’ thus making it
clear that a confirming party is a third
party.
Another commenter suggested that
the Board strike the word
‘‘independent’’ from AS 1105.08, which
states that ‘‘[e]vidence obtained from a
knowledgeable source that is
independent of the company is more
reliable than evidence obtained only
from internal company sources.’’ This
commenter asserted that, although
confirmation evidence may be more
reliable, it is not truly ‘‘independent.’’
The Board is not striking the word
‘‘independent’’ from AS 1105.08 as it
believes the concept expressed in AS
1105.08 is well understood by auditors
and does not purport to be a definitive
statement about the ‘‘independence’’ of
evidence from a confirming party.
Amendments to AS 1301
(See Appendix B to AS 1301, as
amended).
The 2022 Proposal included a
proposed requirement for the auditor to
communicate to the audit committee
instances in which the auditor has
determined that the presumption to
confirm accounts receivable has been
overcome and the basis for the auditor’s
determination. The 2022 Proposal
included a conforming amendment to
AS 1301 that would refer to the
proposed requirement.
The Board adopted the conforming
amendment to AS 1301 that refers to the
audit committee communication
requirement contained in the new
standard. The required communication
with the audit committee about the
auditor’s response to significant risks
associated with cash or accounts
receivable when the auditor did not
perform confirmation procedures or
otherwise obtain audit evidence by
directly accessing information
maintained by a knowledgeable external
source is discussed above.
Amendments to AS 2401
(See paragraphs .54 and .66A of AS
2401, as amended).
The 2022 Proposal included a
proposed amendment to AS 2401 to
refer to the title of the confirmation
standard as proposed in the 2022
Proposal (i.e., ‘‘The Auditor’s Use of
Confirmation’’).
The Board adopted the amendment as
proposed and adopted an additional
conforming amendment to AS 2401, as
discussed below.
One commenter suggested that the
Board consider a conforming
amendment to AS 2401 to acknowledge
a requirement in proposed paragraph
.15 to consider confirming terms of the
transaction for significant risks of
material misstatement associated with
either a complex transaction or
significant unusual transaction. Having
considered the comment, the Board
adopted a conforming amendment to the
note to AS 2401.66A to remind the
auditor of the requirement in paragraph
.30 of the new standard that for
significant risks of material
misstatement associated with either a
complex transaction or a significant
unusual transaction, the auditor should
consider confirming those terms of the
transaction that are associated with a
significant risk of material
misstatement, including a fraud risk.
Amendments to AS 2510
(See paragraph .14 of AS 2510, as
amended).
AS 2510.14 includes a statement that
‘‘if inventories are in the hands of
public warehouses or other outside
custodians, the auditor ordinarily would
obtain direct confirmation in writing
from the custodian.’’ The 2022 Proposal
included a proposed amendment to AS
2510 to remind auditors that AS 2310
establishes requirements for the
auditor’s use of confirmation.
The Board adopted the amendment as
proposed.
One commenter stated that the Board
should address the confirmation of
inventory in the new standard instead of
making conforming amendments to AS
2510. The Board continues to believe
that including requirements related to
inventory in a single standard is
appropriate. However, the Board
acknowledges that AS 2510.14 includes
two requirements related to the
confirmation of inventory. First, AS
2510.14 provides that ‘‘[i]f inventories
are in the hands of public warehouses
or other outside custodians, the auditor
ordinarily would obtain direct
confirmation in writing from the
custodian.’’ Second, AS 2510.14 further
states that the auditor should perform
one or more of four additional
procedures, as considered necessary by
the auditor, if such inventories
represent a significant proportion of
current or total assets. One such
procedure is to confirm pertinent details
of pledged receipts with lenders (on a
test basis, if appropriate), if warehouse
receipts have been pledged as collateral.
The Board has added a cross-reference
to AS 2510 in footnote 4 of the new
standard to clarify that AS 2510 also
includes auditor responsibilities
relevant to the auditor’s use of
confirmation.
Amendments to AS 2605
(See paragraphs .22 and .27 of AS
2605, as amended).
AS 2605.22 includes a statement that
‘‘for certain assertions related to less
material financial statement amounts
where the risk of material misstatement
or the degree of subjectivity in the
valuation of the audit evidence is low,
the auditor may decide, after
considering the circumstances and the
results of work (either test of controls or
substantive tests) performed by internal
auditors on those particular assertions,
the audit risk has been reduced to an
acceptable level and that testing of the
assertions directly by the auditor may
not be necessary.’’ The paragraph then
includes assertions about the existence
of cash, prepaid assets, and fixed-asset
additions as examples of assertions that
might have a low risk of material
misstatement or involve a low degree of
subjectivity in the evaluation of audit
evidence.
The 2022 Proposal included a
proposed amendment to strike the word
‘‘cash’’ from AS 2605.22 to avoid
confusion, as the 2022 Proposal
required the auditor to perform
confirmation procedures in respect of
cash.
In addition, the 2022 Proposal
included a proposed amendment to
acknowledge in paragraph .27 of AS
2605, which discusses using internal
auditors to provide direct assistance to
the auditor, the proposed restrictions on
the use of internal audit in a direct
assistance capacity in the confirmation
process.
The Board adopted the amendments
substantially as proposed, with certain
modifications discussed below.
One commenter indicated that the
proposed amendment to AS 2605.22
(i.e., striking the word ‘‘cash’’ from the
list of accounts that might have a low
risk of material misstatement),
inappropriately assumed that there is
always a heightened risk of fraud related
to cash accounts in all audit
engagements. Having considered the
comment, the Board notes that neither
the 2022 Proposal nor the new standard
suggests that there is heightened risk of
fraud associated with cash in every
engagement. However, the Board
believes that where an auditor identifies
a risk of material misstatement for cash
(i.e., where cash is a significant account)
it is necessary for the auditor to perform
confirmation procedures or otherwise
obtain relevant and reliable audit
evidence by directly accessing
information maintained by a
knowledgeable external source in
respect of cash. Accordingly, the Board
continues to believe that the conforming
amendment to AS 2605.22 is
appropriate.
Another commenter indicated that the
proposed amendment to AS 2605.27
would not be necessary should the
Board adopt the commenter’s other
recommendation to remove the
proposed restrictions regarding the use
of internal audit in the new standard. As
discussed above, the Board continues to
believe that in order to maintain control
over the confirmation process the
auditor should select items to be
confirmed, send confirmation requests,
and receive confirmation responses. The
Board modified the conforming
amendments to AS 2605.27, however, to
align with paragraph .15 of the new
standard.
Effective Date
The Board determined that the
amendments will take effect, subject to
approval by the SEC, for audits of
financial statements for fiscal years
ending on or after June 15, 2025.
As part of the 2022 Proposal, the
Board sought comment on the amount
of time auditors would need before the
proposed standard and related
amendments would become effective, if
adopted by the Board and approved by
the SEC. Many commenters, primarily
firms and firm-related groups,
supported an effective date of no earlier
than two years after SEC approval,
which some commenters indicated
would give firms the necessary time to
update firm methodologies and to
develop and implement training.
Additionally, as part of recommending
an effective date no earlier than two
years after SEC approval, a number of
commenters observed that confirmation
procedures are often performed as part
of interim procedures and that, as a
result, the new standard will impact
engagement teams during the period
under audit. Some commenters also
stated that intermediaries involved in
the confirmation process may also need
to update their processes and controls as
a result of the new standard. One
commenter supported an effective date
three years after SEC approval, while
citing reasons similar to those expressed
by commenters who supported an
effective date of no earlier than two
years after SEC approval.
The Board recognizes the preferences
expressed by commenters. Nonetheless,
having considered the requirements of
the new standard, as well as the extent
of differences between the new standard
and AS 2310 and our understanding of
firms’ current practices, the Board
believes that the effective date for fiscal
years ending on or after June 15, 2025,
will provide auditors with a reasonable
period of time to implement the new
standard and related amendments,
without unduly delaying the intended
benefits resulting from these
improvements to PCAOB standards, and
is consistent with the Board’s mission to
protect investors and protect the public
interest.
D. Economic Considerations and
Application to Audits of Emerging
Growth Companies
The Board is mindful of the economic
impacts of its standard setting. This
section describes the economic baseline,
need, and expected economic impacts of
the new standard, as well as alternative
approaches considered by the Board.
Because there are limited data and
research findings available to estimate
quantitatively the economic impacts of
the new standard, the economic analysis
is largely qualitative in nature.
Baseline
Important components of the baseline
against which the economic impact of
the new standard can be considered are
described above, including the Board’s
existing standard governing the audit
confirmation process, firms’ current
practices when performing confirmation
procedures, and observations from the
Board’s inspections program and
enforcement cases. The Board discusses
below two additional components that
inform its understanding of the
economic baseline: (i) the PCAOB staff’s
analysis of audit firm methodologies
and the use of technology-based tools in
the confirmation process, and (ii) a
summary of academic and other
literature on the confirmation process.
Auditing Practices Related to the
Confirmation Process
Through its inspection and other
oversight activities, the PCAOB has
access to sources of information that
help inform its understanding of how
firms currently engage in the
confirmation process. As part of this
standard-setting project, the PCAOB
staff has reviewed a selection of firms’
audit methodologies, as well as other
information about firms’ use of
technology-based tools when
performing confirmation procedures.
While this information is not a random
sample that can be extrapolated
accurately across all registered public
accounting firms, the Board is able to
make some general inferences that help
inform development of the economic
baseline.
PCAOB Staff Analysis of Audit
Methodologies
PCAOB staff has reviewed the
methodologies of selected registered
public accounting firms to determine
how they currently address the
confirmation process and the extent to
which changes to those methodologies
will be necessary to implement the new
standard. Specifically, the staff
compared methodologies of selected
global network firms (‘‘GNFs’’) 78 and
some methodologies commonly used by
U.S. non-affiliate firms (‘‘NAFs’’),79
which are smaller than GNFs, to
existing AS 2310 as well as to the new
standard. The review focused on the
following aspects of the new standard
which represent more notable changes
relative to existing AS 2310:
• Substantive procedures for
confirming cash and cash equivalents
(paragraphs .24, .26, and .29);
• Substantive procedures for
confirming accounts receivable
(paragraphs .24–.25 and .27);
• The auditor’s use of negative
confirmation requests (paragraphs .12–
.13);
• Maintaining control over the
confirmation process, including when
an intermediary is used (paragraphs
.14–.17 and Appendix B); and
• Other areas addressed in the new
standard, including the evaluation of
the reliability of confirmation responses
(paragraphs .18–.19), and the
performance of alternative procedures
(Appendix C).
78 GNFs are the member firms of the six global
accounting firm networks (BDO International Ltd.,
Deloitte Touche Tohmatsu Ltd., Ernst & Young
Global Ltd., Grant Thornton International Ltd.,
KPMG International Ltd., and
PricewaterhouseCoopers International Ltd.).
79 NAFs are both U.S. and non-U.S. accounting
firms registered with the Board that are not GNFs.
Some of the NAFs belong to international networks.
For the GNF methodologies reviewed,
PCAOB staff observed that the
methodologies generally reflect
requirements in existing AS 2310 and
other auditing standards on external
confirmation, such as ISA 505 and AU–
C 505. In addition, some of the
methodologies already incorporate
certain concepts included in the new
standard, although revisions to the
methodologies will nonetheless be
needed to implement the new standard.
Specifically, some GNF
methodologies, but not all, include
requirements for confirmation of cash
and cash equivalents held by third
parties similar to the new requirements
described in the new standard. Other
GNF methodologies suggest, but do not
require, that engagement teams consider
specific confirmation procedures for
cash and cash equivalents held by third
parties. GNF methodologies for
confirmation of accounts receivable are
generally consistent with existing AS
2310. Some also include guidance that
is similar in certain respects to the
requirements in the new standard when
the auditor is unable to obtain relevant
and reliable audit evidence through
confirmation procedures. With respect
to negative confirmation requests, GNF
methodologies acknowledge that
negative confirmation requests provide
less persuasive evidence than positive
confirmation requests. However, some
GNF methodologies still allow the use
of negative confirmation requests as the
sole substantive procedure under
certain conditions.80
The PCAOB staff also observed that
GNF methodologies generally include
guidance on maintaining control over
the confirmation process, using
intermediaries to facilitate the electronic
transmission of confirmation requests,
and assessing controls at the
intermediaries. The firms’ guidance in
this area focuses on the performance of
audit procedures to ensure that the
electronic confirmation process occurs
in a secure and controlled environment
and that confirmation responses
received are reliable. For example, the
methodologies of some firms provide
that an auditor may obtain a SOC report
that would assist the engagement team
in assessing the design and operating
effectiveness of the intermediary’s
controls that address the risk of
interception and alteration of
confirmation requests and responses.
80 See AS 2310.20 for these conditions.
Finally, although current GNF
methodologies include guidance on the
other areas being modernized or
clarified in the new standard, GNFs may
be required to make certain
modifications to their methodologies to
conform to the new standard, such as
whether to perform alternative
procedures.
For the NAF methodologies reviewed,
the PCAOB staff observed that the
methodologies generally align with
existing AS 2310 across each of the
areas studied, but include some
guidance related to the new
requirements in the new standard. For
example, in some of the NAF
methodologies, the confirmation of cash
and cash equivalents held by third
parties is a consideration but not a
requirement. In other NAF
methodologies, the confirmation of cash
and cash equivalents held by third
parties and negative confirmation
requests are not discussed at all. NAF
methodologies for confirmation of
accounts receivable are generally
consistent with existing AS 2310. Some
include guidance that is similar in
certain respects to the requirements
described in the new standard when the
auditor is unable to obtain relevant and
reliable audit evidence through
confirmation procedures.
The NAF methodologies also
generally include guidance on
maintaining control, using
intermediaries in the confirmation
process, and assessing controls at the
intermediaries. Similar to GNF
methodologies, NAF guidance in this
area focuses on the performance of audit
procedures to ensure that the electronic
confirmation process occurs in a secure
and controlled environment and that
confirmation responses received are
reliable. For example, a firm’s
methodology may provide that an
auditor may obtain a SOC report that
would assist the engagement team in
assessing the design and operating
effectiveness of the intermediary’s
controls that address the risk of
interception and alteration of
confirmation requests and responses.
Commenters on the 2022 Proposal did
not provide additional information on
firm methodologies beyond the staff’s
analysis. In general, the PCAOB staff’s
review indicates that all firms will
likely need to revise their
methodologies to some extent to
implement the new standard. For
example, all firms will need to update
their methodologies to ensure that
negative confirmation requests are not
used as the sole source of audit
evidence. NAF methodologies will
likely require more revisions than the
GNF methodologies, which have
incorporated certain concepts included
in the new standard.
Use of Technology-Based Tools
The PCAOB staff has also reviewed
information collected through PCAOB
oversight activities on firms’ use of
technology-based tools in the
confirmation process. The staff’s review
focused primarily on the use of
technology-based tools by GNFs, but
also encompassed certain technologybased tools used by some NAFs. In
addition, the review encompassed
information on both proprietary
technology-based tools that firms have
developed internally and third-party or
‘‘off-the-shelf’’ tools that firms purchase
and use (in certain cases, with further
customizations) to assist in performing
confirmation procedures as part of the
audit process. The staff found that the
number of technology-based tools used
in the confirmation process varies
across firms, and also varies based on
the facts and circumstances of specific
engagements. Generally speaking, firms
allow engagement teams to select a tool
but do not provide that the use of one
or more tools is required.
Both GNFs and NAFs within the
scope of the PCAOB staff’s review use
third-party tools to automate certain
confirmation procedures, or to
independently verify balances, terms of
arrangements, or other information
under audit. GNFs appear to be more
likely to invest in customizing off-the-shelf tools they have purchased to their
particular environment. For example,
such modifications may permit a firm to
automate the reconciliation of
confirmed balances to client records. In
comparison, NAFs tend to use the off-the-shelf tools without customization.
The PCAOB staff’s review also found
that GNFs have developed proprietary
applications to facilitate various aspects
of the confirmation process, whether
conducted manually or electronically.
These applications may facilitate the
preparation of confirmation requests,
their dissemination to recipients
(including the preparation of logs to
track confirmation requests and
receipts), and the analysis of
confirmation responses to determine
their completeness and accuracy. GNFs
have also developed tools used when
auditing specific accounts, other than
cash and accounts receivable, where
confirmation may provide audit
evidence. For example, tools are used to
prepare, log, and track confirmation
requests and responses for various
deposit, loan, and liability accounts.
As discussed above, auditors or
confirming parties may engage an
intermediary to facilitate the direct
electronic transmission of confirmation
requests and responses between the
auditor and the confirming party.81 In
one area, market forces have influenced
firms’ willingness to use an
intermediary: a majority of financial
institutions will only respond to
confirmation requests through a
centralized process and with a specified
intermediary. As a result, all firms’
methodologies required, and in practice
firms did use, the specified
intermediary in these circumstances.
The PCAOB staff has observed diverse
practices related to the procedures
auditors perform to support their
reliance on an intermediary’s controls
when establishing direct
communication between the auditor and
the confirming party.82 In some
situations where the procedures
performed included obtaining a SOC
report, the staff has observed
insufficient evaluation of SOC reports,
lack of consideration of the period
covered and complementary user entity
controls, and insufficient coordination
of procedures performed centrally by
the audit firm and by the engagement
team.83
These observations suggest that there
may be a need for uniform guidance for
situations involving the use of
intermediaries. For example, enhanced
procedures to be performed when
auditors place reliance on an
intermediary’s controls could help
address the risk of interception and
alteration of communications between
the auditor and the company and
address the risk of override of the
intermediary’s controls by the company.
Commenters did not provide
information about firms’ use of
technology-based tools that contradicted
the staff’s assessment. One commenter
stated that some larger audit firms have
established confirmation centers to
centralize the sending and receiving of
confirmation requests. Another
commenter cited a study that noted the
use of robotic process automation for
confirming accounts receivable by a
GNF.84
81 See Spotlight: Observations and Reminders on
the Use of a Service Provider in the Confirmation
Process (Mar. 2022), available at
https://pcaobus.org/resources/staff-publications.
82 Id.
83 Id.
Literature on the Confirmation Process
There is limited data on auditor
confirmation decisions and research
findings on the confirmation process.85
The literature documents that
confirmation is ‘‘extensively used’’ and
that confirmation responses received
directly from a third party are often
perceived by practitioners to be among
‘‘the most persuasive forms of audit
evidence.’’ 86 Consistent with the
PCAOB staff’s observations from
PCAOB oversight activities,87 studies
find that the use of electronic
confirmation has become prevalent.88
One study also observes that current
U.S. auditing standards do not fully
address how auditors should
authenticate confirmations sent or
received electronically, and asserts that
there is a need for audit guidance
related to electronic forms of
evidence.89 Further, an earlier study
reviews enforcement actions described
in the SEC’s Accounting and Auditing
Enforcement Releases and concludes
that additional direction regarding when
cash and accounts receivable
confirmation requests are required or
recommended may be needed.90
Additionally, the literature suggests that
more guidance may be necessary to
identify when the risk is sufficiently
low to justify the use of negative
confirmation requests in certain areas.91
Moreover, an article on bank
confirmation advocates a risk-based
approach to the determination of
confirmation procedures.92 Finally, a
study finds that ‘‘anecdotal evidence
and some research suggest confirmation
response rates are declining.’’ 93
Commenters did not provide
information contradicting the staff’s
summary of the relevant literature.
84 See Feiqi Huang and Milos A. Vasarhelyi,
Applying Robotic Process Automation (RPA) in
Auditing: A Framework, 35 International Journal of
Accounting Information Systems 100433, 100436
(2019).
85 See Paul Caster, Randal J. Elder, and Diane J.
Janvrin, A Summary of Research and Enforcement
Release Evidence on Confirmation Use and
Effectiveness, 27 Auditing: A Journal of Practice &
Theory 253, 254 (2008).
86 See id. at 253.
87 See Spotlight: Data and Technology Research
Project Update (May 2021), available at
https://pcaobus.org/resources/staff-publications. See also
Spotlight: Observations and Reminders on the Use
of a Service Provider in the Confirmation Process
(Mar. 2022), available at
https://pcaobus.org/resources/staff-publications.
88 See, e.g., Paul Caster, Randal J. Elder, and
Diane J. Janvrin, An Exploration of Bank
Confirmation Process Automation: A Longitudinal
Study, 35 Journal of Information Systems 1, 5
(2021).
89 See id. at 2.
90 See Paul Caster, Randal J. Elder, and Diane J.
Janvrin, A Summary of Research and Enforcement
Release Evidence on Confirmation Use and
Effectiveness, 27 Auditing: A Journal of Practice &
Theory 253, 261–62 (2008).
91 See id. at 266.
Accordingly, the academic literature
is consistent with the conclusion that
the Board’s auditing requirements for
the confirmation process should (i)
accommodate electronic
communications and address the
implications of using an intermediary,
(ii) address the confirmation of cash and
accounts receivable, (iii) limit the use of
negative confirmation requests, and (iv)
align with the PCAOB’s risk assessment
standards.
Need
Several attributes of the audit market
support a need for the PCAOB to
establish effective audit performance
standards. First, the company under
audit, investors, and other financial
statement users cannot easily observe
the services performed by the auditor or
the quality of the audit. This leads to a
risk that, unbeknownst to the company,
investors, or other financial statement
users, the auditor may perform a low-quality audit.94
Second, the federal securities laws
require that an issuer retain an auditor
for the purpose of preparing or issuing
an audit report. While the appointment,
compensation, and oversight of the
work of the registered public accounting
92 See L. Ralph Piercy and Howard B. Levy, To
Confirm or Not to Confirm-Risk Assessment is the
Answer, 91 The CPA Journal 54, 54 (2021).
93 See Paul Caster, Randal J. Elder, and Diane J.
Janvrin, A Summary of Research and Enforcement
Release Evidence on Confirmation Use and
Effectiveness, 27 Auditing: A Journal of Practice &
Theory 253, 254 (2008). The PCAOB staff has also
observed that the use of electronic confirmation
may affect the confirmation response rate. See
Spotlight: Data and Technology Research Project
Update (May 2021), available at
https://pcaobus.org/resources/staff-publications.
94 See, e.g., Monika Causholli and Robert W.
Knechel, An Examination of the Credence
Attributes of an Audit, 26 Accounting Horizons
631, 632 (2012): During the audit process, the
auditor is responsible for making decisions
concerning risk assessment, total effort, labor
allocation, and the timing and extent of audit
procedures that will be implemented to reduce the
residual risk of material misstatements. As a non-expert, the auditee may not be able to judge the
appropriateness of such decisions. Moreover, the
auditee may not be able to ascertain the extent to
which the risk of material misstatement has been
reduced even after the audit is completed. Thus,
information asymmetry exists between the auditee
and the auditor, the benefit of which accrues to the
auditor. If such is the case, the auditor may have
incentives to: Under-audit, or expend less audit
effort than is required to reduce the uncertainty
about misstatements in the auditee’s financial
statements to the level that is appropriate for the
auditee.
firm conducting the audit is, under the
Act, entrusted to the issuer’s audit
committee,95 there is nonetheless a risk
that the auditor may seek to satisfy the
interests of the issuer audit client rather
than the interests of investors and other
financial statement users.96 This risk
can arise out of an audit committee’s
identification with the company or its
management (e.g., for compensation) or
through management’s exercise of
influence over the audit committee’s
supervision of the auditor, which can
result in a de facto principal-agent
relationship between the company and
the auditor.97 Effective auditing
standards help to address these risks by
explicitly assigning responsibilities to
the auditor that, if executed properly,
are expected to lead to high-quality
audits that satisfy the interests of
audited companies, investors, and other
financial statement users.
This section discusses the specific
problem that the new standard is
intended to address and explains how
the new standard is expected to address
it.
Problem To Be Addressed
Focus on Obtaining Reliable Audit
Evidence From the Confirmation
Process
In situations where audit evidence
can be obtained from a knowledgeable
external source, the resulting audit
evidence is likely to be more reliable
than audit evidence obtained only from
internal company sources. For evidence
obtained through confirmation to be
reliable, the confirmation process must
be properly executed. Proper execution
involves assessing the reliability of a
confirmation response and performing
robust, additional alternative
procedures when the auditor is unable
to determine that a confirmation
response is reliable. Similarly, proper
execution may entail the performance of
alternative procedures when the auditor
is unable to identify a confirming party,
the auditor does not receive a
confirmation response from the
intended confirming party, or the
confirmation response is incomplete.
As discussed above, the PCAOB staff
has observed situations where auditors
did not perform procedures to assess the
reliability of confirmation responses or,
where applicable, perform sufficient
alternative procedures.98 In addition,
the staff has noted that, in the case of
some financial reporting frauds, the
company’s misconduct possibly could
have been detected at an earlier point in
time had the auditor made an
appropriate assessment of the reliability
of confirmation responses received, or
performed additional procedures
needed to obtain reliable audit
evidence.99 These observations suggest
a need for enhancements to auditing
standards to more clearly address those
situations where confirmation can be
expected to provide reliable audit
evidence, including the requirements
for evaluating the reliability of
confirmation responses and, if
appropriate, performing alternative
procedures.
Developments in Practice
There are areas of the confirmation
process where developments in practice
have outpaced existing requirements in
the Board’s auditing standards. In
particular, existing AS 2310 does not
reflect significant changes in technology
and the methods by which auditors
perform the confirmation process,
including the use of electronic
communication and the involvement of
third-party intermediaries.
Regulatory standards that do not
reflect changes in practice may lead to
inconsistency in their application,
potential misinterpretation, and
ineffective regulatory intervention. For
example, the PCAOB staff has observed
diverse practices and audit deficiencies
related to the procedures performed by
auditors to support their use of an
intermediary to facilitate the electronic
transmission of confirmation requests
and confirmation responses with
confirming parties.100
95 See Section 301 of the Act, 15 U.S.C. 78f(m).
As an additional safeguard, the auditor is also
required to be independent of the audit client. See
17 CFR 210.2–01.
96 See, e.g., Joshua Ronen, Corporate Audits and
How to Fix Them, 24 Journal of Economic
Perspectives 189 (2010).
97 See id.; see also, e.g., Liesbeth Bruynseels and
Eddy Cardinaels, The audit committee:
Management watchdog or personal friend of the
CEO?, 89 The Accounting Review 113 (2014). Cory
Cassell, Linda Myers, Roy Schmardebeck, and Jian
Zhou, The Monitoring Effectiveness of Co-Opted
Audit Committees, 35 Contemporary Accounting
Research 1732 (2018); Nathan Berglund, Michelle
Draeger, and Mikhail Sterin, Management’s Undue
Influence over Audit Committee Members: Evidence
from Auditor Reporting and Opinion Shopping, 41
Auditing: A Journal of Practice 49 (2022).
How the New Standard Addresses the
Need
The new standard helps address the
need by (i) strengthening requirements
98 See above for observations from the PCAOB’s
audit inspections and from SEC enforcement cases.
99 See also Diane Janvrin, Paul Caster, and Randy
Elder, Enforcement Release Evidence on The Audit
Confirmation Process: Implications for Standard
Setters, 22 Research in Accounting Regulation 1, 10
(2010).
100 See Spotlight: Observations and Reminders on
the Use of a Service Provider in the Confirmation
Process (Mar. 2022), available at
https://pcaobus.org/resources/staff-publications.
in certain areas to focus on the need to
obtain reliable audit evidence from the
confirmation process; and (ii)
modernizing existing AS 2310 to
accommodate certain developments in
practice, including the use of electronic
communications and intermediaries.
The new standard is expected to
promote consistent and effective
practice relating to the confirmation
process in audits subject to PCAOB
standards, reducing the risk of low-quality audits caused by (i) the lack of
observability of audit quality and (ii) the
influence of the auditor-client
relationship discussed above.
Focus on Obtaining Reliable Audit
Evidence From the Confirmation
Process
The new standard strengthens the
Board’s requirements in certain areas to
focus on the need to obtain reliable
audit evidence when executing the
confirmation process. Specifically, the
new standard includes a presumption
for the auditor to confirm certain cash
and cash equivalents held by third
parties, or otherwise obtain relevant and
reliable audit evidence by directly
accessing information maintained by a
knowledgeable external source. In
addition, the new standard strengthens
the requirements for evaluating the
reliability of confirmation responses. It
also continues to emphasize the
importance of maintaining control over
the confirmation process and provides
additional examples of information that
indicates that a confirmation request or
response may have been intercepted and
altered. When confirmation responses
are deemed to be unreliable, the auditor
is directed to perform alternative
procedures to obtain audit evidence.
Moreover, as discussed above,
electronic communications likely have
reduced the efficacy of negative
confirmation requests. Under the new
standard, the auditor is not able to use
negative confirmation requests as the
sole substantive procedure for
addressing the risk of material
misstatement for a financial statement
assertion.
Developments in Practice
Under the new standard, the
requirement to maintain control over
the confirmation process addresses both
traditional and newer, more prevalent
forms of communication between the
auditor and confirming parties,
including emailed confirmation requests
and responses and intermediaries
facilitating electronic communication of
confirmation requests and responses.
The new standard is intended to apply
to methods of confirmation currently in
use and to be flexible enough to apply
to new methods that may arise from
technological changes in auditing in the
future.
The new standard emphasizes that in
general, evidence obtained from a
knowledgeable external source is more
reliable than evidence obtained only
from internal company sources. For
cash and accounts receivable, if the
auditor is able to perform audit
procedures other than confirmation that
allow the auditor to obtain audit
evidence by directly accessing
information maintained by
knowledgeable external sources, such
audit evidence could be as persuasive as
audit evidence obtained through
confirmation procedures, and the new
standard allows the auditor to perform
such procedures. Accordingly, to the
extent that there are newer tools
available to auditors now or in the
future that enable them to obtain such
audit evidence directly, the new
standard would accommodate their use
and future development.
Economic Impacts
This section discusses the expected
benefits and costs of the new standard
and potential unintended consequences.
Overall, the Board expects that the
economic impact of the new standard,
including both benefits and costs, will
be relatively modest, especially for
those firms that have already
incorporated into practice some of the
new requirements. The Board also
expects that the benefits of the new
standard will justify the costs and any
unintended negative effects.
Benefits
The Board expects the new standard
to improve the consistency and
effectiveness of the confirmation
process, reducing the risk of low-quality
audits caused by (i) the lack of
observability of audit quality and (ii) the
influence of the auditor-client
relationship discussed above.
Specifically, there exists a risk that,
unbeknownst to the company under
audit, investors, or other financial
statement users, the auditor may
perform a low-quality audit since audit
quality is difficult to observe. In
addition, some auditors may aim to
satisfy the interests of the company or
their own financial interests rather than
the interests of investors and other
financial statement users—interests that
may lead them to perform insufficiently
rigorous confirmation procedures to
minimize the burden on clients and
their counterparties to respond to
confirmations, or to minimize audit
costs.
The new standard helps to mitigate
these risks in the audit confirmation
process by strengthening and
modernizing the requirements for the
auditor regarding the design and
execution of the confirmation process.
Specifically, a confirmation process
designed and executed under the new
standard should benefit investors and
other users of financial statements by
reducing the likelihood that financial
statements are materially misstated,
whether due to error or fraud. Some
commenters explicitly stated that the
requirements described in the 2022
Proposal would improve the
consistency of confirmation practices
and enhance audit quality.
The enhanced quality of audits and
financial information available to
financial markets should also increase
investor confidence in financial
statements. In general, investors may
use the more reliable financial
information to improve the efficiency of
their capital allocation decisions (e.g.,
investors may reallocate capital from
less profitable companies to more
profitable companies). Investors may
also perceive less risk in capital markets
generally, leading to an increase in the
supply of capital. An increase in the
supply of capital could increase capital
formation while also reducing the cost
of capital to companies.101
Auditors also are expected to benefit
from the new standard, because the
additional clarity provided by the new
standard (e.g., the accommodation of
current practices, including the use of
electronic communications and
intermediaries) will reduce regulatory
uncertainty and the associated
compliance costs. Specifically, the new
standard provides auditors with a better
understanding of their responsibilities
and the Board’s expectations.
The following discussion describes
the benefits of key changes to existing
confirmation requirements that are
expected to impact auditor behavior. As
discussed above, the changes aim to (1)
enhance the auditor’s focus on obtaining
reliable audit evidence from the
confirmation process, and (2)
accommodate certain developments in
practice. As further discussed below,
the changes that enhance the auditor’s
focus on obtaining reliable audit
evidence are expected to strengthen
101 See, e.g., Hanwen Chen, Jeff Zeyun Chen,
Gerald J. Lobo, and Yanyan Wang, Effects of audit
quality on earnings management and cost of equity
capital: Evidence from China, 28 Contemporary
Accounting Research 892, 921 (2011); Richard
Lambert, Christian Leuz, and Robert E. Verrecchia,
Accounting Information, Disclosure, and the Cost of
Capital, 45 Journal of Accounting Research 385, 410
(2007).
confirmation procedures for cash held
by third parties, promote consistency in
practice, improve the reliability of
confirmation responses, improve the
quality of audit evidence, and increase
the auditor’s likelihood of identifying
potential financial statement fraud. The
changes that accommodate
developments in practice are expected
to clarify the auditor’s responsibilities
regarding the use of electronic
communications in the confirmation
process, standardize the procedures that
auditors perform to support their use of
intermediaries, and allow for the use or
development of more sophisticated and
effective technology-based auditing
tools. To the extent that a firm has
already implemented certain of the
provisions of the new standard into its
firm methodology, the benefits
described below will be reduced.
Focus on Obtaining Reliable Audit
Evidence From the Confirmation
Process
The new standard should benefit
investors and other users of a company’s
financial statements by placing
additional emphasis on the auditor’s
need to obtain reliable audit evidence
when performing confirmation
procedures. In this regard, the new
standard: (1) identifies certain accounts
for which the auditor should perform
confirmation procedures, (2) enhances
the requirements for assessing the
reliability of confirmation responses, (3)
addresses the performance of alternative
procedures when the auditor is unable
to obtain relevant and reliable audit
evidence through confirmation, (4)
strengthens requirements regarding the
use of negative confirmation requests,
and (5) specifies certain activities in the
confirmation process that should be
performed by the auditor and not by
other parties.
Specifically, the new presumption for
the auditor to confirm certain cash and
cash equivalents held by third parties or
otherwise obtain relevant and reliable
audit evidence by directly accessing
information maintained by a
knowledgeable external source may
reduce the risk of material errors in
financial statements and strengthen
investor protection to the extent that
auditors are not already confirming cash
pursuant to their existing audit
methodologies.102 This requirement also
102 As discussed above, the PCAOB staff’s review
of firm methodologies indicated that some firms are
already confirming cash balances, while other
firms’ methodologies do not require auditors to
perform procedures beyond those required by AS
2310. The growth in corporate cash holdings also
highlights the need to confirm cash and cash
equivalents. See, e.g., Kevin Amess, Sanjay Banerji,
specifies that the extent of audit
evidence to obtain through cash
confirmation procedures should be
based on the auditor’s understanding of
the company’s cash management and
treasury function.
The standard does not require that all
cash accounts or all accounts receivable
should be selected for confirmation. The
auditor’s assessment of the risk of
material misstatement is an important
consideration when designing audit
procedures, including the use of
confirmation. Consistent with the
objective of the new standard, the
requirement to confirm cash and
accounts receivable, or otherwise obtain
relevant and reliable audit evidence by
directly accessing information
maintained by a knowledgeable external
source, only applies when the auditor
has determined that these accounts are
significant accounts. Further, for both
cash and accounts receivable, the new
standard specifies that the auditor
should take into account the auditor’s
understanding of the substance of a
company’s arrangements and
transactions with third parties when
selecting the individual items to
confirm. These provisions in the new
standard should encourage the auditor
to determine the extent of confirmation
procedures with regard to an assessment
of the risk of material misstatement and
avoid more work than necessary to
obtain sufficient appropriate audit
evidence.
However, to the extent that cash or
accounts receivable fall within the
scope of the new standard, the new
standard strengthens the requirement to
obtain relevant and reliable audit
evidence, whether through performing
confirmation procedures or otherwise
obtaining audit evidence by directly
accessing information maintained by a
knowledgeable external source. At the
same time, the new standard also
addresses situations where, based on the
auditor’s experience, confirmation
would not be feasible for accounts
receivable. The additional clarity
provided by these requirements in the
new standard should reduce uncertainty
in auditor responsibilities and promote
consistency in practice with respect to
the confirmation of cash and accounts
receivable.
