SA 505 External Confirmations

SA 505*
External Confirmations
(Effective for audit of financial statements for period
beginning on or after April 1, 2010)

Contents
Paragraph(s)
Introduction
Scope of this SA ....................................................... . .............................1
External Confirmation Procedures to Obtain Audit Evidence ............. 2-3
Effective Date .......................................................................................... 4
Objective ................................................................................................ 5
Definitions .............................................................................................. 6
Requirements
External Confirmation Procedures .......................................................... 7
Management’s Refusal to Allow the Auditor to Send a
Confirmation Request .......................................................................... 8-9
Results of the External Confirmation Procedures ............................ 10-14
Negative Confirmations ......................................................................... 15
Evaluating the Evidence Obtained ........................................................ 16
Application and Other Explanatory Material
External Confirmation Procedures .................................................. A1-A7
Management’s Refusal to Allow the Auditor to Send a
Confirmation Request ................................................................... A8-A10
Results of the External Confirmation Procedures ....................... A11-A22
Negative Confirmations ....................................................................... A23
Evaluating the Evidence Obtained .............................................. A24-A25
Modifications vis-a-vis ISA 505, “External Confirmations”
Standard on Auditing (SA) 505, “External Confirmations” should be read
in the context of the “Preface to the Standards on Quality Control,
Auditing, Review, Other Assurance and Related Services”, which sets
out the authority of SAs and SA 200, “Overall Objectives of the
Independent Auditor and the Conduct of an Audit in Accordance with
Standards on Auditing”.

* Published in March, 2010 issue of the Journal.
Handbook of Auditing Pronouncements-I.A

Introduction
Scope of this SA
1. This Standard on Auditing (SA) deals with the auditor’s use of external
confirmation procedures to obtain audit evidence in accordance with the
requirements of SA 3301 and SA 5002. It does not address inquiries regarding
litigation and claims. SA 5013 deals with obtaining sufficient appropriate audit
evidence from such inquiries.
External Confirmation Procedures to Obtain Audit Evidence
2. SA 500 indicates that the reliability of audit evidence is influenced by its
source and by its nature, and is dependent on the individual circumstances under
which it is obtained4. That SA also includes the following generalisations
applicable to audit evidence 5:
 Audit evidence is more reliable when it is obtained from independent
sources outside the entity.
 Audit evidence obtained directly by the auditor is more reliable than audit
evidence obtained indirectly or by inference.
 Audit evidence is more reliable when it exists in documentary form, whether
paper, electronic or other medium.
Accordingly, depending on the circumstances of the audit, audit evidence in the
form of external confirmations received directly by the auditor from confirming
parties may be more reliable than evidence generated internally by the entity.
This SA is intended to assist the auditor in designing and performing external
confirmations procedures to obtain relevant and reliable audit evidence.
3. Other SAs recognise the importance of external confirmations as audit
evidence, for example:
 SA 330 discusses the auditor’s responsibility to design and implement
overall responses to address the assessed risks of material misstatement
at the financial statement level, and to design and perform further audit
procedures whose nature, timing and extent are based on, and are
responsive to, the assessed risks of material misstatement at the assertion
level6. In addition, SA 330 requires that, irrespective of the assessed risks

1 SA 330, “The Auditor’s Responses to Assessed Risks”.
2 SA 500, “Audit Evidence”.
3 SA 501, “Audit Evidence—Specific Considerations for Selected Items”.
4 SA 500, paragraph A5.
5 SA 500, paragraph A31.
6 SA 330, paragraphs 5-6.

SA 505 2
 of material misstatement, the auditor designs and performs substantive
procedures for each material class of transactions, account balance, and
disclosure. The auditor is also required to consider whether external
confirmation procedures are to be performed as substantive audit
procedures7.
 SA 330 requires that the auditor obtain more persuasive audit evidence the
higher the auditor’s assessment of risk8. To do this, the auditor may
increase the quantity of the evidence or obtain evidence that is more
relevant or reliable, or both. For example, the auditor may place more
emphasis on obtaining evidence directly from third parties or obtaining
corroborating evidence from a number of independent sources. SA 330
also indicates that external confirmation procedures may assist the auditor
in obtaining audit evidence with the high level of reliability that the auditor
requires to respond to significant risks of material misstatement, whether
due to fraud or error9.
 SA 240 indicates that the auditor may design confirmation requests to
obtain additional corroborative information as a response to address the
assessed risks of material misstatement, whether due to fraud at the
assertion level10.
 SA 500 indicates that corroborating information obtained from a source
independent of the entity, such as external confirmations, may increase the
assurance the auditor obtains from evidence existing within the accounting
records or from the representations made by the management11.
Effective Date
4. This SA is effective for audit of financial statements for period beginning
on or after April 1, 2010.
Objective
5. The objective of the auditor, when using external confirmation
procedures, is to design and perform such procedures to obtain relevant and
reliable audit evidence.
Definitions
6. For purposes of the SAs, the following terms have the meanings

