[Federal Register Volume 88, Number 199 (Tuesday, October 17, 2023)]
[Notices]
[Pages 71684-71724]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-22491]



[[Page 71683]]

Vol. 88

Tuesday,

No. 199

October 17, 2023

Part III





Securities and Exchange Commission





-----------------------------------------------------------------------





Public Company Accounting Oversight Board; Notice of Filing of Proposed 
Rules on the Auditor's Use of Confirmation, and Other Amendments to 
Related PCAOB Standards; Notice

  Federal Register / Vol. 88, No. 199 / Tuesday, October 17, 2023 / 
Notices  

[[Page 71684]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-98689; File No. PCAOB-2023-02]


Public Company Accounting Oversight Board; Notice of Filing of 
Proposed Rules on the Auditor's Use of Confirmation, and Other 
Amendments to Related PCAOB Standards

October 5, 2023.
    Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the 
``Act''), notice is hereby given that on October 4, 2023, the Public 
Company Accounting Oversight Board (the ``Board'' or ``PCAOB'') filed 
with the Securities and Exchange Commission (the ``Commission'' or 
``SEC'') the proposed rules described in Items I and II below, which 
items have been prepared by the Board. The Commission is publishing 
this notice to solicit comments on the proposed rules from interested 
persons.

I. Board's Statement of the Terms of Substance of the Proposed Rules

    On September 28, 2023, the Board adopted amendments to auditing 
standards for the auditor's use of confirmation, and amendments to 
related PCAOB standards (collectively, the ``proposed rules''), 
including the retitling and replacement of an existing standard with a 
new standard. The text of the proposed rules appears in Exhibit A to 
the SEC Filing Form 19b-4 and is available on the Board's website at 
https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-028-proposed-auditing-standard-related-to-confirmation and at the 
Commission's Public Reference Room.

II. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

    In its filing with the Commission, the Board included statements 
concerning the purpose of, and basis for, the proposed rules and 
discussed comments it received on the proposed rules. The text of these 
statements may be examined at the places specified in Item IV below. 
The Board has prepared summaries, set forth in sections A, B, and C 
below, of the most significant aspects of such statements. In addition, 
the Board is requesting that the Commission approve the proposed rules, 
pursuant to Section 103(a)(3)(C) of the Act, for application to audits 
of emerging growth companies (``EGCs''), as that term is defined in 
Section 3(a)(80) of the Securities Exchange Act of 1934 (``Exchange 
Act''). The Board's request is set forth in section D.

A. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

(a) Purpose
Summary
    The Board is replacing AS 2310, The Confirmation Process, in its 
entirety with a new standard, AS 2310, The Auditor's Use of 
Confirmation (``new standard'') to strengthen and modernize the 
requirements for the confirmation process. As described in the new 
standard, the confirmation process involves selecting one or more items 
to be confirmed, sending a confirmation request directly to a 
confirming party (e.g., a financial institution), evaluating the 
information received, and addressing nonresponses and incomplete 
responses to obtain audit evidence about one or more financial 
statement assertions. If properly designed and executed by an auditor, 
the confirmation process may provide important evidence that the 
auditor obtains as part of an audit of a company's financial 
statements.
Why the Board Is Adopting These Changes Now
    AS 2310 is an important standard for audit quality and investor 
protection, as the audit confirmation process touches nearly every 
audit. The standard was initially written over 30 years ago and has had 
minimal amendments since its adoption by the PCAOB in 2003.
    The Board adopted the new standard after substantial outreach, 
including several rounds of public comment. The PCAOB previously 
considered updating AS 2310 by issuing a concept release in 2009 and a 
proposal in 2010 for a new auditing standard that would supersede AS 
2310. While the PCAOB did not amend or replace AS 2310 at that time, 
subsequent developments--including the increasing use of electronic 
communications and third-party intermediaries in the confirmation 
process--led the Board to conclude that enhancements to AS 2310 and 
modifications to the approach proposed in 2010 could improve the 
quality of audit evidence obtained by auditors. In addition, the Board 
has observed continued inspection findings related to auditors' use of 
confirmation, as well as enforcement actions involving failures to 
adhere to requirements in the existing auditing standard regarding 
confirmation, such as the requirement for the auditor to maintain 
control over the confirmation process.
    Accordingly, having considered these developments and input from 
commenters, the Board revisited the previously proposed changes and 
issued a new proposed standard to replace AS 2310, along with 
conforming amendments to other PCAOB auditing standards, in December 
2022. Commenters generally supported the Board's objective of improving 
the confirmation process, and suggested areas to further improve the 
new standard, modify proposed requirements that would not likely 
improve audit quality, and clarify the application of the new standard. 
In adopting the new standard and related amendments, the Board has 
taken into account all of these comments, as well as observations from 
PCAOB oversight activities.
Key Provisions of the New Standard
    The new standard and related amendments are intended to enhance the 
PCAOB's requirements on the use of confirmation by describing 
principles-based requirements that apply to all methods of 
confirmation, including paper-based and electronic means of 
communications. In addition, the new standard is more expressly 
integrated with the PCAOB's risk assessment standards by incorporating 
certain risk-based considerations and emphasizing the auditor's 
responsibilities for obtaining relevant and reliable audit evidence 
through the confirmation process. Among other things, the new standard:
     Includes a new requirement regarding confirming cash and 
cash equivalents held by third parties (``cash''), or otherwise 
obtaining relevant and reliable audit evidence by directly accessing 
information maintained by a knowledgeable external source;
     Carries forward the existing requirement regarding 
confirming accounts receivable, while addressing situations where it 
would not be feasible for the auditor to perform confirmation 
procedures or obtain relevant and reliable audit evidence for accounts 
receivable by directly accessing information maintained by a 
knowledgeable external source;
     States that the use of negative confirmation requests 
alone does not provide sufficient appropriate audit evidence (and 
includes examples of situations where the auditor may use negative 
confirmation requests to supplement other substantive audit 
procedures);
     Emphasizes the auditor's responsibility to maintain 
control over the confirmation process and provides that the auditor is 
responsible for selecting the items to be confirmed,

[[Page 71685]]

sending confirmation requests, and receiving confirmation responses; 
and
     Identifies situations in which alternative procedures 
should be performed by the auditor (and includes examples of such 
alternative procedures that may provide relevant and reliable audit 
evidence for a selected item).
(b) Statutory Basis
    The statutory basis for the proposed rules is Title I of the Act.

B. Board's Statement on Burden on Competition

    Not applicable. The Board's consideration of the economic impacts 
of the proposed rules is discussed in section D below.

