To Confirm or Not to Confirm—Risk Assessment is the Answer

The Wise and Proper Use of Bank Confirmations

By: Howard B. Levy, CPA and L. Ralph Piercy, CPA

Bank confirmations have been a valuable source of audit evidence since the dawn of the profession. Like all confirmations, they can be both effective and efficient, but only to the extent the auditor has properly identified and assessed the significance of the risks they are intended to address and executed the confirmation process.

Bank confirmations are most effective and efficient when the financial statements contain material amounts of cash, and the auditor has identified entity or industry circumstances that elevate the risk of material misstatement. This includes, for example, when management’s risk tolerance is unusually high or the governing board does not place sufficient emphasis on managing risk. When an auditor has identified elevated risk, procedures supplemental to bank confirmations may also be necessary to address the risks of material misstatement from error and fraud. When the risk of material misstatement and fraud is low, alternative procedures to bank confirmation may be applied that are sufficiently effective to reduce the risk of material misstatement to an acceptably low level and may represent a more efficient evidence-gathering process.

Unfortunately, many auditors mistakenly believe that auditing standards require that all, or at least some, bank account balances be confirmed on all audit engagements without consideration of risk. In the opinion of the authors, auditors commonly believe this because for years this has been routine. In fact, the use of bank confirmations has never been a required procedure under any auditing standard.

This article advocates against the indiscriminate, often inefficient and ineffective, use of bank confirmations in all audits, but also advocates their use only when cash is material and risks to be addressed are significant. Bank confirmations may be the most effective test of the existence of cash balances (and the completeness of debt, contingent liabilities, and other disclosure matters)—but only when they are used properly, cash balances are material, and risk considerations warrant it (e.g., when entity- or industry-specific circumstances require greater professional skepticism).

Brief History and Current Status of Bank Confirmations

More than 20 years before the first auditing standard was issued in 1939, Robert H. Montgomery’s Auditing Theory and Practice (known in later editions as Montgomery’s Auditing), asserted that cash deposits “should be … verified by independent confirmation.” Bank confirmations were almost always been used with little or no regard to risk considerations until the development of risk-based auditing in the late 1970s and early 1980s. Then, largely in response to competitive pressures demanding increased audit efficiency and timelier reporting, some auditors began to reduce their indiscriminate use of bank confirmations in all audits.

The standard bank confirmation form, jointly approved by the American Bankers Association, the AICPA, and the Bank Administration Institute, has undergone only minor revisions over its 50-year history. The confirmation handling process, however, has become significantly more automated. Many banks have centralized their response processes, improving the quality of responses. Many financial institutions also support third-party, electronic confirmation service providers (effectively serving as intermediary responders on behalf of the banks). These popular alternatives have improved process efficiencies while reducing the—albeit minimal—risk of confirmation fraud that involves client and bank employee collusion.

Many institutions have made further improvements in cross-referencing other information about the depositor (made possible by the federal Patriot Act), but the completeness of such other information or relationships may be unreliable and should not be expected. Although these improvements have often resulted in better information linking, reduced response time, and better trained responders (which, accordingly, have improved the reliability of responses), many financial institutions do not fully accommodate automated confirmation services and have not centralized their response processes. Accordingly, the usefulness of the standard bank confirmation request may still be adversely affected by the limitations of the bank’s employees and processes.

When a third-party service provider is used to confirm bank balances, the process involves preparation effort by the auditor or client to assimilate the needed input information. The auditor then sends an online request to the client for review and approval. Once approved, the third-party service provider can log into the queue to complete the confirmation request, access the institution’s internal data for that client, complete the confirmation, and send it to the auditor. This process can be accomplished in a couple of days. While the online process may appear to be more effective and efficient than the standard manual bank confirmation forms, the authors’ position remains that bank confirmations need only be used when warranted by materiality and perceived risks.

Each service provider has contractual arrangements with a select set of financial institutions, although there is likely significant overlap. For example, according to its user’s manual and other published materials, Confirmation.com, one of the larger confirmation service providers in the United States, has arrangements with approximately 3,000 to 3,500 institutions in over 100 countries out of approximately 32,000 public and private banking institutions worldwide. The fact that a service provider engaged by the auditor does not have a relationship with a particular financial institution does not remove the auditor’s obligation to confirm cash balances when warranted by materiality and risk considerations. Unfortunately, because most financial institutions do not cooperate with all third-party confirmation service providers, the manual form of standard confirmation is here to stay, at least for a few more years.

Failed PCAOB Proposal

In 2010, the PCAOB proposed a new confirmation standard (Release 2010-003, Docket 028) that would have included, for the first time, a mandate for the universal use of bank confirmations without regard to any perceived risk of material misstatement. This proposal went nowhere. In 2015, the PCAOB hinted at its intent to revive and revise the proposal, but the project was apparently abandoned. AS 2310s remains unchanged today, relatively nonprescriptive with the judicious use of bank confirmations left to auditors’ discretion, consistent with its ASB counterpart (AU-C 505).