The new standard strengthens
requirements addressing the reliability
of confirmation responses by describing
information that the auditor should take
into account when evaluating the
and Athanasios Lampousis, Corporate Cash
Holdings: Causes and Consequences, 42
International Review of Financial Analysis 421, 422
(2015).
reliability of confirmation responses and
providing examples of information that
indicates that a confirmation request or
response may have been intercepted or
altered. These requirements are
expected to improve the reliability of
confirmation responses and therefore
increase the quality of the audit
evidence obtained by the auditor.
The requirement to communicate to
the audit committee instances where,
for significant risks associated with cash
or accounts receivable, the auditor did
not perform confirmation procedures or
obtain audit evidence by directly
accessing information maintained by a
knowledgeable external source is
expected to reinforce the auditor’s
obligation to exercise due professional
care in determining not to perform
confirmation procedures or otherwise
obtain audit evidence by directly
accessing information maintained by a
knowledgeable external source.
The new standard also expands on the
existing requirement to address the
auditor’s potential need to apply
alternative procedures. The enhanced
requirements for alternative procedures
provide a greater level of detail and
clarity to auditors for situations that are
not currently addressed explicitly in
existing AS 2310, potentially raising the
quality of evidence obtained by
auditors.
Under the new standard, the auditor
may only use negative confirmation
requests to supplement other
substantive audit procedures; negative
confirmation requests may not be used
as the sole substantive audit procedure.
As discussed above, the amount of
electronic correspondence has increased
dramatically over the years, leading to
an increased likelihood that a negative
confirmation request would not be
appropriately considered by the
confirming party and, therefore, would
provide less persuasive audit evidence.
The new standard addresses this issue
by providing examples of situations in
which negative confirmation requests,
in combination with the performance of
other substantive audit procedures, may
provide sufficient appropriate audit
evidence. As negative confirmation
requests cannot be the sole source of
audit evidence obtained, insofar as the
new standard affects practice, the
overall quality of audit evidence
obtained by the auditor likely will
increase.103
Overall, the additional requirements
and examples discussed above are
expected to improve the reliability of
confirmation responses and, therefore,
increase the quality of the audit
evidence obtained by the auditor. By
introducing a new requirement to
confirm certain cash balances (or
otherwise obtain relevant and reliable
audit evidence by directly accessing
information maintained by a
knowledgeable external source) and
enhancing the requirements for
evaluating the reliability of confirmation
responses, the new standard may also
increase the auditor’s likelihood of
identifying potential financial statement
fraud. Early detection of accounting
fraud is an important aspect of investor
protection because such fraud can cause
significant harm to investors in the
companies engaged in fraud, as well as
indirect harm to investors in other
companies.104 In addition, by clarifying
and strengthening the auditor’s
responsibilities, including by specifying
additional situations where alternative
procedures may be necessary and
providing additional examples of
information that indicates that a
confirmation request or response may
have been intercepted and altered, the
new standard takes into account past
inspection findings by the Board that
auditors did not obtain sufficient
appropriate audit evidence when using
confirmation.
One commenter on the proposing
release expressed the view that the
proposed standard would not achieve a
significant reduction in inspection
findings or improvements to audit
quality because adverse inspection
findings have historically focused on a
failure to appropriately execute existing
requirements. As discussed above,
however, the need for this rulemaking is
not limited to noncompliance with the
current standard detected through our
inspections program, but also reflects
undetected financial reporting frauds
and developments in practice. The
Board continues to believe, therefore,
that the rule will achieve its intended
benefits, which include increased
clarity from the new standard.
103 The Board understands through its oversight
activities that few, if any, GNFs use negative
confirmation requests as the sole substantive
procedure in practice. As discussed above,
however, the PCAOB staff’s firm methodology
review suggests that all the GNFs and NAFs
reviewed will need to update their methodologies
to ensure that negative confirmation requests are
not used as the sole source of audit evidence.
104 See Yang Bao, Bin Ke, Bin Li, Y. Julia Yu, and
Jie Zhang, Detecting Accounting Fraud in Publicly
Traded US Firms Using a Machine Learning
Approach, 58 Journal of Accounting Research 199,
200 (2020).
Developments in Practice
The new standard modernizes
existing AS 2310 by accommodating
certain developments in practice,
including the use of electronic
communications and intermediaries.
Specifically, the new standard
accommodates changes in how
communications occur between the
auditor and confirming parties. It
clarifies the auditor’s responsibilities by
taking into account current confirmation
practices among auditors and
acknowledging differing methods of
confirmation. These methods include
longstanding methods, such as the use
of paper-based confirmation requests
and responses sent via postal mail. They
also include methods that have become
commonplace since the existing
standard was adopted, including
confirmation requests and responses
communicated via email and the use of
intermediaries to facilitate the direct
electronic transmission of confirmation
requests and responses. This additional
clarity may enhance the reliability of
audit evidence by decreasing the risk
that a confirmation request or response
is intercepted and altered. In addition,
the new standard includes requirements
specific to an intermediary’s controls
that mitigate the risk of interception and
alteration. The requirements are
expected to standardize the procedures
auditors perform to support their use of
intermediaries and reduce audit
deficiencies in this area.
With regard to both cash and accounts
receivable, the new standard
accommodates the potential for future
evolution of audit tools by allowing
auditors to directly obtain access to
relevant and reliable audit evidence
from knowledgeable external sources
other than through confirmation
without the involvement of the
company. This change allows for the
use or development of technology-based
auditing tools, subject to the
requirement that they provide audit
evidence by directly accessing
information maintained by
knowledgeable external sources about
the relevant financial statement
assertion. Accordingly, this change
could potentially improve the efficiency
and effectiveness of the audit.
Some commenters on the 2022
Proposal questioned the benefits of the
proposed requirements, arguing that the
auditor’s inability under the proposed
standard to overcome the presumption
to confirm cash and a high threshold to
overcome the presumption to confirm
accounts receivable unduly restricted
the ability to use professional judgment
to determine the appropriateness of
confirmation procedures. While the
Board agrees that professional judgment
plays an important role in the execution
of audit procedures, the Board’s
experience indicates that it is also
important for investor protection that
auditors obtain relevant and reliable
audit evidence for both cash and
accounts receivable when they are
significant accounts. With regard to
accounts receivable, the new standard
retains the presumption to perform
audit procedures to obtain relevant and
reliable evidence through confirmation,
or otherwise by directly accessing
information maintained by a
knowledgeable external source, so
would not decrease or remove the
auditor’s current responsibility.
Furthermore, the new standard includes
a provision to address situations when
obtaining audit evidence directly from
knowledgeable external sources,
whether through confirmation
procedures or other means, would not
be feasible to execute for accounts
receivable. Accordingly, the new
standard strikes a balance intended to
benefit investors by recognizing the
value of professional judgment generally
with respect to the use of confirmation
while ensuring that cash and accounts
receivable, when they are significant
accounts, are subject to confirmation or
other audit procedures designed to
obtain relevant and reliable audit
evidence from knowledgeable external
sources.
Costs
The Board expects the costs
associated with the new standard to be
relatively modest. The PCAOB staff’s
review of audit firm methodologies
related to the confirmation process
indicates that some firms have already
incorporated into practice some of the
new requirements. For example, the
methodologies of some GNFs include
requirements for confirmation of cash
that are similar to the requirements in
the new standard. Both the GNF and
NAF methodologies reviewed generally
include guidance on maintaining
control over the confirmation process
and the use of intermediaries to
facilitate the electronic transmission of
confirmation requests and responses.
To the extent that audit firms need to
make changes to meet the new
requirements, they may incur certain
fixed costs (i.e., costs that are generally
independent of the number of audits
performed) to implement the new
standard. These include costs of
updating audit methodologies and tools,
and costs to prepare training materials
and conduct internal training. GNFs are
likely to update methodologies using
internal resources, whereas NAFs are
more likely to purchase updated
methodologies from external vendors.
The costs of updating these
methodologies likely depend on the
extent to which the new requirements
have already been incorporated in the
firms’ current methodologies. For firms
that have implemented confirmation
procedures like those required by the
new standard, the costs of updating
methodologies may be lower than for
firms that currently do not have such
procedures. In this regard, large firms
may also benefit from economies of
scale. As mentioned above, one
commenter indicated that some larger
audit firms have already established
confirmation centers to centrally
process the sending of confirmation
requests and receiving of confirmation
responses. For these firms, costs to
implement the new standard may be
further diminished as these firms may
benefit from lower training costs and
more efficient performance of the
enhanced procedures. Smaller audit
firms may not have adequate resources
to establish such confirmation centers
and may not recognize similar efficiency
gains. The commenter observed that the
establishment of confirmation centers
within audit firms would require
significant resources, which smaller
audit firms may not have.
In addition, audit firms may incur
certain engagement-level variable costs
related to implementing the new
standard. For example, the requirement
to confirm certain cash balances or
otherwise obtain relevant and reliable
audit evidence by directly accessing
information maintained by a
knowledgeable external source could
impose engagement-level costs on some
auditors if additional procedures need
to be performed. Similarly, limiting the
use of negative confirmation requests to
situations where the auditor is also
performing other substantive audit
procedures could lead to additional
time and effort by the auditor to perform
the other audit procedures.
The magnitude of the variable costs
likely depends on the extent to which
existing practice differs from the new
requirements. As discussed above, the
PCAOB staff’s review of firm
methodologies, which included the
methodologies of certain NAFs, suggests
that the new standard likely will lead to
a greater impact on confirmation
procedures performed by smaller firms.
Because the new standard generally
applies a risk-based approach (i.e., by
providing that the use of confirmation
may be part of the auditor’s response to
the assessed risks of material
misstatement), the costs of performing
the additional procedures are unlikely
to be disproportionate to the benefits.
To the extent that auditors incur
higher costs to implement the new
standard and are able to pass on at least
part of the increased costs through an
increase in audit fees, companies being
audited could incur an indirect cost.105
Moreover, confirming parties could
incur additional costs from supporting
the confirmation process as a result of
the enhanced requirements of the new
standard, although the additional costs
are expected to be limited. One
commenter agreed that confirming
parties may incur additional costs as
they may have to allocate resources to
respond to confirmation requests. As
discussed above, however, confirmation
is already commonly used by audit
firms, and the Board therefore does not
expect confirming parties to incur
significant additional costs to respond
to confirmation requests as a result of
the new standard.
Some requirements under the new
standard may result in more costs than
others. The following discussion
describes the potential costs associated
with specific changes to existing
confirmation requirements.
Focus on Obtaining Reliable Audit
Evidence From the Confirmation
Process
The new standard: (1) identifies
certain accounts for which the auditor
should perform confirmation
procedures or otherwise obtain relevant
and reliable audit evidence by directly
accessing information maintained by a
knowledgeable external source, (2)
enhances the requirements for assessing
the reliability of confirmation responses,
(3) addresses the performance of
alternative procedures when the auditor
is unable to obtain relevant and reliable
audit evidence through confirmation, (4)
strengthens requirements regarding the
use of negative confirmation requests,
and (5) specifies certain activities in the
confirmation process that should be
performed by the auditor and not by
other parties.
For some firms, the requirement in
the new standard to confirm certain
cash balances or otherwise obtain
relevant and reliable audit evidence by
directly accessing information
maintained by a knowledgeable external
source could be expected to result in the
revision of firm methodologies and the
performance of additional audit
procedures. As discussed above, the
methodologies of some GNFs already
include requirements for cash
confirmation that are similar to the new
requirement described in the new
standard. In addition, the risk-based
approach in the new requirement
should encourage the auditor to
determine the extent of confirmation
with regard to an assessment of the risks
of material misstatement and conduct
only the work necessary to obtain
sufficient audit evidence.
105 One commenter stated that the cost of audit
would increase if auditors were required to send
confirmations on any and all information that can
be confirmed by external parties. While the Board
notes that the new standard does not require
confirmations on any and all information that can
be confirmed, it agrees that companies being
audited can incur indirect costs to the extent that
auditors pass on at least part of the increased costs
in terms of increased audit fees to companies.
Commenters on the 2022 Proposal
asserted that confirming cash balances
under the proposed standard would
lead to increased costs, given the lack of
discretion and ability to overcome the
presumption in the proposed standard.
In addition, some commenters on the
2022 Proposal asserted that the ‘‘at least
as persuasive as’’ threshold in the
proposed standard for overcoming the
presumption to confirm accounts
receivable would limit the auditor’s use
of professional judgment and could
result in greater costs without a
commensurate benefit to audit quality.
As discussed above, there is a
presumption in the new standard that
the auditor should obtain audit
evidence from a knowledgeable external
source by performing confirmation
procedures or using other means to
obtain audit evidence by directly
accessing information maintained by
knowledgeable external sources. In
addition, the new standard provides
that if, based on the auditor’s
experience, it would not be feasible for
the auditor to obtain audit evidence
about accounts receivable pursuant to
paragraph .24, the auditor should obtain
external information indirectly by
performing other substantive
procedures, including tests of details.
Insofar as the final standard does not
otherwise provide auditors with the
discretion to avoid obtaining audit
evidence directly from a knowledgeable
external source for cash, and the only
exception applicable to accounts
receivable is for situations where
obtaining audit evidence directly from a
knowledgeable external source would
not be feasible, firms may, therefore,
incur additional costs to comply with
the presumptive requirements of the
new standard for cash and accounts
receivable. These costs, however, are
necessary to the achievement of the
standard’s intended benefits of
emphasizing the quality and strength of
the audit evidence to be obtained from
knowledgeable external sources.
The new standard also requires the
auditor to evaluate the reliability of
confirmation responses and provides
examples of information that indicate
that a confirmation response may have
been intercepted and altered. The costs
associated with this requirement,
however, are expected to be limited.
First, the Board’s auditing standards
already require the auditor to obtain
sufficient appropriate audit evidence to
provide a reasonable basis for the
auditor’s report, and to evaluate the
combined evidence provided by
confirmation and other auditing
procedures performed when the auditor
has not received replies to confirmation
requests (i.e., nonresponses) to
determine whether sufficient evidence
has been obtained about all the
applicable financial statement
assertions.106 Second, the
methodologies of some firms reflect
application material in ISA 505
regarding factors (similar to indicators
in the new standard) that may indicate
doubts about the reliability of a
confirmation response. One of these
factors is analogous to the requirement
in the new standard (i.e., the
confirmation response appears not to
come from the originally intended
confirming party), which may further
limit the potential costs for firms that
have incorporated this factor in their
methodologies. One commenter on the
2022 Proposal stated that the proposed
standard’s requirement for evaluating
the reliability of confirmation responses
might cause the auditor to need to
authenticate confirmation responses,
which would add significant expense to
the audit. However, as discussed above,
AS 1105 already establishes the
requirements for evaluating the
reliability of audit evidence, and the
new standard does not change those
requirements.
The requirement for the auditor to
communicate with the audit committee
when the auditor did not perform
confirmation procedures or otherwise
obtain audit evidence by directly
accessing information maintained by
knowledgeable external sources for
significant risks associated with either
cash or accounts receivable could
impose a modest incremental cost.
Some commenters on the 2022 Proposal
had expressed concern about the
proposed requirement to communicate
with the audit committee in all
instances where the presumption to
confirm accounts receivable had been
overcome, which could be detrimental if
the communication became a mere
compliance exercise for auditors and
audit committees. The new standard’s
requirement to communicate with the
audit committee, however, is more risk-based and therefore, the Board
continues to believe that the
incremental costs will be modest.
106 See AS 1105.04; AS 2310.33.
Insofar as the new standard identifies
additional situations in which the
auditor generally would be required to
perform alternative procedures, firms
may incur additional costs. Specifically,
the new standard extends the
requirement in existing AS 2310 to
perform alternative procedures in
relation to nonresponses to positive
confirmation requests to other
situations, including the auditor’s
inability to identify a confirming party
and the receipt of an unreliable
response.
In contrast with existing AS 2310,
negative confirmation requests may not
be used as the sole substantive audit
procedure under the new standard. This
limitation reflects, among other things,
the increase in the volume of electronic
correspondence since existing AS 2310
was issued and the increasing
likelihood that a recipient of a negative
confirmation request would not
consider the request. As a result,
auditors may have to perform other
substantive audit procedures for certain
financial statement assertions. Although
the Board understands through its
oversight activities that few, if any,
GNFs use negative confirmation
requests as the sole substantive
procedure in practice, as discussed
above, the PCAOB staff’s firm
methodology review suggests that all the
GNFs and NAFs reviewed will need to
review their methodologies to ensure
that negative confirmation requests are
not used as the sole source of audit
evidence.
Developments in Practice
As discussed above, the new standard
includes requirements that clarify the
procedures auditors should perform to
support their use of intermediaries to
facilitate the direct electronic
transmission of confirmation requests
and responses between the auditor and
the confirming party. These
requirements may lead to modifications
to firm methodologies. Further, the
required procedures may involve
additional auditor time and effort. The
resulting costs likely depend on the
extent to which the new requirements
have already been incorporated in a
firm’s current methodologies. One
commenter expressed concern that the
proposed requirement to assess the
intermediary’s controls would result in
significant additional work for auditors
because it is not currently common
practice to directly assess intermediaries
in this manner. The PCAOB staff’s
review of firm methodologies discussed
above did not suggest that the
requirements in Appendix B of the new
standard would create significant
additional work for auditors. In
particular, both the GNF and NAF
methodologies reviewed generally
already include guidance on
maintaining control over the
confirmation process and the use of
intermediaries, which may limit the
costs. In addition, the Board notes that
the requirements in the new standard
relate to relevant controls that address
the risk of interception and alteration of
confirmation requests and responses
and that some intermediaries currently
make information about relevant
internal controls available to auditors
through a SOC report.
If the auditor is able to obtain audit
evidence by directly accessing
information maintained by
knowledgeable external sources instead
of confirmation, such audit evidence
could be at least as persuasive as audit
evidence obtained through confirmation
procedures, and the new standard
allows the auditor to perform such
procedures. This provision is not
expected to impose new costs on firms,
as firms would only obtain relevant and
reliable audit evidence by directly
accessing information maintained by a
knowledgeable external source to the
extent that technological advancements
render it more efficient than performing
confirmation procedures. Thus, to the
extent that the auditor is able to replace
confirmation procedures with obtaining
audit evidence by directly accessing
information maintained by a
knowledgeable external source, the new
standard could reduce costs for firms.
Potential Unintended Consequences
In addition to the benefits and costs
discussed above, the new standard
could have unintended economic
impacts. The following discussion
describes potential unintended
consequences the Board has considered
and, where applicable, factors that
mitigate the negative consequences,
such as steps the Board has taken or the
existence of other countervailing forces.
Potential Decline in Auditors’ Usage of
Confirmation
An unintended consequence of the
new standard would occur if, contrary
to the Board’s expectation, there were a
significant reduction in the use of
confirmation procedures by auditors in
circumstances where confirmation
would provide relevant and reliable
audit evidence.
Under the new standard, auditors
retain the ability to use confirmation as
one procedure, among others, to audit
one or more financial statement
accounts or disclosures. At the same
time, the new standard strengthens the
requirements for an auditor regarding
evaluating the reliability of confirmation
responses and addressing confirmation
exceptions and incomplete responses,
including performing alternative
procedures to obtain audit evidence.
Further, the new standard describes the
types of procedures the auditor should
perform in evaluating the effect of using
an intermediary on the reliability of
confirmation requests and responses,
including determining whether relevant
controls of the intermediary are
designed and operating effectively. In
addition, the new standard does not
allow the auditor to use negative
confirmation requests as the sole
substantive procedure. As a result,
when not required to use confirmation,
auditors might decline to use
confirmation and use other audit
procedures more frequently than under
existing AS 2310 if they perceive there
could be more time or cost involved in
the confirmation process relative to the
performance of other procedures.
This potential unintended
consequence is mitigated, however, by
the requirement that the auditor should
perform confirmation procedures for
cash and accounts receivable, or
otherwise obtain audit evidence by
directly accessing information
maintained by knowledgeable external
sources. In addition, the Board’s
standards already provide that the
auditor should evaluate whether the
combined evidence provided by
confirmation and other auditing
procedures provide sufficient evidence
about the applicable financial statement
assertions. Several of the changes to
existing requirements in the new
standard align with the Board’s
understanding of current practice. For
example, many audit firms’
methodologies include guidance on
maintaining control and the use of
intermediaries. Additionally, the
potential unintended consequence may
be mitigated to the extent that a firm has
experienced efficiencies from using
newer audit tools for confirmation
through reduced time or costs. Further,
the Board does not anticipate that the
requirements of the new standard will
cause a significant change in the timing
or extent of confirmation procedures for
auditors, as the Board has not amended
the requirements of AS 2301, which is
the auditing standard that addresses
those matters. Accordingly, the Board
does not believe that the new standard
will lead to a significant decline in the
use of confirmation.
Potential Misinterpretation of the
Requirements in the New Standard
Relating to the Confirmation of Cash
and Accounts Receivable
An unintended consequence of the
presumed requirement in the new
standard to confirm cash and accounts
receivable would arise if auditors
misinterpreted the language in the new
standard as requiring the confirmation
of cash and accounts receivable in all
situations. For example, the new
standard does not carry forward a
provision included in existing AS 2310
that an auditor could overcome the
presumption to confirm accounts
receivable if, among other things, ‘‘[t]he
use of confirmations would be
ineffective.’’ It is possible that some
auditors might misinterpret the
elimination of this language as
precluding the exercise of auditor
judgment with respect to the
confirmation of accounts receivable.
Some commenters on the 2022 Proposal
appeared to misinterpret the proposed
requirement and suggested that
confirmation would be required in all
situations. For example, one commenter
asserted that using confirmation
regardless of risk assessment may
promote a checklist mentality that does
not contribute to audit quality and an
audit approach that may be less efficient
and effective.
The Board does not intend, however,
that an auditor send confirmation
requests for accounts receivable in all
situations or when such procedures do
not provide relevant and reliable audit
evidence. If the auditor has not
determined cash or accounts receivable
to be a significant account, the new
standard does not require the
confirmation of cash or accounts
receivable. Moreover, to clarify the
Board’s intent, it has modified the
language in the proposed standard in
several respects. First, paragraph .25 of
the new standard addresses situations
when obtaining audit evidence about
accounts receivable directly from
knowledgeable external sources,
whether through confirmation
procedures or other means, would not
be feasible to execute. If it is not feasible
for the auditor to obtain audit evidence
about accounts receivable directly from
a knowledgeable external source, the
auditor should obtain external
information indirectly by performing
other substantive procedures, including
tests of details.
In addition, the Board is not adopting
paragraph .07 of the proposed standard,
which referred to situations where
evidence obtained through the
confirmation process ‘‘generally is more
persuasive than audit evidence obtained
solely through other procedures’’ and
may have contributed to a
misperception that the Board was
proposing to require confirmation in all
circumstances. In the Board’s view, the
language in the new standard
acknowledges the role of professional
judgment in the auditor’s selection of
audit procedures to obtain sufficient
appropriate audit evidence, while
retaining a presumption to confirm cash
and accounts receivable or otherwise
obtain relevant and reliable audit
evidence by directly accessing
information maintained by a
knowledgeable external source. This
should mitigate the potential
unintended consequence described
above.
Alternatives Considered
The development of the new standard
involved considering a number of
alternative approaches to address the
problems described above. This section
explains: (i) why standard setting is
preferable to other policy-making
approaches, such as providing
interpretive guidance or enhancing
inspection or enforcement efforts; (ii)
other standard-setting approaches that
were considered; and (iii) key policy
choices made by the Board in
determining the details of the new
standard-setting approach.
Why Standard Setting Is Preferable to
Other Policy-Making Approaches
The Board’s policy tools include
alternatives to standard setting, such as
issuing additional interpretive guidance,
or increasing our focus on inspections
or enforcement of existing standards.
The Board considered whether
providing guidance or increasing
inspection or enforcement efforts would
be effective mechanisms to address
concerns with the auditor’s use of
confirmation.
Interpretive guidance inherently
provides additional information about
existing standards. Inspection and
enforcement actions take place after
insufficient audit performance (and
potential investor harm) has occurred.
Devoting additional resources to
interpretive guidance, inspections, or
enforcement activities, without
improving the relevant performance
requirements for auditors, would at best
focus auditors’ performance on existing
standards and would not provide the
benefits discussed above associated
with improving the standards. The new
standard, on the other hand, is designed
to improve existing requirements for the
auditor’s use of confirmation. For
example, the new standard, unlike
existing AS 2310, includes requirements
relating to the confirmation of cash
accounts, imposes additional limitations
on the use of negative confirmation
requests, clarifies the circumstances in
which auditors would be expected to
perform alternative procedures, and
includes explicit provisions addressing
the auditor’s responsibility for selecting
items to be confirmed, sending
confirmation requests, and receiving
confirmation responses.
Other Standard-Setting Alternatives
Considered
Several alternative standard-setting
approaches were also considered,
including: (i) making amendments to
the existing standard; and (ii) adopting
an approach based on ISA 505, with
certain modifications to reflect the
PCAOB’s statutory responsibilities with
respect to audits of public companies
and registered broker-dealers.
Amendments to Existing Standard
The Board considered, but decided
against, limiting the amendments to AS
2310 solely to modifications relating to
changes in technology that have affected
the confirmation process. While this
approach could result in fewer changes
to firms’ audit methodologies, the Board
believes there are a number of other
areas discussed throughout this release,
beyond amending AS 2310 to reflect the
increasing use of technology in the
confirmation process, where the existing
standard should be improved.
Standard Based on ISA 505
Some commenters on the 2009
Concept Release and the 2010 Proposal
suggested that the Board should
consider adopting ISA 505, the IAASB’s
standard on audit confirmation, which
was issued in 2008. The Board has taken
the requirements and application
material of ISA 505 into account in
developing the new standard (e.g., the
ISA 505 application material relating to
the use of a third party to coordinate
and provide responses to confirmation
requests).
The Board concluded, however, that
the new standard should also establish
certain requirements that are not
included in ISA 505 (e.g., requirements
to confirm cash and accounts receivable
or otherwise obtain relevant and reliable
audit evidence by directly accessing
information maintained by a
knowledgeable external source), and
should not include certain provisions
that are described in ISA 505 (e.g.,
regarding management’s refusal to allow
the auditor to send a confirmation
request). In addition, audit practices
have continued to evolve since ISA 505
was issued in 2008, and the Board
believes that the new standard should
reflect these developments (e.g., by
addressing electronic communication
and the use of intermediaries in the
requirements of the standard rather than
in application materials).
Key Policy Choices
Given a preference for replacing
existing AS 2310 in its entirety, the
Board considered different approaches
to addressing key policy issues.
Use of Confirmation Procedures for
Specific Accounts
The new standard provides that when
addressing an assessed risk of material
misstatement of cash and cash
equivalents held by third parties, as
well as of accounts receivable that arise
from the transfer of goods or services to
a customer or a financial institution’s
loans, the auditor should perform
confirmation procedures or otherwise
obtain relevant and reliable audit
evidence by directly accessing
information maintained by a
knowledgeable external source. In
addition, under the new standard, when
obtaining audit evidence from a
knowledgeable external source
regarding cash, the auditor should
consider sending confirmation requests
to that source about other financial
relationships with the company, based
on the assessed risk of material
misstatement. Also, when the auditor
has identified a complex transaction or
a significant unusual transaction, the
auditor should consider confirming
those terms of the transaction that are
associated with a significant risk of
material misstatement, including a fraud
risk. The new standard does not specify
other significant accounts or disclosures
that the auditor should confirm or
consider confirming. The Board
considered several alternatives to this
approach, as discussed below.
First, the Board considered an
approach that would have no
requirement for the auditor to confirm
specified accounts or transactions. In
the Board’s view, this approach might
result in the selection by some auditors
of audit procedures that provide less
relevant and reliable audit evidence
than confirmation with respect to cash
and accounts receivable (e.g., if an
auditor mistakenly assessed the risk of
material misstatement too low for cash
or accounts receivable). Further,
confirmation of cash and accounts
receivable is already a standard practice
for many auditors and is consistent with
the concept that audit evidence
obtained from a knowledgeable external
source is more reliable than evidence
obtained only from internal company
sources. Accordingly, the Board has
decided against an approach that does
not require the confirmation of any
accounts and disclosures in the new
standard.
In addition, the Board considered
including in the new standard a
requirement that the auditor should
confirm other accounts in addition to
cash and accounts receivable, such as
investments. The Board has decided
against this approach because it would
limit auditor judgment in circumstances
where the performance of other auditing
procedures might provide relevant and
reliable audit evidence, could be viewed
as unduly prescriptive, and would not
allow the auditor to take company-specific facts and circumstances into
account. Instead, under the new
standard, the auditor could decide to
perform confirmation procedures with
respect to financial statement assertions
relating to other accounts and
disclosures but is not required to do so.
The Board also considered an
additional requirement that the auditor
should perform confirmation
procedures in response to significant
risks that relate to relevant assertions,
when such assertions can be adequately
addressed by confirmation procedures.
However, the Board believes that such
a requirement would be inconsistent
with the Board’s risk assessment
standards, which allow for auditor
judgment in determining the audit
response to significant risks identified
by the auditor. The Board has not
included this provision in the new
standard.
Management Requests Not To Confirm
The Board considered addressing
situations where management requests
that the auditor not confirm one or more
items in the new standard. Specifically,
the Board considered requiring the
auditor to obtain an understanding of
the reasons for management’s request,
perform alternative procedures as
discussed in Appendix C of the new
standard, and communicate the request
to the audit committee. In addition, the
Board considered a requirement that the
auditor should evaluate the implications
for the auditor’s report if the auditor
determines that management’s request
impairs the auditor’s ability to obtain
sufficient appropriate audit evidence or
indicates that one or more fraud risk
factors are present. For the reasons
discussed above, the Board has decided
not to include such provisions in the
new standard.
Special Considerations for Audits of
Emerging Growth Companies
Pursuant to Section 104 of the
Jumpstart Our Business Startups Act
(‘‘JOBS Act’’), rules adopted by the
Board subsequent to April 5, 2012,
generally do not apply to the audits of
EGCs, as defined in Section 3(a)(80) of
the Exchange Act, unless the SEC
‘‘determines that the application of such
additional requirements is necessary or
appropriate in the public interest, after
considering the protection of investors,
and whether the action will promote
efficiency, competition, and capital
formation.’’ 107 As a result of the JOBS
Act, the rules and related amendments
to PCAOB standards that the Board
adopts are generally subject to a
separate determination by the SEC
regarding their applicability to audits of
EGCs.
To inform consideration of the
application of auditing standards to
audits of EGCs, PCAOB staff prepares a
white paper annually that provides
general information about
characteristics of EGCs.108 As of the
November 15, 2021, measurement date,
PCAOB staff identified 3,092 companies
that self-identified with the SEC as
EGCs and filed audited financial
statements in the 18 months preceding
the measurement date.
Confirmation is a longstanding audit
procedure used in nearly all audits,
including audits of EGCs. The
discussion of benefits, costs, and
unintended consequences above is
generally applicable to audits of EGCs.
The economic impacts of the new
standard on an EGC audit depend on
factors such as the audit firm’s current
methodologies, the audit firm’s ability
to distribute implementation costs
across engagements, and the auditor’s
assessed risk of material misstatement.
EGCs are likely to be newer
companies, which may increase the
importance to investors of the external
audit to enhance the credibility of
management disclosures.109 Further,
compared to non-EGCs, EGCs are more
likely to be audited by NAFs.110 As
discussed above, NAFs are expected to
make more changes to their
methodologies and practice to comply
with the new standard. Therefore, all
else equal, the benefits of the higher
audit quality resulting from the new
standard may be larger for EGCs than for
non-EGCs, including improved
efficiency of market capital allocation,
lower cost of capital, and enhanced
capital formation.111 In particular,
because investors who face uncertainty
about the reliability of a company’s
107 See Public Law 112–106 (Apr. 5, 2012).
Section 103(a)(3)(C) of the Act, as added by Section
104 of the JOBS Act, also provides that any rules
of the Board requiring (1) mandatory audit firm
rotation or (2) a supplement to the auditor’s report
in which the auditor would be required to provide
additional information about the audit and the
financial statements of the issuer (auditor
discussion and analysis) shall not apply to an audit
of an EGC. The new standard does not fall within
either of these two categories.
108 For the most recent EGC report, see White
Paper on Characteristics of Emerging Growth
Companies and Their Audit Firms at November 15,
2021 (Jan. 5, 2023) (‘‘EGC White Paper’’), available
at https://pcaobus.org/resources/other-research-projects.
109 Researchers have developed a number of
proxies that are thought to be correlated with
information asymmetry, including small issuer size,
lower analyst coverage, larger insider holdings, and
higher research and development costs. To the
extent that EGCs exhibit one or more of these
properties, there may be a greater degree of
information asymmetry for EGCs than for the
broader population of companies, which increases
the importance to investors of the external audit to
enhance the credibility of management disclosures.
See, e.g., Mary E. Barth, Wayne R. Landsman, and
Daniel J. Taylor, The JOBS Act and Information
Uncertainty in IPO Firms, 92 The Accounting
Review 25, 25 (2017); Steven A. Dennis and Ian G.
Sharpe, Firm Size Dependence in the Determinants
of Bank Term Loan Maturity, 32 Journal of Business
Finance and Accounting 31, 59 (2005); Michael J.
Brennan and Avanidhar Subrahmanyam,
Investment Analysis and Price Formation in
Securities Markets, 38 Journal of Financial
Economics 361, 363 (1995); David Aboody and
Baruch Lev, Information Asymmetry, R&D, and
Insider Gains, 55 Journal of Finance 2747, 2755
(2000); Raymond Chiang and P. C. Venkatesh,
Insider Holdings and Perceptions of Information
Asymmetry: A Note, 43 Journal of Finance 1041,
1047 (1988); Molly Mercer, How Do Investors
Assess the Credibility of Management Disclosures?,
18 Accounting Horizons 185, 194 (2004).
Furthermore, research has shown that reduced
disclosure requirements for EGCs are associated
with lower audit effort. The academic literature has
also documented evidence of lower audit quality for
EGCs. To the extent that the new standard will
increase auditor effort, EGCs are expected to benefit
from higher audit quality. See, e.g., Tiffany J.
Westfall and Thomas C. Omer, The Emerging
Growth Company Status on IPO: Auditor Effort,
Valuation, and Underpricing, 37 Journal of
Accounting and Public Policy 315, 316 (2018);
Essam Elshafie, The Impact of Reducing Reporting
Requirements on Audit Quality, Auditor Effort and
Auditor Conservatism, 35 Accounting Research
Journal 756, 756 (2022).
110 EGC White Paper at 22.
111 The enhanced quality of audits and financial
information available to financial markets may
result in investors perceiving less risk in capital
markets. This, in turn, may lead to an increase in
the supply of capital which could increase capital
formation. See, e.g., Hanwen Chen, Jeff Zeyun
Chen, Gerald J. Lobo, and Yanyan Wang, Effects of
audit quality on earnings management and cost of
equity capital: Evidence from China, 28
Contemporary Accounting Research 892, 921
(2011); Richard Lambert, Christian Leuz, and Robert
E. Verrecchia, Accounting Information, Disclosure,
and the Cost of Capital, 45 Journal of Accounting
Research 385, 410 (2007).
VerDate Sep<11>2014
18:16 Oct 16, 2023
Jkt 262001
financial statements may require a larger
risk premium that increases the cost of
capital to companies, the improved
audit quality resulting from applying
the new standard to EGC audits could
reduce the cost of capital to those
EGCs.112
While the associated costs may also
be higher for EGC audits than for non-EGC audits, because of the scalability of
the risk-based requirements, the costs of
performing the procedures are unlikely
to be disproportionate to the benefits of
the procedures. Moreover, if any of the
new amendments were determined not
to apply to the audits of EGCs, auditors
would need to address differing audit
requirements in their methodologies, or
policies and procedures, with respect to
audits of EGCs and non-EGCs, which
would create the potential for
confusion. The new standard could
impact competition in an EGC product
market if the indirect costs to audited
companies disproportionately impact
EGCs relative to their competitors.
However, as discussed above, the costs
associated with the new standard are
expected to be relatively modest.
Therefore, the impact of the new
standard on competition, if any, is
expected to be limited. Overall, the new
standard is expected to enhance audit
quality and contribute to an increase in
the credibility of financial reporting by
EGCs.
Accordingly, and for the reasons
explained above, the Board is requesting
that the Commission determine that it is
necessary or appropriate in the public
interest, after considering the protection
of investors and whether the action will
promote efficiency, competition, and
capital formation, to apply the new
standard to audits of EGCs. One
commenter specifically supported the
application of the 2022 Proposal to
EGCs.
