
External Confirmation Procedures — Auditor's Control Requirements

## External Confirmation Procedures — Auditor Must Maintain Control

Governing Standard: SA 505 – External Confirmations

When using external confirmation procedures, the auditor shall maintain control over the entire process. This means the auditor personally handles:

1. Determining the information to be confirmed or requested

2. Selecting the appropriate confirming party

3. Designing the confirmation requests — ensuring requests are properly addressed and contain return information so responses are sent directly to the auditor

4. Sending the requests, including follow-up requests

### Key Principle: No Delegation to Internal Audit

The external auditor cannot delegate the external confirmation process to the internal audit department. Specifically:

  • The selection of debtors, design of requests, and receipt of responses must remain under the external auditor's control.
  • Responses must be received on the external auditor's contact details, not the internal audit department's.

### Why?

The integrity of external confirmation evidence depends on the confirming party responding directly and independently to the external auditor — bypassing management and internal audit ensures the evidence is not subject to manipulation.

Worked example

### Example 1

Scenario: CA J (statutory auditor of Gemini Ltd.) delegated the entire external confirmation process — choosing trade receivables, designing requests, and receiving responses — to the internal audit department. Responses came to the internal audit department's email. This violates SA 505. CA J must personally control each step: decide which debtors to confirm, design the letters with his own return address, send them out, and receive responses directly. He may involve internal auditors only for clerical tasks that do not compromise his control over the process.

⚠️ Common exam mistakes

  • Allowing management or internal audit to select which debtors receive confirmation requests — this introduces selection bias risk.
  • Letting responses be received at a company email address rather than directly at the external auditor — responses may be intercepted or altered.
  • Treating follow-up as optional — SA 505 requires follow-up requests when applicable.
  • Assuming delegation to internal audit is acceptable because internal audit is 'part of the client' — SA 505 is explicit that the external auditor must maintain control.

Bare-Act text: Auditor's Control over External Confirmation Requests (SA 505 – External Confirmations)

When using external confirmation procedures, the auditor shall maintain control over external confirmation requests, including: (a) Determining the information to be confirmed or requested; (b) Selecting the appropriate confirming party; (c) Designing the confirmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor; and (d) Sending the requests, including follow-up requests when applicable, to the confirming party.