Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / AUDIT
Microlesson · 5-min read

SA 505 - External Confirmations

# SA 505 — External Confirmations

## Definition

An external confirmation is audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper form, electronic, or another medium.

External confirmations are particularly valuable because they are independent of the entity and directly obtained by the auditor — both of which raise reliability under SA 500.

## 1. Positive Confirmation Request

  • A request that the confirming party respond directly to the auditor indicating agreement OR disagreement with the information, or providing the requested information.
  • A response to a positive confirmation is expected to provide reliable audit evidence.
  • Risk: the confirming party may reply without verifying that the information is correct (rubber-stamp risk).
  • Mitigation: auditor may not state the amount in the request, asking the confirming party to fill it in (called 'blank' confirmation). However, this may lower response rates because more effort is required.

### Key terms used with confirmation responses

  • Non-response: A failure to respond, or a confirmation request returned undelivered.
  • Exception: Response indicating a difference between the information requested and the information provided by the confirming party.

## 2. Negative Confirmation Request

  • A request that the confirming party respond only if they DISAGREE with the information provided.
  • Provides less persuasive evidence than positive confirmation.
  • Failure to receive a response does NOT explicitly indicate that the request was received, or that the information was verified.
  • Confirming parties are more likely to respond when info is not in their favour, and less likely otherwise.

### When may negative confirmations be used as SOLE substantive procedure?

Only if ALL FOUR conditions are present:

1. Auditor has assessed ROMM as LOW and obtained SAAE on operating effectiveness of controls.

2. A very low exception rate is expected.

3. Population comprises a large number of small and homogeneous items.

4. The auditor is not aware of circumstances that would cause recipients to disregard the request.

## 3. Management's Refusal to Allow the Auditor to Send a Confirmation Request

The auditor shall:

1. Inquire as to mgt's reasons for refusal and seek evidence of their validity and reasonableness.

2. Evaluate implications on the auditor's assessment of ROMM (including fraud risk) and on NTE of other procedures.

3. Perform alternative procedures to obtain relevant and reliable evidence.

If the auditor concludes that:

  • Mgt's refusal is unreasonable, OR
  • Alternative procedures cannot give SAAE,

then:

  • Communicate with TCWG per SA 260.
  • Determine implications for the opinion per SA 705 (likely modify).

## 4. External Confirmation Procedures — Auditor MUST Maintain CONTROL

When using confirmation procedures, the auditor shall maintain control over the confirmation requests, including:

  • Determining the information to be confirmed.
  • Selecting the appropriate confirming party.
  • Designing confirmation requests (proper addressing; responses to come directly to the auditor).
  • Sending the requests, including follow-ups to confirming parties.

## 5. Factors in Designing Confirmation Requests

The design may directly affect the response rate and reliability of evidence. Factors include:

  • Layout and presentation of the request.
  • Assertions being addressed.
  • Specific identified ROMM, including fraud risks.
  • Method of communication (paper, electronic).
  • Prior experience on similar engagements.
  • Ability of the intended confirming party to confirm/provide the info.
  • Mgt's authorisation/encouragement to the confirming party to respond.

## 6. Evaluating the Evidence Obtained

Results may be categorised as:

1. A response indicating agreement with info or providing the info without exception.

2. A response deemed unreliable (e.g., evidence of tampering, suspicious source).

3. A non-response.

4. A response indicating an exception (which the auditor must investigate).

## Memory Hooks

  • Positive vs Negative = explicit reply vs reply-only-if-disagree.
  • CONTROL is the watchword — the auditor (not mgt) determines, selects, designs, and sends.
  • Negative + Sole = Need ALL 4 conditions (Low ROMM + Low exception + Large homogeneous + No disregard risk).

Worked example

### Example 1

Example 1 — Blank Positive Confirmation

For a high-value trade receivable of ₹15 cr from a major customer, the auditor uses a blank positive confirmation: the letter asks the customer to fill in the balance as at 31 March, rather than confirming a stated amount. The customer must look up its records and respond, providing strong evidence — at the cost of a possibly lower response rate.

### Example 2

Example 2 — Negative Confirmation Use

A retail bank has 500,000 savings accounts, controls have been tested and operate effectively, exception rates historically below 0.1%, and no reason to expect customers to ignore the request. The auditor sends negative confirmations to a sample. This is permissible because all 4 conditions are satisfied.

If instead the bank is a new client with high ROMM, negative confirmations as the sole procedure would NOT be acceptable.

### Example 3

Example 3 — Management Refuses Confirmation

Mgt asks the auditor not to send a confirmation to a major debtor (₹25 cr), citing 'sensitive ongoing negotiations'. Auditor: (a) inquires further — discovers the debtor's solvency is doubtful, raising fraud risk; (b) performs alternative procedures (subsequent receipts, sales contracts, dispatch records); (c) if SAAE not obtained → communicate with TCWG and modify the opinion under SA 705.

### Example 4

Example 4 — Exception Response

Bank confirmation states a balance of ₹2.05 cr; the entity's books show ₹2.30 cr. This is an exception of ₹25 lakh. The auditor investigates — finds an uncleared cheque deposit of ₹25 lakh recorded by the entity but not yet credited by the bank. The exception is explained by a timing difference; the auditor verifies the cheque cleared subsequently.

⚠️ Common exam mistakes

  • Allowing management to send confirmation letters or receive responses — the auditor must retain control end-to-end.
  • Using negative confirmations as the SOLE substantive procedure without all 4 conditions present — most candidates remember 2-3 conditions but miss 'recipient not likely to disregard'.
  • Treating a non-response to a negative confirmation as positive evidence of accuracy — it is not.
  • Forgetting to send follow-up requests for non-responses to positive confirmations.
  • Failing to investigate every exception — even small differences may indicate larger issues (e.g., fraud).
  • Skipping inquiry into mgt's reasons for refusing a confirmation — this inquiry is the FIRST required step, not the last.
  • Believing that a positive confirmation response is automatically reliable — auditor must assess if it was returned undelivered, tampered with, or rubber-stamped.
  • Forgetting to communicate with TCWG (SA 260) when mgt's refusal is unreasonable.
Bare-Act text SA 505 · SA 505, ICAI Standards on Auditing · click to expand
SA 505 — External Confirmations. Issued by ICAI. Deals with the auditor's use of external confirmation procedures to obtain audit evidence in accordance with the requirements of SA 330 and SA 500.
← Previous
SA 501 - Audit Evidence: Speci
Next →
SA 510 - Initial Audit Engagem
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic