Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the “Act”), notice is hereby given that on October 4, 2023, the Public Company Accounting Oversight Board (the “Board” or “PCAOB”) filed with the Securities and Exchange Commission (the “Commission” or “SEC”) the proposed rules described in Items I and II below, which items have been prepared by the Board. The Commission is publishing this notice to solicit comments on the proposed rules from interested persons.

I. Board's Statement of the Terms of Substance of the Proposed Rules

On September 28, 2023, the Board adopted amendments to auditing standards for the auditor's use of confirmation, and amendments to related PCAOB standards (collectively, the “proposed rules”), including the retitling and replacement of an existing standard with a new standard. The text of the proposed rules appears in Exhibit A to the SEC Filing Form 19b–4 and is available on the Board's website at https://pcaobus.org/​about/​rules-rulemaking/​rulemaking-dockets/​docket-028-proposed-auditing-standard-related-to-confirmation and at the Commission's Public Reference Room.

II. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules

In its filing with the Commission, the Board included statements concerning the purpose of, and basis for, the proposed rules and discussed comments it received on the proposed rules. The text of these statements may be examined at the places specified in Item IV below. The Board has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements. In addition, the Board is requesting that the Commission approve the proposed rules, pursuant to Section 103(a)(3)(C) of the Act, for application to audits of emerging growth companies (“EGCs”), as that term is defined in Section 3(a)(80) of the Securities Exchange Act of 1934 (“Exchange Act”). The Board's request is set forth in section D.

A. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules

(a) Purpose

Summary

The Board is replacing AS 2310, The Confirmation Process, in its entirety with a new standard, AS 2310, The Auditor's Use of Confirmation (“new standard”) to strengthen and modernize the requirements for the confirmation process. As described in the new standard, the confirmation process involves selecting one or more items to be confirmed, sending a confirmation request directly to a confirming party ( e.g., a financial institution), evaluating the information received, and addressing nonresponses and incomplete responses to obtain audit evidence about one or more financial statement assertions. If properly designed and executed by an auditor, the confirmation process may provide important evidence that the auditor obtains as part of an audit of a company's financial statements.

Why the Board Is Adopting These Changes Now

AS 2310 is an important standard for audit quality and investor protection, as the audit confirmation process touches nearly every audit. The standard was initially written over 30 years ago and has had minimal amendments since its adoption by the PCAOB in 2003.

The Board adopted the new standard after substantial outreach, including several rounds of public comment. The PCAOB previously considered updating AS 2310 by issuing a concept release in 2009 and a proposal in 2010 for a new auditing standard that would supersede AS 2310. While the PCAOB did not amend or replace AS 2310 at that time, subsequent developments—including the increasing use of electronic communications and third-party intermediaries in the confirmation process—led the Board to conclude that enhancements to AS 2310 and modifications to the approach proposed in 2010 could improve the quality of audit evidence obtained by auditors. In addition, the Board has observed continued inspection findings related to auditors' use of confirmation, as well as enforcement actions involving failures to adhere to requirements in the existing auditing standard regarding confirmation, such as the requirement for the auditor to maintain control over the confirmation process.

Accordingly, having considered these developments and input from commenters, the Board revisited the previously proposed changes and issued a new proposed standard to replace AS 2310, along with conforming amendments to other PCAOB auditing standards, in December 2022. Commenters generally supported the Board's objective of improving the confirmation process, and suggested areas to further improve the new standard, modify proposed requirements that would not likely improve audit quality, and clarify the application of the new standard. In adopting the new standard and related amendments, the Board has taken into account all of these comments, as well as observations from PCAOB oversight activities.

Key Provisions of the New Standard

The new standard and related amendments are intended to enhance the PCAOB's requirements on the use of confirmation by describing principles-based requirements that apply to all methods of confirmation, including paper-based and electronic means of communications. In addition, the new standard is more expressly integrated with the PCAOB's risk assessment standards by incorporating certain risk-based considerations and emphasizing the auditor's responsibilities for obtaining relevant and reliable audit evidence through the confirmation process. Among other things, the new standard:

• Includes a new requirement regarding confirming cash and cash equivalents held by third parties (“cash”), or otherwise obtaining relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source;
• Carries forward the existing requirement regarding confirming accounts receivable, while addressing situations where it would not be feasible for the auditor to perform confirmation procedures or obtain relevant and reliable audit evidence for accounts receivable by directly accessing information maintained by a knowledgeable external source;
• States that the use of negative confirmation requests alone does not provide sufficient appropriate audit evidence (and includes examples of situations where the auditor may use negative confirmation requests to supplement other substantive audit procedures);

• Emphasizes the auditor's responsibility to maintain control over the confirmation process and provides that the auditor is responsible for selecting the items to be confirmed, Start Printed Page 71685 sending confirmation requests, and receiving confirmation responses; and

• Identifies situations in which alternative procedures should be performed by the auditor (and includes examples of such alternative procedures that may provide relevant and reliable audit evidence for a selected item).

(b) Statutory Basis

The statutory basis for the proposed rules is Title I of the Act.

B. Board's Statement on Burden on Competition

Not applicable. The Board's consideration of the economic impacts of the proposed rules is discussed in section D below.

C. Board's Statement on Comments on the Proposed Rules Received From Members, Participants or Others

The Board released the proposed rules for public comment in PCAOB Release No. 2022–009 (Dec. 20, 2022) (“2022 Proposal”). The Board previously issued a concept release for public comment in PCAOB Release No. 2009–002 (Apr. 14, 2009) (“2009 Concept Release”) and a proposed auditing standard related to confirmation and related amendments to PCAOB standards in PCAOB Release No. 2010–003 (July 13, 2010) (“2010 Proposal”). The Board received 98 written comment letters relating to the 2022 Proposal, the 2009 Concept Release, and the 2010 Proposal. The Board has carefully considered all comments received. The Board's response to the comments it received and the changes made to the rules in response to the comments received are discussed below.

Background

Information obtained by the auditor directly from knowledgeable external sources, including through confirmation, can be an important source of evidence obtained as part of an audit of a company's financial statements.^[1] Confirmation has long been used by auditors. For example, one early auditing treatise noted the importance of confirmation for cash deposits, accounts receivable, and demand notes.^[2] In addition, confirmation of accounts receivable has been a required audit procedure in the United States since 1939, when the American Institute of Accountants ^[3] adopted Statement on Auditing Procedure No. 1 (“SAP No. 1”) as a direct response to the McKesson & Robbins fraud case, which involved fraudulently reported inventories and accounts receivable that the independent auditors failed to detect after performing other procedures that did not involve confirmation.^[4]

SAP No. 1 required confirmation of accounts receivable by direct communication with customers in all independent audits of financial statements, subject to the auditor's ability to overcome the presumption to confirm accounts receivable for certain reasons. Following the adoption of SAP No. 1, the accounting profession also adopted a requirement in 1942, which remained in effect until the early 1970s, that auditors should disclose in the auditor's report when confirmation of accounts receivable was not performed. The AICPA's subsequent revisions to its auditing standards included the promulgation of AU sec. 330, The Confirmation Process, which was adopted in 1991 and took effect in 1992. The PCAOB adopted AU sec. 330 (now AS 2310) as an interim standard in 2003.^[5]

The amendments to the standards for the auditor's use of confirmation are intended to improve audit quality through principles-based requirements that apply to all methods of confirmation and are more expressly integrated with the Board's risk assessment standards. These enhancements should also lead to improvements in practice, commensurate with the associated risk, among audit firms of all sizes. The expected increase in audit quality should also enhance the credibility of information provided in a company's financial statements.

Rulemaking History

The final amendments to the auditing standards reflect public comments on a concept release and two proposals. In April 2009, the PCAOB issued a concept release seeking public comment on the potential direction of a standard-setting project that could result in amendments to the PCAOB's existing standard on the confirmation process or a new auditing standard that would supersede the existing standard.^[6] The 2009 Concept Release discussed existing requirements and posed questions about potential amendments to those requirements.

In July 2010, the PCAOB proposed an auditing standard that, if adopted, would have superseded the existing confirmation standard.^[7] The 2010 Proposal was informed by comments on the 2009 Concept Release and was intended to strengthen the existing standard by, among other things, expanding certain requirements and introducing new requirements. In general, commenters on the 2010 Proposal supported updating the existing standard to address relevant developments in audit practice, including greater use of emailed confirmation requests and responses and the involvement of third-party intermediaries. At the same time, some commenters asserted that the proposed requirements in the 2010 Proposal were unduly prescriptive ( i.e., included too many presumptively mandatory requirements) and would result in a significant increase in the volume of confirmation requests without a corresponding increase in the quality of audit evidence obtained by the auditor. The PCAOB did not adopt the 2010 Proposal.

In December 2022, the Board issued a proposed auditing standard to improve the quality of audits when confirmation is used by the auditor and to reflect changes in the means of communication and in business practice since the standard was originally issued.^[8] The 2022 Proposal was informed by comments on the 2009 Concept Release and 2010 Proposal and specified the auditor's responsibilities regarding the confirmation process. The Board received 46 comment letters on the 2022 Proposal from commenters across a range of affiliations. Those comments Start Printed Page 71686 are discussed throughout this release. Commenters on the 2022 Proposal generally expressed support for the project's objective and suggested ways to revise or clarify the proposed standard. The Board considered the comments on the 2022 Proposal, as well as on the 2009 Concept Release and the 2010 Proposal, in developing the final amendments.^[9] The Board also considered observations from PCAOB oversight activities.

Existing Standard

This section discusses key provisions of the existing PCAOB auditing standard on the confirmation process.

In 2003, the PCAOB adopted the standard now known as AS 2310 (at that time, AU sec. 330), when it adopted the AICPA's standards then in existence. Existing AS 2310 indicates that confirmation is the process of obtaining and evaluating a direct communication from a third party in response to a request for information about a particular item affecting financial statement assertions.^[10] For example, an auditor might request a company's customers to confirm balances owed at a certain date, or request confirmation of a company's accounts or loans payable to a bank at a certain date.

Key provisions of existing AS 2310 include the following:

• A presumption that the auditor will request confirmation of accounts receivable. The standard states that confirmation of accounts receivable is a generally accepted auditing procedure and provides the situations in which the auditor may overcome the presumption.
• Procedures for designing the confirmation request, including the requirement that the auditor direct the confirmation request to a third party who the auditor believes is knowledgeable about the information to be confirmed.

• Procedures relating to the use of both positive and negative confirmation requests. A positive confirmation request directs the recipient to send a response back to the auditor stating the recipient's agreement or disagreement with information stated in the request, or furnishing requested information. A negative confirmation request directs the recipient to respond back to the auditor only when the recipient disagrees with information in the auditor's request. The standard states that “[n]egative confirmation requests may be used to reduce audit risk to an acceptable level when (a) the combined assessed level of inherent and control risk is low, (b) a large number of small balances is involved, and (c) the auditor has no reason to believe that the recipients of the requests are unlikely to give them consideration.” ^[11] If negative confirmation requests are used, the auditor should consider performing other substantive procedures to supplement their use.^[12]

• A requirement for the auditor to maintain control over confirmation requests and responses by establishing direct communication between the intended recipient and the auditor.
• Procedures to consider when the auditor does not receive a written confirmation response via return mail, including how the auditor should evaluate the reliability of oral and facsimile responses to written confirmation requests. The standard provides that, when confirmation responses are in other than a written format mailed to the auditor, additional evidence may be necessary to establish the validity of the respondent.
• A requirement that the auditor should perform alternative procedures when the auditor has not received a response to a positive confirmation request.
• Requirements for the auditor's evaluation of the results of confirmation procedures and any alternative procedures performed by the auditor. These provisions include the requirement that, if the combined evidence provided by confirmation, alternative procedures, and other procedures is not sufficient, the auditor should request additional confirmations or extend other tests, such as tests of details or analytical procedures.

Current Practice

This section discusses the Board's understanding of current practice based on, among other things, observations from oversight activities of the Board and SEC enforcement actions.

Overview of Current Practice

The audit confirmation process touches nearly every financial statement audit conducted under PCAOB auditing standards. This is due in part to the presumption in existing AS 2310 that the auditor will confirm accounts receivable, which include claims against customers that have arisen from the sale of goods or services in the normal course of business and a financial institution's loans, unless certain exemptions apply. In addition, audit methodologies of many larger audit firms affiliated with global networks recommend or require confirming cash accounts. In the past, the use of confirmation was a common practice for auditing a financial institution's customer deposits. In recent years, however, there has been an increased wariness about phishing attempts by unauthorized parties aimed at obtaining sensitive personal or financial information of customers. As a result, some customers might not understand or trust an -unsolicited confirmation request from an auditor and, indeed, many financial institutions and other companies now advise customers not to reply to unsolicited correspondence concerning their accounts or other customer relationships.^[13]

Existing AS 2310 was written at a time when paper-based confirmation requests and responses were the prevailing means of communication. Since then, emailed confirmation requests and responses, and the use of technology-enabled confirmation tools, including the use of intermediaries to facilitate the confirmation process, have become commonplace. For example, numerous financial institutions in the United States, and an increasing number of international banks, mandate the use of an intermediary as part of the confirmation process and will not otherwise respond to an auditor's confirmation request.

As noted above, existing AS 2310 provides that the auditor should maintain control over the confirmation process. In practice, complying with this requirement involves the auditor directly sending the confirmation request to the confirming party via mail or email, without involving company personnel. The auditor's confirmation request generally specifies that any correspondence should be sent directly to the auditor's location (or email address) to minimize the risk of interference by company personnel. When an intermediary facilitates direct electronic communications between the auditor and the confirming party, the auditor is still required to maintain control over the confirmation process. Procedures performed by audit firms to address this requirement vary depending on facts and circumstances. Start Printed Page 71687 Some auditors have used a report on controls at a service organization (“SOC report”) to evaluate the design and operating effectiveness of the intermediary's controls relevant to sending and receiving confirmations.

Under the existing standard, auditors can use positive confirmation requests and, provided certain conditions are met, negative confirmation requests. A positive confirmation request either asks the recipient to respond directly to the auditor about whether the recipient agrees with information that is stated in the request or asks the recipient to provide the requested information by filling in a blank form. In comparison, a negative confirmation request directs the recipient to respond only when the recipient disagrees with the information included in the request. In practice, negative confirmation requests have typically been used to obtain audit evidence related to the completeness of deposit liabilities and other accounts of a similar nature and, less frequently, to obtain evidence related to the existence of accounts receivable. In some cases, auditors use a combination of positive and negative confirmation requests.

Observations From Inspections and Enforcement Actions

This section discusses observations from PCAOB oversight activities and SEC enforcement actions, including (1) PCAOB inspections of registered public accounting firms (“firms”) and (2) enforcement actions relating to deficient confirmation procedures performed by the auditor. These observations have informed the Board's view that providing greater clarity as the Board strengthens the requirements could result in improved compliance by auditors.

Inspections. Over the past several years, PCAOB inspections indicated that some auditors did not fulfill their responsibilities under the existing standard when performing confirmation procedures. The shortcomings have been noted at large and small domestic firms, and at large firms with domestic and international practices. For example, some auditors did not: (1) consider performing procedures to verify the source of confirmation responses received electronically; (2) perform sufficient alternative procedures; (3) restrict the use of negative confirmation requests to situations where the risk of material misstatement was assessed as low; or (4) maintain appropriate control over the confirmation process, including instances where company personnel were involved in either sending or receiving confirmations.

The PCAOB has also continued to monitor developments relating to the use of confirmation through its other oversight and research activities. For example, in 2021, the PCAOB staff issued a Spotlight discussing, among other things, the use of technology in the confirmation process.^[14] In addition, in 2022, the PCAOB staff issued a Spotlight that specifically discussed observations and reminders on the use of a service provider in the confirmation process.^[15]

Enforcement actions. Over the years, there have been a number of enforcement actions by the PCAOB and the SEC alleging that auditors failed to comply with PCAOB standards related to the confirmation process. Enforcement actions have been brought against large and small firms, and against U.S. and non-U.S. firms.

For example, PCAOB enforcement cases have involved allegations that auditors failed to: (1) perform appropriate confirmation procedures to address a fraud risk; ^[16] (2) adequately respond to contradictory audit evidence obtained from confirmation procedures; ^[17] (3) perform appropriate confirmation procedures and alternative procedures for accounts receivable; ^[18] or (4) maintain proper control over the confirmation process.^[19]

In several confirmation-related enforcement cases, the SEC alleged that the deficient confirmation procedures by the auditors involved companies that had engaged in widespread fraud, where properly performed confirmation procedures might have led to the detection of the fraudulent activity.^[20] Further, in a number of proceedings, the SEC alleged that confirmation procedures were not properly designed ^[21] or, more frequently, that the auditors failed to adequately evaluate responses to confirmation requests and perform alternative or additional procedures in light of exceptions, nonresponses, or responses that should have raised issues as to their reliability or the existence of undisclosed related parties.^[22] Several of these proceedings were brought in recent years, suggesting that problems persist in this area.

Reasons To Improve Auditing Standards

The amendments to PCAOB standards being adopted are intended to enhance audit quality by clarifying and strengthening the requirements for the auditor's use of confirmation. The final amendments are also more expressly integrated with the PCAOB's risk assessment standards by incorporating certain risk-based considerations and emphasizing the auditor's responsibilities for obtaining relevant and reliable audit evidence through the confirmation process. The Board believes that these improvements will enhance both audit quality and the credibility of the information provided in a company's financial statements.

Areas of Improvement

The Board has identified two important areas where improvements are warranted to existing standards, discussed below: (1) updating the standards to reflect developments in Start Printed Page 71688 practice and (2) clarifying the auditor's responsibilities to evaluate the reliability of evidence obtained through confirmation responses.

Updating the Standards To Reflect Developments in Practice

The new standard supports the auditor's use of electronic forms of communication between the auditor and the confirming party. Since the AICPA standard on the confirmation process adopted by the PCAOB took effect in 1992, there has been a significant change in the auditing environment and the means by which an auditor communicates with confirming parties. Emails and other forms of electronic communications between auditors and confirming parties have become ubiquitous, and third-party intermediaries now often facilitate the electronic transmission of confirmation requests and responses between auditors and confirming parties.

In addition, the Board believes its auditing standards should allow for continued innovation by auditors in the ways they obtain audit evidence. Traditionally, auditors have used confirmation in circumstances where reliable evidence about financial statement assertions could be obtained directly from a third party that transacts with the company ( e.g., to confirm the existence of cash or accounts receivable). Generally, audit evidence obtained directly from knowledgeable external sources, including through confirmation, has been viewed as more reliable than evidence obtained through other audit procedures available to the auditor,^[23] especially where the auditor identified a risk of fraud, chose not to test controls, or determined that controls could not be relied on.^[24]

The PCAOB staff's research indicates that some audit firms may have developed or may yet develop audit techniques that enable the auditor to obtain relevant and reliable audit evidence for the same assertions by performing substantive audit procedures that do not include confirmation, as discussed in more detail below. To reflect these developments, the new standard allows the performance of other procedures in lieu of confirmation for cash and accounts receivable in situations where the auditor can obtain relevant and reliable audit evidence by directly accessing information maintained by knowledgeable external sources. Further, the new standard acknowledges that, in certain situations, it may not be feasible for the auditor to obtain audit evidence for accounts receivable directly from a knowledgeable external source and provides that in those situations the auditor should obtain external information indirectly by performing other substantive procedures, including tests of details.

Clarifying the Auditor's Responsibilities To Evaluate the Reliability of Confirmation Responses

While information obtained through the confirmation process can be an important source of audit evidence, the confirmation process must be properly executed for the evidence obtained to be relevant and reliable. The enforcement actions discussed above and other recent high-profile financial reporting frauds have also called attention to the importance of well-executed confirmation procedures, including the confirmation of cash.^[25] In addition, PCAOB oversight activities have identified instances in which auditors did not obtain sufficient appropriate audit evidence when using confirmation. Accordingly, the new standard includes a new requirement to confirm certain cash balances and clarifies the auditor's responsibilities to evaluate the reliability of evidence obtained through confirmation responses (and, when necessary, to obtain audit evidence through alternative procedures).

Comments on the Reasons for Standard Setting

Many commenters on the 2022 Proposal broadly expressed support for revisions to the Board's standard on the auditor's use of confirmation to reflect developments in practice since the AICPA standard on the confirmation process adopted by the PCAOB took effect in 1992. A number of commenters also agreed that the standard on the auditor's use of confirmation should be more closely aligned with the Board's risk assessment standards. In addition, some commenters stated that updates to the PCAOB's standard on the auditor's use of confirmation would be generally consistent with their prior recommendations to the Board that the Board modernize its interim auditing standards. Other commenters suggested that the Board should also engage in additional outreach with investors or that it consider other mechanisms to engage with stakeholders prior to the adoption of standards, such as roundtables and pre-implementation “field testing” of proposed standards.

In addition, several commenters expressed support for the proposition that the PCAOB's auditing standards should allow for continued innovation by auditors in the ways they obtain audit evidence. These commenters generally stated that standards should be written to evolve with future technologies, including new methods of confirmation that may arise from technological changes in auditing in the future. A few commenters stated that the 2022 Proposal provided flexibility to respond to the current use of technology in the audit process, or left enough room for judgment-based application for further advances in technology. In comparison, some commenters stated that the proposed standard was not sufficiently forward-looking. Several commenters cautioned against more explicitly addressing the use of technology ( i.e., by adding prescriptive requirements), noting that doing so might not allow the standard to age effectively with time and innovation.

Several commenters broadly expressed support for the Board's goal, as described in the 2022 Proposal, of improving the quality of audit evidence obtained by auditors when using confirmation. One of these commenters stated that it was critical that confirmation requests are properly designed and that confirmation responses are appropriately evaluated, especially when there are confirmation exceptions or concerns about their reliability. In addition, other commenters generally expressed Start Printed Page 71689 support for the proposed requirements and stated they would lead to improvements in audit quality. A number of commenters, primarily firms and firm-related groups, asserted that certain requirements in the 2022 Proposal were unduly prescriptive and that the final standard should be more principles-based and risk-based to allow for more auditor judgment. In comparison, an investor-related group suggested that the Board remind auditors that, in exercising professional judgment, their judgments must be reasonable, careful, documented, and otherwise in compliance with applicable professional requirements.