C. Board's Statement on Comments on the Proposed Rules Received From 
Members, Participants or Others

    The Board released the proposed rules for public comment in PCAOB 
Release No. 2022-009 (Dec. 20, 2022) (``2022 Proposal''). The Board 
previously issued a concept release for public comment in PCAOB Release 
No. 2009-002 (Apr. 14, 2009) (``2009 Concept Release'') and a proposed 
auditing standard related to confirmation and related amendments to 
PCAOB standards in PCAOB Release No. 2010-003 (July 13, 2010) (``2010 
Proposal''). The Board received 98 written comment letters relating to 
the 2022 Proposal, the 2009 Concept Release, and the 2010 Proposal. The 
Board has carefully considered all comments received. The Board's 
response to the comments it received and the changes made to the rules 
in response to the comments received are discussed below.
Background
    Information obtained by the auditor directly from knowledgeable 
external sources, including through confirmation, can be an important 
source of evidence obtained as part of an audit of a company's 
financial statements.\1\ Confirmation has long been used by auditors. 
For example, one early auditing treatise noted the importance of 
confirmation for cash deposits, accounts receivable, and demand 
notes.\2\ In addition, confirmation of accounts receivable has been a 
required audit procedure in the United States since 1939, when the 
American Institute of Accountants \3\ adopted Statement on Auditing 
Procedure No. 1 (``SAP No. 1'') as a direct response to the McKesson & 
Robbins fraud case, which involved fraudulently reported inventories 
and accounts receivable that the independent auditors failed to detect 
after performing other procedures that did not involve confirmation.\4\
---------------------------------------------------------------------------

    \1\ See, e.g., paragraph 08 of AS 1105, Audit Evidence 
(providing that, in general, ``[e]vidence obtained from a 
knowledgeable source that is independent of the company is more 
reliable than evidence obtained only from internal company 
sources'').
    \2\ Robert H. Montgomery, Auditing Theory and Practice 91 
(confirmation of cash deposits), 263 (confirmation of accounts 
receivable), and 353 (confirmation of demand notes) (1912).
    \3\ The American Institute of Accountants was the predecessor to 
the American Institute of CPAs (``AICPA'').
    \4\ See In the Matter of McKesson & Robbins, Inc., SEC Rel. No. 
34-2707 (Dec. 5, 1940).
---------------------------------------------------------------------------

    SAP No. 1 required confirmation of accounts receivable by direct 
communication with customers in all independent audits of financial 
statements, subject to the auditor's ability to overcome the 
presumption to confirm accounts receivable for certain reasons. 
Following the adoption of SAP No. 1, the accounting profession also 
adopted a requirement in 1942, which remained in effect until the early 
1970s, that auditors should disclose in the auditor's report when 
confirmation of accounts receivable was not performed. The AICPA's 
subsequent revisions to its auditing standards included the 
promulgation of AU sec. 330, The Confirmation Process, which was 
adopted in 1991 and took effect in 1992. The PCAOB adopted AU sec. 330 
(now AS 2310) as an interim standard in 2003.\5\
---------------------------------------------------------------------------

    \5\ Shortly after the Board's inception, the Board adopted the 
existing standards of the AICPA, as in existence on Apr. 16, 2003, 
as the Board's interim auditing standards. See Establishment of 
Interim Professional Auditing Standards, PCAOB Rel. No. 2003-006 
(Apr. 18, 2003). AU sec. 330 was one of these auditing standards. As 
of Dec. 31, 2016, the PCAOB reorganized its auditing standards using 
a topical structure and a single, integrated number system, at which 
time AU sec. 330 was designated AS 2310. See Reorganization of PCAOB 
Auditing Standards and Related Amendments to PCAOB Standards and 
Rules, PCAOB Rel. No. 2015-002 (Mar. 31, 2015).
---------------------------------------------------------------------------

    The amendments to the standards for the auditor's use of 
confirmation are intended to improve audit quality through principles-
based requirements that apply to all methods of confirmation and are 
more expressly integrated with the Board's risk assessment standards. 
These enhancements should also lead to improvements in practice, 
commensurate with the associated risk, among audit firms of all sizes. 
The expected increase in audit quality should also enhance the 
credibility of information provided in a company's financial 
statements.
Rulemaking History
    The final amendments to the auditing standards reflect public 
comments on a concept release and two proposals. In April 2009, the 
PCAOB issued a concept release seeking public comment on the potential 
direction of a standard-setting project that could result in amendments 
to the PCAOB's existing standard on the confirmation process or a new 
auditing standard that would supersede the existing standard.\6\ The 
2009 Concept Release discussed existing requirements and posed 
questions about potential amendments to those requirements.
---------------------------------------------------------------------------

    \6\ Concept Release on Possible Revisions to the PCAOB's 
Standard on Audit Confirmations, PCAOB Rel. No. 2009-002 (Apr. 14, 
2009).
---------------------------------------------------------------------------

    In July 2010, the PCAOB proposed an auditing standard that, if 
adopted, would have superseded the existing confirmation standard.\7\ 
The 2010 Proposal was informed by comments on the 2009 Concept Release 
and was intended to strengthen the existing standard by, among other 
things, expanding certain requirements and introducing new 
requirements. In general, commenters on the 2010 Proposal supported 
updating the existing standard to address relevant developments in 
audit practice, including greater use of emailed confirmation requests 
and responses and the involvement of third-party intermediaries. At the 
same time, some commenters asserted that the proposed requirements in 
the 2010 Proposal were unduly prescriptive (i.e., included too many 
presumptively mandatory requirements) and would result in a significant 
increase in the volume of confirmation requests without a corresponding 
increase in the quality of audit evidence obtained by the auditor. The 
PCAOB did not adopt the 2010 Proposal.
---------------------------------------------------------------------------

    \7\ Proposed Auditing Standard Related to Confirmation and 
Related Amendments to PCAOB Standards, PCAOB Rel. No. 2010-003 (July 
13, 2010).
---------------------------------------------------------------------------

    In December 2022, the Board issued a proposed auditing standard to 
improve the quality of audits when confirmation is used by the auditor 
and to reflect changes in the means of communication and in business 
practice since the standard was originally issued.\8\ The 2022 Proposal 
was informed by comments on the 2009 Concept Release and 2010 Proposal 
and specified the auditor's responsibilities regarding the confirmation 
process. The Board received 46 comment letters on the 2022 Proposal 
from commenters across a range of affiliations. Those comments

[[Page 71686]]

are discussed throughout this release. Commenters on the 2022 Proposal 
generally expressed support for the project's objective and suggested 
ways to revise or clarify the proposed standard. The Board considered 
the comments on the 2022 Proposal, as well as on the 2009 Concept 
Release and the 2010 Proposal, in developing the final amendments.\9\ 
The Board also considered observations from PCAOB oversight activities.
---------------------------------------------------------------------------

    \8\ Proposed Auditing Standard--The Auditor's Use of 
Confirmation, and Other Proposed Amendments to PCAOB Standards, 
PCAOB Rel. No. 2022-009 (Dec. 20, 2022). In this exhibit, the term 
``proposed standard'' refers to the proposed auditing standard 
relating to the auditor's use of confirmation as described in the 
2022 Proposal.
    \9\ The comment letters received on the 2009 Concept Release, 
2010 Proposal, and 2022 Proposal are available in the docket for 
this rulemaking on the PCAOB's website (https://pcaobus.org/Rulemaking/Pages/Docket028Comments.aspx).
---------------------------------------------------------------------------

