ISA 505 (Revised) deals with the auditor’s use of external confirmation procedures to obtain audit evidence in accordance with the requirements of ISA 330 and ISA 500.
01 What is ISA 505?
ISA 505 – External Confirmations is an International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB). It establishes the auditor’s responsibilities in obtaining and evaluating external confirmation evidence during a financial statement audit.
External confirmation is one of the most reliable forms of audit evidence. By obtaining written responses directly from third parties, such as banks, debtors, lawyers, and other counterparties, auditors can corroborate the accuracy of information contained in the entity’s accounting records without relying solely on management-prepared documents.
External confirmation evidence is widely considered among the most persuasive audit evidence because it comes directly from a knowledgeable third party, independent of both the client and the auditor. ISA 505 ensures this process is conducted rigorously and systematically.
The standard applies whenever the auditor determines that external confirmations are a necessary procedure to gather sufficient appropriate audit evidence, particularly for financial assertions such as existence, rights and obligations, and accuracy.
02 Objective of ISA 505
The overarching objective of ISA 505 is to ensure that the auditor designs and performs external confirmation procedures that provide relevant and reliable audit evidence.
Determine When to Use Confirmations
Assess whether external confirmation procedures are appropriate given the assessed risks and the nature of account balances.
Design Effective Requests
Craft confirmation requests that are clear, unambiguous, and likely to generate reliable responses from confirming parties.
Evaluate Responses
Analyse responses for completeness, relevance, and reliability and identify exceptions or non-responses requiring further work.
Handle Non-Responses & Refusals
Apply alternative procedures when management refuses to allow confirmations or when confirming parties do not respond.
03 Key Definitions Under ISA 505
| Term | Definition |
|---|---|
| External Confirmation | Audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), either in paper form or by electronic or other medium. |
| Positive Confirmation Request | A request that asks the confirming party to respond directly to the auditor indicating whether they agree or disagree with the information stated in the request. |
| Negative Confirmation Request | A request that asks the confirming party to respond only if they disagree with the information provided in the request. |
| Non-Response | A failure of the confirming party to respond to, or a failure to completely respond to, a positive confirmation request. |
| Exception | A response that indicates a difference between information requested to be confirmed and information provided by the confirming party. |
| Confirming Party | The third party (e.g., a bank, debtor, creditor, or legal advisor) from whom the auditor requests confirmation. |
04 Auditor Requirements under ISA 505
ISA 505 places specific requirements on auditors. These are not optional best practices; they are mandatory obligations that must be fulfilled whenever external confirmations are used or considered as audit procedures.
Maintaining Control Over Confirmation Requests
The auditor must maintain control over the entire confirmation process. This means the auditor, not management, sends the requests, receives the responses, and follows up on non-responses. Allowing management to handle any part of this process significantly impairs the reliability of the evidence obtained.
If the auditor cannot maintain adequate control over confirmation requests and responses (e.g., management intercepts responses), the evidence obtained should be treated with extreme scepticism and may not be reliable.
Assessing the Reliability of Responses
Not all responses are equally reliable. The auditor should consider whether the response came from the correct person (i.e., someone knowledgeable and authorised), whether it was sent directly to the auditor, and whether there are any indicators that the response may have been altered or intercepted.
Considering Information Technology Risks
When confirmations are received electronically, the auditor must consider whether electronic confirmation processes introduce risks of interception, alteration, or fraud. The auditor may need to verify the authenticity of email responses through a follow-up phone call or alternative means.
ISA 505 acknowledges that electronic confirmations (e.g., email or web-based responses) can be acceptable, provided the auditor satisfies themselves that the source is legitimate and the transmission is secure.
05 The External Confirmation Process – Step by Step
Identify Items Requiring Confirmation
Based on the risk assessment and understanding of the entity, determine which balances, transactions, or other items require third-party corroboration. Common items include accounts receivable, bank balances, loans, and legal contingencies.
Select the Confirming Party
Identify the appropriate third party with direct knowledge of the item. For bank balances, this is the financial institution. For receivables, it is the customer. Ensure that the confirming party is genuinely independent.
