When in doubt, confirm it." "If it moves, confirm it." "The audit begins when the confirmations are mailed out." "You can sign off now; the confirmations are all in." These statements, that auditors have all used at one time or another, clearly indicate that confirmations play an important role in the audit process. Someone wishing to get a feel for the importance of confirmations should ask any auditor how many confirmations have been requested in his or her career. In the late 1930s, the McKesson & Robbins debacle catapulted the use of confirmations to a pre-eminate position in the audit procedures in use today. One practice that auditors learn early in their careers is the use of confirmations.

Then why was SAS 67, The Confirmation Process, recently issued? Has recent experience shown that the use of confirmations has led the auditor to erroneous conclusions? Have auditors been doing it wrong all these years?

Recent empirical studies have revealed that auditors from time to time have "over-relied" on the confirmation process for audit evidence. The new SAS cautions the auditor about such overreliance. However, it does much more than that. Before discussing this new guidance, let's review some background that led to the new statement.

THE NEED FOR CHANGE IN THE CONFIRMATION PROCESS

Since September 1970, AU 331, Receivables and Inventory, has represented the authoritative literature of the auditing profession on the confirmation of receivables; it was originally issued as Statement on Auditing Procedure 43. Its primary guidance consisted of the following:

Confirmation of receivables requires direct communication with debtors either during or after the period under audit; the confirmation date, the method of requesting confirmation and the number to be requested are determined by the independent auditor.

In 1989, the ASB convened the Use of Confirmations Task Force to determine whether modification of AU 331 was merited. Based on evidence gathered, it identified several problems with current auditing guidance on the use of confirmations. For example, a myriad of practitioner interpretations to AU 331 was found to exist ranging from the belief that the use of confirmations is always necessary, to the belief that they are not needed at all if review of payments on receivable balances subsequent to the balance sheet date is possible. The Task Force also found that auditors are confused about the financial statement assertions addressed by confirmations and what should be done when a confirmation response is not received. In addition, it was determined there was an apparent inconsistency between AU 331 and more recent GAAS guidance in SAS 31, Evidential Matter, SAS 47, Audit Risk and Materiality in Conducting an Audit, and SAS 55, Consideration of the Internal Control Structure in a Financial Statement Audit. Specifically, the more recent standards require the auditor to predicate the nature, timing, and extent of audit procedures to be performed by considering audit risk, assessing inherent risk and control risk, and determining the resulting detection risk that may be tolerated. AU 331 did not require these determinations and did not mesh with GAAS's current "audit risk model."

As a result of these deficiencies and other problems that the Task Force later identified, ASB issued SAS No. 67, The Confirmation Process, which primarily:

1. Recasts the guidance of AU 331 into the newer concepts of audit risk assessment, financial statement assertions, skepticism, etc., thus providing internal consistency among SASs, and

2. Highlights those areas where the auditor must be especially careful in using confirmations, particularly from the perspective of overreliance.

THE AUDIT RISK MODEL AND ASSERTIONS

Two important changes introduced by SAS 67 are the integration of the audit risk assessment model and the concept of financial statement assertions into the confirmation process. What is the practical meaning of these notions and what is their audit significance in confirming financial data?

Relationship of Auditor's Assessment of Risk to Confirmation Procedures

One of the problems with the previous guidance on confirmations was it preceded the development of the audit risk model. SAS 67 now requires that confirmation procedures, like all other audit procedures, be performed as a function of overall audit risk, inherent risk, and control risk.

The audit risk model is discussed in SAS 47, Audit Risk and Materiality in Conducting an Audit. The SAS defines audit risk as the probability that the auditor will issue an unqualified opinion on financial statements when they are, in fact, materially misstated requiring a modification of opinion. Due to the need for a high level of confidence, medium and small CPA firms generally set this risk at a small amount such as 5% or lower.

Conceptually, audit risk consists of three independent components: inherent risk, control risk, and detection risk. Inherent risk is the probability that an assertion is materially misstated assuming the client has no related internal control structure policies and procedures. Inherent risk varies from assertion (and related account balance and class of transactions) to assertion. In general, an account requiring complex calculations is more susceptible to error than one requiring simple calculations and, as a result, would be considered to have a higher level of inherent risk. Correspondingly, the inherent risk of error in cash could be higher than for plant and equipment since it is more likely to be stolen. Inherent risk is generally set at the maximum level (i.e. 100%) for assertions related to accounts such as cash and, occasionally, at a reduced amount for accounts and classes of transactions that have less inherent risk--e.g. fixed assets. Control risk is the probability that a material misstatement could occur in an account or class of transactions and not be prevented or detected on a timely basis by the client's internal control structure policies and procedures. Many medium and small accounting firms routinely set this risk at the maximum--i.e. 100%--to achieve efficiency and effectiveness in subsequent audit testing.