Existing Standard
    This section discusses key provisions of the existing PCAOB 
auditing standard on the confirmation process.
    In 2003, the PCAOB adopted the standard now known as AS 2310 (at 
that time, AU sec. 330), when it adopted the AICPA's standards then in 
existence. Existing AS 2310 indicates that confirmation is the process 
of obtaining and evaluating a direct communication from a third party 
in response to a request for information about a particular item 
affecting financial statement assertions.\10\ For example, an auditor 
might request a company's customers to confirm balances owed at a 
certain date, or request confirmation of a company's accounts or loans 
payable to a bank at a certain date.
---------------------------------------------------------------------------

    \10\ Under PCAOB standards, financial statement assertions can 
be classified into the following categories: existence or 
occurrence, completeness, valuation or allocation, rights and 
obligations, and presentation and disclosure. See, e.g., AS 1105.11.
---------------------------------------------------------------------------

    Key provisions of existing AS 2310 include the following:
     A presumption that the auditor will request confirmation 
of accounts receivable. The standard states that confirmation of 
accounts receivable is a generally accepted auditing procedure and 
provides the situations in which the auditor may overcome the 
presumption.
     Procedures for designing the confirmation request, 
including the requirement that the auditor direct the confirmation 
request to a third party who the auditor believes is knowledgeable 
about the information to be confirmed.
     Procedures relating to the use of both positive and 
negative confirmation requests. A positive confirmation request directs 
the recipient to send a response back to the auditor stating the 
recipient's agreement or disagreement with information stated in the 
request, or furnishing requested information. A negative confirmation 
request directs the recipient to respond back to the auditor only when 
the recipient disagrees with information in the auditor's request. The 
standard states that ``[n]egative confirmation requests may be used to 
reduce audit risk to an acceptable level when (a) the combined assessed 
level of inherent and control risk is low, (b) a large number of small 
balances is involved, and (c) the auditor has no reason to believe that 
the recipients of the requests are unlikely to give them 
consideration.'' \11\ If negative confirmation requests are used, the 
auditor should consider performing other substantive procedures to 
supplement their use.\12\
---------------------------------------------------------------------------

    \11\ See AS 2310.20.
    \12\ Id.
---------------------------------------------------------------------------

     A requirement for the auditor to maintain control over 
confirmation requests and responses by establishing direct 
communication between the intended recipient and the auditor.
     Procedures to consider when the auditor does not receive a 
written confirmation response via return mail, including how the 
auditor should evaluate the reliability of oral and facsimile responses 
to written confirmation requests. The standard provides that, when 
confirmation responses are in other than a written format mailed to the 
auditor, additional evidence may be necessary to establish the validity 
of the respondent.
     A requirement that the auditor should perform alternative 
procedures when the auditor has not received a response to a positive 
confirmation request.
     Requirements for the auditor's evaluation of the results 
of confirmation procedures and any alternative procedures performed by 
the auditor. These provisions include the requirement that, if the 
combined evidence provided by confirmation, alternative procedures, and 
other procedures is not sufficient, the auditor should request 
additional confirmations or extend other tests, such as tests of 
details or analytical procedures.
Current Practice
    This section discusses the Board's understanding of current 
practice based on, among other things, observations from oversight 
activities of the Board and SEC enforcement actions.
Overview of Current Practice
    The audit confirmation process touches nearly every financial 
statement audit conducted under PCAOB auditing standards. This is due 
in part to the presumption in existing AS 2310 that the auditor will 
confirm accounts receivable, which include claims against customers 
that have arisen from the sale of goods or services in the normal 
course of business and a financial institution's loans, unless certain 
exemptions apply. In addition, audit methodologies of many larger audit 
firms affiliated with global networks recommend or require confirming 
cash accounts. In the past, the use of confirmation was a common 
practice for auditing a financial institution's customer deposits. In 
recent years, however, there has been an increased wariness about 
phishing attempts by unauthorized parties aimed at obtaining sensitive 
personal or financial information of customers. As a result, some 
customers might not understand or trust an -unsolicited confirmation 
request from an auditor and, indeed, many financial institutions and 
other companies now advise customers not to reply to unsolicited 
correspondence concerning their accounts or other customer 
relationships.\13\
---------------------------------------------------------------------------

    \13\ Situations that involve using audit procedures other than 
confirmation and situations where companies adopt the policy of 
responding to electronic confirmation requests from auditors only 
through an intermediary are discussed later in this exhibit.
---------------------------------------------------------------------------

    Existing AS 2310 was written at a time when paper-based 
confirmation requests and responses were the prevailing means of 
communication. Since then, emailed confirmation requests and responses, 
and the use of technology-enabled confirmation tools, including the use 
of intermediaries to facilitate the confirmation process, have become 
commonplace. For example, numerous financial institutions in the United 
States, and an increasing number of international banks, mandate the 
use of an intermediary as part of the confirmation process and will not 
otherwise respond to an auditor's confirmation request.
    As noted above, existing AS 2310 provides that the auditor should 
maintain control over the confirmation process. In practice, complying 
with this requirement involves the auditor directly sending the 
confirmation request to the confirming party via mail or email, without 
involving company personnel. The auditor's confirmation request 
generally specifies that any correspondence should be sent directly to 
the auditor's location (or email address) to minimize the risk of 
interference by company personnel. When an intermediary facilitates 
direct electronic communications between the auditor and the confirming 
party, the auditor is still required to maintain control over the 
confirmation process. Procedures performed by audit firms to address 
this requirement vary depending on facts and circumstances.

[[Page 71687]]

Some auditors have used a report on controls at a service organization 
(``SOC report'') to evaluate the design and operating effectiveness of 
the intermediary's controls relevant to sending and receiving 
confirmations.
    Under the existing standard, auditors can use positive confirmation 
requests and, provided certain conditions are met, negative 
confirmation requests. A positive confirmation request either asks the 
recipient to respond directly to the auditor about whether the 
recipient agrees with information that is stated in the request or asks 
the recipient to provide the requested information by filling in a 
blank form. In comparison, a negative confirmation request directs the 
recipient to respond only when the recipient disagrees with the 
information included in the request. In practice, negative confirmation 
requests have typically been used to obtain audit evidence related to 
the completeness of deposit liabilities and other accounts of a similar 
nature and, less frequently, to obtain evidence related to the 
existence of accounts receivable. In some cases, auditors use a 
combination of positive and negative confirmation requests.
Observations From Inspections and Enforcement Actions
    This section discusses observations from PCAOB oversight activities 
and SEC enforcement actions, including (1) PCAOB inspections of 
registered public accounting firms (``firms'') and (2) enforcement 
actions relating to deficient confirmation procedures performed by the 
auditor. These observations have informed the Board's view that 
providing greater clarity as the Board strengthens the requirements 
could result in improved compliance by auditors.
    Inspections. Over the past several years, PCAOB inspections 
indicated that some auditors did not fulfill their responsibilities 
under the existing standard when performing confirmation procedures. 
The shortcomings have been noted at large and small domestic firms, and 
at large firms with domestic and international practices. For example, 
some auditors did not: (1) consider performing procedures to verify the 
source of confirmation responses received electronically; (2) perform 
sufficient alternative procedures; (3) restrict the use of negative 
confirmation requests to situations where the risk of material 
misstatement was assessed as low; or (4) maintain appropriate control 
over the confirmation process, including instances where company 
personnel were involved in either sending or receiving confirmations.
    The PCAOB has also continued to monitor developments relating to 
the use of confirmation through its other oversight and research 
activities. For example, in 2021, the PCAOB staff issued a Spotlight 
discussing, among other things, the use of technology in the 
confirmation process.\14\ In addition, in 2022, the PCAOB staff issued 
a Spotlight that specifically discussed observations and reminders on 
the use of a service provider in the confirmation process.\15\
---------------------------------------------------------------------------

