Collecting Better Evidence: Proposal to Strengthen an Auditor’s Use of Confirmation

Remarks as prepared for delivery

Today, we are considering how to modernize baseline auditor responsibilities for obtaining independent third-party evidence in an audit.

Confirmation, also known as circularization, is as old as the practice of auditing itself.

In 1913, early auditing literature placed a heavy emphasis on the importance of obtaining independent third-party evidence when performing audits. It instructed auditors that cash “should be…verified by independent confirmation” and that the confirmation of accounts receivable was “the only satisfactory verification.”1  

In 1939, obtaining independent third-party evidence by confirmation became a generally accepted auditing “procedure.” In fact, it was the very first one.

This adoption was mainly a result of the newly formed Securities and Exchange Commission’s (SEC) Commission. The Commission’s first financial fraud investigation found that a seventeen-year-long fraud at McKesson and Robbins would have been revealed years earlier if the auditor had simply confirmed what the company had reported for inventories and accounts receivable.2  

As a result, this generally accepted auditing procedure—to gather independent third-party evidence-- became required for all audits. And, if an auditor did not look for external evidence from confirmations, this had to be highlighted for investors in the audit report.3

And yet, when a company suddenly implodes, many of us are often stunned to learn that basic audit procedures, including obtaining independent third-party evidence through confirmation, were not used.

The Wirecard case in Germany is a good example. We are learning from the ongoing criminal trial that the alleged fraud – the country’s largest ever - involved vast amounts of fake revenues, a complex web of transactions routed through a variety of shell companies, and a false picture of financial strength and liquidity.

The fraud unraveled when the company defaulted on bond payments even though it had more than adequate cash on its balance sheet. Where was this online payment processor’s $2 billion in cash located (25% of the balance sheet)? Company management said the cash was in two banks in the Philippines, and this was supported by the company’s records and internal documents.

But no one asked the banks.

Let me just say that again: No one, including the company’s independent auditor for many years, asked the banks.

A few days before the company’s bankruptcy, investigators sought out the banks and both institutions “confirmed” that there was no banking relationship with Wirecard. There was no money, and there never had been.

Unfortunately, recent history is replete with examples of staggering corporate failures where a company’s books, records, and internal documents provided a vastly different picture from economic reality.

In 1999, discovery of HealthSouth’s $2.8 billion fraud and $300 million cash shell-game ended seventeen years of picture-perfect financial results4; in 2002, family loans and an embezzled $1 billion was discovered at Adelphia5; in 2003, nobody could find Parmalat’s $5 billion in milk money6; and in 2008, sham customer sales of Satyam were cut off as it was revealed that $1 billion in cash never existed.7

As a Senate staffer, I watched as the facade of Lehman’s repo transactions crumbled, revealing its significantly off-market terms with its counterparties. Lehmann’s bankruptcy sparked what almost became a collapse of the international financial system.

The list is nowhere near all inclusive, but all these cases involve a lack of challenge by the auditor, or as the Commission articulated in 1939, a failure to “employ a degree of vigilance, inquisitiveness, and analysis of the evidence”.

And that is what confirmation is all about.

So, in my mind, today’s proposed auditing standard is really about the auditor’s challenge of management’s assertions as part of the audit. Today’s proposal emphasizes the auditor’s duty to obtain the highest quality of audit evidence in response to that challenge.

Certain valuable audit evidence can only be provided by a knowledgeable independent third party. An auditor’s use of confirmation can shed light on management’s assertions, help identify related-party transactions or complex arrangements, and verify the existence of cash.

Properly designed confirmations procedures may involve the auditor using the confirmation process for balances, transactions, elements of an arrangement, management representations, or any information that supports assertions, assumptions, or estimates.

Sometimes auditors view requesting and obtaining confirmations as inefficient or troublesome.

In 1974, the AICPA (American Institute of Certified Public Accountants) eliminated the requirement for auditors to tell investors when confirmation of accounts receivable was not performed.8 It appears that the use of confirmations by public company auditors then declined after the mandatory requirement was removed.

In response to a Board proposal in 2010 to expand an auditor’s use of confirmation, audit firms largely opposed the proposal, while market participants asked for enhanced use of confirmation by auditors and that the Board require confirmation of cash.9 

Advancements in technology regarding confirmations have also changed the auditing landscape. The proposal before us recognizes that electronic platforms have been developed by intermediaries that are making it easier and more efficient to obtain third-party confirmations. On the other hand, some auditors have said that computer algorithms that show a high degree of correlation among entries in a company’s books and records (such as postings for sales, accounts receivable, and cash) will provide similarly persuasive audit evidence to external confirmations but at reduced effort and less cost.