In adopting the new standard, the Board has considered these comments on the 2022 Proposal, as well as the comments received on the 2010 Proposal and the 2009 Concept Release. Based on the information available to the Board—including the current regulatory baseline, observations from our oversight activities, academic literature, and comments—the Board believes that investors will benefit from strengthened and clarified auditing standards in this area. To the extent that commenters provided comments or expressed concerns about specific aspects of the proposed revisions to the Board's existing standard on the auditor's use of confirmation, the Board's consideration of these comments is discussed further below and elsewhere in this exhibit. While the Board does not expect that the new standard will eliminate inspection deficiencies observed in practice, it is intended to clarify the auditor's responsibilities and align the requirements for the use of confirmation more closely with the PCAOB's risk assessment standards.

The new standard also reflects several changes that were made after the Board's consideration of comments received about the potential impact of the proposed new standard on auditors, issuers, and intermediaries. In addition, some commenters called for a broader alignment of PCAOB standards with standards issued by other standard setters, namely the International Auditing and Assurance Standards Board (“IAASB”) and the AICPA's Auditing Standards Board (“ASB”). A few commenters stated that PCAOB standards should be harmonized with IAASB standards, in the interest of global comparability, and, in the view of one commenter, with ASB standards. A few commenters stated that the Board should provide robust and detailed explanations of differences between PCAOB standards and the standards of other standard setters. One commenter indicated that the dual standard-setting structure in the United States ( i.e., the existence of both PCAOB and ASB standards) creates issues that could erode audit quality.

The Board carefully considered the approaches of other standard setters when developing the 2022 Proposal, and the new standard reflects the approach that the Board believes best protects investors and furthers the public interest. As a result, certain differences will continue to exist between the Board's new standard and those of other standard setters, including a number of provisions that the Board believes are appropriate and consistent with its statutory mandate to protect the interests of investors and further the public interest.

Discussion of Final Rules

Overview of New Standard

The new standard replaces existing AS 2310 in its entirety. The provisions of the new standard the Board has adopted are intended to strengthen existing requirements for the auditor's use of confirmation. Key aspects of the new standard:

• Include principles-based requirements that are designed to apply to all methods of confirmation. The new standard is designed to enhance requirements that apply to longstanding methods, such as the use of paper-based confirmation requests and responses sent via regular mail; methods that involve electronic means of communications, such as the use of email or an intermediary to facilitate direct electronic transmission of confirmation requests and responses; and methods that are yet to emerge, thus encouraging audit innovation.

• Expressly integrate the requirements for the auditor's use of confirmation with the requirements of the Board's risk assessment standards, including AS 1105. The new standard specifies certain risk-based considerations and emphasizes the auditor's responsibilities for obtaining relevant and reliable audit evidence when performing confirmation procedures.

• Emphasize the use of confirmation procedures in certain situations. The new standard adds a new requirement that the auditor should perform confirmation procedures for cash held by third parties, carries forward an existing requirement that the auditor should perform confirmation procedures for accounts receivable, and adds a new provision that the auditor may otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source for cash and accounts receivable. In addition, the new standard carries forward an existing requirement to consider confirming the terms of certain other transactions.

• Address situations in which it would not be feasible for the auditor to obtain information directly from a knowledgeable external source. The new standard provides that if it would not be feasible for the auditor to obtain audit evidence directly from a knowledgeable external source for accounts receivable, the auditor should perform other substantive audit procedures, including tests of details, that involve obtaining audit evidence from external sources indirectly.

• Communicate to the audit committee certain audit responses to significant risks. Under the new standard, for significant risks associated with cash or accounts receivable, the auditor is required to communicate with the audit committee when the auditor did not perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source.

• Reflect the relatively insignificant amount of audit evidence obtained when using negative confirmation requests. Under the new standard, the use of negative confirmation requests may provide sufficient appropriate audit evidence only when combined with other substantive audit procedures. The new standard includes examples of situations in which the use of negative confirmation requests in combination with other substantive audit procedures may provide sufficient appropriate audit evidence.

• Emphasize the auditor's responsibility to maintain control over the confirmation process. The new standard states that the auditor should select the items to be confirmed, send confirmation requests, and receive confirmation responses.

• Provide more specific direction for circumstances where the auditor is unable to obtain relevant and reliable audit evidence through confirmation. The new standard identifies situations where other procedures should be performed by the auditor as an alternative to confirmation. The new standard also includes examples of alternative procedures that individually or in combination may provide relevant and reliable audit evidence.

Introduction and Objective

(See paragraphs .01 and .02 of the new standard).Start Printed Page 71690

The 2022 Proposal included requirements for the auditor's use of confirmation. As discussed in the proposal, the confirmation process involves selecting one or more items to be confirmed, sending a confirmation request directly to a confirming party, evaluating the information received, and addressing nonresponses and incomplete responses to obtain audit evidence about one or more financial statement assertions. Confirmation is one of the specific audit procedures described in PCAOB standards that an auditor could perform when addressing a risk of material misstatement.^[26] As is the case with other audit procedures, information obtained through confirmation may support and corroborate management's assertions or it may contradict such assertions.^[27]

Under the 2022 Proposal, the auditor's objective in designing and executing the confirmation process was to obtain relevant and reliable audit evidence about one or more relevant financial statement assertions of a significant account or disclosure.^[28] Existing AS 2310 does not include an objective.

As discussed below, the Board has modified the introduction and objective in the proposed standard in several respects.

A number of commenters stated that the objective of the proposed standard was clear. One commenter stated that the objective should be to provide requirements and guidance in situations where the auditor, as a result of its risk-assessment procedures, determines that confirmation procedures provide an appropriate response to one or more assertions related to an identified risk of material misstatement. Another commenter asserted that the objective in the proposed standard did not result in greater clarity than the proposed objective in the 2010 Proposal and created a wider gap between the PCAOB's standards and the equivalent standard of the IAASB.

Having considered these comments, the Board has revised the introduction to provide that the new standard establishes requirements regarding obtaining audit evidence from a knowledgeable external source through the auditor's use of confirmation. The introduction further states that the new standard includes additional requirements regarding obtaining audit evidence for cash, accounts receivable, and terms of certain transactions. The Board believes that this language more clearly aligns with the approach to the auditor's use of confirmation in the new standard and the inclusion of specific requirements in the new standard with respect to cash, accounts receivable, and terms of certain transactions.

In addition, the Board has added the phrase “from a knowledgeable external source” to the objective, such that the new standard provides that the objective of the auditor in designing and executing the confirmation process is to obtain relevant and reliable audit evidence from a knowledgeable external source about one or more relevant financial statement assertions of a significant account or disclosure. This language underscores that, when properly designed and executed, the confirmation process involves obtaining audit evidence regarding specific items from a knowledgeable external source. A knowledgeable external source, as referred to in the new standard, generally is a third party who the auditor believes has knowledge of the information that may be used as audit evidence. To the extent that this objective differs from the objective in standards adopted by other standard-setting bodies on the auditor's use of confirmation, the Board believes it appropriately reflects the Board's approach in the new standard and is consistent with its statutory mandate to protect the interests of investors and further the public interest. The next section of this exhibit further discusses the relationship of the confirmation process to the auditor's identification and assessment of, and response to, the risks of material misstatement.

Relationship of the Confirmation Process to the Auditor's Identification and Assessment of and Response to the Risks of Material Misstatement

(See paragraphs .03–.07 of the new standard).

When an auditor uses confirmation, the auditor should be mindful of, and comply with, the existing obligation to exercise due professional care in all matters relating to the audit.^[29] Due professional care requires the auditor to exercise professional skepticism, which is an attitude that includes a questioning mind and a critical assessment of audit evidence. Professional skepticism should be exercised throughout the audit process,^[30] including when identifying information to confirm, identifying confirming parties, evaluating confirmation responses, and addressing nonresponses. The requirements related to exercising professional skepticism, in combination with requirements in other PCAOB standards, are designed to reduce the risk of confirmation bias, a phenomenon wherein decision makers have been shown to actively seek out and assign more weight to evidence that confirms their hypothesis, and ignore or assign less weight to evidence that could disconfirm their hypothesis.^[31]

The 2022 Proposal described how the proposed standard would work in conjunction with the PCAOB standards on risk assessment. AS 2110 establishes requirements regarding the process of identifying and addressing the risks of material misstatement of the financial statements, and AS 2301, The Auditor's Responses to the Risks of Material Misstatement, establishes requirements regarding designing and implementing appropriate responses to the risks of material misstatement. Fundamental to the PCAOB's risk assessment standards is the concept that as risk increases, so does the amount of evidence that the auditor should obtain.^[32] Further, evidence obtained from a knowledgeable external source generally is more reliable than evidence obtained only from internal company sources.^[33]

Where the auditor uses confirmation as part of the auditor's response, the 2022 Proposal addressed the auditor's responsibilities for designing and executing the confirmation process to obtain relevant and reliable audit evidence. When properly designed and executed, the confirmation process can be an effective and efficient way of obtaining relevant and reliable external audit evidence, including in situations where the auditor identifies an elevated risk of material misstatement due to error or fraud. Start Printed Page 71691

The 2022 Proposal also recognized that performing confirmation procedures can effectively and efficiently provide evidential matter about certain financial statement assertions, including existence, occurrence, completeness, and rights and obligations. For example, confirmation may provide audit evidence related to the existence of cash, accounts receivable, and financial instruments, or the completeness of debt. However, the confirmation process generally provides less relevant evidence about the valuation assertion ( e.g., the confirming party may not intend to repay in full the amount owed, or the custodian may not know the value of shares held in custody). Confirmation could also be used to obtain audit evidence about the terms of contractual arrangements ( e.g., by verifying supplier discounts or concessions, corroborating sales practices, or substantiating oral arrangements and guarantees). Information in confirmation responses may indicate the existence of related parties, or relationships or transactions with related parties, previously undisclosed to the auditor.

The Board also observed in the 2022 Proposal that, in some situations, an auditor may determine that evidence obtained through confirmation may constitute sufficient appropriate audit evidence for a particular assertion, while in other situations performing other audit procedures in addition to confirmation may be necessary to obtain sufficient appropriate audit evidence. For example, for significant unusual sales transactions and the resulting accounts receivable balances, an auditor might confirm significant terms of the transactions and the receivable balances with the transaction counterparties and perform additional substantive procedures, such as examination of shipping documents and subsequent cash receipts. Determining the nature, timing, and extent of confirmation procedures, and any other additional audit procedures, is part of designing and implementing the auditor's response to the assessed risk of material misstatement.

The Board adopted the provisions in the 2022 Proposal that address the relationship of the confirmation process to the auditor's identification and assessment of and response to the risks of material misstatement, with certain modifications discussed below.

Overall, commenters expressed support for aligning the proposed standard on confirmation with the PCAOB's existing risk assessment standards. Several commenters stated that they had not identified changes needed to the proposed standard to align further with the PCAOB's risk assessment standards. Other commenters, as discussed below, called for various changes to the proposed provisions:

• Several commenters suggested that there could be further alignment of the 2022 Proposal with the risk assessment standards to enable the level of risk to drive the nature of the audit response. A number of commenters asserted that the 2022 Proposal included certain prescriptive requirements for the confirmation process, regardless of the assessed level of risk, and that those provisions could detract from the auditor's ability to apply professional judgment to determine the appropriate audit response. Consistent with the objective of the new standard, the requirements under the new standard apply to a significant account or disclosure.^[34] The new standard thus does not establish a presumption to confirm cash or accounts receivable if the auditor has not determined cash or accounts receivable to be a significant account. The auditor may choose to perform confirmation procedures, however, in situations other than those specifically addressed in paragraphs .24 through .30 of the new standard. The new standard does not otherwise prescribe the timing or extent of confirmation procedures, which are discussed as part of the auditor's response to the risks of material misstatement in AS 2301.

• Several commenters stated that paragraphs .06 and .07 of the proposed standard overly emphasized confirmation as being the most persuasive substantive audit procedure, with any other procedure thereby viewed as being less persuasive. One commenter asserted that that the 2022 Proposal appeared to be premised on an assumption that third-party confirmations represent “first best” audit evidence, regardless of the facts and circumstances. In addition, one commenter questioned whether the Board intended for confirmation to be used whenever possible to obtain evidence. Having considered these comments, the Board has made several changes in the new standard to clarify certain provisions. In the new standard, the Board has revised paragraph .06, which discusses obtaining audit evidence from knowledgeable external sources, to emphasize the source of the audit evidence, rather than the type of audit procedure performed. The Board understands that advances in technology, as well as changes in attitudes towards confirmation ( e.g., the potential hesitation of confirming parties to reply to a confirmation request from auditors because of the concern of falling victim to a phishing attack), have led auditors to perform other types of audit procedures that can provide relevant and reliable external evidence.

• Some commenters stated that the proposed standard could give rise to unrealistic expectations about confirmation procedures effectively addressing the risk of material misstatement due to fraud in all circumstances. While the Board does not believe that the new standard creates an unrealistic expectation about audit evidence obtained through confirmation, the appropriate focus of the auditor should be the obligation to obtain relevant and reliable audit evidence. Accordingly, the Board did not adopt paragraph .07 of the proposed standard, which had provided that “in situations involving fraud risks and significant unusual transactions, audit evidence obtained through the confirmation process generally is more persuasive than audit evidence obtained solely through other procedures.”
• Several commenters recommended that the standard address the current and anticipated use of technology to enable auditors to obtain sufficient appropriate audit evidence through performing audit procedures other than confirmation. Some commenters provided examples of using technology-based procedures in lieu of confirmations, including accessing company balances directly at the relevant financial institution and testing internal data against external data sources using audit data analytics. The Board considered these comments in developing the new standard. In particular, as discussed below, the new standard includes a presumption for the auditor to confirm cash and accounts receivable, or otherwise obtain relevant and reliable audit evidence for these accounts by directly accessing information maintained by a knowledgeable external source.

• One commenter suggested that the note to paragraph .05 of the proposed standard should also direct the auditor to take into account internal controls over cash, including segregation of duties, when there are side agreements to revenue transactions. The Board did not make this change in the new standard. The Board notes that internal control considerations are addressed by existing PCAOB standards, which Start Printed Page 71692 require obtaining an understanding of the company's controls when assessing the risk of material misstatement and identifying and testing certain controls when the auditor plans to rely on controls to respond to the assessed risk.^[35] The auditor would consider controls over cash when performing these procedures.

• With respect to the examples of assertions in paragraph .06 of the proposed standard, one commenter asserted that a final standard should more fully explain that a confirmation generally serves to test the assertion of existence, but does not serve to test other assertions such as valuation, including collectability. The Board did not incorporate such language in the new standard because it believes that limiting the use of confirmation to the existence assertion would be overly prescriptive and might disallow use of confirmation in other situations where the auditor has determined that confirmation could be used to obtain relevant and reliable information to test other assertions.

As discussed below, the Board continues to believe that confirmation procedures generally would provide relevant and reliable audit evidence for cash and accounts receivable. Accordingly, under the new standard the auditor should perform confirmation procedures or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source when the auditor determines that these accounts are significant accounts. In addition, the new standard specifies that when the auditor has identified a significant risk of material misstatement associated with either a complex transaction or a significant unusual transaction, the auditor should consider confirming those terms of the transaction that are associated with a significant risk of material misstatement, including a fraud risk.

Other Use of Confirmation Procedures. The 2022 Proposal requested commenters' views on whether there were additional accounts or financial statement assertions for which the auditor should be required to perform confirmation procedures. In addition, the 2022 Proposal requested views on whether the proposal was sufficiently flexible to accommodate situations where an auditor chooses to confirm information about newer types of assets ( e.g., digital assets based on blockchain or similar technologies).

Two investor-related groups identified specific types of additional transactions that should be subject to confirmation, including transactions (1) with unusual terms and conditions, (2) with related parties, (3) where the auditor has concern about whether side letters may exist, (4) where financing is obtained, including bank debt or supplier-provided financing, (5) involving certain sales practices, such as bill-and-hold arrangements or supplier discounts or concessions, (6) involving certain oral arrangements or guarantees, or (7) involving sales, lending, or liability for custodianship of digital assets. Another commenter suggested that confirmation of accounts payable should be considered, but not required, when auditors assess controls over the recording of liabilities to be ineffective. This commenter also suggested that the Board state that the use of confirmation is not limited to the circumstances discussed in the proposed standard.

In comparison, many firms and firm-related groups stated that the proposed standard should not prescribe additional other presumptive requirements to use confirmation. These commenters noted that doing so would be unduly prescriptive. Several commenters stated that the proposed standard provided for an appropriate amount of auditor judgment in determining when to perform confirmation procedures in situations other than those specifically addressed in the standard. In addition, several commenters indicated that the 2022 Proposal offered sufficient flexibility to accommodate situations where an auditor confirms information about newer types of assets.

Several commenters asserted that the effectiveness of confirmation procedures is negatively affected by the fact that third parties are not obligated, under legislation or regulation, to reply to an auditor's confirmation request.

The new standard does not specify additional accounts or transactions for which confirmation procedures are presumptively required beyond those in the 2022 Proposal. The PCAOB's risk assessment standards are foundational and are used by the auditor to determine the appropriate response to identified risks of material misstatement. The Board believes that confirmation can be an important tool for addressing certain risks for cash and accounts receivable, and for obtaining audit evidence about other financial relationships, and certain terms of complex transactions or significant unusual transactions, as discussed below. However, identifying additional accounts or scenarios that require the auditor to use confirmation, without regard to the specific facts and circumstances of the audit including the assessed risk of material misstatement and whether other audit procedures would provide sufficient appropriate audit evidence, would be overly prescriptive.

The auditor's responsibilities relevant to the use of confirmation are also addressed in several other PCAOB standards. AS 2315, Audit Sampling, which discusses planning, performing, and evaluating audit samples, is used if the auditor uses sampling in the confirmation process. AS 2510, Auditing Inventories, addresses confirmation of inventories in the hands of public warehouses or other outside custodians. Additionally, the new standard does not address auditor responsibilities regarding inquiries concerning litigation, claims, and assessments, which are addressed in AS 2505, Inquiry of a Client's Lawyer Concerning Litigation, Claims, and Assessments.

Designing Confirmation Requests

(See paragraphs .08–.13 of the new standard).

A properly designed and executed confirmation process may provide relevant and reliable audit evidence. Auditor responsibilities regarding designing a confirmation request are described in paragraphs .08–.13, as follows:

• Paragraph .08 discusses identifying information to confirm;
• Paragraphs .09 through .11 discuss identifying the confirming parties for confirmation requests; and
• Paragraphs .12 through .13 discuss using negative confirmation requests.

The new standard does not prescribe a particular format for a confirmation request. For example, requests could be paper-based or electronic, specifying the information to be confirmed or providing a blank response form, or sent with or without the involvement of an intermediary that facilitates electronic transmission. As a practical matter, the auditor determines the format of a confirmation request to increase the likelihood that the request is received and clearly understood by the confirming party, taking into consideration, among other things, the facts and circumstances of the company and the confirming party.

Identifying Information To Confirm

The 2022 Proposal provided that the auditor should, as part of designing confirmation requests, identify information related to the relevant assertions that the auditor plans to verify with confirming parties or (when using a blank form) obtain from confirming parties. Such information Start Printed Page 71693 could include transaction amounts, transaction dates, significant terms of transactions, and balances due to or from the confirming party as of a specific date. In addition, the 2022 Proposal discussed that using a blank confirmation request generally provides more reliable audit evidence than using a confirmation request that includes information the auditor is seeking to confirm ( e.g., a customer account balance). In the latter scenario, it is possible that a confirming party could agree to the information without verifying it against the confirming party's records.

The Board adopted the proposed requirement relating to identifying information to confirm with certain modifications discussed below.

Several commenters indicated that the provisions of the 2022 Proposal related to identifying information to confirm were clear and appropriate. A few commenters requested retaining a statement analogous to a statement in existing AS 2310 to emphasize in the standard that responding to blank form confirmation requests generally requires additional effort, which might lower the response rates and lead auditors to perform alternative procedures. One commenter expressed concern that fraudsters could use fake confirmation requests and, in particular, fake blank form confirmation requests, to defraud bank customers ( e.g., by soliciting their bank details).

Existing AS 2310 includes details regarding the form of confirmation requests, which includes general information regarding blank form positive confirmation requests. This information has been included in the new standard in a note to paragraph .08. Further, after considering the comments received, the new standard includes language not included in the proposed standard that is similar to language in existing AS 2310. This language explains that responding to blank form confirmation requests generally requires additional effort, which might lower the response rates and lead auditors to perform alternative procedures for more selected items. Despite the possibility of lower response rates, responses to blank form confirmation requests may provide more reliable audit evidence than responses to confirmation requests using pre-filled forms.

Paragraph .17 of the proposed standard also included a reminder of an existing requirement in AS 1105.10, pursuant to which the auditor should test the accuracy and completeness of information produced by the company that the auditor uses as audit evidence. The reminder emphasized that, in the confirmation process, the requirement in AS 1105.10 applies to the information produced by the company ( e.g., populations from which items are selected for confirmation, such as detailed account listings, vendor listings, and contractual agreements) that the auditor uses in selecting the items to confirm.

Several firms and firm-related groups indicated that the existing requirement in AS 1105.10 for the auditor to evaluate information produced by a company as audit evidence was sufficient and that paragraph .17 of the proposed standard was duplicative. A few commenters stated that confirmation requests are often designed to test the accuracy of a given account balance or disclosure and, accordingly, that the requirement should only focus on testing completeness. Finally, a few commenters suggested that the standard, consistent with AS 1105.10, should allow for the auditor to test controls over the accuracy and completeness of information produced by the company that the auditor uses in selecting items to confirm.

After considering these comments, in order to avoid duplication with other PCAOB standards, the new standard does not include paragraph .17 of the proposed standard.

Identifying Confirming Parties for Confirmation Requests

The 2022 Proposal provided that, to obtain reliable audit evidence from the confirmation process, the auditor should direct the confirmation requests to third parties (individuals or organizations) who are knowledgeable about the information to be confirmed. That provision was similar to existing AS 2310.26, which directs the auditor to send confirmation requests to third parties who the auditor believes are knowledgeable about the information to be confirmed, such as a counterparty who is knowledgeable about a transaction or arrangement.

When designing confirmation requests, an auditor may become aware of information about a potential confirming party's motivation, ability, or willingness to respond, or about the potential confirming party's objectivity and freedom from bias with respect to the audited entity. Because this type of information can affect the reliability of audit evidence provided by the confirming party to the auditor, the 2022 Proposal, similar to existing AS 2310.27, provided that the auditor should consider any such information that comes to the auditor's attention when selecting the confirming parties. The note to paragraph .19 of the proposed standard further emphasized that such information may indicate that the potential confirming party has incentives or pressures to provide responses that are inaccurate or otherwise misleading.^[36]

The 2022 Proposal also provided that the auditor should consider the source of any such information. For example, if management indicates to the auditor that a potential confirming party is unlikely to respond to a confirmation request, management may have other reasons to avoid a confirmation request being sent ( e.g., concealing management's fraudulent understatement of the amount the company owes to that party).

In addition, the 2022 Proposal provided more specific direction than existing AS 2310 for situations in which the auditor is unable to identify a confirming party who, in response to a confirmation request, would provide relevant and reliable audit evidence about a selected item. In such a scenario, the 2022 Proposal prescribed that the auditor should perform alternative procedures.

The 2022 Proposal also provided that the auditor should determine that confirmation requests are properly addressed, thus increasing the likelihood that they are received by the confirming party. The 2022 Proposal did not prescribe the nature or extent of procedures to be performed by the auditor when making this determination, thereby allowing the auditor to tailor the procedures to the facts and circumstances of the audit. For example, in practice, some auditors compare some or all confirming party addresses, which are typically provided by the company, to physical addresses or email domains included on the confirming party's website.

Alternatively, when using an intermediary to facilitate direct electronic transmission of confirmation requests and responses, Appendix B of the proposed standard required the Start Printed Page 71694 auditor to obtain an understanding of the intermediary's controls that address the risk of interception and alteration of the confirmation requests and responses and determine whether the relevant controls used by the intermediary are designed and operating effectively. The Board noted in the 2022 Proposal that, where an auditor determines that controls that address the risk of interception and alteration also include controls related to validating the addresses of confirming parties, the auditor may be able to determine that audit procedures performed in accordance with Appendix B are sufficient to determine that confirmation requests are properly addressed. In situations where the auditor determines that the intermediary's controls that address the risk of interception and alteration do not also include controls related to validating the addresses of confirming parties, the Board also noted that the auditor would need to perform other procedures to comply with the requirements of the proposed standard.

The Board adopted the requirements relating to identifying confirming parties for confirmation requests as proposed, with certain modifications discussed below.

Several commenters indicated that the provisions of the proposed standard related to identifying confirming parties were sufficiently clear and appropriate. One commenter indicated that the Board should require the auditor to send confirmation requests directly to an individual, rather than allow the auditor to choose between sending the request either to an individual or an organization. In this commenter's view, sending a confirmation request directly to an individual could increase the reliability of audit evidence obtained through the confirmation process. One commenter indicated that the Board should amend paragraph .18 of the proposed standard to read “the auditor should direct confirmation requests to confirming parties (individuals or organizations) who are expected to be knowledgeable about the information to be confirmed and determine that the confirmation requests are appropriately addressed.”

Because auditors often may have no or limited interaction with the personnel of confirming organizations, they may not be able to select an individual addressee for the confirmation request. As a result, the Board believes that allowing the auditor to address a confirmation request to an organization that is knowledgeable about the information to be confirmed is practicable and appropriate. Paragraph .20 of the proposed standard stated that the auditor should perform alternative procedures when the auditor is unable to identify a confirming party who, in response to a confirmation request, would provide relevant and reliable audit evidence about the selected item.

The Board has modified this language, which appears in paragraph .11 of the new standard, to emphasize that if the auditor is unable to identify a confirming party for a selected item who would provide relevant and reliable audit evidence in response to a confirmation request, including considering any information about the potential confirming party discussed in paragraph .10, the auditor should perform alternative procedures in accordance with Appendix C. In addition, the Board has added a note to paragraph .11 of the new standard to reiterate that AS 1105.08 provides that the reliability of evidence depends on the nature and source of the evidence and the circumstances under which it is obtained.

These revisions are intended to underscore that auditors should consider information that may indicate that a potential confirming party has incentives or pressures to provide responses that are inaccurate or misleading, and remind auditors that the reliability of audit evidence depends not only on its nature and source, but also the circumstances under which it is obtained. For example, restrictions on access to a potential confirming party that cause the auditor to identify and send a confirmation request to a different confirming party or to perform alternative procedures may themselves raise questions as to the reliability of the audit evidence that the auditor subsequently obtains from the other confirming party or through performing alternative procedures. In addition, the revisions to paragraph .11 clarify that the paragraph applies to a confirming party for an individual item selected for confirmation, rather than more broadly to a group of confirming parties that might provide audit evidence with respect to relevant assertions for an entire account, such as accounts receivable.

Several commenters on the 2022 Proposal also indicated that the requirement to send a confirmation request directly to the confirming party and determine that the request is properly addressed was sufficiently clear and appropriate. One of these commenters indicated that the standard should address procedures to verify the recipient's mailing or email address while the other commenters indicated there was no need to include specific procedures in the standard. Another commenter requested more guidance around verifying email addresses. One commenter indicated that there should be no specific requirement to check addresses, as such a requirement would not, in the commenter's view, deter those intent on deceiving auditors. Lastly, one commenter requested clarification as to whether an auditor should send either an initial confirmation request or a second request when the auditor is aware of information that indicates that the confirming party would be unlikely to respond.

The Board continues to believe that requiring auditors to determine that confirmation requests are appropriately addressed is critically important to the effectiveness of the confirmation process. The Board has noted above some of the ways in which an auditor might comply with this requirement but is not including such examples in the text of the new standard to avoid the possible misinterpretation that the examples describe the only steps an auditor could take in determining whether a confirmation request is properly addressed.

With respect to one commenter's suggestion that the Board clarify whether an auditor should send a confirmation request if the auditor is aware of information indicating that the confirming party would not respond, the Board believes the new standard is sufficiently clear. Paragraph .10 of the new standard states, in part, that if the auditor is aware of information about a potential confirming party's “willingness to respond,” the auditor should consider this information, including its source, in selecting the confirming parties. Further, paragraph .11 of the new standard states that, if the auditor is unable to identify a confirming party for a selected item who would provide relevant and reliable audit evidence in response to a confirmation request, the auditor should perform alternative procedures for the selected item in accordance with Appendix C of the new standard.

Using Negative Confirmation Requests

There are “positive” and “negative” types of confirmation requests. A positive confirmation request is a confirmation request in which the auditor requests a confirmation response. With a negative confirmation request, the auditor requests a confirmation response only if the confirming party disagrees with the information provided in the request. The auditor generally obtains significantly less audit evidence when Start Printed Page 71695 using negative confirmation requests than when using positive confirmation requests. A confirming party might not respond to a negative confirmation request because it did not receive or open the request, or alternatively the confirming party might have read the request and agreed with the information included therein.

Because of the limited evidence provided when using negative confirmation requests, the 2022 Proposal provided that the auditor may not use negative confirmation requests as the sole substantive procedure for addressing the risk of material misstatement to a financial statement assertion. Instead, the 2022 Proposal provided that the auditor may use negative confirmation requests only to supplement audit evidence provided by other substantive procedures ( e.g., examining subsequent cash receipts, including comparing the receipts with the amounts of respective invoices being paid; examining shipping documents; examining subsequent cash disbursements; or sending positive confirmation requests). In addition, Appendix B to the proposed standard provided examples of situations in which the use of negative confirmation requests, in combination with the performance of other substantive audit procedures, may provide sufficient appropriate audit evidence. In contrast, under existing AS 2310, the auditor may use negative confirmation requests where certain criteria are present and should consider performing other substantive procedures to supplement their use.

The Board adopted the requirements for using negative confirmation requests as proposed. Most commenters on this aspect of the 2022 Proposal expressed support for the proposed prohibition on using negative confirmation requests as the sole substantive procedure with a number of commenters stating that negative confirmation requests alone do not provide sufficient appropriate audit evidence.

Another commenter suggested that the word “generally” should be removed from paragraph .21 of the proposed standard to emphasize that a negative confirmation is not as persuasive as a positive confirmation. This commenter indicated that, in situations where the use of negative confirmation requests, in combination with the performance of other substantive audit procedures, may provide sufficient appropriate audit evidence, auditors should be required to specifically document their consideration of certain examples included in paragraph .B1 of the proposed standard.

Lastly, a few commenters indicated that additional guidance on the use of negative confirmations, and specifically on the use of substantive analytical procedures to supplement the use of negative confirmations, was needed while another commenter indicated that the examples in Appendix B would assist auditors in applying the requirements related to the use of negative confirmation requests.

After considering the comments on the 2022 Proposal, the Board has determined that the requirements in the 2022 Proposal relating to the use of negative confirmation requests are both appropriate and sufficiently clear. For ease of reference, the examples of situations in which the use of negative confirmation requests, in combination with the performance of other substantive audit procedures, may provide sufficient appropriate audit evidence now appear in paragraph .13 of the new standard rather than Appendix B. The Board is not including in the new standard additional examples of other substantive procedures that may be used to supplement negative confirmation requests, as some commenters had suggested. While such procedures may be appropriate in some circumstances, including such examples in the new standard could be misperceived as establishing a formal checklist, whereas determining the necessary nature, timing, and extent of audit procedures that provide sufficient appropriate audit evidence would depend on the facts and circumstances of each audit.

Paragraph .12 of the new standard retains the word “generally” ( i.e., “[g]enerally, the auditor obtains significantly less audit evidence when using negative confirmation requests than when using positive confirmation requests”) to acknowledge that in some circumstances using positive confirmations may not provide the auditor with the amount of evidence that the auditor planned to obtain ( e.g., if the auditor does not receive responses to some or all positive confirmation requests).

Maintaining Control Over the Confirmation Process

(See paragraphs .14–.17 and .B1–.B2 of the new standard).

The Requirement for the Auditor To Maintain Control Over the Confirmation Process

The 2022 Proposal included a provision, consistent with AS 2310, that the auditor should maintain control over the confirmation process to minimize the likelihood that information exchanged between the auditor and the confirming party is intercepted and altered. This is because the reliability of audit evidence provided by confirmation depends in large part on the auditor's ability to control the integrity of confirmation requests and responses. The 2022 Proposal also provided that, as part of maintaining control, the auditor should send confirmation requests directly to the confirming party and receive confirmation responses directly from the confirming party.

The Board adopted the requirements for maintaining control over the confirmation process as proposed, with one modification.

Commenters on this topic largely agreed that the auditor should maintain control over the confirmation process. One commenter stated that setting forth the requirement to maintain control over the confirmation process and the requirement to send confirmation requests directly to the confirming party in separate paragraphs might suggest that there are different responsibilities for the auditor. This commenter recommended combining the requirements to clarify that the auditor's responsibility is to send the confirmation directly while maintaining control of the process.

After considering the comments on the 2022 Proposal, the Board has determined that the proposed requirements are both appropriate and sufficiently clear, and adopted them as proposed, with the addition of a new paragraph that clarifies how an external auditor can use internal auditors in a direct assistance capacity as part of the confirmation process, as further discussed below. Paragraph .14 of the new standard establishes the auditor's responsibility for maintaining control over the confirmation process, and the other paragraphs in this section of the new standard specify auditor responsibilities regarding certain aspects of maintaining control, as discussed below. For example, consistent with the definition of “confirmation process,” ^[37] paragraph .15 of the new standard requires that the auditor select the items to be confirmed, send the confirmation requests and receive the confirmation responses. Start Printed Page 71696 Selecting an item involves the auditor identifying the information to be included on the confirmation request. Paragraph .16 of the new standard specifies that maintaining control over the confirmation process by the auditor involves sending the confirmation request directly to and obtaining the confirmation response directly from the confirming party.

Using and Intermediary To Facilitate Direct Electronic Transmission of Confirmation Requests and Responses

Background and Requirements

As discussed above, certain financial institutions and other companies have adopted the policy of responding to electronic confirmation requests from auditors only through another party that they, or the auditor, engage as an intermediary to facilitate the direct transmission of information between the auditor and the confirming party. The Board understands that such policies are intended to facilitate the timeliness and quality of confirmation responses provided by the confirming party to the auditor.

While the involvement of intermediaries is not discussed in existing AS 2310, the use of an intermediary does not relieve the auditor of the responsibility under PCAOB standards to maintain control over confirmation requests and responses. Because an intermediary's involvement may affect the integrity of information transmitted between the confirming party and the auditor, the 2022 Proposal provided that the auditor should evaluate the implications of such involvement for the reliability of confirmation requests and responses. Specifically, paragraphs .B2 and .B3 of the proposed standard provided that:

• The auditor's evaluation should address certain aspects of the intermediary's controls that address the risk of interception and alteration of communications between the auditor and the confirming party;

• The auditor's evaluation should assess whether circumstances exist that give the company the ability to override the intermediary's controls ( e.g., through financial or other relationships); and

• The auditor should not use an intermediary if information obtained by the auditor indicates that (i) the intermediary has not implemented controls that are necessary to address the risk of interception and alteration of the confirmation requests and responses, (ii) the necessary controls are not designed or operating effectively, or (iii) circumstances exist that give the company the ability to override the intermediary's controls.

The Board adopted the proposed requirements substantially as proposed, with certain modifications discussed below.

A few commenters on the 2022 Proposal indicated that it is not clear what an “intermediary” is and requested clarification. The Board is not adding a definition of the term “intermediary” in the new standard as it simply intends to use the term in describing a particular scenario under the new standard where a third party is engaged by the auditor or a confirming party to facilitate direct electronic transmission of confirmation requests and responses between the auditor and the confirming party. The Board believes that its intent in using the term “intermediary” is sufficiently clear.

Overall, several commenters indicated that the requirements in the 2022 Proposal to evaluate the implications of using an intermediary to facilitate direct electronic transmission of confirmation requests and responses were appropriate. However, as discussed below, a number of these commenters and other commenters stated that additional clarity may be required to ensure that the proposed revisions are operational in practice, or otherwise requested additional guidance. Conversely, a few commenters expressed the view that requirements in the 2022 Proposal regarding the implications of using an intermediary were not appropriate or sufficiently clear. One of those commenters asserted that the requirement to assess the intermediary would result in significant additional work for auditors and that it is not currently common practice to directly assess intermediaries in this manner. As discussed in Section IV of the 2022 Proposal, firm methodologies reviewed by the staff generally include guidance on maintaining control over the confirmation process, using intermediaries to facilitate the electronic transmission of confirmation requests and responses, and assessing controls at the intermediaries. The evidence from the PCAOB staff's review does not suggest that the requirements in Appendix B of the new standard would create significant additional work for auditors, nor did the commenters provide evidence to the contrary.

Separately, as the 2022 Proposal provided that the auditor should not use an intermediary if information obtained by the auditor indicates that certain conditions are present, several commenters stated that the presence of indicators would not necessarily mean that the intermediary is not fit for use. For example, these commenters stated that in a situation where an intermediary's control is not designed or operating effectively, an auditor may be able to obtain an understanding of whether a specific control failure impacts the confirmation process and perform tests of other controls or other procedures at the intermediary to address the control failure.

Having considered the comments, the Board is clarifying in paragraph .B2 of the new standard that the auditor should not use an intermediary to send confirmation requests or receive confirmation responses if the auditor determines that (1) the intermediary has not implemented controls that are designed or operating effectively to address the risk of interception and alteration of the confirmation requests and responses and the auditor cannot address such risk by performing other procedures beyond inquiry, or (2) circumstances exist that give the company the ability to override the intermediary's controls. In the 2022 Proposal, the prohibition was based on an indication, rather than determination, that such circumstances exist.

For example, when performing an evaluation required by paragraphs .17 and .B1 of the new standard, an auditor could obtain a SOC report stating that a particular access control at an intermediary is not designed or operating effectively. The auditor may then be able to identify and test other controls that could mitigate the control failure described in the SOC report. In this scenario, if the auditor determines that the identified controls are designed and operating effectively and mitigate the control failure, or the auditor has performed other procedures such as obtaining computer systems event logs generated by the intermediary that provide evidence there was no unauthorized access during the relevant period, the information in the SOC report in this scenario would not necessarily mean that the auditor is not allowed to use the intermediary under the new standard.

In addition, several commenters asserted that, if an auditor were not allowed to use an intermediary under proposed paragraph .B3 and the confirming party had a policy requiring the use of an intermediary for receiving and responding to auditor confirmation requests, an auditor may be unable to comply with the proposed requirement to confirm cash, even if relevant and reliable audit evidence were otherwise available. Considering these comments, the Board has modified paragraph .B2 of the new standard to state that in Start Printed Page 71697 circumstances where the auditor, under paragraph .B2, should not use an intermediary to send confirmation requests or receive confirmation responses, the auditor should send confirmation requests without the use of an intermediary or, if unable to do so, perform alternative procedures in accordance with Appendix C of the new standard. The Board believes that this modification and the adoption of a provision regarding obtaining audit evidence by directly accessing information maintained by a knowledgeable external source (see discussion below), address commenters' concerns that an auditor may not be able to comply with the requirement to confirm cash.

Certain commenters asked for additional guidance on what procedures an auditor should or could perform to comply with the requirements in Appendix B. Having considered these comments, the Board determined that the new standard, consistent with the 2022 Proposal, will not specify how the auditor should perform the particular procedures required by paragraphs .B1 and .B2 regarding evaluating the implications of using an intermediary. The new standard thus allows auditors to customize their approach based on the facts and circumstances of the audit engagement and the audit firm. For example, in obtaining an understanding of the intermediary's controls that address the risk of interception and alteration of confirmation requests and responses and determining whether they are designed and operating effectively, the auditor could (i) use, where available, a SOC report that evaluates the design and operating effectiveness of the relevant controls at the intermediary; or (ii) test the intermediary's controls that address the risk of interception and alteration directly.^[38]

Some commenters asked for guidance related to an acceptable window of time to be covered by “bridge letters.” ^[39] Where an auditor uses an independent service auditor's report on a service organization's controls, such procedures may involve using a bridge letter. The new standard does not specify an appropriate window of time to be covered by a bridge letter or a permissible window of time between the date covered by a bridge letter and the period when the auditor uses the intermediary to facilitate direct electronic transmission of confirmation requests and responses. Auditors should use their professional judgment based upon the facts and circumstances of the audit to determine the nature of procedures required to comply with paragraph .B1 of the new standard, including the note to paragraph .B1(b).

One commenter stated that paragraph .B2(b) of the proposed standard should have a specific documentation requirement. The Board believes that adding a specific documentation requirement is not necessary, as the auditor is required to document compliance with PCAOB standards under existing documentation requirements.^[40]

Lastly, the new standard modifies the language of the 2022 Proposal to provide in the note to paragraph .B1(b) of the new standard that, if the auditor performs procedures to determine that the controls used by the intermediary to address the risk of interception and alteration are designed and operating effectively at an interim date, the auditor should evaluate whether the results of the procedures can be used “during the period in which the auditor uses the intermediary”—rather than at “period end,” as described in the proposed standard—or whether additional procedures need to be performed to update the results. The Board believes that the modified provision more accurately describes the timeframe during which the results of the procedures may be used by an auditor. In addition, the modified provision clarifies that the auditor should consider the nature and extent of any changes in the intermediary's process and controls during the period between the auditor's procedures and the period the auditor uses the intermediary.

Interaction of New Standard and Proposed QC 1000

In November 2022 the Board issued for public comment a proposed quality control standard, referred to as proposed QC 1000, A Firm's System of Quality Control.^[41] Proposed QC 1000 addresses resources used by a registered public accounting firm that are sourced from third-party providers. An intermediary that facilitates direct electronic transmission of confirmation requests and responses is one example of a “third-party provider” under proposed QC 1000.

Under proposed QC 1000, a firm would consider the nature and extent of resources or services obtained from third-party providers in its risk assessment process and whether the use of third-party providers poses any quality risks to the firm in achieving its quality objectives. One of the required quality objectives relates to obtaining an understanding of how such resources or services are developed and maintained and whether they need to be supplemented and adapted as necessary, such that their use enables the performance of the firm's engagements in accordance with applicable professional and legal requirements and the firm's policies and procedures.^[42]

As noted above, the proposed standard on the auditor's use of confirmation included specific procedures related to the use of an intermediary, which included obtaining an understanding of the intermediary's controls that address the risk of interception and alteration of a confirmation request and response and determining whether such controls are designed and operating effectively.

A few commenters on the 2022 Proposal observed that firms may obtain and evaluate SOC reports centrally, rather than requiring that individual engagement teams obtain and evaluate the reports. One of these commenters suggested clarifying in the standard that the evaluations required by Appendix B may be performed, and the documentation may be retained centrally, as part of the firm's quality control system. Another of these commenters suggested that the requirements related to the use of an intermediary be removed entirely from the proposed confirmation standard and instead be dealt with solely in the proposed quality control standards. One commenter stated that, depending on the identified quality risks, procedures performed in accordance with QC 1000 need not align with the financial statement period-end of each audit engagement performed by the firm, which the commenter asserted was implied by paragraph .B2(b) and a related note in the proposed standard. Lastly, a few commenters indicated that it would be beneficial to explicitly link the provisions of the confirmation standard regarding the use of an intermediary with QC 1000. Start Printed Page 71698

Having considered these comments, the Board believes that the requirements in the new standard related to the auditor's use of intermediaries, with the modifications discussed above to the requirements in the proposed standard, are sufficiently clear and appropriate. The auditor's evaluation of the intermediary's controls could be performed by an engagement team, an audit firm's national office, or a combination of both. Where the national office performs procedures relating to the intermediary (either as part of the firm's quality control activities or specifically to comply with the new standard), the engagement team would still need to consider the procedures performed by the national office and include in its audit documentation considerations specific to the individual audit engagement. For example, if a national office evaluated an intermediary's controls at an interim date, the engagement team would need to, in accordance with the note accompanying paragraph .B1(b) of the new standard, evaluate whether the results of the interim procedures could be used during the period in which the auditor uses the intermediary to facilitate direct electronic transmission of confirmation requests and responses or whether they needed to be updated.

Using Internal Audit in the Confirmation Process

The 2022 Proposal identified certain activities in the confirmation process where the auditor may not use the assistance of the company's internal audit function. Under the 2022 Proposal, the auditor was not permitted to use internal auditors for selecting items to be confirmed, sending confirmation requests, and receiving confirmation responses, because using internal audit in a direct assistance capacity for such activities would not be consistent with the auditor's responsibility to maintain control over the confirmation process.

Existing AS 2310 does not include analogous provisions. It states instead that the auditor's need to maintain control does not preclude the use of internal auditors and that AS 2605, Consideration of the Internal Audit Function, provides guidance on considering the work of internal auditors and on using internal auditors to provide direct assistance to the auditor.^[43]

The Board adopted the proposed requirements substantially as proposed, with certain modifications discussed below.

A number of commenters, including investor-related groups, firms, and firm-related groups, agreed with the requirements proposed in the 2022 Proposal as being in line with the auditor's responsibility to maintain control over the confirmation process. Additionally, a few commenters observed that it is not current practice for auditors to use internal audit in a direct assistance capacity for selecting items to be confirmed, sending confirmation requests, or receiving confirmation responses and, therefore, that the requirements in the 2022 Proposal would not result in a significant change in practice. Conversely, one commenter stated that the proposed restrictions would impact current practice as it relates to direct assistance.