    \14\ See Spotlight: Data and Technology Research Project Update 
(May 2021), available at https://pcaobus.org/resources/staff-publications.
    \15\ See Spotlight: Observations and Reminders on the Use of a 
Service Provider in the Confirmation Process (Mar. 2022), available 
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------

    Enforcement actions. Over the years, there have been a number of 
enforcement actions by the PCAOB and the SEC alleging that auditors 
failed to comply with PCAOB standards related to the confirmation 
process. Enforcement actions have been brought against large and small 
firms, and against U.S. and non-U.S. firms.
    For example, PCAOB enforcement cases have involved allegations that 
auditors failed to: (1) perform appropriate confirmation procedures to 
address a fraud risk; \16\ (2) adequately respond to contradictory 
audit evidence obtained from confirmation procedures; \17\ (3) perform 
appropriate confirmation procedures and alternative procedures for 
accounts receivable; \18\ or (4) maintain proper control over the 
confirmation process.\19\
---------------------------------------------------------------------------

    \16\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Whitley Penn LLP, PCAOB 
Rel. No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin 
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the 
Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No. 105-2015-009 
(Apr. 28, 2015).
    \17\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Ronald R. Chadwick, 
P.C., PCAOB Rel. No. 105-2015-009 (Apr. 28, 2015); In the Matter of 
Price Waterhouse, Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 
2011).
    \18\ See, e.g., In the Matter of Whitley Penn LLP, PCAOB Rel. 
No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin 
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the 
Matter of Wander Rodrigues Teles, PCAOB Rel. No. 105-2017-007 (Mar. 
20, 2017); In the Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No. 
105-2015-009 (Apr. 28, 2015); In the Matter of Price Waterhouse, 
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
    \19\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No. 105-
2020-012 (Sept. 24, 2020); In the Matter of Price Waterhouse, 
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
---------------------------------------------------------------------------

    In several confirmation-related enforcement cases, the SEC alleged 
that the deficient confirmation procedures by the auditors involved 
companies that had engaged in widespread fraud, where properly 
performed confirmation procedures might have led to the detection of 
the fraudulent activity.\20\ Further, in a number of proceedings, the 
SEC alleged that confirmation procedures were not properly designed 
\21\ or, more frequently, that the auditors failed to adequately 
evaluate responses to confirmation requests and perform alternative or 
additional procedures in light of exceptions, nonresponses, or 
responses that should have raised issues as to their reliability or the 
existence of undisclosed related parties.\22\ Several of these 
proceedings were brought in recent years, suggesting that problems 
persist in this area.
---------------------------------------------------------------------------

    \20\ See, e.g., In the Matter of CohnReznick LLP, SEC Rel. 
No.34-95066 (June 8, 2022); In the Matter of Ravindranathan 
Raghunathan, CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the 
Matter of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In 
the Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP A/
K/A Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In 
the Matter of William Joseph Kouser Jr., CPA, SEC Rel. No. 34-80370 
(Apr. 4, 2017).
    \21\ See, e.g., In the Matter of RSM US LLP, SEC Rel. No. 34-
95948 (Sept. 30, 2022); In the Matter of Ravindranathan Raghunathan, 
CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the Matter of 
Winter, Kloman, Moter & Repp, S.C., SEC Rel. No. 34-83168 (May 4, 
2018); In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No. 
34-80918 (June 14, 2017).
    \22\ See, e.g., In the Matter of Jason Jianxun Tang, CPA, SEC 
Rel. No. 34-96347 (Nov. 17, 2022); In the Matter of Steven Kirn, 
CPA, SEC Rel. No. 34-95949 (Sept. 30, 2022); In the Matter of 
Friedman LLP, SEC Rel. No. 34-95887 (Sept. 23, 2022); In the Matter 
of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In the 
Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP A/K/A 
Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In the 
Matter of Anton & Chia, LLP, SEC Rel. No. 34-87033 (Sept. 20, 2019); 
In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No. 34-80918 
(June 14, 2017); In the Matter of William Joseph Kouser Jr., CPA, 
SEC Rel. No. 34-80370 (Apr. 4, 2017).
---------------------------------------------------------------------------

Reasons To Improve Auditing Standards
    The amendments to PCAOB standards being adopted are intended to 
enhance audit quality by clarifying and strengthening the requirements 
for the auditor's use of confirmation. The final amendments are also 
more expressly integrated with the PCAOB's risk assessment standards by 
incorporating certain risk-based considerations and emphasizing the 
auditor's responsibilities for obtaining relevant and reliable audit 
evidence through the confirmation process. The Board believes that 
these improvements will enhance both audit quality and the credibility 
of the information provided in a company's financial statements.
Areas of Improvement
    The Board has identified two important areas where improvements are 
warranted to existing standards, discussed below: (1) updating the 
standards to reflect developments in

[[Page 71688]]

practice and (2) clarifying the auditor's responsibilities to evaluate 
the reliability of evidence obtained through confirmation responses.
Updating the Standards To Reflect Developments in Practice
    The new standard supports the auditor's use of electronic forms of 
communication between the auditor and the confirming party. Since the 
AICPA standard on the confirmation process adopted by the PCAOB took 
effect in 1992, there has been a significant change in the auditing 
environment and the means by which an auditor communicates with 
confirming parties. Emails and other forms of electronic communications 
between auditors and confirming parties have become ubiquitous, and 
third-party intermediaries now often facilitate the electronic 
transmission of confirmation requests and responses between auditors 
and confirming parties.
    In addition, the Board believes its auditing standards should allow 
for continued innovation by auditors in the ways they obtain audit 
evidence. Traditionally, auditors have used confirmation in 
circumstances where reliable evidence about financial statement 
assertions could be obtained directly from a third party that transacts 
with the company (e.g., to confirm the existence of cash or accounts 
receivable). Generally, audit evidence obtained directly from 
knowledgeable external sources, including through confirmation, has 
been viewed as more reliable than evidence obtained through other audit 
procedures available to the auditor,\23\ especially where the auditor 
identified a risk of fraud, chose not to test controls, or determined 
that controls could not be relied on.\24\
---------------------------------------------------------------------------

