Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / External Confirmations / SA 505
Microlesson · 5-min read

Designing Confirmation Requests, Controls over the Process, and Evaluating Results

## Designing Confirmation Requests: ALARM2 Framework

When designing a confirmation request, the auditor considers the following factors (mnemonic: ALARM2):

LetterFactor
AAssertions for which external confirmation is being prepared
LLayout and presentation of the confirmation request
AAbility and willingness of the intended confirming party to confirm
RRisk of material misstatement (ROMM), including fraud risk
M1Mode of communication — paper, electronic, or other medium
M2Management's authorisation for third parties to respond (confirming parties may refuse without it)
SPrior experience on the audit or similar engagements

---

## Controls over the External Confirmation Procedure (4 Steps)

Step 1 – Determine information to be confirmed/requested

May include terms of agreements, contracts, or transactions; may also confirm the absence of conditions (e.g., no side agreements).

Step 2 – Select appropriate confirming party

Responses are more reliable when sent to a party the auditor believes is knowledgeable about the information being confirmed.

Step 3 – Design confirmation requests

Apply the ALARM2 framework.

Step 4 – Send requests and follow-up requests

If no reply is received within a reasonable time, the auditor may send an additional confirmation request.

---

## Evaluating Evidence Obtained from Confirmations

The auditor categorises results from individual confirmation requests into four groups:

CategoryDescription
AgreementResponse confirms the information — provides direct audit evidence
Response deemed unreliablee.g., returned unsigned, intercepted, or from unauthorised party — treat with scepticism
Non-responseNo reply received — perform alternative procedures
Exception (disagreement)Confirming party disputes the amount or fact — investigate the difference

Worked example

### Example 1

Scenario: An auditor is sending debtor confirmation requests for a company with known fraud risk in revenue. Apply ALARM2 to design the request.

  • A: Assertions targeted — existence, rights and completeness of debtors.
  • L: Use positive confirmation form (requires explicit reply, not just silence = agreement).
  • A: Large institutional debtors are more likely to respond accurately; small individual customers may not.
  • R: High fraud risk → use positive confirmations sent to a larger sample.
  • M1: Electronic confirmation platform preferred for speed and control over delivery.
  • M2: Ensure management's authorisation letter accompanies the request so third parties respond.
  • S: If prior year had a 40% non-response rate, increase sample size this year.

### Example 2

Scenario: The auditor sends 50 confirmation requests. Results: 30 agreements, 5 unreliable responses, 10 non-responses, 5 exceptions.

  • 30 agreements: Sufficient evidence for those balances.
  • 5 unreliable: Do not rely — treat as non-responses; perform alternative procedures.
  • 10 non-responses: Perform alternatives (subsequent receipts, shipping docs).
  • 5 exceptions: Investigate each — could be timing differences, errors, or fraud indicators. Document resolution.

⚠️ Common exam mistakes

  • Using negative confirmation forms (silence = agreement) in high-risk or high-ROMM areas — positive confirmations are required when fraud risk is elevated.
  • Failing to maintain control over the despatch and receipt of confirmations — auditors must send requests directly, not through management.
  • Treating a non-response as an agreement — non-responses require alternative audit procedures.
  • Ignoring exceptions as 'immaterial' without investigation — even small exceptions may indicate systemic errors or fraud.
  • Not following up when no reply is received within a reasonable time — SA 505 requires sending additional requests.
Bare-Act text Para 7 · SA 505 – External Confirmations (ICAI) · click to expand
When designing confirmation requests, the auditor shall consider: the assertions being addressed; the layout and presentation of the confirmation request; prior experience on the audit or similar engagements; the method of communication; management's authorisation or encouragement to the confirming parties to respond to the auditor; and the ability of the intended confirming party to confirm or provide the requested information.
Next →
Management's Refusal to Allow
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic