Proposed ISA 505 (Revised and Redrafted), External Confirmations
Proposed revised and redrafted International Standard on Auditing issued for comment by the International Auditing and Assurance Standards Board of the International Federation of Accountants
Comments from ACCA
February 2008
Executive Summary
ACCA welcomes the opportunity to comment on the proposed International Standard on Auditing ISA 505 (Revised and Redrafted) External Confirmations (proposed ISA 505), issued for comment by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants.
Our general comment on proposed ISA 505 is that it may be less helpful than extant ISA 505 because it is narrower in application. We suggest changes to the scope and objectives to retain the benefits of providing a central point of reference on confirmations, nevertheless recognising that some refocus is necessary as a consequence of changes to other ISAs that are more-generally applicable.
We disagree with a new definition of 'external confirmation' that changes it from a procedure to a form of audit evidence. We strongly suggest that fundamental changes of this nature be delayed until the IAASB can commence a long-term project to develop a conceptual framework for assurance.
We agree with the IAASB's views that proposed ISA 505 need not mandate the use of external confirmation requests nor need it require the auditor to decide explicitly on their use.
We agree that negative confirmations are less reliable than positive confirmations but concur with the IAASB's view that auditors should not be banned from using them. We disagree however with the nature of restrictions placed on their use.
Matters on which Specific Questions are Asked
In this section of our response we address the issues identified for specific comment in the Explanatory Memorandum forming part of the Exposure Draft.
Not Mandating the Use of External Confirmation Requests
We agree strongly with the view of the IAASB that, for the reasons set out in the Explanatory Memorandum, proposed ISA 505 should not mandate the use of external confirmation requests in any particular circumstance or in response to any particular risk of material misstatement.
Scope Directed ONLY at effective performance of external confirmation procedures
We agree strongly with the view of the IAASB that, for the reasons set out in the Explanatory Memorandum, proposed ISA 505 should not include a requirement that the auditor determine whether the use of external confirmations is necessary to obtain sufficient appropriate audit evidence at the assertion level.
We would draw attention, in particular, to the fear that a requirement in proposed ISA 505 would lead the auditor to document consideration of external confirmation for each assertion associated with material account balances, classes of transactions and disclosures. This would undoubtedly add considerable costs to all audits unless, as the Explanatory Memorandum points out, it was done in such a way as would render the activity relatively perfunctory.
In addition to cost, there is a problem under the Clarity drafting convention if proposed ISA 505 were to include a requirement that in effect related directly to determining if circumstances fell within the scope of its requirements. As drafted, this problem does not affect proposed ISA 505 but we are aware of other proposed ISAs where it does1. We caution against any change (perhaps made following comments in other responses) because of this.
We distinguish Proposed ISA 505 from the section of Proposed ISA 501 (Redrafted) Audit Evidence Regarding Specific Financial Statement Account Balances and Disclosures that deals with litigation and claims. The latter mandates direct communication with the entity's external legal counsel where the auditor assesses a risk of material misstatement regarding litigation and claims involving the entity. This is a very focussed response, whereas proposed ISA 505 potentially affects assertions for the whole financial statements.
Limitation on Use of Negative Confirmation Requests
We agree that negative confirmations can be useful and that proposed ISA 505 should not prevent their use.
We agree that negative confirmations are less reliable than positive confirmations and agree that material should be included to guide the auditor in their use.
We do not agree, however, that proposed ISA 505 should seek to place strict limits on the circumstances in which negative confirmation requests may be used as the only substantive audit procedure to address an assessed risk of material misstatement at the assertion level.
The first reason for this is expressed by the IAASB in the Explanatory Memorandum: ' that an ISA should not prevent the auditor from performing a particular audit procedure simply because that procedure would provide only limited audit evidence.'