112 For a discussion of how increasing reliable
public information about a company can reduce
risk premium, see David Easley and Maureen
O’Hara, Information and the Cost of Capital, 59 The
Journal of Finance 1553, 1578 (2004).
III. Date of Effectiveness of the
Proposed Rules and Timing for
Commission Action
Within 45 days of the date of
publication of this notice in the Federal
Register or within such longer period (i)
as the Commission may designate up to
90 days of such date if it finds such
longer period to be appropriate and
publishes its reasons for so finding or
(ii) as to which the Board consents, the
Commission will:
(A) By order approve or disapprove
such proposed rules; or
(B) Institute proceedings to determine
whether the proposed rules should be
disapproved.
IV. Solicitation of Comments
Interested persons are invited to
submit written data, views and
arguments concerning the foregoing,
including whether the proposed rules
are consistent with the requirements of
Title I of the Act. Comments may be
submitted by any of the following
methods:
Electronic Comments
• Use the Commission’s internet
comment form (https://www.sec.gov/rules/pcaob); or
• Send an email to rule-comments@sec.gov.
Please include file number
PCAOB–2023–02 on the subject line.
Paper Comments
• Send paper comments in triplicate
to Vanessa A. Countryman, Secretary,
Securities and Exchange Commission,
100 F Street NE, Washington, DC
20549–1090.
All submissions should refer to file
number PCAOB–2023–02. This file
number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
post all comments on the Commission’s
internet website (https://www.sec.gov/rules/pcaob).
Copies of the submission,
all subsequent amendments, all written
statements with respect to the proposed
rules that are filed with the
Commission, and all written
communications relating to the
proposed rules between the Commission
and any person, other than those that
may be withheld from the public in
accordance with the provisions of 5
U.S.C. 552, will be available for website
viewing and printing in the
Commission’s Public Reference Room,
100 F Street NE, Washington, DC 20549,
on official business days between the
hours of 10 a.m. and 3 p.m. Copies of
such filing will also be available for
inspection and copying at the principal
office of the PCAOB. Do not include
personal identifiable information in
submissions; you should submit only
information that you wish to make
available publicly. We may redact in
part or withhold entirely from
publication submitted material that is
obscene or subject to copyright
protection. All submissions should refer
to File Number PCAOB–2023–02 and
should be submitted on or before
November 7, 2023.
For the Commission, by the Office of the
Chief Accountant.113
Vanessa A. Countryman,
Secretary.
[FR Doc. 2023–22491 Filed 10–16–23; 8:45 am]
113 17 CFR 200.30–11(b)(1) and (3).
BILLING CODE 8011–01–P
[Federal Register Volume 88, Number 199 (Tuesday, October 17, 2023)]
[Notices]
[Pages 71684-71724]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-22491]
Vol. 88, No. 199
Tuesday, October 17, 2023
Part III
Securities and Exchange Commission
-----------------------------------------------------------------------
Public Company Accounting Oversight Board; Notice of Filing of Proposed
Rules on the Auditor's Use of Confirmation, and Other Amendments to
Related PCAOB Standards; Notice
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-98689; File No. PCAOB-2023-02]
Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on the Auditor's Use of Confirmation, and Other
Amendments to Related PCAOB Standards
October 5, 2023.
Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the
``Act''), notice is hereby given that on October 4, 2023, the Public
Company Accounting Oversight Board (the ``Board'' or ``PCAOB'') filed
with the Securities and Exchange Commission (the ``Commission'' or
``SEC'') the proposed rules described in Items I and II below, which
items have been prepared by the Board. The Commission is publishing
this notice to solicit comments on the proposed rules from interested
persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On September 28, 2023, the Board adopted amendments to auditing
standards for the auditor's use of confirmation, and amendments to
related PCAOB standards (collectively, the ``proposed rules''),
including the retitling and replacement of an existing standard with a
new standard. The text of the proposed rules appears in Exhibit A to
the SEC Filing Form 19b-4 and is available on the Board's website at
https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-028-proposed-auditing-standard-related-to-confirmation and at the
Commission's Public Reference Room.
II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed comments it received on the proposed rules. The text of these
statements may be examined at the places specified in Item IV below.
The Board has prepared summaries, set forth in sections A, B, and C
below, of the most significant aspects of such statements. In addition,
the Board is requesting that the Commission approve the proposed rules,
pursuant to Section 103(a)(3)(C) of the Act, for application to audits
of emerging growth companies (``EGCs''), as that term is defined in
Section 3(a)(80) of the Securities Exchange Act of 1934 (``Exchange
Act''). The Board's request is set forth in section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
(a) Purpose
Summary
The Board is replacing AS 2310, The Confirmation Process, in its
entirety with a new standard, AS 2310, The Auditor's Use of
Confirmation (``new standard'') to strengthen and modernize the
requirements for the confirmation process. As described in the new
standard, the confirmation process involves selecting one or more items
to be confirmed, sending a confirmation request directly to a
confirming party (e.g., a financial institution), evaluating the
information received, and addressing nonresponses and incomplete
responses to obtain audit evidence about one or more financial
statement assertions. If properly designed and executed by an auditor,
the confirmation process may provide important evidence that the
auditor obtains as part of an audit of a company's financial
statements.
Why the Board Is Adopting These Changes Now
AS 2310 is an important standard for audit quality and investor
protection, as the audit confirmation process touches nearly every
audit. The standard was initially written over 30 years ago and has had
minimal amendments since its adoption by the PCAOB in 2003.
The Board adopted the new standard after substantial outreach,
including several rounds of public comment. The PCAOB previously
considered updating AS 2310 by issuing a concept release in 2009 and a
proposal in 2010 for a new auditing standard that would supersede AS
2310. While the PCAOB did not amend or replace AS 2310 at that time,
subsequent developments--including the increasing use of electronic
communications and third-party intermediaries in the confirmation
process--led the Board to conclude that enhancements to AS 2310 and
modifications to the approach proposed in 2010 could improve the
quality of audit evidence obtained by auditors. In addition, the Board
has observed continued inspection findings related to auditors' use of
confirmation, as well as enforcement actions involving failures to
adhere to requirements in the existing auditing standard regarding
confirmation, such as the requirement for the auditor to maintain
control over the confirmation process.
Accordingly, having considered these developments and input from
commenters, the Board revisited the previously proposed changes and
issued a new proposed standard to replace AS 2310, along with
conforming amendments to other PCAOB auditing standards, in December
2022. Commenters generally supported the Board's objective of improving
the confirmation process, and suggested areas to further improve the
new standard, modify proposed requirements that would not likely
improve audit quality, and clarify the application of the new standard.
In adopting the new standard and related amendments, the Board has
taken into account all of these comments, as well as observations from
PCAOB oversight activities.
Key Provisions of the New Standard
The new standard and related amendments are intended to enhance the
PCAOB's requirements on the use of confirmation by describing
principles-based requirements that apply to all methods of
confirmation, including paper-based and electronic means of
communications. In addition, the new standard is more expressly
integrated with the PCAOB's risk assessment standards by incorporating
certain risk-based considerations and emphasizing the auditor's
responsibilities for obtaining relevant and reliable audit evidence
through the confirmation process. Among other things, the new standard:
• Includes a new requirement regarding confirming cash and
cash equivalents held by third parties (``cash''), or otherwise
obtaining relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source;
• Carries forward the existing requirement regarding
confirming accounts receivable, while addressing situations where it
would not be feasible for the auditor to perform confirmation
procedures or obtain relevant and reliable audit evidence for accounts
receivable by directly accessing information maintained by a
knowledgeable external source;
• States that the use of negative confirmation requests
alone does not provide sufficient appropriate audit evidence (and
includes examples of situations where the auditor may use negative
confirmation requests to supplement other substantive audit
procedures);
• Emphasizes the auditor's responsibility to maintain
control over the confirmation process and provides that the auditor is
responsible for selecting the items to be confirmed,
sending confirmation requests, and receiving confirmation responses;
and
• Identifies situations in which alternative procedures
should be performed by the auditor (and includes examples of such
alternative procedures that may provide relevant and reliable audit
evidence for a selected item).
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of the Act.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts
of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others
The Board released the proposed rules for public comment in PCAOB
Release No. 2022-009 (Dec. 20, 2022) (``2022 Proposal''). The Board
previously issued a concept release for public comment in PCAOB Release
No. 2009-002 (Apr. 14, 2009) (``2009 Concept Release'') and a proposed
auditing standard related to confirmation and related amendments to
PCAOB standards in PCAOB Release No. 2010-003 (July 13, 2010) (``2010
Proposal''). The Board received 98 written comment letters relating to
the 2022 Proposal, the 2009 Concept Release, and the 2010 Proposal. The
Board has carefully considered all comments received. The Board's
response to the comments it received and the changes made to the rules
in response to the comments received are discussed below.
Background
Information obtained by the auditor directly from knowledgeable
external sources, including through confirmation, can be an important
source of evidence obtained as part of an audit of a company's
financial statements.\1\ Confirmation has long been used by auditors.
For example, one early auditing treatise noted the importance of
confirmation for cash deposits, accounts receivable, and demand
notes.\2\ In addition, confirmation of accounts receivable has been a
required audit procedure in the United States since 1939, when the
American Institute of Accountants \3\ adopted Statement on Auditing
Procedure No. 1 (``SAP No. 1'') as a direct response to the McKesson &
Robbins fraud case, which involved fraudulently reported inventories
and accounts receivable that the independent auditors failed to detect
after performing other procedures that did not involve confirmation.\4\
---------------------------------------------------------------------------
\1\ See, e.g., paragraph 08 of AS 1105, Audit Evidence
(providing that, in general, ``[e]vidence obtained from a
knowledgeable source that is independent of the company is more
reliable than evidence obtained only from internal company
sources'').
\2\ Robert H. Montgomery, Auditing Theory and Practice 91
(confirmation of cash deposits), 263 (confirmation of accounts
receivable), and 353 (confirmation of demand notes) (1912).
\3\ The American Institute of Accountants was the predecessor to
the American Institute of CPAs (``AICPA'').
\4\ See In the Matter of McKesson & Robbins, Inc., SEC Rel. No.
34-2707 (Dec. 5, 1940).
---------------------------------------------------------------------------
SAP No. 1 required confirmation of accounts receivable by direct
communication with customers in all independent audits of financial
statements, subject to the auditor's ability to overcome the
presumption to confirm accounts receivable for certain reasons.
Following the adoption of SAP No. 1, the accounting profession also
adopted a requirement in 1942, which remained in effect until the early
1970s, that auditors should disclose in the auditor's report when
confirmation of accounts receivable was not performed. The AICPA's
subsequent revisions to its auditing standards included the
promulgation of AU sec. 330, The Confirmation Process, which was
adopted in 1991 and took effect in 1992. The PCAOB adopted AU sec. 330
(now AS 2310) as an interim standard in 2003.\5\
---------------------------------------------------------------------------
\5\ Shortly after the Board's inception, the Board adopted the
existing standards of the AICPA, as in existence on Apr. 16, 2003,
as the Board's interim auditing standards. See Establishment of
Interim Professional Auditing Standards, PCAOB Rel. No. 2003-006
(Apr. 18, 2003). AU sec. 330 was one of these auditing standards. As
of Dec. 31, 2016, the PCAOB reorganized its auditing standards using
a topical structure and a single, integrated number system, at which
time AU sec. 330 was designated AS 2310. See Reorganization of PCAOB
Auditing Standards and Related Amendments to PCAOB Standards and
Rules, PCAOB Rel. No. 2015-002 (Mar. 31, 2015).
---------------------------------------------------------------------------
The amendments to the standards for the auditor's use of
confirmation are intended to improve audit quality through
principles-based requirements that apply to all methods of confirmation and are
more expressly integrated with the Board's risk assessment standards.
These enhancements should also lead to improvements in practice,
commensurate with the associated risk, among audit firms of all sizes.
The expected increase in audit quality should also enhance the
credibility of information provided in a company's financial
statements.
Rulemaking History
The final amendments to the auditing standards reflect public
comments on a concept release and two proposals. In April 2009, the
PCAOB issued a concept release seeking public comment on the potential
direction of a standard-setting project that could result in amendments
to the PCAOB's existing standard on the confirmation process or a new
auditing standard that would supersede the existing standard.\6\ The
2009 Concept Release discussed existing requirements and posed
questions about potential amendments to those requirements.
---------------------------------------------------------------------------
\6\ Concept Release on Possible Revisions to the PCAOB's
Standard on Audit Confirmations, PCAOB Rel. No. 2009-002 (Apr. 14,
2009).
---------------------------------------------------------------------------
In July 2010, the PCAOB proposed an auditing standard that, if
adopted, would have superseded the existing confirmation standard.\7\
The 2010 Proposal was informed by comments on the 2009 Concept Release
and was intended to strengthen the existing standard by, among other
things, expanding certain requirements and introducing new
requirements. In general, commenters on the 2010 Proposal supported
updating the existing standard to address relevant developments in
audit practice, including greater use of emailed confirmation requests
and responses and the involvement of third-party intermediaries. At the
same time, some commenters asserted that the proposed requirements in
the 2010 Proposal were unduly prescriptive (i.e., included too many
presumptively mandatory requirements) and would result in a significant
increase in the volume of confirmation requests without a corresponding
increase in the quality of audit evidence obtained by the auditor. The
PCAOB did not adopt the 2010 Proposal.
---------------------------------------------------------------------------
\7\ Proposed Auditing Standard Related to Confirmation and
Related Amendments to PCAOB Standards, PCAOB Rel. No. 2010-003 (July
13, 2010).
---------------------------------------------------------------------------
In December 2022, the Board issued a proposed auditing standard to
improve the quality of audits when confirmation is used by the auditor
and to reflect changes in the means of communication and in business
practice since the standard was originally issued.\8\ The 2022 Proposal
was informed by comments on the 2009 Concept Release and 2010 Proposal
and specified the auditor's responsibilities regarding the confirmation
process. The Board received 46 comment letters on the 2022 Proposal
from commenters across a range of affiliations. Those comments
are discussed throughout this release. Commenters on the 2022 Proposal
generally expressed support for the project's objective and suggested
ways to revise or clarify the proposed standard. The Board considered
the comments on the 2022 Proposal, as well as on the 2009 Concept
Release and the 2010 Proposal, in developing the final amendments.\9\
The Board also considered observations from PCAOB oversight activities.
---------------------------------------------------------------------------
\8\ Proposed Auditing Standard--The Auditor's Use of
Confirmation, and Other Proposed Amendments to PCAOB Standards,
PCAOB Rel. No. 2022-009 (Dec. 20, 2022). In this exhibit, the term
``proposed standard'' refers to the proposed auditing standard
relating to the auditor's use of confirmation as described in the
2022 Proposal.
\9\ The comment letters received on the 2009 Concept Release,
2010 Proposal, and 2022 Proposal are available in the docket for
this rulemaking on the PCAOB's website (https://pcaobus.org/Rulemaking/Pages/Docket028Comments.aspx).
---------------------------------------------------------------------------
Existing Standard
This section discusses key provisions of the existing PCAOB
auditing standard on the confirmation process.
In 2003, the PCAOB adopted the standard now known as AS 2310 (at
that time, AU sec. 330), when it adopted the AICPA's standards then in
existence. Existing AS 2310 indicates that confirmation is the process
of obtaining and evaluating a direct communication from a third party
in response to a request for information about a particular item
affecting financial statement assertions.\10\ For example, an auditor
might request a company's customers to confirm balances owed at a
certain date, or request confirmation of a company's accounts or loans
payable to a bank at a certain date.
---------------------------------------------------------------------------
\10\ Under PCAOB standards, financial statement assertions can
be classified into the following categories: existence or
occurrence, completeness, valuation or allocation, rights and
obligations, and presentation and disclosure. See, e.g., AS 1105.11.
---------------------------------------------------------------------------
Key provisions of existing AS 2310 include the following:
• A presumption that the auditor will request confirmation
of accounts receivable. The standard states that confirmation of
accounts receivable is a generally accepted auditing procedure and
provides the situations in which the auditor may overcome the
presumption.
• Procedures for designing the confirmation request,
including the requirement that the auditor direct the confirmation
request to a third party who the auditor believes is knowledgeable
about the information to be confirmed.
• Procedures relating to the use of both positive and
negative confirmation requests. A positive confirmation request directs
the recipient to send a response back to the auditor stating the
recipient's agreement or disagreement with information stated in the
request, or furnishing requested information. A negative confirmation
request directs the recipient to respond back to the auditor only when
the recipient disagrees with information in the auditor's request. The
standard states that ``[n]egative confirmation requests may be used to
reduce audit risk to an acceptable level when (a) the combined assessed
level of inherent and control risk is low, (b) a large number of small
balances is involved, and (c) the auditor has no reason to believe that
the recipients of the requests are unlikely to give them
consideration.'' \11\ If negative confirmation requests are used, the
auditor should consider performing other substantive procedures to
supplement their use.\12\
---------------------------------------------------------------------------
\11\ See AS 2310.20.
\12\ Id.
---------------------------------------------------------------------------
• A requirement for the auditor to maintain control over
confirmation requests and responses by establishing direct
communication between the intended recipient and the auditor.
• Procedures to consider when the auditor does not receive a
written confirmation response via return mail, including how the
auditor should evaluate the reliability of oral and facsimile responses
to written confirmation requests. The standard provides that, when
confirmation responses are in other than a written format mailed to the
auditor, additional evidence may be necessary to establish the validity
of the respondent.
• A requirement that the auditor should perform alternative
procedures when the auditor has not received a response to a positive
confirmation request.
• Requirements for the auditor's evaluation of the results
of confirmation procedures and any alternative procedures performed by
the auditor. These provisions include the requirement that, if the
combined evidence provided by confirmation, alternative procedures, and
other procedures is not sufficient, the auditor should request
additional confirmations or extend other tests, such as tests of
details or analytical procedures.
Current Practice
This section discusses the Board's understanding of current
practice based on, among other things, observations from oversight
activities of the Board and SEC enforcement actions.
Overview of Current Practice
The audit confirmation process touches nearly every financial
statement audit conducted under PCAOB auditing standards. This is due
in part to the presumption in existing AS 2310 that the auditor will
confirm accounts receivable, which include claims against customers
that have arisen from the sale of goods or services in the normal
course of business and a financial institution's loans, unless certain
exemptions apply. In addition, audit methodologies of many larger audit
firms affiliated with global networks recommend or require confirming
cash accounts. In the past, the use of confirmation was a common
practice for auditing a financial institution's customer deposits. In
recent years, however, there has been an increased wariness about
phishing attempts by unauthorized parties aimed at obtaining sensitive
personal or financial information of customers. As a result, some
customers might not understand or trust an unsolicited confirmation
request from an auditor and, indeed, many financial institutions and
other companies now advise customers not to reply to unsolicited
correspondence concerning their accounts or other customer
relationships.\13\
---------------------------------------------------------------------------
\13\ Situations that involve using audit procedures other than
confirmation and situations where companies adopt the policy of
responding to electronic confirmation requests from auditors only
through an intermediary are discussed later in this exhibit.
---------------------------------------------------------------------------
Existing AS 2310 was written at a time when paper-based
confirmation requests and responses were the prevailing means of
communication. Since then, emailed confirmation requests and responses,
and the use of technology-enabled confirmation tools, including the use
of intermediaries to facilitate the confirmation process, have become
commonplace. For example, numerous financial institutions in the United
States, and an increasing number of international banks, mandate the
use of an intermediary as part of the confirmation process and will not
otherwise respond to an auditor's confirmation request.
As noted above, existing AS 2310 provides that the auditor should
maintain control over the confirmation process. In practice, complying
with this requirement involves the auditor directly sending the
confirmation request to the confirming party via mail or email, without
involving company personnel. The auditor's confirmation request
generally specifies that any correspondence should be sent directly to
the auditor's location (or email address) to minimize the risk of
interference by company personnel. When an intermediary facilitates
direct electronic communications between the auditor and the confirming
party, the auditor is still required to maintain control over the
confirmation process. Procedures performed by audit firms to address
this requirement vary depending on facts and circumstances.
Some auditors have used a report on controls at a service organization
(``SOC report'') to evaluate the design and operating effectiveness of
the intermediary's controls relevant to sending and receiving
confirmations.
Under the existing standard, auditors can use positive confirmation
requests and, provided certain conditions are met, negative
confirmation requests. A positive confirmation request either asks the
recipient to respond directly to the auditor about whether the
recipient agrees with information that is stated in the request or asks
the recipient to provide the requested information by filling in a
blank form. In comparison, a negative confirmation request directs the
recipient to respond only when the recipient disagrees with the
information included in the request. In practice, negative confirmation
requests have typically been used to obtain audit evidence related to
the completeness of deposit liabilities and other accounts of a similar
nature and, less frequently, to obtain evidence related to the
existence of accounts receivable. In some cases, auditors use a
combination of positive and negative confirmation requests.
Observations From Inspections and Enforcement Actions
This section discusses observations from PCAOB oversight activities
and SEC enforcement actions, including (1) PCAOB inspections of
registered public accounting firms (``firms'') and (2) enforcement
actions relating to deficient confirmation procedures performed by the
auditor. These observations have informed the Board's view that
providing greater clarity as the Board strengthens the requirements
could result in improved compliance by auditors.
Inspections. Over the past several years, PCAOB inspections
indicated that some auditors did not fulfill their responsibilities
under the existing standard when performing confirmation procedures.
The shortcomings have been noted at large and small domestic firms, and
at large firms with domestic and international practices. For example,
some auditors did not: (1) consider performing procedures to verify the
source of confirmation responses received electronically; (2) perform
sufficient alternative procedures; (3) restrict the use of negative
confirmation requests to situations where the risk of material
misstatement was assessed as low; or (4) maintain appropriate control
over the confirmation process, including instances where company
personnel were involved in either sending or receiving confirmations.
The PCAOB has also continued to monitor developments relating to
the use of confirmation through its other oversight and research
activities. For example, in 2021, the PCAOB staff issued a Spotlight
discussing, among other things, the use of technology in the
confirmation process.\14\ In addition, in 2022, the PCAOB staff issued
a Spotlight that specifically discussed observations and reminders on
the use of a service provider in the confirmation process.\15\
---------------------------------------------------------------------------
\14\ See Spotlight: Data and Technology Research Project Update
(May 2021), available at https://pcaobus.org/resources/staff-publications.
\15\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
Enforcement actions. Over the years, there have been a number of
enforcement actions by the PCAOB and the SEC alleging that auditors
failed to comply with PCAOB standards related to the confirmation
process. Enforcement actions have been brought against large and small
firms, and against U.S. and non-U.S. firms.
For example, PCAOB enforcement cases have involved allegations that
auditors failed to: (1) perform appropriate confirmation procedures to
address a fraud risk; \16\ (2) adequately respond to contradictory
audit evidence obtained from confirmation procedures; \17\ (3) perform
appropriate confirmation procedures and alternative procedures for
accounts receivable; \18\ or (4) maintain proper control over the
confirmation process.\19\
---------------------------------------------------------------------------
\16\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Whitley Penn LLP, PCAOB
Rel. No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the
Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No. 105-2015-009
(Apr. 28, 2015).
\17\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Ronald R. Chadwick,
P.C., PCAOB Rel. No. 105-2015-009 (Apr. 28, 2015); In the Matter of
Price Waterhouse, Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5,
2011).
\18\ See, e.g., In the Matter of Whitley Penn LLP, PCAOB Rel.
No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the
Matter of Wander Rodrigues Teles, PCAOB Rel. No. 105-2017-007 (Mar.
20, 2017); In the Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No.
105-2015-009 (Apr. 28, 2015); In the Matter of Price Waterhouse,
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
\19\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Price Waterhouse,
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
---------------------------------------------------------------------------
In several confirmation-related enforcement cases, the SEC alleged
that the deficient confirmation procedures by the auditors involved
companies that had engaged in widespread fraud, where properly
performed confirmation procedures might have led to the detection of
the fraudulent activity.\20\ Further, in a number of proceedings, the
SEC alleged that confirmation procedures were not properly designed
\21\ or, more frequently, that the auditors failed to adequately
evaluate responses to confirmation requests and perform alternative or
additional procedures in light of exceptions, nonresponses, or
responses that should have raised issues as to their reliability or the
existence of undisclosed related parties.\22\ Several of these
proceedings were brought in recent years, suggesting that problems
persist in this area.
---------------------------------------------------------------------------
\20\ See, e.g., In the Matter of CohnReznick LLP, SEC Rel.
No. 34-95066 (June 8, 2022); In the Matter of Ravindranathan
Raghunathan, CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the
Matter of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In
the Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP A/
K/A Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In
the Matter of William Joseph Kouser Jr., CPA, SEC Rel. No. 34-80370
(Apr. 4, 2017).
\21\ See, e.g., In the Matter of RSM US LLP, SEC Rel. No. 34-
95948 (Sept. 30, 2022); In the Matter of Ravindranathan Raghunathan,
CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the Matter of
Winter, Kloman, Moter & Repp, S.C., SEC Rel. No. 34-83168 (May 4,
2018); In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No.
34-80918 (June 14, 2017).
\22\ See, e.g., In the Matter of Jason Jianxun Tang, CPA, SEC
Rel. No. 34-96347 (Nov. 17, 2022); In the Matter of Steven Kirn,
CPA, SEC Rel. No. 34-95949 (Sept. 30, 2022); In the Matter of
Friedman LLP, SEC Rel. No. 34-95887 (Sept. 23, 2022); In the Matter
of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In the
Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP A/K/A
Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In the
Matter of Anton & Chia, LLP, SEC Rel. No. 34-87033 (Sept. 20, 2019);
In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No. 34-80918
(June 14, 2017); In the Matter of William Joseph Kouser Jr., CPA,
SEC Rel. No. 34-80370 (Apr. 4, 2017).
---------------------------------------------------------------------------
Reasons To Improve Auditing Standards
The amendments to PCAOB standards being adopted are intended to
enhance audit quality by clarifying and strengthening the requirements
for the auditor's use of confirmation. The final amendments are also
more expressly integrated with the PCAOB's risk assessment standards by
incorporating certain risk-based considerations and emphasizing the
auditor's responsibilities for obtaining relevant and reliable audit
evidence through the confirmation process. The Board believes that
these improvements will enhance both audit quality and the credibility
of the information provided in a company's financial statements.
Areas of Improvement
The Board has identified two important areas where improvements are
warranted to existing standards, discussed below: (1) updating the
standards to reflect developments in
practice and (2) clarifying the auditor's responsibilities to evaluate
the reliability of evidence obtained through confirmation responses.
Updating the Standards To Reflect Developments in Practice
The new standard supports the auditor's use of electronic forms of
communication between the auditor and the confirming party. Since the
AICPA standard on the confirmation process adopted by the PCAOB took
effect in 1992, there has been a significant change in the auditing
environment and the means by which an auditor communicates with
confirming parties. Emails and other forms of electronic communications
between auditors and confirming parties have become ubiquitous, and
third-party intermediaries now often facilitate the electronic
transmission of confirmation requests and responses between auditors
and confirming parties.
In addition, the Board believes its auditing standards should allow
for continued innovation by auditors in the ways they obtain audit
evidence. Traditionally, auditors have used confirmation in
circumstances where reliable evidence about financial statement
assertions could be obtained directly from a third party that transacts
with the company (e.g., to confirm the existence of cash or accounts
receivable). Generally, audit evidence obtained directly from
knowledgeable external sources, including through confirmation, has
been viewed as more reliable than evidence obtained through other audit
procedures available to the auditor,\23\ especially where the auditor
identified a risk of fraud, chose not to test controls, or determined
that controls could not be relied on.\24\
---------------------------------------------------------------------------
\23\ The confirmation process involves obtaining audit evidence
from a confirming party. Under PCAOB standards, in general, evidence
obtained from a knowledgeable source that is independent from the
company is more reliable than evidence obtained only from internal
company sources. See, e.g., AS 1105.08.
\24\ See, e.g., Staff Audit Practice Alert No. 8, Audit Risks in
Certain Emerging Markets (Oct. 3, 2011) (``SAPA No. 8'') at 11
(stating that, when an auditor has identified fraud risks relating
to a company's bank accounts or amounts due from customers, ``it is
important for the auditor to confirm amounts included in the
company's financial statements directly with a knowledgeable
individual from the bank or customer who is objective and free from
bias with respect to the audited entity rather than rely solely on
information provided by the company's management''). The
requirements of the new standard are consistent with the guidance in
SAPA No. 8, which auditors should continue to consider when using
confirmations to address fraud risks in emerging markets.
---------------------------------------------------------------------------
The PCAOB staff's research indicates that some audit firms may have
developed or may yet develop audit techniques that enable the auditor
to obtain relevant and reliable audit evidence for the same assertions
by performing substantive audit procedures that do not include
confirmation, as discussed in more detail below. To reflect these
developments, the new standard allows the performance of other
procedures in lieu of confirmation for cash and accounts receivable in
situations where the auditor can obtain relevant and reliable audit
evidence by directly accessing information maintained by knowledgeable
external sources. Further, the new standard acknowledges that, in
certain situations, it may not be feasible for the auditor to obtain
audit evidence for accounts receivable directly from a knowledgeable
external source and provides that in those situations the auditor
should obtain external information indirectly by performing other
substantive procedures, including tests of details.
Clarifying the Auditor's Responsibilities To Evaluate the Reliability
of Confirmation Responses
While information obtained through the confirmation process can be
an important source of audit evidence, the confirmation process must be
properly executed for the evidence obtained to be relevant and
reliable. The enforcement actions discussed above and other recent
high-profile financial reporting frauds have also called attention to
the importance of well-executed confirmation procedures, including the
confirmation of cash.\25\ In addition, PCAOB oversight activities have
identified instances in which auditors did not obtain sufficient
appropriate audit evidence when using confirmation. Accordingly, the
new standard includes a new requirement to confirm certain cash
balances and clarifies the auditor's responsibilities to evaluate the
reliability of evidence obtained through confirmation responses (and,
when necessary, to obtain audit evidence through alternative
procedures).
---------------------------------------------------------------------------
\25\ See, e.g., In the Matter of Mancera, S.C., SEC Rel. No. 34-
90699 (Dec. 17, 2020) (failure by auditors to properly evaluate
confirmation responses to requests for information on cash balances
of a Mexican homebuilder subsequently found to have engaged in a
``multi-billion dollar financial fraud''). See also Olaf Storbeck,
Tabby Kinder, and Stefania Palma, EY failed to check Wirecard bank
statements for 3 years, Financial Times (June 26, 2020) (potential
failure by auditors to confirm cash balances purportedly held by
Wirecard AG, a German company whose securities were not registered
with the SEC, directly with a Singapore-based bank).
---------------------------------------------------------------------------
Comments on the Reasons for Standard Setting
Many commenters on the 2022 Proposal broadly expressed support for
revisions to the Board's standard on the auditor's use of confirmation
to reflect developments in practice since the AICPA standard on the
confirmation process adopted by the PCAOB took effect in 1992. A number
of commenters also agreed that the standard on the auditor's use of
confirmation should be more closely aligned with the Board's risk
assessment standards. In addition, some commenters stated that updates
to the PCAOB's standard on the auditor's use of confirmation would be
generally consistent with their prior recommendations to the Board that
the Board modernize its interim auditing standards. Other commenters
suggested that the Board should also engage in additional outreach with
investors or that it consider other mechanisms to engage with
stakeholders prior to the adoption of standards, such as roundtables
and pre-implementation ``field testing'' of proposed standards.
In addition, several commenters expressed support for the
proposition that the PCAOB's auditing standards should allow for
continued innovation by auditors in the ways they obtain audit
evidence. These commenters generally stated that standards should be
written to evolve with future technologies, including new methods of
confirmation that may arise from technological changes in auditing in
the future. A few commenters stated that the 2022 Proposal provided
flexibility to respond to the current use of technology in the audit
process, or left enough room for judgment-based application for further
advances in technology. In comparison, some commenters stated that the
proposed standard was not sufficiently forward-looking. Several
commenters cautioned against more explicitly addressing the use of
technology (i.e., by adding prescriptive requirements), noting that
doing so might not allow the standard to age effectively with time and
innovation.
Several commenters broadly expressed support for the Board's goal,
as described in the 2022 Proposal, of improving the quality of audit
evidence obtained by auditors when using confirmation. One of these
commenters stated that it was critical that confirmation requests are
properly designed and that confirmation responses are appropriately
evaluated, especially when there are confirmation exceptions or
concerns about their reliability. In addition, other commenters
generally expressed
support for the proposed requirements and stated they would lead to
improvements in audit quality. A number of commenters, primarily firms
and firm-related groups, asserted that certain requirements in the 2022
Proposal were unduly prescriptive and that the final standard should be
more principles-based and risk-based to allow for more auditor
judgment. In comparison, an investor-related group suggested that the
Board remind auditors that, in exercising professional judgment, their
judgments must be reasonable, careful, documented, and otherwise in
compliance with applicable professional requirements.
In adopting the new standard, the Board has considered these
comments on the 2022 Proposal, as well as the comments received on the
2010 Proposal and the 2009 Concept Release. Based on the information
available to the Board--including the current regulatory baseline,
observations from our oversight activities, academic literature, and
comments--the Board believes that investors will benefit from
strengthened and clarified auditing standards in this area. To the
extent that commenters provided comments or expressed concerns about
specific aspects of the proposed revisions to the Board's existing
standard on the auditor's use of confirmation, the Board's
consideration of these comments is discussed further below and
elsewhere in this exhibit. While the Board does not expect that the new
standard will eliminate inspection deficiencies observed in practice,
it is intended to clarify the auditor's responsibilities and align the
requirements for the use of confirmation more closely with the PCAOB's
risk assessment standards.
The new standard also reflects several changes that were made after
the Board's consideration of comments received about the potential
impact of the proposed new standard on auditors, issuers, and
intermediaries. In addition, some commenters called for a broader
alignment of PCAOB standards with standards issued by other standard
setters, namely the International Auditing and Assurance Standards
Board (``IAASB'') and the AICPA's Auditing Standards Board (``ASB''). A
few commenters stated that PCAOB standards should be harmonized with
IAASB standards, in the interest of global comparability, and, in the
view of one commenter, with ASB standards. A few commenters stated that
the Board should provide robust and detailed explanations of
differences between PCAOB standards and the standards of other standard
setters. One commenter indicated that the dual standard-setting
structure in the United States (i.e., the existence of both PCAOB and
ASB standards) creates issues that could erode audit quality.
The Board carefully considered the approaches of other standard
setters when developing the 2022 Proposal, and the new standard
reflects the approach that the Board believes best protects investors
and furthers the public interest. As a result, certain differences will
continue to exist between the Board's new standard and those of other
standard setters, including a number of provisions that the Board
believes are appropriate and consistent with its statutory mandate to
protect the interests of investors and further the public interest.
Discussion of Final Rules
Overview of New Standard
The new standard replaces existing AS 2310 in its entirety. The
provisions of the new standard the Board has adopted are intended to
strengthen existing requirements for the auditor's use of confirmation.
Key aspects of the new standard:
- Include principles-based requirements that are designed to
  apply to all methods of confirmation. The new standard is designed to
  enhance requirements that apply to longstanding methods, such as the
  use of paper-based confirmation requests and responses sent via regular
  mail; methods that involve electronic means of communications, such as
  the use of email or an intermediary to facilitate direct electronic
  transmission of confirmation requests and responses; and methods that
  are yet to emerge, thus encouraging audit innovation.
- Expressly integrate the requirements for the auditor's use
  of confirmation with the requirements of the Board's risk assessment
  standards, including AS 1105. The new standard specifies certain
  risk-based considerations and emphasizes the auditor's responsibilities
  for obtaining relevant and reliable audit evidence when performing
  confirmation procedures.
- Emphasize the use of confirmation procedures in certain
  situations. The new standard adds a new requirement that the auditor
  should perform confirmation procedures for cash held by third parties,
  carries forward an existing requirement that the auditor should perform
  confirmation procedures for accounts receivable, and adds a new
  provision that the auditor may otherwise obtain audit evidence by
  directly accessing information maintained by a knowledgeable external
  source for cash and accounts receivable. In addition, the new standard
  carries forward an existing requirement to consider confirming the
  terms of certain other transactions.
- Address situations in which it would not be feasible for
  the auditor to obtain information directly from a knowledgeable
  external source. The new standard provides that if it would not be
  feasible for the auditor to obtain audit evidence directly from a
  knowledgeable external source for accounts receivable, the auditor
  should perform other substantive audit procedures, including tests of
  details, that involve obtaining audit evidence from external sources
  indirectly.
- Communicate to the audit committee certain audit responses
  to significant risks. Under the new standard, for significant risks
  associated with cash or accounts receivable, the auditor is required to
  communicate with the audit committee when the auditor did not perform
  confirmation procedures or otherwise obtain audit evidence by directly
  accessing information maintained by a knowledgeable external source.
