Automating the Confirmation Process
How to Enhance Audit Effectiveness and Efficiency
By George R. Aldhizer and James D. Cashell

APRIL 2006 - High-profile audit failures at Parmalat and CF Foods point to a need to improve current audit confirmation practices. In both audits, the manual confirmation process failed to provide reliable evidence concerning the existence assertion for cash and accounts-receivable balances. This failure was caused by the inability of the manual confirmation process to authenticate who completed the confirmation request. In the current manual confirmation environment, the auditor controls the initial mailing of confirmation requests to the client’s banks, accounts receivable customers, and others. The identities and addresses of these parties, however, are supplied by the auditee. An auditor cannot be absolutely sure that the confirmation request is actually received and completed by an objective and competent third-party respondent.

Automating the confirmation process should enhance a confirmation’s effectiveness by improving respondent authentication, which itself reduces the opportunity for confirmation fraud. As with other automated applications, it also substantially increases the efficiency of the confirmation process.

Limitations of the Manual Confirmation Process

The main limitations of the current manual confirmation practice are a lack of respondent authentication and process inefficiencies. Specifically, Statement on Auditing Standards (SAS) 67, The Confirmation Process, does not require the auditor to validate the client-provided mailing addresses or to verify the confirmation respondents’ competence and objectivity. In addition, the current confirmation process can be quite time-consuming and expensive. Administrative tasks normally include preparing and mailing the initial confirmation requests, sending out second requests, and performing alternative procedures for nonresponses.

Difficulties of authentication. In 1991, Doug Carmichael, a professor at CUNY Baruch College and chief auditor of the PCAOB from 2004 to 2006, warned of weaknesses within SAS 67 several months before its issuance. In “Pitfalls in the Confirmation Process” (The CPA Journal, June 1991), he suggested a requirement to authenticate, rather than merely obtain an awareness of: the validity of client-provided mailing addresses; the respondent’s competence, knowledge, motivation, ability, or willingness to respond; and the respondent’s objectivity and freedom from bias. The final standard, however, did not address these weaknesses, in part because the cost of compliance would have been prohibitive. Unfortunately, the reduced perception of detection resulting from the fact that SAS 67 does not require the above authentication appears to have emboldened unethical management at companies like Parmalat and CF Foods to engage in massive confirmation fraud schemes. [According to many sources, including the Association of Certified Fraud Examiners’ (ACFE) Fraud Examination Manual (Criminology Section, 4.621), 2003, increasing the perception of detection may be the most effective fraud-prevention technique.]

Parmalat overstated its cash assets by $4.9 billion—the equivalent balance purportedly held in a Bank of America account in a Parmalat Cayman Islands subsidiary, Bonlat Financing Corp. This represented about 40% of Parmalat’s previously reported total assets. During its audit in 2003, the then–Italian arm of Grant Thornton received a signed cash confirmation that included no exceptions related to the December 31, 2002, Bank of America cash-account balance. Had the above weaknesses within a paper-based confirmation process been investigated, the auditors would have discovered that the client-provided mailing address, a Bank of America New York branch, was not an authorized confirmation center, and that the cash confirmation signature was a forgery of the signature of a bank employee who was not authorized to process confirmation requests. Such problems occur because auditors normally do not verify signature authenticity or ascertain the confirmation respondent’s competence and objectivity. Forged signatures are difficult to detect unless firms invest substantial resources in hiring signature experts.

Another recent example of the authentication problem is provided by the audit failure at CF Foods, a wholesale candy distribution company that was found to have engaged in a massive Ponzi-type investment scheme whereby returns paid to early investors were generated from funds provided by later investors. To hide this scheme, the general partner of CF Foods recorded fictitious credits to sales and offset them with debits to existing legitimate accounts-receivable accounts from 1994 to 1999. (According to Joseph T. Wells, “So That’s Why It’s Called a Pyramid Scheme,” Journal of Accountancy, October 2000, this is the most common fictitious revenue accounting transaction.)

While this caused accounts-receivable balances to be overstated, the auditor’s confirmation process failed to detect the fraud. Shortly after the confirmations were sent out by the auditor, the general partner of CF Foods intercepted them by contacting the customers and telling them that the confirmation requests had been sent out by mistake and should be returned to him. The general partner then essentially forged the customers’ signatures by using an illegible signature, and returned the confirmation requests to the auditor. [According to ACFE president and CEO (from 2002–2006) Toby Bishop, fraudsters are highly consistent in returning audit confirmation letters and signing them without noting any exceptions.] The fraud was eventually detected, and a subsequent investigation concluded that 97% of the previously recorded sales and offsetting accounts receivable were bogus.

The massive Parmalat and CF Foods confirmation frauds appear to have gotten the AICPA’s and the PCAOB’s attention. In response to a 2003 AICPA Practice Alert, the Auditing Standards Board (ASB) recommended that the PCAOB consider revisions to SAS 67, and reviewing this SAS has been one of the PCAOB’s top 10 priorities.

In 2004, the PCAOB expressed concerns with existing cash confirmation guidance. It noted, for example, that under SAS 67, if the combined assessed level of inherent and control risk over the existence of cash is perceived to be low, the auditor may limit substantive procedures to inspecting client-provided bank statements rather than confirming cash balances. Parmalat and other companies have taken advantage of this exception by scanning legitimate year-end bank statements into their information systems, inflating the account balances, and then reprinting the documents for auditor use without detection, because the scanned documents look virtually identical to the original documents. (See Floyd Norris, “Technology to Fool Auditors: From Colored Pens to Computer Scanners,” The New York Times, December 26, 2003.)

The PCAOB also expressed concern about directing the confirmation request to the appropriate individual who has knowledge of the balance to be confirmed, and about the increasing unwillingness on the part of third parties to respond to confirmation requests. According to the AICPA’s January 2004 CPA Letter, third parties may be less willing to respond to confirmations because, under Sarbanes-Oxley Act section 303, they may be held liable for not detecting fraud. The PCAOB has yet to issue guidance addressing these concerns.

The existing paper-based confirmation process has exposed auditors to substantial legal liability over the past two decades. [Besides Parmalat and CF Foods, confirmation fraud schemes have been perpetrated by HealthSouth (1996 to 2001), Bio Clinic (1994 to 1995), Sunrise Medical (1994 to 1995), BCCI Bank (1988 to 1990), and ZZZZ Best (1985 to 1987).] Confirmation respondents, such as financial institutions, have also experienced increased legal liability as a result of not detecting confirmation fraud schemes. For example, two accounting firms, Grant Thornton and Deloitte Touche, have been sued for $10 billion, and Bank of America has been sued for $10 billion for not detecting the Parmalat confirmation fraud scheme. Citigroup and Credit Suisse First Boston also have been sued for allegedly worsening Parmalat’s financial condition by arranging additional debt financing in 2003. These same entities are likely to sue the accounting firms because they relied on the audited financial statements, in part, as a basis for deciding whether to provide additional debt financing. As a result of increased litigation risks, more organizations are less willing to respond not only to cash confirmation requests, but also to accounts-receivable confirmation requests. If this trend continues, it will significantly erode the effectiveness of the audit confirmation process, in part because auditors may have to rely on alternative procedures that use potentially less reliable, internally generated documents. (The ASB’s “Recommendations for the Revision of SAS 67, The Confirmation Process,” issued in November 2003, retains two SAS 67 conditions that, if met, allow auditors to dispense with performing any alternative procedures for nonresponses.)

Audit efficiency limitations. In addition to audit effectiveness concerns, the current manual confirmation process is time-consuming and expensive. For example, preparing the initial confirmation requests, analyzing the returned confirmations, sending out second requests, and performing alternative procedures when second requests are unanswered require several hours. Paper and postage also must be paid for. It may also take three to four weeks for an auditor to receive confirmations from respondents. This slow response time is due in part to the numerous middlemen involved in a manual confirmation process (e.g., the U.S. Postal Service, the entity’s mailroom, completion by the applicable staff, and return through a similar route). Using information technology to automate the confirmation process can substantially reduce the time required to send out and receive confirmation requests, as well as help alleviate the previously discussed authentication concerns.

Automating the Confirmation Process

Two key elements are necessary to ensure an effective automated confirmation process:

   Ensuring the privacy and security of the confirmation communication, and
   Establishing a way to authenticate the parties involved in the confirmation process.

One reason that automated confirmations have not been used earlier is the lack of an appropriate infrastructure to bring the auditor, the client, and the respondent together within a secure network. At least one such infrastructure has been developed by Capital Confirmation Inc. (CCI), and accounting firms of all sizes have begun using it and have reported promising results. The authors are not aware of other software vendors that provide a comparable service; however, larger auditing software vendors are considering integrating CCI’s service into their existing software packages. (Neither author has any business or other financial relationship with CCI.)

Ensuring information privacy and security. An automated confirmation process should have controls in place to enhance the privacy and security of the communication between the auditor, the client, and the confirmation respondent. Unprotected communication could result in a loss of confidential information or in potentially fraudulent confirmation evidence. Key elements for ensuring the privacy and security of electronic communications include the use of encryption and a secure value-added network (VAN). [General Electric’s Internet VAN, Global eXchange Services (www.gxs.com), presents a useful template because it currently handles more than 30 million transactions a month to more than 35,000 trading partners.]

A confidential link can be established between the auditor and the confirming party by using state-of-the-art encryption. This can be accomplished, for example, by using 128-bit Secure Sockets Layer (SSL) encryption, administered by Verisign (128-bit SSL encryption is required to obtain the AICPA’s WebTrust and SysTrust seals). In addition, sensitive confirmation data should be stored in encrypted form within the VAN.

An effective way to protect the VAN from unauthorized intrusion is through firewalls, intrusion detection and prevention systems (IDS and IPS), and daily vulnerability scans. Firewalls should be capable of blocking suspicious incoming data packets, and IDSs should use data-mining techniques to identify traffic patterns associated with potential security breaches. Daily vulnerability scans, such as those provided by hackersafe.com, can be used to help ensure that the firewalls and IDS/IPSs are effectively deterring external and internal attacks.

Authenticating confirmation participants. For an automated confirmation process to be effective, the auditor should have some assurance that the confirmation request is received by the intended recipient. Additionally, the responding organization needs assurance that the auditor is who he claims to be and has the client’s permission to request the confirmation.

All this can be accomplished by performing authentication checks on all parties involved in the confirmation process (e.g., the accounting firm, the client, and the financial institution). This should include verifying that the confirming entity is a legitimate enterprise (not a “front company” trying to steal sensitive information) by validating its primary mailing address, telephone number, and business license. Next, the authorized individual within the confirming entity who will be directly involved in the confirmation process should be identified. Appropriate questions should be asked to ensure that the individual is qualified and has access to the data necessary to respond. (Because ensuring appropriate respondent qualifications may be time-consuming, some individuals and businesses may not agree to participate in this portion of the authentication program.)

When an accounting firm is ready to send out an electronic confirmation to a financial institution, the auditor responsible for controlling the process should be required to enter a unique user ID and password to access the secure VAN. State-of-the-art password technology and procedures should be used to ensure that the password is not compromised (e.g., long passwords with a combination of letters, numerals, and symbols). Next, the auditor should obtain and enter the client’s unique ID and randomly generated password. This ensures that the company has authorized the issuance of electronic confirmation requests.

An authentic and high-quality link can be established between the auditor, the client, and the individual respondent by using digital signatures that bind these three parties to the exact contents of the electronic message. As of June 2000, digital signatures carry the same legal weight as handwritten signatures. [The Electronic Signatures in Global and National Commerce Act was signed by President Clinton in June 2000 (15 USC 7001).] If access to a digital signature’s private key is adequately safeguarded, a digital signature may provide more assurance about an individual’s identity than a handwritten signature. This is partly because most auditors are not trained to detect fraudulent handwritten signatures (e.g., tracing; illegible signatures).
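The three-party binding described above, shown as an added example rather than code from the article or from CCI's service: each of the auditor, the client, and the individual respondent signs the same canonical bytes of the confirmation, and the verifier accepts the confirmation only when all three signatures check out against public keys that were registered after the out-of-band authentication checks. The Ed25519 algorithm, the field names, the registry structure, and the sample request values are assumptions made for this illustration; the article does not specify a signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Party identifies one of the three participants the text describes.
type Party string

const (
	Auditor    Party = "auditor"
	Client     Party = "client"
	Respondent Party = "respondent"
)

// Confirmation is the content all three parties sign. Field names and the
// sample values used below are constructed for this example.
type Confirmation struct {
	RequestID string // constructed identifier
	AsOfDate  string // balance date, YYYY-MM-DD
	Account   string // account being confirmed
	Balance   string // balance as stated by the respondent
}

// Canonical returns the exact bytes that are signed. Changing any field
// changes these bytes, so every signature over the old content fails.
func (c Confirmation) Canonical() []byte {
	return []byte(strings.Join([]string{c.RequestID, c.AsOfDate, c.Account, c.Balance}, "\n"))
}

// Registry holds the public key of each party that passed the out-of-band
// checks (address, telephone, business licence, named individual). Only a
// registered key yields a signature that can be traced back to a person.
type Registry map[Party]ed25519.PublicKey

// Signatures collects one signature per party over the same confirmation.
type Signatures map[Party][]byte

// Sign produces a party's signature over the canonical content.
func Sign(priv ed25519.PrivateKey, c Confirmation) []byte {
	return ed25519.Sign(priv, c.Canonical())
}

// Verify checks that the auditor, the client, and the respondent have each
// signed exactly this content with their registered key. It returns the
// first problem found, or nil when all three are bound to the message.
func Verify(reg Registry, c Confirmation, sigs Signatures) error {
	msg := c.Canonical()
	for _, p := range []Party{Auditor, Client, Respondent} {
		sig, ok := sigs[p]
		if !ok {
			return fmt.Errorf("%s: signature missing", p)
		}
		pub, ok := reg[p]
		if !ok {
			return fmt.Errorf("%s: no authenticated key on file", p)
		}
		if !ed25519.Verify(pub, msg, sig) {
			return fmt.Errorf("%s: signature does not match the message content", p)
		}
	}
	return nil
}

// newKey generates a key pair. In practice each party keeps its private key
// in its own safeguarded store; only public keys live on the VAN.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs the flow on a constructed request and reports three outcomes:
// the untouched confirmation verifies; a balance altered after signing is
// rejected; a reply signed with a key that is not the respondent's is rejected.
func Demo() (okUntouched, rejectedTampered, rejectedUnregistered bool) {
	aPub, aPriv := newKey()
	cPub, cPriv := newKey()
	rPub, rPriv := newKey()
	reg := Registry{Auditor: aPub, Client: cPub, Respondent: rPub}

	req := Confirmation{RequestID: "CONF-0001", AsOfDate: "2002-12-31",
		Account: "operating cash", Balance: "1250000.00"}
	sigs := Signatures{Auditor: Sign(aPriv, req), Client: Sign(cPriv, req), Respondent: Sign(rPriv, req)}
	okUntouched = Verify(reg, req, sigs) == nil

	tampered := req // the balance is inflated after everyone has signed
	tampered.Balance = "4900000000.00"
	rejectedTampered = Verify(reg, tampered, sigs) != nil

	_, otherPriv := newKey() // a key that never passed the authentication checks
	forged := Signatures{Auditor: sigs[Auditor], Client: sigs[Client], Respondent: Sign(otherPriv, req)}
	rejectedUnregistered = Verify(reg, req, forged) != nil
	return
}

func main() {
	u, t, o := Demo()
	fmt.Printf("untouched verifies: %v, tampered rejected: %v, unregistered signer rejected: %v\n", u, t, o)
}
```

The point the code makes is the one the text makes about handwritten signatures: an illegible or traced mark can still look acceptable, whereas a signature over altered content, or from a key that was never registered, fails mechanically without any expertise on the auditor's part.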
Advantages of Automating the Confirmation Process

The benefits of automating the confirmation process include a reduced risk of confirmation fraud, enhanced audit efficiency, and enhanced compliance with recent audit standards.

Reduced risk of confirmation fraud. A secure and authentic link between the auditor and the confirmation respondent provides assurance that: 1) the auditor’s and financial institution’s or other respondent’s mailing addresses are legitimate; 2) the individual auditor has approval from the audit firm and the client to send the confirmation request; 3) the individual respondent has appropriate authority to reply to the confirmation request; and 4) the confirmation “signature” is legitimate and can be traced back to the individual respondent. This significantly reduces the risk of confirmation fraud, such as having the confirmation request intercepted by an unethical manager and returned with a forged signature. It should also reduce both the auditor’s and respondent’s legal liability over the confirmation process.

Enhanced audit efficiency. SAS 67 requires auditors to control the initial mailing and the subsequent receipt of confirmation responses. The time spent doing this can be substantial. With electronic confirmations, however, the Internet is used to send the initial confirmations, and auditors receive real-time updates as confirmations are returned directly by respondents.

Furthermore, in response to the AICPA’s 2003 Practice Alert, the ASB recommended that SAS 67 require auditors to control the initial preparation of confirmation requests. This should enhance the reliability of the confirmation process because companies will not know in advance which accounts are being confirmed. It is, however, another time-consuming task in a manual confirmation environment. In an electronic environment, this task can be completed more efficiently by using drop-down menu options for adding and selecting accounts to be confirmed.

In addition to initial confirmation requests, auditors are also required to control the mailing of second requests. In a paper-based environment, a large number of initial confirmation requests are either not returned or are returned too late for the auditor to adequately investigate any discrepancies. This is partly because auditors may take several weeks to prepare the confirmations for mailing after the “as of” date, and the confirmations may be subsequently held up or misplaced in the delivery process. By this time, some enterprise resource planning (ERP) systems may have already overwritten prior-period transaction records, making it extremely difficult for potential respondents to provide the requested data. Electronic confirmations should significantly reduce the time required to prepare the confirmation requests, thus increasing the rate of return from the initial mailing and reducing the number of second requests. The intermediaries in a manual confirmation process are eliminated, reducing the likelihood of delayed or misplaced confirmation requests. The enhanced electronic authentication should reduce the respondents’ legal liability concerns, making them more willing to respond.

The need for second requests can be further reduced by instituting controls within the automated process to ensure that initial requests are properly completed. For example, embedded edit checks can require all key electronic fields to be completed before the request is sent. If a key field is not completed, the respondent will immediately receive an error message highlighting the missing fields. This may be especially important when dealing with critical revenue transaction issues such as side agreements. [The ASB’s November 2003 recommendations and the PCAOB’s September 2004 “discussion questions” address the possibility of requiring auditors to confirm the terms of revenue transactions (for example, in accordance with SAB 101); they also address the risk that side agreements (e.g., liberal return and refund policies) may significantly jeopardize the fair presentation of revenue account balances.]
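The embedded edit checks described in the preceding paragraph, as an added example that is not part of the article or of any vendor's product: before the reply is accepted, every key field is checked for being blank or malformed, and the respondent gets one message naming all the problem fields at once. The field set (including a mandatory side-agreements field), the date layout, and the amount format are assumptions chosen for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Request holds the fields a respondent must complete on an electronic
// accounts-receivable confirmation. The field set is constructed for this example.
type Request struct {
	AccountNumber   string
	AsOfDate        string // YYYY-MM-DD
	Balance         string // decimal amount with at most two decimal places
	RespondentName  string
	RespondentTitle string
	SideAgreements  string // "none" or a description; may not be left blank
}

// amountRe accepts a plain decimal such as "1250000.00" or "-42.5".
var amountRe = regexp.MustCompile(`^-?[0-9]+(\.[0-9]{1,2})?$`)

// EditCheck returns the names of key fields that are blank or malformed,
// sorted so the message shown to the respondent is stable. An empty result
// means the request passes the embedded edit checks and may be sent.
func EditCheck(r Request) []string {
	var bad []string
	text := map[string]string{
		"AccountNumber":   r.AccountNumber,
		"RespondentName":  r.RespondentName,
		"RespondentTitle": r.RespondentTitle,
		"SideAgreements":  r.SideAgreements,
	}
	for name, v := range text {
		if strings.TrimSpace(v) == "" {
			bad = append(bad, name)
		}
	}
	// The date is parsed against the exact layout the form expects, so an
	// ambiguous "12/31/2002" is flagged instead of being silently accepted.
	if _, err := time.Parse("2006-01-02", strings.TrimSpace(r.AsOfDate)); err != nil {
		bad = append(bad, "AsOfDate")
	}
	// Thousands separators are stripped before the amount check, so
	// "1,250,000.00" passes while "1.25 million" or an empty field does not.
	if !amountRe.MatchString(strings.ReplaceAll(strings.TrimSpace(r.Balance), ",", "")) {
		bad = append(bad, "Balance")
	}
	sort.Strings(bad)
	return bad
}

// ErrorMessage is the immediate feedback the respondent sees; it is empty
// when the request is complete.
func ErrorMessage(bad []string) string {
	if len(bad) == 0 {
		return ""
	}
	return "Request cannot be sent. Please complete: " + strings.Join(bad, ", ")
}

func main() {
	// Constructed sample replies: one half-finished, one complete.
	incomplete := Request{AccountNumber: "AR-1042", AsOfDate: "12/31/2002", RespondentName: "J. Doe"}
	fmt.Println(ErrorMessage(EditCheck(incomplete)))
	complete := Request{AccountNumber: "AR-1042", AsOfDate: "2002-12-31", Balance: "1,250,000.00",
		RespondentName: "J. Doe", RespondentTitle: "Controller", SideAgreements: "none"}
	fmt.Printf("complete request problems: %q\n", EditCheck(complete))
}
```

Treating a blank side-agreements field as an error, rather than as "none", is the design choice that matters for the revenue-recognition concern the article raises: the respondent must state positively that no side agreement exists instead of being able to skip the question.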
Generating a higher rate of completed confirmations means that auditors will spend less time on alternative procedures that are often less reliable because they rely on documents the auditee has internally generated (e.g., invoices) or has had in its possession (e.g., scanned bank statements). In the absence of strong information-security controls, such documents can be easily manipulated and therefore have low reliability for the auditor.

Other advantages of electronic confirmations include quicker response times and more efficiently prepared summaries. For example, because the confirmation requests appear immediately on the computer desktops, electronic responses are likely to be received by the auditor within a few days, while paper-based responses may not be received for three to four weeks. Faster response times give auditors more time to investigate discrepancies. In addition, electronic systems can easily be programmed to summarize all returned confirmations in a report that can be automatically updated and downloaded directly into the audit workpapers.

Enhanced compliance with audit standards. Using electronic confirmations may become necessary to respond to the current audit environment. SAS 99 (Fraud Detection in a GAAS Audit) states that auditors should assume that the revenue cycle is high-risk for fraud on every engagement. This is supported by a recent study of SEC accounting and auditing enforcement releases (AAER) from 1992 to 2000 (Dale Martin, George Aldhizer, John Campbell, and Terry Baker, “When Earnings Management Becomes Fraud: Implications for Internal Auditors,” Internal Auditing, July/August 2002). This study found that 74% of all AAERs involved overstating revenue (e.g., through premature revenue recognition or the recognition of fictitious revenue) or, to a lesser extent, understating revenue (e.g., through improperly shifting revenue to a subsequent period).

SAS 99 also requires auditors to adjust the nature, timing, and extent of their audit procedures in response to identified fraud risks. With a heightened risk of fictitious revenues, this may include issuing accounts receivable and cash confirmations at multiple times during the year and increasing sample sizes, with substantial administrative costs and three-to-four-week turnaround times using paper-based confirmations.

Although the initial costs of getting into electronic confirmations are fairly high, these costs should decline significantly over time as accounting firms build their own infrastructure or an external service provider expands its capabilities. CCI has claimed that its service is often less costly than using a paper-based confirmation process.

Expanding the Scope of SAS 67

The authors agree with the PCAOB that SAS 67 should be expanded to require not only accounts-receivable confirmations but also cash confirmations on every audit. Third-party confirmations obtained through a secure VAN are more persuasive than internally generated documentation for supporting the existence of accounts receivable and cash balances. With more than $17 billion of outstanding debt at the height of the Parmalat fraud, another benefit of requiring cash confirmations is the ability to confirm client lines of credit, for example, with various financial institutions.

The authors also concur with the ASB and the PCAOB that SAS 67 should provide guidance about how auditors can increase their use of accounts-payable confirmations. Accounts-payable confirmations appear justified, in part, by the results of the ACFE’s recent report and a recent study of the SEC’s AAERs. Both studies found improper expense recognition (e.g., understated expenses and corresponding current liabilities) to be the second-most common fraudulent financial reporting scheme. [Recent examples include CKE Restaurants (2002 to 2005), Aurora Foods (late 1990s), and Leslie Fay (1988 to 1991).] A secure, automated accounts-payable confirmation process might have detected these schemes on a more timely basis.

The authors also agree with the PCAOB that other accounts, such as marketable securities and investments, especially derivative instruments, should be considered for inclusion in SAS 67. This is partly because of the phenomenal growth of high-risk derivative and hedging instruments over the past decade. Recent derivative investment debacles at Fannie Mae, CAO Singapore, and the National Australian Bank appear to justify this expanded focus.

George R. Aldhizer III, PhD, CPA, CIA, CFE, is an associate professor and the PricewaterhouseCoopers Faculty Fellow in Auditing at the Calloway School of Business and Accountancy of Wake Forest University, Winston-Salem, N.C.

James D. Cashell, PhD, CPA, is the C. Rollin Niswonger Professor of Accountancy at the R.T. Farmer School of Business Administration of Miami University, Oxford, Ohio.