These algorithms tend to validate the posting process, looking only at internal company information, which equates to a circular reference by using company data to validate company data.

Instead of this mutually exclusive paradigm, an auditor’s use of confirmations should be considered as a tool for a balanced information search strategy-- beginning in the risk assessment and planning phases and proceeding throughout the audit.

The resulting third-party evidence can identify or reveal side arrangements, management override of controls, roundtrip transactions, contingent losses, and unusual or complex arrangements.

When combined with other information obtained during the audit, confirmations can raise the level of sufficiency and the reliability of accumulated audit evidence.

Of course, I am interested in all comments regarding today’s proposal. However, I am particularly interested in answers to the following questions:

  1. Would investors find it useful in making investment decisions to have more information about the auditor’s use of confirmation? Would investors find it useful to have auditors describe how confirmation was or was not used during the audit ?
  2. Does the proposed standard provide the auditor with sufficient flexibility to use the confirmation process to obtain independent third-party evidence in response to the audit risk assessment and for any element of a financial statement assertion or account?
  3. The proposed standard provides that an auditor may conclude other procedures would result in audit evidence at least as persuasive as could be obtained from the confirmation process. How should this be evaluated? What factors should be used to make this determination? How can this be back tested?

Finally, but most importantly, I want to thank the staff, including Lisa Busedu, Dani Verbeck, David Hardison, and Dima Andriyenko from the Office of the Chief Auditor; and Tian Lian and Tasneem Raihan from the Office of Economic and Risk Analysis.

Thank you, and I look forward to receiving feedback on this proposal.

1 Nine years after the first Certified Public Accountant designation was created in the United States, confirmation was recognized in 1905 as an audit method, Robert H. Montgomery, Auditing Theory and Practice 91 (confirmation of cash deposits), 263 (confirmation of accounts receivable), and 353 (confirmation of demand notes) (1912).

2 In 1939, the American Institute of Accountants adopted Statement on Auditing Procedure No. 1 ("SAP No. 1") as a direct response to the McKesson & Robbins fraud case, which had continued for thirteen years prior to discovery in 1937. The SEC found that 20% of the assets of McKesson & Robbins were fictious and noted that the auditor “failed to employ a degree of vigilance, inquisitiveness, and analysis of the evidence available that is necessary” and that the overstatement of assets would have been discovered if the auditors had conducted independent confirmation. The auditor subsequently returned the audit fee.


3 In 1942, the standard audit report was changed to require disclosure in the auditor’s report of all cases in which communication with debtors concerning material accounts receivable was not carried out, even if the auditor was able to substantiate accounts receivable balances by alternative procedures.  The AICPA removed this requirement in the 1970s.


4 David McCann, Two CFOs Tell a Tale of Fraud at HealthSouth, CFO (March 27, 2017)

5 The Commission noted that auditor “substitute[ed] management’s representations for competent evidence” and issued an Order finding that Deloitte engaged in improper professional conduct and caused Adelphia's violations of the recordkeeping provisions of the securities laws because it failed to detect a massive fraud perpetrated by Adelphia and certain members of the Rigas family. See Accounting and Auditing Enforcement Release No. 2237/ April 26, 2005  

6 See Accounting and Auditing Enforcement Release No. 1936 / December 30, 2003, and Securities and Exchange Commission v. Parmalat Finanziaria S.p.A., Case No. 03 CV 10266 (PKC) (S.D.N.Y.)

7 Satyam – an information technology services company based in Hyderabad, India – used false invoices and forged bank statements to inflate the company’s cash balances and make it appear far more profitable to investors. The SEC sanctioned Satyam’s former independent auditors for violations of federal securities laws and improper professional conduct while auditing the company’s financial statements from 2005 through January 2009. See U.S. Securities and Exchange Commission, Accounting and Auditing Enforcement Release No. 3258 / April 5, 2011

8 SAS No. 2, Reports on Audited Financial Statements (1974)

9 PCAOB Concept Release on Possible Revisions to the PCAOB’s Standard on Audit Confirmations, PCAOB Release NO. 2009-002 (April 19, 2009); Proposed Auditing Standard Related to Confirmation, PCAOB Release NO. 2010-003 (July 13, 2010) (Docket 028)