Detection risk is the probability the auditor's procedures will not detect a material misstatement in an assertion, account, or class of transactions. It is affected by the nature, timing, and extent of procedures performed. Inherent and control risk relate to the characteristics of the client while detection risk is auditor controlled. In addition, for a given level of audit risk, inherent risk and control risk are inversely related to detection risk. Thus, for a given level of audit risk, increased levels of inherent and control risk require the auditor to operate with a low degree of detection risk. This implies that the auditor would require a higher assurance from the substantive tests performed to substantiate a particular financial statement assertion.

For example, an auditor in a low detection risk situation might decide to use confirmation procedures rather than obtain internal documentation or derive information from within the client organization. In addition, if the client had entered into an unusual or complex transaction during the year, an auditor might consider confirming the arrangement with the other party to the transaction as well as inspecting corroborating documentation from the company. On the other hand, if the inherent and control risks are assessed at less than the maximum for a particular assertion, then the auditor may consider modifying the substantive tests to be performed. That is, less costly, less effective tests would be substituted for more costly but effective ones due to the greater degree of detection risk that he or she would be willing to accept. For example, in the area of cash, the auditor might consider just reviewing bank statements rather than directly confirming bank cash balances with the bank. Actual quantification of the resulting detection risk that would result from the assessing the aforementioned componential variables may be found in a model in the appendix of SAS 39, Audit Sampling.

The new standard fundamentally improves AU 331 by relating the nature, timing, and extent of confirmation audit procedures to the audit risk model. It also emphasizes the financial statement assertions that confirmations are most effective in addressing and clarifies those assertions that confirmations address less effectively.

Financial Statement Assertions addressed by Confirmations

SAS 31, Evidential Matter specifies that financial statement assertions may be divided into five categories:

* Existence or occurrence; * Completeness; * Rights and obligations; * Valuation or allocation; and * Presentation and disclosure.

Although confirmations may be designed to address any one of these assertions, it is generally known, (SAS 67) that confirmations are most effective in testing existence and less effective for the completeness and valuation assertions. For the other assertions, other audit procedures should be used in lieu of confirmations. With respect to completeness, although a confirmation might not provide a highly effective means of detecting an understatement of accounts payable, if properly designed, it can be of some use in this determination. SAS 67 indicates that the success in addressing the completeness assertion depends, in part, on the population from which the auditor selects For example, when testing for the completeness assertion (understatement), of a client's accounts payable balance, the appropriate population should be a list of vendors, receiving documents, or disbursements rather than the amounts recorded in the accounts payable subsidiary ledger.

NEGATIVE CONFIRMATIONS OF ACCOUNTS RECEIVABLE IN THE SMALL BUSINESS AUDIT

SAS 67, The Confirmation Process, is very restrictive as to when the use of negative confirmations would be appropriate. Regarding the use of negative confirmations, SAS 67 states the following:

Negative confirmation requests may be used to reduce audit risk to an acceptable level when (a) the combined assessed level of inherent and control risk is low, (b) a large number of small balances is involved, and (c) the auditor has no reason to believe that the recipients of the requests are unlikely to give them consideration.

For various sound reasons relating to the small business audit, the auditor typically assesses control risk for most assertions at the maximum. The question then arises as to whether the combined assessed level of inherent and control risk could ever be considered as low if control risk standing alone is assessed at the maximum?

It appears that the ASB in using the term "combined assessed level of inherent and control risk," is attempting to allow as much auditor judgment as possible in making decisions as to what confirmation approach is to be used. However, it would be difficult to rationalize that the combined assessed level of inherent and control risk could ever be low, when one of the factors--inherent risk or control risk--is assessed at the maximum.

The logical conclusion is that negative confirmations would not be appropriate in the small business audit where internal control risk has been assessed at the maximum.