7 SA 330, paragraph 18 and 19.
8 SA 330, paragraph 7(b).
9 SA 330, paragraph A53.
10 SA 240, “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements”,

paragraph A37.
11 SA 500, paragraph A8.

3 SA 505
Handbook of Auditing Pronouncements-I.A

attributed below:
a) External confirmation – Audit evidence obtained as a direct written
response to the auditor from a third party (the confirming party), in paper
form, or by electronic or other medium.
b) Positive confirmation request – A request that the confirming party respond
directly to the auditor indicating whether the confirming party agrees or
disagrees with the information in the request, or providing the requested
information.
c) Negative confirmation request – A request that the confirming party
respond directly to the auditor only if the confirming party disagrees with the
information provided in the request.
d) Non-response – A failure of the confirming party to respond, or fully
respond, to a positive confirmation request, or a confirmation request
returned undelivered.
e) Exception – A response that indicates a difference between information
requested to be confirmed, or contained in the entity’s records, and
information provided by the confirming party.
Requirements
External Confirmation Procedures
7. When using external confirmation procedures, the auditor shall maintain
control over external confirmation requests, including:
(a) Determining the information to be confirmed or requested; (Ref: Para. A1)
(b) Selecting the appropriate confirming party; (Ref: Para. A2)
(c) Designing the confirmation requests, including determining that requests
are properly addressed and contain return information for responses to be
sent directly to the auditor; and (Ref: Para. A3-A6)
(d) Sending the requests, including follow-up requests when applicable, to the
confirming party. (Ref: Para. A7)
Management’s Refusal to Allow the Auditor to Send a Confirmation
Request
8. If management refuses to allow the auditor to send a confirmation
request, the auditor shall:
(a) Inquire as to management’s reasons for the refusal, and seek audit
evidence as to their validity and reasonableness; (Ref: Para. A8)

SA 505 4
(b) Evaluate the implications of management’s refusal on the auditor’s
assessment of the relevant risks of material misstatement, including the risk
of fraud, and on the nature, timing and extent of other audit procedures;
and (Ref: Para. A9)
(c) Perform alternative audit procedures designed to obtain relevant and
reliable audit evidence. (Ref: Para. A10)
9. If the auditor concludes that management’s refusal to allow the auditor to
send a confirmation request is unreasonable, or the auditor is unable to obtain
relevant and reliable audit evidence from alternative audit procedures, the auditor
shall communicate with those charged with governance in accordance with SA
260(Revised)12. The auditor also shall determine the implications for the audit
and the auditor’s opinion in accordance with SA 705(Revised)13.
Results of the External Confirmation Procedures
Reliability of Responses to Confirmation Requests
10. If the auditor identifies factors that give rise to doubts about the reliability
of the response to a confirmation request, the auditor shall obtain further audit
evidence to resolve those doubts. (Ref: Para. A11-A16)
11. If the auditor determines that a response to a confirmation request is not
reliable, the auditor shall evaluate the implications on the assessment of the
relevant risks of material misstatement, including the risk of fraud, and on the
related nature, timing and extent of other audit procedures. (Ref: Para. A17)
Non-Responses
12. In the case of each non-response, the auditor shall perform alternative
audit procedures to obtain relevant and reliable audit evidence. (Ref: Para A18-
A19)
When a Response to a Positive Confirmation Request is Necessary to
Obtain Sufficient Appropriate Audit Evidence
13. If the auditor has determined that a response to a positive confirmation
request is necessary to obtain sufficient appropriate audit evidence, alternative
audit procedures will not provide the audit evidence the auditor requires. If the
auditor does not obtain such confirmation, the auditor shall determine the
implications for the audit and the auditor’s opinion in accordance with SA
705(Revised). (Ref: Para A20)

12 SA 260(Revised), “Communication with Those Charged with Governance”, paragraph 16.
13 SA 705(Revised), “Modifications to the Opinion in the Independent Auditor’s Report”.

