The Big Four and other global audit firms believe that the PCAOB’s proposed standard updating and expanding the requirements related to the outside auditor’s use of confirmations is overly prescriptive and does not make sufficient use of auditor professional judgment. While supporting the Board’s efforts to update the current confirmation standard, AU 330, which was written more than 15 years ago, the global audit firms asked the Board to make the standard more principles-based, risk-based and more consistent with the Board’s own risk-assessment standards. The Board was also encouraged to work with the SEC to learn how the additional confirmation requirements will affect confirming parties as part of an overall reform of the entire conformation process. While the standard includes a number of requirements for auditors, there is no ability to require confirming parties to actually respond to those confirmation requests.
The proposed standard is intended to reforms the auditor’s use of confirmation, which involves direct auditor communication with a third party about a particular item affecting the company's financial statements. Because confirmation involves third parties it provides a high level of audit evidence and, according to PCAOB Acting Chair Dan Goelzer, is one of the building blocks of auditing. Asking customers who owe the company money to confirm the accuracy of their balances is a familiar example of an audit confirmation, but there are many other aspects of financial reporting that can be the subject of confirmation procedures. Confirmation of receivables has been required in the United States since the SEC's 1940 McKesson Robbins case, described by the PCAOB Chair as involving a ``stunning’’ fraud in which the perils of auditing that takes the company's word for its receivables were dramatically demonstrated.
The proposed standard includes a requirement to confirm receivables, broadened to include receivables that arise from credit sales, loans or other transactions. The standard also includes a ``should confirm’’ receivables which, according to Board staff, establishes a presumptively mandatory requirement to confirm receivables. The proposed standard also includes a requirement to confirm cash with financial institutions and a requirement to confirm other relationships with those financial institutions, including lines of credit, compensating balances, contingent liabilities, including guarantees, and the like.
The standard includes a requirement to confirm significant risks, but it discusses the fact that confirmation might not be appropriate for all significant risk, because confirmation should be performed for those significant risks that relate to relevant assertions that can be adequately addressed by confirmation procedures. Board staff has clarified that not all significant risks will be able to be confirmed.
The proposed standard includes requirements around maintaining control consistent with the existing requirement, but there are also some new requirements. For example, it includes a requirement to perform procedures to determine the validity of addresses on confirmation requests. It also includes a requirement around management's requests not to confirm accounts, and actions the auditor should consider to evaluate the implications of those requests The proposed standard also includes a requirement for the auditor to evaluate the audit evidence. While that mandate is also in the existing standard, the proposed standard goes a little bit further in that it requires the auditor to perform alternative procedures for all non-responses.
In the view of Ernst&Young, the proposed standard significantly departs from previous PCAOB standards in terms of its level of prescriptiveness, extends beyond the areas of technology and restrictive language and will result in substantial changes in the manner in which auditors utilize confirmations. E&Y believes that the proposed standard is overly prescriptive and does not adequately allow for auditors to use professional judgment and tailor their audit procedures to respond to assessed risks. Specifically, the firm is concerned with the expansion of the requirement to use confirmations in the areas of receivables, cash and significant risks, without also including a provision whereby auditors may exercise professional judgment in determining not to perform confirmation procedures when the use of confirmations in such areas would be ineffective or the associated risk of material misstatement is sufficiently low.
The firm also believe that the requirement to confirm certain account balances, without a corresponding exception based on the auditor’s judgment, will result in an increased documentation burden in situations in which an auditor concludes that confirmation procedures would either not be effective or, based on the assessed level of risk, other audit procedures would be equally effective.
In its letter to the Board, KPMG also said that the proposed standard is overly prescriptive. KPMG asserted that a confirmation standard should not represent a checklist of requirements, but rather should be a collection of guiding principles for auditors to apply to the particular facts and circumstances of a given audit using professional judgment. Echoing this theme, PwC said that the new standard encourages a checklist approach that is inconsistent with the framework of the Board's recently adopted risk assessment standards.
Noting that the proposed standard is prescriptive and contradicts the concept of risk-based auditing, McGladrey said that an effective risk-based audit approach is dependent on the auditor’s use of professional judgment in identifying and assessing risks of material misstatement and in designing and performing further audit procedures in response to those risks. In the firm’s view, prescriptive procedures inhibit the auditor’s use of professional judgment based on the facts and circumstances of the entity and its environment. In many instances, the Board could achieve its objectives by providing additional guidance regarding the auditor’s use of professional judgment, rather than requiring adherence to rigid, prescriptive requirements.
In its comments, Deloitte agreed that the prescriptive direction regarding the use of confirmations in the proposed standard is inconsistent with the direction of the risk assessment standards, which are premised on the planning and performance of audit procedures that the auditor believes will be most effective in addressing the identified risks. Prescriptive requirements, by their nature, can never be comprehensive in addressing any and all facts and circumstances of a particular situation, explained Deloitte, and may even detract from the ability of the auditor to exercise professional judgment in performing procedures that are likely to be most effective in addressing identified risks of misstatement.
In addition, establishing detailed requirements to always obtain confirmations in a wide variety of situations also conveys the notion that confirmations are therefore always more reliable or effective than other forms of audit evidence. Confirmations have limitations, said Deloitte, and other audit procedures may be more effective in addressing particular risks of misstatements.
More broadly, Deloitte emphasized that the effectiveness of the entire confirmation process needs to be improved, with revisions to the auditing standard being only part of what should be a much broader initiative. An effective confirmation process would also make confirming parties accountable for responding promptly, accurately, and completely to confirmation requests without using unnecessary restrictive language. In recent years, noted Deloitte, auditors have experienced declining response rates to confirmation requests and increasing use of disclaimers or restrictive language in confirmation responses.
Deloitte believes that, if adopted, provisions in the proposed standard calling for significantly more confirmation requests will exacerbate these issues. Deloitte urged the Board, before finalizing the standard, to engage the SEC and the issuer and auditor communities in an effort to improve the effectiveness of the entire confirmation process. Without such an effort, Deloitte questioned the ability of auditors to successfully implement the proposed standard.