BEWARE OF OVERRELYING ON CONFIRMATIONS AND OTHER IMPORTANT TIPS

New guidance in SAS 67 also emphasizes that auditors be careful not fall into the trap of overrelying on the confirmation process. This admonition, and others relating to areas when using confirmations, are noted in the new standard. Although the seasoned auditor may be familiar with some, their importance merits mentioning them here.

* The auditor should exercise an appropriate level of skepticism throughout the confirmation process including designing the confirmation, performing the confirmation procedures, and evaluating the results.

* Positive confirmations may be returned signed by recipients when they have not verified that the information was correct.

* Unreturned negative confirmations do not provide explicit evidence that the intended third party either actually received the confirmation or verified the information contained therein. (A discussion of the reliability of the negative confirmation is presented in accompanying sidebar.)

* An auditor may decide that employing confirmations is ineffective in a given situation and as a result may decide that he or she should consider obtaining audit evidence from other sources. For example, such a choice may be made when poor response rates were experienced in prior audits. Knowledge of misstatements in responses in prior years' audits might also enter into this decision.

* The auditor should consider the type of information that the respondent is capable of confirming. This will affect the competence of evidence received as well as the response rate. For example, if a client's system's is transaction rather than balance oriented--i.e. voucher system-- then the auditor should consider confirming material transactions rather than balances to maximize reliability. In another situation, a client may not be able to reliably confirm the balances of their installment loans, but may be able to accurately determine whether payments are current, their amount, and the terms of loans.

* The auditor should consider requesting confirmation of unusual agreements or transactions such as sales of merchandise that are billed before delivery and held by the selling entity for customers (bill and hold sales). If it is suspected that there is a significant degree of risk that there may be oral modifications to agreements e.g. unusual payment terms or liberal rights of return the auditor should inquire about such modifications and attempt to confirm their existence.

* An auditor should consider the respondent's competence, knowledge, motivation, ability, willingness to respond, and overall objectivity. Significant, unusual year end transactions, such as when the respondent is the custodian of a significant amount of the entity's assets, should heighten the auditor's skepticism relative to these factors.

* When a respondent uses a confirmation format other than a written one, e.g. facsimile response, an auditor should verify its source and contents in a telephone call to the sender and should request that the original confirmation be directly mailed to the auditor. Oral confirmation should always be documented in the working papers. If the data in oral confirmations are significant, the respondents involved should be requested to submit written confirmation directly to the auditor.

* After following up positive confirmations with a second and sometimes third request, an auditor should apply alternative procedures to significant nonresponding accounts. The nature of alternative procedures will vary according to the account and assertion involved. For example, in confirming accounts receivable, subsequent cash received on account as well as shipping documents may provide satisfactory sources of evidence of the existence of accounts receivable. On the other hand, for accounts payable, examination of subsequent cash disbursements and correspondence from third parties provide evidence of completeness.

* If, in evaluating the results of the confirmation process, the auditor determines that the combined evidence provided by the confirmations, alternative procedures, and other data collected is not sufficient, additional confirmations and extended tests, including tests of details and analytical procedures, should be performed.

OTHER MATTERS

Although confirmation of accounts receivable is still considered a generally accepted auditing procedure, the new standard also expands the exceptions in which the confirmation is not required to the following three situations:

* Accounts receivable are considered to be immaterial;

* The use of confirmations would be ineffective, i.e., prior years audits have shown that response rates to confirmations have been poor and unreliable; and

* Audit risk, based on assessed low levels of inherent and control risk and evidence derived from other sources such as test of details and analytical procedures, is at an acceptably low level for the given assertion.

However, the SAS notes that in many situations, the confirmation of receivables will be needed together with test of details to reduce audit risk to an acceptably low level. In addition, it requires that an auditor who has not confirmed accounts receivable must document how this presumption of necessity was overcome.

Although the audit risk model and use of the assertion concept have now been incorporated into the confirmation process by the new standard, many of the "rules of thumb" relating to the use of confirmations are "commonsenseful" and not significantly different from prior practice. For example, if independent outside parties can be expected to provide relevant, reliable evidence and it is reasonably efficient to obtain this evidence from these parties, confirmation would be appropriate. Thus, unless the audit risk evaluation dictates otherwise, confirmations provide qualitative evidence concerning the validity of receivables, cash balances, and in some cases the completeness and valuation of certain liabilities such as long-term debt. Clearly, the auditor should always control the mailing of confirmation requests and address them, as was previously noted, to individuals in the organization who are knowledgeable about the balances or selected transaction being confirmed.