The second reason is that the requirement in paragraph 14 will never be relevant in the circumstances of an audit. It follows that it is unnecessary and should be removed. The condition precedent only operates where the negative confirmation request is the only substantive procedure to address an assessed risk of material misstatement at the assertion level. In practice, there will always be other substantive procedures. For example, analytical procedures; or procedures of a dual risk assessment/substantive nature (such as would be necessary to predict the expectation of exceptions); or scrutiny of, for example a population to determine whether or not it comprises a large number of small, homogeneous account balances. Many auditors incorporate the concept of directional testing in their audit approach and, theoretically, substantive procedures throughout the audit provide secondary (or tertiary) evidence relevant to assertions and account balances that are not their primary focus.
There is an argument that the wording of the requirement could be amended to remove the word 'sole [substantive procedure]' so as to retain the concept that evidence for an assertion should not be drawn mainly from negative confirmation. Such an approach would, however, require auditors to make an assessment of the relative contribution to audit evidence of potentially many sources of evidence. We question whether this is feasible or worthwhile.
General Comments
Purpose of proposed ISA 505
We do not believe that the combination of title, scope, objective and requirements of proposed ISA 505 will be wholly successful in driving appropriate auditor behaviour.
The title of proposed ISA 505 is ' External Confirmations' ; a term that is now defined as a form of audit evidence2. The scope and objective of proposed
ISA 505 refer, however, to performing external confirmation procedures3. Moreover, the requirements and guidance are not all confined to the objective, which relates only to obtaining audit evidence that is relevant and reliable. There are, for example, requirements relating to the performance of alternative audit procedures, which necessitate decision-making more relevant to other ISAs. We do not criticise proposed ISA 505 for the inclusion of such requirements. Indeed, we welcome the material on external confirmation procedures as a response to assessed risks in the Scope section and in the Application and Other Explanatory Material section.
We suggest that proposed ISA 505 should recognise that auditors will expect and benefit from a more-comprehensive treatment of planning, performing and evaluating external confirmation procedures. We suggest, therefore, that as a minimum, the title, scope and objective be changed to make it clear that proposed ISA 505 can be regarded as the primary source of information on matters relating to confirmations.
Definitions and use of words
External confirmation
The definition of 'confirmation' / 'an external confirmation' has been changed, from a process for obtaining evidence into a from of evidence, and removed as a subset of 'inquiry' (inquiry remains as one form of audit procedure for obtaining audit evidence4).
We do not agree with this change and suggest that if additional precision of language is needed, the term 'external confirmation evidence' be defined (as 'Audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper form, or by electronic or other medium.' ).
There is, in general, no need to define terms to identify the audit evidence obtained from any particular type of procedure. For example, the audit evidence from analytical procedures has no defined term; the evidence from attendance at physical inventory counting is not named as such. More generally, the words inspection, observation and inquiry are not defined as types of evidence, they are means of obtaining audit evidence.
The Clarity project cannot address all of the considerable variation in the way words are used in ISAs and we suggest that the exposure draft of proposed
ISA 505 is not the right document in which to make a piecemeal change of this fundamental nature. Instead the need for such changes should form part of a long-term project to develop a conceptual framework for assurance.
Positive and negative confirmation requests
There is no definition of external confirmation procedures or confirmation requests; instead of the latter, there are proposed definitions for positive and negative confirmation requests. Both definitions refer to information provided (in the request) but only the positive request makes allowance for a response to a question. This means that a negative request must always contain information with which the confirming party is invited to disagree.
We see two problems with this approach. Some confirmation requests are of dual nature and some confirmation requests that might be regarded as negative do not fall within the definition because they contain no information (they might, for example, conditionally invite a response to a question).
It is not clear, therefore, whether proposed ISA 505 is applicable to such requests. We see no reason to exclude such matters from proposed ISA 505 and so suggest that the Definitions section be rewritten to ensure that all external confirmation procedures are within its scope5.
We also have some minor issues with the definitions, which do not address all possibilities. For example the definition of 'non-response' includes 'a confirmation request returned undelivered' (we are uncertain whether this includes negative confirmation requests) but does not include the absence of response to a negative confirmation (other than those returned undelivered). A non-response also includes a failure to fully respond; a circumstance we would prefer to refer to as a partial non-response because in our experience that is the way in which results are commonly analysed. However, we are conscious of the fact that having defined external confirmation as a type of evidence, a non-response ought to be defined by reference to the evidence obtained, or not obtained, as a result. We trust that these minor issues will be resolved when rewriting to give effect to our recommendation in the section of our response headed External confirmation .
