AS 2310: The Auditor’s Use of Confirmation (effective for FYE on or after 6/15/2025)
The following new standard, AS 2310, The Auditor’s Use of Confirmation, will be effective for audits of financial statements for fiscal years ending on or after June 15, 2025.
Amendments: Amending releases and related SEC approval orders
Guidance on AS 2310:
Staff Audit Practice Alert No. 8
Summary Table of Contents
- .01 Introduction
- .02 Objective
- .03 Relationship of the Confirmation Process to the Auditor’s Identification and Assessment of and Response to the Risks of Material Misstatement
- .08 Designing Confirmation Requests
- .14 Maintaining Control over the Confirmation Process
- .18 Evaluating Confirmation Responses and Confirmation Exceptions, and Addressing Nonresponses and Incomplete Responses
- .24 Additional Considerations for Cash, Accounts Receivable, and Terms of Certain Transactions
- .36 Evaluating the Results
Introduction
.01 This standard establishes requirements regarding obtaining audit evidence from a knowledgeable external source through the auditor’s use of confirmation. The standard also includes additional requirements regarding obtaining audit evidence for cash, accounts receivable and terms of certain transactions.
Objective
.02 The objective of the auditor in designing and executing the confirmation process is to obtain relevant and reliable audit evidence from a knowledgeable external source about one or more relevant financial statement assertions of a significant account or disclosure.1
Relationship of the Confirmation Process to the Auditor’s Identification and Assessment of and Response to the Risks of Material Misstatement
.03 AS 2110, Identifying and Assessing Risks of Material Misstatement, establishes requirements regarding the process of identifying and assessing risks of material misstatement of the financial statements and provides that the auditor’s assessment of risks of material misstatement, including fraud risks, should continue throughout the audit. When the auditor obtains audit evidence during the course of the audit (including through the confirmation process) that contradicts the audit evidence on which the auditor originally based the risk assessment, the auditor should revise the risk assessment and modify planned audit procedures or perform additional procedures in respect to the revised risk assessments.2
.04 AS 2301, The Auditor's Responses to the Risks of Material Misstatement, requires the auditor to design and implement appropriate responses that address risks of material misstatement. This may include using confirmation to address the assessed risks of material misstatement for certain relevant assertions of significant accounts and disclosures.
Note: If different components in a significant account or disclosure are subject to significantly differing risks of material misstatement, the auditor’s responses should include procedures that are responsive to the differing risks of material misstatement.
.05 AS 2301 provides that as the assessed risk of material misstatement increases, the evidence from substantive procedures that the auditor should obtain also increases. The evidence provided by substantive procedures depends upon the mix of the nature, timing, and extent of those procedures.
Note: AS 2110.68 provides that the auditor should presume that there is a fraud risk involving improper revenue recognition. According to paragraph .54 of AS 2401, Consideration of Fraud in a Financial Statement Audit, examples of audit procedures that might be performed in response to this risk include confirming with customers certain relevant contract terms and the absence of side agreements.
.06 Audit evidence obtained from a knowledgeable external source is generally more reliable than evidence obtained only from internal company sources.3 The following are examples of financial statement assertions for which the confirmation process, when properly designed and executed, can provide relevant and reliable audit evidence:
- Existence (e.g., cash, accounts receivable, investments)
- Occurrence (e.g., revenue transactions)
- Completeness (e.g., accounts payable, debt)
- Rights and obligations (e.g., cash, assets pledged as collateral)
.07 This standard describes the auditor’s responsibilities related to the confirmation process, as follows:
- Paragraphs .08-.13 discuss designing the confirmation request.
- Paragraphs .14-.17 discuss maintaining control over the confirmation process.
- Paragraphs .18-.23 discuss confirmation responses, confirmation exceptions and nonresponses.
- Paragraphs .24-.30 discuss additional considerations for cash, accounts receivable, and terms of certain transactions.
- Paragraph .31 discusses evaluating the results of confirmation and other audit procedures.
Other PCAOB standards also address auditor responsibilities relevant to the auditor's use of confirmation.4 This standard does not address matters described in AS 2505, Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments.
Designing Confirmation Requests
Identifying Information to Confirm
.08 The auditor should identify the information related to the relevant assertions that the auditor plans to verify with confirming parties or (when using a blank form) obtain from confirming parties.