Design the Confirmation Request
Draft a clear, unambiguous request that specifies the exact information the auditor needs confirmed. Obtain management’s authorisation for the request, as the entity’s relationship with the third party may require formal consent.
Send the Request and Maintain Control
The auditor (not management) sends the request directly to the confirming party. All responses must be returned directly to the auditor via a return address or email controlled exclusively by the auditor.
Follow Up on Non-Responses
Where no response has been received within a reasonable timeframe, the auditor should send follow-up requests. Document each follow-up attempt as part of the audit file.
Evaluate Responses and Investigate Exceptions
Analyse each response for completeness and accuracy. Investigate any exceptions (differences between the entity’s records and the confirming party’s response) to determine whether they indicate misstatements or timing differences.
Perform Alternative Procedures for Non-Responses
When a positive confirmation receives no response, the auditor must perform alternative audit procedures to address the risk of material misstatement. Document the procedures performed and the conclusions reached.
06 Types of Confirmation Requests
ISA 505 distinguishes between two primary types of confirmation requests, each with its own use cases, advantages, and limitations.
Positive Confirmation Request
Asks the confirming party to respond regardless of whether they agree or disagree. This approach is more reliable because silence is not interpreted as agreement. Best used for higher-risk balances, large amounts, or when individual responses are essential.
Negative Confirmation Request
Asks the confirming party to respond only if they disagree with the information. Provides less reliable evidence because non-response could mean the party agrees or simply did not respond. Suitable only for large populations of small, low-risk balances.
Blank Confirmation Request
A form of positive confirmation where the confirming party is asked to fill in the balance or information themselves, rather than confirming a stated amount. More reliable than confirmations that state an amount, as it eliminates acquiescence bias.
Blank confirmation requests, where the confirming party must supply the balance themselves, are generally considered more reliable than requests that state a balance, as they reduce the risk of a confirming party simply agreeing to an incorrect amount without checking.
07 Management Refusal to Allow Confirmations
One of the most significant provisions in ISA 505 concerns situations where management requests the auditor not to seek external confirmations. This scenario carries significant audit implications and must be handled carefully.
When Can Management Refuse?
Management may cite legitimate business reasons, such as ongoing disputes with a customer or sensitive negotiations, for requesting that confirmations not be sent. ISA 505 acknowledges that such reasons may be valid. However, the auditor cannot simply accept the refusal without scrutiny.
Auditor’s Obligations When Faced with a Refusal
Per ISA 505, if management refuses to allow the auditor to perform external confirmation procedures, the auditor must:
Inquire into the Reasons for the Refusal
Understand management’s stated rationale. Document the reasons provided and evaluate their reasonableness.
Evaluate the Implications for Risk
Assess whether the refusal suggests a risk of material misstatement. A refusal without adequate justification may indicate that management is concealing something – a significant fraud risk indicator.
Perform Alternative Procedures
Design and perform alternative audit procedures that address the same assertions as the planned confirmation procedures. Document these alternatives thoroughly.
Consider the Effect on the Audit Report
If alternative procedures do not provide sufficient appropriate evidence, consider the implications for the audit opinion, including whether a modified opinion may be necessary.
Under ISA 240, an unexplained management refusal to allow external confirmations, particularly for accounts receivable, should be treated as a significant fraud risk indicator. The auditor must escalate their scepticism and scrutiny accordingly.
08 Handling Exceptions and Anomalies
Exceptions in confirmation responses, where a confirming party’s information differs from the entity’s records, must never be dismissed as administrative errors without adequate investigation. ISA 505 requires auditors to evaluate all exceptions carefully.
Common Causes of Exceptions
Exceptions can arise from legitimate timing differences (e.g., payments in transit), legitimate disputes (e.g., a customer disputing an invoice), or potentially from errors or fraud. The auditor must determine which category applies.
| Type of Exception | Likely Cause | Auditor Response |
|---|---|---|
| Timing Difference | Payment or shipment in transit at the confirmation date | Verify subsequent receipt or delivery; no misstatement likely |
| Disputed Balance | Customer disputes the amount owed | Evaluate whether a provision or write-off is required |
| Recording Error | The entity has misrecorded the transaction | Identify if misstatement exists; consider broader impact |
| Fraud Indicator | Confirming party not aware of a transaction | Treat as a significant fraud risk; escalate immediately |
09 Practical Examples of External Confirmations
To understand how ISA 505 operates in practice, consider the following common scenarios encountered in real-world audits:
1. Bank Confirmation (Bank Balance & Loans)
One of the most universal applications of ISA 505 is the bank confirmation. At period end, the auditor sends a standardised bank confirmation request to each bank where the entity holds accounts. The request typically asks the bank to confirm account balances, overdraft facilities, outstanding loans, charges, and contingent liabilities. This provides reliable evidence on the existence, completeness, and accuracy of the entity’s banking relationships.