5 SA 505
Handbook of Auditing Pronouncements-I.A

Exceptions
14. The auditor shall investigate exceptions to determine whether or not they
are indicative of misstatements. (Ref: Para. A21-A22)
Negative Confirmations
15. Negative confirmations provide less persuasive audit evidence than
positive confirmations. Accordingly, the auditor shall not use negative
confirmation requests as the sole substantive audit procedure to address an
assessed risk of material misstatement at the assertion level unless all of the
following are present: (Ref: Para. A23)
(a) The auditor has assessed the risk of material misstatement as low and has
obtained sufficient appropriate audit evidence regarding the operating
effectiveness of controls relevant to the assertion;
(b) The population of items subject to negative confirmation procedures
comprises a large number of small, homogeneous, account balances,
transactions or conditions;
(c) A very low exception rate is expected; and
(d) The auditor is not aware of circumstances or conditions that would cause
recipients of negative confirmation requests to disregard such requests.
Evaluating the Evidence Obtained
16. The auditor shall evaluate whether the results of the external confirmation
procedures provide relevant and reliable audit evidence, or whether performing
further audit procedures is necessary. (Ref: Para A24-A25)
***
Application and Other Explanatory Material
External Confirmation Procedures
Determining the Information to be Confirmed or Requested (Ref: Para. 7(a))
A1. External confirmation procedures frequently are performed to confirm or
request information regarding account balances and their elements. They may
also be used to confirm terms of agreements, contracts, or transactions between
an entity and other parties, or to confirm the absence of certain conditions, such
as a “side agreement”.
Selecting the Appropriate Confirming Party (Ref: Para. 7(b))
A2. Responses to confirmation requests provide more relevant and reliable
audit evidence when confirmation requests are sent to a confirming party the

SA 505 6
auditor believes is knowledgeable about the information to be confirmed. For
example, a financial institution official who is knowledgeable about the
transactions or arrangements for which confirmation is requested may be the
most appropriate person at the financial institution from whom to request
confirmation.
Designing Confirmation Requests (Ref: Para. 7(c))
A3. The design of a confirmation request may directly affect the confirmation
response rate, and the reliability and the nature of the audit evidence obtained
from responses.
A4. Factors to consider when designing confirmation requests include:
 The assertions being addressed.
 Specific identified risks of material misstatement, including fraud risks.
 The layout and presentation of the confirmation request.
 Prior experience on the audit or similar engagements.
 The method of communication (for example, in paper form, or by electronic
or other medium).
 Management’s authorisation or encouragement to the confirming parties to
respond to the auditor. Confirming parties may only be willing to respond to
a confirmation request containing management’s authorisation.
 The ability of the intended confirming party to confirm or provide the
requested information (for example, individual invoice amount versus total
balance).
A5. A positive external confirmation request asks the confirming party to reply
to the auditor in all cases, either by indicating the confirming party’s agreement
with the given information, or by asking the confirming party to provide
information. A response to a positive confirmation request ordinarily is expected
to provide reliable audit evidence. There is a risk, however, that a confirming
party may reply to the confirmation request without verifying that the information
is correct. The auditor may reduce this risk by using positive confirmation
requests that do not state the amount (or other information) on the confirmation
request, and ask the confirming party to fill in the amount or furnish other
information. On the other hand, use of this type of “blank” confirmation request
may result in lower response rates because additional effort is required of the
confirming parties.
A6. Determining that requests are properly addressed includes testing the
validity of some or all of the addresses on confirmation requests before they are
sent out.