A significant number of commenters, including internal auditors and companies with internal audit functions, took exception to the provision in the 2022 Proposal to limit the external auditor's use of internal auditors in a direct assistance capacity in the confirmation process, and in some instances asserted that such limitations would be inconsistent with AS 2605. Many of these commenters also challenged the statement in the 2022 Proposal that “[i]nvolving internal auditors or other company employees in these activities [selecting items to be confirmed, sending confirmation requests, and receiving confirmation responses] would create a risk that information exchanged between the auditor and the confirming party is intercepted and altered.” These commenters asserted that this language called into question internal auditors' competence, objectivity, and independence. Additionally, a few commenters expressed concern with the prescriptiveness of the proposed restrictions on the use of internal auditors in the confirmation process.

Having considered the comments received, the Board notes that the discussion in the 2022 Proposal was not intended to cast doubt on the qualifications, competence, or objectivity of internal auditors. Internal auditors can and often do play an important role in enhancing the quality of a company's financial reporting. At the same time, the Board continues to believe that in order to maintain control over the confirmation process the auditor should select items to be confirmed, send confirmation requests, and receive confirmation responses.

In addition, after considering the comments received, the Board is (i) relocating the requirements related to the auditor's use of internal audit in the confirmation process to the section of the new standard on maintaining control over the confirmation process and (ii) rephrasing the requirements in terms of the auditor's affirmative responsibilities, by describing procedures the auditor is required to perform. In contrast, the proposed standard described procedures that internal auditors were not allowed to perform. As stated in footnote 7 of the new standard, auditors are permitted to use internal auditors in accordance with AS 2605, except for selecting items to confirm, sending confirmation requests, and receiving confirmation responses. The new standard does not impose any new limitations on how the internal auditors' work may affect the external auditor's audit procedures.^[44] Instead, the new standard clarifies how an external auditor can use internal auditors in a direct assistance capacity as part of the confirmation process.^[45]

Evaluating Confirmation Responses and Confirmation Exceptions, and Addressing Nonresponses and Incomplete Responses

(See paragraphs .18–.23 of the new standard).

Overall Approach

Under the 2022 Proposal, the auditor's responsibilities related to the confirmation process included evaluating the information received in confirmation responses and addressing nonresponses and incomplete responses. The 2022 Proposal provided that if the auditor is unable to determine whether the confirmation response is reliable, or in the case of a nonresponse or an incomplete response ( i.e., one that does not provide the audit evidence the auditor seeks to obtain), the auditor should perform alternative procedures.^[46] The 2022 Proposal built upon requirements in existing AS 2310 that discuss addressing information obtained from the performance of confirmation procedures.

The relevant requirements in the new standard include certain modifications to the approach in the 2022 Proposal, as discussed in the sections below. Start Printed Page 71699

Evaluating the Reliability of Confirmation Reponses

The 2022 Proposal was intended to provide additional direction beyond what is set forth in existing AS 2310 to assist the auditor's evaluation of the reliability of confirmation responses. Specifically, the 2022 Proposal (i) described information that the auditor should take into account when performing the evaluation, and (ii) provided examples of indicators that a confirmation response may have been intercepted or altered and thus may not be reliable. In particular, the 2022 Proposal provided that the auditor should take into account any information about events, conditions, or other information the auditor becomes aware of in assessing the reliability of the confirmation response.

Under existing PCAOB standards, the auditor is not expected to be an expert in document authentication but, if conditions indicate that a document ( e.g., a confirmation response) may not be authentic or may have been altered, the auditor should modify the planned audit procedures or perform additional audit procedures to respond to those conditions and should evaluate the effect, if any, on the other aspects of the audit.^[47] The 2022 Proposal did not alter these requirements, but specified for the confirmation process that, if the auditor were unable to determine that the confirmation response is reliable, the auditor's response should include performing alternative procedures.

The requirements for evaluating the reliability of confirmation responses were adopted substantially as proposed.

Several commenters indicated that the provisions of the 2022 Proposal related to evaluating the reliability of confirmation responses were clear and appropriate. One commenter proposed modifications to the proposed requirements, including replacing the words “taking into account” with “considering” in paragraph .25 of the proposed standard to reflect the commenter's perceived intent of the Board. One commenter asserted that paragraph .25 of the proposed standard could result in onerous documentation requirements in situations where there is a clear reason why a particular indicator is not necessarily indicative of interception or alteration of a confirmation request or confirmation response ( e.g., a confirmation request is sent to a general email account but returned from an email account belonging to an individual monitoring the general email account). Another commenter proposed that the Board remove one of the examples of indicators that a confirmation response may have been intercepted or altered because it appeared to create a de facto requirement that an auditor treat a confirmation response as not reliable if the original confirmation request is not returned with the confirmation response.

In addition, one commenter suggested modifying proposed paragraph .26 of the proposed standard to provide that the auditor should perform alternative procedures if the auditor became aware of any of the factors identified in paragraph .25 and was unable to overcome those factors to determine that the confirmation response is reliable. Another commenter stated that the proposed standard should acknowledge that, in certain specified circumstances, an unreliable confirmation would likely result in a scope limitation.

Having considered the comments received, the Board notes that assessing the reliability of confirmation responses is a critical component of the confirmation process. If indicators of interception or alteration are present, it is important for the auditor to address them. When the auditor follows up on a particular indicator, an auditor may determine that the confirmation requests and responses have not been intercepted or altered. For example, an auditor could verify that a difference in the confirming party's email address between the confirmation request and confirmation response occurred because the confirming party responds to confirmation requests from one central email address. The note to paragraph .18 of the new standard (paragraph .25 of the proposed standard) provides examples of information that the auditor should take into account if the auditor becomes aware of it. Under PCAOB standards, the auditor would document the procedures performed in response to information that indicates that a confirmation request or response may have been intercepted or altered. To minimize any confusion, the Board replaced the word “indicator” in the note with the phrase “information that indicates,” which has the same meaning.

In addition, to clarify that the auditor performs alternative procedures for the selected item if the auditor is unable to determine that a confirmation response regarding that item is reliable, the Board has added the phrase “for the selected item” after the words “alternative procedures” in paragraph .19 of the new standard. The Board also revised the reference in paragraph .26 of the proposed standard to performing alternative procedures “as discussed in paragraph .31” to “in accordance with Appendix C” in paragraph .19 of the new standard to reflect that alternative procedures for a selected item may not be necessary under certain circumstances, as discussed below, and to reflect the relocation of the more detailed discussion of alternative procedures from the body of the standard to Appendix C.

AS 3105, Departures from Unqualified Opinions and Other Reporting Circumstances, sets forth requirements regarding limitations on the scope of an audit,^[48] including scope limitations relating to confirmation procedures with respect to accounts receivable.^[49] One example of such a scope limitation would be the auditor's inability to confirm accounts receivable balances combined with an inability to perform other procedures in respect of accounts receivable to obtain sufficient appropriate audit evidence. The new standard does not repeat such existing requirements, as doing so would merely duplicate those requirements.

Evaluating Confirmation Exceptions and Addressing Nonresponses and Incomplete Responses

For various reasons, information in a confirmation response received by the auditor could differ from other information in the company's records obtained by the auditor. The 2022 Proposal provided that the auditor should evaluate the confirmation exceptions and determine their implications for certain aspects of the audit, as discussed below. The direction in the 2022 Proposal was more detailed than in existing AS 2310.

In particular, the 2022 Proposal provided that the auditor should evaluate whether confirmation exceptions individually or in the aggregate indicate a misstatement that should be evaluated in accordance with AS 2810. The 2022 Proposal did not, however, require investigating all confirmation exceptions to determine the cause of each confirmation exception. The 2022 Proposal also included a provision that the auditor should evaluate whether the confirmation exceptions individually, or in the aggregate, indicate a deficiency in the company's internal control over financial reporting (“ICFR”).

With regards to nonresponses and potential nonresponses, the 2022 Proposal provided that the auditor should send a second positive confirmation request to the confirming Start Printed Page 71700 party unless the auditor has become aware of information that indicates that the confirming party would be unlikely to respond to the auditor. Additionally, the 2022 Proposal specified that if a confirmation response is returned by the confirming party to anyone other than the auditor, the auditor should contact the confirming party and request that the response be re-sent directly to the auditor. If the auditor does not subsequently receive a confirmation response from the intended confirming party, the 2022 Proposal provided that the auditor should treat the situation as a nonresponse.

Further, in contrast with existing AS 2310, which does not address the auditor's responsibilities regarding incomplete responses, the 2022 Proposal provided that the auditor should perform alternative procedures if a confirmation response is not received or is incomplete.

The Board adopted the requirements for evaluating confirmation exceptions and addressing nonresponses as proposed, with certain modifications discussed below.

Some commenters indicated that the proposed provisions regarding evaluating confirmation exceptions and addressing nonresponses were sufficiently clear and appropriate. A few commenters stated that the Board should include requirements that limit an auditor's ability to assess confirmation exceptions as merely “isolated exceptions.” Similarly, one commenter asserted that the Board should require auditors to resolve any confirmation exceptions by examining other third-party evidence such as purchase orders. In light of these comments, the Board has added a new note to paragraph .20 of the new standard that states that determining that a confirmation exception does not represent a misstatement that should be evaluated in accordance with AS 2810 generally involves examining external information, which may include information that the company received from knowledgeable external sources.

In the Board's view, in many circumstances examining external evidence under the above provision is necessary, as doing so is consistent with both the goal of obtaining relevant and reliable audit evidence and the type of audit evidence sought from confirmation. For example, an auditor might send a confirmation request for a selected item to a knowledgeable confirming party regarding a $20,000 accounts receivable invoice and the confirming party ( i.e., the customer) indicates that the outstanding balance for this invoice at the date specified in the confirmation request is $18,000. Having investigated the $2,000 difference, the auditor learns that it does not represent a misstatement, as the customer overpaid for a different invoice but applied the overpayment to the invoice selected for confirmation and the company applied the overpayment differently. In this scenario, determining that there is not a $2,000 misstatement for the selected item would involve the auditor examining audit evidence from knowledgeable external sources, such as applicable purchase orders and customer cash payments, in addition to information generated by the company, such as customer invoices.

The note to paragraph .20 of the new standard uses the word “generally” to acknowledge that in some circumstances examining external audit evidence may not be necessary. For example, an auditor may have included an incorrect figure in the confirmation request and later determined that the amount confirmed by the confirming party agrees to the amount in the company's general ledger. Determining that such a confirmation exception does not represent a misstatement to be evaluated in accordance with AS 2810 would not require examining audit evidence from external sources.

One commenter suggested that the Board consider reminding auditors that, when using audit sampling, the auditor should project the misstatement results of the sample to the items from which the sample was selected in accordance with AS 2315. The Board considered this comment, but did not add a reminder regarding projecting the results of a sample as the new standard states in footnote 4 that AS 2315 addresses evaluating audit samples.

One commenter suggested that the Board restructure paragraph .27 of the proposed standard, as the auditor generally considers whether a confirmation exception is a misstatement and then determines whether there is a deficiency in internal control. In consideration of this comment, the Board has restructured paragraph .20 of the new standard to align with the typical order in which the auditor considers the two matters discussed therein ( i.e., an auditor typically considers whether a confirmation exception indicates a misstatement that should be evaluated in accordance with AS 2810, Evaluating Audit Results, and then considers whether the confirmation exception represents a deficiency in the company's ICFR).

One commenter expressed the view that the Board should not require auditors to evaluate whether a confirmation exception constitutes a control deficiency if the exception was a result of a clerical error or caused by a timing difference. The Board continues to believe that requiring the auditor to evaluate exceptions in such circumstances is appropriate and the auditor should consider whether all confirmation exceptions are control deficiencies. A clerical error or timing difference could be indicative of a deficiency in a company's ICFR.

One commenter indicated that the proposed requirement about sending a second positive confirmation request unless the auditor has become aware of information that indicates that the confirming party would be unlikely to respond to the auditor was sufficiently clear and appropriate. However, several firms commented that the requirement was too prescriptive, with one commenter asserting that the requirement could result in unnecessary and potentially ineffective administrative effort. Additionally, a few commenters expressed concern that following up on a confirmation request would not constitute sending a second confirmation request under the proposed standard, but asserted that it should be so treated.

The Board considered the comments about the requirement to send a second positive confirmation request. The use of confirmation is not required under the new standard other than for cash and accounts receivable when they are significant accounts or disclosures. Under the new standard, for cash and accounts receivable, the auditor may perform other audit procedures to obtain audit evidence by directly accessing information maintained by a knowledgeable external source. Further, for accounts receivable, in certain situations the new standard allows the auditor to obtain external information indirectly (see discussion of cash and accounts receivable below).

Because the auditor may have a choice of the audit procedure to perform, the Board believes that the auditor will select confirmation in those situations where confirming parties will be more likely to respond to the auditor. In situations where a confirming party does not respond to a confirmation request, the Board has concluded it is appropriate to require the auditor, in the case of a nonresponse to a positive confirmation request, to follow up with the confirming party. The requirement to follow up with the confirming party is included in paragraph .21 of the new standard. The new standard does not prescribe a form of the auditor's follow-up. For example, following up using the Start Printed Page 71701 same form of communication as in the original confirmation request ( e.g., email, direct electronic transmission facilitated by an intermediary) would be appropriate under the new standard. In the case of an electronic confirmation request, a follow-up request could be in the form of a reminder or automated reminder.

If the auditor subsequently receives a confirmation response, the new standard provides that the auditor should evaluate that response in accordance with paragraphs .18–.19 and evaluate any confirmation exception in accordance with paragraph .20. If the auditor's follow-up does not elicit a confirmation response, paragraph .23 of the new standard instructs the auditor to perform alternative procedures for the selected item in accordance with Appendix C of the new standard.

To clarify that the auditor performs alternative procedures for the selected item, the Board has added the phrase “for the selected item” after the words “alternative procedures” in paragraph .23 of the new standard. The Board also revised the reference in paragraph .30 of the proposed standard to performing alternative procedures “as discussed in paragraph .31” to refer to “in accordance with Appendix C” in paragraph .19 of the new standard to reflect that alternative procedures for a selected item may not be necessary under certain circumstances, as discussed below, and to reflect the relocation of the more detailed discussion of alternative procedures from the body of the standard to Appendix C.

Additional Considerations for Cash, Accounts Receivable, and Terms of Certain Transactions

(See paragraphs .24–.30 of the new standard).

In general, evidence obtained from a knowledgeable external source is more reliable than evidence obtained only from internal company sources. When cash or accounts receivable are significant accounts, there is a presumption in the new standard that the auditor should obtain audit evidence from a knowledgeable external source by performing confirmation procedures or using other means to obtain audit evidence by directly accessing information maintained by knowledgeable external sources. In addition, the new standard addresses other situations in which the auditor should consider the use of confirmation.

The Board discusses below the provisions of the new standard relating to confirming cash held by third parties, confirming accounts receivable, performing other audit procedures for accounts receivable when obtaining audit evidence directly from a knowledgeable external source would not be feasible, communicating with the audit committee in certain situations, and confirming the terms of certain other transactions. To improve the flow of the requirements in the new standard, these provisions have been placed after the general provisions that describe the auditor's responsibilities related to the confirmation process ( i.e., after paragraphs .08–.23).

Figure 1 depicts the relationship of the requirements in the new standard for cash and accounts receivable when they are significant accounts (paragraphs .24–.28) to the general provisions of the new standard applicable to the confirmation process (paragraphs .08–.23).^[50]

Cash Held by Third Parties

Confirming Cash

The 2022 Proposal provided that the auditor should perform confirmation procedures when auditing cash and cash equivalents held by a third party. Existing AS 2310 does not address auditor responsibilities for confirming cash.

The Board noted in the 2022 Proposal that an auditor need not necessarily confirm all cash accounts in all cases. Under PCAOB standards, the alternative means of selecting items for testing are selecting all items, selecting specific items, and audit sampling.^[51] An auditor selects individual cash items to confirm following the relevant direction in PCAOB standards, including identifying and assessing the risk of misstatement and developing an audit response.^[52] The particular means or combination of means of selecting cash items to confirm depend on, for example, the characteristics of the cash items and the evidence necessary to address the assessed risk of material misstatement.^[53]

The 2022 Proposal emphasized that, in selecting the individual items of cash to confirm, the auditor should take into account the auditor's understanding of the company's cash management and treasury function, and the substance of the company's arrangements and transactions with third parties. For example, an auditor might select bank accounts with balances over a certain amount, accounts with a high volume of Start Printed Page 71703 transactions, accounts opened or closed during the period under audit, or accounts the auditor identifies as particularly risk-prone. Alternatively, the auditor might determine it is appropriate to confirm all cash accounts. The auditor also follows the direction in PCAOB standards when determining whether performing procedures in addition to confirmation is necessary to address the assessed risk of material misstatement relating to cash.^[54]

The Board adopted the proposed requirements to confirm cash, with certain modifications discussed below.

A number of commenters supported the proposed requirement for the auditor to confirm cash held by third parties. Some of these commenters stated that confirming cash has long been an audit best practice and that requiring cash confirmation would lead to more consistency in practice. In addition, several commenters stated that the standard was sufficiently risk-based ( i.e., by allowing the auditor to select cash accounts and other financial relationships to confirm based on the risk of material misstatement associated with cash).

Several commenters asserted that a requirement to confirm cash was not sufficiently risk-based, despite the provisions in the 2022 Proposal that described that the auditor should take into account their understanding of the company's operations in making selections of individual cash items to confirm. In particular, several commenters stated that the proposed standard would require an auditor to confirm cash without regard to the level of risk that the auditor had determined for cash in their risk assessment or when other audit procedures could produce sufficient appropriate audit evidence. Other commenters expressed the view that the requirement to confirm cash, as well as accounts receivable, should be removed, with some of these commenters suggesting that the auditor should be able to determine the audit procedure that would be most effective in obtaining relevant and reliable audit evidence, without confirmation being the “default” procedure.

The Board continues to believe that a presumption to confirm cash is appropriate. As discussed above, this presumption to confirm cash is consistent with current practice. Consistent with the objective of the new standard, the requirement to confirm cash, as well as accounts receivable, only applies when the auditor has determined that that these accounts are significant accounts.

With respect to confirming cash, many commenters, primarily firms and firm-related groups, expressed concern that the 2022 Proposal did not contain a provision about overcoming the presumption to confirm cash. A number of commenters also expressed the view that auditors could obtain direct-access view of bank information (or would be able to do so in the future), which could provide a more effective means of directly obtaining external evidence than sending a confirmation.

The Board agrees that if the auditor is able to perform other audit procedures that allow the auditor to obtain audit evidence by directly accessing information maintained by knowledgeable external sources, such audit evidence would be at least as persuasive as audit evidence obtained through confirmation procedures. The Board therefore added to the presumption to confirm cash (and accounts receivable) in the new standard the phrase “or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source.”

By way of example, the auditor might satisfy this requirement to obtain relevant and reliable audit evidence under the new standard by obtaining read-only access to information maintained by a financial institution concerning its transactions or balances with the company directly online through a secure website of the financial institution using credentials provided to the auditor by the financial institution.

The Term “Cash and Cash Equivalents Held by Third Parties”

The 2022 Proposal provided that the term “cash” comprised both cash and cash equivalents. Cash equivalents generally refer to short-term, highly liquid investments that are readily convertible to known amounts of cash and are so near their maturity that they present insignificant risk of changes in value because of changes in interest rates.^[55] Such assets are commonly used by companies to manage their cash holdings. The 2022 Proposal also described that the requirements for confirming cash would apply to cash held by third parties, and not limited to cash held by financial institutions. In the Board's view, this expansion of confirmation requirements was appropriate, as company funds can be held by third parties other than financial institutions, such as money transfer providers.

The Board adopted this provision as proposed in the 2022 Proposal.

There was one comment related to this aspect of the 2022 Proposal, suggesting that the new standard should specify that “third parties” are not limited to financial institutions. The Board believes the reference to “third parties” was sufficiently clear as proposed and, accordingly, has not expanded this description.

Confirming Other Financial Relationships

The 2022 Proposal provided that the auditor should consider confirming other financial relationships with the third parties with which the auditor determines to confirm cash. Such relationships can include lines of credit, other indebtedness, compensating balance arrangements, or contingent liabilities, including guarantees. As proposed, the auditor would be required under PCAOB standards to document the consideration given to the confirmation of other financial relationships and the conclusions reached.^[56] Existing AS 2310 does not have an analogous requirement to confirm other financial relationships.

The Board adopted this provision as proposed, with certain modifications discussed below.

Several commenters stated that the requirements for the auditor to consider confirming other financial relationships were clear. One commenter suggested that confirming other financial relationships should be required, and that overcoming the presumption to confirm should be available only when the financial entity with which the company does business does not offer services that would give rise to other financial relationships.

A number of commenters asserted that auditors would be required to Start Printed Page 71704 produce additional documentation of their considerations, even when a financial relationship(s) is not an area of significant risk of material misstatement. Some commenters recommended that the provision that the auditor “should consider” other financial relationships be changed to “may consider,” in order to allow for more auditor judgment in determining the audit procedures to perform.

The Board continues to believe that information about financial relationships, including off-balance sheet relationships, could be important for the audit, as it could be part of significant disclosures in a company's financial statements. Accordingly, paragraph .29 of the new standard provides that, in addition to obtaining audit evidence from a knowledgeable external source regarding cash in accordance with paragraph .24, the auditor should consider sending confirmation requests to that source about other financial relationships with the company, based on the assessed risk of material misstatement. The phrase “based on the assessed risk of material misstatement” was added to clarify that the auditor has flexibility in tailoring audit procedures to the level of assessed risk ( e.g., by including or not including confirmation in the audit response based on the auditor's assessed risk of material misstatement of other financial relationships). In addition, paragraph .29 retains the examples of other financial relationships that were included in the 2022 Proposal.

Accounts Receivable

Confirming Accounts Receivable

The 2022 Proposal carried forward the requirement in existing AS 2310 to confirm accounts receivable. Similar to existing AS 2310, the 2022 Proposal did not specify the extent of confirmation procedures for accounts receivable. As noted above, the timing and extent of confirmation procedures are part of the auditor's response to the risks of material misstatement under PCAOB risk assessment standards. The 2022 Proposal instead required the auditor to take into account the auditor's understanding of the substance of the company's arrangements and transactions with third parties and the nature of the items that make up the company's account balances in selecting the individual accounts receivable to confirm. For example, an auditor might assess the risk of material misstatement relating to accounts receivable higher for a company that is being audited for the first time by the auditor, or for accounts receivable from a newly acquired operation in a foreign location.