    \23\ The confirmation process involves obtaining audit evidence 
from a confirming party. Under PCAOB standards, in general, evidence 
obtained from a knowledgeable source that is independent from the 
company is more reliable than evidence obtained only from internal 
company sources. See, e.g., AS 1105.08.
    \24\ See, e.g., Staff Audit Practice Alert No. 8, Audit Risks in 
Certain Emerging Markets (Oct. 3, 2011) (``SAPA No. 8'') at 11 
(stating that, when an auditor has identified fraud risks relating 
to a company's bank accounts or amounts due from customers, ``it is 
important for the auditor to confirm amounts included in the 
company's financial statements directly with a knowledgeable 
individual from the bank or customer who is objective and free from 
bias with respect to the audited entity rather than rely solely on 
information provided by the company's management''). The 
requirements of the new standard are consistent with the guidance in 
SAPA No. 8, which auditors should continue to consider when using 
confirmations to address fraud risks in emerging markets.
---------------------------------------------------------------------------

    The PCAOB staff's research indicates that some audit firms may have 
developed or may yet develop audit techniques that enable the auditor 
to obtain relevant and reliable audit evidence for the same assertions 
by performing substantive audit procedures that do not include 
confirmation, as discussed in more detail below. To reflect these 
developments, the new standard allows the performance of other 
procedures in lieu of confirmation for cash and accounts receivable in 
situations where the auditor can obtain relevant and reliable audit 
evidence by directly accessing information maintained by knowledgeable 
external sources. Further, the new standard acknowledges that, in 
certain situations, it may not be feasible for the auditor to obtain 
audit evidence for accounts receivable directly from a knowledgeable 
external source and provides that in those situations the auditor 
should obtain external information indirectly by performing other 
substantive procedures, including tests of details.
Clarifying the Auditor's Responsibilities To Evaluate the Reliability 
of Confirmation Responses
    While information obtained through the confirmation process can be 
an important source of audit evidence, the confirmation process must be 
properly executed for the evidence obtained to be relevant and 
reliable. The enforcement actions discussed above and other recent 
high-profile financial reporting frauds have also called attention to 
the importance of well-executed confirmation procedures, including the 
confirmation of cash.\25\ In addition, PCAOB oversight activities have 
identified instances in which auditors did not obtain sufficient 
appropriate audit evidence when using confirmation. Accordingly, the 
new standard includes a new requirement to confirm certain cash 
balances and clarifies the auditor's responsibilities to evaluate the 
reliability of evidence obtained through confirmation responses (and, 
when necessary, to obtain audit evidence through alternative 
procedures).
---------------------------------------------------------------------------

    \25\ See, e.g., In the Matter of Mancera, S.C., SEC Rel. No. 34-
90699 (Dec. 17, 2020) (failure by auditors to properly evaluate 
confirmation responses to requests for information on cash balances 
of a Mexican homebuilder subsequently found to have engaged in a 
``multi-billion dollar financial fraud''). See also Olaf Storbeck, 
Tabby Kinder, and Stefania Palma, EY failed to check Wirecard bank 
statements for 3 years, Financial Times (June 26, 2020) (potential 
failure by auditors to confirm cash balances purportedly held by 
Wirecard AG, a German company whose securities were not registered 
with the SEC, directly with a Singapore-based bank).
---------------------------------------------------------------------------

Comments on the Reasons for Standard Setting
    Many commenters on the 2022 Proposal broadly expressed support for 
revisions to the Board's standard on the auditor's use of confirmation 
to reflect developments in practice since the AICPA standard on the 
confirmation process adopted by the PCAOB took effect in 1992. A number 
of commenters also agreed that the standard on the auditor's use of 
confirmation should be more closely aligned with the Board's risk 
assessment standards. In addition, some commenters stated that updates 
to the PCAOB's standard on the auditor's use of confirmation would be 
generally consistent with their prior recommendations to the Board that 
the Board modernize its interim auditing standards. Other commenters 
suggested that the Board should also engage in additional outreach with 
investors or that it consider other mechanisms to engage with 
stakeholders prior to the adoption of standards, such as roundtables 
and pre-implementation ``field testing'' of proposed standards.
    In addition, several commenters expressed support for the 
proposition that the PCAOB's auditing standards should allow for 
continued innovation by auditors in the ways they obtain audit 
evidence. These commenters generally stated that standards should be 
written to evolve with future technologies, including new methods of 
confirmation that may arise from technological changes in auditing in 
the future. A few commenters stated that the 2022 Proposal provided 
flexibility to respond to the current use of technology in the audit 
process, or left enough room for judgment-based application for further 
advances in technology. In comparison, some commenters stated that the 
proposed standard was not sufficiently forward-looking. Several 
commenters cautioned against more explicitly addressing the use of 
technology (i.e., by adding prescriptive requirements), noting that 
doing so might not allow the standard to age effectively with time and 
innovation.
    Several commenters broadly expressed support for the Board's goal, 
as described in the 2022 Proposal, of improving the quality of audit 
evidence obtained by auditors when using confirmation. One of these 
commenters stated that it was critical that confirmation requests are 
properly designed and that confirmation responses are appropriately 
evaluated, especially when there are confirmation exceptions or 
concerns about their reliability. In addition, other commenters 
generally expressed

[[Page 71689]]