Note: Some forms of positive confirmation requests ask the confirming party to indicate whether the confirming party agrees with the information stated on the request. Other forms of positive confirmation requests, referred to as blank forms, do not state the amount (or other information) to be confirmed, but request the confirming party to fill in the balance or furnish other information. Using a blank form confirmation request may provide more reliable audit evidence than using a confirmation request that includes information the auditor is seeking to confirm (e.g., a customer account balance). However, blank forms might result in lower response rates because additional effort may be required of the confirming party; consequently, the auditor may have to perform alternative procedures for more selected items.
Identifying Confirming Parties for Confirmation Requests
.09 The auditor should direct confirmation requests to confirming parties (individuals or organizations) who are knowledgeable about the information to be confirmed and determine that the confirmation requests are properly addressed.
Note: AS 2401.53 provides that when the auditor has assessed a fraud risk, sending confirmation requests to a specific party within an organization is an example of an audit response to the risk.
.10 If the auditor is aware of information about a potential confirming party’s (i) motivation, ability, or willingness to respond, or (ii) objectivity and freedom from bias with respect to the audited entity,5 the auditor should consider this information, including its source, in selecting the confirming parties.
Note: Such information may indicate that the potential confirming party has incentives or pressures to provide responses that are inaccurate or otherwise misleading.
.11 If the auditor is unable to identify a confirming party for a selected item who would provide relevant and reliable audit evidence in response to a confirmation request (including considering any information discussed in paragraph .10), the auditor should perform alternative procedures for the selected item in accordance with Appendix C.
Note: The reliability of evidence depends on the nature and source of the evidence and the circumstances under which it is obtained.6
Using Negative Confirmation Requests
.12 Generally, the auditor obtains significantly less audit evidence when using negative confirmation requests than when using positive confirmation requests because the auditor typically does not receive from the confirming party a confirmation response to a negative confirmation request unless the confirming party disagrees with the information provided in the request. Therefore, the use of negative confirmation requests alone does not provide sufficient appropriate audit evidence for addressing the risk of material misstatement to a financial statement assertion.
.13 The following are examples of situations in which the use of negative confirmation requests, in combination with the performance of other substantive audit procedures, may provide sufficient appropriate audit evidence:
- The auditor has (i) assessed the risk of material misstatement for the relevant assertions as low, and (ii) obtained sufficient appropriate audit evidence regarding the design and operating effectiveness of controls.7
- The population of items within the account balance or class of transactions for which the auditor considers sending negative confirmation requests is composed of many small, homogeneous items.
- The auditor expects a low exception rate in response to negative confirmation requests and has a reasonable basis for this expectation.
Maintaining Control over the Confirmation Process
.14 The auditor should maintain control over the confirmation process to minimize the likelihood that information exchanged between the auditor and the confirming party is intercepted or altered.
.15 The auditor should (i) select the items to be confirmed, (ii) send confirmation requests, and (iii) receive confirmation responses.8
.16 The auditor should send the confirmation request directly to the confirming party and obtain the confirmation response directly from the confirming party.
.17 The auditor or the confirming party can engage another party as an intermediary to facilitate direct electronic transmission of confirmation requests and responses between the auditor and the confirming party. When using an intermediary for this purpose, the auditor should evaluate the implications on the reliability of confirmation requests and responses as discussed in Appendix B.
Evaluating Confirmation Responses and Confirmation Exceptions, and Addressing Nonresponses and Incomplete Responses
Evaluating Reliability of Confirmation Responses
.18 The auditor should evaluate the reliability of confirmation responses, taking into account any information about events, conditions, or other information that the auditor becomes aware of that (i) contradicts the information used when selecting the confirming party pursuant to paragraphs .09 and .10 or (ii) indicates that the confirmation request or confirmation response may have been intercepted and altered. 9
Note: The following are examples of information that indicates that a confirmation request or confirmation response may have been intercepted or altered:
- The confirmation response comes from a physical or electronic address other than the address on the confirmation request.
- The confirmation response does not include a signature of the confirming party or otherwise identify the confirming party.
- The confirmation response does not include a copy of the original confirmation request, e-mail chain, or any other information indicating that the confirming party is responding to the auditor’s confirmation request.
.19 If the auditor is unable to determine that the confirmation response is reliable, the auditor should perform alternative procedures for the selected item in accordance with Appendix C.