7 SA 505
Handbook of Auditing Pronouncements-I.A

Follow-Up on Confirmation Requests (Ref: Para. 7(d))
A7. The auditor may send an additional confirmation request when a reply to
a previous request has not been received within a reasonable time. For example,
the auditor may, having re-verified the accuracy of the original address, send an
additional or follow-up request.
Management’s Refusal to Allow the Auditor to Send a Confirmation
Request
Reasonableness of Management’s Refusal (Ref: Para. 8(a))
A8. A refusal by management to allow the auditor to send a confirmation
request is a limitation on the audit evidence the auditor may wish to obtain. The
auditor is therefore required to inquire as to the reasons for the limitation. A
common reason advanced is the existence of a legal dispute or ongoing
negotiation with the intended confirming party, the resolution of which may be
affected by an untimely confirmation request. The auditor is required to seek
audit evidence as to the validity and reasonableness of the reasons because of
the risk that management may be attempting to deny the auditor access to audit
evidence that may reveal fraud or error.
Implications for the Assessment of Risks of Material Misstatement (Ref:
Para. 8(b))
A9. The auditor may conclude from the evaluation in paragraph 8(b) that it
would be appropriate to revise the assessment of the risks of material
misstatement at the assertion level and modify planned audit procedures in
accordance with SA 31514. For example, if management’s request to not confirm
is unreasonable, this may indicate a fraud risk factor that requires evaluation in
accordance with SA 24015.
Alternative Audit Procedures (Ref: Para. 8(c))
A10. The alternative audit procedures performed may be similar to those
appropriate for a non-response as set out in paragraphs A18-A19 of this SA.
Such procedures also would take account of the results of the auditor’s
evaluation in paragraph 8(b) of this SA.
Results of the External Confirmation Procedures
Reliability of Responses to Confirmation Requests (Ref: Para. 10)
A11. SA 500 indicates that even when audit evidence is obtained from sources

14 SA 315, paragraph 31.
15 SA 240, paragraph 24.

SA 505 8
external to the entity, circumstances may exist that affect its reliability16. All
responses carry some risk of interception, alteration or fraud. Such risk exists
regardless of whether a response is obtained in paper form, or by electronic or
other medium. Factors that may indicate doubts about the reliability of a
response include that it:
 Was received by the auditor indirectly; or
 Appeared not to come from the originally intended confirming party.
A12. Responses received electronically, for example by facsimile or electronic
mail, involve risks as to reliability because proof of origin and authority of the
respondent may be difficult to establish, and alterations may be difficult to detect.
A process used by the auditor and the respondent that creates a secure
environment for responses received electronically may mitigate these risks. If the
auditor is satisfied that such a process is secure and properly controlled, the
reliability of the related responses is enhanced. An electronic confirmation
process might incorporate various techniques for validating the identity of a
sender of information in electronic form, for example, through the use of
encryption, electronic digital signatures, and procedures to verify website
authenticity.
A13. If a confirming party uses a third party to coordinate and provide
responses to confirmation requests, the auditor may perform procedures to
address the risks that:
(a) The response may not be from the proper source;
(b) A respondent may not be authorised to respond; and
(c) The integrity of the transmission may have been compromised.
A14. The auditor is required by SA 500 to determine whether to modify or add
procedures to resolve doubts over the reliability of information to be used as
audit evidence17. The auditor may choose to verify the source and contents of a
response to a confirmation request by contacting the confirming party. For
example, when a confirming party responds by electronic mail, the auditor may
telephone the confirming party to determine whether the confirming party did, in
fact, send the response. When a response has been returned to the auditor
indirectly (for example, because the confirming party incorrectly addressed it to
the entity rather than to the auditor), the auditor may request the confirming party
to respond in writing directly to the auditor.