support for the proposed requirements and stated they would lead to 
improvements in audit quality. A number of commenters, primarily firms 
and firm-related groups, asserted that certain requirements in the 2022 
Proposal were unduly prescriptive and that the final standard should be 
more principles-based and risk-based to allow for more auditor 
judgment. In comparison, an investor-related group suggested that the 
Board remind auditors that, in exercising professional judgment, their 
judgments must be reasonable, careful, documented, and otherwise in 
compliance with applicable professional requirements.
    In adopting the new standard, the Board has considered these 
comments on the 2022 Proposal, as well as the comments received on the 
2010 Proposal and the 2009 Concept Release. Based on the information 
available to the Board--including the current regulatory baseline, 
observations from our oversight activities, academic literature, and 
comments--the Board believes that investors will benefit from 
strengthened and clarified auditing standards in this area. To the 
extent that commenters provided comments or expressed concerns about 
specific aspects of the proposed revisions to the Board's existing 
standard on the auditor's use of confirmation, the Board's 
consideration of these comments is discussed further below and 
elsewhere in this exhibit. While the Board does not expect that the new 
standard will eliminate inspection deficiencies observed in practice, 
it is intended to clarify the auditor's responsibilities and align the 
requirements for the use of confirmation more closely with the PCAOB's 
risk assessment standards.
    The new standard also reflects several changes that were made after 
the Board's consideration of comments received about the potential 
impact of the proposed new standard on auditors, issuers, and 
intermediaries. In addition, some commenters called for a broader 
alignment of PCAOB standards with standards issued by other standard 
setters, namely the International Auditing and Assurance Standards 
Board (``IAASB'') and the AICPA's Auditing Standards Board (``ASB''). A 
few commenters stated that PCAOB standards should be harmonized with 
IAASB standards, in the interest of global comparability, and, in the 
view of one commenter, with ASB standards. A few commenters stated that 
the Board should provide robust and detailed explanations of 
differences between PCAOB standards and the standards of other standard 
setters. One commenter indicated that the dual standard-setting 
structure in the United States (i.e., the existence of both PCAOB and 
ASB standards) creates issues that could erode audit quality.
    The Board carefully considered the approaches of other standard 
setters when developing the 2022 Proposal, and the new standard 
reflects the approach that the Board believes best protects investors 
and furthers the public interest. As a result, certain differences will 
continue to exist between the Board's new standard and those of other 
standard setters, including a number of provisions that the Board 
believes are appropriate and consistent with its statutory mandate to 
protect the interests of investors and further the public interest.
Discussion of Final Rules
Overview of New Standard
    The new standard replaces existing AS 2310 in its entirety. The 
provisions of the new standard the Board has adopted are intended to 
strengthen existing requirements for the auditor's use of confirmation. 
Key aspects of the new standard:
     Include principles-based requirements that are designed to 
apply to all methods of confirmation. The new standard is designed to 
enhance requirements that apply to longstanding methods, such as the 
use of paper-based confirmation requests and responses sent via regular 
mail; methods that involve electronic means of communications, such as 
the use of email or an intermediary to facilitate direct electronic 
transmission of confirmation requests and responses; and methods that 
are yet to emerge, thus encouraging audit innovation.
     Expressly integrate the requirements for the auditor's use 
of confirmation with the requirements of the Board's risk assessment 
standards, including AS 1105. The new standard specifies certain risk-
based considerations and emphasizes the auditor's responsibilities for 
obtaining relevant and reliable audit evidence when performing 
confirmation procedures.
     Emphasize the use of confirmation procedures in certain 
situations. The new standard adds a new requirement that the auditor 
should perform confirmation procedures for cash held by third parties, 
carries forward an existing requirement that the auditor should perform 
confirmation procedures for accounts receivable, and adds a new 
provision that the auditor may otherwise obtain audit evidence by 
directly accessing information maintained by a knowledgeable external 
source for cash and accounts receivable. In addition, the new standard 
carries forward an existing requirement to consider confirming the 
terms of certain other transactions.
     Address situations in which it would not be feasible for 
the auditor to obtain information directly from a knowledgeable 
external source. The new standard provides that if it would not be 
feasible for the auditor to obtain audit evidence directly from a 
knowledgeable external source for accounts receivable, the auditor 
should perform other substantive audit procedures, including tests of 
details, that involve obtaining audit evidence from external sources 
indirectly.
     Communicate to the audit committee certain audit responses 
to significant risks. Under the new standard, for significant risks 
associated with cash or accounts receivable, the auditor is required to 
communicate with the audit committee when the auditor did not perform 
confirmation procedures or otherwise obtain audit evidence by directly 
accessing information maintained by a knowledgeable external source.
     Reflect the relatively insignificant amount of audit 
evidence obtained when using negative confirmation requests. Under the 
new standard, the use of negative confirmation requests may provide 
sufficient appropriate audit evidence only when combined with other 
substantive audit procedures. The new standard includes examples of 
situations in which the use of negative confirmation requests in 
combination with other substantive audit procedures may provide 
sufficient appropriate audit evidence.
     Emphasize the auditor's responsibility to maintain control 
over the confirmation process. The new standard states that the auditor 
should select the items to be confirmed, send confirmation requests, 
and receive confirmation responses.
     Provide more specific direction for circumstances where 
the auditor is unable to obtain relevant and reliable audit evidence 
through confirmation. The new standard identifies situations where 
other procedures should be performed by the auditor as an alternative 
to confirmation. The new standard also includes examples of alternative 
procedures that individually or in combination may provide relevant and 
reliable audit evidence.
Introduction and Objective
    (See paragraphs .01 and .02 of the new standard).

[[Page 71690]]

    The 2022 Proposal included requirements for the auditor's use of 
confirmation. As discussed in the proposal, the confirmation process 
involves selecting one or more items to be confirmed, sending a 
confirmation request directly to a confirming party, evaluating the 
information received, and addressing nonresponses and incomplete 
responses to obtain audit evidence about one or more financial 
statement assertions. Confirmation is one of the specific audit 
procedures described in PCAOB standards that an auditor could perform 
when addressing a risk of material misstatement.\26\ As is the case 
with other audit procedures, information obtained through confirmation 
may support and corroborate management's assertions or it may 
contradict such assertions.\27\
---------------------------------------------------------------------------

    \26\ See, e.g., AS 1105.14 and .18.
    \27\ See AS 1105.02.
---------------------------------------------------------------------------

    Under the 2022 Proposal, the auditor's objective in designing and 
executing the confirmation process was to obtain relevant and reliable 
audit evidence about one or more relevant financial statement 
assertions of a significant account or disclosure.\28\ Existing AS 2310 
does not include an objective.
---------------------------------------------------------------------------

    \28\ An account or disclosure is a significant account or 
disclosure if there is a reasonable possibility that the account or 
disclosure could contain a misstatement that, individually or when 
aggregated with others, has a material effect on the financial 
statements, considering the risks of both overstatement and 
understatement. See footnote 33 of AS 2110, Identifying and 
Assessing Risks of Material Misstatement; paragraph .A10 of AS 2201, 
An Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------