Evaluating Confirmation Exceptions
.20 The auditor should evaluate confirmation exceptions and determine whether the confirmation exceptions individually or in the aggregate indicate (i) a misstatement that should be evaluated in accordance with AS 2810, Evaluating Audit Results, (ii) a deficiency in the company’s internal control over financial reporting,10 or both.
Note: The auditor’s determination under this paragraph generally involves examining external information, which may include information that the company received from knowledgeable external sources.
Addressing Nonresponses and Incomplete Responses
.21 If the auditor does not receive a confirmation response to a positive confirmation request, the auditor should follow up with the confirming party. The auditor should evaluate any confirmation response subsequently received in accordance with paragraphs .18-.19 and any confirmation exception in accordance with paragraph .20.
.22 If a confirmation response is returned by the confirming party to anyone other than the auditor, the auditor should contact the confirming party and request that the response be re-sent directly to the auditor. If the auditor does not subsequently receive a confirmation response from the intended confirming party, the auditor should treat the situation as a nonresponse.
.23 In the case of a nonresponse or an incomplete response, the auditor should perform alternative procedures for the selected item in accordance with Appendix C.
Additional Considerations for Cash, Accounts Receivable, and Terms of Certain Transactions
Obtaining Audit Evidence Directly from a Knowledgeable External Source
.24 For cash and cash equivalents held by third parties (“cash”), and for accounts receivable that arise from the transfer of goods or services to a customer or a financial institution’s loans (“accounts receivable”), the auditor should perform confirmation procedures in accordance with paragraphs .08 through .23, or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source.
Note: The direction in paragraphs .08-.10 for identifying the information related to the relevant assertions that the auditor plans to verify with confirming parties and selecting confirming parties also applies when identifying the information maintained by knowledgeable external sources and selecting knowledgeable external sources.
.25 For accounts receivable, if the auditor determines it is not feasible to obtain audit evidence pursuant to paragraph .24 based on the auditor’s experience, such as prior years' audit experience with the company or experience with similar engagements where the auditor did not receive confirmation responses, and the auditor’s expectation of similar results if procedures were performed pursuant to paragraph .24, the auditor should obtain external information indirectly by performing other substantive procedures, including tests of details.11 The auditor should document any such determination in accordance with AS 1215, Audit Documentation.
Note: Obtaining external information indirectly may include, for example, obtaining from the company information such as subsequent cash receipts, shipping documents from third-party carriers, purchase orders, or signed contracts and amendments thereto, that the company received, in electronic form or in paper form, from one or more knowledgeable external sources.
Selecting Individual Items of Cash and Accounts Receivable
.26 In selecting the individual items of cash for which audit evidence should be obtained, the auditor should take into account the auditor’s understanding of the company’s cash management and treasury function, and the substance of the company’s arrangements and transactions with third parties.
.27 In selecting the individual accounts receivable for which audit evidence should be obtained, the auditor should take into account the auditor’s understanding of the substance of the company’s arrangements and transactions with third parties and the nature of items that make up account balances.
Communicating with the Audit Committee
.28 Under paragraph .09 of AS 1301, Communications with Audit Committees, the auditor should discuss with the audit committee the significant risks of material misstatement identified through the auditor’s risk assessment procedures. In addition, for significant risks associated with either cash or accounts receivable, the auditor should communicate when the auditor did not perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source in accordance with paragraph .24.12
Other Considerations
.29 In addition to obtaining audit evidence from a knowledgeable external source regarding cash in accordance with paragraph .24, the auditor should consider sending confirmation requests to that source about other financial relationships with the company, based on the assessed risk of material misstatement. Examples of other financial relationships are lines of credit, other indebtedness, compensating balance arrangements, or contingent liabilities, including guarantees.
.30 For significant risks of material misstatement associated with either a complex transaction or a significant unusual transaction, the auditor should consider confirming those terms of the transaction that are associated with a significant risk of material misstatement, including a fraud risk. Examples of such terms may include terms related to: (i) oral side agreements, or undisclosed written or oral side agreements, where the auditor has reason to believe that such agreements may exist, (ii) bill and hold sales,13 and (iii) supplier discounts or concessions.