2. Debtors / Accounts Receivable Confirmation
For entities with significant trade receivables, confirmations are sent to a sample of customers asking them to confirm the balance they owe. This addresses the existence and accuracy assertions for the receivables balance – a common area of misstatement. The auditor typically selects a statistical or risk-based sample, with larger balances and higher-risk customers receiving priority.
3. Lawyer / Solicitor Confirmation
To address the completeness and valuation of provisions for legal claims and contingent liabilities, auditors send confirmation letters to the entity’s external legal advisors. Lawyers are asked to confirm all pending or threatened litigation and to provide their assessment of likely outcomes. This is crucial for compliance with IAS 37 and accurate financial statement presentation.
4. Inventory Held by Third Parties
Where inventory is held at third-party warehouses or with consignees, the auditor must confirm the existence and condition of such inventory directly with the third party. This is especially relevant for commodities businesses, logistics companies, or entities with complex supply chains.
10 Documentation Requirements
ISA 505 requires auditors to maintain robust documentation of the entire external confirmation process. This documentation must be sufficient to allow an experienced auditor, with no prior connection to the engagement, to understand the procedures performed and the conclusions reached.
Audit files should include: the list of items selected for confirmation; copies of all confirmation requests sent; evidence that requests were controlled by the auditor; all responses received; follow-up actions for non-responses; investigation of all exceptions; and the auditor’s overall conclusions.
Where management refuses to permit confirmations or where the auditor has concerns about the reliability of responses, the documentation must also record the reasons for the refusal, the risk assessment implications, and the alternative procedures performed.
11 Frequently Asked Questions – ISA 505
Is an auditor required to perform external confirmation procedures in every audit?
No. ISA 505 does not mandate external confirmation procedures in every engagement. However, ISA 330 requires auditors to consider whether confirmations are necessary as part of their overall response to assessed risks. For most audits of entities with significant receivables or banking arrangements, confirmations will be almost universally required.
What should an auditor do when no response is received?
When a positive confirmation request goes unanswered, the auditor must perform alternative procedures to provide sufficient appropriate evidence. These may include examining subsequent cash receipts, reviewing underlying invoices and delivery notes, and corroborating with other records. The auditor must document all follow-up attempts and the alternative procedures performed.
Can the auditor rely solely on external confirmations as audit evidence?
No. External confirmations are one source of evidence and should generally be used in conjunction with other audit procedures. Even highly reliable confirmation evidence does not eliminate the need for the auditor to exercise professional judgement and consider other available information.
Are negative confirmation requests ever sufficient on their own?
Negative confirmation requests alone are rarely sufficient to constitute adequate audit evidence. They should only be used when the population consists of a large number of small, homogeneous, low-risk balances and the entity has a strong control environment. They must generally be supplemented by other procedures.
How does ISA 505 interact with ISA 240 (Fraud)?
ISA 240 identifies management refusal to permit external confirmations as a potential fraud risk indicator. An auditor encountering such a refusal must heighten their professional scepticism and increase the rigour of their alternative procedures. The refusal itself, and management’s stated reasons, must be carefully evaluated and documented.
What happens if the auditor suspects a confirmation response has been falsified?
If the auditor has reason to believe a response may not be genuine (for example, if it appears to have been intercepted or altered), they should attempt to verify the response through direct contact with the confirming party. This is a serious matter that may indicate fraud, and the auditor’s obligations under ISA 240 would be triggered.

(Qualified) Chartered Accountant – ICAP
Master of Commerce – HEC, Pakistan
Bachelor of Accounting (Honours) – AeU, Malaysia