In October 2023, the FRC published a revised version of ISA (UK) 505 - External Confirmations. It will be effective for audits of financial statements for periods commencing on or after 15 December 2024. As we come up on one year since the release of this revision, we recap the core elements of ISA 505.
What is ISA 505?
ISA 505 deals with the auditor’s use of external confirmations procedures as part audit evidence obtainment. Related ISAs are ISA 500 (Audit Evidence) and ISA 330 (The Auditor's Responses to Assessed Risks).
Background
Apart from some amendments made in 2022, the actual core standard had not been revised since 2017. In the intervening period, digital tools (such as Circit) have become much more popular.
The revised version of ISA 505 (May 2022) includes guidance on the use of digital platforms in the confirmations process to verify information and to help improve the reliability and credibility of audit evidence obtained via the process.
The related ISA 500 points out that the reliability of audit evidence is influenced by three important features, namely:
• Audit evidence is more reliable when it is obtained from independent sources outside the entity;
• Audit evidence obtained directly by the auditor is more reliable than audit evidence obtained indirectly or by inference; and
• Audit evidence is more reliable when it exists in documentary form, such as paper, electronic or other medium.
May 2022 update
The objective of external confirmations is to obtain relevant and reliable audit evidence. The updated version of ISA 505 from May 2022, outlines the following key elements the process:
- The use of digital platforms,
- Strengthened requirements for investigating exceptions and
- A ban on negative confirmations
We will be taking a closer look at the elements of digital platforms and negative confirmations specifically.
Using digital platforms
The FRC has introduced a measure to ensure that confirmations can be obtained directly by accessing information held by third parties through web portals or software interfaces. Platforms like Circit can improve the efficiency and reliability of response rates as part of a secure and properly controlled process.
ISA 505 alerts auditors to the dangers associated with obtaining confirmation responses either in paper or electronic format: the response may be from an improper source; a respondent may be unauthorised to respond, or the integrity of the transmission may be compromised.
Utilising a digital confirmations platform can alleviate a lot of these problems by improving the security of transmission, providing transparency on completeness and helping to ensure that the collected evidence supports all relevant assertions. Moving to a digital process also boosts security by validating the identity of a sender of information in electronic form, for example with electronic digital signatures.
Negative confirmations
A negative confirmation is where the confirming party responds directly to the auditor only if they disagree with the information provided in the request. The proposal prohibits negative confirmations, because they are not as effective as positive ones.
Negative confirmations can be problematic because the failure to receive a response to a request doesn't explicitly indicate receipt by the intended confirming party or verify the accuracy of the information contained in the request. Confirming parties are more likely to respond to a request, indicating their disagreement, when the information in the request is not in their favour, and are less likely to respond otherwise.
October 2023 Revision
Electronic confirmations and digital security
The October 2023 revision of the standard acknowledges the increasing role of digital technologies in audit processes even more, as it homes in on the use of electronic confirmations by providing comprehensive guidance on the topic. It highlights the role of the auditor in ensuring the security and integrity of the electronic channels used.
It emphasises secure methods, such as encryption and digital signatures, to prevent interception or alteration of confirmations.
Negative Confirmations
The revision also revisits negative confirmations, this time stating negative confirmations are not permitted as the sole substantive procedure unless very specific conditions are met, such as when the risk of material misstatement is low and the auditor has confidence in the controls related to that assertion.
To conclude: Digital confirmations improve reliability
One thing is clear from both the revision and the update: digital confirmations platforms play a key role in the process.
The FRC has included specific guidelines on the usage of digital platforms for confirmations because of the advantages they bring: increased efficiency, immutability of responses obtained and the assurance that responses come from a proper, authorised source. These platforms enhance audit reliability by ensuring secure, tamper-proof responses through techniques like encryption and digital signatures.
This is an important indicator for firms that implementing the right technology can help them stay ahead of the curve when it comes to assessing and improving audit processes.
By improving efficiency and response accuracy, they mitigate risks linked to fraud and unauthorised access, making them indispensable tools in today's digital audit environment. Firms adopting these technologies are better positioned to comply with evolving standards and maintain robust audit practices.