The Board adopted the proposed requirements to confirm accounts receivable, with certain modifications discussed below.

Most commenters on this aspect of the 2022 Proposal generally supported the retention of a presumption to confirm accounts receivable, and most of those commenters stated that the requirement for the auditor to confirm accounts receivable was sufficiently clear and appropriate. Two investor-related groups stated that confirmation of cash and accounts receivable was necessary, in their view, to obtain persuasive, sufficient, and competent audit evidence.

On the other hand, a number of commenters, primarily firms and firm-related groups, expressed concerns about carrying forward the presumption for auditors to confirm accounts receivable from existing AS 2310. The common theme of those commenters was that requiring the auditor to use confirmation for certain accounts may not allow the auditor to exercise professional judgment in determining an appropriate response to the assessed risk of material misstatement for those accounts.

Regarding the selection of accounts receivable to confirm, several commenters agreed that the 2022 Proposal was sufficiently principles-based to allow auditors to use professional judgment in determining the extent of confirmation of accounts receivable.

The Board continues to believe that a presumption to confirm accounts receivable is appropriate to emphasize that audit evidence obtained from a knowledgeable external source is generally more reliable than evidence obtained only from internal company sources. Consistent with the objective of the new standard, the requirement to confirm cash and accounts receivable, or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source, only applies when the auditor has determined that these accounts are significant accounts.

As with cash balances discussed above, the Board believes that when the auditor is able to perform other audit procedures to obtain audit evidence about accounts receivable by directly accessing information maintained by knowledgeable external sources ( e.g., information maintained by the receivable counterparty), such evidence would be at least as persuasive as audit evidence through confirmation procedures. The Board therefore added to the presumption to confirm cash and accounts receivable in the new standard the phrase “or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source.”

Audit evidence that an auditor obtains by accessing a third party's information directly can be at least as persuasive as audit evidence obtained through confirmation procedures because the auditor is able to observe first-hand the information providing such evidence. As technology continues to develop, The Board believes it is important for the new standard to reflect that there may be additional opportunities for the auditor to obtain audit evidence directly beyond sending a confirmation request. The new standard would allow for future innovations in audit techniques that might involve the auditor obtaining evidence for accounts receivable by directly accessing information maintained by a counterparty or other knowledgeable external source. As noted in the new standard, consistent with selecting a confirming party, when selecting the knowledgeable external source providing the auditor with access to information directly, the auditor would be required to consider whether the knowledgeable external source would have any incentive or pressure to provide the auditor with access to information directly that is inaccurate or otherwise misleading.

Situations where it would not be feasible for the auditor to obtain audit evidence for accounts receivable directly from a knowledgeable external source, through confirmation procedures or other means, are discussed below.

The Term “Accounts Receivable”

The 2022 Proposal described “accounts receivable” as comprising receivables arising from the transfer of goods or services to a customer or from a financial institution's loans. Existing AS 2310 describes accounts receivable as the entity's claims against customers that have arisen from the sale of goods or services in the normal course of business, and a financial institution's loans. The 2022 Proposal was designed to apply to the same types of items as existing AS 2310, with a modified description to align more closely with the terminology of current accounting requirements, which have been updated since existing AS 2310 was written.^[57]

The Board adopted this provision as proposed.

Commenters on this aspect of the 2022 Proposal stated that the description of accounts receivable was clear. These commenters also noted that there was no need to further broaden the description to include additional types of receivables.

The description of accounts receivable in the new standard includes receivables that arise from the transfer of goods or services to a customer. These types of receivables generally arise from the company's ordinary revenue-generating activities, and include items for which revenue has been or will be recognized by a company, such as receivables from selling manufactured products or providing a service to customers. The description of accounts receivable also includes a financial institution's loans, including loans to customers that the institution has originated or purchased from another institution. Examples of financial institutions are banks, non-bank lenders, and mortgage companies that provide financing to customers.

Situations When Obtaining Audit Evidence for Accounts Receivable Directly Would Not Be Feasible

Performing Other Substantive Procedures, Including Tests of Details

In the 2022 Proposal, the presumption to confirm accounts receivable could be overcome when the auditor determined that an audit response that only included substantive audit procedures other than confirmation would provide audit evidence that is at least as persuasive as evidence the auditor might expect to obtain through performing confirmation procedures. The 2022 Proposal did not carry forward the provisions in existing AS 2310 addressing overcoming the presumption to confirm accounts receivable under certain conditions, which are (i) immateriality, (ii) ineffectiveness of confirmation, or (iii) a certain combination of the assessed risk and expected results from other auditing procedures.^[58]

As discussed below, the new standard includes a provision to address situations when obtaining audit evidence directly from knowledgeable external sources, whether through confirmation procedures or other means, would not be feasible to execute.

Many commenters addressed the provision in the 2022 Proposal to overcome the presumption to confirm accounts receivable. A few commenters noted that the ability to overcome the presumption to confirm accounts receivable was clear and appropriate. As discussed below, many commenters focused on the proposed provision that evidence obtained through other substantive procedures should be “at least as persuasive as” evidence obtained through confirmation:

• A number of investor-related groups stated that the provision gave too much leeway to auditors to overcome the presumption to confirm accounts receivable. These commenters asserted that exceptions to confirming accounts receivable should only be available when other audit procedures would provide more persuasive or greater accumulated evidence than that obtained through confirmation. These commenters recommended additional requirements, such as allowing the auditor to overcome the presumption only if they document the evidence and basis for their conclusion and have communicated the conclusion to the audit committee and investors.
• Several firms and firm-related groups stated that the relevant provisions were not clear or more guidance would be needed about overcoming the presumption to confirm accounts receivable when other substantive procedures would be “at least as persuasive as” the evidence expected to be obtained through confirmation. A few commenters observed that the absence of a definition of the term “persuasive” in AS 1105 contributed to a lack of clarity as to the Board's expectations and requested more guidance about how to measure or evaluate persuasiveness. Several commenters emphasized that, rather than focus the requirement for overcoming the presumption to confirm accounts receivable on whether audit evidence obtained through audit procedures other than confirmation is “at least as persuasive as” evidence expected to be obtained through confirmation, the Board should focus the requirement on obtaining evidence that is sufficient and appropriate to address the assessed risk of material misstatement or, as one commenter suggested, on the reliability of the audit evidence.
• Several commenters suggested that the Board retain provisions similar to those in existing AS 2310.34 for allowing the auditor to overcome the presumption to confirm accounts receivable. In addition, several firms and firm-related groups suggested that the auditor's ability to overcome the presumption to confirm should be based on risk assessment, similar to the provision in existing AS 2310 addressing when the assessed level of inherent and control risk is low.
• Many firms and firm-related groups expressed concern that the criteria for overcoming the presumption would result in auditors having to use confirmation even in situations where historically confirmations were determined by the auditor to be ineffective and not to provide persuasive audit evidence.
• One commenter stated that, if the proposed language were adopted, auditors would likely default to confirming accounts receivable over other audit procedures to avoid second-guessing of their determinations of the persuasiveness of audit evidence.
• Several commenters, primarily firms and firm-related groups, stated that the 2022 Proposal imposed a higher threshold than the existing standard for auditors to overcome the presumption to confirm accounts receivable without a corresponding increase to audit quality.

As previously discussed, the new standard creates a presumption that the auditor performs confirmation procedures or otherwise obtains relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source. Under PCAOB standards, in general, evidence obtained directly by the auditor from a knowledgeable external source is more reliable than evidence obtained indirectly.^[59] However, the Board appreciates that there are instances where the auditor determines that performing confirmation procedures in response to a risk of material misstatement related to accounts receivable would not be feasible. For example, commenters described situations involving a history of low response rates to confirmation requests in certain industries ( e.g., healthcare, utilities), or where customers have been advised by a government agency to avoid providing personal or financial information in response to an unexpected request. The Board further understands that companies in other industries ( e.g., large retailers, defense and aerospace companies that contract with the federal government) do not, as a matter of policy, respond to confirmation requests. There may also be instances in which the performance of confirmation procedures would not result in reliable audit evidence.

Accordingly, paragraph .25 allows the auditor to perform other substantive procedures in response to a risk of Start Printed Page 71706 material misstatement, as long as such procedures include tests of details, if the auditor determines it is not feasible to obtain audit evidence directly from a knowledgeable external source pursuant to paragraph .24. Paragraph .25 specifically provides that the auditor's determination should be based on the auditor's experience, such as prior years' audit experience with the company or experience with similar engagements where the auditor did not receive confirmation responses, and the auditor's expectation of similar results if procedures were performed pursuant to paragraph .24. Any such determination would be performed as part of conducting the audit based on the available facts and circumstances at that time and properly supported in the audit documentation for the engagement.^[60] In addition, as described below, for significant risks associated with accounts receivable, the auditor would be required to communicate with the audit committee when the auditor did not perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source.

This provision replaces the concept in the 2022 Proposal about obtaining audit evidence that was “at least as persuasive as” the evidence expected to be obtained through confirmation procedures. It also specifies that the auditor should perform other substantive procedures, including tests of details, in these situations to make clear that performing only substantive analytical procedures would not be sufficient to overcome the presumption to confirm. These other substantive procedures should involve obtaining external information indirectly.

For accounts receivable, the auditor may be able to satisfy this requirement by obtaining information that is in the company's possession that the company received from one or more knowledgeable external sources.^[61] Examples of such external information may include, for example, subsequent cash receipts, shipping documents from third-party carriers, customer purchase orders, or signed contracts and amendments thereto. This information may be in electronic form ( e.g., a purchase order initiated by a customer through a company's website) or in paper form ( e.g., a signed contract).

Conversely, when performing other substantive procedures under this provision, it would not satisfy the requirements of the new standard to use or rely solely on the company's internally produced information. For example, an audit procedure that involves an automated matching analysis of a company's revenue, accounts receivable, and cash journal entries recorded by the company would be insufficient on its own because such an analysis only involves the company's internally produced information. On the other hand, when such internally produced information is evaluated in conjunction with external information that the company received from a knowledgeable external source, such as checks that the company received directly from customers or information on subsequent cash receipts that the company received from a financial institution, the procedures would involve audit evidence from a knowledgeable external source.

Under existing PCAOB standards, the quantity of audit evidence needed is affected by its quality, including its reliability, and in general evidence obtained directly by the auditor is more reliable than evidence obtained indirectly. This applies to all information (including external information) used by the auditor in arriving at the conclusions on which the auditor's opinion is based. For example, as the quality of the evidence increases, the need for additional corroborating evidence decreases. The auditor should be mindful of these requirements when determining an appropriate audit response to a risk of material misstatement that involves obtaining external information indirectly under the new standard.

Further, when performing audit procedures that involve obtaining external information, the auditor should be mindful of other relevant PCAOB standards that address the documentation of the procedures performed and the relevance and reliability of the audit evidence obtained.^[62] Audit documentation must clearly demonstrate the work performed by the auditor. In addition, the reliability of that audit evidence depends on the nature and source of the evidence and the circumstances under which it is obtained.

Communicating With the Audit Committee About the Auditor's Response to Significant Risks for Cash and Accounts Receivable

The 2022 Proposal included a requirement for the auditor to communicate to the audit committee ^[63] instances where the auditor had determined that the presumption to confirm accounts receivable had been overcome. In proposing that requirement, the Board considered the long-standing practice by auditors in the United States to confirm accounts receivable, and noted that a communication requirement when the presumption to confirm is overcome could enhance the audit committee's understanding of the auditor's strategy. In this regard, existing standards require the auditor to communicate to the audit committee about the auditor's overall audit strategy, significant risks identified during risk assessment procedures, significant changes to the planned audit strategy, and significant difficulties encountered during the audit.^[64] Existing AS 2310 does not have a requirement to communicate to the audit committee about overcoming the presumption to confirm accounts receivable.

The new standard contains a requirement for the auditor to communicate with the audit committee about the auditor's response to significant risks associated with cash or accounts receivable when the auditor did not perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source.

Several commenters, primarily investor-related groups, supported the proposed requirement in the 2022 Proposal that the auditor communicate to the audit committee when an auditor overcomes the presumption to confirm accounts receivable. One of the commenters referred to a statement in the 2022 Proposal that a requirement to communicate to the audit committee when overcoming the presumption to confirm accounts receivable “may reinforce the auditor's obligation to exercise due professional care in making that determination.” This commenter also noted that overcoming the presumption could result in a critical audit matter under AS 3101, The Auditor's Report on an Audit of Start Printed Page 71707 Financial Statements When the Auditor Expresses an Unqualified Opinion. ^[65]

Many commenters on this aspect of the 2022 Proposal, primarily firms and firm-related groups, disagreed with a specific requirement to communicate with the audit committee on this matter. These commenters asserted that such a requirement did not align with principles in AS 1301 to communicate with the audit committee about significant risks, including audit matters arising from the audit that are significant to the oversight of the company's financial reporting process. A number of these commenters also noted that, if there were a significant risk in accounts receivable or associated with a critical audit matter, the auditor would already be required to communicate these matters under AS 1301. Several other commenters indicated that they did not object to a more targeted requirement to communicate with the audit committee about overcoming the presumption to confirm when accounts receivable was assessed as a significant risk.

In addition, several commenters asserted that a requirement to communicate to the audit committee about overcoming the presumption to confirm would not improve audit quality, and could be detrimental if this communication became a compliance exercise for auditors, detracting them from performing effective audit procedures. A few commenters also stated there would not be a benefit to audit quality if the Board were to mandate that auditors treat instances of overcoming the presumption to confirm as a critical audit matter.

The 2022 Proposal stated that there may be some expectation by audit committees that the auditor would use confirmation as part of a planned audit response. One commenter encouraged the Board to perform outreach with audit committees to understand whether this expectation was, in fact, widespread and whether the proposed communication requirement would be relevant and meaningful.

Having considered the comments received, the Board does not believe it is necessary to require the auditor to inform the audit committee in every instance where the auditor performed substantive audit procedures other than confirmation to address the risk of material misstatement of cash or accounts receivable. However, the Board believes the auditor should inform the audit committee when the auditor did not perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source when responding to significant risks associated with either cash or accounts receivable.

This targeted requirement is consistent with the views expressed by several commenters, as discussed above. It is also consistent with the existing obligation of auditors under PCAOB standards to communicate to the audit committee an overview of the overall audit strategy and to discuss with the audit committee the significant risks of material misstatement identified during the auditor's risk assessment procedures.^[66] In addition, as with other matters arising from the audit of financial statements and communicated or required to be communicated to the audit committee, the auditor is required to determine whether these matters are critical audit matters in accordance with AS 3101.^[67]

Confirming Terms of Certain Transactions

The 2022 Proposal provided that, for significant risks of material misstatement associated with either a complex transaction or a significant unusual transaction, the auditor should consider confirming terms of the transaction with the counterparty to the transaction. This provision updates a requirement in existing AS 2310.08 that the auditor should consider confirming the terms of certain transactions that are associated with high levels of risk. The 2022 Proposal used the terminology “significant risk” and “significant unusual transactions,” but the provision was intended to be similar to that in existing AS 2310.

The Board adopted the proposed requirements to consider confirming terms of certain transactions, with certain modifications discussed below.

Several commenters noted that the provision in the 2022 Proposal was sufficiently clear and appropriate. Other commenters suggested various modifications to the provision that they asserted would improve its clarity, such as elaborating on the meaning of the term “complex transaction” and stating that the provision applies when the assertions related to the significant risk of material misstatement can be adequately addressed through confirmation. Several commenters indicated that other audit procedures, not including confirmation, may adequately address an assessed significant risk over the existence assertion, such as obtaining and reviewing an original executed contract and verifying the execution of its terms over a period of time.

To provide additional clarity, the new standard provides that the auditor should consider confirming those terms of a complex transaction or significant unusual transaction that are associated with a significant risk of material misstatement, including a fraud risk. Under the new standard, examples of such terms may include terms relating to (i) oral side agreements, or undisclosed written or oral side agreements, where the auditor has reason to believe that such agreements exist, (ii) bill and hold sales, and (iii) supplier discounts or concessions. When such arrangements or agreements are part of a complex transaction or significant unusual transaction identified by the auditor, there may be a heightened risk that the transaction has been entered into to engage in fraudulent financial reporting or conceal misappropriation of assets. Likewise, a complex transaction or a significant unusual transaction could have a heightened risk of error whereby confirmation could lead to identification of an additional term that, under an accounting standard, might have accounting implications not previously recognized by either the company or the auditor. Accordingly, the auditor's confirmation of terms related to such arrangements or agreements may assist the auditor in evaluating the business purpose, or lack thereof, of the transaction.^[68] These examples are not intended to be an exhaustive list. An auditor may identify other terms to confirm relating to a complex transaction or a significant unusual transaction if the auditor decides that confirmation could result in obtaining relevant and reliable audit evidence about that transaction.

One investor-related group recommended that the provision in the 2022 Proposal addressing the terms of complex transactions and significant unusual transactions should be mandatory and read “should” instead of “should consider.” In contrast, other commenters asserted that the provision was unduly prescriptive. Several commenters recommended that the Board change the phrase “should consider” to “may consider” to allow for more auditor judgment in Start Printed Page 71708 determining the audit procedures to perform to address significant unusual transactions or other complex transactions. The Board believes that the provision stating that the auditor “should consider” confirming terms of complex transactions or significant unusual transactions associated with a significant risk of material misstatement is sufficiently risk-based for the auditor to have flexibility in selecting the audit procedures that are best suited to address significant risks of material misstatement, depending on the facts and circumstances of individual transactions.

Another commenter suggested that the Board place additional emphasis on the auditor having a heightened degree of professional skepticism, similar to a provision in existing AS 2310.27, and that doing so would allow auditors to make appropriate judgments in determining whether facts and circumstances indicate that confirmation procedures may not produce sufficient appropriate evidence to address the assessed risks. The Board did not include additional language in the new standard about the auditor's potential need to exercise a heightened degree of professional skepticism related to confirmation because the auditor's obligation to apply professional skepticism is relevant to all aspects of the audit.^[69]

Performing Alternative Procedures for Selected Items

(See paragraphs .C1–.C2 of the new standard).

The 2022 Proposal provided that the auditor should perform alternative procedures in certain scenarios involving identifying confirming parties or evaluating the reliability of confirmation responses, as well as in scenarios involving nonresponses and incomplete responses.^[70] This range of scenarios was broader than under existing AS 2310, which provides that, with certain exceptions, the auditor should apply alternative procedures where the auditor has not received replies to positive confirmation requests. In addition, existing AS 2310 provides examples of alternative procedures, and requires the auditor to evaluate the combined evidence provided by confirmation and any alternative procedures and send additional confirmation requests or perform other audit tests, as needed, to obtain sufficient appropriate audit evidence.

The 2022 Proposal provided examples of alternative procedures that may provide relevant and reliable audit evidence regarding accounts receivable, accounts payable, and the terms of a transaction or agreement. These provisions expanded upon the examples of alternative procedures discussed in existing AS 2310.

The 2022 Proposal did not specify whether performing alternative procedures for the items the auditor was unable to confirm, alone or in combination with other audit procedures, is necessary to obtain sufficient appropriate audit evidence. Under the 2022 Proposal, the auditor would make that determination based on the facts and circumstances of the audit. Further, an auditor might determine that, without obtaining a reliable confirmation response, the auditor is unable to obtain sufficient appropriate audit evidence for a relevant assertion through performing alternative procedures for the items the auditor could not confirm, other audit procedures, or both ( e.g., if the auditor observes conditions during the confirmation process that indicate a heightened fraud risk). In such scenarios, the 2022 Proposal provided that the auditor would consider the impact on the audit opinion in accordance with AS 3105.

The 2022 Proposal also provided that performing alternative procedures may not be necessary where items selected for confirmation for which the auditor was not able to complete audit procedures would not—if misstated—change the outcome of the auditor's evaluation of the effect of uncorrected misstatements performed in accordance with AS 2810.17.^[71] For example, following the direction in AS 2810.17, under the 2022 Proposal an auditor may have determined that an item that the auditor was unable to confirm would not be material individually or in combination with other misstatements. In such situations, the auditor would not have been required to perform alternative procedures.^[72] Existing AS 2310 includes an analogous exception.

The Board adopted the requirements substantially as proposed, with certain modifications discussed below.

In the 2022 Proposal, the additional discussion of alternative procedures appeared in the main body of the proposed standard (paragraph .31). To enhance the readability of these provisions and facilitate their implementation, the Board has relocated them to Appendix C, which includes one paragraph that describes when performing other audit procedures may be necessary (paragraph .C1) and a second paragraph that provides further direction as to when alternative procedures are required under the new standard and includes examples of alternative procedures (paragraph .C2).

In addition, to remind auditors that the auditor's assessment of risks of material misstatement, including fraud risks, should continue throughout the audit, including the confirmation process, paragraph .C1 of the new standard states that, when the auditor is unable to obtain relevant and reliable audit evidence about the selected item through confirmation, the auditor should evaluate the implications for the auditor's assessment of the relevant risks of material misstatement, including fraud risks.

Several commenters indicated that the circumstances in the 2022 Proposal under which the auditor generally would be required to perform alternative procedures were sufficiently clear and appropriate. However, multiple commenters suggested that the Board include an example of an alternative procedure for cash. In consideration of these comments, the Board has incorporated an example of an alternative procedure that may provide relevant and reliable audit evidence regarding cash, which involves the auditor verifying information about the company's cash account maintained in a financial institution's information system by viewing this information directly on a secure website of the financial institution. In this example, the auditor might verify such information by determining the validity of the financial institution's website and viewing the information directly on the secure website. The information viewed by the auditor could be accessed either by the auditor, using login credentials provided by the company, or by company personnel. This additional example is intended to address some commenters' misperception that the 2022 Proposal would not allow the Start Printed Page 71709 auditor to perform alternative procedures in the event that a positive confirmation request related to cash does not result in a confirmation response.

Several commenters asserted that the note in the 2022 Proposal identifying situations where alternative procedures may not be necessary was not clear, with one commenter indicating that the analogous exception in existing AS 2310 was clearer because it addressed audit sampling. In consideration of these comments, the Board has revised the note to paragraph .C2 of the new standard to clarify how the exception from performing alternative procedures for selected items should be applied and revised the footnote in the paragraph to further explain how the exception is applied in scenarios involving audit sampling.