- Reflect the relatively insignificant amount of audit
  evidence obtained when using negative confirmation requests. Under the
  new standard, the use of negative confirmation requests may provide
  sufficient appropriate audit evidence only when combined with other
  substantive audit procedures. The new standard includes examples of
  situations in which the use of negative confirmation requests in
  combination with other substantive audit procedures may provide
  sufficient appropriate audit evidence.
- Emphasize the auditor's responsibility to maintain control
  over the confirmation process. The new standard states that the auditor
  should select the items to be confirmed, send confirmation requests,
  and receive confirmation responses.
- Provide more specific direction for circumstances where
  the auditor is unable to obtain relevant and reliable audit evidence
  through confirmation. The new standard identifies situations where
  other procedures should be performed by the auditor as an alternative
  to confirmation. The new standard also includes examples of alternative
  procedures that individually or in combination may provide relevant and
  reliable audit evidence.
Introduction and Objective
(See paragraphs .01 and .02 of the new standard).
The 2022 Proposal included requirements for the auditor's use of
confirmation. As discussed in the proposal, the confirmation process
involves selecting one or more items to be confirmed, sending a
confirmation request directly to a confirming party, evaluating the
information received, and addressing nonresponses and incomplete
responses to obtain audit evidence about one or more financial
statement assertions. Confirmation is one of the specific audit
procedures described in PCAOB standards that an auditor could perform
when addressing a risk of material misstatement.\26\ As is the case
with other audit procedures, information obtained through confirmation
may support and corroborate management's assertions or it may
contradict such assertions.\27\
---------------------------------------------------------------------------
\26\ See, e.g., AS 1105.14 and .18.
\27\ See AS 1105.02.
---------------------------------------------------------------------------
Under the 2022 Proposal, the auditor's objective in designing and
executing the confirmation process was to obtain relevant and reliable
audit evidence about one or more relevant financial statement
assertions of a significant account or disclosure.\28\ Existing AS 2310
does not include an objective.
---------------------------------------------------------------------------
\28\ An account or disclosure is a significant account or
disclosure if there is a reasonable possibility that the account or
disclosure could contain a misstatement that, individually or when
aggregated with others, has a material effect on the financial
statements, considering the risks of both overstatement and
understatement. See footnote 33 of AS 2110, Identifying and
Assessing Risks of Material Misstatement; paragraph .A10 of AS 2201,
An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------
As discussed below, the Board has modified the introduction and
objective in the proposed standard in several respects.
A number of commenters stated that the objective of the proposed
standard was clear. One commenter stated that the objective should be
to provide requirements and guidance in situations where the auditor,
as a result of its risk-assessment procedures, determines that
confirmation procedures provide an appropriate response to one or more
assertions related to an identified risk of material misstatement.
Another commenter asserted that the objective in the proposed standard
did not result in greater clarity than the proposed objective in the
2010 Proposal and created a wider gap between the PCAOB's standards and
the equivalent standard of the IAASB.
Having considered these comments, the Board has revised the
introduction to provide that the new standard establishes requirements
regarding obtaining audit evidence from a knowledgeable external source
through the auditor's use of confirmation. The introduction further
states that the new standard includes additional requirements regarding
obtaining audit evidence for cash, accounts receivable, and terms of
certain transactions. The Board believes that this language more
clearly aligns with the approach to the auditor's use of confirmation
in the new standard and the inclusion of specific requirements in the
new standard with respect to cash, accounts receivable, and terms of
certain transactions.
In addition, the Board has added the phrase ``from a knowledgeable
external source'' to the objective, such that the new standard provides
that the objective of the auditor in designing and executing the
confirmation process is to obtain relevant and reliable audit evidence
from a knowledgeable external source about one or more relevant
financial statement assertions of a significant account or disclosure.
This language underscores that, when properly designed and executed,
the confirmation process involves obtaining audit evidence regarding
specific items from a knowledgeable external source. A knowledgeable
external source, as referred to in the new standard, generally is a
third party who the auditor believes has knowledge of the information
that may be used as audit evidence. To the extent that this objective
differs from the objective in standards adopted by other standard-
setting bodies on the auditor's use of confirmation, the Board believes
it appropriately reflects the Board's approach in the new standard and
is consistent with its statutory mandate to protect the interests of
investors and further the public interest. The next section of this
exhibit further discusses the relationship of the confirmation process
to the auditor's identification and assessment of, and response to, the
risks of material misstatement.
Relationship of the Confirmation Process to the Auditor's
Identification and Assessment of and Response to the Risks of Material
Misstatement
(See paragraphs .03-.07 of the new standard).
When an auditor uses confirmation, the auditor should be mindful
of, and comply with, the existing obligation to exercise due
professional care in all matters relating to the audit.\29\ Due
professional care requires the auditor to exercise professional
skepticism, which is an attitude that includes a questioning mind and a
critical assessment of audit evidence. Professional skepticism should
be exercised throughout the audit process,\30\ including when
identifying information to confirm, identifying confirming parties,
evaluating confirmation responses, and addressing nonresponses. The
requirements related to exercising professional skepticism, in
combination with requirements in other PCAOB standards, are designed to
reduce the risk of confirmation bias, a phenomenon wherein decision
makers have been shown to actively seek out and assign more weight to
evidence that confirms their hypothesis, and ignore or assign less
weight to evidence that could disconfirm their hypothesis.\31\
---------------------------------------------------------------------------
\29\ See AS 1015, Due Professional Care in the Performance of
Work. The Board currently has a separate standard-setting project to
reorganize and consolidate a group of interim standards adopted by
the Board in Apr. 2003, including AS 1015. See Proposed Auditing
Standard--General Responsibilities of the Auditor in Conducting an
Audit and Proposed Amendments to PCAOB Standards, PCAOB Rel. No.
2023-001 (Mar. 28, 2023).
\30\ See AS 1015.07-.08.
\31\ For a discussion of confirmation bias, see, e.g., Raymond
S. Nickerson, Confirmation Bias: A Ubiquitous Phenomenon in Many
Guises, 2 Review of General Psychology, 175 (1998).
---------------------------------------------------------------------------
The 2022 Proposal described how the proposed standard would work in
conjunction with the PCAOB standards on risk assessment. AS 2110
establishes requirements regarding the process of identifying and
addressing the risks of material misstatement of the financial
statements, and AS 2301, The Auditor's Responses to the Risks of
Material Misstatement, establishes requirements regarding designing and
implementing appropriate responses to the risks of material
misstatement. Fundamental to the PCAOB's risk assessment standards is
the concept that as risk increases, so does the amount of evidence that
the auditor should obtain.\32\ Further, evidence obtained from a
knowledgeable external source generally is more reliable than evidence
obtained only from internal company sources.\33\
---------------------------------------------------------------------------
\32\ See AS 1105.05.
\33\ See AS 1105.08.
---------------------------------------------------------------------------
Where the auditor uses confirmation as part of the auditor's
response, the 2022 Proposal addressed the auditor's responsibilities
for designing and executing the confirmation process to obtain relevant
and reliable audit evidence. When properly designed and executed, the
confirmation process can be an effective and efficient way of obtaining
relevant and reliable external audit evidence, including in situations
where the auditor identifies an elevated risk of material misstatement
due to error or fraud.
The 2022 Proposal also recognized that performing confirmation
procedures can effectively and efficiently provide evidential matter
about certain financial statement assertions, including existence,
occurrence, completeness, and rights and obligations. For example,
confirmation may provide audit evidence related to the existence of
cash, accounts receivable, and financial instruments, or the
completeness of debt. However, the confirmation process generally
provides less relevant evidence about the valuation assertion (e.g.,
the confirming party may not intend to repay in full the amount owed,
or the custodian may not know the value of shares held in custody).
Confirmation could also be used to obtain audit evidence about the
terms of contractual arrangements (e.g., by verifying supplier
discounts or concessions, corroborating sales practices, or
substantiating oral arrangements and guarantees). Information in
confirmation responses may indicate the existence of related parties,
or relationships or transactions with related parties, previously
undisclosed to the auditor.
The Board also observed in the 2022 Proposal that, in some
situations, an auditor may determine that evidence obtained through
confirmation may constitute sufficient appropriate audit evidence for a
particular assertion, while in other situations performing other audit
procedures in addition to confirmation may be necessary to obtain
sufficient appropriate audit evidence. For example, for significant
unusual sales transactions and the resulting accounts receivable
balances, an auditor might confirm significant terms of the
transactions and the receivable balances with the transaction
counterparties and perform additional substantive procedures, such as
examination of shipping documents and subsequent cash receipts.
Determining the nature, timing, and extent of confirmation procedures,
and any other additional audit procedures, is part of designing and
implementing the auditor's response to the assessed risk of material
misstatement.
The Board adopted the provisions in the 2022 Proposal that address
the relationship of the confirmation process to the auditor's
identification and assessment of and response to the risks of material
misstatement, with certain modifications discussed below.
Overall, commenters expressed support for aligning the proposed
standard on confirmation with the PCAOB's existing risk assessment
standards. Several commenters stated that they had not identified
changes needed to the proposed standard to align further with the
PCAOB's risk assessment standards. Other commenters, as discussed
below, called for various changes to the proposed provisions:
Several commenters suggested that there could be further
alignment of the 2022 Proposal with the risk assessment standards to
enable the level of risk to drive the nature of the audit response. A
number of commenters asserted that the 2022 Proposal included certain
prescriptive requirements for the confirmation process, regardless of
the assessed level of risk, and that those provisions could detract
from the auditor's ability to apply professional judgment to determine
the appropriate audit response. Consistent with the objective of the
new standard, the requirements under the new standard apply to a
significant account or disclosure.\34\ The new standard thus does not
establish a presumption to confirm cash or accounts receivable if the
auditor has not determined cash or accounts receivable to be a
significant account. The auditor may choose to perform confirmation
procedures, however, in situations other than those specifically
addressed in paragraphs .24 through .30 of the new standard. The new
standard does not otherwise prescribe the timing or extent of
confirmation procedures, which are discussed as part of the auditor's
response to the risks of material misstatement in AS 2301.
---------------------------------------------------------------------------
\34\ AS 2110.59e directs the auditor to identify significant
accounts and disclosures and their relevant assertions.
---------------------------------------------------------------------------
Several commenters stated that paragraphs .06 and .07 of
the proposed standard overly emphasized confirmation as being the most
persuasive substantive audit procedure, with any other procedure
thereby viewed as being less persuasive. One commenter asserted that
the 2022 Proposal appeared to be premised on an assumption that
third-party confirmations represent ``first best'' audit evidence,
regardless of the facts and circumstances. In addition, one commenter
questioned whether the Board intended for confirmation to be used
whenever possible to obtain evidence. Having considered these comments,
the Board has made several changes in the new standard to clarify
certain provisions. In the new standard, the Board has revised
paragraph .06, which discusses obtaining audit evidence from
knowledgeable external sources, to emphasize the source of the audit
evidence, rather than the type of audit procedure performed. The Board
understands that advances in technology, as well as changes in
attitudes towards confirmation (e.g., the potential hesitation of
confirming parties to reply to a confirmation request from auditors
because of the concern of falling victim to a phishing attack), have
led auditors to perform other types of audit procedures that can
provide relevant and reliable external evidence.
Some commenters stated that the proposed standard could
give rise to unrealistic expectations about confirmation procedures
effectively addressing the risk of material misstatement due to fraud
in all circumstances. While the Board does not believe that the new
standard creates an unrealistic expectation about audit evidence
obtained through confirmation, the appropriate focus of the auditor
should be the obligation to obtain relevant and reliable audit
evidence. Accordingly, the Board did not adopt paragraph .07 of the
proposed standard, which had provided that ``in situations involving
fraud risks and significant unusual transactions, audit evidence
obtained through the confirmation process generally is more persuasive
than audit evidence obtained solely through other procedures.''
Several commenters recommended that the standard address
the current and anticipated use of technology to enable auditors to
obtain sufficient appropriate audit evidence through performing audit
procedures other than confirmation. Some commenters provided examples
of using technology-based procedures in lieu of confirmations,
including accessing company balances directly at the relevant financial
institution and testing internal data against external data sources
using audit data analytics. The Board considered these comments in
developing the new standard. In particular, as discussed below, the new
standard includes a presumption for the auditor to confirm cash and
accounts receivable, or otherwise obtain relevant and reliable audit
evidence for these accounts by directly accessing information
maintained by a knowledgeable external source.
One commenter suggested that the note to paragraph .05 of
the proposed standard should also direct the auditor to take into
account internal controls over cash, including segregation of duties,
when there are side agreements to revenue transactions. The Board did
not make this change in the new standard. The Board notes that internal
control considerations are addressed by existing PCAOB standards, which
require obtaining an understanding of the company's controls when
assessing the risk of material misstatement and identifying and testing
certain controls when the auditor plans to rely on controls to respond
to the assessed risk.\35\ The auditor would consider controls over cash
when performing these procedures.
---------------------------------------------------------------------------
\35\ See, e.g., AS 2110 and AS 2301.
---------------------------------------------------------------------------
With respect to the examples of assertions in paragraph
.06 of the proposed standard, one commenter asserted that a final
standard should more fully explain that a confirmation generally serves
to test the assertion of existence, but does not serve to test other
assertions such as valuation, including collectability. The Board did
not incorporate such language in the new standard because it believes
that limiting the use of confirmation to the existence assertion would
be overly prescriptive and might disallow use of confirmation in other
situations where the auditor has determined that confirmation could be
used to obtain relevant and reliable information to test other
assertions.
As discussed below, the Board continues to believe that
confirmation procedures generally would provide relevant and reliable
audit evidence for cash and accounts receivable. Accordingly, under the
new standard the auditor should perform confirmation procedures or
otherwise obtain relevant and reliable audit evidence by directly
accessing information maintained by a knowledgeable external source
when the auditor determines that these accounts are significant
accounts. In addition, the new standard specifies that when the auditor
has identified a significant risk of material misstatement associated
with either a complex transaction or a significant unusual transaction,
the auditor should consider confirming those terms of the transaction
that are associated with a significant risk of material misstatement,
including a fraud risk.
Other Use of Confirmation Procedures. The 2022 Proposal requested
commenters' views on whether there were additional accounts or
financial statement assertions for which the auditor should be required
to perform confirmation procedures. In addition, the 2022 Proposal
requested views on whether the proposal was sufficiently flexible to
accommodate situations where an auditor chooses to confirm information
about newer types of assets (e.g., digital assets based on blockchain
or similar technologies).
Two investor-related groups identified specific types of additional
transactions that should be subject to confirmation, including
transactions (1) with unusual terms and conditions, (2) with related
parties, (3) where the auditor has concern about whether side letters
may exist, (4) where financing is obtained, including bank debt or
supplier-provided financing, (5) involving certain sales practices,
such as bill-and-hold arrangements or supplier discounts or
concessions, (6) involving certain oral arrangements or guarantees, or
(7) involving sales, lending, or liability for custodianship of digital
assets. Another commenter suggested that confirmation of accounts
payable should be considered, but not required, when auditors assess
controls over the recording of liabilities to be ineffective. This
commenter also suggested that the Board state that the use of
confirmation is not limited to the circumstances discussed in the
proposed standard.
In comparison, many firms and firm-related groups stated that the
proposed standard should not prescribe additional presumptive
requirements to use confirmation. These commenters noted that doing so
would be unduly prescriptive. Several commenters stated that the
proposed standard provided for an appropriate amount of auditor
judgment in determining when to perform confirmation procedures in
situations other than those specifically addressed in the standard. In
addition, several commenters indicated that the 2022 Proposal offered
sufficient flexibility to accommodate situations where an auditor
confirms information about newer types of assets.
Several commenters asserted that the effectiveness of confirmation
procedures is negatively affected by the fact that third parties are
not obligated, under legislation or regulation, to reply to an
auditor's confirmation request.
The new standard does not specify additional accounts or
transactions for which confirmation procedures are presumptively
required beyond those in the 2022 Proposal. The PCAOB's risk assessment
standards are foundational and are used by the auditor to determine the
appropriate response to identified risks of material misstatement. The
Board believes that confirmation can be an important tool for
addressing certain risks for cash and accounts receivable, and for
obtaining audit evidence about other financial relationships, and
certain terms of complex transactions or significant unusual
transactions, as discussed below. However, identifying additional
accounts or scenarios that require the auditor to use confirmation,
without regard to the specific facts and circumstances of the audit
including the assessed risk of material misstatement and whether other
audit procedures would provide sufficient appropriate audit evidence,
would be overly prescriptive.
The auditor's responsibilities relevant to the use of confirmation
are also addressed in several other PCAOB standards. AS 2315, Audit
Sampling, which discusses planning, performing, and evaluating audit
samples, is used if the auditor uses sampling in the confirmation
process. AS 2510, Auditing Inventories, addresses confirmation of
inventories in the hands of public warehouses or other outside
custodians. Additionally, the new standard does not address auditor
responsibilities regarding inquiries concerning litigation, claims, and
assessments, which are addressed in AS 2505, Inquiry of a Client's
Lawyer Concerning Litigation, Claims, and Assessments.
Designing Confirmation Requests
(See paragraphs .08-.13 of the new standard).
A properly designed and executed confirmation process may provide
relevant and reliable audit evidence. Auditor responsibilities
regarding designing a confirmation request are described in paragraphs
.08-.13, as follows:
• Paragraph .08 discusses identifying information to confirm;
• Paragraphs .09 through .11 discuss identifying the confirming
parties for confirmation requests; and
• Paragraphs .12 through .13 discuss using negative confirmation
requests.
The new standard does not prescribe a particular format for a
confirmation request. For example, requests could be paper-based or
electronic, specifying the information to be confirmed or providing a
blank response form, or sent with or without the involvement of an
intermediary that facilitates electronic transmission. As a practical
matter, the auditor determines the format of a confirmation request to
increase the likelihood that the request is received and clearly
understood by the confirming party, taking into consideration, among
other things, the facts and circumstances of the company and the
confirming party.
Identifying Information To Confirm
The 2022 Proposal provided that the auditor should, as part of
designing confirmation requests, identify information related to the
relevant assertions that the auditor plans to verify with confirming
parties or (when using a blank form) obtain from confirming parties.
Such information
could include transaction amounts, transaction dates, significant terms
of transactions, and balances due to or from the confirming party as of
a specific date. In addition, the 2022 Proposal discussed that using a
blank confirmation request generally provides more reliable audit
evidence than using a confirmation request that includes information
the auditor is seeking to confirm (e.g., a customer account balance).
In the latter scenario, it is possible that a confirming party could
agree to the information without verifying it against the confirming
party's records.
The Board adopted the proposed requirement relating to identifying
information to confirm with certain modifications discussed below.
Several commenters indicated that the provisions of the 2022
Proposal related to identifying information to confirm were clear and
appropriate. A few commenters requested retaining a statement analogous
to a statement in existing AS 2310 to emphasize in the standard that
responding to blank form confirmation requests generally requires
additional effort, which might lower the response rates and lead
auditors to perform alternative procedures. One commenter expressed
concern that fraudsters could use fake confirmation requests and, in
particular, fake blank form confirmation requests, to defraud bank
customers (e.g., by soliciting their bank details).
Existing AS 2310 includes details regarding the form of
confirmation requests, which includes general information regarding
blank form positive confirmation requests. This information has been
included in the new standard in a note to paragraph .08. Further, after
considering the comments received, the new standard includes language
not included in the proposed standard that is similar to language in
existing AS 2310. This language explains that responding to blank form
confirmation requests generally requires additional effort, which might
lower the response rates and lead auditors to perform alternative
procedures for more selected items. Despite the possibility of lower
response rates, responses to blank form confirmation requests may
provide more reliable audit evidence than responses to confirmation
requests using pre-filled forms.
Paragraph .17 of the proposed standard also included a reminder of
an existing requirement in AS 1105.10, pursuant to which the auditor
should test the accuracy and completeness of information produced by
the company that the auditor uses as audit evidence. The reminder
emphasized that, in the confirmation process, the requirement in AS
1105.10 applies to the information produced by the company (e.g.,
populations from which items are selected for confirmation, such as
detailed account listings, vendor listings, and contractual agreements)
that the auditor uses in selecting the items to confirm.
Several firms and firm-related groups indicated that the existing
requirement in AS 1105.10 for the auditor to evaluate information
produced by a company as audit evidence was sufficient and that
paragraph .17 of the proposed standard was duplicative. A few
commenters stated that confirmation requests are often designed to test
the accuracy of a given account balance or disclosure and, accordingly,
that the requirement should only focus on testing completeness.
Finally, a few commenters suggested that the standard, consistent with
AS 1105.10, should allow for the auditor to test controls over the
accuracy and completeness of information produced by the company that
the auditor uses in selecting items to confirm.
After considering these comments, in order to avoid duplication
with other PCAOB standards, the new standard does not include paragraph
.17 of the proposed standard.
Identifying Confirming Parties for Confirmation Requests
The 2022 Proposal provided that, to obtain reliable audit evidence
from the confirmation process, the auditor should direct the
confirmation requests to third parties (individuals or organizations)
who are knowledgeable about the information to be confirmed. That
provision was similar to existing AS 2310.26, which directs the auditor
to send confirmation requests to third parties who the auditor believes
are knowledgeable about the information to be confirmed, such as a
counterparty who is knowledgeable about a transaction or arrangement.
When designing confirmation requests, an auditor may become aware
of information about a potential confirming party's motivation,
ability, or willingness to respond, or about the potential confirming
party's objectivity and freedom from bias with respect to the audited
entity. Because this type of information can affect the reliability of
audit evidence provided by the confirming party to the auditor, the
2022 Proposal, similar to existing AS 2310.27, provided that the
auditor should consider any such information that comes to the
auditor's attention when selecting the confirming parties. The note to
paragraph .19 of the proposed standard further emphasized that such
information may indicate that the potential confirming party has
incentives or pressures to provide responses that are inaccurate or
otherwise misleading.\36\
---------------------------------------------------------------------------
\36\ See also paragraph .10 of AS 2401, Consideration of Fraud
in a Financial Statement Audit (stating that fraud may be concealed
through collusion among management, employees, or third parties, and
that an auditor may receive a false confirmation from a third party
that is in collusion with management); SAPA No. 8 at 12 (stating
that, when using confirmation to address fraud risks in emerging
markets, ``the auditor should evaluate who the intended recipient of
the confirmation request is and whether the company's management has
an influence over this individual to provide false or misleading
information to the auditor'' and that ``[f]or example, if the
company is the only or a significant customer or supplier of the
confirming entity, the staff of that entity may be more susceptible
to pressure from the company's management to falsify documentation
provided to the auditor'').
---------------------------------------------------------------------------
The 2022 Proposal also provided that the auditor should consider
the source of any such information. For example, if management
indicates to the auditor that a potential confirming party is unlikely
to respond to a confirmation request, management may have other reasons
to avoid a confirmation request being sent (e.g., concealing
management's fraudulent understatement of the amount the company owes
to that party).
In addition, the 2022 Proposal provided more specific direction
than existing AS 2310 for situations in which the auditor is unable to
identify a confirming party who, in response to a confirmation request,
would provide relevant and reliable audit evidence about a selected
item. In such a scenario, the 2022 Proposal prescribed that the auditor
should perform alternative procedures.
The 2022 Proposal also provided that the auditor should determine
that confirmation requests are properly addressed, thus increasing the
likelihood that they are received by the confirming party. The 2022
Proposal did not prescribe the nature or extent of procedures to be
performed by the auditor when making this determination, thereby
allowing the auditor to tailor the procedures to the facts and
circumstances of the audit. For example, in practice, some auditors
compare some or all confirming party addresses, which are typically
provided by the company, to physical addresses or email domains
included on the confirming party's website.
Alternatively, when using an intermediary to facilitate direct
electronic transmission of confirmation requests and responses,
Appendix B of the proposed standard required the
auditor to obtain an understanding of the intermediary's controls that
address the risk of interception and alteration of the confirmation
requests and responses and determine whether the relevant controls used
by the intermediary are designed and operating effectively. The Board
noted in the 2022 Proposal that, where an auditor determines that
controls that address the risk of interception and alteration also
include controls related to validating the addresses of confirming
parties, the auditor may be able to determine that audit procedures
performed in accordance with Appendix B are sufficient to determine
that confirmation requests are properly addressed. In situations where
the auditor determines that the intermediary's controls that address
the risk of interception and alteration do not also include controls
related to validating the addresses of confirming parties, the Board
also noted that the auditor would need to perform other procedures to
comply with the requirements of the proposed standard.
The Board adopted the requirements relating to identifying
confirming parties for confirmation requests as proposed, with certain
modifications discussed below.
Several commenters indicated that the provisions of the proposed
standard related to identifying confirming parties were sufficiently
clear and appropriate. One commenter indicated that the Board should
require the auditor to send confirmation requests directly to an
individual, rather than allow the auditor to choose between sending the
request either to an individual or an organization. In this commenter's
view, sending a confirmation request directly to an individual could
increase the reliability of audit evidence obtained through the
confirmation process. One commenter indicated that the Board should
amend paragraph .18 of the proposed standard to read ``the auditor
should direct confirmation requests to confirming parties (individuals
or organizations) who are expected to be knowledgeable about the
information to be confirmed and determine that the confirmation
requests are appropriately addressed.''
Because auditors often may have no or limited interaction with the
personnel of confirming organizations, they may not be able to select
an individual addressee for the confirmation request. As a result, the
Board believes that allowing the auditor to address a confirmation
request to an organization that is knowledgeable about the information
to be confirmed is practicable and appropriate. Paragraph .20 of the
proposed standard stated that the auditor should perform alternative
procedures when the auditor is unable to identify a confirming party
who, in response to a confirmation request, would provide relevant and
reliable audit evidence about the selected item.
The Board has modified this language, which appears in paragraph
.11 of the new standard, to emphasize that if the auditor is unable to
identify a confirming party for a selected item who would provide
relevant and reliable audit evidence in response to a confirmation
request, including considering any information about the potential
confirming party discussed in paragraph .10, the auditor should perform
alternative procedures in accordance with Appendix C. In addition, the
Board has added a note to paragraph .11 of the new standard to
reiterate that AS 1105.08 provides that the reliability of evidence
depends on the nature and source of the evidence and the circumstances
under which it is obtained.
These revisions are intended to underscore that auditors should
consider information that may indicate that a potential confirming
party has incentives or pressures to provide responses that are
inaccurate or misleading, and remind auditors that the reliability of
audit evidence depends not only on its nature and source, but also the
circumstances under which it is obtained. For example, restrictions on
access to a potential confirming party that cause the auditor to
identify and send a confirmation request to a different confirming
party or to perform alternative procedures may themselves raise
questions as to the reliability of the audit evidence that the auditor
subsequently obtains from the other confirming party or through
performing alternative procedures. In addition, the revisions to
paragraph .11 clarify that the paragraph applies to a confirming party
for an individual item selected for confirmation, rather than more
broadly to a group of confirming parties that might provide audit
evidence with respect to relevant assertions for an entire account,
such as accounts receivable.
Several commenters on the 2022 Proposal also indicated that the
requirement to send a confirmation request directly to the confirming
party and determine that the request is properly addressed was
sufficiently clear and appropriate. One of these commenters indicated
that the standard should address procedures to verify the recipient's
mailing or email address while the other commenters indicated there was
no need to include specific procedures in the standard. Another
commenter requested more guidance around verifying email addresses. One
commenter indicated that there should be no specific requirement to
check addresses, as such a requirement would not, in the commenter's
view, deter those intent on deceiving auditors. Lastly, one commenter
requested clarification as to whether an auditor should send either an
initial confirmation request or a second request when the auditor is
aware of information that indicates that the confirming party would be
unlikely to respond.
The Board continues to believe that requiring auditors to determine
that confirmation requests are appropriately addressed is critically
important to the effectiveness of the confirmation process. The Board
has noted above some of the ways in which an auditor might comply with
this requirement but is not including such examples in the text of the
new standard to avoid the possible misinterpretation that the examples
describe the only steps an auditor could take in determining whether a
confirmation request is properly addressed.
With respect to one commenter's suggestion that the Board clarify
whether an auditor should send a confirmation request if the auditor is
aware of information indicating that the confirming party would not
respond, the Board believes the new standard is sufficiently clear.
Paragraph .10 of the new standard states, in part, that if the auditor
is aware of information about a potential confirming party's
``willingness to respond,'' the auditor should consider this
information, including its source, in selecting the confirming parties.
Further, paragraph .11 of the new standard states that, if the auditor
is unable to identify a confirming party for a selected item who would
provide relevant and reliable audit evidence in response to a
confirmation request, the auditor should perform alternative procedures
for the selected item in accordance with Appendix C of the new
standard.
Using Negative Confirmation Requests
There are ``positive'' and ``negative'' types of confirmation
requests. A positive confirmation request is a confirmation request in
which the auditor requests a confirmation response. With a negative
confirmation request, the auditor requests a confirmation response only
if the confirming party disagrees with the information provided in the
request. The auditor generally obtains significantly less audit
evidence when
using negative confirmation requests than when using positive
confirmation requests. A confirming party might not respond to a
negative confirmation request because it did not receive or open the
request, or alternatively the confirming party might have read the
request and agreed with the information included therein.
Because of the limited evidence provided when using negative
confirmation requests, the 2022 Proposal provided that the auditor may
not use negative confirmation requests as the sole substantive
procedure for addressing the risk of material misstatement to a
financial statement assertion. Instead, the 2022 Proposal provided that
the auditor may use negative confirmation requests only to supplement
audit evidence provided by other substantive procedures (e.g.,
examining subsequent cash receipts, including comparing the receipts
with the amounts of respective invoices being paid; examining shipping
documents; examining subsequent cash disbursements; or sending positive
confirmation requests). In addition, Appendix B to the proposed
standard provided examples of situations in which the use of negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence. In contrast, under existing AS 2310, the auditor may use
negative confirmation requests where certain criteria are present and
should consider performing other substantive procedures to supplement
their use.
The Board adopted the requirements for using negative confirmation
requests as proposed. Most commenters on this aspect of the 2022
Proposal expressed support for the proposed prohibition on using
negative confirmation requests as the sole substantive procedure, with a
number of commenters stating that negative confirmation requests alone
do not provide sufficient appropriate audit evidence.
Another commenter suggested that the word ``generally'' should be
removed from paragraph .21 of the proposed standard to emphasize that a
negative confirmation is not as persuasive as a positive confirmation.
This commenter indicated that, in situations where the use of negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence, auditors should be required to specifically document their
consideration of certain examples included in paragraph .B1 of the
proposed standard.
Lastly, a few commenters indicated that additional guidance on the
use of negative confirmations, and specifically on the use of
substantive analytical procedures to supplement the use of negative
confirmations, was needed while another commenter indicated that the
examples in Appendix B would assist auditors in applying the
requirements related to the use of negative confirmation requests.
After considering the comments on the 2022 Proposal, the Board has
determined that the requirements in the 2022 Proposal relating to the
use of negative confirmation requests are both appropriate and
sufficiently clear. For ease of reference, the examples of situations
in which the use of negative confirmation requests, in combination with
the performance of other substantive audit procedures, may provide
sufficient appropriate audit evidence now appear in paragraph .13 of
the new standard rather than Appendix B. The Board is not including in
the new standard additional examples of other substantive procedures
that may be used to supplement negative confirmation requests, as some
commenters had suggested. While such procedures may be appropriate in
some circumstances, including such examples in the new standard could
be misperceived as establishing a formal checklist, whereas determining
the necessary nature, timing, and extent of audit procedures that
provide sufficient appropriate audit evidence would depend on the facts
and circumstances of each audit.
Paragraph .12 of the new standard retains the word ``generally''
(i.e., ``[g]enerally, the auditor obtains significantly less audit
evidence when using negative confirmation requests than when using
positive confirmation requests'') to acknowledge that in some
circumstances using positive confirmations may not provide the auditor
with the amount of evidence that the auditor planned to obtain (e.g.,
if the auditor does not receive responses to some or all positive
confirmation requests).
Maintaining Control Over the Confirmation Process
(See paragraphs .14-.17 and .B1-.B2 of the new standard).
The Requirement for the Auditor To Maintain Control Over the
Confirmation Process
The 2022 Proposal included a provision, consistent with AS 2310,
that the auditor should maintain control over the confirmation process
to minimize the likelihood that information exchanged between the
auditor and the confirming party is intercepted and altered. This is
because the reliability of audit evidence provided by confirmation
depends in large part on the auditor's ability to control the integrity
of confirmation requests and responses. The 2022 Proposal also provided
that, as part of maintaining control, the auditor should send
confirmation requests directly to the confirming party and receive
confirmation responses directly from the confirming party.
The Board adopted the requirements for maintaining control over the
confirmation process as proposed, with one modification.
Commenters on this topic largely agreed that the auditor should
maintain control over the confirmation process. One commenter stated
that setting forth the requirement to maintain control over the
confirmation process and the requirement to send confirmation requests
directly to the confirming party in separate paragraphs might suggest
that there are different responsibilities for the auditor. This
commenter recommended combining the requirements to clarify that the
auditor's responsibility is to send the confirmation directly while
maintaining control of the process.
After considering the comments on the 2022 Proposal, the Board has
determined that the proposed requirements are both appropriate and
sufficiently clear, and adopted them as proposed, with the addition of
a new paragraph that clarifies how an external auditor can use internal
auditors in a direct assistance capacity as part of the confirmation
process, as further discussed below. Paragraph .14 of the new standard
establishes the auditor's responsibility for maintaining control over
the confirmation process, and the other paragraphs in this section of
the new standard specify auditor responsibilities regarding certain
aspects of maintaining control, as discussed below. For example,
consistent with the definition of ``confirmation process,'' \37\
paragraph .15 of the new standard requires that the auditor select the
items to be confirmed, send the confirmation requests and receive the
confirmation responses.
Selecting an item involves the auditor identifying the information to
be included on the confirmation request. Paragraph .16 of the new
standard specifies that maintaining control over the confirmation
process by the auditor involves sending the confirmation request
directly to and obtaining the confirmation response directly from the
confirming party.
---------------------------------------------------------------------------
\37\ The term ``confirmation process'' is defined in paragraph
.A3 of the new standard as ``[t]he process that involves selecting
one or more items to be confirmed, sending a confirmation request
directly to a confirming party, evaluating the information received,
and addressing nonresponses and incomplete responses to obtain audit
evidence about one or more financial statement assertions.''
---------------------------------------------------------------------------
Using an Intermediary To Facilitate Direct Electronic Transmission of
Confirmation Requests and Responses
Background and Requirements
As discussed above, certain financial institutions and other
companies have adopted the policy of responding to electronic
confirmation requests from auditors only through another party that
they, or the auditor, engage as an intermediary to facilitate the
direct transmission of information between the auditor and the
confirming party. The Board understands that such policies are intended
to facilitate the timeliness and quality of confirmation responses
provided by the confirming party to the auditor.
While the involvement of intermediaries is not discussed in
existing AS 2310, the use of an intermediary does not relieve the
auditor of the responsibility under PCAOB standards to maintain control
over confirmation requests and responses. Because an intermediary's
involvement may affect the integrity of information transmitted between
the confirming party and the auditor, the 2022 Proposal provided that
the auditor should evaluate the implications of such involvement for
the reliability of confirmation requests and responses. Specifically,
paragraphs .B2 and .B3 of the proposed standard provided that:
- The auditor's evaluation should address certain aspects of
  the intermediary's controls that address the risk of interception and
  alteration of communications between the auditor and the confirming
  party;
- The auditor's evaluation should assess whether
  circumstances exist that give the company the ability to override the
  intermediary's controls (e.g., through financial or other
  relationships); and
- The auditor should not use an intermediary if information
  obtained by the auditor indicates that (i) the intermediary has not
  implemented controls that are necessary to address the risk of
  interception and alteration of the confirmation requests and responses,
  (ii) the necessary controls are not designed or operating effectively,
  or (iii) circumstances exist that give the company the ability to
  override the intermediary's controls.
The Board adopted the proposed requirements substantially as
proposed, with certain modifications discussed below.
A few commenters on the 2022 Proposal indicated that it is not
clear what an ``intermediary'' is and requested clarification. The
Board is not adding a definition of the term ``intermediary'' in the
new standard as it simply intends to use the term in describing a
particular scenario under the new standard where a third party is
engaged by the auditor or a confirming party to facilitate direct
electronic transmission of confirmation requests and responses between
the auditor and the confirming party. The Board believes that its
intent in using the term ``intermediary'' is sufficiently clear.
