Statement on Proposed Auditing Standard on Confirmation
Thank you, Mr. Chairman. I support the staff recommendation that the Board publish for public comment the proposed revision to our standard on confirmations.
As I said in my remarks at the open meeting last April when we issued the concept release, it is well-understood that confirmations are a critical part of the audit process. One of the first prominent accounting and auditing cases brought by the Securities and Exchange Commission in the late 1930s highlighted the consequences of inadequate confirmations, when the auditor failed to authenticate what turned out to be falsified documents at the pharmaceutical company, McKesson & Robbins, Inc.
As the SEC eventually found out, of the approximately $87 million in assets shown in McKesson & Robbins' 1937 year-end financial statements, over $19 million were entirely fictitious. These fraudulent accounts consisted primarily of inventories, accounts receivable, and cash. By the time the SEC exposed the fraud in December 1938, the $19 million reportedly had grown to about $21 million through more fraudulent transactions. These numbers are big enough today, but they were huge in the 1930s.
One reason the McKesson fraud was not detected by the company's auditors was the use of inadequate procedures to confirm cash being held by (what then was called) a banking agent, and a complete failure to confirm accounts and notes receivable.
Today, over 70-years since the McKesson case brought the issue of inadequate confirmations to the public's attention, our inspection staff continues to see deficiencies in some firms' confirmation practices.
As thoroughly explained in our release and in the draft standard, auditors use the confirmation process to obtain reliable audit evidence from knowledgeable third parties, outside the company, regarding the existence, completeness, or value of one or more of the company's accounts or statements.
Our proposal would expand the use of the confirmation process to have auditors confirm—
- Receivables that arise from credit sales, loans or other transactions,
- Cash and other relationships with financial institutions, and
- When appropriate, other accounts or balances that pose a significant risk that the financial statements might be materially misstated.
Our proposals also would bring the confirmation process from the age of McKesson and Robbins into the modern age by recognizing and dealing with issues involved with advances in technology.
Those issues include the use of electronic media to send and respond to confirmation requests. Some confirming parties also have indicated that, rather than sending back confirmation responses, they prefer to allow the auditors to have electronic "direct assess" to the company's accounts so the auditor may directly check the confirming party's records. We propose that this type of access could be acceptable but only under certain conditions, such as when the confirming party represents, in writing, that it is aware of both the auditor's confirmation request and the intended use of the requested information, and that the files to be accessed contain information responsive to the auditor's request.
Our proposal also sets out specific steps that the auditor should take during the confirmation process. The use of the word "should" means that investors may presume that the auditor will take those steps unless the auditor can demonstrate that in the particular circumstances alternative actions are sufficient to achieve the objectives of the standard. Some of these steps appear so basic, however, that it is hard to imagine how a confirmation process could be valid without them. Such steps include the auditor maintaining control over the confirmation process, the auditor designing confirmation requests to obtain relevant and reliable audit evidence, and the auditor evaluating the audit evidence obtained from performing confirmation procedures. I will be interested to see if comments from investors and other users of financial statements suggest that these and other steps should be mandatory and occur whenever confirmations are used, without exception. In others words, is it more appropriate for the proposed standard to mandate any of these requirements by using the word "must" rather than "should"? I believe that, with the exception of Auditing Standard No. 6, "Evaluating Consistency of Financial Statements", this is the only standard that the PCAOB has issued or proposed that does not include any mandatory or "must" requirements.
The Board seeks comments on whether, and how, to revise all aspects of the proposal. Earlier in the process, the Board heard comments from its Standing Advisory Group, and this proposal incorporates views from that discussion.
We are seeking input from all interested parties, including audit practitioners and financial statement users. It is important that the PCAOB also hear from Information Technology audit and financial reporting specialists in considering the security implications of an electronic confirmation process.
Most importantly, the Board actively seeks the input of investors, whose interests we are here to protect.
I would like to thank Jennifer Rand, Dee Mirando-Gould and Christopher David from the Office of Chief Auditor, as well as Nina Mojiri-Azad and Bob Burns from the General Counsel's office, for all their hard work in preparing this recommendation for the Board.