Electronic Confirmations

December 4, 2008
Sponsored by PASS Online

Recently several major financial institutions have announced that going forward they will only respond to electronic confirmations from auditors. The AICPA’s Auditing Standards Board has attempted to address this decision by issuing Interpretation 1 of AU 330, Use of Electronic Confirmations. The Interpretation states that electronic confirmations can be considered reliable audit evidence if they are properly controlled.
 
What are the risks?

The risks for electronic confirmations include interception, alteration and fraud. SAS 106, Audit Evidence, states that the auditor should consider reliability of the audit evidence obtained. Reliability risks for electronic confirmations include:

  • The source of the confirmation is inappropriate.
  • The respondent to the confirmation is unauthorized to make the confirmation.
  • A third party has compromised the confirmation during the transmission to the auditor.

So what should the process be?

The auditor needs a process in place to minimize the risks associated with confirmations with a third party. If the auditor plans to rely on electronic confirmations, he or she needs to address the three risks related to electronic confirmations. The auditor may choose to use an assurance trust services report or another auditor’s report to assess the design and operation of the controls over electronic confirmations, or the auditor may perform other procedures to obtain adequate audit evidence about the reliability of the confirmations.

Ways to provide security over electronic confirmations

Three ways to provide security over electronic confirmations include:

  • Encryption – encoding electronic data to reduce the risk of third-party intervention in the communication.
  • Electronic digital signatures – using encryption to validate the signer of a document.
  • Website authenticity routines – monitoring data or a website to prevent unauthorized alteration. WebTrust or VeriSign certifications indicate an active protection program.

Where do we go from here?

In today’s electronic age, and with financial institutions looking for more efficient ways to handle auditors’ requests for confirmation of accounts, a requirement to use only electronic confirmations is a foregone conclusion. All we as auditors need to do is put the proper controls in place and join the digital revolution.

From the CPE & Training Solutions Monthly e-newsletter from the Tax & Accounting business of Thomson Reuters, October 2008. To subscribe to this free, informative newsletter, visit trainingcpe.thomson.com.