Overall, several commenters indicated that the requirements in the
2022 Proposal to evaluate the implications of using an intermediary to
facilitate direct electronic transmission of confirmation requests and
responses were appropriate. However, as discussed below, a number of
these commenters and other commenters stated that additional clarity
may be required to ensure that the proposed revisions are operational
in practice, or otherwise requested additional guidance. Conversely, a
few commenters expressed the view that requirements in the 2022
Proposal regarding the implications of using an intermediary were not
appropriate or sufficiently clear. One of those commenters asserted
that the requirement to assess the intermediary would result in
significant additional work for auditors and that it is not currently
common practice to directly assess intermediaries in this manner. As
discussed in Section IV of the 2022 Proposal, firm methodologies
reviewed by the staff generally include guidance on maintaining control
over the confirmation process, using intermediaries to facilitate the
electronic transmission of confirmation requests and responses, and
assessing controls at the intermediaries. The evidence from the PCAOB
staff's review does not suggest that the requirements in Appendix B of
the new standard would create significant additional work for auditors,
nor did the commenters provide evidence to the contrary.
Separately, as the 2022 Proposal provided that the auditor should
not use an intermediary if information obtained by the auditor
indicates that certain conditions are present, several commenters
stated that the presence of indicators would not necessarily mean that
the intermediary is not fit for use. For example, these commenters
stated that in a situation where an intermediary's control is not
designed or operating effectively, an auditor may be able to obtain an
understanding of whether a specific control failure impacts the
confirmation process and perform tests of other controls or other
procedures at the intermediary to address the control failure.
Having considered the comments, the Board is clarifying in
paragraph .B2 of the new standard that the auditor should not use an
intermediary to send confirmation requests or receive confirmation
responses if the auditor determines that (1) the intermediary has not
implemented controls that are designed or operating effectively to
address the risk of interception and alteration of the confirmation
requests and responses and the auditor cannot address such risk by
performing other procedures beyond inquiry, or (2) circumstances exist
that give the company the ability to override the intermediary's
controls. In the 2022 Proposal, the prohibition was based on an
indication, rather than determination, that such circumstances exist.
For example, when performing an evaluation required by paragraphs
.17 and .B1 of the new standard, an auditor could obtain a SOC report
stating that a particular access control at an intermediary is not
designed or operating effectively. The auditor may then be able to
identify and test other controls that could mitigate the control
failure described in the SOC report. In this scenario, if the auditor
determines that the identified controls are designed and operating
effectively and mitigate the control failure, or the auditor has
performed other procedures such as obtaining computer systems event
logs generated by the intermediary that provide evidence there was no
unauthorized access during the relevant period, the information in the
SOC report would not necessarily mean that the auditor
is not allowed to use the intermediary under the new standard.
In addition, several commenters asserted that, if an auditor were
not allowed to use an intermediary under proposed paragraph .B3 and the
confirming party had a policy requiring the use of an intermediary for
receiving and responding to auditor confirmation requests, an auditor
may be unable to comply with the proposed requirement to confirm cash,
even if relevant and reliable audit evidence were otherwise available.
Considering these comments, the Board has modified paragraph .B2 of the
new standard to state that in
circumstances where the auditor, under paragraph .B2, should not use an
intermediary to send confirmation requests or receive confirmation
responses, the auditor should send confirmation requests without the
use of an intermediary or, if unable to do so, perform alternative
procedures in accordance with Appendix C of the new standard. The Board
believes that this modification and the adoption of a provision
regarding obtaining audit evidence by directly accessing information
maintained by a knowledgeable external source (see discussion below),
address commenters' concerns that an auditor may not be able to comply
with the requirement to confirm cash.
Certain commenters asked for additional guidance on what procedures
an auditor should or could perform to comply with the requirements in
Appendix B. Having considered these comments, the Board determined that
the new standard, consistent with the 2022 Proposal, will not specify
how the auditor should perform the particular procedures required by
paragraphs .B1 and .B2 regarding evaluating the implications of using
an intermediary. The new standard thus allows auditors to customize
their approach based on the facts and circumstances of the audit
engagement and the audit firm. For example, in obtaining an
understanding of the intermediary's controls that address the risk of
interception and alteration of confirmation requests and responses and
determining whether they are designed and operating effectively, the
auditor could (i) use, where available, a SOC report that evaluates the
design and operating effectiveness of the relevant controls at the
intermediary; or (ii) test the intermediary's controls that address the
risk of interception and alteration directly.\38\
---------------------------------------------------------------------------
\38\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
Some commenters asked for guidance related to an acceptable window
of time to be covered by ``bridge letters.'' \39\ Where an auditor uses
an independent service auditor's report on a service organization's
controls, such procedures may involve using a bridge letter. The new
standard does not specify an appropriate window of time to be covered
by a bridge letter or a permissible window of time between the date
covered by a bridge letter and the period when the auditor uses the
intermediary to facilitate direct electronic transmission of
confirmation requests and responses. Auditors should use their
professional judgment based upon the facts and circumstances of the
audit to determine the nature of procedures required to comply with
paragraph .B1 of the new standard, including the note to paragraph
.B1(b).
---------------------------------------------------------------------------
\39\ Some intermediaries provide a ``bridge letter'' or ``gap
letter'' issued by the independent service auditor that addresses
the period from the date of the service auditor's SOC report through
a subsequent date, typically the most recent calendar year end.
---------------------------------------------------------------------------
One commenter stated that paragraph .B2(b) of the proposed standard
should have a specific documentation requirement. The Board believes
that adding a specific documentation requirement is not necessary, as
the auditor is required to document compliance with PCAOB standards
under existing documentation requirements.\40\
---------------------------------------------------------------------------
\40\ See, e.g., paragraph .05 of AS 1215, Audit Documentation.
---------------------------------------------------------------------------
Lastly, the new standard modifies the language of the 2022 Proposal
to provide in the note to paragraph .B1(b) of the new standard that, if
the auditor performs procedures to determine that the controls used by
the intermediary to address the risk of interception and alteration are
designed and operating effectively at an interim date, the auditor
should evaluate whether the results of the procedures can be used
``during the period in which the auditor uses the intermediary''--
rather than at ``period end,'' as described in the proposed standard--
or whether additional procedures need to be performed to update the
results. The Board believes that the modified provision more accurately
describes the timeframe during which the results of the procedures may
be used by an auditor. In addition, the modified provision clarifies
that the auditor should consider the nature and extent of any changes
in the intermediary's process and controls during the period between
the auditor's procedures and the period the auditor uses the
intermediary.
Interaction of New Standard and Proposed QC 1000
In November 2022 the Board issued for public comment a proposed
quality control standard, referred to as proposed QC 1000, A Firm's
System of Quality Control.\41\ Proposed QC 1000 addresses resources
used by a registered public accounting firm that are sourced from
third-party providers. An intermediary that facilitates direct
electronic transmission of confirmation requests and responses is one
example of a ``third-party provider'' under proposed QC 1000.
---------------------------------------------------------------------------
\41\ See A Firm's System of Quality Control and Other Proposed
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No.
2022-006 (Nov. 18, 2022).
---------------------------------------------------------------------------
Under proposed QC 1000, a firm would consider the nature and extent
of resources or services obtained from third-party providers in its
risk assessment process and whether the use of third-party providers
poses any quality risks to the firm in achieving its quality
objectives. One of the required quality objectives relates to obtaining
an understanding of how such resources or services are developed and
maintained and whether they need to be supplemented and adapted as
necessary, such that their use enables the performance of the firm's
engagements in accordance with applicable professional and legal
requirements and the firm's policies and procedures.\42\
---------------------------------------------------------------------------
\42\ See paragraph .44.j of proposed QC 1000.
---------------------------------------------------------------------------
As noted above, the proposed standard on the auditor's use of
confirmation included specific procedures related to the use of an
intermediary, which included obtaining an understanding of the
intermediary's controls that address the risk of interception and
alteration of a confirmation request and response and determining
whether such controls are designed and operating effectively.
A few commenters on the 2022 Proposal observed that firms may
obtain and evaluate SOC reports centrally, rather than requiring that
individual engagement teams obtain and evaluate the reports. One of
these commenters suggested clarifying in the standard that the
evaluations required by Appendix B may be performed, and the
documentation may be retained centrally, as part of the firm's quality
control system. Another of these commenters suggested that the
requirements related to the use of an intermediary be removed entirely
from the proposed confirmation standard and instead be dealt with
solely in the proposed quality control standards. One commenter stated
that, depending on the identified quality risks, procedures performed
in accordance with QC 1000 need not align with the financial statement
period-end of each audit engagement performed by the firm, which the
commenter asserted was implied by paragraph .B2(b) and a related note
in the proposed standard. Lastly, a few commenters indicated that it
would be beneficial to explicitly link the provisions of the
confirmation standard regarding the use of an intermediary with QC
1000.
Having considered these comments, the Board believes that the
requirements in the new standard related to the auditor's use of
intermediaries, with the modifications discussed above to the
requirements in the proposed standard, are sufficiently clear and
appropriate. The auditor's evaluation of the intermediary's controls
could be performed by an engagement team, an audit firm's national
office, or a combination of both. Where the national office performs
procedures relating to the intermediary (either as part of the firm's
quality control activities or specifically to comply with the new
standard), the engagement team would still need to consider the
procedures performed by the national office and include in its audit
documentation considerations specific to the individual audit
engagement. For example, if a national office evaluated an
intermediary's controls at an interim date, the engagement team would
need to, in accordance with the note accompanying paragraph .B1(b) of
the new standard, evaluate whether the results of the interim
procedures could be used during the period in which the auditor uses
the intermediary to facilitate direct electronic transmission of
confirmation requests and responses or whether they needed to be
updated.
Using Internal Audit in the Confirmation Process
The 2022 Proposal identified certain activities in the confirmation
process where the auditor may not use the assistance of the company's
internal audit function. Under the 2022 Proposal, the auditor was not
permitted to use internal auditors for selecting items to be confirmed,
sending confirmation requests, and receiving confirmation responses,
because using internal audit in a direct assistance capacity for such
activities would not be consistent with the auditor's responsibility to
maintain control over the confirmation process.
Existing AS 2310 does not include analogous provisions. It states
instead that the auditor's need to maintain control does not preclude
the use of internal auditors and that AS 2605, Consideration of the
Internal Audit Function, provides guidance on considering the work of
internal auditors and on using internal auditors to provide direct
assistance to the auditor.\43\
---------------------------------------------------------------------------
\43\ See footnote 3 of AS 2310.
---------------------------------------------------------------------------
The Board adopted the proposed requirements substantially as
proposed, with certain modifications discussed below.
A number of commenters, including investor-related groups, firms,
and firm-related groups, agreed with the requirements proposed in the
2022 Proposal as being in line with the auditor's responsibility to
maintain control over the confirmation process. Additionally, a few
commenters observed that it is not current practice for auditors to use
internal audit in a direct assistance capacity for selecting items to
be confirmed, sending confirmation requests, or receiving confirmation
responses and, therefore, that the requirements in the 2022 Proposal
would not result in a significant change in practice. Conversely, one
commenter stated that the proposed restrictions would impact current
practice as it relates to direct assistance.
A significant number of commenters, including internal auditors and
companies with internal audit functions, took exception to the
provision in the 2022 Proposal to limit the external auditor's use of
internal auditors in a direct assistance capacity in the confirmation
process, and in some instances asserted that such limitations would be
inconsistent with AS 2605. Many of these commenters also challenged the
statement in the 2022 Proposal that ``[i]nvolving internal auditors or
other company employees in these activities [selecting items to be
confirmed, sending confirmation requests, and receiving confirmation
responses] would create a risk that information exchanged between the
auditor and the confirming party is intercepted and altered.'' These
commenters asserted that this language called into question internal
auditors' competence, objectivity, and independence. Additionally, a
few commenters expressed concern with the prescriptiveness of the
proposed restrictions on the use of internal auditors in the
confirmation process.
Having considered the comments received, the Board notes that the
discussion in the 2022 Proposal was not intended to cast doubt on the
qualifications, competence, or objectivity of internal auditors.
Internal auditors can and often do play an important role in enhancing
the quality of a company's financial reporting. At the same time, the
Board continues to believe that in order to maintain control over the
confirmation process the auditor should select items to be confirmed,
send confirmation requests, and receive confirmation responses.
In addition, after considering the comments received, the Board is
(i) relocating the requirements related to the auditor's use of
internal audit in the confirmation process to the section of the new
standard on maintaining control over the confirmation process and (ii)
rephrasing the requirements in terms of the auditor's affirmative
responsibilities, by describing procedures the auditor is required to
perform. In contrast, the proposed standard described procedures that
internal auditors were not allowed to perform. As stated in footnote 7
of the new standard, auditors are permitted to use internal auditors in
accordance with AS 2605, except for selecting items to confirm, sending
confirmation requests, and receiving confirmation responses. The new
standard does not impose any new limitations on how the internal
auditors' work may affect the external auditor's audit procedures.\44\
Instead, the new standard clarifies how an external auditor can use
internal auditors in a direct assistance capacity as part of the
confirmation process.\45\
---------------------------------------------------------------------------
\44\ AS 2605.12 states that ``the internal auditor's work may
affect the nature, timing, and extent of the audit,'' including
``procedures the auditor performs when obtaining an understanding of
the entity's internal control (paragraph .13),'' ``procedures the
auditor performs when assessing risk (paragraphs .14 through .16),''
and ``substantive procedures the auditor performs (paragraph .17).''
\45\ AS 2605.27 discusses how the auditor may use internal
auditors to provide direct assistance.
---------------------------------------------------------------------------
Evaluating Confirmation Responses and Confirmation Exceptions, and
Addressing Nonresponses and Incomplete Responses
(See paragraphs .18-.23 of the new standard).
Overall Approach
Under the 2022 Proposal, the auditor's responsibilities related to
the confirmation process included evaluating the information received
in confirmation responses and addressing nonresponses and incomplete
responses. The 2022 Proposal provided that if the auditor is unable to
determine whether the confirmation response is reliable, or in the case
of a nonresponse or an incomplete response (i.e., one that does not
provide the audit evidence the auditor seeks to obtain), the auditor
should perform alternative procedures.\46\ The 2022 Proposal built upon
requirements in existing AS 2310 that discuss addressing information
obtained from the performance of confirmation procedures.
---------------------------------------------------------------------------
\46\ Alternative procedures, including the relevant exception
described in Appendix C of the new standard, are discussed below.
---------------------------------------------------------------------------
The relevant requirements in the new standard include certain
modifications to the approach in the 2022 Proposal, as discussed in the
sections below.
Evaluating the Reliability of Confirmation Responses
The 2022 Proposal was intended to provide additional direction
beyond what is set forth in existing AS 2310 to assist the auditor's
evaluation of the reliability of confirmation responses. Specifically,
the 2022 Proposal (i) described information that the auditor should
take into account when performing the evaluation, and (ii) provided
examples of indicators that a confirmation response may have been
intercepted or altered and thus may not be reliable. In particular, the
2022 Proposal provided that the auditor should take into account any
information about events, conditions, or other information the auditor
becomes aware of in assessing the reliability of the confirmation
response.
Under existing PCAOB standards, the auditor is not expected to be
an expert in document authentication but, if conditions indicate that a
document (e.g., a confirmation response) may not be authentic or may
have been altered, the auditor should modify the planned audit
procedures or perform additional audit procedures to respond to those
conditions and should evaluate the effect, if any, on the other aspects
of the audit.\47\ The 2022 Proposal did not alter these requirements,
but specified for the confirmation process that, if the auditor were
unable to determine that the confirmation response is reliable, the
auditor's response should include performing alternative procedures.
---------------------------------------------------------------------------
\47\ See AS 1105.09.
---------------------------------------------------------------------------
The requirements for evaluating the reliability of confirmation
responses were adopted substantially as proposed.
Several commenters indicated that the provisions of the 2022
Proposal related to evaluating the reliability of confirmation
responses were clear and appropriate. One commenter proposed
modifications to the proposed requirements, including replacing the
words ``taking into account'' with ``considering'' in paragraph .25 of
the proposed standard to reflect the commenter's perceived intent of
the Board. One commenter asserted that paragraph .25 of the proposed
standard could result in onerous documentation requirements in
situations where there is a clear reason why a particular indicator is
not necessarily indicative of interception or alteration of a
confirmation request or confirmation response (e.g., a confirmation
request is sent to a general email account but returned from an email
account belonging to an individual monitoring the general email
account). Another commenter proposed that the Board remove one of the
examples of indicators that a confirmation response may have been
intercepted or altered because it appeared to create a de facto
requirement that an auditor treat a confirmation response as not
reliable if the original confirmation request is not returned with the
confirmation response.
In addition, one commenter suggested modifying paragraph
.26 of the proposed standard to provide that the auditor should perform
alternative procedures if the auditor became aware of any of the
factors identified in paragraph .25 and was unable to overcome those
factors to determine that the confirmation response is reliable.
Another commenter stated that the proposed standard should acknowledge
that, in certain specified circumstances, an unreliable confirmation
would likely result in a scope limitation.
Having considered the comments received, the Board notes that
assessing the reliability of confirmation responses is a critical
component of the confirmation process. If indicators of interception or
alteration are present, it is important for the auditor to address
them. When the auditor follows up on a particular indicator, an auditor
may determine that the confirmation requests and responses have not
been intercepted or altered. For example, an auditor could verify that
a difference in the confirming party's email address between the
confirmation request and confirmation response occurred because the
confirming party responds to confirmation requests from one central
email address. The note to paragraph .18 of the new standard (paragraph
.25 of the proposed standard) provides examples of information that the
auditor should take into account if the auditor becomes aware of it.
Under PCAOB standards, the auditor would document the procedures
performed in response to information that indicates that a confirmation
request or response may have been intercepted or altered. To minimize
any confusion, the Board replaced the word ``indicator'' in the note
with the phrase ``information that indicates,'' which has the same
meaning.
In addition, to clarify that the auditor performs alternative
procedures for the selected item if the auditor is unable to determine
that a confirmation response regarding that item is reliable, the Board
has added the phrase ``for the selected item'' after the words
``alternative procedures'' in paragraph .19 of the new standard. The
Board also revised the reference in paragraph .26 of the proposed
standard to performing alternative procedures ``as discussed in
paragraph .31'' to ``in accordance with Appendix C'' in paragraph .19
of the new standard to reflect that alternative procedures for a
selected item may not be necessary under certain circumstances, as
discussed below, and to reflect the relocation of the more detailed
discussion of alternative procedures from the body of the standard to
Appendix C.
AS 3105, Departures from Unqualified Opinions and Other Reporting
Circumstances, sets forth requirements regarding limitations on the
scope of an audit,\48\ including scope limitations relating to
confirmation procedures with respect to accounts receivable.\49\ One
example of such a scope limitation would be the auditor's inability to
confirm accounts receivable balances combined with an inability to
perform other procedures in respect of accounts receivable to obtain
sufficient appropriate audit evidence. The new standard does not repeat
such existing requirements, as doing so would merely duplicate those
requirements.
---------------------------------------------------------------------------
\48\ See AS 3105.05-.15.
\49\ See AS 3105.07.
---------------------------------------------------------------------------
Evaluating Confirmation Exceptions and Addressing Nonresponses and
Incomplete Responses
For various reasons, information in a confirmation response
received by the auditor could differ from other information in the
company's records obtained by the auditor. The 2022 Proposal provided
that the auditor should evaluate the confirmation exceptions and
determine their implications for certain aspects of the audit, as
discussed below. The direction in the 2022 Proposal was more detailed
than in existing AS 2310.
In particular, the 2022 Proposal provided that the auditor should
evaluate whether confirmation exceptions individually or in the
aggregate indicate a misstatement that should be evaluated in
accordance with AS 2810. The 2022 Proposal did not, however, require
investigating all confirmation exceptions to determine the cause of
each confirmation exception. The 2022 Proposal also included a
provision that the auditor should evaluate whether the confirmation
exceptions individually, or in the aggregate, indicate a deficiency in
the company's internal control over financial reporting (``ICFR'').
With regard to nonresponses and potential nonresponses, the 2022
Proposal provided that the auditor should send a second positive
confirmation request to the confirming
party unless the auditor has become aware of information that indicates
that the confirming party would be unlikely to respond to the auditor.
Additionally, the 2022 Proposal specified that if a confirmation
response is returned by the confirming party to anyone other than the
auditor, the auditor should contact the confirming party and request
that the response be re-sent directly to the auditor. If the auditor
does not subsequently receive a confirmation response from the intended
confirming party, the 2022 Proposal provided that the auditor should
treat the situation as a nonresponse.
Further, in contrast with existing AS 2310, which does not address
the auditor's responsibilities regarding incomplete responses, the 2022
Proposal provided that the auditor should perform alternative
procedures if a confirmation response is not received or is incomplete.
The Board adopted the requirements for evaluating confirmation
exceptions and addressing nonresponses as proposed, with certain
modifications discussed below.
Some commenters indicated that the proposed provisions regarding
evaluating confirmation exceptions and addressing nonresponses were
sufficiently clear and appropriate. A few commenters stated that the
Board should include requirements that limit an auditor's ability to
assess confirmation exceptions as merely ``isolated exceptions.''
Similarly, one commenter asserted that the Board should require
auditors to resolve any confirmation exceptions by examining other
third-party evidence such as purchase orders. In light of these
comments, the Board has added a new note to paragraph .20 of the new
standard that states that determining that a confirmation exception
does not represent a misstatement that should be evaluated in
accordance with AS 2810 generally involves examining external
information, which may include information that the company received
from knowledgeable external sources.
In the Board's view, in many circumstances examining external
evidence under the above provision is necessary, as doing so is
consistent with both the goal of obtaining relevant and reliable audit
evidence and the type of audit evidence sought from confirmation. For
example, an auditor might send a confirmation request for a selected
item to a knowledgeable confirming party regarding a $20,000 accounts
receivable invoice and the confirming party (i.e., the customer)
indicates that the outstanding balance for this invoice at the date
specified in the confirmation request is $18,000. Having investigated
the $2,000 difference, the auditor learns that it does not represent a
misstatement, as the customer overpaid for a different invoice but
applied the overpayment to the invoice selected for confirmation and
the company applied the overpayment differently. In this scenario,
determining that there is not a $2,000 misstatement for the selected
item would involve the auditor examining audit evidence from
knowledgeable external sources, such as applicable purchase orders and
customer cash payments, in addition to information generated by the
company, such as customer invoices.
The note to paragraph .20 of the new standard uses the word
``generally'' to acknowledge that in some circumstances examining
external audit evidence may not be necessary. For example, an auditor
may have included an incorrect figure in the confirmation request and
later determined that the amount confirmed by the confirming party
agrees to the amount in the company's general ledger. Determining that
such a confirmation exception does not represent a misstatement to be
evaluated in accordance with AS 2810 would not require examining audit
evidence from external sources.
One commenter suggested that the Board consider reminding auditors
that, when using audit sampling, the auditor should project the
misstatement results of the sample to the items from which the sample
was selected in accordance with AS 2315. The Board considered this
comment, but did not add a reminder regarding projecting the results of
a sample as the new standard states in footnote 4 that AS 2315
addresses evaluating audit samples.
One commenter suggested that the Board restructure paragraph .27 of
the proposed standard, as the auditor generally considers whether a
confirmation exception is a misstatement and then determines whether
there is a deficiency in internal control. In consideration of this
comment, the Board has restructured paragraph .20 of the new standard
to align with the typical order in which the auditor considers the two
matters discussed therein (i.e., an auditor typically considers whether
a confirmation exception indicates a misstatement that should be
evaluated in accordance with AS 2810, Evaluating Audit Results, and
then considers whether the confirmation exception represents a
deficiency in the company's ICFR).
One commenter expressed the view that the Board should not require
auditors to evaluate whether a confirmation exception constitutes a
control deficiency if the exception was a result of a clerical error or
caused by a timing difference. The Board continues to believe that
requiring the auditor to evaluate exceptions in such circumstances is
appropriate and the auditor should consider whether all confirmation
exceptions are control deficiencies. A clerical error or timing
difference could be indicative of a deficiency in a company's ICFR.
One commenter indicated that the proposed requirement about sending
a second positive confirmation request unless the auditor has become
aware of information that indicates that the confirming party would be
unlikely to respond to the auditor was sufficiently clear and
appropriate. However, several firms commented that the requirement was
too prescriptive, with one commenter asserting that the requirement
could result in unnecessary and potentially ineffective administrative
effort. Additionally, a few commenters expressed concern that following
up on a confirmation request would not constitute sending a second
confirmation request under the proposed standard, but asserted that it
should be so treated.
The Board considered the comments about the requirement to send a
second positive confirmation request. The use of confirmation is not
required under the new standard other than for cash and accounts
receivable when they are significant accounts or disclosures. Under the
new standard, for cash and accounts receivable, the auditor may perform
other audit procedures to obtain audit evidence by directly accessing
information maintained by a knowledgeable external source. Further, for
accounts receivable, in certain situations the new standard allows the
auditor to obtain external information indirectly (see discussion of
cash and accounts receivable below).
Because the auditor may have a choice of the audit procedure to
perform, the Board believes that the auditor will select confirmation
in those situations where confirming parties will be more likely to
respond to the auditor. In situations where a confirming party does not
respond to a confirmation request, the Board has concluded it is
appropriate to require the auditor, in the case of a nonresponse to a
positive confirmation request, to follow up with the confirming party.
The requirement to follow up with the confirming party is included in
paragraph .21 of the new standard. The new standard does not prescribe
a form of the auditor's follow-up. For example, following up using the
same form of communication as in the original confirmation request
(e.g., email, direct electronic transmission facilitated by an
intermediary) would be appropriate under the new standard. In the case
of an electronic confirmation request, a follow-up request could be in
the form of a reminder or automated reminder.
If the auditor subsequently receives a confirmation response, the
new standard provides that the auditor should evaluate that response in
accordance with paragraphs .18-.19 and evaluate any confirmation
exception in accordance with paragraph .20. If the auditor's follow-up
does not elicit a confirmation response, paragraph .23 of the new
standard instructs the auditor to perform alternative procedures for
the selected item in accordance with Appendix C of the new standard.
To clarify that the auditor performs alternative procedures for the
selected item, the Board has added the phrase ``for the selected item''
after the words ``alternative procedures'' in paragraph .23 of the new
standard. The Board also revised the reference in paragraph .30 of the
proposed standard to performing alternative procedures ``as discussed
in paragraph .31'' to refer to ``in accordance with Appendix C'' in
paragraph .19 of the new standard to reflect that alternative
procedures for a selected item may not be necessary under certain
circumstances, as discussed below, and to reflect the relocation of the
more detailed discussion of alternative procedures from the body of the
standard to Appendix C.
Additional Considerations for Cash, Accounts Receivable, and Terms of
Certain Transactions
(See paragraphs .24-.30 of the new standard).
In general, evidence obtained from a knowledgeable external source
is more reliable than evidence obtained only from internal company
sources. When cash or accounts receivable are significant accounts,
there is a presumption in the new standard that the auditor should
obtain audit evidence from a knowledgeable external source by
performing confirmation procedures or using other means to obtain audit
evidence by directly accessing information maintained by knowledgeable
external sources. In addition, the new standard addresses other
situations in which the auditor should consider the use of
confirmation.
The Board discusses below the provisions of the new standard
relating to confirming cash held by third parties, confirming accounts
receivable, performing other audit procedures for accounts receivable
when obtaining audit evidence directly from a knowledgeable external
source would not be feasible, communicating with the audit committee in
certain situations, and confirming the terms of certain other
transactions. To improve the flow of the requirements in the new
standard, these provisions have been placed after the general
provisions that describe the auditor's responsibilities related to the
confirmation process (i.e., after paragraphs .08-.23).
Figure 1 depicts the relationship of the requirements in the new
standard for cash and accounts receivable when they are significant
accounts (paragraphs .24-.28) to the general provisions of the new
standard applicable to the confirmation process (paragraphs
.08-.23).\50\
---------------------------------------------------------------------------
\50\ The information in Figure 1 is intended to be for
illustrative purposes and is not a substitute for the new standard;
only the new standard provides the auditor with the definitive
requirements.
---------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] TN17OC23.008
Cash Held by Third Parties
Confirming Cash
The 2022 Proposal provided that the auditor should perform
confirmation procedures when auditing cash and cash equivalents held by
a third party. Existing AS 2310 does not address auditor
responsibilities for confirming cash.
The Board noted in the 2022 Proposal that an auditor need not
necessarily confirm all cash accounts in all cases. Under PCAOB
standards, the alternative means of selecting items for testing are
selecting all items, selecting specific items, and audit sampling.\51\
An auditor selects individual cash items to confirm following the
relevant direction in PCAOB standards, including identifying and
assessing the risk of misstatement and developing an audit
response.\52\ The particular means or combination of means of selecting
cash items to confirm depend on, for example, the characteristics of
the cash items and the evidence necessary to address the assessed risk
of material misstatement.\53\
---------------------------------------------------------------------------
\51\ See AS 1105.22.
\52\ See, e.g., AS 2110 and AS 2301.
\53\ See AS 1105.23 and AS 2301.03.
---------------------------------------------------------------------------
The 2022 Proposal emphasized that, in selecting the individual
items of cash to confirm, the auditor should take into account the
auditor's understanding of the company's cash management and treasury
function, and the substance of the company's arrangements and
transactions with third parties. For example, an auditor might select
bank accounts with balances over a certain amount, accounts with a high
volume of
transactions, accounts opened or closed during the period under audit,
or accounts the auditor identifies as particularly risk-prone.
Alternatively, the auditor might determine it is appropriate to confirm
all cash accounts. The auditor also follows the direction in PCAOB
standards when determining whether performing procedures in addition to
confirmation is necessary to address the assessed risk of material
misstatement relating to cash.\54\
---------------------------------------------------------------------------
\54\ See, e.g., AS 2301.09.
---------------------------------------------------------------------------
The Board adopted the proposed requirements to confirm cash, with
certain modifications discussed below.
A number of commenters supported the proposed requirement for the
auditor to confirm cash held by third parties. Some of these commenters
stated that confirming cash has long been an audit best practice and
that requiring cash confirmation would lead to more consistency in
practice. In addition, several commenters stated that the standard was
sufficiently risk-based (i.e., by allowing the auditor to select cash
accounts and other financial relationships to confirm based on the risk
of material misstatement associated with cash).
Several commenters asserted that a requirement to confirm cash was
not sufficiently risk-based, despite the provisions in the 2022
Proposal that described that the auditor should take into account their
understanding of the company's operations in making selections of
individual cash items to confirm. In particular, several commenters
stated that the proposed standard would require an auditor to confirm
cash without regard to the level of risk that the auditor had
determined for cash in their risk assessment or when other audit
procedures could produce sufficient appropriate audit evidence. Other
commenters expressed the view that the requirement to confirm cash, as
well as accounts receivable, should be removed, with some of these
commenters suggesting that the auditor should be able to determine the
audit procedure that would be most effective in obtaining relevant and
reliable audit evidence, without confirmation being the ``default''
procedure.
The Board continues to believe that a presumption to confirm cash
is appropriate. As discussed above, this presumption to confirm cash is
consistent with current practice. Consistent with the objective of the
new standard, the requirement to confirm cash, as well as accounts
receivable, only applies when the auditor has determined that
these accounts are significant accounts.
With respect to confirming cash, many commenters, primarily firms
and firm-related groups, expressed concern that the 2022 Proposal did
not contain a provision about overcoming the presumption to confirm
cash. A number of commenters also expressed the view that auditors
could obtain a direct-access view of bank information (or would be able
to do so in the future), which could provide a more effective means of
directly obtaining external evidence than sending a confirmation.
The Board agrees that if the auditor is able to perform other audit
procedures that allow the auditor to obtain audit evidence by directly
accessing information maintained by knowledgeable external sources,
such audit evidence would be at least as persuasive as audit evidence
obtained through confirmation procedures. The Board therefore added to
the presumption to confirm cash (and accounts receivable) in the new
standard the phrase ``or otherwise obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source.''
By way of example, the auditor might satisfy this requirement to
obtain relevant and reliable audit evidence under the new standard by
obtaining read-only access to information maintained by a financial
institution concerning its transactions or balances with the company
directly online through a secure website of the financial institution
using credentials provided to the auditor by the financial institution.
The Term ``Cash and Cash Equivalents Held by Third Parties''
The 2022 Proposal provided that the term ``cash'' comprised both
cash and cash equivalents. Cash equivalents generally refer to
short-term, highly liquid investments that are readily convertible to known
amounts of cash and are so near their maturity that they present
insignificant risk of changes in value because of changes in interest
rates.\55\ Such assets are commonly used by companies to manage their
cash holdings. The 2022 Proposal also described that the requirements
for confirming cash would apply to cash held by third parties, and would
not be limited to cash held by financial institutions. In the Board's view,
this expansion of confirmation requirements was appropriate, as company
funds can be held by third parties other than financial institutions,
such as money transfer providers.
---------------------------------------------------------------------------
\55\ See, e.g., definition of ``cash equivalents'' in the Master
Glossary of the Financial Accounting Standards Board (``FASB'')
Accounting Standards Codification and of ``cash equivalents'' in the
International Financial Reporting Standards (``IFRS'').
---------------------------------------------------------------------------
The Board adopted this provision as proposed in the 2022 Proposal.
There was one comment related to this aspect of the 2022 Proposal,
suggesting that the new standard should specify that ``third parties''
are not limited to financial institutions. The Board believes the
reference to ``third parties'' was sufficiently clear as proposed and,
accordingly, has not expanded this description.
Confirming Other Financial Relationships
The 2022 Proposal provided that the auditor should consider
confirming other financial relationships with the third parties with
which the auditor determines to confirm cash. Such relationships can
include lines of credit, other indebtedness, compensating balance
arrangements, or contingent liabilities, including guarantees. As
proposed, the auditor would be required under PCAOB standards to
document the consideration given to the confirmation of other financial
relationships and the conclusions reached.\56\ Existing AS 2310 does
not have an analogous requirement to confirm other financial
relationships.
---------------------------------------------------------------------------
\56\ See Note to PCAOB Rule 3101(a)(3), which states that ``(i)f
a Board standard provides that the auditor ``should consider'' an
action or procedure, consideration of the action or procedure is
presumptively mandatory, while the action or procedure is not,'' and
AS 1215.05-.06 (audit documentation should ``[d]emonstrate that the
engagement complied with the standards of the PCAOB'' and must
``document the procedures performed . . . with respect to relevant
financial statement assertions''). See also Audit Documentation and
Amendment to Interim Auditing Standards, PCAOB Rel. No. 2004-006
(June 9, 2004), at 3 (``the auditor documents not only the nature,
timing, and extent of the work performed, but also the professional
judgments made by members of the engagement team and others'').
---------------------------------------------------------------------------
The Board adopted this provision as proposed, with certain
modifications discussed below.
Several commenters stated that the requirements for the auditor to
consider confirming other financial relationships were clear. One
commenter suggested that confirming other financial relationships
should be required, and that overcoming the presumption to confirm
should be available only when the financial entity with which the
company does business does not offer services that would give rise to
other financial relationships.
A number of commenters asserted that auditors would be required to
produce additional documentation of their considerations, even when a
financial relationship(s) is not an area of significant risk of
material misstatement. Some commenters recommended that the provision
that the auditor ``should consider'' other financial relationships be
changed to ``may consider,'' in order to allow for more auditor
judgment in determining the audit procedures to perform.
The Board continues to believe that information about financial
relationships, including off-balance sheet relationships, could be
important for the audit, as it could be part of significant disclosures
in a company's financial statements. Accordingly, paragraph .29 of the
new standard provides that, in addition to obtaining audit evidence
from a knowledgeable external source regarding cash in accordance with
paragraph .24, the auditor should consider sending confirmation
requests to that source about other financial relationships with the
company, based on the assessed risk of material misstatement. The
phrase ``based on the assessed risk of material misstatement'' was
added to clarify that the auditor has flexibility in tailoring audit
procedures to the level of assessed risk (e.g., by including or not
including confirmation in the audit response based on the auditor's
assessed risk of material misstatement of other financial
relationships). In addition, paragraph .29 retains the examples of
other financial relationships that were included in the 2022 Proposal.
