Electronic confirmations are increasingly used in practice, thus raising several questions for auditors. Should auditors question the reliability of electronic confirmations? Can they be used as audit evidence? How can auditors verify the respondent’s identity and the confirmation’s source? How can they be sure the confirmation wasn’t intercepted and altered?
These questions also apply to any information used as audit evidence, whether in electronic or other form.
CAS 500, Audit Evidence, indicates that audit evidence is generally more reliable when it is obtained from independent sources outside the entity, obtained directly by the auditor and exists in documentary form, whether paper, electronic or other medium. Accordingly, audit evidence obtained directly by the auditor in the form of external confirmations is typically more reliable than evidence generated internally by the entity.
However, CAS 500 specifies that in general “[a]udit evidence provided by original documents is more reliable than audit evidence provided by photocopies or facsimiles, or documents that have been filmed, digitized or otherwise transformed into electronic form, the reliability of which may depend on the controls over their preparation and maintenance.” (CAS 500.A31) CAS 505, External Confirmations, includes similar guidance: “Responses received electronically, for example, by facsimile or electronic mail, involve risks as to reliability because proof of origin and authority of the respondent may be difficult to establish, and alterations may be difficult to detect.” (CAS 505.A12)
Although electronic confirmations may be used as audit evidence, under CAS 500.A14, auditors are required to determine whether to modify or add procedures to resolve doubts over the reliability of information to be used as audit evidence.
There are different ways to verify the source of electronic information, ranging from validating the respondent’s email address to encrypting confirmation requests with a unique code and ensuring that the response obtained directly from the respondent contains this same code. In addition, the auditor may choose to verify the source and contents of a response to a confirmation request by contacting the confirming party. For example, when a confirming party responds by electronic mail, the auditor may telephone the confirming party to determine whether the confirming party did, in fact, send the response. When a response has been returned to the auditor indirectly (e.g. because the confirming party incorrectly addressed it to the entity rather than to the auditor), the auditor may request the confirming party to respond in writing directly to the auditor.
Using a secure environment for responses received electronically may also mitigate these risks. The reliability of the related responses is enhanced if the auditor is satisfied that such a process is secure and properly controlled. If a system or process facilitating electronic confirmations between the auditor and respondent is in place, and the auditor expects to rely on the related controls, an assurance report on this system or process (e.g. SysTrust report) can assist the auditor in evaluating the design and effectiveness of the automated or manual controls.
It is therefore critical for auditors to question the reliability of electronic confirmations, perform procedures to ascertain their reliability and document their file to support their conclusion.