16 SA 500, paragraph A31.
17 SA 500, paragraph 11.

9 SA 505
Handbook of Auditing Pronouncements-I.A

A15. On its own, an oral response to a confirmation request does not meet the
definition of an external confirmation because it is not a direct written response to
the auditor. However, upon obtaining an oral response to a confirmation request,
the auditor may, depending on the circumstances, request the confirming party to
respond in writing directly to the auditor. If no such response is received, in
accordance with paragraph 12, the auditor seeks other audit evidence to support
the information in the oral response.
A16. A response to a confirmation request may contain restrictive language
regarding its use. Such restrictions do not necessarily invalidate the reliability of
the response as audit evidence.
Unreliable Responses (Ref: Para. 11)
A17. When the auditor concludes that a response is unreliable, the auditor may
need to revise the assessment of the risks of material misstatement at the
assertion level and modify planned audit procedures accordingly, in accordance
with SA 31518. For example, an unreliable response may indicate a fraud risk
factor that requires evaluation in accordance with SA 24019.
Non-Responses (Ref: Para. 12)
A18. Examples of alternative audit procedures the auditor may perform
include:
 For accounts receivable balances – examining specific subsequent cash
receipts, shipping documentation, and sales near the period-end.
 For accounts payable balances – examining subsequent cash
disbursements or correspondence from third parties, and other records,
such as goods received notes.
A19. The nature and extent of alternative audit procedures are affected by the
account and assertion in question. A non-response to a confirmation request
may indicate a previously unidentified risk of material misstatement. In such
situations, the auditor may need to revise the assessed risk of material
misstatement at the assertion level, and modify planned audit procedures, in
accordance with SA 31520. For example, fewer responses to confirmation
requests than anticipated, or a greater number of responses than anticipated,
may indicate a previously unidentified fraud risk factor that requires evaluation in
accordance with SA 24021.

18 SA 315, paragraph 31.
19 SA 240, paragraph 24.
20 SA 315, paragraph 31.
21 SA 240, paragraph 24.

SA 505 10
When a Response to a Positive Confirmation Request is Necessary to
Obtain Sufficient Appropriate Audit Evidence (Ref: Para. 13)
A20. In certain circumstances, the auditor may identify an assessed risk of
material misstatement at the assertion level for which a response to a positive
confirmation request is necessary to obtain sufficient appropriate audit evidence.
Such circumstances may include where:
 The information available to corroborate management’s assertion(s) is only
available outside the entity.
 Specific fraud risk factors, such as the risk of management override of
controls, or the risk of collusion which can involve employee(s) and/or
management, prevent the auditor from relying on evidence from the entity.
Exceptions (Ref: Para. 14)
A21. Exceptions noted in responses to confirmation requests may indicate
misstatements or potential misstatements in the financial statements. When a
misstatement is identified, the auditor is required by SA 240 to evaluate whether
such misstatement is indicative of fraud22. Exceptions may provide a guide to the
quality of responses from similar confirming parties or for similar accounts.
Exceptions also may indicate a deficiency, or deficiencies, in the entity’s internal
control over financial reporting.
A22. Some exceptions do not represent misstatements. For example, the
auditor may conclude that differences in responses to confirmation requests are
due to timing, measurement, or clerical errors in the external confirmation
procedures.
Negative Confirmations (Ref: Para. 15)
A23. The failure to receive a response to a negative confirmation request does
not explicitly indicate receipt by the intended confirming party of the confirmation
request or verification of the accuracy of the information contained in the request.
Accordingly, a failure of a confirming party to respond to a negative confirmation
request provides significantly less persuasive audit evidence than does a
response to a positive confirmation request. Confirming parties also may be
more likely to respond indicating their disagreement with a confirmation request
when the information in the request is not in their favour, and less likely to
respond otherwise. For example, holders of bank deposit accounts may be more
likely to respond if they believe that the balance in their account is understated in
the confirmation request, but may be less likely to respond when they believe the

22 SA 240, paragraph 35.

11 SA 505
Handbook of Auditing Pronouncements-I.A

balance is overstated. Therefore, sending negative confirmation requests to
holders of bank deposit accounts may be a useful procedure in considering
whether such balances may be understated, but is unlikely to be effective if the
auditor is seeking evidence regarding overstatement.
Evaluating the Evidence Obtained (Ref: Para. 16)
A24. When evaluating the results of individual external confirmation requests,
the auditor may categorise such results as follows:
(a) A response by the appropriate confirming party indicating agreement with
the information provided in the confirmation request, or providing requested
information without exception;
(b) A response deemed unreliable;
(c) A non-response; or
(d) A response indicating an exception.
A25. The auditor’s evaluation, when taken into account with other audit
procedures the auditor may have performed, may assist the auditor in concluding
whether sufficient appropriate audit evidence has been obtained or whether
performing further audit procedures is necessary, as required by SA 33023.
Modifications vis-a-vis ISA 505, “External Confirmations”
SA 505, “External Confirmations” does not contain any modifications vis-à-vis
ISA 505.

23 SA 330, paragraphs 26-27.

SA 505 12