Accounts Receivable
Confirming Accounts Receivable
The 2022 Proposal carried forward the requirement in existing AS
2310 to confirm accounts receivable. Similar to existing AS 2310, the
2022 Proposal did not specify the extent of confirmation procedures for
accounts receivable. As noted above, the timing and extent of
confirmation procedures are part of the auditor's response to the risks
of material misstatement under PCAOB risk assessment standards. The
2022 Proposal instead required the auditor to take into account the
auditor's understanding of the substance of the company's arrangements
and transactions with third parties and the nature of the items that
make up the company's account balances in selecting the individual
accounts receivable to confirm. For example, an auditor might assess
the risk of material misstatement relating to accounts receivable
higher for a company that is being audited for the first time by the
auditor, or for accounts receivable from a newly acquired operation in
a foreign location.
The Board adopted the proposed requirements to confirm accounts
receivable, with certain modifications discussed below.
Most commenters on this aspect of the 2022 Proposal generally
supported the retention of a presumption to confirm accounts
receivable, and most of those commenters stated that the requirement
for the auditor to confirm accounts receivable was sufficiently clear
and appropriate. Two investor-related groups stated that confirmation
of cash and accounts receivable was necessary, in their view, to obtain
persuasive, sufficient, and competent audit evidence.
On the other hand, a number of commenters, primarily firms and
firm-related groups, expressed concerns about carrying forward the
presumption for auditors to confirm accounts receivable from existing
AS 2310. The common theme of those commenters was that requiring the
auditor to use confirmation for certain accounts may not allow the
auditor to exercise professional judgment in determining an appropriate
response to the assessed risk of material misstatement for those
accounts.
Regarding the selection of accounts receivable to confirm, several
commenters agreed that the 2022 Proposal was sufficiently
principles-based to allow auditors to use professional judgment in determining the
extent of confirmation of accounts receivable.
The Board continues to believe that a presumption to confirm
accounts receivable is appropriate to emphasize that audit evidence
obtained from a knowledgeable external source is generally more
reliable than evidence obtained only from internal company sources.
Consistent with the objective of the new standard, the requirement to
confirm cash and accounts receivable, or otherwise obtain relevant and
reliable audit evidence by directly accessing information maintained by
a knowledgeable external source, only applies when the auditor has
determined that these accounts are significant accounts.
As with cash balances discussed above, the Board believes that when
the auditor is able to perform other audit procedures to obtain audit
evidence about accounts receivable by directly accessing information
maintained by knowledgeable external sources (e.g., information
maintained by the receivable counterparty), such evidence would be at
least as persuasive as audit evidence obtained through confirmation procedures.
The Board therefore added to the presumption to confirm cash and
accounts receivable in the new standard the phrase ``or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source.''
Audit evidence that an auditor obtains by accessing a third party's
information directly can be at least as persuasive as audit evidence
obtained through confirmation procedures because the auditor is able to
observe first-hand the information providing such evidence. As
technology continues to develop, the Board believes it is important for
the new standard to reflect that there may be additional opportunities
for the auditor to obtain audit evidence directly beyond sending a
confirmation request. The new standard would allow for future
innovations in audit techniques that might involve the auditor
obtaining evidence for accounts receivable by directly accessing
information maintained by a counterparty or other knowledgeable
external source. As noted in the new standard, consistent with
selecting a confirming party, when selecting the knowledgeable external
source providing the auditor with access to information directly, the
auditor would be required to consider whether the knowledgeable
external source would have any incentive or pressure to provide the
auditor with access to information directly that is inaccurate or
otherwise misleading.
Situations where it would not be feasible for the auditor to obtain
audit evidence for accounts receivable directly from a knowledgeable
external source, through confirmation procedures or other means, are
discussed below.
The Term ``Accounts Receivable''
The 2022 Proposal described ``accounts receivable'' as comprising
receivables arising from the transfer of goods or services to a
customer or from a financial institution's loans. Existing AS 2310
describes accounts receivable as the entity's claims against customers
that have arisen from the sale of goods or services in the normal
course of business, and a financial institution's loans. The 2022
Proposal was designed to apply to the same types of items as existing
AS 2310, with a modified description to align more closely with the
terminology of current accounting requirements, which have been updated
since existing AS 2310 was written.\57\
---------------------------------------------------------------------------
\57\ See, e.g., FASB Accounting Standards Codification Topic
606, Revenue from Contracts with Customers, and IFRS 15, Revenue
from Contracts with Customers.
---------------------------------------------------------------------------
The Board adopted this provision as proposed.
Commenters on this aspect of the 2022 Proposal stated that the
description of accounts receivable was clear. These commenters also
noted that there was no need to further broaden the description to
include additional types of receivables.
The description of accounts receivable in the new standard includes
receivables that arise from the transfer of goods or services to a
customer. These types of receivables generally arise from the company's
ordinary revenue-generating activities, and include items for which
revenue has been or will be recognized by a company, such as
receivables from selling manufactured products or providing a service
to customers. The description of accounts receivable also includes a
financial institution's loans, including loans to customers that the
institution has originated or purchased from another institution.
Examples of financial institutions are banks, non-bank lenders, and
mortgage companies that provide financing to customers.
Situations When Obtaining Audit Evidence for Accounts Receivable
Directly Would Not Be Feasible
Performing Other Substantive Procedures, Including Tests of Details
In the 2022 Proposal, the presumption to confirm accounts
receivable could be overcome when the auditor determined that an audit
response that only included substantive audit procedures other than
confirmation would provide audit evidence that is at least as
persuasive as evidence the auditor might expect to obtain through
performing confirmation procedures. The 2022 Proposal did not carry
forward the provisions in existing AS 2310 addressing overcoming the
presumption to confirm accounts receivable under certain conditions,
which are (i) immateriality, (ii) ineffectiveness of confirmation, or
(iii) a certain combination of the assessed risk and expected results
from other auditing procedures.\58\
---------------------------------------------------------------------------
\58\ See AS 2310.34.
---------------------------------------------------------------------------
As discussed below, the new standard includes a provision to
address situations when obtaining audit evidence directly from
knowledgeable external sources, whether through confirmation procedures
or other means, would not be feasible to execute.
Many commenters addressed the provision in the 2022 Proposal to
overcome the presumption to confirm accounts receivable. A few
commenters noted that the ability to overcome the presumption to
confirm accounts receivable was clear and appropriate. As discussed
below, many commenters focused on the proposed provision that evidence
obtained through other substantive procedures should be ``at least as
persuasive as'' evidence obtained through confirmation:
A number of investor-related groups stated that the
provision gave too much leeway to auditors to overcome the presumption
to confirm accounts receivable. These commenters asserted that
exceptions to confirming accounts receivable should only be available
when other audit procedures would provide more persuasive or greater
accumulated evidence than that obtained through confirmation. These
commenters recommended additional requirements, such as allowing the
auditor to overcome the presumption only if they document the evidence
and basis for their conclusion and have communicated the conclusion to
the audit committee and investors.
Several firms and firm-related groups stated that the
relevant provisions were not clear or more guidance would be needed
about overcoming the presumption to confirm accounts receivable when
other substantive procedures would be ``at least as persuasive as'' the
evidence expected to be obtained through confirmation. A few commenters
observed that the absence of a definition of the term ``persuasive'' in
AS 1105 contributed to a lack of clarity as to the Board's expectations
and requested more guidance about how to measure or evaluate
persuasiveness. Several commenters emphasized that, rather than focus
the requirement for overcoming the presumption to confirm accounts
receivable on whether audit evidence obtained through audit procedures
other than confirmation is ``at least as persuasive as'' evidence
expected to be obtained through confirmation, the Board should focus
the requirement on obtaining evidence that is sufficient and
appropriate to address the assessed risk of material misstatement or,
as one commenter suggested, on the reliability of the audit evidence.
Several commenters suggested that the Board retain
provisions similar to those in existing AS 2310.34 for allowing the
auditor to overcome the presumption to confirm accounts receivable. In
addition, several firms and firm-related groups suggested that the
auditor's ability to overcome the presumption to confirm should be
based on risk assessment, similar to the provision in existing AS 2310
addressing when the assessed level of inherent and control risk is low.
Many firms and firm-related groups expressed concern that
the criteria for overcoming the presumption would result in auditors
having to use confirmation even in situations where historically
confirmations were determined by the auditor to be ineffective and not
to provide persuasive audit evidence.
One commenter stated that, if the proposed language were
adopted, auditors would likely default to confirming accounts
receivable over other audit procedures to avoid second-guessing of
their determinations of the persuasiveness of audit evidence.
Several commenters, primarily firms and firm-related
groups, stated that the 2022 Proposal imposed a higher threshold than
the existing standard for auditors to overcome the presumption to
confirm accounts receivable without a corresponding increase to audit
quality.
As previously discussed, the new standard creates a presumption
that the auditor performs confirmation procedures or otherwise obtains
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source. Under PCAOB standards,
in general, evidence obtained directly by the auditor from a
knowledgeable external source is more reliable than evidence obtained
indirectly.\59\ However, the Board appreciates that there are instances
where the auditor determines that performing confirmation procedures in
response to a risk of material misstatement related to accounts
receivable would not be feasible. For example, commenters described
situations involving a history of low response rates to confirmation
requests in certain industries (e.g., healthcare, utilities), or where
customers have been advised by a government agency to avoid providing
personal or financial information in response to an unexpected request.
The Board further understands that companies in other industries (e.g.,
large retailers, defense and aerospace companies that contract with the
federal government) do not, as a matter of policy, respond to
confirmation requests. There may also be instances in which the
performance of confirmation procedures would not result in reliable
audit evidence.
---------------------------------------------------------------------------
\59\ See AS 1105.08.
---------------------------------------------------------------------------
Accordingly, paragraph .25 allows the auditor to perform other
substantive procedures in response to a risk of
material misstatement, as long as such procedures include tests of
details, if the auditor determines it is not feasible to obtain audit
evidence directly from a knowledgeable external source pursuant to
paragraph .24. Paragraph .25 specifically provides that the auditor's
determination should be based on the auditor's experience, such as
prior years' audit experience with the company or experience with
similar engagements where the auditor did not receive confirmation
responses, and the auditor's expectation of similar results if
procedures were performed pursuant to paragraph .24. Any such
determination would be performed as part of conducting the audit based
on the available facts and circumstances at that time and properly
supported in the audit documentation for the engagement.\60\ In
addition, as described below, for significant risks associated with
accounts receivable, the auditor would be required to communicate with
the audit committee when the auditor did not perform confirmation
procedures or otherwise obtain audit evidence by directly accessing
information maintained by a knowledgeable external source.
---------------------------------------------------------------------------
\60\ See AS 1215.05.
---------------------------------------------------------------------------
This provision replaces the concept in the 2022 Proposal about
obtaining audit evidence that was ``at least as persuasive as'' the
evidence expected to be obtained through confirmation procedures. It
also specifies that the auditor should perform other substantive
procedures, including tests of details, in these situations to make
clear that performing only substantive analytical procedures would not
be sufficient to overcome the presumption to confirm. These other
substantive procedures should involve obtaining external information
indirectly.
For accounts receivable, the auditor may be able to satisfy this
requirement by obtaining information that is in the company's
possession that the company received from one or more knowledgeable
external sources.\61\ Examples of such external information may
include subsequent cash receipts, shipping documents from
third-party carriers, customer purchase orders, or signed contracts and
amendments thereto. This information may be in electronic form (e.g., a
purchase order initiated by a customer through a company's website) or
in paper form (e.g., a signed contract).
---------------------------------------------------------------------------
\61\ See also Proposed Amendments Related to Aspects of
Designing and Performing Audit Procedures that Involve Technology-
Assisted Analysis of Information in Electronic Form, PCAOB Rel. No.
2023-004 (June 26, 2023) (proposing amendments to PCAOB auditing
standards to specify auditor responsibilities regarding certain
company-provided information that the auditor uses as audit
evidence, including information that the company received from
external sources).
---------------------------------------------------------------------------
Conversely, when performing other substantive procedures under this
provision, it would not satisfy the requirements of the new standard to
use or rely solely on the company's internally produced information.
For example, an audit procedure that involves an automated matching
analysis of a company's revenue, accounts receivable, and cash journal
entries recorded by the company would be insufficient on its own
because such an analysis only involves the company's internally
produced information. On the other hand, when such internally produced
information is evaluated in conjunction with external information that
the company received from a knowledgeable external source, such as
checks that the company received directly from customers or information
on subsequent cash receipts that the company received from a financial
institution, the procedures would involve audit evidence from a
knowledgeable external source.
Under existing PCAOB standards, the quantity of audit evidence
needed is affected by its quality, including its reliability, and in
general evidence obtained directly by the auditor is more reliable than
evidence obtained indirectly. This applies to all information
(including external information) used by the auditor in arriving at the
conclusions on which the auditor's opinion is based. For example, as
the quality of the evidence increases, the need for additional
corroborating evidence decreases. The auditor should be mindful of
these requirements when determining an appropriate audit response to a
risk of material misstatement that involves obtaining external
information indirectly under the new standard.
Further, when performing audit procedures that involve obtaining
external information, the auditor should be mindful of other relevant
PCAOB standards that address the documentation of the procedures
performed and the relevance and reliability of the audit evidence
obtained.\62\ Audit documentation must clearly demonstrate the work
performed by the auditor. In addition, the reliability of that audit
evidence depends on the nature and source of the evidence and the
circumstances under which it is obtained.
---------------------------------------------------------------------------
\62\ See, e.g., AS 1215.05-.06 and AS 1105.07-.08.
---------------------------------------------------------------------------
Communicating With the Audit Committee About the Auditor's Response to
Significant Risks for Cash and Accounts Receivable
The 2022 Proposal included a requirement for the auditor to
communicate to the audit committee \63\ instances where the auditor had
determined that the presumption to confirm accounts receivable had been
overcome. In proposing that requirement, the Board considered the long-
standing practice by auditors in the United States to confirm accounts
receivable, and noted that a communication requirement when the
presumption to confirm is overcome could enhance the audit committee's
understanding of the auditor's strategy. In this regard, existing
standards require the auditor to communicate to the audit committee
about the auditor's overall audit strategy, significant risks
identified during risk assessment procedures, significant changes to
the planned audit strategy, and significant difficulties encountered
during the audit.\64\ Existing AS 2310 does not have a requirement to
communicate to the audit committee about overcoming the presumption to
confirm accounts receivable.
---------------------------------------------------------------------------
\63\ The term ``audit committee,'' as used in the new standard,
has the same meaning as defined in Appendix A of AS 1301,
Communications with Audit Committees.
\64\ See AS 1301.09, .11, .23.
---------------------------------------------------------------------------
The new standard contains a requirement for the auditor to
communicate with the audit committee about the auditor's response to
significant risks associated with cash or accounts receivable when the
auditor did not perform confirmation procedures or otherwise obtain
audit evidence by directly accessing information maintained by a
knowledgeable external source.
Several commenters, primarily investor-related groups, supported
the proposed requirement in the 2022 Proposal that the auditor
communicate to the audit committee when an auditor overcomes the
presumption to confirm accounts receivable. One of the commenters
referred to a statement in the 2022 Proposal that a requirement to
communicate to the audit committee when overcoming the presumption to
confirm accounts receivable ``may reinforce the auditor's obligation to
exercise due professional care in making that determination.'' This
commenter also noted that overcoming the presumption could result in a
critical audit matter under AS 3101, The Auditor's Report on an Audit
of
Financial Statements When the Auditor Expresses an Unqualified
Opinion.\65\
---------------------------------------------------------------------------
\65\ A critical audit matter is defined in AS 3101.A2 as ``[a]ny
matter arising from the audit of the financial statements that was
communicated or required to be communicated to the audit committee
and that: (1) relates to accounts or disclosures that are material
to the financial statements and (2) involved especially challenging,
subjective, or complex auditor judgment.''
---------------------------------------------------------------------------
Many commenters on this aspect of the 2022 Proposal, primarily
firms and firm-related groups, disagreed with a specific requirement to
communicate with the audit committee on this matter. These commenters
asserted that such a requirement did not align with principles in AS
1301 to communicate with the audit committee about significant risks,
including audit matters arising from the audit that are significant to
the oversight of the company's financial reporting process. A number of
these commenters also noted that, if there were a significant risk in
accounts receivable or associated with a critical audit matter, the
auditor would already be required to communicate these matters under AS
1301. Several other commenters indicated that they did not object to a
more targeted requirement to communicate with the audit committee about
overcoming the presumption to confirm when accounts receivable was
assessed as a significant risk.
In addition, several commenters asserted that a requirement to
communicate to the audit committee about overcoming the presumption to
confirm would not improve audit quality, and could be detrimental if
this communication became a compliance exercise for auditors,
distracting them from performing effective audit procedures. A few
commenters also stated there would not be a benefit to audit quality if
the Board were to mandate that auditors treat instances of overcoming
the presumption to confirm as a critical audit matter.
The 2022 Proposal stated that there may be some expectation by
audit committees that the auditor would use confirmation as part of a
planned audit response. One commenter encouraged the Board to perform
outreach with audit committees to understand whether this expectation
was, in fact, widespread and whether the proposed communication
requirement would be relevant and meaningful.
Having considered the comments received, the Board does not believe
it is necessary to require the auditor to inform the audit committee in
every instance where the auditor performed substantive audit procedures
other than confirmation to address the risk of material misstatement of
cash or accounts receivable. However, the Board believes the auditor
should inform the audit committee when the auditor did not perform
confirmation procedures or otherwise obtain audit evidence by directly
accessing information maintained by a knowledgeable external source
when responding to significant risks associated with either cash or
accounts receivable.
This targeted requirement is consistent with the views expressed by
several commenters, as discussed above. It is also consistent with the
existing obligation of auditors under PCAOB standards to communicate to
the audit committee an overview of the overall audit strategy and to
discuss with the audit committee the significant risks of material
misstatement identified during the auditor's risk assessment
procedures.\66\ In addition, as with other matters arising from the
audit of financial statements and communicated or required to be
communicated to the audit committee, the auditor is required to
determine whether these matters are critical audit matters in
accordance with AS 3101.\67\
---------------------------------------------------------------------------
\66\ See AS 1301.09.
\67\ See AS 3101.11-.12.
---------------------------------------------------------------------------
Confirming Terms of Certain Transactions
The 2022 Proposal provided that, for significant risks of material
misstatement associated with either a complex transaction or a
significant unusual transaction, the auditor should consider confirming
terms of the transaction with the counterparty to the transaction. This
provision updates a requirement in existing AS 2310.08 that the auditor
should consider confirming the terms of certain transactions that are
associated with high levels of risk. The 2022 Proposal used the
terminology ``significant risk'' and ``significant unusual
transactions,'' but the provision was intended to be similar to that in
existing AS 2310.
The Board adopted the proposed requirements to consider confirming
terms of certain transactions, with certain modifications discussed
below.
Several commenters noted that the provision in the 2022 Proposal
was sufficiently clear and appropriate. Other commenters suggested
various modifications to the provision that they asserted would improve
its clarity, such as elaborating on the meaning of the term ``complex
transaction'' and stating that the provision applies when the
assertions related to the significant risk of material misstatement can
be adequately addressed through confirmation. Several commenters
indicated that other audit procedures, not including confirmation, may
adequately address an assessed significant risk over the existence
assertion, such as obtaining and reviewing an original executed
contract and verifying the execution of its terms over a period of
time.
To provide additional clarity, the new standard provides that the
auditor should consider confirming those terms of a complex transaction
or significant unusual transaction that are associated with a
significant risk of material misstatement, including a fraud risk.
Under the new standard, examples of such terms may include terms
relating to (i) oral side agreements, or undisclosed written or oral
side agreements, where the auditor has reason to believe that such
agreements exist, (ii) bill and hold sales, and (iii) supplier
discounts or concessions. When such arrangements or agreements are part
of a complex transaction or significant unusual transaction identified
by the auditor, there may be a heightened risk that the transaction has
been entered into to engage in fraudulent financial reporting or
conceal misappropriation of assets. Likewise, a complex transaction or
a significant unusual transaction could have a heightened risk of error
whereby confirmation could lead to identification of an additional term
that, under an accounting standard, might have accounting implications
not previously recognized by either the company or the auditor.
Accordingly, the auditor's confirmation of terms related to such
arrangements or agreements may assist the auditor in evaluating the
business purpose, or lack thereof, of the transaction.\68\ These
examples are not intended to be an exhaustive list. An auditor may
identify other terms to confirm relating to a complex transaction or a
significant unusual transaction if the auditor decides that
confirmation could result in obtaining relevant and reliable audit
evidence about that transaction.
---------------------------------------------------------------------------
\68\ See AS 2401.67.
---------------------------------------------------------------------------
One investor-related group recommended that the provision in the
2022 Proposal addressing the terms of complex transactions and
significant unusual transactions should be mandatory and read
``should'' instead of ``should consider.'' In contrast, other
commenters asserted that the provision was unduly prescriptive. Several
commenters recommended that the Board change the phrase ``should
consider'' to ``may consider'' to allow for more auditor judgment in
determining the audit procedures to perform to address significant
unusual transactions or other complex transactions. The Board believes
that the provision stating that the auditor ``should consider''
confirming terms of complex transactions or significant unusual
transactions associated with a significant risk of material
misstatement is sufficiently risk-based for the auditor to have
flexibility in selecting the audit procedures that are best suited to
address significant risks of material misstatement, depending on the
facts and circumstances of individual transactions.
Another commenter suggested that the Board place additional
emphasis on the auditor having a heightened degree of professional
skepticism, similar to a provision in existing AS 2310.27, and that
doing so would allow auditors to make appropriate judgments in
determining whether facts and circumstances indicate that confirmation
procedures may not produce sufficient appropriate evidence to address
the assessed risks. The Board did not include additional language in
the new standard about the auditor's potential need to exercise a
heightened degree of professional skepticism related to confirmation
because the auditor's obligation to apply professional skepticism is
relevant to all aspects of the audit.\69\
---------------------------------------------------------------------------
\69\ See AS 1015.07.
---------------------------------------------------------------------------
Performing Alternative Procedures for Selected Items
(See paragraphs .C1-.C2 of the new standard).
The 2022 Proposal provided that the auditor should perform
alternative procedures in certain scenarios involving identifying
confirming parties or evaluating the reliability of confirmation
responses, as well as in scenarios involving nonresponses and
incomplete responses.\70\ This range of scenarios was broader than
under existing AS 2310, which provides that, with certain exceptions,
the auditor should apply alternative procedures where the auditor has
not received replies to positive confirmation requests. In addition,
existing AS 2310 provides examples of alternative procedures, and
requires the auditor to evaluate the combined evidence provided by
confirmation and any alternative procedures and send additional
confirmation requests or perform other audit tests, as needed, to
obtain sufficient appropriate audit evidence.
---------------------------------------------------------------------------
\70\ See paragraphs .20 (inability to identify a confirming
party), .26 (unreliable response), and .30 (nonresponse or
incomplete response) of the proposed standard.
---------------------------------------------------------------------------
The 2022 Proposal provided examples of alternative procedures that
may provide relevant and reliable audit evidence regarding accounts
receivable, accounts payable, and the terms of a transaction or
agreement. These provisions expanded upon the examples of alternative
procedures discussed in existing AS 2310.
The 2022 Proposal did not specify whether performing alternative
procedures for the items the auditor was unable to confirm, alone or in
combination with other audit procedures, is necessary to obtain
sufficient appropriate audit evidence. Under the 2022 Proposal, the
auditor would make that determination based on the facts and
circumstances of the audit. Further, an auditor might determine that,
without obtaining a reliable confirmation response, the auditor is
unable to obtain sufficient appropriate audit evidence for a relevant
assertion through performing alternative procedures for the items the
auditor could not confirm, other audit procedures, or both (e.g., if
the auditor observes conditions during the confirmation process that
indicate a heightened fraud risk). In such scenarios, the 2022 Proposal
provided that the auditor would consider the impact on the audit
opinion in accordance with AS 3105.
The 2022 Proposal also provided that performing alternative
procedures may not be necessary where items selected for confirmation
for which the auditor was not able to complete audit procedures would
not--if misstated--change the outcome of the auditor's evaluation of
the effect of uncorrected misstatements performed in accordance with AS
2810.17.\71\ For example, following the direction in AS 2810.17, under
the 2022 Proposal an auditor may have determined that an item that the
auditor was unable to confirm would not be material individually or in
combination with other misstatements. In such situations, the auditor
would not have been required to perform alternative procedures.\72\
Existing AS 2310 includes an analogous exception.
---------------------------------------------------------------------------
\71\ The auditor's evaluation of materiality under AS 2810.17
takes into account both relevant quantitative and qualitative
factors.
\72\ In certain circumstances, auditors may have obligations
independent of the Board's auditing standards to perform either
confirmation procedures or other auditing procedures. See, e.g.,
Section 30(g) of the Investment Company Act of 1940, 15 U.S.C. 80a-
29(g) (providing that the auditor's report on the financial
statements of a registered investment company ``shall state that
such independent public accountants have verified securities owned,
either by actual examination, or by receipt of a certificate from
the custodian, as the Commission may prescribe by rules and
regulations'').
---------------------------------------------------------------------------
The Board adopted the requirements substantially as proposed, with
certain modifications discussed below.
In the 2022 Proposal, the additional discussion of alternative
procedures appeared in the main body of the proposed standard
(paragraph .31). To enhance the readability of these provisions and
facilitate their implementation, the Board has relocated them to
Appendix C, which includes one paragraph that describes when performing
other audit procedures may be necessary (paragraph .C1) and a second
paragraph that provides further direction as to when alternative
procedures are required under the new standard and includes examples of
alternative procedures (paragraph .C2).
In addition, to remind auditors that the auditor's assessment of
risks of material misstatement, including fraud risks, should continue
throughout the audit, including the confirmation process, paragraph .C1
of the new standard states that, when the auditor is unable to obtain
relevant and reliable audit evidence about the selected item through
confirmation, the auditor should evaluate the implications for the
auditor's assessment of the relevant risks of material misstatement,
including fraud risks.
Several commenters indicated that the circumstances in the 2022
Proposal under which the auditor generally would be required to perform
alternative procedures were sufficiently clear and appropriate.
However, multiple commenters suggested that the Board include an
example of an alternative procedure for cash. In consideration of these
comments, the Board has incorporated an example of an alternative
procedure that may provide relevant and reliable audit evidence
regarding cash, which involves the auditor verifying information about
the company's cash account maintained in a financial institution's
information system by viewing this information directly on a secure
website of the financial institution. In this example, the auditor
might verify such information by determining the validity of the
financial institution's website and viewing the information directly on
the secure website. The information viewed by the auditor could be
accessed either by the auditor, using login credentials provided by the
company, or by company personnel. This additional example is intended
to address some commenters' misperception that the 2022 Proposal would
not allow the
auditor to perform alternative procedures in the event that a positive
confirmation request related to cash does not result in a confirmation
response.
Several commenters asserted that the note in the 2022 Proposal
identifying situations where alternative procedures may not be
necessary was not clear, with one commenter indicating that the
analogous exception in existing AS 2310 was clearer because it
addressed audit sampling. In consideration of these comments, the Board
has revised the note to paragraph .C2 of the new standard to clarify
how the exception from performing alternative procedures for selected
items should be applied and revised the footnote in the paragraph to
further explain how the exception is applied in scenarios involving
audit sampling.
The following example further illustrates applying this provision
in an audit: An auditor selects a sample of 50 accounts receivable
invoices for confirmation and receives confirmation responses for 45
invoices that do not indicate a need for the auditor to perform
alternative procedures. For two nonresponses, the auditor performs
alternative procedures and obtains relevant and reliable audit evidence
identifying no misstatements. For the three remaining nonresponses, the
auditor does not perform alternative procedures because the auditor
appropriately determines that, even if the amounts associated with the
invoices were projected as 100 percent misstatements to the population
from which the sample was selected and added to any other accounts
receivable misstatements (i.e., accounts receivable misstatements
identified through audit procedures other than confirmation), the
outcome of the auditor's evaluation performed in accordance with AS
2810.17 would not change.
Another commenter recommended that, for nonresponses, the Board
require that the auditor ``must'' perform alternative procedures that
include examining third-party evidence. This commenter also suggested
that the Board revise the example of alternative procedures for
accounts receivable by removing the phrase ``one or more,'' such that
the auditor would perform all of the procedures identified in the
example (i.e., examining subsequent cash receipts, shipping documents,
and other supporting documentation).
Having considered these comments, the Board believes that, with the
modifications discussed above, the requirements in paragraph .C1 of the
new standard provide appropriate direction regarding when alternative
procedures are required. Additionally, the Board believes that
including examples in paragraph .C2 of alternative procedures that may
provide relevant and reliable audit evidence about selected items,
without mandating specific procedures, is appropriate, as it is
impracticable to describe specific procedures for all scenarios that
could occur in an audit.
Additionally, as discussed above, the Board has modified paragraph
.B2 of the new standard to provide that in circumstances where the
auditor should not use an intermediary to send confirmation requests or
receive confirmation responses, the auditor should send confirmation
requests without the use of an intermediary or, if unable to do so,
perform alternative procedures in accordance with Appendix C of the new
standard. In light of this modification, the Board has added a
reference to paragraph .B2 to Appendix C of the new standard.
Evaluating Results
(See paragraph .31 of the new standard).
The 2022 Proposal did not carry forward a requirement, included in
existing AS 2310, for the auditor to evaluate in the aggregate audit
evidence obtained from performing confirmation procedures and any
alternative procedures. Excluding this requirement from the 2022
Proposal was intended to avoid the duplication of certain requirements
of AS 2810 that discuss the auditor's responsibilities for evaluating
audit results and determining whether the auditor has obtained
sufficient appropriate audit evidence.
As discussed above, however, paragraph .24 of the new standard
allows the auditor to perform audit procedures other than confirmation
for cash and accounts receivable to obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source. The Board therefore decided to remind
the auditor in paragraph .31 of the new standard that the auditor
should evaluate the combined audit evidence provided by confirmation
procedures, alternative procedures, and other procedures to determine
whether sufficient appropriate audit evidence has been obtained in
accordance with AS 2810.
Other Matters
This section addresses certain additional matters that were also
discussed in the 2022 Proposal. In addition, this section discusses
definitions included in the new standard and related amendments to
PCAOB auditing standards.
Management Requests Not To Confirm
Consistent with existing AS 2310, the 2022 Proposal did not
address, nor does the new standard address, situations in which
management requests that the auditor not confirm one or more items.
Several commenters agreed with the approach in the 2022 Proposal
and indicated that auditor responsibilities in such situations are
already addressed by existing PCAOB standards. One commenter suggested
that the Board consider adding a requirement that, if management
requests an auditor not to confirm a certain item, the auditor should
both request management to indicate the reason for the request and, as
appropriate, consider whether the request is indicative of a risk of
material misstatement. Another commenter agreed that the potential
scope limitation or fraud risk from a management request not to confirm
is addressed in other PCAOB standards, but expressed the view that
including guidance in the new standard unique to confirmation would be
appropriate. A different commenter did not suggest changes to the
Board's approach, but observed that management requests not to confirm
are primarily relevant in the financial services industry and that it
had experienced infrequent management requests not to confirm in other
industries.
Having considered the comments received, the Board believes that
existing PCAOB standards appropriately address situations involving
management requests not to confirm. In particular, AS 1301 requires
that the auditor communicate to the audit committee disagreements with
management \73\ and difficulties encountered in performing the audit,
including unreasonable management restrictions encountered by the
auditor on the conduct of the audit (e.g., an unreasonable restriction
on confirming transactions or balances).\74\ AS 3105 also sets forth
requirements regarding limitations on the scope of an audit,\75\
including scope limitations relating to confirmation.\76\
---------------------------------------------------------------------------
\73\ See AS 1301.22.
\74\ See AS 1301.23.
\75\ See AS 3105.05-.17.
\76\ See AS 3105.07.
---------------------------------------------------------------------------
Further, AS 2110 and AS 2401 describe the auditor's
responsibilities regarding identifying, assessing, and responding to
fraud risks. For example, AS 2401.09 states that fraud may be concealed
by withholding evidence. A management request to limit audit
testing by not obtaining external audit evidence through confirmation
could be relevant to the auditor's consideration of fraud risk factors,
including the consideration of management incentives, opportunities,
and rationalization for perpetrating fraud. Considering the
applicability of existing provisions to situations involving management
requests not to confirm, as discussed above, the Board believes that
including analogous requirements in the new standard could lead to
unnecessary duplication of existing requirements and potential
confusion.
Restrictions and Disclaimers
The requirements in the proposed standard relating to the auditor's
evaluation of the reliability of confirmation responses included a
reminder, in the form of a footnote, of the auditor's responsibilities
under AS 1105 as they relate to restrictions and disclaimers. A similar
reminder does not exist in existing AS 2310.
The Board is including this reference to AS 1105.08 as proposed, in
a footnote to paragraph .18 of the new standard. No comments were
received on this aspect of the 2022 Proposal. In accordance with AS
1105.08, the auditor should evaluate the effect of restrictions,
limitations, or disclaimers in confirmation responses on the
reliability of audit evidence.\77\
---------------------------------------------------------------------------
\77\ See AS 1105.08.
---------------------------------------------------------------------------
Direct Access
The 2022 Proposal did not describe direct access as a confirmation
procedure. Existing AS 2310 currently does not address such a
procedure, but the 2010 Proposal had provided that direct access could
be considered a confirmation procedure in certain circumstances.
A few commenters on the 2022 Proposal either agreed with, or
indicated that they did not object to, the Board's stated position that
direct access does not constitute a confirmation procedure. However,
several firms and firm-related groups stated that, when properly
executed, audit evidence obtained by the auditor through direct access
can provide persuasive evidence about the existence of cash. One
commenter recommended that the PCAOB consider aligning with the AICPA's
position on this matter by acknowledging that the auditor's direct
access to information held by a confirming party may meet the
definition of a confirmation procedure when, for example, the
confirming party provides the auditor with the electronic access codes
or other information necessary to access a secure website where data
that addresses the subject matter of the confirmation is held.
Having considered these comments, the Board adopted the new
standard as proposed in relation to direct access.
While direct access does not constitute a confirmation procedure
under the new standard, the new standard provides that the auditor may
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source, as discussed
above.
Definitions
To operationalize the requirements included in the 2022 Proposal,
the proposal included definitions for ``confirmation exception,''
``confirmation process,'' ``confirmation request,'' ``confirmation
response,'' ``confirming party,'' ``negative confirmation request,''
``nonresponse,'' and ``positive confirmation request.''
The Board adopted the definitions as proposed, with certain
modifications discussed below.
Several commenters stated that, in general, the definitions in the
2022 Proposal were sufficiently clear and appropriate. Other commenters
either did not provide comments on the proposed definitions or
suggested certain modifications, as discussed below.
Some commenters stated that the Board should modify the proposed
definition of ``nonresponse'' to reflect that a nonresponse includes a
situation where the auditor does not receive a confirmation response to
a positive confirmation request directly from the intended confirming
party. Having considered this comment, the Board is aligning the
definition of ``nonresponse'' with the definition of ``confirmation
response'' and the requirements of paragraph .16 of the new standard.
This modification clarifies that a confirmation response that is not
received directly from the confirming party would constitute a
nonresponse. The Board has also modified the definition of ``negative
confirmation request'' to use the defined term ``confirmation request''
rather than ``request.''
One commenter proposed modifications to the definitions of
``confirmation exception'' and ``confirmation process'' to specify that
(i) sending a confirmation request may include transmitting the request
in electronic form and (ii) only differences between a confirmation
response and information the auditor obtained from the company that the
auditor had originally sought to confirm constitute a confirmation
exception. Having considered the comment, the Board notes that the
proposed definition of ``confirmation process'' intentionally did not
prescribe the method or methods by which confirmation requests can be
sent and by which confirmation responses can be received, as the
standard is intended to apply to all methods of sending and receiving
confirmation requests and responses. Further, the Board believes that
any instance where information in a confirmation response differs from
information the auditor obtained from the company, even if the
information in the confirmation response was not information that the
auditor originally sought to confirm, should constitute a confirmation
exception. Accordingly, the Board adopted the definition of
``confirmation exception'' as proposed and adopted the definition of
``confirmation process'' as proposed, with one modification to include
``selecting one or more items to be confirmed'' in the definition to
align with the requirements specifically related to the confirmation
process in the new standard.
The 2022 Proposal also indicated that an oral response to a
confirmation request was a nonresponse. One commenter stated that a
video recording of a call between an auditor and an individual at a
confirming party ought not be considered less reliable audit evidence
than a written response from an organization. Another commenter
suggested that the PCAOB define the term ``confirmation'' because the
2022 Proposal stated that an oral response was a nonresponse but did
not provide guidance as to whether other forms of response would be
evidence of confirmation.