    As discussed below, the Board has modified the introduction and 
objective in the proposed standard in several respects.
    A number of commenters stated that the objective of the proposed 
standard was clear. One commenter stated that the objective should be 
to provide requirements and guidance in situations where the auditor, 
as a result of its risk-assessment procedures, determines that 
confirmation procedures provide an appropriate response to one or more 
assertions related to an identified risk of material misstatement. 
Another commenter asserted that the objective in the proposed standard 
did not result in greater clarity than the proposed objective in the 
2010 Proposal and created a wider gap between the PCAOB's standards and 
the equivalent standard of the IAASB.
    Having considered these comments, the Board has revised the 
introduction to provide that the new standard establishes requirements 
regarding obtaining audit evidence from a knowledgeable external source 
through the auditor's use of confirmation. The introduction further 
states that the new standard includes additional requirements regarding 
obtaining audit evidence for cash, accounts receivable, and terms of 
certain transactions. The Board believes that this language more 
clearly aligns with the approach to the auditor's use of confirmation 
in the new standard and the inclusion of specific requirements in the 
new standard with respect to cash, accounts receivable, and terms of 
certain transactions.
    In addition, the Board has added the phrase ``from a knowledgeable 
external source'' to the objective, such that the new standard provides 
that the objective of the auditor in designing and executing the 
confirmation process is to obtain relevant and reliable audit evidence 
from a knowledgeable external source about one or more relevant 
financial statement assertions of a significant account or disclosure. 
This language underscores that, when properly designed and executed, 
the confirmation process involves obtaining audit evidence regarding 
specific items from a knowledgeable external source. A knowledgeable 
external source, as referred to in the new standard, generally is a 
third party who the auditor believes has knowledge of the information 
that may be used as audit evidence. To the extent that this objective 
differs from the objective in standards adopted by other standard-
setting bodies on the auditor's use of confirmation, the Board believes 
it appropriately reflects the Board's approach in the new standard and 
is consistent with its statutory mandate to protect the interests of 
investors and further the public interest. The next section of this 
exhibit further discusses the relationship of the confirmation process 
to the auditor's identification and assessment of, and response to, the 
risks of material misstatement.
Relationship of the Confirmation Process to the Auditor's 
Identification and Assessment of and Response to the Risks of Material 
Misstatement
    (See paragraphs .03-.07 of the new standard).
    When an auditor uses confirmation, the auditor should be mindful 
of, and comply with, the existing obligation to exercise due 
professional care in all matters relating to the audit.\29\ Due 
professional care requires the auditor to exercise professional 
skepticism, which is an attitude that includes a questioning mind and a 
critical assessment of audit evidence. Professional skepticism should 
be exercised throughout the audit process,\30\ including when 
identifying information to confirm, identifying confirming parties, 
evaluating confirmation responses, and addressing nonresponses. The 
requirements related to exercising professional skepticism, in 
combination with requirements in other PCAOB standards, are designed to 
reduce the risk of confirmation bias, a phenomenon wherein decision 
makers have been shown to actively seek out and assign more weight to 
evidence that confirms their hypothesis, and ignore or assign less 
weight to evidence that could disconfirm their hypothesis.\31\
---------------------------------------------------------------------------

    \29\ See AS 1015, Due Professional Care in the Performance of 
Work. The Board currently has a separate standard-setting project to 
reorganize and consolidate a group of interim standards adopted by 
the Board in Apr. 2003, including AS 1015. See Proposed Auditing 
Standard--General Responsibilities of the Auditor in Conducting an 
Audit and Proposed Amendments to PCAOB Standards, PCAOB Rel. No. 
2023-001 (Mar. 28, 2023).
    \30\ See AS 1015.07-.08.
    \31\ For a discussion of confirmation bias, see, e.g., Raymond 
S. Nickerson, Confirmation Bias: A Ubiquitous Phenomenon in Many 
Guises, 2 Review of General Psychology, 175 (1998).
---------------------------------------------------------------------------

    The 2022 Proposal described how the proposed standard would work in 
conjunction with the PCAOB standards on risk assessment. AS 2110 
establishes requirements regarding the process of identifying and 
addressing the risks of material misstatement of the financial 
statements, and AS 2301, The Auditor's Responses to the Risks of 
Material Misstatement, establishes requirements regarding designing and 
implementing appropriate responses to the risks of material 
misstatement. Fundamental to the PCAOB's risk assessment standards is 
the concept that as risk increases, so does the amount of evidence that 
the auditor should obtain.\32\ Further, evidence obtained from a 
knowledgeable external source generally is more reliable than evidence 
obtained only from internal company sources.\33\
---------------------------------------------------------------------------

    \32\ See AS 1105.05.
    \33\ See AS 1105.08.
---------------------------------------------------------------------------

    Where the auditor uses confirmation as part of the auditor's 
response, the 2022 Proposal addressed the auditor's responsibilities 
for designing and executing the confirmation process to obtain relevant 
and reliable audit evidence. When properly designed and executed, the 
confirmation process can be an effective and efficient way of obtaining 
relevant and reliable external audit evidence, including in situations 
where the auditor identifies an elevated risk of material misstatement 
due to error or fraud.

[[Page 71691]]

    The 2022 Proposal also recognized that performing confirmation 
procedures can effectively and efficiently provide evidential matter 
about certain financial statement assertions, including existence, 
occurrence, completeness, and rights and obligations. For example, 
confirmation may provide audit evidence related to the existence of 
cash, accounts receivable, and financial instruments, or the 
completeness of debt. However, the confirmation process generally 
provides less relevant evidence about the valuation assertion (e.g., 
the confirming party may not intend to repay in full the amount owed, 
or the custodian may not know the value of shares held in custody). 
Confirmation could also be used to obtain audit evidence about the 
terms of contractual arrangements (e.g., by verifying supplier 
discounts or concessions, corroborating sales practices, or 
substantiating oral arrangements and guarantees). Information in 
confirmation responses may indicate the existence of related parties, 
or relationships or transactions with related parties, previously 
undisclosed to the auditor.
    The Board also observed in the 2022 Proposal that, in some 
situations, an auditor may determine that evidence obtained through 
confirmation may constitute sufficient appropriate audit evidence for a 
particular assertion, while in other situations performing other audit 
procedures in addition to confirmation may be necessary to obtain 
sufficient appropriate audit evidence. For example, for significant 
unusual sales transactions and the resulting accounts receivable 
balances, an auditor might confirm significant terms of the 
transactions and the receivable balances with the transaction 
counterparties and perform additional substantive procedures, such as 
examination of shipping documents and subsequent cash receipts. 
Determining the nature, timing, and extent of confirmation procedures, 
and any other additional audit procedures, is part of designing and 
implementing the auditor's response to the assessed risk of material 
misstatement.
    The Board adopted the provisions in the 2022 Proposal that address 
the relationship of the confirmation process to the auditor's 
identification and assessment of and response to the risks of material 
misstatement, with certain modifications discussed below.
    Overall, commenters expressed support for aligning the proposed 
standard on confirmation with the PCAOB's existing risk assessment 
standards. Several commenters stated that they had not identified 
changes needed to the proposed standard to align further with the 
PCAOB's risk assessment standards. Other commenters, as discussed 
below, called for various changes to the proposed provisions:
     Several commenters suggested that there could be further 
alignment of the 2022 Proposal with the risk assessment standards to 
enable the level of risk to drive the nature of the audit response. A 
number of commenters asserted that the 2022 Proposal included certain 
prescriptive requirements for the confirmation process, regardless of 
the assessed level of risk, and that those provisions could detract 
from the auditor's ability to apply professional judgment to determine 
the appropriate audit response. Consistent with the objective of the 
new standard, the requirements under the new standard apply to a 
significant account or disclosure.\34\ The new standard thus does not 
establish a presumption to confirm cash or accounts receivable if the 
auditor has not determined cash or accounts receivable to be a 
significant account. The auditor may choose to perform confirmation 
procedures, however, in situations other than those specifically 
addressed in paragraphs .24 through .30 of the new standard. The new 
standard does not otherwise prescribe the timing or extent of 
confirmation procedures, which are discussed as part of the auditor's 
response to the risks of material misstatement in AS 2301.
---------------------------------------------------------------------------