INTERNAL CONSISTENCY

Important changes have been introduced by the new standard reformatting the confirmation process in terms of the concepts of "audit risk" and "assertions" so as to achieve internal consistency among SASs. It has also identified those areas to which the auditor should be especially sensitive and careful about when using confirmations.

Marc Levine, CPA, Ph.D., is professor of Accounting and Information Systems, Queens College, CUNY

Adrian Fitzsimons, CPA, Ph.D., CMA, CFA is an Associate Professor of Accounting, St. Johns University

Drs. Levine and Fitzsimons co-authored the Warren, Gorham & Lamont, Audit Manual c. 1990

HOW EFFECTIVE ARE CONFIRMATIONS?

In conducting its study on the need for new confirmation guidance, the AICPA's Use of Confirmations Task Force reviewed the most current empirical confirmation research. Recent studies clearly indicated there were serious problems relating to the effectiveness of the confirmation process. Confirmations have been one of the most common means used by auditors of providing what was widely believed to be highly competent evidence. The strength of this conviction was based on the fact that a confirmation involved a direct communication with an independent source outside the company being audited.

One such study, An Empirical Study of Accounts Receivable Confirmations as Audit Evidence, by Paul Castor, refutes the effectiveness of the confirmation process based on his finding that positive confirmations were capable of detecting only forty-seven percent of errors in his test population. In addition, he found the reliability of the confirmation related to the direction and size of errors in the accounts. That is, he determined that errors that were unfavorable to the customer had a greater likelihood of being detected and reported to the auditors than favorable errors, and errors of 20% were more likely to be detected and reported than errors of 3%. Caster also determined that exaggerated inferences by auditors were not uncommon. He concluded this as a result of finding that study recipients would often confirm erroneous balances as being correct.

Another study, The Effectiveness of Audit Confirmation by Jack L. Armitage, examined the audit effectiveness of confirming trade accounts receivable sent to individuals. Armintage's conclusions very much complemented Caster's. He determined, for example, that positive and negative confirmations detected only 38% and 16.5%, respectively, of account errors. Based on this finding, Armitage concluded that confirmations were surprisingly ineffective in this function. In addition, Armitage, like Caster, found that accounts with overstatement errors had a higher detection rate than accounts with understatement errors for both positive and negative confirmations. That is, customers were more likely to report errors that would have benefitted the company (overstatement errors) than would have benefitted the confirming company (understatement errors). To rectify this situation, Armitage concluded that the auditor should consider performing additional tests for possible understatement such as examining shipping documents and tracing subsequent payments to detect the existence of understated or unrecorded receivables.

Armitage's research also indicated an important inconsistency with respect to auditor perception. Although the study results clearly showed that accounts receivable confirmation was not a very effective audit tool, all auditors responding to the questionnaire indicated that they regularly use positive and negative confirmations on their audit engagements. Armitage concluded that auditors greatly overestimate the effectiveness of this auditing procedure and are not cognizant of its low level of effectiveness. As a result, they may be putting themselves at more risk than they realize. This is particularly true in the current environment of increased audit scrutiny and litigation.

Conclusions of the Task Force

The Use of Confirmations Task Force reported to the Auditing Standards Board based on its analysis and review of all accumulated data and research on confirmations:

"Auditors should be permitted to exercise professional judgment, in conjunction with their audit risk assessment, in determining whether confirmations are appropriate in a particular situation. In some instances, other audit techniques may be equally or even more efficient and effective than confirmation procedures. Furthermore, given recent research that raises uncertainties about the reliability of confirmations and auditors' potential overreliance on confirmations as a source of audit evidence, the task force concluded that existing evidence on the use of confirmations in auditing account receivable may overstate the reliability of confirmations.

The use of the negative form of confirmations generally does not provide significant evidence and their use should be discouraged. The discussion in AU 331 of the negative form of confirmations may inappropriately imply that such confirmations are an effective form of obtaining evidence. Guidance on the use of confirmations should include matters auditors should consider in evaluating the reliability of confirmation procedures and determining when the use of confirmation is appropriate. The guidance should emphasize that confirmations should not be thought of as a routine procedure, but one that requires considerable planning to obtain effective results. Operational guidance should be provided in the form of an auditing procedures study or an audit and accounting guide."