Without regard for the principles of risk-based auditing, the PCAOB stated (para. 9, Release 2010-003) that “the auditor should not base his or her selection of cash accounts to confirm only on the reported balances of the cash accounts.” The only supporting rationale offered for this conclusion was that “there might be significant activity in, and risks associated with, a cash account that has an immaterial or zero balance” (p. A1-4, p. A3-5, Release 2010-003). Many responders to the proposal stated that this conclusion was illogical, because confirming the year-end cash balance is only a snapshot in time that has nothing to do with a company’s historical liquidity, cash flows, or operations. They commented, therefore, that it was doubtful that any standard bank confirmation form would produce useful and credible evidence with regard to such matters and implied objectives when reported cash balances are immaterial or the perceived risk of material misstatement (most likely a fraud risk) is otherwise low. Only when cash is materially overstated can there be a significant suspicion of fraud, whether motivated to cover for a defalcation or to mislead investors as to the reporting entity’s financial condition. (Other circumstances could present fraud risk with respect to understatement of debt.)

In a speech about the proposal presented July 13, 2010, PCAOB Chair Daniel Goelzer asserted, without support (as none appears to have been available at the time), that “fictitious bank accounts have been the linchpin of several notorious frauds” (https://bit.ly/3HCGVxV). Although there may be others of a lesser magnitude, the authors were able to identify only one prominent fraud (Wirecard AG, a German company) that involved, among other things, fictitious bank accounts and alleged insufficient confirmation procedures by the auditors. The Wirecard fraud was an elaborate, sophisticated, and worldwide scheme with a deliberate aim to deceive conducted over many years but not discovered until 2020. Reported cash balances were material, and significant, unusual industry- and entity-specific risks and other “red flag” indicators were known that appear to have warranted a high degree of professional skepticism and expanded audit scope. This single example, however, hardly supports any advocacy for the universal use of bank confirmations.

The PCAOB asserted (pp. 3, 14, Release 2010-003), also without support, that the proposed mandate could “provide audit evidence to address the risk of material misstatement due to fraud [presumably referring to intentional overstatement of cash balances] and because of the importance of cash to a company’s liquidity and ongoing operations.” So what risk of material misstatement would be presented when reported balances are immaterial? Except in certain industries, cash in banks is generally a relatively small, immaterial asset; therefore, the risk of material overstatement is minor and understatement is a highly unlikely concern.

According to an unofficial summary transcript (https://doi.org/10.2308/ciia-50014) of a discussion held by the PCAOB’s Standing Advisory Group on October 14, 2010, about the proposal and the responses received thereto, the prescriptive, universal use of cash confirmations was almost unanimously rejected by all respondents (19 CPA firms, an accounting association, the GAO, and two academics). These responders believed that the proposed confirmation standard should be more principles-based, consistent with the risk assessment standards. (On the other hand, a committee of the American Accounting Association, whose membership consists of academics, expressed its support for the proposed requirement regarding bank confirmations.)

The comments of responders that opposed the PCAOB proposal indicated that they believed the proposed mandate was unduly onerous and too prescriptive; would increase the number of confirmations inordinately, regardless of identified risks; would prohibit auditors from exercising judgment and tailoring procedures; and would result in a “check-the-box” approach rather than one based on risk assessment. For example, the letter submitted by the AICPA’s Center for Audit Quality (https://bit.ly/3HDAdaT) included the following comments regarding the proposed mandate:

• the proposal is overly prescriptive … and may result in a significant increase in the use of confirmation requests.
• the proposal does not adequately recognize that confirmations may not always be the most effective means of gathering evidence and, as a result, limits the auditor’s ability to use judgment in determining the audit procedures that are appropriate based on the assessed level of risk at the assertion level.
• the proposed standard would significantly limit the auditor’s ability to use judgment in determining the appropriate audit procedures for obtaining sufficient audit evidence. As a result, we believe that auditors may expend significant efforts performing confirmation procedures in situations where they are neither the most effective nor efficient means of gathering sufficiently persuasive audit evidence.

Reliability of Bank Confirmations

Although auditing standards generally assert as an underlying principle that “the reliability of audit evidence is increased when it is obtained from independent sources outside the entity” (AU-C 500. A32), there are characteristics of standard bank confirmations other than as described above that may make them less reliable in some circumstances. Exhibit 1 notes some common myths about bank confirmations. When these characteristics go unnoticed by auditors, as they frequently do, alternative procedures might better address the perceived risks and related audit objectives.