As the Board continues to believe that obtaining direct written
communication, in paper or electronic form, from a confirming party is
necessary for a response to constitute a confirmation response, the
Board has not made further modifications to the definition in the new
standard beyond those described above. Accordingly, a video recording
of a call between an auditor and an individual at a confirming party or
an oral response would constitute nonresponses under the new standard,
although the auditor could still consider the relevance and reliability
of the audit evidence provided by a video recording or an oral response
when determining the nature and extent of alternative procedures
required to be performed under the new standard.
Amendments to Related PCAOB Auditing Standards
The Board adopted amendments to several existing PCAOB auditing
standards to align with the new standard.
Amendments to AS 1105
(See paragraph .18 of AS 1105, as amended).
The 2022 Proposal included proposed amendments to AS 1105 to (i)
align the description of a ``confirmation response'' in AS 1105 with
the definition of the same term included in the 2022 Proposal and (ii)
clarify that the terms ``confirmation response,'' ``confirmation
request,'' and ``confirming party,'' as used in AS 1105, have the same
meaning as defined in Appendix A of the 2022 Proposal.
The Board adopted the amendments as proposed.
Existing AS 1105.18 states that ``[a] confirmation response
represents a particular form of audit evidence obtained by the auditor
from a third party in accordance with PCAOB standards.'' The 2022
Proposal used the defined term ``confirming party'' in lieu of ``third
party.'' One commenter suggested retaining the phrase ``third party''
in AS 1105.18 to provide further clarity. The Board is not using this
term because the new standard describes a confirming party as ``a third
party, whether an individual or an organization, to which the auditor
sends a confirmation request,'' thus making it clear that a confirming
party is a third party.
Another commenter suggested that the Board strike the word
``independent'' from AS 1105.08, which states that ``[e]vidence
obtained from a knowledgeable source that is independent of the company
is more reliable than evidence obtained only from internal company
sources.'' This commenter asserted that, although confirmation evidence
may be more reliable, it is not truly ``independent.'' The Board is not
striking the word ``independent'' from AS 1105.08 as it believes the
concept expressed in AS 1105.08 is well understood by auditors and does
not purport to be a definitive statement about the ``independence'' of
evidence from a confirming party.
Amendments to AS 1301
(See Appendix B to AS 1301, as amended).
The 2022 Proposal included a proposed requirement for the auditor
to communicate to the audit committee instances in which the auditor
has determined that the presumption to confirm accounts receivable has
been overcome and the basis for the auditor's determination. The 2022
Proposal included a conforming amendment to AS 1301 that would refer to
the proposed requirement.
The Board adopted the conforming amendment to AS 1301 that refers
to the audit committee communication requirement contained in the new
standard. The required communication with the audit committee about the
auditor's response to significant risks associated with cash or
accounts receivable when the auditor did not perform confirmation
procedures or otherwise obtain audit evidence by directly accessing
information maintained by a knowledgeable external source is discussed
above.
Amendments to AS 2401
(See paragraphs .54 and .66A of AS 2401, as amended).
The 2022 Proposal included a proposed amendment to AS 2401 to refer
to the title of the confirmation standard as proposed in the 2022
Proposal (i.e., ``The Auditor's Use of Confirmation'').
The Board adopted the amendment as proposed and adopted an
additional conforming amendment to AS 2401, as discussed below.
One commenter suggested that the Board consider a conforming
amendment to AS 2401 to acknowledge a requirement in proposed paragraph
.15 to consider confirming terms of the transaction for significant
risks of material misstatement associated with either a complex
transaction or significant unusual transaction. Having considered the
comment, the Board adopted a conforming amendment to the note to AS
2401.66A to remind the auditor of the requirement in paragraph .30 of
the new standard that for significant risks of material misstatement
associated with either a complex transaction or a significant unusual
transaction, the auditor should consider confirming those terms of the
transaction that are associated with a significant risk of material
misstatement, including a fraud risk.
Amendments to AS 2510
(See paragraph .14 of AS 2510, as amended).
AS 2510.14 includes a statement that ``if inventories are in the
hands of public warehouses or other outside custodians, the auditor
ordinarily would obtain direct confirmation in writing from the
custodian.'' The 2022 Proposal included a proposed amendment to AS 2510
to remind auditors that AS 2310 establishes requirements for the
auditor's use of confirmation.
The Board adopted the amendment as proposed.
One commenter stated that the Board should address the confirmation
of inventory in the new standard instead of making conforming
amendments to AS 2510. The Board continues to believe that including
requirements related to inventory in a single standard is appropriate.
However, the Board acknowledges that AS 2510.14 includes two
requirements related to the confirmation of inventory. First, AS
2510.14 provides that ``[i]f inventories are in the hands of public
warehouses or other outside custodians, the auditor ordinarily would
obtain direct confirmation in writing from the custodian.'' Second, AS
2510.14 further states that the auditor should perform one or more of
four additional procedures, as considered necessary by the auditor, if
such inventories represent a significant proportion of current or total
assets. One such procedure is to confirm pertinent details of pledged
receipts with lenders (on a test basis, if appropriate), if warehouse
receipts have been pledged as collateral. The Board has added a
cross-reference to AS 2510 in footnote 4 of the new standard to clarify that
AS 2510 also includes auditor responsibilities relevant to the
auditor's use of confirmation.
Amendments to AS 2605
(See paragraphs .22 and .27 of AS 2605, as amended).
AS 2605.22 includes a statement that ``for certain assertions
related to less material financial statement amounts where the risk of
material misstatement or the degree of subjectivity in the valuation of
the audit evidence is low, the auditor may decide, after considering
the circumstances and the results of work (either test of controls or
substantive tests) performed by internal auditors on those particular
assertions, the audit risk has been reduced to an acceptable level and
that testing of the assertions directly by the auditor may not be
necessary.'' The paragraph then includes assertions about the existence
of cash, prepaid assets, and fixed-asset additions as examples of
assertions that might have a low risk of material misstatement or
involve a low degree of subjectivity in the evaluation of audit
evidence.
The 2022 Proposal included a proposed amendment to strike the word
``cash'' from AS 2605.22 to avoid confusion, as the 2022 Proposal
required the auditor to perform
confirmation procedures in respect of cash.
In addition, the 2022 Proposal included a proposed amendment to
acknowledge in paragraph .27 of AS 2605, which discusses using internal
auditors to provide direct assistance to the auditor, the proposed
restrictions on the use of internal audit in a direct assistance
capacity in the confirmation process.
The Board adopted the amendments substantially as proposed, with
certain modifications discussed below.
One commenter indicated that the proposed amendment to AS 2605.22
(i.e., striking the word ``cash'' from the list of accounts that might
have a low risk of material misstatement), inappropriately assumed that
there is always a heightened risk of fraud related to cash accounts in
all audit engagements. Having considered the comment, the Board notes
that neither the 2022 Proposal nor the new standard suggests that there
is heightened risk of fraud associated with cash in every engagement.
However, the Board believes that where an auditor identifies a risk of
material misstatement for cash (i.e., where cash is a significant
account) it is necessary for the auditor to perform confirmation
procedures or otherwise obtain relevant and reliable audit evidence by
directly accessing information maintained by a knowledgeable external
source in respect of cash. Accordingly, the Board continues to believe
that the conforming amendment to AS 2605.22 is appropriate.
Another commenter indicated that the proposed amendment to AS
2605.27 would not be necessary should the Board adopt the commenter's
other recommendation to remove the proposed restrictions regarding the
use of internal audit in the new standard. As discussed above, the
Board continues to believe that in order to maintain control over the
confirmation process the auditor should select items to be confirmed,
send confirmation requests, and receive confirmation responses. The
Board modified the conforming amendments to AS 2605.27, however, to
align with paragraph .15 of the new standard.
Effective Date
The Board determined that the amendments will take effect, subject
to approval by the SEC, for audits of financial statements for fiscal
years ending on or after June 15, 2025.
As part of the 2022 Proposal, the Board sought comment on the
amount of time auditors would need before the proposed standard and
related amendments would become effective, if adopted by the Board and
approved by the SEC. Many commenters, primarily firms and firm-related
groups, supported an effective date of no earlier than two years after
SEC approval, which some commenters indicated would give firms the
necessary time to update firm methodologies and to develop and
implement training. Additionally, as part of recommending an effective
date no earlier than two years after SEC approval, a number of
commenters observed that confirmation procedures are often performed as
part of interim procedures and that, as a result, the new standard will
impact engagement teams during the period under audit. Some commenters
also stated that intermediaries involved in the confirmation process
may also need to update their processes and controls as a result of the
new standard. One commenter supported an effective date three years
after SEC approval, while citing reasons similar to those expressed by
commenters who supported an effective date of no earlier than two years
after SEC approval.
The Board recognizes the preferences expressed by commenters.
Nonetheless, having considered the requirements of the new standard, as
well as the extent of differences between the new standard and AS 2310
and our understanding of firms' current practices, the Board believes
that the effective date for fiscal years ending on or after June 15,
2025, will provide auditors with a reasonable period of time to
implement the new standard and related amendments, without unduly
delaying the intended benefits resulting from these improvements to
PCAOB standards, and is consistent with the Board's mission to protect
investors and protect the public interest.
D. Economic Considerations and Application to Audits of Emerging Growth
Companies
The Board is mindful of the economic impacts of its standard
setting. This section describes the economic baseline, need, and
expected economic impacts of the new standard, as well as alternative
approaches considered by the Board. Because there are limited data and
research findings available to estimate quantitatively the economic
impacts of the new standard, the economic analysis is largely
qualitative in nature.
Baseline
Important components of the baseline against which the economic
impact of the new standard can be considered are described above,
including the Board's existing standard governing the audit
confirmation process, firms' current practices when performing
confirmation procedures, and observations from the Board's inspections
program and enforcement cases. The Board discusses below two additional
components that inform its understanding of the economic baseline: (i)
the PCAOB staff's analysis of audit firm methodologies and the use of
technology-based tools in the confirmation process, and (ii) a summary
of academic and other literature on the confirmation process.
Auditing Practices Related to the Confirmation Process
Through its inspection and other oversight activities, the PCAOB
has access to sources of information that help inform its understanding
of how firms currently engage in the confirmation process. As part of
this standard-setting project, the PCAOB staff has reviewed a selection
of firms' audit methodologies, as well as other information about
firms' use of technology-based tools when performing confirmation
procedures. While this information is not a random sample that can be
extrapolated accurately across all registered public accounting firms,
the Board is able to make some general inferences that help inform
development of the economic baseline.
PCAOB Staff Analysis of Audit Methodologies
PCAOB staff has reviewed the methodologies of selected registered
public accounting firms to determine how they currently address the
confirmation process and the extent to which changes to those
methodologies will be necessary to implement the new standard.
Specifically, the staff compared methodologies of selected global
network firms (``GNFs'') \78\ and some methodologies commonly used by
U.S. non-affiliate firms (``NAFs''),\79\ which are smaller than GNFs,
to existing AS 2310 as well as to the new standard. The review focused
on the following aspects of the new standard which represent more
notable changes relative to existing AS 2310:
---------------------------------------------------------------------------
\78\ GNFs are the member firms of the six global accounting firm
networks (BDO International Ltd., Deloitte Touche Tohmatsu Ltd.,
Ernst & Young Global Ltd., Grant Thornton International Ltd., KPMG
International Ltd., and PricewaterhouseCoopers International Ltd.).
\79\ NAFs are both U.S. and non-U.S. accounting firms registered
with the Board that are not GNFs. Some of the NAFs belong to
international networks.
---------------------------------------------------------------------------
- Substantive procedures for confirming cash and cash
  equivalents (paragraphs .24, .26, and .29);
- Substantive procedures for confirming accounts receivable
  (paragraphs .24-.25 and .27);
- The auditor's use of negative confirmation requests
  (paragraphs .12-.13);
- Maintaining control over the confirmation process,
  including when an intermediary is used (paragraphs .14-.17 and
  Appendix B); and
- Other areas addressed in the new standard, including the
  evaluation of the reliability of confirmation responses (paragraphs
  .18-.19), and the performance of alternative procedures (Appendix C).
For the GNF methodologies reviewed, PCAOB staff observed that the
methodologies generally reflect requirements in existing AS 2310 and
other auditing standards on external confirmation, such as ISA 505 and
AU-C 505. In addition, some of the methodologies already incorporate
certain concepts included in the new standard, although revisions to
the methodologies will nonetheless be needed to implement the new
standard.
Specifically, some GNF methodologies, but not all, include
requirements for confirmation of cash and cash equivalents held by
third parties similar to the new requirements described in the new
standard. Other GNF methodologies suggest, but do not require, that
engagement teams consider specific confirmation procedures for cash and
cash equivalents held by third parties. GNF methodologies for
confirmation of accounts receivable are generally consistent with
existing AS 2310. Some also include guidance that is similar in certain
respects to the requirements in the new standard when the auditor is
unable to obtain relevant and reliable audit evidence through
confirmation procedures. With respect to negative confirmation
requests, GNF methodologies acknowledge that negative confirmation
requests provide less persuasive evidence than positive confirmation
requests. However, some GNF methodologies still allow the use of
negative confirmation requests as the sole substantive procedure under
certain conditions.\80\
---------------------------------------------------------------------------
\80\ See AS 2310.20 for these conditions.
---------------------------------------------------------------------------
The PCAOB staff also observed that GNF methodologies generally
include guidance on maintaining control over the confirmation process,
using intermediaries to facilitate the electronic transmission of
confirmation requests, and assessing controls at the intermediaries.
The firms' guidance in this area focuses on the performance of audit
procedures to ensure that the electronic confirmation process occurs in
a secure and controlled environment and that confirmation responses
received are reliable. For example, the methodologies of some firms
provide that an auditor may obtain a SOC report that would assist the
engagement team in assessing the design and operating effectiveness of
the intermediary's controls that address the risk of interception and
alteration of confirmation requests and responses. Finally, although
current GNF methodologies include guidance on the other areas being
modernized or clarified in the new standard, GNFs may be required to
make certain modifications to their methodologies to conform to the new
standard, such as whether to perform alternative procedures.
For the NAF methodologies reviewed, the PCAOB staff observed that
the methodologies generally align with existing AS 2310 across each of
the areas studied, but include some guidance related to the new
requirements in the new standard. For example, in some of the NAF
methodologies, the confirmation of cash and cash equivalents held by
third parties is a consideration but not a requirement. In other NAF
methodologies, the confirmation of cash and cash equivalents held by
third parties and negative confirmation requests are not discussed at
all. NAF methodologies for confirmation of accounts receivable are
generally consistent with existing AS 2310. Some include guidance that
is similar in certain respects to the requirements described in the new
standard when the auditor is unable to obtain relevant and reliable
audit evidence through confirmation procedures.
The NAF methodologies also generally include guidance on
maintaining control, using intermediaries in the confirmation process,
and assessing controls at the intermediaries. Similar to GNF
methodologies, NAF guidance in this area focuses on the performance of
audit procedures to ensure that the electronic confirmation process
occurs in a secure and controlled environment and that confirmation
responses received are reliable. For example, a firm's methodology may
provide that an auditor may obtain a SOC report that would assist the
engagement team in assessing the design and operating effectiveness of
the intermediary's controls that address the risk of interception and
alteration of confirmation requests and responses.
Commenters on the 2022 Proposal did not provide additional
information on firm methodologies beyond the staff's analysis. In
general, the PCAOB staff's review indicates that all firms will likely
need to revise their methodologies to some extent to implement the new
standard. For example, all firms will need to update their
methodologies to ensure that negative confirmation requests are not
used as the sole source of audit evidence. NAF methodologies will
likely require more revisions than the GNF methodologies, which have
incorporated certain concepts included in the new standard.
Use of Technology-Based Tools
The PCAOB staff has also reviewed information collected through
PCAOB oversight activities on firms' use of technology-based tools in
the confirmation process. The staff's review focused primarily on the
use of technology-based tools by GNFs, but also encompassed certain
technology-based tools used by some NAFs. In addition, the review
encompassed information on both proprietary technology-based tools that
firms have developed internally and third-party or ``off-the-shelf''
tools that firms purchase and use (in certain cases, with further
customizations) to assist in performing confirmation procedures as part
of the audit process. The staff found that the number of technology-
based tools used in the confirmation process varies across firms, and
also varies based on the facts and circumstances of specific
engagements. Generally speaking, firms allow engagement teams to select
a tool but do not provide that the use of one or more tools is
required.
Both GNFs and NAFs within the scope of the PCAOB staff's review use
third-party tools to automate certain confirmation procedures, or to
independently verify balances, terms of arrangements, or other
information under audit. GNFs appear to be more likely to invest in
customizing off-the-shelf tools they have purchased to their particular
environment. For example, such modifications may permit a firm to
automate the reconciliation of confirmed balances to client records. In
comparison, NAFs tend to use the off-the-shelf tools without
customization.
The PCAOB staff's review also found that GNFs have developed
proprietary applications to facilitate various aspects of the
confirmation process, whether conducted manually or electronically.
These applications may facilitate the preparation of confirmation
requests, their dissemination to recipients (including the preparation
of logs to track confirmation requests and receipts), and the analysis
of confirmation responses to determine
their completeness and accuracy. GNFs have also developed tools used
when auditing specific accounts, other than cash and accounts
receivable, where confirmation may provide audit evidence. For example,
tools are used to prepare, log, and track confirmation requests and
responses for various deposit, loan, and liability accounts.
As discussed above, auditors or confirming parties may engage an
intermediary to facilitate the direct electronic transmission of
confirmation requests and responses between the auditor and the
confirming party.\81\ In one area, market forces have influenced firms'
willingness to use an intermediary: a majority of financial
institutions will only respond to confirmation requests through a
centralized process and with a specified intermediary. As a result, all
firms' methodologies required, and in practice firms did use, the
specified intermediary in these circumstances.
---------------------------------------------------------------------------
\81\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
The PCAOB staff has observed diverse practices related to the
procedures auditors perform to support their reliance on an
intermediary's controls when establishing direct communication between
the auditor and the confirming party.\82\ In some situations where the
procedures performed included obtaining a SOC report, the staff has
observed insufficient evaluation of SOC reports, lack of consideration
of the period covered and complementary user entity controls, and
insufficient coordination of procedures performed centrally by the
audit firm and by the engagement team.\83\
---------------------------------------------------------------------------
\82\ Id.
\83\ Id.
---------------------------------------------------------------------------
These observations suggest that there may be a need for uniform
guidance for situations involving the use of intermediaries. For
example, enhanced procedures to be performed when auditors place
reliance on an intermediary's controls could help address the risk of
interception and alteration of communications between the auditor and
the company and address the risk of override of the intermediary's
controls by the company.
Commenters did not provide information about firms' use of
technology-based tools that contradicted the staff's assessment. One
commenter stated that some larger audit firms have established
confirmation centers to centralize the sending and receiving of
confirmation requests. Another commenter cited a study that noted the
use of robotic process automation for confirming accounts receivable by
a GNF.\84\
---------------------------------------------------------------------------
\84\ See Feiqi Huang and Milos A. Vasarhelyi, Applying Robotic
Process Automation (RPA) in Auditing: A Framework, 35 International
Journal of Accounting Information Systems 100433, 100436 (2019).
---------------------------------------------------------------------------
Literature on the Confirmation Process
There is limited data on auditor confirmation decisions and
research findings on the confirmation process.\85\ The literature
documents that confirmation is ``extensively used'' and that
confirmation responses received directly from a third party are often
perceived by practitioners to be among ``the most persuasive forms of
audit evidence.'' \86\ Consistent with the PCAOB staff's observations
from PCAOB oversight activities,\87\ studies find that the use of
electronic confirmation has become prevalent.\88\ One study also
observes that current U.S. auditing standards do not fully address how
auditors should authenticate confirmations sent or received
electronically, and asserts that there is a need for audit guidance
related to electronic forms of evidence.\89\ Further, an earlier study
reviews enforcement actions described in the SEC's Accounting and
Auditing Enforcement Releases and concludes that additional direction
regarding when cash and accounts receivable confirmation requests are
required or recommended may be needed.\90\ Additionally, the literature
suggests that more guidance may be necessary to identify when the risk
is sufficiently low to justify the use of negative confirmation
requests in certain areas.\91\ Moreover, an article on bank
confirmation advocates a risk-based approach to the determination of
confirmation procedures.\92\ Finally, a study finds that ``anecdotal
evidence and some research suggest confirmation response rates are
declining.'' \93\ Commenters did not provide information contradicting
the staff's summary of the relevant literature.
---------------------------------------------------------------------------
\85\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A
Summary of Research and Enforcement Release Evidence on Confirmation
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory
253, 254 (2008).
\86\ See id. at 253.
\87\ See Spotlight: Data and Technology Research Project Update
(May 2021), available at https://pcaobus.org/resources/staff-publications. See also Spotlight: Observations and Reminders on the
Use of a Service Provider in the Confirmation Process (Mar. 2022),
available at https://pcaobus.org/resources/staff-publications.
\88\ See, e.g., Paul Caster, Randal J. Elder, and Diane J.
Janvrin, An Exploration of Bank Confirmation Process Automation: A
Longitudinal Study, 35 Journal of Information Systems 1, 5 (2021).
\89\ See id. at 2.
\90\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A
Summary of Research and Enforcement Release Evidence on Confirmation
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory
253, 261-62 (2008).
\91\ See id. at 266.
\92\ See L. Ralph Piercy and Howard B. Levy, To Confirm or Not
to Confirm-Risk Assessment is the Answer, 91 The CPA Journal 54, 54
(2021).
\93\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A
Summary of Research and Enforcement Release Evidence on Confirmation
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory
253, 254 (2008). The PCAOB staff has also observed that the use of
electronic confirmation may affect the confirmation response rate.
See Spotlight: Data and Technology Research Project Update (May
2021), available at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
Accordingly, the academic literature is consistent with the
conclusion that the Board's auditing requirements for the confirmation
process should (i) accommodate electronic communications and address
the implications of using an intermediary, (ii) address the
confirmation of cash and accounts receivable, (iii) limit the use of
negative confirmation requests, and (iv) align with the PCAOB's risk
assessment standards.
Need
Several attributes of the audit market support a need for the PCAOB
to establish effective audit performance standards. First, the company
under audit, investors, and other financial statement users cannot
easily observe the services performed by the auditor or the quality of
the audit. This leads to a risk that, unbeknownst to the company,
investors, or other financial statement users, the auditor may perform
a low-quality audit.\94\
---------------------------------------------------------------------------
\94\ See, e.g., Monika Causholli and Robert W. Knechel, An
Examination of the Credence Attributes of an Audit, 26 Accounting
Horizons 631, 632 (2012): During the audit process, the auditor is
responsible for making decisions concerning risk assessment, total
effort, labor allocation, and the timing and extent of audit
procedures that will be implemented to reduce the residual risk of
material misstatements. As a non-expert, the auditee may not be able
to judge the appropriateness of such decisions. Moreover, the
auditee may not be able to ascertain the extent to which the risk of
material misstatement has been reduced even after the audit is
completed. Thus, information asymmetry exists between the auditee
and the auditor, the benefit of which accrues to the auditor. If
such is the case, the auditor may have incentives to: Under-audit,
or expend less audit effort than is required to reduce the
uncertainty about misstatements in the auditee's financial
statements to the level that is appropriate for the auditee.
---------------------------------------------------------------------------
Second, the federal securities laws require that an issuer retain
an auditor for the purpose of preparing or issuing an audit report.
While the appointment, compensation, and oversight of the work of the
registered public accounting
firm conducting the audit is, under the Act, entrusted to the issuer's
audit committee,\95\ there is nonetheless a risk that the auditor may
seek to satisfy the interests of the issuer audit client rather than
the interests of investors and other financial statement users.\96\
This risk can arise out of an audit committee's identification with the
company or its management (e.g., for compensation) or through
management's exercise of influence over the audit committee's
supervision of the auditor, which can result in a de facto principal-
agent relationship between the company and the auditor.\97\ Effective
auditing standards help to address these risks by explicitly assigning
responsibilities to the auditor that, if executed properly, are
expected to lead to high-quality audits that satisfy the interests of
audited companies, investors, and other financial statement users.
---------------------------------------------------------------------------
\95\ See Section 301 of the Act, 15 U.S.C. 78f(m). As an
additional safeguard, the auditor is also required to be independent
of the audit client. See 17 CFR 210.2-01.
\96\ See, e.g., Joshua Ronen, Corporate Audits and How to Fix
Them, 24 Journal of Economic Perspectives 189 (2010).
\97\ See id.; see also, e.g., Liesbeth Bruynseels and Eddy
Cardinaels, The audit committee: Management watchdog or personal
friend of the CEO?, 89 The Accounting Review 113 (2014); Cory
Cassell, Linda Myers, Roy Schmardebeck, and Jian Zhou, The
Monitoring Effectiveness of Co-Opted Audit Committees, 35
Contemporary Accounting Research 1732 (2018); Nathan Berglund,
Michelle Draeger, and Mikhail Sterin, Management's Undue Influence
over Audit Committee Members: Evidence from Auditor Reporting and
Opinion Shopping, 41 Auditing: A Journal of Practice & Theory 49 (2022).
---------------------------------------------------------------------------
This section discusses the specific problem that the new standard
is intended to address and explains how the new standard is expected to
address it.
Problem To Be Addressed
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
In situations where audit evidence can be obtained from a
knowledgeable external source, the resulting audit evidence is likely
to be more reliable than audit evidence obtained only from internal
company sources. For evidence obtained through confirmation to be
reliable, the confirmation process must be properly executed. Proper
execution involves assessing the reliability of a confirmation response
and performing robust, additional alternative procedures when the
auditor is unable to determine that a confirmation response is
reliable. Similarly, proper execution may entail the performance of
alternative procedures when the auditor is unable to identify a
confirming party, the auditor does not receive a confirmation response
from the intended confirming party, or the confirmation response is
incomplete.
As discussed above, the PCAOB staff has observed situations where
auditors did not perform procedures to assess the reliability of
confirmation responses or, where applicable, perform sufficient
alternative procedures.\98\ In addition, the staff has noted that, in
the case of some financial reporting frauds, the company's misconduct
possibly could have been detected at an earlier point in time had the
auditor made an appropriate assessment of the reliability of
confirmation responses received, or performed additional procedures
needed to obtain reliable audit evidence.\99\ These observations
suggest a need for enhancements to auditing standards to more clearly
address those situations where confirmation can be expected to provide
reliable audit evidence, including the requirements for evaluating the
reliability of confirmation responses and, if appropriate, performing
alternative procedures.
---------------------------------------------------------------------------
\98\ See above for observations from the PCAOB's audit
inspections and from SEC enforcement cases.
\99\ See also Diane Janvrin, Paul Caster, and Randy Elder,
Enforcement Release Evidence on The Audit Confirmation Process:
Implications for Standard Setters, 22 Research in Accounting
Regulation 1, 10 (2010).
---------------------------------------------------------------------------
Developments in Practice
There are areas of the confirmation process where developments in
practice have outpaced existing requirements in the Board's auditing
standards. In particular, existing AS 2310 does not reflect significant
changes in technology and the methods by which auditors perform the
confirmation process, including the use of electronic communication and
the involvement of third-party intermediaries.
Regulatory standards that do not reflect changes in practice may
lead to inconsistency in their application, potential
misinterpretation, and ineffective regulatory intervention. For
example, the PCAOB staff has observed diverse practices and audit
deficiencies related to the procedures performed by auditors to support
their use of an intermediary to facilitate the electronic transmission
of confirmation requests and confirmation responses with confirming
parties.\100\
---------------------------------------------------------------------------
\100\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
How the New Standard Addresses the Need
The new standard helps address the need by (i) strengthening
requirements in certain areas to focus on the need to obtain reliable
audit evidence from the confirmation process; and (ii) modernizing
existing AS 2310 to accommodate certain developments in practice,
including the use of electronic communications and intermediaries. The
new standard is expected to promote consistent and effective practice
relating to the confirmation process in audits subject to PCAOB
standards, reducing the risk of low-quality audits caused by (i) the
lack of observability of audit quality and (ii) the influence of the
auditor-client relationship discussed above.
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
The new standard strengthens the Board's requirements in certain
areas to focus on the need to obtain reliable audit evidence when
executing the confirmation process. Specifically, the new standard
includes a presumption for the auditor to confirm certain cash and cash
equivalents held by third parties, or otherwise obtain relevant and
reliable audit evidence by directly accessing information maintained by
a knowledgeable external source. In addition, the new standard
strengthens the requirements for evaluating the reliability of
confirmation responses. It also continues to emphasize the importance
of maintaining control over the confirmation process and provides
additional examples of information that indicates that a confirmation
request or response may have been intercepted and altered. When
confirmation responses are deemed to be unreliable, the auditor is
directed to perform alternative procedures to obtain audit evidence.
Moreover, as discussed above, electronic communications likely have
reduced the efficacy of negative confirmation requests. Under the new
standard, the auditor is not able to use negative confirmation requests
as the sole substantive procedure for addressing the risk of material
misstatement for a financial statement assertion.
Developments in Practice
Under the new standard, the requirement to maintain control over
the confirmation process addresses both traditional and newer, more
prevalent forms of communication between the auditor and confirming
parties, including emailed confirmation requests and responses and
intermediaries facilitating electronic communication of confirmation
requests and responses. The new standard is intended to apply to
methods of confirmation currently in
use and to be flexible enough to apply to new methods that may arise
from technological changes in auditing in the future.
The new standard emphasizes that in general, evidence obtained from
a knowledgeable external source is more reliable than evidence obtained
only from internal company sources. For cash and accounts receivable,
if the auditor is able to perform audit procedures other than
confirmation that allow the auditor to obtain audit evidence by
directly accessing information maintained by knowledgeable external
sources, such audit evidence could be as persuasive as audit evidence
obtained through confirmation procedures, and the new standard allows
the auditor to perform such procedures. Accordingly, to the extent that
there are newer tools available to auditors now or in the future that
enable them to obtain such audit evidence directly, the new standard
would accommodate their use and future development.
Economic Impacts
This section discusses the expected benefits and costs of the new
standard and potential unintended consequences. Overall, the Board
expects that the economic impact of the new standard, including both
benefits and costs, will be relatively modest, especially for those
firms that have already incorporated into practice some of the new
requirements. The Board also expects that the benefits of the new
standard will justify the costs and any unintended negative effects.
Benefits
The Board expects the new standard to improve the consistency and
effectiveness of the confirmation process, reducing the risk of low-
quality audits caused by (i) the lack of observability of audit quality
and (ii) the influence of the auditor-client relationship discussed
above. Specifically, there exists a risk that, unbeknownst to the
company under audit, investors, or other financial statement users, the
auditor may perform a low-quality audit since audit quality is
difficult to observe. In addition, some auditors may aim to satisfy the
interests of the company or their own financial interests rather than
the interests of investors and other financial statement users--
interests that may lead them to perform insufficiently rigorous
confirmation procedures to minimize the burden on clients and their
counterparties to respond to confirmations, or to minimize audit costs.
The new standard helps to mitigate these risks in the audit
confirmation process by strengthening and modernizing the requirements
for the auditor regarding the design and execution of the confirmation
process. Specifically, a confirmation process designed and executed
under the new standard should benefit investors and other users of
financial statements by reducing the likelihood that financial
statements are materially misstated, whether due to error or fraud.
Some commenters explicitly stated that the requirements described in
the 2022 Proposal would improve the consistency of confirmation
practices and enhance audit quality.
The enhanced quality of audits and financial information available
to financial markets should also increase investor confidence in
financial statements. In general, investors may use the more reliable
financial information to improve the efficiency of their capital
allocation decisions (e.g., investors may reallocate capital from less
profitable companies to more profitable companies). Investors may also
perceive less risk in capital markets generally, leading to an increase
in the supply of capital. An increase in the supply of capital could
increase capital formation while also reducing the cost of capital to
companies.\101\
---------------------------------------------------------------------------
\101\ See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo,
and Yanyan Wang, Effects of audit quality on earnings management and
cost of equity capital: Evidence from China, 28 Contemporary
Accounting Research 892, 921 (2011); Richard Lambert, Christian
Leuz, and Robert E. Verrecchia, Accounting Information, Disclosure,
and the Cost of Capital, 45 Journal of Accounting Research 385, 410
(2007).
---------------------------------------------------------------------------
Auditors also are expected to benefit from the new standard,
because the additional clarity provided by the new standard (e.g., the
accommodation of current practices, including the use of electronic
communications and intermediaries) will reduce regulatory uncertainty
and the associated compliance costs. Specifically, the new standard
provides auditors with a better understanding of their responsibilities
and the Board's expectations.
The following discussion describes the benefits of key changes to
existing confirmation requirements that are expected to impact auditor
behavior. As discussed above, the changes aim to (1) enhance the
auditor's focus on obtaining reliable audit evidence from the
confirmation process, and (2) accommodate certain developments in
practice. As further discussed below, the changes that enhance the
auditor's focus on obtaining reliable audit evidence are expected to
strengthen confirmation procedures for cash held by third parties,
promote consistency in practice, improve the reliability of
confirmation responses, improve the quality of audit evidence, and
increase the auditor's likelihood of identifying potential financial
statement fraud. The changes that accommodate developments in practice
are expected to clarify the auditor's responsibilities regarding the
use of electronic communications in the confirmation process,
standardize the procedures that auditors perform to support their use
of intermediaries, and allow for the use or development of more
sophisticated and effective technology-based auditing tools. To the
extent that a firm has already implemented certain of the provisions of
the new standard into its firm methodology, the benefits described
below will be reduced.
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
The new standard should benefit investors and other users of a
company's financial statements by placing additional emphasis on the
auditor's need to obtain reliable audit evidence when performing
confirmation procedures. In this regard, the new standard: (1)
identifies certain accounts for which the auditor should perform
confirmation procedures, (2) enhances the requirements for assessing
the reliability of confirmation responses, (3) addresses the
performance of alternative procedures when the auditor is unable to
obtain relevant and reliable audit evidence through confirmation, (4)
strengthens requirements regarding the use of negative confirmation
requests, and (5) specifies certain activities in the confirmation
process that should be performed by the auditor and not by other
parties.
Specifically, the new presumption for the auditor to confirm
certain cash and cash equivalents held by third parties or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source may reduce
the risk of material errors in financial statements and strengthen
investor protection to the extent that auditors are not already
confirming cash pursuant to their existing audit methodologies.\102\
This requirement also
specifies that the extent of audit evidence to obtain through cash
confirmation procedures should be based on the auditor's understanding
of the company's cash management and treasury function.
---------------------------------------------------------------------------
\102\ As discussed above, the PCAOB staff's review of firm
methodologies indicated that some firms are already confirming cash
balances, while other firms' methodologies do not require auditors
to perform procedures beyond those required by AS 2310. The growth
in corporate cash holdings also highlights the need to confirm cash
and cash equivalents. See, e.g., Kevin Amess, Sanjay Banerji, and
Athanasios Lampousis, Corporate Cash Holdings: Causes and
Consequences, 42 International Review of Financial Analysis 421, 422
(2015).
---------------------------------------------------------------------------
The standard does not require that all cash accounts or all
accounts receivable should be selected for confirmation. The auditor's
assessment of the risk of material misstatement is an important
consideration when designing audit procedures, including the use of
confirmation. Consistent with the objective of the new standard, the
requirement to confirm cash and accounts receivable, or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source, only applies
when the auditor has determined that these accounts are significant
accounts. Further, for both cash and accounts receivable, the new
standard specifies that the auditor should take into account the
auditor's understanding of the substance of a company's arrangements
and transactions with third parties when selecting the individual items
to confirm. These provisions in the new standard should encourage the
auditor to determine the extent of confirmation procedures with regard
to an assessment of the risk of material misstatement and avoid more
work than necessary to obtain sufficient appropriate audit evidence.
However, to the extent that cash or accounts receivable fall within
the scope of the new standard, the new standard strengthens the
requirement to obtain relevant and reliable audit evidence, whether
through performing confirmation procedures or otherwise obtaining audit
evidence by directly accessing information maintained by a
knowledgeable external source. At the same time, the new standard also
addresses situations where, based on the auditor's experience,
confirmation would not be feasible for accounts receivable. The
additional clarity provided by these requirements in the new standard
should reduce uncertainty in auditor responsibilities and promote
consistency in practice with respect to the confirmation of cash and
accounts receivable.
The new standard strengthens requirements addressing the
reliability of confirmation responses by describing information that
the auditor should take into account when evaluating the reliability of
confirmation responses and providing examples of information that
indicates that a confirmation request or response may have been
intercepted or altered. These requirements are expected to improve the
reliability of confirmation responses and therefore increase the
quality of the audit evidence obtained by the auditor.