The following example further illustrates applying this provision in an audit: An auditor selects a sample of 50 accounts receivable invoices for confirmation and receives confirmation responses for 45 invoices that do not indicate a need for the auditor to perform alternative procedures. For two nonresponses, the auditor performs alternative procedures and obtains relevant and reliable audit evidence identifying no misstatements. For the three remaining nonresponses, the auditor does not perform alternative procedures because the auditor appropriately determines that, even if the amounts associated with the invoices were projected as 100 percent misstatements to the population from which the sample was selected and added to any other accounts receivable misstatements ( i.e., accounts receivable misstatements identified through audit procedures other than confirmation), the outcome of the auditor's evaluation performed in accordance with AS 2810.17 would not change.

Another commenter recommended that, for nonresponses, the Board require that the auditor “must” perform alternative procedures that include examining third-party evidence. This commenter also suggested that the Board revise the example of alternative procedures for accounts receivable by removing the phrase “one or more,” such that the auditor would perform all of the procedures identified in the example ( i.e., examining subsequent cash receipts, shipping documents, and other supporting documentation).

Having considered these comments, the Board believes that, with the modifications discussed above, the requirements in paragraph .C1 of the new standard provide appropriate direction regarding when alternative procedures are required. Additionally, the Board believes that including examples in paragraph .C2 of alternative procedures that may provide relevant and reliable audit evidence about selected items, without mandating specific procedures, is appropriate, as it is impracticable to describe specific procedures for all scenarios that could occur in an audit.

Additionally, as discussed above, the Board has modified paragraph .B2 of the new standard to provide that in circumstances where the auditor should not use an intermediary to send confirmation requests or receive confirmation responses, the auditor should send confirmation requests without the use of an intermediary or, if unable to do so, perform alternative procedures in accordance with Appendix C of the new standard. In light of this modification, the Board has added a reference to paragraph .B2 to Appendix C of the new standard.

Evaluating Results

(See paragraph .31 of the new standard).

The 2022 Proposal did not carry forward a requirement, included in existing AS 2310, for the auditor to evaluate in the aggregate audit evidence obtained from performing confirmation procedures and any alternative procedures. Excluding this requirement from the 2022 Proposal was intended to avoid the duplication of certain requirements of AS 2810 that discuss the auditor's responsibilities for evaluating audit results and determining whether the auditor has obtained sufficient appropriate audit evidence.

As discussed above, however, paragraph .24 of the new standard allows the auditor to perform audit procedures other than confirmation for cash and accounts receivable to obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source. The Board therefore decided to remind the auditor in paragraph .31 of the new standard that the auditor should evaluate the combined audit evidence provided by confirmation procedures, alternative procedures, and other procedures to determine whether sufficient appropriate audit evidence has been obtained in accordance with AS 2810.

Other Matters

This section addresses certain additional matters that were also discussed in the 2022 Proposal. In addition, this section discusses definitions included in the new standard and related amendments to PCAOB auditing standards.

Management Requests Not To Confirm

Consistent with existing AS 2310, the 2022 Proposal did not address, nor does the new standard address, situations in which management requests that the auditor not confirm one or more items.

Several commenters agreed with the approach in the 2022 Proposal and indicated that auditor responsibilities in such situations are already addressed by existing PCAOB standards. One commenter suggested that the Board consider adding a requirement that, if management requests an auditor not to confirm a certain item, the auditor should both request management to indicate the reason for the request and, as appropriate, consider whether the request is indicative of a risk of material misstatement. Another commenter agreed that the potential scope limitation or fraud risk from a management request not to confirm is addressed in other PCAOB standards, but expressed the view that including guidance in the new standard unique to confirmation would be appropriate. A different commenter did not suggest changes to the Board's approach, but observed that management requests not to confirm are primarily relevant in the financial services industry and that it had experienced infrequent management requests not to confirm in other industries.

Having considered the comments received, the Board believes that existing PCAOB standards appropriately address situations involving management requests not to confirm. In particular, AS 1301 requires that the auditor communicate to the audit committee disagreements with management ^[73] and difficulties encountered in performing the audit, including unreasonable management restrictions encountered by the auditor on the conduct of the audit ( e.g., an unreasonable restriction on confirming transactions or balances).^[74] AS 3105 also sets forth requirements regarding limitations on the scope of an audit,^[75] including scope limitations relating to confirmation.^[76]

Further, AS 2110 and AS 2401 describe the auditor's responsibilities regarding identifying, assessing, and responding to fraud risks. For example, AS 2401.09 states that fraud may be concealed by withholding evidence. A management request to limit audit Start Printed Page 71710 testing by not obtaining external audit evidence through confirmation could be relevant to the auditor's consideration of fraud risk factors, including the consideration of management incentives, opportunities, and rationalization for perpetrating fraud. Considering the applicability of existing provisions to situations involving management requests not to confirm, as discussed above, the Board believes that including analogous requirements in the new standard could lead to unnecessary duplication of existing requirements and potential confusion.

Restrictions and Disclaimers

The requirements in the proposed standard relating to the auditor's evaluation of the reliability of confirmation responses included a reminder, in the form of a footnote, of the auditor's responsibilities under AS 1105 as they relate to restrictions and disclaimers. A similar reminder does not exist in existing AS 2310.

The Board is including this reference to AS 1105.08 as proposed, in a footnote to paragraph .18 of the new standard. No comments were received on this aspect of the 2022 Proposal. In accordance with AS 1105.08, the auditor should evaluate the effect of restrictions, limitations, or disclaimers in confirmation responses on the reliability of audit evidence.^[77]

Direct Access

The 2022 Proposal did not describe direct access as a confirmation procedure. Existing AS 2310 currently does not address such a procedure, but the 2010 Proposal had provided that direct access could be considered a confirmation procedure in certain circumstances.

A few commenters on the 2022 Proposal either agreed with, or indicated that they did not object to, the Board's stated position that direct access does not constitute a confirmation procedure. However, several firms and firm-related groups stated that, when properly executed, audit evidence obtained by the auditor through direct access can provide persuasive evidence about the existence of cash. One commenter recommended that the PCAOB consider aligning with the AICPA's position on this matter by acknowledging that the auditor's direct access to information held by a confirming party may meet the definition of a confirmation procedure when, for example, the confirming party provides the auditor with the electronic access codes or other information necessary to access a secure website where data that addresses the subject matter of the confirmation is held.

Having considered these comments, the Board adopted the new standard as proposed in relation to direct access.

While direct access does not constitute a confirmation procedure under the new standard, the new standard provides that the auditor may obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source, as discussed above.

Definitions

To operationalize the requirements included in the 2022 Proposal, the proposal included definitions for “confirmation exception,” “confirmation process,” “confirmation request,” “confirmation response,” “confirming party,” “negative confirmation request,” “nonresponse,” and “positive confirmation request.”

The Board adopted the definitions as proposed, with certain modifications discussed below.

Several commenters stated that, in general, the definitions in the 2022 Proposal were sufficiently clear and appropriate. Other commenters either did not provide comments on the proposed definitions or suggested certain modifications, as discussed below.

Some commenters stated that the Board should modify the proposed definition of “nonresponse” to reflect that a nonresponse includes a situation where the auditor does not receive a confirmation response to a positive confirmation request directly from the intended confirming party. Having considered this comment, the Board is aligning the definition of “nonresponse” with the definition of “confirmation response” and the requirements of paragraph .16 of the new standard. This modification clarifies that a confirmation response that is not received directly from the confirming party would constitute a nonresponse. The Board has also modified the definition of “negative confirmation request” to use the defined term “confirmation request” rather than “request.”

One commenter proposed modifications to the definitions of “confirmation exception” and “confirmation process” to specify that (i) sending a confirmation request may include transmitting the request in electronic form and (ii) only differences between a confirmation response and information the auditor obtained from the company that the auditor had originally sought to confirm constitute a confirmation exception. Having considered the comment, the Board notes that the proposed definition of “confirmation process” intentionally did not prescribe the method or methods by which confirmation requests can be sent and by which confirmation responses can be received, as the standard is intended to apply to all methods of sending and receiving confirmation requests and responses. Further, the Board believes that any instance where information in a confirmation response differs from information the auditor obtained from the company, even if the information in the confirmation response was not information that the auditor originally sought to confirm, should constitute a confirmation exception. Accordingly, the Board adopted the definition of “confirmation exception” as proposed and adopted the definition of “confirmation process” as proposed, with one modification to include “selecting one or more items to be confirmed” in the definition to align with the requirements specifically related to the confirmation process in the new standard.

The 2022 Proposal also indicated that an oral response to a confirmation request was a nonresponse. One commenter stated that a video recording of a call between an auditor and an individual at a confirming party ought not be considered less reliable audit evidence than a written response from an organization. Another commenter suggested that the PCAOB define the term “confirmation” because the 2022 Proposal stated that an oral response was a nonresponse but did not provide guidance as to whether other forms of response would be evidence of confirmation.

As the Board continues to believe that obtaining direct written communication, in paper or electronic form, from a confirming party is necessary for a response to constitute a confirmation response, the Board has not made further modifications to the definition in the new standard beyond those described above. Accordingly, a video recording of a call between an auditor and an individual at a confirming party or an oral response would constitute nonresponses under the new standard, although the auditor could still consider the relevance and reliability of the audit evidence provided by a video recording or an oral response when determining the nature and extent of alternative procedures required to be performed under the new standard. Start Printed Page 71711

Amendments to Related PCAOB Auditing Standards

The Board adopted amendments to several existing PCAOB auditing standards to align with the new standard.

Amendments to AS 1105

(See paragraph .18 of AS 1105, as amended).

The 2022 Proposal included proposed amendments to AS 1105 to (i) align the description of a “confirmation response” in AS 1105 with the definition of the same term included in the 2022 Proposal and (ii) clarify that the terms “confirmation response,” “confirmation request,” and “confirming party,” as used in AS 1105, have the same meaning as defined in Appendix A of the 2022 Proposal.

The Board adopted the amendments as proposed.

Existing AS 1105.18 states that “[a] confirmation response represents a particular form of audit evidence obtained by the auditor from a third party in accordance with PCAOB standards.” The 2022 Proposal used the defined term “confirming party” in lieu of “third party.” One commenter suggested retaining the phrase “third party” in AS 1105.18 to provide further clarity. The Board is not using this term because the new standard describes a confirming party as “a third party, whether an individual or an organization, to which the auditor sends a confirmation request,” thus making it clear that a confirming party is a third party.

Another commenter suggested that the Board strike the word “independent” from AS 1105.08, which states that “[e]vidence obtained from a knowledgeable source that is independent of the company is more reliable than evidence obtained only from internal company sources.” This commenter asserted that, although confirmation evidence may be more reliable, it is not truly “independent.” The Board is not striking the word “independent” from AS 1105.08 as it believes the concept expressed in AS 1105.08 is well understood by auditors and does not purport to be a definitive statement about the “independence” of evidence from a confirming party.

Amendments to AS 1301

(See Appendix B to AS 1301, as amended).

The 2022 Proposal included a proposed requirement for the auditor to communicate to the audit committee instances in which the auditor has determined that the presumption to confirm accounts receivable has been overcome and the basis for the auditor's determination. The 2022 Proposal included a conforming amendment to AS 1301 that would refer to the proposed requirement.

The Board adopted the conforming amendment to AS 1301 that refers to the audit committee communication requirement contained in the new standard. The required communication with the audit committee about the auditor's response to significant risks associated with cash or accounts receivable when the auditor did not perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source is discussed above.

Amendments to AS 2401

(See paragraphs .54 and .66A of AS 2401, as amended).

The 2022 Proposal included a proposed amendment to AS 2401 to refer to the title of the confirmation standard as proposed in the 2022 Proposal ( i.e., “The Auditor's Use of Confirmation”).

The Board adopted the amendment as proposed and adopted an additional conforming amendment to AS 2401, as discussed below.

One commenter suggested that the Board consider a conforming amendment to AS 2401 to acknowledge a requirement in proposed paragraph .15 to consider confirming terms of the transaction for significant risks of material misstatement associated with either a complex transaction or significant unusual transaction. Having considered the comment, the Board adopted a conforming amendment to the note to AS 2401.66A to remind the auditor of the requirement in paragraph .30 of the new standard that for significant risks of material misstatement associated with either a complex transaction or a significant unusual transaction, the auditor should consider confirming those terms of the transaction that are associated with a significant risk of material misstatement, including a fraud risk.

Amendments to AS 2510

(See paragraph .14 of AS 2510, as amended).

AS 2510.14 includes a statement that “if inventories are in the hands of public warehouses or other outside custodians, the auditor ordinarily would obtain direct confirmation in writing from the custodian.” The 2022 Proposal included a proposed amendment to AS 2510 to remind auditors that AS 2310 establishes requirements for the auditor's use of confirmation.

The Board adopted the amendment as proposed.

One commenter stated that the Board should address the confirmation of inventory in the new standard instead of making conforming amendments to AS 2510. The Board continues to believe that including requirements related to inventory in a single standard is appropriate. However, the Board acknowledges that AS 2510.14 includes two requirements related to the confirmation of inventory. First, AS 2510.14 provides that “[i]f inventories are in the hands of public warehouses or other outside custodians, the auditor ordinarily would obtain direct confirmation in writing from the custodian.” Second, AS 2510.14 further states that the auditor should perform one or more of four additional procedures, as considered necessary by the auditor, if such inventories represent a significant proportion of current or total assets. One such procedure is to confirm pertinent details of pledged receipts with lenders (on a test basis, if appropriate), if warehouse receipts have been pledged as collateral. The Board has added a cross-reference to AS 2510 in footnote 4 of the new standard to clarify that AS 2510 also includes auditor responsibilities relevant to the auditor's use of confirmation.

Amendments to AS 2605

(See paragraphs .22 and .27 of AS 2605, as amended).

AS 2605.22 includes a statement that “for certain assertions related to less material financial statement amounts where the risk of material misstatement or the degree of subjectivity in the valuation of the audit evidence is low, the auditor may decide, after considering the circumstances and the results of work (either test of controls or substantive tests) performed by internal auditors on those particular assertions, the audit risk has been reduced to an acceptable level and that testing of the assertions directly by the auditor may not be necessary.” The paragraph then includes assertions about the existence of cash, prepaid assets, and fixed-asset additions as examples of assertions that might have a low risk of material misstatement or involve a low degree of subjectivity in the evaluation of audit evidence.

The 2022 Proposal included a proposed amendment to strike the word “cash” from AS 2605.22 to avoid confusion, as the 2022 Proposal required the auditor to perform Start Printed Page 71712 confirmation procedures in respect of cash.

In addition, the 2022 Proposal included a proposed amendment to acknowledge in paragraph .27 of AS 2605, which discusses using internal auditors to provide direct assistance to the auditor, the proposed restrictions on the use of internal audit in a direct assistance capacity in the confirmation process.

The Board adopted the amendments substantially as proposed, with certain modifications discussed below.

One commenter indicated that the proposed amendment to AS 2605.22 ( i.e., striking the word “cash” from the list of accounts that might have a low risk of material misstatement), inappropriately assumed that there is always a heightened risk of fraud related to cash accounts in all audit engagements. Having considered the comment, the Board notes that neither the 2022 Proposal nor the new standard suggests that there is heightened risk of fraud associated with cash in every engagement. However, the Board believes that where an auditor identifies a risk of material misstatement for cash ( i.e., where cash is a significant account) it is necessary for the auditor to perform confirmation procedures or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source in respect of cash. Accordingly, the Board continues to believe that the conforming amendment to AS 2605.22 is appropriate.

Another commenter indicated that the proposed amendment to AS 2605.27 would not be necessary should the Board adopt the commenter's other recommendation to remove the proposed restrictions regarding the use of internal audit in the new standard. As discussed above, the Board continues to believe that in order to maintain control over the confirmation process the auditor should select items to be confirmed, send confirmation requests, and receive confirmation responses. The Board modified the conforming amendments to AS 2605.27, however, to align with paragraph .15 of the new standard.

Effective Date

The Board determined that the amendments will take effect, subject to approval by the SEC, for audits of financial statements for fiscal years ending on or after June 15, 2025.

As part of the 2022 Proposal, the Board sought comment on the amount of time auditors would need before the proposed standard and related amendments would become effective, if adopted by the Board and approved by the SEC. Many commenters, primarily firms and firm-related groups, supported an effective date of no earlier than two years after SEC approval, which some commenters indicated would give firms the necessary time to update firm methodologies and to develop and implement training. Additionally, as part of recommending an effective date no earlier than two years after SEC approval, a number of commenters observed that confirmation procedures are often performed as part of interim procedures and that, as a result, the new standard will impact engagement teams during the period under audit. Some commenters also stated that intermediaries involved in the confirmation process may also need to update their processes and controls as a result of the new standard. One commenter supported an effective date three years after SEC approval, while citing reasons similar to those expressed by commenters who supported an effective date of no earlier than two years after SEC approval.

The Board recognizes the preferences expressed by commenters. Nonetheless, having considered the requirements of the new standard, as well as the extent of differences between the new standard and AS 2310 and our understanding of firms' current practices, the Board believes that the effective date for fiscal years ending on or after June 15, 2025, will provide auditors with a reasonable period of time to implement the new standard and related amendments, without unduly delaying the intended benefits resulting from these improvements to PCAOB standards, and is consistent with the Board's mission to protect investors and protect the public interest.

D. Economic Considerations and Application to Audits of Emerging Growth Companies

The Board is mindful of the economic impacts of its standard setting. This section describes the economic baseline, need, and expected economic impacts of the new standard, as well as alternative approaches considered by the Board. Because there are limited data and research findings available to estimate quantitatively the economic impacts of the new standard, the economic analysis is largely qualitative in nature.

Baseline

Important components of the baseline against which the economic impact of the new standard can be considered are described above, including the Board's existing standard governing the audit confirmation process, firms' current practices when performing confirmation procedures, and observations from the Board's inspections program and enforcement cases. The Board discusses below two additional components that inform its understanding of the economic baseline: (i) the PCAOB staff's analysis of audit firm methodologies and the use of technology-based tools in the confirmation process, and (ii) a summary of academic and other literature on the confirmation process.

Auditing Practices Related to the Confirmation Process

Through its inspection and other oversight activities, the PCAOB has access to sources of information that help inform its understanding of how firms currently engage in the confirmation process. As part of this standard-setting project, the PCAOB staff has reviewed a selection of firms' audit methodologies, as well as other information about firms' use of technology-based tools when performing confirmation procedures. While this information is not a random sample that can be extrapolated accurately across all registered public accounting firms, the Board is able to make some general inferences that help inform development of the economic baseline.

PCAOB Staff Analysis of Audit Methodologies

PCAOB staff has reviewed the methodologies of selected registered public accounting firms to determine how they currently address the confirmation process and the extent to which changes to those methodologies will be necessary to implement the new standard. Specifically, the staff compared methodologies of selected global network firms (“GNFs”) ^[78] and some methodologies commonly used by U.S. non-affiliate firms (“NAFs”),^[79] which are smaller than GNFs, to existing AS 2310 as well as to the new standard. The review focused on the following aspects of the new standard which represent more notable changes relative to existing AS 2310:

• Substantive procedures for confirming cash and cash equivalents (paragraphs .24, .26, and .29); Start Printed Page 71713

• Substantive procedures for confirming accounts receivable (paragraphs .24–.25 and .27);
• The auditor's use of negative confirmation requests (paragraphs .12–.13);
• Maintaining control over the confirmation process, including when an intermediary is used (paragraphs .14–.17 and .Appendix B); and
• Other areas addressed in the new standard, including the evaluation of the reliability of confirmation responses (paragraphs .18–.19), and the performance of alternative procedures (Appendix C).

For the GNF methodologies reviewed, PCAOB staff observed that the methodologies generally reflect requirements in existing AS 2310 and other auditing standards on external confirmation, such as ISA 505 and AU–C 505. In addition, some of the methodologies already incorporate certain concepts included in the new standard, although revisions to the methodologies will nonetheless be needed to implement the new standard.

Specifically, some GNF methodologies, but not all, include requirements for confirmation of cash and cash equivalents held by third parties similar to the new requirements described in the new standard. Other GNF methodologies suggest, but do not require, that engagement teams consider specific confirmation procedures for cash and cash equivalents held by third parties. GNF methodologies for confirmation of accounts receivable are generally consistent with existing AS 2310. Some also include guidance that is similar in certain respects to the requirements in the new standard when the auditor is unable to obtain relevant and reliable audit evidence through confirmation procedures. With respect to negative confirmation requests, GNF methodologies acknowledge that negative confirmation requests provide less persuasive evidence than positive confirmation requests. However, some GNF methodologies still allow the use of negative confirmation requests as the sole substantive procedure under certain conditions.^[80]

The PCAOB staff also observed that GNF methodologies generally include guidance on maintaining control over the confirmation process, using intermediaries to facilitate the electronic transmission of confirmation requests, and assessing controls at the intermediaries. The firms' guidance in this area focuses on the performance of audit procedures to ensure that the electronic confirmation process occurs in a secure and controlled environment and that confirmation responses received are reliable. For example, the methodologies of some firms provide that an auditor may obtain a SOC report that would assist the engagement team in assessing the design and operating effectiveness of the intermediary's controls that address the risk of interception and alteration of confirmation requests and responses. Finally, although current GNF methodologies include guidance on the other areas being modernized or clarified in the new standard, GNFs may be required to make certain modifications to their methodologies to conform to the new standard, such as whether to perform alternative procedures.

For the NAF methodologies reviewed, the PCAOB staff observed that the methodologies generally align with existing AS 2310 across each of the areas studied, but include some guidance related to the new requirements in the new standard. For example, in some of the NAF methodologies, the confirmation of cash and cash equivalents held by third parties is a consideration but not a requirement. In other NAF methodologies, the confirmation of cash and cash equivalents held by third parties and negative confirmation requests are not discussed at all. NAF methodologies for confirmation of accounts receivable are generally consistent with existing AS 2310. Some include guidance that is similar in certain respects to the requirements described in the new standard when the auditor is unable to obtain relevant and reliable audit evidence through confirmation procedures.

The NAF methodologies also generally include guidance on maintaining control, using intermediaries in the confirmation process, and assessing controls at the intermediaries. Similar to GNF methodologies, NAF guidance in this area focuses on the performance of audit procedures to ensure that the electronic confirmation process occurs in a secure and controlled environment and that confirmation responses received are reliable. For example, a firm's methodology may provide that an auditor may obtain a SOC report that would assist the engagement team in assessing the design and operating effectiveness of the intermediary's controls that address the risk of interception and alteration of confirmation requests and responses.