Historically, financial institutions often cause disclaimers or restrictions to be added to responses to requests that limit responsibility for their accuracy. According to the auditing standards, the auditor is required to “direct the confirmation request to a third party who the auditor believes is knowledgeable about the information to be confirmed. For example, to confirm a client’s oral and written guarantees with a financial institution, the auditor should direct the request to a financial institution official who is responsible for the financial institution’s relationship with the client or is knowledgeable about the transactions or arrangements” (PCAOB AS 2310.26 with similar, but less specific, language in AU-C 505.07b and 505.A3). Therefore, potentially material arrangements, agreements, or transactions that are believed or suspected to exist, when deemed warranted by risk and materiality considerations, are best confirmed with separate letters that have been addressed directly to an appropriate banking relationship or lending officer and specifically request details about any significant information not provided by management. In practice, many auditors seem to pay little or no attention to these concerns and this requirement. When an auditor uses a third-party confirmation service provider, it is difficult, if not impossible, to comply with the “letter” of the requirement—an item that the authors believe needs clarification from standards setters.

As stated in many of the comment letters issued in response to the PCAOB’s 2010 proposal, these trends have been troublesome, as they tend to render bank confirmations less reliable unless adequate corroborative procedures are applied, diminishing the cost/benefit value of the cash confirmation process.

Furthermore, because the data for which confirmation is sought is frequently pre-entered by the client (ever since the form was redesigned in 1991) or the auditor, rather than the financial institution filling in the blanks on the manual confirmation form used historically, the confirmations may be considerably less reliable with respect to unrecorded bank accounts or debt, undisclosed guarantees, and other disclosure matters or under-statement risks related to the completeness assertion (Douglas P. Sauter, “The New Confirmation Form for Financial Institutions,” The CPA Journal, January 1991, http://archives.cpajournal.com/old/09387208.htm). When loan data is pre-entered on the forms, it is unlikely that the bank employees engaged in the confirmation response process will search to identify unreported loans or other matters and report them to the auditor.

One Size Doesn’t Fit All

Bank confirmations are requested primarily as evidence to support the existence assertion for cash in banks, although they are commonly used concurrently for other purposes (albeit less effectively), such as confirming other banking relationships including outstanding debt and covenants and contingent liabilities. But bank confirmations, like all confirmations, may effectively or efficiently address one risk and not another. With respect to such noncash matters, auditors often fail to obtain sufficient information about items such as debt terms or compensating balance arrangements. Due to limitations and usages of the standard form, the authors believe that financial institutions should not be relied upon to disclose such information to the extent necessary to meet audit objectives.

Alternatives to Confirmation

If an auditor has no reason to suspect fraudulent alteration or other risky circumstances, inspecting original bank statements provided in print by the client or obtained by direct observation online can be almost as effective in reducing moderate risk as receiving independent confirmations in many circumstances—but considerably more efficient. In addition, post-balance sheet activity (such as the bank’s timely payment of outstanding checks) will generally provide sufficient evidence of existence of the asset, assuming moderate risk and materiality. In higher risk situations, it might be more effective to inspect several year-end or interim period bank statements and related reconciliations throughout the audit period, possibly as a test of internal controls over the reconciliation process.

Of course, even original bank statements obtained from client personnel in conjunction with other tests of bank reconciliations (whether at year-end or interim dates) should be inspected for indications of possible alterations, and confirmations should be requested whenever there is reason to suspect that a bank statement may have been fraudulently altered, especially when there are other reasons for professional skepticism with regard to fraud risk. If there is reason for suspicion or skepticism, another reliable and efficient alternative procedure to confirmation is an auditor’s old-fashioned annual four-column proof-of-cash.

A four-column proof-of-cash is a relatively simple and efficient test that is highly effective at obtaining evidence that all receipts and disbursements processed and recorded by the bank for the year have likewise been recorded on the books. An annual proof entails assembling 12 monthly totals (i.e., receipts and disbursements) from the books and the bank statements and reconciling their annual totals. Such a proof may be performed manually or using Excel or more sophisticated computer-assisted techniques. If performed by client personnel (which is preferable), the auditor should test trace the source data to the underlying records. One might compile such a proof for the main operating account only or include additional accounts based on activity and other risk factors.

It Comes Down to Execution

Bank confirmations continue to be a valuable source of audit evidence when used appropriately. But they are most effective and efficient only when cash is material, when the auditor has properly identified other risks to be addressed, and when the confirmation process is properly executed. Exhibit 2 notes some common execution faults and tips for improvement.

One cannot predict whether, perhaps as a response to the recent Wirecard fraud, the PCAOB or another standards setter will in the future mandate the use of bank confirmations in all audit engagements without discretion. The authors firmly believe that if mandatory bank confirmations were to be put forth, much of the auditing profession would once again oppose such a proposal in favor of better guidance for 1) determining audit scope by using professional judgment, primarily based on risk, materiality considerations, and professional skepticism, and 2) using confirmations properly when appropriate.

L. Ralph Piercy, CPA, is a senior director of assurance services with BDO USA, LLP in Las Vegas and Reno, Nev.

Howard B. Levy, CPA, is an independent technical consultant based in Las Vegas, Nev. He is a member of The CPA Journal’s Editorial Advisory Board and the author of The Volunteer Treasurer’s Handbook: Financial Management Building Blocks for Not-for-Profit Organizations.