We caution, nevertheless, against constructing artificial definitions when the plain language meaning of terms is sufficient. It is better to reword requirements, even if the prose is more difficult.
Conforming amendments
We do not agree with the conforming amendments to proposed ISA 500 Considering the Relevance and Reliability of Audit Evidence for the reasons set out elsewhere in this response under the heading External confirmation.
Changes made to Enhance the Clarity of Proposed ISA 505
OBJECTIVE
The objective is acceptable in context. However, it relates to the procedures rather than evidence and we are concerned that the title, scope, objective and requirements of proposed ISA 505 have been constructed too narrowly. We expand on these concerns elsewhere in this response under the heading Purpose of proposed ISA 505.
Requirements
A confirmation may be of a single matter (for example, a bank loan) or may be one of a sample (for example, of accounts receivable). The proposed standard appears mainly to be written for sampling (for example: paragraph 7 uses plural forms). We recommend that all requirements are worded so as to be relevant in both circumstances.
Paragraph 7
The requirement in paragraph 7 is preceded by text restating the condition for applying ISA 505. This is not necessary.
The requirement is to 'maintain control over the external confirmation requests and responses' . A requirement to maintain control is not one that can be performed and documented but is a principle that drives the performance of procedures. The bullet points are procedures that provide illustrations of how control may be achieved but may not themselves be interpreted as requirements (the single word 'shall' is too remote).
Paragraph 9
Paragraph 9 contains an unconditional requirement to report (in specific circumstances) to those charged with governance. It is normal to make reference to circumstances where all those charged with governance are also members of management.
The requirement is also constructed as a single sentence that apparently makes ISA 705 the determinant of how communication with those charged with governance should take place. We suggest that a minimum of two sentences is necessary.
Paragraph 10
The requirement6 in paragraph 10 potentially applies in the case of any doubts at all (which will normally be present) and requires that the auditor resolves (remove?) the doubts absolutely. We do not think this is realistic. The requirement should be rewritten to recognise that uncertainty is present.
Paragraph 12
As drafted, paragraph 12 requires performance of alternate audit procedures even for a non-response to a negative confirmation. This is not appropriate as such non-responses should be evaluated overall in the context of the outcome of the procedure. We discuss our uncertainty over the definition of non-response in the section of our response headed Positive and negative confirmation requests .
Paragraph 14
We comment on the requirements for negative confirmation in the section of our comments headed Limitation on use of negative confirmation requests.
The test in paragraph 14(c) should be more realistic - as in a typical negative confirmation procedure some of the potential responders will inevitably not respond through disregard.
Paragraph 15
Paragraph 15 requires evaluation of the results of external confirmation procedures rather than the evidence obtained (the 'external confirmations' as defined). This supports our view that such a definition is not appropriate.
Other Matters
The Explanatory Memorandum forming part of the Exposure Draft invites comments on the following other matters:
- Special considerations in the audit of small entities
- Special considerations in the audit of public sector entities
- Developing nations
- Translation
Our response contains comments that are relevant to the above and to undue costs, except we have not made a distinction between developing nations and others, as the audit of small entities may be present in both. We have no separate comments on public sector aspects of the proposed standard
1. For example, proposed ISA 620 Using the Work of an Auditor's Expert
2. The definition of confirmation is an important matter, which we discuss further in this response under the heading External confirmation
3. We note that the scope of proposed ISA 580 Written Representations, includes separate mention of aspects such as when evidence is not reliable. We suggest that finalisation of proposed ISA 505 ought to include a consistency check with proposed ISA 580.
4. Paragraph A12 to A15 of proposed ISA 500.
5. Except inquiries regarding litigation and claims.
6. If the auditor has doubts about the reliability of the response to a confirmation request, the auditor shall obtain further audit evidence to resolve those doubts.