Commenters on the 2022 Proposal did not provide additional information on firm methodologies beyond the staff's analysis. In general, the PCAOB staff's review indicates that all firms will likely need to revise their methodologies to some extent to implement the new standard. For example, all firms will need to update their methodologies to ensure that negative confirmation requests are not used as the sole source of audit evidence. NAF methodologies will likely require more revisions than the GNF methodologies, which have incorporated certain concepts included in the new standard.

Use of Technology-Based Tools

The PCAOB staff has also reviewed information collected through PCAOB oversight activities on firms' use of technology-based tools in the confirmation process. The staff's review focused primarily on the use of technology-based tools by GNFs, but also encompassed certain technology-based tools used by some NAFs. In addition, the review encompassed information on both proprietary technology-based tools that firms have developed internally and third-party or “off-the-shelf” tools that firms purchase and use (in certain cases, with further customizations) to assist in performing confirmation procedures as part of the audit process. The staff found that the number of technology-based tools used in the confirmation process varies across firms, and also varies based on the facts and circumstances of specific engagements. Generally speaking, firms allow engagement teams to select a tool but do not provide that the use of one or more tools is required.

Both GNFs and NAFs within the scope of the PCAOB staff's review use third-party tools to automate certain confirmation procedures, or to independently verify balances, terms of arrangements, or other information under audit. GNFs appear to be more likely to invest in customizing off-the-shelf tools they have purchased to their particular environment. For example, such modifications may permit a firm to automate the reconciliation of confirmed balances to client records. In comparison, NAFs tend to use the off-the-shelf tools without customization.

The PCAOB staff's review also found that GNFs have developed proprietary applications to facilitate various aspects of the confirmation process, whether conducted manually or electronically. These applications may facilitate the preparation of confirmation requests, their dissemination to recipients (including the preparation of logs to track confirmation requests and receipts), and the analysis of confirmation responses to determine Start Printed Page 71714 their completeness and accuracy. GNFs have also developed tools used when auditing specific accounts, other than cash and accounts receivable, where confirmation may provide audit evidence. For example, tools are used to prepare, log, and track confirmation requests and responses for various deposit, loan, and liability accounts.

As discussed above, auditors or confirming parties may engage an intermediary to facilitate the direct electronic transmission of confirmation requests and responses between the auditor and the confirming party.^[81] In one area, market forces have influenced firms' willingness to use an intermediary: a majority of financial institutions will only respond to confirmation requests through a centralized process and with a specified intermediary. As a result, all firms' methodologies required, and in practice firms did use, the specified intermediary in these circumstances.

The PCAOB staff has observed diverse practices related to the procedures auditors perform to support their reliance on an intermediary's controls when establishing direct communication between the auditor and the confirming party.^[82] In some situations where the procedures performed included obtaining a SOC report, the staff has observed insufficient evaluation of SOC reports, lack of consideration of the period covered and complementary user entity controls, and insufficient coordination of procedures performed centrally by the audit firm and by the engagement team.^[83]

These observations suggest that there may be a need for uniform guidance for situations involving the use of intermediaries. For example, enhanced procedures to be performed when auditors place reliance on an intermediary's controls could help address the risk of interception and alteration of communications between the auditor and the company and address the risk of override of the intermediary's controls by the company.

Commenters did not provide information about firms' use of technology-based tools that contradicted the staff's assessment. One commenter stated that some larger audit firms have established confirmation centers to centralize the sending and receiving of confirmation requests. Another commenter cited a study that noted the use of robotic process automation for confirming accounts receivable by a GNF.^[84]

Literature on the Confirmation Process

There is limited data on auditor confirmation decisions and research findings on the confirmation process.^[85] The literature documents that confirmation is “extensively used” and that confirmation responses received directly from a third party are often perceived by practitioners to be among “the most persuasive forms of audit evidence.” ^[86] Consistent with the PCAOB staff's observations from PCAOB oversight activities,^[87] studies find that the use of electronic confirmation has become prevalent.^[88] One study also observes that current U.S. auditing standards do not fully address how auditors should authenticate confirmations sent or received electronically, and asserts that there is a need for audit guidance related to electronic forms of evidence.^[89] Further, an earlier study reviews enforcement actions described in the SEC's Accounting and Auditing Enforcement Releases and concludes that additional direction regarding when cash and accounts receivable confirmation requests are required or recommended may be needed.^[90] Additionally, the literature suggests that more guidance may be necessary to identify when the risk is sufficiently low to justify the use of negative confirmation requests in certain areas.^[91] Moreover, an article on bank confirmation advocates a risk-based approach to the determination of confirmation procedures.^[92] Finally, a study finds that “anecdotal evidence and some research suggest confirmation response rates are declining.” ^[93] Commenters did not provide information contradicting the staff's summary of the relevant literature.

Accordingly, the academic literature is consistent with the conclusion that the Board's auditing requirements for the confirmation process should (i) accommodate electronic communications and address the implications of using an intermediary, (ii) address the confirmation of cash and accounts receivable, (iii) limit the use of negative confirmation requests, and (iv) align with the PCAOB's risk assessment standards.

Need

Several attributes of the audit market support a need for the PCAOB to establish effective audit performance standards. First, the company under audit, investors, and other financial statement users cannot easily observe the services performed by the auditor or the quality of the audit. This leads to a risk that, unbeknownst to the company, investors, or other financial statement users, the auditor may perform a low-quality audit.^[94]

Second, the federal securities laws require that an issuer retain an auditor for the purpose of preparing or issuing an audit report. While the appointment, compensation, and oversight of the work of the registered public accounting Start Printed Page 71715 firm conducting the audit is, under the Act, entrusted to the issuer's audit committee,^[95] there is nonetheless a risk that the auditor may seek to satisfy the interests of the issuer audit client rather than the interests of investors and other financial statement users.^[96] This risk can arise out of an audit committee's identification with the company or its management ( e.g., for compensation) or through management's exercise of influence over the audit committee's supervision of the auditor, which can result in a de facto principal-agent relationship between the company and the auditor.^[97] Effective auditing standards help to address these risks by explicitly assigning responsibilities to the auditor that, if executed properly, are expected to lead to high-quality audits that satisfy the interests of audited companies, investors, and other financial statement users.

This section discusses the specific problem that the new standard is intended to address and explains how the new standard is expected to address it.

Problem To Be Addressed

Focus on Obtaining Reliable Audit Evidence From the Confirmation Process

In situations where audit evidence can be obtained from a knowledgeable external source, the resulting audit evidence is likely to be more reliable than audit evidence obtained only from internal company sources. For evidence obtained through confirmation to be reliable, the confirmation process must be properly executed. Proper execution involves assessing the reliability of a confirmation response and performing robust, additional alternative procedures when the auditor is unable to determine that a confirmation response is reliable. Similarly, proper execution may entail the performance of alternative procedures when the auditor is unable to identify a confirming party, the auditor does not receive a confirmation response from the intended confirming party, or the confirmation response is incomplete.

As discussed above, the PCAOB staff has observed situations where auditors did not perform procedures to assess the reliability of confirmation responses or, where applicable, perform sufficient alternative procedures.^[98] In addition, the staff has noted that, in the case of some financial reporting frauds, the company's misconduct possibly could have been detected at an earlier point in time had the auditor made an appropriate assessment of the reliability of confirmation responses received, or performed additional procedures needed to obtain reliable audit evidence.^[99] These observations suggest a need for enhancements to auditing standards to more clearly address those situations where confirmation can be expected to provide reliable audit evidence, including the requirements for evaluating the reliability of confirmation responses and, if appropriate, performing alternative procedures.

Developments in Practice

There are areas of the confirmation process where developments in practice have outpaced existing requirements in the Board's auditing standards. In particular, existing AS 2310 does not reflect significant changes in technology and the methods by which auditors perform the confirmation process, including the use of electronic communication and the involvement of third-party intermediaries.

Regulatory standards that do not reflect changes in practice may lead to inconsistency in their application, potential misinterpretation, and ineffective regulatory intervention. For example, the PCAOB staff has observed diverse practices and audit deficiencies related to the procedures performed by auditors to support their use of an intermediary to facilitate the electronic transmission of confirmation requests and confirmation responses with confirming parties.^[100]

How the New Standard Addresses the Need

The new standard helps address the need by (i) strengthening requirements in certain areas to focus on the need to obtain reliable audit evidence from the confirmation process; and (ii) modernizing existing AS 2310 to accommodate certain developments in practice, including the use of electronic communications and intermediaries. The new standard is expected to promote consistent and effective practice relating to the confirmation process in audits subject to PCAOB standards, reducing the risk of low-quality audits caused by (i) the lack of observability of audit quality and (ii) the influence of the auditor-client relationship discussed above.

Focus on Obtaining Reliable Audit Evidence From the Confirmation Process

The new standard strengthens the Board's requirements in certain areas to focus on the need to obtain reliable audit evidence when executing the confirmation process. Specifically, the new standard includes a presumption for the auditor to confirm certain cash and cash equivalents held by third parties, or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source. In addition, the new standard strengthens the requirements for evaluating the reliability of confirmation responses. It also continues to emphasize the importance of maintaining control over the confirmation process and provides additional examples of information that indicates that a confirmation request or response may have been intercepted and altered. When confirmation responses are deemed to be unreliable, the auditor is directed to perform alternative procedures to obtain audit evidence.

Moreover, as discussed above, electronic communications likely have reduced the efficacy of negative confirmation requests. Under the new standard, the auditor is not able to use negative confirmation requests as the sole substantive procedure for addressing the risk of material misstatement for a financial statement assertion.

Developments in Practice

Under the new standard, the requirement to maintain control over the confirmation process addresses both traditional and newer, more prevalent forms of communication between the auditor and confirming parties, including emailed confirmation requests and responses and intermediaries facilitating electronic communication of confirmation requests and responses. The new standard is intended to apply to methods of confirmation currently in Start Printed Page 71716 use and to be flexible enough to apply to new methods that may arise from technological changes in auditing in the future.

The new standard emphasizes that in general, evidence obtained from a knowledgeable external source is more reliable than evidence obtained only from internal company sources. For cash and accounts receivable, if the auditor is able to perform audit procedures other than confirmation that allow the auditor to obtain audit evidence by directly accessing information maintained by knowledgeable external sources, such audit evidence could be as persuasive as audit evidence obtained through confirmation procedures, and the new standard allows the auditor to perform such procedures. Accordingly, to the extent that there are newer tools available to auditors now or in the future that enable them to obtain such audit evidence directly, the new standard would accommodate their use and future development.

Economic Impacts

This section discusses the expected benefits and costs of the new standard and potential unintended consequences. Overall, the Board expects that the economic impact of the new standard, including both benefits and costs, will be relatively modest, especially for those firms that have already incorporated into practice some of the new requirements. The Board also expects that the benefits of the new standard will justify the costs and any unintended negative effects.

Benefits

The Board expects the new standard to improve the consistency and effectiveness of the confirmation process, reducing the risk of low-quality audits caused by (i) the lack of observability of audit quality and (ii) the influence of the auditor-client relationship discussed above. Specifically, there exists a risk that, unbeknownst to the company under audit, investors, or other financial statement users, the auditor may perform a low-quality audit since audit quality is difficult to observe. In addition, some auditors may aim to satisfy the interests of the company or their own financial interests rather than the interests of investors and other financial statement users—interests that may lead them to perform insufficiently rigorous confirmation procedures to minimize the burden on clients and their counterparties to respond to confirmations, or to minimize audit costs.

The new standard helps to mitigate these risks in the audit confirmation process by strengthening and modernizing the requirements for the auditor regarding the design and execution of the confirmation process. Specifically, a confirmation process designed and executed under the new standard should benefit investors and other users of financial statements by reducing the likelihood that financial statements are materially misstated, whether due to error or fraud. Some commenters explicitly stated that the requirements described in the 2022 Proposal would improve the consistency of confirmation practices and enhance audit quality.

The enhanced quality of audits and financial information available to financial markets should also increase investor confidence in financial statements. In general, investors may use the more reliable financial information to improve the efficiency of their capital allocation decisions ( e.g., investors may reallocate capital from less profitable companies to more profitable companies). Investors may also perceive less risk in capital markets generally, leading to an increase in the supply of capital. An increase in the supply of capital could increase capital formation while also reducing the cost of capital to companies.^[101]

Auditors also are expected to benefit from the new standard, because the additional clarity provided by the new standard ( e.g., the accommodation of current practices, including the use of electronic communications and intermediaries) will reduce regulatory uncertainty and the associated compliance costs. Specifically, the new standard provides auditors with a better understanding of their responsibilities and the Board's expectations.

The following discussion describes the benefits of key changes to existing confirmation requirements that are expected to impact auditor behavior. As discussed above, the changes aim to (1) enhance the auditor's focus on obtaining reliable audit evidence from the confirmation process, and (2) accommodate certain developments in practice. As further discussed below, the changes that enhance the auditor's focus on obtaining reliable audit evidence are expected to strengthen confirmation procedures for cash held by third parties, promote consistency in practice, improve the reliability of confirmation responses, improve the quality of audit evidence, and increase the auditor's likelihood of identifying potential financial statement fraud. The changes that accommodate developments in practice are expected to clarify the auditor's responsibilities regarding the use of electronic communications in the confirmation process, standardize the procedures that auditors perform to support their use of intermediaries, and allow for the use or development of more sophisticated and effective technology-based auditing tools. To the extent that a firm has already implemented certain of the provisions of the new standard into its firm methodology, the benefits described below will be reduced.

Focus on Obtaining Reliable Audit Evidence From the Confirmation Process

The new standard should benefit investors and other users of a company's financial statements by placing additional emphasis on the auditor's need to obtain reliable audit evidence when performing confirmation procedures. In this regard, the new standard: (1) identifies certain accounts for which the auditor should perform confirmation procedures, (2) enhances the requirements for assessing the reliability of confirmation responses, (3) addresses the performance of alternative procedures when the auditor is unable to obtain relevant and reliable audit evidence through confirmation, (4) strengthens requirements regarding the use of negative confirmation requests, and (5) specifies certain activities in the confirmation process that should be performed by the auditor and not by other parties.

Specifically, the new presumption for the auditor to confirm certain cash and cash equivalents held by third parties or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source may reduce the risk of material errors in financial statements and strengthen investor protection to the extent that auditors are not already confirming cash pursuant to their existing audit methodologies.^[102] This requirement also Start Printed Page 71717 specifies that the extent of audit evidence to obtain through cash confirmation procedures should be based on the auditor's understanding of the company's cash management and treasury function.

The standard does not require that all cash accounts or all accounts receivable should be selected for confirmation. The auditor's assessment of the risk of material misstatement is an important consideration when designing audit procedures, including the use of confirmation. Consistent with the objective of the new standard, the requirement to confirm cash and accounts receivable, or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source, only applies when the auditor has determined that these accounts are significant accounts. Further, for both cash and accounts receivable, the new standard specifies that the auditor should take into account the auditor's understanding of the substance of a company's arrangements and transactions with third parties when selecting the individual items to confirm. These provisions in the new standard should encourage the auditor to determine the extent of confirmation procedures with regard to an assessment of the risk of material misstatement and avoid more work than necessary to obtain sufficient appropriate audit evidence.

However, to the extent that cash or accounts receivable fall within the scope of the new standard, the new standard strengthens the requirement to obtain relevant and reliable audit evidence, whether through performing confirmation procedures or otherwise obtaining audit evidence by directly accessing information maintained by a knowledgeable external source. At the same time, the new standard also addresses situations where, based on the auditor's experience, confirmation would not be feasible for accounts receivable. The additional clarity provided by these requirements in the new standard should reduce uncertainty in auditor responsibilities and promote consistency in practice with respect to the confirmation of cash and accounts receivable.

The new standard strengthens requirements addressing the reliability of confirmation responses by describing information that the auditor should take into account when evaluating the reliability of confirmation responses and providing examples of information that indicates that a confirmation request or response may have been intercepted or altered. These requirements are expected to improve the reliability of confirmation responses and therefore increase the quality of the audit evidence obtained by the auditor.

The requirement to communicate to the audit committee instances where, for significant risks associated with cash or accounts receivable, the auditor did not perform confirmation procedures or obtain audit evidence by directly accessing information maintained by a knowledgeable external source is expected to reinforce the auditor's obligation to exercise due professional care in determining not to perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by a knowledgeable external source.

The new standard also expands on the existing requirement to address the auditor's potential need to apply alternative procedures. The enhanced requirements for alternative procedures provide a greater level of detail and clarity to auditors for situations that are not currently addressed explicitly in existing AS 2310, potentially raising the quality of evidence obtained by auditors.

Under the new standard, the auditor may only use negative confirmation requests to supplement other substantive audit procedures; negative confirmation requests may not be used as the sole substantive audit procedure. As discussed above, the amount of electronic correspondence has increased dramatically over the years, leading to an increased likelihood that a negative confirmation request would not be appropriately considered by the confirming party and, therefore, would provide less persuasive audit evidence. The new standard addresses this issue by providing examples of situations in which negative confirmation requests, in combination with the performance of other substantive audit procedures, may provide sufficient appropriate audit evidence. As negative confirmation requests cannot be the sole source of audit evidence obtained, insofar as the new standard affects practice, the overall quality of audit evidence obtained by the auditor likely will increase.^[103]

Overall, the additional requirements and examples discussed above are expected to improve the reliability of confirmation responses and, therefore, increase the quality of the audit evidence obtained by the auditor. By introducing a new requirement to confirm certain cash balances (or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source) and enhancing the requirements for evaluating the reliability of confirmation responses, the new standard may also increase the auditor's likelihood of identifying potential financial statement fraud. Early detection of accounting fraud is an important aspect of investor protection because such fraud can cause significant harm to investors in the companies engaged in fraud, as well as indirect harm to investors in other companies.^[104] In addition, by clarifying and strengthening the auditor's responsibilities, including by specifying additional situations where alternative procedures may be necessary and providing additional examples of information that indicates that a confirmation request or response may have been intercepted and altered, the new standard takes into account past inspection findings by the Board that auditors did not obtain sufficient appropriate audit evidence when using confirmation.

One commenter on the proposing release expressed the view that the proposed standard would not achieve a significant reduction in inspection findings or improvements to audit quality because adverse inspection findings have historically focused on a failure to appropriately execute existing requirements. As discussed above, however, the need for this rulemaking is not limited to noncompliance with the current standard detected through our inspections program, but also reflects undetected financial reporting frauds and developments in practice. The Board continues to believe, therefore, that the rule will achieve its intended benefits, which include increased clarity from the new standard.

Developments in Practice

The new standard modernizes existing AS 2310 by accommodating certain developments in practice, Start Printed Page 71718 including the use of electronic communications and intermediaries.

Specifically, the new standard accommodates changes in how communications occur between the auditor and confirming parties. It clarifies the auditor's responsibilities by taking into account current confirmation practices among auditors and acknowledging differing methods of confirmation. These methods include longstanding methods, such as the use of paper-based confirmation requests and responses sent via postal mail. They also include methods that have become commonplace since the existing standard was adopted, including confirmation requests and responses communicated via email and the use of intermediaries to facilitate the direct electronic transmission of confirmation requests and responses. This additional clarity may enhance the reliability of audit evidence by decreasing the risk that a confirmation request or response is intercepted and altered. In addition, the new standard includes requirements specific to an intermediary's controls that mitigate the risk of interception and alteration. The requirements are expected to standardize the procedures auditors perform to support their use of intermediaries and reduce audit deficiencies in this area.

With regard to both cash and accounts receivable, the new standard accommodates the potential for future evolution of audit tools by allowing auditors to directly obtain access to relevant and reliable audit evidence from knowledgeable external sources other than through confirmation without the involvement of the company. This change allows for the use or development of technology-based auditing tools, subject to the requirement that they provide audit evidence by directly accessing information maintained by knowledgeable external sources about the relevant financial statement assertion. Accordingly, this change could potentially improve the efficiency and effectiveness of the audit.

Some commenters on the 2022 Proposal questioned the benefits of the proposed requirements, arguing that the auditor's inability under the proposed standard to overcome the presumption to confirm cash and a high threshold to overcome the presumption to confirm accounts receivable unduly restricted the ability to use professional judgment to determine the appropriateness of confirmation procedures. While the Board agrees that professional judgment plays an important role in the execution of audit procedures, the Board's experience indicates that it is also important for investor protection that auditors obtain relevant and reliable audit evidence for both cash and accounts receivable when they are significant accounts. With regard to accounts receivable, the new standard retains the presumption to perform audit procedures to obtain relevant and reliable evidence through confirmation, or otherwise by directly accessing information maintained by a knowledgeable external source, so would not decrease or remove the auditor's current responsibility. Furthermore, the new standard includes a provision to address situations when obtaining audit evidence directly from knowledgeable external sources, whether through confirmation procedures or other means, would not be feasible to execute for accounts receivable. Accordingly, the new standard strikes a balance intended to benefit investors by recognizing the value of professional judgment generally with respect to the use of confirmation while ensuring that cash and accounts receivable, when they are significant accounts, are subject to confirmation or other audit procedures designed to obtain relevant and reliable audit evidence from knowledgeable external sources.

Costs

The Board expects the costs associated with the new standard to be relatively modest. The PCAOB staff's review of audit firm methodologies related to the confirmation process indicates that some firms have already incorporated into practice some of the new requirements. For example, the methodologies of some GNFs include requirements for confirmation of cash that are similar to the requirements in the new standard. Both the GNF and NAF methodologies reviewed generally include guidance on maintaining control over the confirmation process and the use of intermediaries to facilitate the electronic transmission of confirmation requests and responses.

To the extent that audit firms need to make changes to meet the new requirements, they may incur certain fixed costs ( i.e., costs that are generally independent of the number of audits performed) to implement the new standard. These include costs of updating audit methodologies and tools, and costs to prepare training materials and conduct internal training. GNFs are likely to update methodologies using internal resources, whereas NAFs are more likely to purchase updated methodologies from external vendors. The costs of updating these methodologies likely depend on the extent to which the new requirements have already been incorporated in the firms' current methodologies. For firms that have implemented confirmation procedures like those required by the new standard, the costs of updating methodologies may be lower than for firms that currently do not have such procedures. In this regard, large firms may also benefit from economies of scale. As mentioned above, one commenter indicated that some larger audit firms have already established confirmation centers to centrally process the sending of confirmation requests and receiving of confirmation responses. For these firms, costs to implement the new standard may be further diminished as these firms may benefit from lower training costs and more efficient performance of the enhanced procedures. Smaller audit firms may not have adequate resources to establish such confirmation centers and may not recognize similar efficiency gains. The commenter observed that the establishment of confirmation centers within audit firms would require significant resources, which smaller audit firms may not have.