Evaluating the Results
.31 AS 2810 establishes requirements regarding the auditor’s evaluation of audit results and determination of whether the auditor has obtained sufficient appropriate audit evidence.14 In performing this evaluation, the auditor should take into account all relevant audit evidence provided by confirmation procedures,15 alternative procedures, and other procedures to determine whether sufficient appropriate audit evidence has been obtained about the relevant financial statement assertions.16
APPENDIX A – Definitions
.A1 For purposes of this standard, the terms listed below are defined as follows:
.A2 Confirmation exception – Information in a confirmation response that differs from information the auditor obtained from the company.
.A3 Confirmation process – The process that involves selecting one or more items to be confirmed, sending a confirmation request directly to a confirming party, evaluating the information received, and addressing nonresponses and incomplete responses to obtain audit evidence about one or more financial statement assertions.
.A4 Confirmation request – A request from the auditor to a confirming party regarding information about one or more particular accounts, balances, transactions, or other items as a means of obtaining audit evidence about one or more financial statement assertions.
.A5 Confirmation response – Information obtained as a direct written communication (in paper or electronic form) to the auditor from a confirming party in response to a confirmation request.
.A6 Confirming party – A third party, whether an individual or an organization, to which the auditor sends a confirmation request.
.A7 Negative confirmation request – A confirmation request in which the auditor requests a confirmation response only if the confirming party disagrees with the information provided in the confirmation request.
.A8 Nonresponse – A situation in which (i) after sending a confirmation request, the request is returned undelivered; (ii) the auditor does not receive a confirmation response to a positive confirmation request directly from the intended confirming party; (iii) the auditor receives correspondence from the intended confirming party indicating that the confirming party is unable or unwilling to respond to the confirmation request; or (iv) the auditor receives an oral response only.
.A9 Positive confirmation request – A confirmation request in which the auditor requests a confirmation response.
APPENDIX B – Evaluating the Implications of Using an Intermediary to Facilitate Direct Electronic Transmission of Confirmation Requests and Responses
.B1 Paragraph .17 requires that the auditor evaluate the implications of using an intermediary to facilitate direct electronic transmission of confirmation requests and responses between the auditor and the confirming party on the reliability of confirmation requests and responses. In performing the evaluation, the auditor should:
- Obtain an understanding of the intermediary’s controls that address the risk of interception and alteration of the confirmation requests and responses.
- Determine whether the controls used by the intermediary to address the risk of interception and alteration are designed and operating effectively.
- Assess the relationship of the intermediary with the company – specifically, whether circumstances exist that give the company the ability to override the intermediary’s controls that address the risk of interception and alteration of the confirmation requests and responses (e.g., through financial, ownership, or other business relationships, contractual rights, or otherwise).
Note: If the auditor performs procedures to determine whether the controls used by the intermediary to address the risk of interception and alteration are designed and operating effectively at an interim date, the auditor should evaluate whether
the results of the procedures can be used during the period the auditor uses the intermediary to facilitate direct electronic transmission of confirmation requests and responses or whether additional procedures need to be performed to update
the results. In performing the evaluation, the auditor should consider the length of time between the date of the procedures and the period the auditor uses the intermediary to facilitate direct electronic transmission of confirmation requests
and responses, and the nature and extent of any changes in the process and controls used by the intermediary during that time.
.B2 If the auditor determines that (i) the intermediary has not implemented controls that are designed and operating effectively to address the risk of interception and alteration of the confirmation requests and responses and the auditor cannot address such risk by performing other audit procedures beyond inquiry, or (ii) circumstances exist that give the company the ability to override the intermediary’s controls, the auditor should not use the intermediary to send confirmation requests or receive confirmation responses. In this case, the auditor should send confirmation requests for the selected items without the use of an intermediary or, if unable to do so, perform alternative procedures in accordance with Appendix C.
Appendix C – Performing Alternative Procedures for Selected Items
.C1 When the auditor is unable to obtain relevant and reliable audit evidence about the selected item through confirmation, performing other audit procedures may be necessary. In addition, the auditor should evaluate the implications for the auditor’s assessment of the relevant risks of material misstatement, including fraud risks.17
.C2 Paragraphs .11 (inability to identify a confirming party), .19 (unreliable response), .23 (nonresponse or incomplete response), and. B2 (inability to use an intermediary) discuss certain situations in which the auditor should perform alternative procedures. The following are examples of alternative procedures that individually or in combination may provide relevant and reliable audit evidence for the selected item:18
- For cash items, verifying information about the company’s cash account maintained in a financial institution’s information system by viewing this information directly on a secure website of the financial institution.