The requirement to communicate to the audit committee instances
where, for significant risks associated with cash or accounts
receivable, the auditor did not perform confirmation procedures or
obtain audit evidence by directly accessing information maintained by a
knowledgeable external source is expected to reinforce the auditor's
obligation to exercise due professional care in determining not to
perform confirmation procedures or otherwise obtain audit evidence by
directly accessing information maintained by a knowledgeable external
source.
The new standard also expands on the existing requirement to
address the auditor's potential need to apply alternative procedures.
The enhanced requirements for alternative procedures provide a greater
level of detail and clarity to auditors for situations that are not
currently addressed explicitly in existing AS 2310, potentially raising
the quality of evidence obtained by auditors.
Under the new standard, the auditor may only use negative
confirmation requests to supplement other substantive audit procedures;
negative confirmation requests may not be used as the sole substantive
audit procedure. As discussed above, the amount of electronic
correspondence has increased dramatically over the years, leading to an
increased likelihood that a negative confirmation request would not be
appropriately considered by the confirming party and, therefore, would
provide less persuasive audit evidence. The new standard addresses this
issue by providing examples of situations in which negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence. As negative confirmation requests cannot be the sole source
of audit evidence obtained, insofar as the new standard affects
practice, the overall quality of audit evidence obtained by the auditor
likely will increase.\103\
---------------------------------------------------------------------------
\103\ The Board understands through its oversight activities
that few, if any, GNFs use negative confirmation requests as the
sole substantive procedure in practice. As discussed above, however,
the PCAOB staff's firm methodology review suggests that all the GNFs
and NAFs reviewed will need to update their methodologies to ensure
that negative confirmation requests are not used as the sole source
of audit evidence.
---------------------------------------------------------------------------
Overall, the additional requirements and examples discussed above
are expected to improve the reliability of confirmation responses and,
therefore, increase the quality of the audit evidence obtained by the
auditor. By introducing a new requirement to confirm certain cash
balances (or otherwise obtain relevant and reliable audit evidence by
directly accessing information maintained by a knowledgeable external
source) and enhancing the requirements for evaluating the reliability
of confirmation responses, the new standard may also increase the
auditor's likelihood of identifying potential financial statement
fraud. Early detection of accounting fraud is an important aspect of
investor protection because such fraud can cause significant harm to
investors in the companies engaged in fraud, as well as indirect harm
to investors in other companies.\104\ In addition, by clarifying and
strengthening the auditor's responsibilities, including by specifying
additional situations where alternative procedures may be necessary and
providing additional examples of information that indicates that a
confirmation request or response may have been intercepted and altered,
the new standard takes into account past inspection findings by the
Board that auditors did not obtain sufficient appropriate audit
evidence when using confirmation.
---------------------------------------------------------------------------
\104\ See Yang Bao, Bin Ke, Bin Li, Y. Julia Yu, and Jie Zhang,
Detecting Accounting Fraud in Publicly Traded US Firms Using a
Machine Learning Approach, 58 Journal of Accounting Research 199,
200 (2020).
---------------------------------------------------------------------------
One commenter on the proposing release expressed the view that the
proposed standard would not achieve a significant reduction in
inspection findings or improvements to audit quality because adverse
inspection findings have historically focused on a failure to
appropriately execute existing requirements. As discussed above,
however, the need for this rulemaking is not limited to noncompliance
with the current standard detected through our inspections program, but
also reflects undetected financial reporting frauds and developments in
practice. The Board continues to believe, therefore, that the rule will
achieve its intended benefits, which include increased clarity from the
new standard.
Developments in Practice
The new standard modernizes existing AS 2310 by accommodating
certain developments in practice,
including the use of electronic communications and intermediaries.
Specifically, the new standard accommodates changes in how
communications occur between the auditor and confirming parties. It
clarifies the auditor's responsibilities by taking into account current
confirmation practices among auditors and acknowledging differing
methods of confirmation. These methods include longstanding methods,
such as the use of paper-based confirmation requests and responses sent
via postal mail. They also include methods that have become commonplace
since the existing standard was adopted, including confirmation
requests and responses communicated via email and the use of
intermediaries to facilitate the direct electronic transmission of
confirmation requests and responses. This additional clarity may
enhance the reliability of audit evidence by decreasing the risk that a
confirmation request or response is intercepted and altered. In
addition, the new standard includes requirements specific to an
intermediary's controls that mitigate the risk of interception and
alteration. The requirements are expected to standardize the procedures
auditors perform to support their use of intermediaries and reduce
audit deficiencies in this area.
With regard to both cash and accounts receivable, the new standard
accommodates the potential for future evolution of audit tools by
allowing auditors to directly obtain access to relevant and reliable
audit evidence from knowledgeable external sources other than through
confirmation without the involvement of the company. This change allows
for the use or development of technology-based auditing tools, subject
to the requirement that they provide audit evidence by directly
accessing information maintained by knowledgeable external sources
about the relevant financial statement assertion. Accordingly, this
change could potentially improve the efficiency and effectiveness of
the audit.
Some commenters on the 2022 Proposal questioned the benefits of the
proposed requirements, arguing that the auditor's inability under the
proposed standard to overcome the presumption to confirm cash and a
high threshold to overcome the presumption to confirm accounts
receivable unduly restricted the ability to use professional judgment
to determine the appropriateness of confirmation procedures. While the
Board agrees that professional judgment plays an important role in the
execution of audit procedures, the Board's experience indicates that it
is also important for investor protection that auditors obtain relevant
and reliable audit evidence for both cash and accounts receivable when
they are significant accounts. With regard to accounts receivable, the
new standard retains the presumption to perform audit procedures to
obtain relevant and reliable evidence through confirmation, or
otherwise by directly accessing information maintained by a
knowledgeable external source, so would not decrease or remove the
auditor's current responsibility. Furthermore, the new standard
includes a provision to address situations when obtaining audit
evidence directly from knowledgeable external sources, whether through
confirmation procedures or other means, would not be feasible to
execute for accounts receivable. Accordingly, the new standard strikes
a balance intended to benefit investors by recognizing the value of
professional judgment generally with respect to the use of confirmation
while ensuring that cash and accounts receivable, when they are
significant accounts, are subject to confirmation or other audit
procedures designed to obtain relevant and reliable audit evidence from
knowledgeable external sources.
Costs
The Board expects the costs associated with the new standard to be
relatively modest. The PCAOB staff's review of audit firm methodologies
related to the confirmation process indicates that some firms have
already incorporated into practice some of the new requirements. For
example, the methodologies of some GNFs include requirements for
confirmation of cash that are similar to the requirements in the new
standard. Both the GNF and NAF methodologies reviewed generally include
guidance on maintaining control over the confirmation process and the
use of intermediaries to facilitate the electronic transmission of
confirmation requests and responses.
To the extent that audit firms need to make changes to meet the new
requirements, they may incur certain fixed costs (i.e., costs that are
generally independent of the number of audits performed) to implement
the new standard. These include costs of updating audit methodologies
and tools, and costs to prepare training materials and conduct internal
training. GNFs are likely to update methodologies using internal
resources, whereas NAFs are more likely to purchase updated
methodologies from external vendors. The costs of updating these
methodologies likely depend on the extent to which the new requirements
have already been incorporated in the firms' current methodologies. For
firms that have implemented confirmation procedures like those required
by the new standard, the costs of updating methodologies may be lower
than for firms that currently do not have such procedures. In this
regard, large firms may also benefit from economies of scale. As
mentioned above, one commenter indicated that some larger audit firms
have already established confirmation centers to centrally process the
sending of confirmation requests and receiving of confirmation
responses. For these firms, costs to implement the new standard may be
further diminished as these firms may benefit from lower training costs
and more efficient performance of the enhanced procedures. Smaller
audit firms may not have adequate resources to establish such
confirmation centers and may not recognize similar efficiency gains.
The commenter observed that the establishment of confirmation centers
within audit firms would require significant resources, which smaller
audit firms may not have.
In addition, audit firms may incur certain engagement-level
variable costs related to implementing the new standard. For example,
the requirement to confirm certain cash balances or otherwise obtain
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source could impose
engagement-level costs on some auditors if additional procedures need to be
performed. Similarly, limiting the use of negative confirmation
requests to situations where the auditor is also performing other
substantive audit procedures could lead to additional time and effort
by the auditor to perform the other audit procedures.
The magnitude of the variable costs likely depends on the extent to
which existing practice differs from the new requirements. As discussed
above, the PCAOB staff's review of firm methodologies, which included
the methodologies of certain NAFs, suggests that the new standard
likely will lead to a greater impact on confirmation procedures
performed by smaller firms. Because the new standard generally applies
a risk-based approach (i.e., by providing that the use of confirmation
may be part of the auditor's response to the assessed risks of material
misstatement), the costs of performing the additional procedures are
unlikely to be disproportionate to the benefits.
To the extent that auditors incur higher costs to implement the new
standard and are able to pass on at least
part of the increased costs through an increase in audit fees,
companies being audited could incur an indirect cost.\105\ Moreover,
confirming parties could incur additional costs from supporting the
confirmation process as a result of the enhanced requirements of the
new standard, although the additional costs are expected to be limited.
One commenter agreed that confirming parties may incur additional costs
as they may have to allocate resources to respond to confirmation
requests. As discussed above, however, confirmation is already commonly
used by audit firms, and the Board therefore does not expect confirming
parties to incur significant additional costs to respond to
confirmation requests as a result of the new standard.
---------------------------------------------------------------------------
\105\ One commenter stated that the cost of audit would increase
if auditors were required to send confirmations on any and all
information that can be confirmed by external parties. While the
Board notes that the new standard does not require confirmations on
any and all information that can be confirmed, it agrees that
companies being audited can incur indirect costs to the extent that
auditors pass on at least part of the increased costs in terms of
increased audit fees to companies.
---------------------------------------------------------------------------
Some requirements under the new standard may result in more costs
than others. The following discussion describes the potential costs
associated with specific changes to existing confirmation requirements.
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
The new standard: (1) identifies certain accounts for which the
auditor should perform confirmation procedures or otherwise obtain
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source, (2) enhances the
requirements for assessing the reliability of confirmation responses,
(3) addresses the performance of alternative procedures when the
auditor is unable to obtain relevant and reliable audit evidence
through confirmation, (4) strengthens requirements regarding the use of
negative confirmation requests, and (5) specifies certain activities in
the confirmation process that should be performed by the auditor and
not by other parties.
For some firms, the requirement in the new standard to confirm
certain cash balances or otherwise obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source could be expected to result in the
revision of firm methodologies and the performance of additional audit
procedures. As discussed above, the methodologies of some GNFs already
include requirements for cash confirmation that are similar to the new
requirement described in the new standard. In addition, the risk-based
approach in the new requirement should encourage the auditor to
determine the extent of confirmation with regard to an assessment of
the risks of material misstatement and conduct only the work necessary
to obtain sufficient audit evidence.
Commenters on the 2022 Proposal asserted that confirming cash
balances under the proposed standard would lead to increased costs,
given the lack of discretion and ability to overcome the presumption in
the proposed standard. In addition, some commenters on the 2022
Proposal asserted that the ``at least as persuasive as'' threshold in
the proposed standard for overcoming the presumption to confirm
accounts receivable would limit the auditor's use of professional
judgment and could result in greater costs without a commensurate
benefit to audit quality.
As discussed above, there is a presumption in the new standard that
the auditor should obtain audit evidence from a knowledgeable external
source by performing confirmation procedures or using other means to
obtain audit evidence by directly accessing information maintained by
knowledgeable external sources. In addition, the new standard provides
that if, based on the auditor's experience, it would not be feasible
for the auditor to obtain audit evidence about accounts receivable
pursuant to paragraph .24, the auditor should obtain external
information indirectly by performing other substantive procedures,
including tests of details. Insofar as the final standard does not
otherwise provide auditors with the discretion to avoid obtaining audit
evidence directly from a knowledgeable external source for cash, and
the only exception applicable to accounts receivable is for situations
where obtaining audit evidence directly from a knowledgeable external
source would not be feasible, firms may, therefore, incur additional
costs to comply with the presumptive requirements of the new standard
for cash and accounts receivable. These costs, however, are necessary
to the achievement of the standard's intended benefits of emphasizing
the quality and strength of the audit evidence to be obtained from
knowledgeable external sources.
The new standard also requires the auditor to evaluate the
reliability of confirmation responses and provides examples of
information that indicate that a confirmation response may have been
intercepted and altered. The costs associated with this requirement,
however, are expected to be limited. First, the Board's auditing
standards already require the auditor to obtain sufficient appropriate
audit evidence to provide a reasonable basis for the auditor's report,
and to evaluate the combined evidence provided by confirmation and
other auditing procedures performed when the auditor has not received
replies to confirmation requests (i.e., nonresponses) to determine
whether sufficient evidence has been obtained about all the applicable
financial statement assertions.\106\ Second, the methodologies of some
firms reflect application material in ISA 505 regarding factors
(similar to indicators in the new standard) that may indicate doubts
about the reliability of a confirmation response. One of these factors
is analogous to the requirement in the new standard (i.e., the
confirmation response appears not to come from the originally intended
confirming party), which may further limit the potential costs for
firms that have incorporated this factor in their methodologies. One
commenter on the 2022 Proposal stated that the proposed standard's
requirement for evaluating the reliability of confirmation responses
might cause the auditor to need to authenticate confirmation responses,
which would add significant expense to the audit. However, as discussed
above, AS 1105 already establishes the requirements for evaluating the
reliability of audit evidence, and the new standard does not change
those requirements.
---------------------------------------------------------------------------
\106\ See AS 1105.04; AS 2310.33.
---------------------------------------------------------------------------
The requirement for the auditor to communicate with the audit
committee when the auditor did not perform confirmation procedures or
otherwise obtain audit evidence by directly accessing information
maintained by knowledgeable external sources for significant risks
associated with either cash or accounts receivable could impose a
modest incremental cost. Some commenters on the 2022 Proposal had
expressed concern about the proposed requirement to communicate with
the audit committee in all instances where the presumption to confirm
accounts receivable had been overcome, which could be detrimental if
the communication became a mere compliance exercise for auditors and
audit committees. The new standard's requirement to communicate with
the audit committee, however, is more risk-based and therefore, the
Board continues to believe that the incremental costs will be modest.
Insofar as the new standard identifies additional situations in
which the auditor generally would be required to perform alternative
procedures, firms may incur additional costs. Specifically, the new
standard extends the requirement in existing AS 2310 to perform
alternative procedures in relation to nonresponses to positive
confirmation requests to other situations, including the auditor's
inability to identify a confirming party and the receipt of an
unreliable response.
In contrast with existing AS 2310, negative confirmation requests
may not be used as the sole substantive audit procedure under the new
standard. This limitation reflects, among other things, the increase in
the volume of electronic correspondence since existing AS 2310 was
issued and the increasing likelihood that a recipient of a negative
confirmation request would not consider the request. As a result,
auditors may have to perform other substantive audit procedures for
certain financial statement assertions. Although the Board understands
through its oversight activities that few, if any, GNFs use negative
confirmation requests as the sole substantive procedure in practice, as
discussed above, the PCAOB staff's firm methodology review suggests
that all the GNFs and NAFs reviewed will need to review their
methodologies to ensure that negative confirmation requests are not
used as the sole source of audit evidence.
Developments in Practice
As discussed above, the new standard includes requirements that
clarify the procedures auditors should perform to support their use of
intermediaries to facilitate the direct electronic transmission of
confirmation requests and responses between the auditor and the
confirming party. These requirements may lead to modifications to firm
methodologies. Further, the required procedures may involve additional
auditor time and effort. The resulting costs likely depend on the
extent to which the new requirements have already been incorporated in
a firm's current methodologies. One commenter expressed concern that
the proposed requirement to assess the intermediary's controls would
result in significant additional work for auditors because it is not
currently common practice to directly assess intermediaries in this
manner. The PCAOB staff's review of firm methodologies discussed above
did not suggest that the requirements in Appendix B of the new standard
would create significant additional work for auditors. In particular,
both the GNF and NAF methodologies reviewed generally already include
guidance on maintaining control over the confirmation process and the
use of intermediaries, which may limit the costs. In addition, the
Board notes that the requirements in the new standard relate to
relevant controls that address the risk of interception and alteration
of confirmation requests and responses and that some intermediaries
currently make information about relevant internal controls available
to auditors through a SOC report.
If the auditor is able to obtain audit evidence by directly
accessing information maintained by knowledgeable external sources
instead of confirmation, such audit evidence could be at least as
persuasive as audit evidence obtained through confirmation procedures,
and the new standard allows the auditor to perform such procedures.
This provision is not expected to impose new costs on firms, as firms
would only obtain relevant and reliable audit evidence by directly
accessing information maintained by a knowledgeable external source to
the extent that technological advancements render it more efficient
than performing confirmation procedures. Thus, to the extent that the
auditor is able to replace confirmation procedures with obtaining audit
evidence by directly accessing information maintained by a
knowledgeable external source, the new standard could reduce costs for
firms.
Potential Unintended Consequences
In addition to the benefits and costs discussed above, the new
standard could have unintended economic impacts. The following
discussion describes potential unintended consequences the Board has
considered and, where applicable, factors that mitigate the negative
consequences, such as steps the Board has taken or the existence of
other countervailing forces.
Potential Decline in Auditors' Usage of Confirmation
An unintended consequence of the new standard would occur if,
contrary to the Board's expectation, there were a significant reduction
in the use of confirmation procedures by auditors in circumstances
where confirmation would provide relevant and reliable audit evidence.
Under the new standard, auditors retain the ability to use
confirmation as one procedure, among others, to audit one or more
financial statement accounts or disclosures. At the same time, the new
standard strengthens the requirements for an auditor regarding
evaluating the reliability of confirmation responses and addressing
confirmation exceptions and incomplete responses, including performing
alternative procedures to obtain audit evidence. Further, the new
standard describes the types of procedures the auditor should perform
in evaluating the effect of using an intermediary on the reliability of
confirmation requests and responses, including determining whether
relevant controls of the intermediary are designed and operating
effectively. In addition, the new standard does not allow the auditor
to use negative confirmation requests as the sole substantive
procedure. As a result, when not required to use confirmation, auditors
might decline to use confirmation and use other audit procedures more
frequently than under existing AS 2310 if they perceive there could be
more time or cost involved in the confirmation process relative to the
performance of other procedures.
This potential unintended consequence is mitigated, however, by the
requirement that the auditor should perform confirmation procedures for
cash and accounts receivable, or otherwise obtain audit evidence by
directly accessing information maintained by knowledgeable external
sources. In addition, the Board's standards already provide that the
auditor should evaluate whether the combined evidence provided by
confirmation and other auditing procedures provides sufficient evidence
about the applicable financial statement assertions. Several of the
changes to existing requirements in the new standard align with the
Board's understanding of current practice. For example, many audit
firms' methodologies include guidance on maintaining control and the
use of intermediaries. Additionally, the potential unintended
consequence may be mitigated to the extent that a firm has experienced
efficiencies from using newer audit tools for confirmation through
reduced time or costs. Further, the Board does not anticipate that the
requirements of the new standard will cause a significant change in the
timing or extent of confirmation procedures for auditors, as the Board
has not amended the requirements of AS 2301, which is the auditing
standard that addresses those matters. Accordingly, the Board does not
believe that the new standard will lead to a significant decline in the
use of confirmation.
Potential Misinterpretation of the Requirements in the New Standard
Relating to the Confirmation of Cash and Accounts Receivable
An unintended consequence of the presumed requirement in the new
standard to confirm cash and accounts receivable would arise if
auditors misinterpreted the language in the new standard as requiring
the confirmation of cash and accounts receivable in all situations. For
example, the new standard does not carry forward a provision included
in existing AS 2310 that an auditor could overcome the presumption to
confirm accounts receivable if, among other things, ``[t]he use of
confirmations would be ineffective.'' It is possible that some auditors
might misinterpret the elimination of this language as precluding the
exercise of auditor judgment with respect to the confirmation of
accounts receivable. Some commenters on the 2022 Proposal appeared to
misinterpret the proposed requirement and suggested that confirmation
would be required in all situations. For example, one commenter
asserted that using confirmation regardless of risk assessment may
promote a checklist mentality that does not contribute to audit quality
and an audit approach that may be less efficient and effective.
The Board does not intend, however, that an auditor send
confirmation requests for accounts receivable in all situations or when
such procedures do not provide relevant and reliable audit evidence. If
the auditor has not determined cash or accounts receivable to be a
significant account, the new standard does not require the confirmation
of cash or accounts receivable. Moreover, to clarify the Board's
intent, it has modified the language in the proposed standard in
several respects. First, paragraph .25 of the new standard addresses
situations when obtaining audit evidence about accounts receivable
directly from knowledgeable external sources, whether through
confirmation procedures or other means, would not be feasible to
execute. If it is not feasible for the auditor to obtain audit evidence
about accounts receivable directly from a knowledgeable external
source, the auditor should obtain external information indirectly by
performing other substantive procedures, including tests of details.
In addition, the Board is not adopting paragraph .07 of the
proposed standard, which referred to situations where evidence obtained
through the confirmation process ``generally is more persuasive than
audit evidence obtained solely through other procedures'' and may have
contributed to a misperception that the Board was proposing to require
confirmation in all circumstances. In the Board's view, the language in
the new standard acknowledges the role of professional judgment in the
auditor's selection of audit procedures to obtain sufficient
appropriate audit evidence, while retaining a presumption to confirm
cash and accounts receivable or otherwise obtain relevant and reliable
audit evidence by directly accessing information maintained by a
knowledgeable external source. This should mitigate the potential
unintended consequence described above.
Alternatives Considered
The development of the new standard involved considering a number
of alternative approaches to address the problems described above. This
section explains: (i) why standard setting is preferable to other
policy-making approaches, such as providing interpretive guidance or
enhancing inspection or enforcement efforts; (ii) other
standard-setting approaches that were considered; and (iii) key policy
choices made by the Board in determining the details of the new
standard-setting approach.
Why Standard Setting Is Preferable to Other Policy-Making Approaches
The Board's policy tools include alternatives to standard setting,
such as issuing additional interpretive guidance, or increasing our
focus on inspections or enforcement of existing standards. The Board
considered whether providing guidance or increasing inspection or
enforcement efforts would be effective mechanisms to address concerns
with the auditor's use of confirmation.
Interpretive guidance inherently provides additional information
about existing standards. Inspection and enforcement actions take place
after insufficient audit performance (and potential investor harm) has
occurred. Devoting additional resources to interpretive guidance,
inspections, or enforcement activities, without improving the relevant
performance requirements for auditors, would at best focus auditors'
performance on existing standards and would not provide the benefits
discussed above associated with improving the standards. The new
standard, on the other hand, is designed to improve existing
requirements for the auditor's use of confirmation. For example, the
new standard, unlike existing AS 2310, includes requirements relating
to the confirmation of cash accounts, imposes additional limitations on
the use of negative confirmation requests, clarifies the circumstances
in which auditors would be expected to perform alternative procedures,
and includes explicit provisions addressing the auditor's
responsibility for selecting items to be confirmed, sending
confirmation requests, and receiving confirmation responses.
Other Standard-Setting Alternatives Considered
Several alternative standard-setting approaches were also
considered, including: (i) making amendments to the existing standard;
and (ii) adopting an approach based on ISA 505, with certain
modifications to reflect the PCAOB's statutory responsibilities with
respect to audits of public companies and registered broker-dealers.
Amendments to Existing Standard
The Board considered, but decided against, limiting the amendments
to AS 2310 solely to modifications relating to changes in technology
that have affected the confirmation process. While this approach could
result in fewer changes to firms' audit methodologies, the Board
believes there are a number of other areas discussed throughout this
release, beyond amending AS 2310 to reflect the increasing use of
technology in the confirmation process, where the existing standard
should be improved.
Standard Based on ISA 505
Some commenters on the 2009 Concept Release and the 2010 Proposal
suggested that the Board should consider adopting ISA 505, the IAASB's
standard on audit confirmation, which was issued in 2008. The Board has
taken the requirements and application material of ISA 505 into account
in developing the new standard (e.g., the ISA 505 application material
relating to the use of a third party to coordinate and provide
responses to confirmation requests).
The Board concluded, however, that the new standard should also
establish certain requirements that are not included in ISA 505 (e.g.,
requirements to confirm cash and accounts receivable or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source), and should
not include certain provisions that are described in ISA 505 (e.g.,
regarding management's refusal to allow the auditor to send a
confirmation request). In addition, audit practices have continued to
evolve since ISA 505
was issued in 2008, and the Board believes that the new standard should
reflect these developments (e.g., by addressing electronic
communication and the use of intermediaries in the requirements of the
standard rather than in application materials).
Key Policy Choices
Given a preference for replacing existing AS 2310 in its entirety,
the Board considered different approaches to addressing key policy
issues.
Use of Confirmation Procedures for Specific Accounts
The new standard provides that when addressing an assessed risk of
material misstatement of cash and cash equivalents held by third
parties, as well as of accounts receivable that arise from the transfer
of goods or services to a customer or a financial institution's loans,
the auditor should perform confirmation procedures or otherwise obtain
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source. In addition, under the
new standard, when obtaining audit evidence from a knowledgeable
external source regarding cash, the auditor should consider sending
confirmation requests to that source about other financial
relationships with the company, based on the assessed risk of material
misstatement. Also, when the auditor has identified a complex
transaction or a significant unusual transaction, the auditor should
consider confirming those terms of the transaction that are associated
with a significant risk of material misstatement, including a fraud
risk. The new standard does not specify other significant accounts or
disclosures that the auditor should confirm or consider confirming. The
Board considered several alternatives to this approach, as discussed
below.
First, the Board considered an approach that would have no
requirement for the auditor to confirm specified accounts or
transactions. In the Board's view, this approach might result in the
selection by some auditors of audit procedures that provide less
relevant and reliable audit evidence than confirmation with respect to
cash and accounts receivable (e.g., if an auditor mistakenly assessed
the risk of material misstatement too low for cash or accounts
receivable). Further, confirmation of cash and accounts receivable is
already a standard practice for many auditors and is consistent with
the concept that audit evidence obtained from a knowledgeable external
source is more reliable than evidence obtained only from internal
company sources. Accordingly, the Board has decided against an approach
that does not require the confirmation of any accounts and disclosures
in the new standard.
In addition, the Board considered including in the new standard a
requirement that the auditor should confirm other accounts in addition
to cash and accounts receivable, such as investments. The Board has
decided against this approach because it would limit auditor judgment
in circumstances where the performance of other auditing procedures
might provide relevant and reliable audit evidence, could be viewed as
unduly prescriptive, and would not allow the auditor to take company-
specific facts and circumstances into account. Instead, under the new
standard, the auditor could decide to perform confirmation procedures
with respect to financial statement assertions relating to other
accounts and disclosures but is not required to do so.
The Board also considered an additional requirement that the
auditor should perform confirmation procedures in response to
significant risks that relate to relevant assertions, when such
assertions can be adequately addressed by confirmation procedures.
However, the Board believes that such a requirement would be
inconsistent with the Board's risk assessment standards, which allow
for auditor judgment in determining the audit response to significant
risks identified by the auditor. The Board has not included this
provision in the new standard.
Management Requests Not To Confirm
The Board considered addressing situations where management
requests that the auditor not confirm one or more items in the new
standard. Specifically, the Board considered requiring the auditor to
obtain an understanding of the reasons for management's request,
perform alternative procedures as discussed in Appendix C of the new
standard, and communicate the request to the audit committee. In
addition, the Board considered a requirement that the auditor should
evaluate the implications for the auditor's report if the auditor
determines that management's request impairs the auditor's ability to
obtain sufficient appropriate audit evidence or indicates that one or
more fraud risk factors are present. For the reasons discussed above,
the Board has decided not to include such provisions in the new
standard.
Special Considerations for Audits of Emerging Growth Companies
Pursuant to Section 104 of the Jumpstart Our Business Startups Act
(``JOBS Act''), rules adopted by the Board subsequent to April 5, 2012,
generally do not apply to the audits of EGCs, as defined in Section
3(a)(80) of the Exchange Act, unless the SEC ``determines that the
application of such additional requirements is necessary or appropriate
in the public interest, after considering the protection of investors,
and whether the action will promote efficiency, competition, and
capital formation.'' \107\ As a result of the JOBS Act, the rules and
related amendments to PCAOB standards that the Board adopts are
generally subject to a separate determination by the SEC regarding
their applicability to audits of EGCs.
---------------------------------------------------------------------------
\107\ See Public Law 112-106 (Apr. 5, 2012). Section
103(a)(3)(C) of the Act, as added by Section 104 of the JOBS Act,
also provides that any rules of the Board requiring (1) mandatory
audit firm rotation or (2) a supplement to the auditor's report in
which the auditor would be required to provide additional
information about the audit and the financial statements of the
issuer (auditor discussion and analysis) shall not apply to an audit
of an EGC. The new standard does not fall within either of these two
categories.
---------------------------------------------------------------------------
To inform consideration of the application of auditing standards to
audits of EGCs, PCAOB staff prepares a white paper annually that
provides general information about characteristics of EGCs.\108\ As of
the November 15, 2021, measurement date, PCAOB staff identified 3,092
companies that self-identified with the SEC as EGCs and filed audited
financial statements in the 18 months preceding the measurement date.
---------------------------------------------------------------------------
\108\ For the most recent EGC report, see White Paper on
Characteristics of Emerging Growth Companies and Their Audit Firms
at November 15, 2021 (Jan. 5, 2023) (``EGC White Paper''), available
at https://pcaobus.org/resources/other-research-projects.
---------------------------------------------------------------------------
Confirmation is a longstanding audit procedure used in nearly all
audits, including audits of EGCs. The discussion of benefits, costs,
and unintended consequences above is generally applicable to audits of
EGCs. The economic impacts of the new standard on an EGC audit depend
on factors such as the audit firm's current methodologies, the audit
firm's ability to distribute implementation costs across engagements,
and the auditor's assessed risk of material misstatement.
EGCs are likely to be newer companies, which may increase the
importance to investors of the external audit to enhance the
credibility of management disclosures.\109\ Further,
compared to non-EGCs, EGCs are more likely to be audited by NAFs.\110\
As discussed above, NAFs are expected to make more changes to their
methodologies and practice to comply with the new standard. Therefore,
all else equal, the benefits of the higher audit quality resulting from
the new standard may be larger for EGCs than for non-EGCs, including
improved efficiency of market capital allocation, lower cost of
capital, and enhanced capital formation.\111\ In particular, because
investors who face uncertainty about the reliability of a company's
financial statements may require a larger risk premium that increases
the cost of capital to companies, the improved audit quality resulting
from applying the new standard to EGC audits could reduce the cost of
capital to those EGCs.\112\
---------------------------------------------------------------------------
\109\ Researchers have developed a number of proxies that are
thought to be correlated with information asymmetry, including small
issuer size, lower analyst coverage, larger insider holdings, and
higher research and development costs. To the extent that EGCs
exhibit one or more of these properties, there may be a greater
degree of information asymmetry for EGCs than for the broader
population of companies, which increases the importance to investors
of the external audit to enhance the credibility of management
disclosures. See, e.g., Mary E. Barth, Wayne R. Landsman, and Daniel
J. Taylor, The JOBS Act and Information Uncertainty in IPO Firms, 92
The Accounting Review 25, 25 (2017); Steven A. Dennis and Ian G.
Sharpe, Firm Size Dependence in the Determinants of Bank Term Loan
Maturity, 32 Journal of Business Finance and Accounting 31, 59
(2005); Michael J. Brennan and Avanidhar Subrahmanyam, Investment
Analysis and Price Formation in Securities Markets, 38 Journal of
Financial Economics 361, 363 (1995); David Aboody and Baruch Lev,
Information Asymmetry, R&D, and Insider Gains, 55 Journal of Finance
2747, 2755 (2000); Raymond Chiang and P. C. Venkatesh, Insider
Holdings and Perceptions of Information Asymmetry: A Note, 43
Journal of Finance 1041, 1047 (1988); Molly Mercer, How Do Investors
Assess the Credibility of Management Disclosures?, 18 Accounting
Horizons 185, 194 (2004). Furthermore, research has shown that
reduced disclosure requirements for EGCs are associated with lower
audit effort. The academic literature has also documented evidence
of lower audit quality for EGCs. To the extent that the new standard
will increase auditor effort, EGCs are expected to benefit from
higher audit quality. See, e.g., Tiffany J. Westfall and Thomas C.
Omer, The Emerging Growth Company Status on IPO: Auditor Effort,
Valuation, and Underpricing, 37 Journal of Accounting and Public
Policy 315, 316 (2018); Essam Elshafie, The Impact of Reducing
Reporting Requirements on Audit Quality, Auditor Effort and Auditor
Conservatism, 35 Accounting Research Journal 756, 756 (2022).
\110\ EGC White Paper at 22.
\111\ The enhanced quality of audits and financial information
available to financial markets may result in investors perceiving
less risk in capital markets. This, in turn, may lead to an increase
in the supply of capital which could increase capital formation.
See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo, and Yanyan
Wang, Effects of audit quality on earnings management and cost of
equity capital: Evidence from China, 28 Contemporary Accounting
Research 892, 921 (2011); Richard Lambert, Christian Leuz, and
Robert E. Verrecchia, Accounting Information, Disclosure, and the
Cost of Capital, 45 Journal of Accounting Research 385, 410 (2007).
\112\ For a discussion of how increasing reliable public
information about a company can reduce risk premium, see David
Easley and Maureen O'Hara, Information and the Cost of Capital, 59
The Journal of Finance 1553, 1578 (2004).
---------------------------------------------------------------------------
While the associated costs may also be higher for EGC audits than
for non-EGC audits, because of the scalability of the risk-based
requirements, the costs of performing the procedures are unlikely to be
disproportionate to the benefits of the procedures. Moreover, if any of
the new amendments were determined not to apply to the audits of EGCs,
auditors would need to address differing audit requirements in their
methodologies, or policies and procedures, with respect to audits of
EGCs and non-EGCs, which would create the potential for confusion. The
new standard could impact competition in an EGC product market if the
indirect costs to audited companies disproportionately impact EGCs
relative to their competitors. However, as discussed above, the costs
associated with the new standard are expected to be relatively modest.
Therefore, the impact of the new standard on competition, if any, is
expected to be limited. Overall, the new standard is expected to
enhance audit quality and contribute to an increase in the credibility
of financial reporting by EGCs.
Accordingly, and for the reasons explained above, the Board is
requesting that the Commission determine that it is necessary or
appropriate in the public interest, after considering the protection of
investors and whether the action will promote efficiency, competition,
and capital formation, to apply the new standard to audits of EGCs. One
commenter specifically supported the application of the 2022 Proposal
to EGCs.
III. Date of Effectiveness of the Proposed Rules and Timing for
Commission Action
Within 45 days of the date of publication of this notice in the
Federal Register or within such longer period (i) as the Commission may
designate up to 90 days of such date if it finds such longer period to
be appropriate and publishes its reasons for so finding or (ii) as to
which the Board consents, the Commission will:
(A) By order approve or disapprove such proposed rules; or
(B) Institute proceedings to determine whether the proposed rules
should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed
rules are consistent with the requirements of Title I of the Act.
Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
Send an email to [email protected]. Please include
file number PCAOB-2023-02 on the subject line.
Paper Comments
Send paper comments in triplicate to Vanessa A.
Countryman, Secretary, Securities and Exchange Commission, 100 F Street
NE, Washington, DC 20549-1090.
All submissions should refer to file number PCAOB-2023-02. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method. The Commission will post all comments on
the Commission's internet website (https://www.sec.gov/rules/pcaob).
Copies of the submission, all subsequent amendments, all written
statements with respect to the proposed rules that are filed with the
Commission, and all written communications relating to the proposed
rules between the Commission and any person, other than those that may
be withheld from the public in accordance with the provisions of 5
U.S.C. 552, will be available for website viewing and printing in the
Commission's Public Reference Room, 100 F Street NE, Washington, DC
20549, on official business days between the hours of 10 a.m. and 3
p.m. Copies of such filing will also be available for inspection and
copying at the principal office of the PCAOB. Do not include personal
identifiable information in
submissions; you should submit only information that you wish to make
available publicly. We may redact in part or withhold entirely from
publication submitted material that is obscene or subject to copyright
protection. All submissions should refer to File Number PCAOB-2023-02
and should be submitted on or before November 7, 2023.
For the Commission, by the Office of the Chief Accountant.\113\
Vanessa A. Countryman,
Secretary.
---------------------------------------------------------------------------
\113\ 17 CFR 200.30-11(b)(1) and (3).
---------------------------------------------------------------------------
[FR Doc. 2023-22491 Filed 10-16-23; 8:45 am]