In addition, audit firms may incur certain engagement-level variable costs related to implementing the new standard. For example, the requirement to confirm certain cash balances or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source could impose engagement-level costs on some auditors if additional procedures need to be performed. Similarly, limiting the use of negative confirmation requests to situations where the auditor is also performing other substantive audit procedures could lead to additional time and effort by the auditor to perform the other audit procedures.

The magnitude of the variable costs likely depends on the extent to which existing practice differs from the new requirements. As discussed above, the PCAOB staff's review of firm methodologies, which included the methodologies of certain NAFs, suggests that the new standard likely will lead to a greater impact on confirmation procedures performed by smaller firms. Because the new standard generally applies a risk-based approach ( i.e., by providing that the use of confirmation may be part of the auditor's response to the assessed risks of material misstatement), the costs of performing the additional procedures are unlikely to be disproportionate to the benefits.

To the extent that auditors incur higher costs to implement the new standard and are able to pass on at least Start Printed Page 71719 part of the increased costs through an increase in audit fees, companies being audited could incur an indirect cost.^[105] Moreover, confirming parties could incur additional costs from supporting the confirmation process as a result of the enhanced requirements of the new standard, although the additional costs are expected to be limited. One commenter agreed that confirming parties may incur additional costs as they may have to allocate resources to respond to confirmation requests. As discussed above, however, confirmation is already commonly used by audit firms, and the Board therefore does not expect confirming parties to incur significant additional costs to respond to confirmation requests as a result of the new standard.

Some requirements under the new standard may result in more costs than others. The following discussion describes the potential costs associated with specific changes to existing confirmation requirements.

Focus on Obtaining Reliable Audit Evidence From the Confirmation Process

The new standard: (1) identifies certain accounts for which the auditor should perform confirmation procedures or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source, (2) enhances the requirements for assessing the reliability of confirmation responses, (3) addresses the performance of alternative procedures when the auditor is unable to obtain relevant and reliable audit evidence through confirmation, (4) strengthens requirements regarding the use of negative confirmation requests, and (5) specifies certain activities in the confirmation process that should be performed by the auditor and not by other parties.

For some firms, the requirement in the new standard to confirm certain cash balances or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source could be expected to result in the revision of firm methodologies and the performance of additional audit procedures. As discussed above, the methodologies of some GNFs already include requirements for cash confirmation that are similar to the new requirement described in the new standard. In addition, the risk-based approach in the new requirement should encourage the auditor to determine the extent of confirmation with regard to an assessment of the risks of material misstatement and conduct only the work necessary to obtain sufficient audit evidence.

Commenters on the 2022 Proposal asserted that confirming cash balances under the proposed standard would lead to increased costs, given the lack of discretion and ability to overcome the presumption in the proposed standard. In addition, some commenters on the 2022 Proposal asserted that the “at least as persuasive as” threshold in the proposed standard for overcoming the presumption to confirm accounts receivable would limit the auditor's use of professional judgment and could result in greater costs without a commensurate benefit to audit quality.

As discussed above, there is a presumption in the new standard that the auditor should obtain audit evidence from a knowledgeable external source by performing confirmation procedures or using other means to obtain audit evidence by directly accessing information maintained by knowledgeable external sources. In addition, the new standard provides that if, based on the auditor's experience, it would not be feasible for the auditor to obtain audit evidence about accounts receivable pursuant to paragraph .24, the auditor should obtain external information indirectly by performing other substantive procedures, including tests of details. Insofar as the final standard does not otherwise provide auditors with the discretion to avoid obtaining audit evidence directly from a knowledgeable external source for cash, and the only exception applicable to accounts receivable is for situations where obtaining audit evidence directly from a knowledgeable external source would not be feasible, firms may, therefore, incur additional costs to comply with the presumptive requirements of the new standard for cash and accounts receivable. These costs, however, are necessary to the achievement of the standard's intended benefits of emphasizing the quality and strength of the audit evidence to be obtained from knowledgeable external sources.

The new standard also requires the auditor to evaluate the reliability of confirmation responses and provides examples of information that indicate that a confirmation response may have been intercepted and altered. The costs associated with this requirement, however, are expected to be limited. First, the Board's auditing standards already require the auditor to obtain sufficient appropriate audit evidence to provide a reasonable basis for the auditor's report, and to evaluate the combined evidence provided by confirmation and other auditing procedures performed when the auditor has not received replies to confirmation requests ( i.e., nonresponses) to determine whether sufficient evidence has been obtained about all the applicable financial statement assertions.^[106] Second, the methodologies of some firms reflect application material in ISA 505 regarding factors (similar to indicators in the new standard) that may indicate doubts about the reliability of a confirmation response. One of these factors is analogous to the requirement in the new standard ( i.e., the confirmation response appears not to come from the originally intended confirming party), which may further limit the potential costs for firms that have incorporated this factor in their methodologies. One commenter on the 2022 Proposal stated that the proposed standard's requirement for evaluating the reliability of confirmation responses might cause the auditor to need to authenticate confirmation responses, which would add significant expense to the audit. However, as discussed above, AS 1105 already establishes the requirements for evaluating the reliability of audit evidence, and the new standard does not change those requirements.

The requirement for the auditor to communicate with the audit committee when the auditor did not perform confirmation procedures or otherwise obtain audit evidence by directly accessing information maintained by knowledgeable external sources for significant risks associated with either cash or accounts receivable could impose a modest incremental cost. Some commenters on the 2022 Proposal had expressed concern about the proposed requirement to communicate with the audit committee in all instances where the presumption to confirm accounts receivable had been overcome, which could be detrimental if the communication became a mere compliance exercise for auditors and audit committees. The new standard's requirement to communicate with the audit committee, however, is more risk-based and therefore, the Board continues to believe that the incremental costs will be modest. Start Printed Page 71720

Insofar as the new standard identifies additional situations in which the auditor generally would be required to perform alternative procedures, firms may incur additional costs. Specifically, the new standard extends the requirement in existing AS 2310 to perform alternative procedures in relation to nonresponses to positive confirmation requests to other situations, including the auditor's inability to identify a confirming party and the receipt of an unreliable response.

In contrast with existing AS 2310, negative confirmation requests may not be used as the sole substantive audit procedure under the new standard. This limitation reflects, among other things, the increase in the volume of electronic correspondence since existing AS 2310 was issued and the increasing likelihood that a recipient of a negative confirmation request would not consider the request. As a result, auditors may have to perform other substantive audit procedures for certain financial statement assertions. Although the Board understands through its oversight activities that few, if any, GNFs use negative confirmation requests as the sole substantive procedure in practice, as discussed above, the PCAOB staff's firm methodology review suggests that all the GNFs and NAFs reviewed will need to review their methodologies to ensure that negative confirmation requests are not used as the sole source of audit evidence.

Developments in Practice

As discussed above, the new standard includes requirements that clarify the procedures auditors should perform to support their use of intermediaries to facilitate the direct electronic transmission of confirmation requests and responses between the auditor and the confirming party. These requirements may lead to modifications to firm methodologies. Further, the required procedures may involve additional auditor time and effort. The resulting costs likely depend on the extent to which the new requirements have already been incorporated in a firm's current methodologies. One commenter expressed concern that the proposed requirement to assess the intermediary's controls would result in significant additional work for auditors because it is not currently common practice to directly assess intermediaries in this manner. The PCAOB staff's review of firm methodologies discussed above did not suggest that the requirements in Appendix B of the new standard would create significant additional work for auditors. In particular, both the GNF and NAF methodologies reviewed generally already include guidance on maintaining control over the confirmation process and the use of intermediaries, which may limit the costs. In addition, the Board notes that the requirements in the new standard relate to relevant controls that address the risk of interception and alteration of confirmation requests and responses and that some intermediaries currently make information about relevant internal controls available to auditors through a SOC report.

If the auditor is able to obtain audit evidence by directly accessing information maintained by knowledgeable external sources instead of confirmation, such audit evidence could be at least as persuasive as audit evidence obtained through confirmation procedures, and the new standard allows the auditor to perform such procedures. This provision is not expected to impose new costs on firms, as firms would only obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source to the extent that technological advancements render it more efficient than performing confirmation procedures. Thus, to the extent that the auditor is able to replace confirmation procedures with obtaining audit evidence by directly accessing information maintained by a knowledgeable external source, the new standard could reduce costs for firms.

Potential Unintended Consequences

In addition to the benefits and costs discussed above, the new standard could have unintended economic impacts. The following discussion describes potential unintended consequences the Board has considered and, where applicable, factors that mitigate the negative consequences, such as steps the Board has taken or the existence of other countervailing forces.

Potential Decline in Auditors' Usage of Confirmation

An unintended consequence of the new standard would occur if, contrary to the Board's expectation, there were a significant reduction in the use of confirmation procedures by auditors in circumstances where confirmation would provide relevant and reliable audit evidence.

Under the new standard, auditors retain the ability to use confirmation as one procedure, among others, to audit one or more financial statement accounts or disclosures. At the same time, the new standard strengthens the requirements for an auditor regarding evaluating the reliability of confirmation responses and addressing confirmation exceptions and incomplete responses, including performing alternative procedures to obtain audit evidence. Further, the new standard describes the types of procedures the auditor should perform in evaluating the effect of using an intermediary on the reliability of confirmation requests and responses, including determining whether relevant controls of the intermediary are designed and operating effectively. In addition, the new standard does not allow the auditor to use negative confirmation requests as the sole substantive procedure. As a result, when not required to use confirmation, auditors might decline to use confirmation and use other audit procedures more frequently than under existing AS 2310 if they perceive there could be more time or cost involved in the confirmation process relative to the performance of other procedures.

This potential unintended consequence is mitigated, however, by the requirement that the auditor should perform confirmation procedures for cash and accounts receivable, or otherwise obtain audit evidence by directly accessing information maintained by knowledgeable external sources. In addition, the Board's standards already provide that the auditor should evaluate whether the combined evidence provided by confirmation and other auditing procedures provide sufficient evidence about the applicable financial statement assertions. Several of the changes to existing requirements in the new standard align with the Board's understanding of current practice. For example, many audit firms' methodologies include guidance on maintaining control and the use of intermediaries. Additionally, the potential unintended consequence may be mitigated to the extent that a firm has experienced efficiencies from using newer audit tools for confirmation through reduced time or costs. Further, the Board does not anticipate that the requirements of the new standard will cause a significant change in the timing or extent of confirmation procedures for auditors, as the Board has not amended the requirements of AS 2301, which is the auditing standard that addresses those matters. Accordingly, the Board does not believe that the new standard will lead to a significant decline in the use of confirmation. Start Printed Page 71721

Potential Misinterpretation of the Requirements in the New Standard Relating to the Confirmation of Cash and Accounts Receivable

An unintended consequence of the presumed requirement in the new standard to confirm cash and accounts receivable would arise if auditors misinterpreted the language in the new standard as requiring the confirmation of cash and accounts receivable in all situations. For example, the new standard does not carry forward a provision included in existing AS 2310 that an auditor could overcome the presumption to confirm accounts receivable if, among other things, “[t]he use of confirmations would be ineffective.” It is possible that some auditors might misinterpret the elimination of this language as precluding the exercise of auditor judgment with respect to the confirmation of accounts receivable. Some commenters on the 2022 Proposal appeared to misinterpret the proposed requirement and suggested that confirmation would be required in all situations. For example, one commenter asserted that using confirmation regardless of risk assessment may promote a checklist mentality that does not contribute to audit quality and an audit approach that may be less efficient and effective.

The Board does not intend, however, that an auditor send confirmation requests for accounts receivable in all situations or when such procedures do not provide relevant and reliable audit evidence. If the auditor has not determined cash or accounts receivable to be a significant account, the new standard does not require the confirmation of cash or accounts receivable. Moreover, to clarify the Board's intent, it has modified the language in the proposed standard in several respects. First, paragraph .25 of the new standard addresses situations when obtaining audit evidence about accounts receivable directly from knowledgeable external sources, whether through confirmation procedures or other means, would not be feasible to execute. If it is not feasible for the auditor to obtain audit evidence about accounts receivable directly from a knowledgeable external source, the auditor should obtain external information indirectly by performing other substantive procedures, including tests of details.

In addition, the Board is not adopting paragraph .07 of the proposed standard, which referred to situations where evidence obtained through the confirmation process “generally is more persuasive than audit evidence obtained solely through other procedures” and may have contributed to a misperception that the Board was proposing to require confirmation in all circumstances. In the Board's view, the language in the new standard acknowledges the role of professional judgment in the auditor's selection of audit procedures to obtain sufficient appropriate audit evidence, while retaining a presumption to confirm cash and accounts receivable or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source. This should mitigate the potential unintended consequence described above.

Alternatives Considered

The development of the new standard involved considering a number of alternative approaches to address the problems described above. This section explains: (i) why standard setting is preferable to other policy-making approaches, such as providing interpretive guidance or enhancing inspection or enforcement efforts; (ii) other standard-setting approaches that were considered; and (iii) key policy choices made by the Board in determining the details of the new standard-setting approach.

Why Standard Setting Is Preferable to Other Policy-Making Approaches

The Board's policy tools include alternatives to standard setting, such as issuing additional interpretive guidance, or increasing our focus on inspections or enforcement of existing standards. The Board considered whether providing guidance or increasing inspection or enforcement efforts would be effective mechanisms to address concerns with the auditor's use of confirmation.

Interpretive guidance inherently provides additional information about existing standards. Inspection and enforcement actions take place after insufficient audit performance (and potential investor harm) has occurred. Devoting additional resources to interpretive guidance, inspections, or enforcement activities, without improving the relevant performance requirements for auditors, would at best focus auditors' performance on existing standards and would not provide the benefits discussed above associated with improving the standards. The new standard, on the other hand, is designed to improve existing requirements for the auditor's use of confirmation. For example, the new standard, unlike existing AS 2310, includes requirements relating to the confirmation of cash accounts, imposes additional limitations on the use of negative confirmation requests, clarifies the circumstances in which auditors would be expected to perform alternative procedures, and includes explicit provisions addressing the auditor's responsibility for selecting items to be confirmed, sending confirmation requests, and receiving confirmation responses.

Other Standard-Setting Alternatives Considered

Several alternative standard-setting approaches were also considered, including: (i) making amendments to the existing standard; and (ii) adopting an approach based on ISA 505, with certain modifications to reflect the PCAOB's statutory responsibilities with respect to audits of public companies and registered broker-dealers.

Amendments to Existing Standard

The Board considered, but decided against, limiting the amendments to AS 2310 solely to modifications relating to changes in technology that have affected the confirmation process. While this approach could result in fewer changes to firms' audit methodologies, the Board believes there are a number of other areas discussed throughout this release, beyond amending AS 2310 to reflect the increasing use of technology in the confirmation process, where the existing standard should be improved.

Standard Based on ISA 505

Some commenters on the 2009 Concept Release and the 2010 Proposal suggested that the Board should consider adopting ISA 505, the IAASB's standard on audit confirmation, which was issued in 2008. The Board has taken the requirements and application material of ISA 505 into account in developing the new standard ( e.g., the ISA 505 application material relating to the use of a third party to coordinate and provide responses to confirmation requests).

The Board concluded, however, that the new standard should also establish certain requirements that are not included in ISA 505 ( e.g., requirements to confirm cash and accounts receivable or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source), and should not include certain provisions that are described in ISA 505 ( e.g., regarding management's refusal to allow the auditor to send a confirmation request). In addition, audit practices have continued to evolve since ISA 505 Start Printed Page 71722 was issued in 2008, and the Board believes that the new standard should reflect these developments ( e.g., by addressing electronic communication and the use of intermediaries in the requirements of the standard rather than in application materials).

Key Policy Choices

Given a preference for replacing existing AS 2310 in its entirety, the Board considered different approaches to addressing key policy issues.

Use of Confirmation Procedures for Specific Accounts

The new standard provides that when addressing an assessed risk of material misstatement of cash and cash equivalents held by third parties, as well as of accounts receivable that arise from the transfer of goods or services to a customer or a financial institution's loans, the auditor should perform confirmation procedures or otherwise obtain relevant and reliable audit evidence by directly accessing information maintained by a knowledgeable external source. In addition, under the new standard, when obtaining audit evidence from a knowledgeable external source regarding cash, the auditor should consider sending confirmation requests to that source about other financial relationships with the company, based on the assessed risk of material misstatement. Also, when the auditor has identified a complex transaction or a significant unusual transaction, the auditor should consider confirming those terms of the transaction that are associated with a significant risk of material misstatement, including a fraud risk. The new standard does not specify other significant accounts or disclosures that the auditor should confirm or consider confirming. The Board considered several alternatives to this approach, as discussed below.

First, the Board considered an approach that would have no requirement for the auditor to confirm specified accounts or transactions. In the Board's view, this approach might result in the selection by some auditors of audit procedures that provide less relevant and reliable audit evidence than confirmation with respect to cash and accounts receivable ( e.g., if an auditor mistakenly assessed the risk of material misstatement too low for cash or accounts receivable). Further, confirmation of cash and accounts receivable is already a standard practice for many auditors and is consistent with the concept that audit evidence obtained from a knowledgeable external source is more reliable than evidence obtained only from internal company sources. Accordingly, the Board has decided against an approach that does not require the confirmation of any accounts and disclosures in the new standard.

In addition, the Board considered including in the new standard a requirement that the auditor should confirm other accounts in addition to cash and accounts receivable, such as investments. The Board has decided against this approach because it would limit auditor judgment in circumstances where the performance of other auditing procedures might provide relevant and reliable audit evidence, could be viewed as unduly prescriptive, and would not allow the auditor to take company-specific facts and circumstances into account. Instead, under the new standard, the auditor could decide to perform confirmation procedures with respect to financial statement assertions relating to other accounts and disclosures but is not required to do so.

The Board also considered an additional requirement that the auditor should perform confirmation procedures in response to significant risks that relate to relevant assertions, when such assertions can be adequately addressed by confirmation procedures. However, the Board believes that such a requirement would be inconsistent with the Board's risk assessment standards, which allow for auditor judgment in determining the audit response to significant risks identified by the auditor. The Board has not included this provision in the new standard.

Management Requests Not To Confirm

The Board considered addressing situations where management requests that the auditor not confirm one or more items in the new standard. Specifically, the Board considered requiring the auditor to obtain an understanding of the reasons for management's request, perform alternative procedures as discussed in Appendix C of the new standard, and communicate the request to the audit committee. In addition, the Board considered a requirement that the auditor should evaluate the implications for the auditor's report if the auditor determines that management's request impairs the auditor's ability to obtain sufficient appropriate audit evidence or indicates that one or more fraud risk factors are present. For the reasons discussed above, the Board has decided not to include such provisions in the new standard.

Special Considerations for Audits of Emerging Growth Companies

Pursuant to Section 104 of the Jumpstart Our Business Startups Act (“JOBS Act”), rules adopted by the Board subsequent to April 5, 2012, generally do not apply to the audits of EGCs, as defined in Section 3(a)(80) of the Exchange Act, unless the SEC “determines that the application of such additional requirements is necessary or appropriate in the public interest, after considering the protection of investors, and whether the action will promote efficiency, competition, and capital formation.” ^[107] As a result of the JOBS Act, the rules and related amendments to PCAOB standards that the Board adopts are generally subject to a separate determination by the SEC regarding their applicability to audits of EGCs.

To inform consideration of the application of auditing standards to audits of EGCs, PCAOB staff prepares a white paper annually that provides general information about characteristics of EGCs.^[108] As of the November 15, 2021, measurement date, PCAOB staff identified 3,092 companies that self-identified with the SEC as EGCs and filed audited financial statements in the 18 months preceding the measurement date.

Confirmation is a longstanding audit procedure used in nearly all audits, including audits of EGCs. The discussion of benefits, costs, and unintended consequences above is generally applicable to audits of EGCs. The economic impacts of the new standard on an EGC audit depend on factors such as the audit firm's current methodologies, the audit firm's ability to distribute implementation costs across engagements, and the auditor's assessed risk of material misstatement.

EGCs are likely to be newer companies, which may increase the importance to investors of the external audit to enhance the credibility of management disclosures.^[109] Further, Start Printed Page 71723 compared to non-EGCs, EGCs are more likely to be audited by NAFs.^[110] As discussed above, NAFs are expected to make more changes to their methodologies and practice to comply with the new standard. Therefore, all else equal, the benefits of the higher audit quality resulting from the new standard may be larger for EGCs than for non-EGCs, including improved efficiency of market capital allocation, lower cost of capital, and enhanced capital formation.^[111] In particular, because investors who face uncertainty about the reliability of a company's financial statements may require a larger risk premium that increases the cost of capital to companies, the improved audit quality resulting from applying the new standard to EGC audits could reduce the cost of capital to those EGCs.^[112]

While the associated costs may also be higher for EGC audits than for non-EGC audits, because of the scalability of the risk-based requirements, the costs of performing the procedures are unlikely to be disproportionate to the benefits of the procedures. Moreover, if any of the new amendments were determined not to apply to the audits of EGCs, auditors would need to address differing audit requirements in their methodologies, or policies and procedures, with respect to audits of EGCs and non-EGCs, which would create the potential for confusion. The new standard could impact competition in an EGC product market if the indirect costs to audited companies disproportionately impact EGCs relative to their competitors. However, as discussed above, the costs associated with the new standard are expected to be relatively modest. Therefore, the impact of the new standard on competition, if any, is expected to be limited. Overall, the new standard is expected to enhance audit quality and contribute to an increase in the credibility of financial reporting by EGCs.

Accordingly, and for the reasons explained above, the Board is requesting that the Commission determine that it is necessary or appropriate in the public interest, after considering the protection of investors and whether the action will promote efficiency, competition, and capital formation, to apply the new standard to audits of EGCs. One commenter specifically supported the application of the 2022 Proposal to EGCs.

III. Date of Effectiveness of the Proposed Rules and Timing for Commission Action

Within 45 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the Board consents, the Commission will:

(A) By order approve or disapprove such proposed rules; or

(B) Institute proceedings to determine whether the proposed rules should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rules are consistent with the requirements of Title I of the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form ( https://www.sec.gov/​rules/​pcaob); or

• Send an email to rule-comments@sec.gov. Please include file number PCAOB–2023–02 on the subject line.

Paper Comments

• Send paper comments in triplicate to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to file number PCAOB–2023–02. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( https://www.sec.gov/​rules/​pcaob). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rules that are filed with the Commission, and all written communications relating to the proposed rules between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing will also be available for inspection and copying at the principal office of the PCAOB. Do not include personal identifiable information in

submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to File Number PCAOB–2023–02 and should be submitted on or before November 7, 2023.

Footnotes