- For accounts receivable items, examining one or more of the following: (i) subsequent cash receipts, including comparing the receipts with the amounts of the respective invoices being paid, (ii) shipping documents, or (iii) other supporting documentation (e.g., purchase orders or signed contracts and amendments thereto).
- For terms of a transaction or agreement, inspecting the signed contract and amendments thereto, comparing contractual terms to industry norms, and discussing and verifying significant information with other parties involved in the transaction or agreement (e.g., banks, guarantors, agents, or attorneys).
- For accounts payable items, examining one or more of the following: (i) subsequent cash disbursements, (ii) correspondence from vendors and suppliers, or (iii) other supporting documentation.
Note: Performing alternative procedures for items for which the auditor was not able to complete the audit procedures may not be necessary if these items,19 in the aggregate, and when added to the sum of all other uncorrected misstatements in relation to the account, would not change the outcome of the auditor’s evaluation performed in accordance with AS 2810.17.
Footnotes (AS 2310, The Auditor’s Use of Confirmation):
1 Terms defined in Appendix A, Definitions, are set in boldface type the first time they appear.
2 See AS 2110.74; see also paragraphs .02 and .29 of AS 1105, Audit Evidence.
3 See AS 1105.08.
4 See, e.g., AS 2301 (regarding the nature, timing, and extent of audit procedures); AS 2315, Audit Sampling (regarding planning, performing, and evaluating audit samples); and AS 2510, Auditing Inventories (regarding confirmation of inventories in the hands of public warehouses or other outside custodians).
5 AS 2410, Related Parties, requires the auditor to perform procedures to obtain an understanding of the company’s relationships and transactions with related parties.
6 See AS 1105.08.
7 See also AS 2301.16-.18 for a discussion of tests of controls.
8 The auditor may use internal auditors to provide direct assistance in other aspects of the confirmation process in accordance with AS 2605, Consideration of the Internal Audit Function, which establishes requirements for using internal auditors to provide direct assistance to the auditor including supervising, reviewing, evaluating and testing the work performed by internal auditors.
9 A note to AS 1105.08 also describes the auditor’s responsibilities to evaluate third-party evidence provided to the auditor subject to restrictions, limitations, or disclaimers.
10 In an integrated audit of financial statements and internal control over financial reporting, the auditor should perform the evaluation in accordance with AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. In an audit of financial statements, the auditor should follow the direction of AS 2201.62-.70, as stated in paragraph .03 of AS 1305, Communications About Control Deficiencies in an Audit of Financial Statements.
11 Under PCAOB standards, in general evidence obtained directly by the auditor is more reliable than evidence obtained indirectly. See AS 1105.08. In addition, AS 1105 establishes requirements regarding designing and performing audit procedures to obtain sufficient appropriate audit evidence and AS 2810 establishes requirements regarding the auditor's evaluation of audit results and determination of whether sufficient appropriate audit evidence has been obtained.
12 The term “audit committee,” as used in this standard, has the same meaning as defined in Appendix A of AS 1301. The communication to the audit committee should be made and documented in accordance with AS 1301.25 and .26.
13 Bill and hold sales are sales of merchandise that are billed to customers before delivery and are held by the entity for the customers.
14 See AS 2810.01.
15 Evaluating evidence provided by confirmation procedures includes, for example, the evaluation of confirmation exceptions in accordance with paragraph .20.
16 AS 2810.35 addresses situations where the auditor has not obtained sufficient appropriate audit evidence about a relevant assertion.
17 If the auditor is unable to obtain sufficient appropriate audit evidence about a relevant assertion, the auditor considers the impact on the audit opinion in accordance with AS 3105, Departures from Unqualified Opinions and Other Reporting Circumstances.
18 Performing alternative procedures that involve obtaining information from knowledgeable external sources will generally provide more relevant and reliable audit evidence than performing alternative procedures that involve obtaining information from only internal company sources.
19 The auditor would treat the items as 100 percent misstatements and, when sampling is used, project the misstatements to the populations from which the sample was selected in accordance with AS 2315.26.