    \34\ AS 2110.59e directs the auditor to identify significant 
accounts and disclosures and their relevant assertions.
---------------------------------------------------------------------------

     Several commenters stated that paragraphs .06 and .07 of 
the proposed standard overly emphasized confirmation as being the most 
persuasive substantive audit procedure, with any other procedure 
thereby viewed as being less persuasive. One commenter asserted that 
that the 2022 Proposal appeared to be premised on an assumption that 
third-party confirmations represent ``first best'' audit evidence, 
regardless of the facts and circumstances. In addition, one commenter 
questioned whether the Board intended for confirmation to be used 
whenever possible to obtain evidence. Having considered these comments, 
the Board has made several changes in the new standard to clarify 
certain provisions. In the new standard, the Board has revised 
paragraph .06, which discusses obtaining audit evidence from 
knowledgeable external sources, to emphasize the source of the audit 
evidence, rather than the type of audit procedure performed. The Board 
understands that advances in technology, as well as changes in 
attitudes towards confirmation (e.g., the potential hesitation of 
confirming parties to reply to a confirmation request from auditors 
because of the concern of falling victim to a phishing attack), have 
led auditors to perform other types of audit procedures that can 
provide relevant and reliable external evidence.
     Some commenters stated that the proposed standard could 
give rise to unrealistic expectations about confirmation procedures 
effectively addressing the risk of material misstatement due to fraud 
in all circumstances. While the Board does not believe that the new 
standard creates an unrealistic expectation about audit evidence 
obtained through confirmation, the appropriate focus of the auditor 
should be the obligation to obtain relevant and reliable audit 
evidence. Accordingly, the Board did not adopt paragraph .07 of the 
proposed standard, which had provided that ``in situations involving 
fraud risks and significant unusual transactions, audit evidence 
obtained through the confirmation process generally is more persuasive 
than audit evidence obtained solely through other procedures.''
     Several commenters recommended that the standard address 
the current and anticipated use of technology to enable auditors to 
obtain sufficient appropriate audit evidence through performing audit 
procedures other than confirmation. Some commenters provided examples 
of using technology-based procedures in lieu of confirmations, 
including accessing company balances directly at the relevant financial 
institution and testing internal data against external data sources 
using audit data analytics. The Board considered these comments in 
developing the new standard. In particular, as discussed below, the new 
standard includes a presumption for the auditor to confirm cash and 
accounts receivable, or otherwise obtain relevant and reliable audit 
evidence for these accounts by directly accessing information 
maintained by a knowledgeable external source.
     One commenter suggested that the note to paragraph .05 of 
the proposed standard should also direct the auditor to take into 
account internal controls over cash, including segregation of duties, 
when there are side agreements to revenue transactions. The Board did 
not make this change in the new standard. The Board notes that internal 
control considerations are addressed by existing PCAOB standards, which

[[Page 71692]]

require obtaining an understanding of the company's controls when 
assessing the risk of material misstatement and identifying and testing 
certain controls when the auditor plans to rely on controls to respond 
to the assessed risk.\35\ The auditor would consider controls over cash 
when performing these procedures.
---------------------------------------------------------------------------

    \35\ See, e.g., AS 2110 and AS 2301.
---------------------------------------------------------------------------

     With respect to the examples of assertions in paragraph 
.06 of the proposed standard, one commenter asserted that a final 
standard should more fully explain that a confirmation generally serves 
to test the assertion of existence, but does not serve to test other 
assertions such as valuation, including collectability. The Board did 
not incorporate such language in the new standard because it believes 
that limiting the use of confirmation to the existence assertion would 
be overly prescriptive and might disallow use of confirmation in other 
situations where the auditor has determined that confirmation could be 
used to obtain relevant and reliable information to test other 
assertions.
    As discussed below, the Board continues to believe that 
confirmation procedures generally would provide relevant and reliable 
audit evidence for cash and accounts receivable. Accordingly, under the 
new standard the auditor should perform confirmation procedures or 
otherwise obtain relevant and reliable audit evidence by directly 
accessing information maintained by a knowledgeable external source 
when the auditor determines that these accounts are significant 
accounts. In addition, the new standard specifies that when the auditor 
has identified a significant risk of material misstatement associated 
with either a complex transaction or a significant unusual transaction, 
the auditor should consider confirming those terms of the transaction 
that are associated with a significant risk of material misstatement, 
including a fraud risk.
    Other Use of Confirmation Procedures. The 2022 Proposal requested 
commenters' views on whether there were additional accounts or 
financial statement assertions for which the auditor should be required 
to perform confirmation procedures. In addition, the 2022 Proposal 
requested views on whether the proposal was sufficiently flexible to 
accommodate situations where an auditor chooses to confirm information 
about newer types of assets (e.g., digital assets based on blockchain 
or similar technologies).
    Two investor-related groups identified specific types of additional 
transactions that should be subject to confirmation, including 
transactions (1) with unusual terms and conditions, (2) with related 
parties, (3) where the auditor has concern about whether side letters 
may exist, (4) where financing is obtained, including bank debt or 
supplier-provided financing, (5) involving certain sales practices, 
such as bill-and-hold arrangements or supplier discounts or 
concessions, (6) involving certain oral arrangements or guarantees, or 
(7) involving sales, lending, or liability for custodianship of digital 
assets. Another commenter suggested that confirmation of accounts 
payable should be considered, but not required, when auditors assess 
controls over the recording of liabilities to be ineffective. This 
commenter also suggested that the Board state that the use of 
confirmation is not limited to the circumstances discussed in the 
proposed standard.
    In comparison, many firms and firm-related groups stated that the 
proposed standard should not prescribe additional other presumptive 
requirements to use confirmation. These commenters noted that doing so 
would be unduly prescriptive. Several commenters stated that the 
proposed standard provided for an appropriate amount of auditor 
judgment in determining when to perform confirmation procedures in 
situations other than those specifically addressed in the standard. In 
addition, several commenters indicated that the 2022 Proposal offered 
sufficient flexibility to accommodate situations where an auditor 
confirms information about newer types of assets.
    Several commenters asserted that the effectiveness of confirmation 
procedures is negatively affected by the fact that third parties are 
not obligated, under legislation or regulation, to reply to an 
auditor's confirmation request.
    The new standard does not specify additional accounts or 
transactions for which confirmation procedures are presumptively 
required beyond those in the 2022 Proposal. The PCAOB's risk assessment 
standards are foundational and are used by the auditor to determine the 
appropriate response to identified risks of material misstatement. The 
Board believes that confirmation can be an important tool for 
addressing certain risks for cash and accounts receivable, and for 
obtaining audit evidence about other financial relationships, and 
certain terms of complex transactions or significant unusual 
transactions, as discussed below. However, identifying additional 
accounts or scenarios that require the auditor to use confirmation, 
without regard to the specific facts and circumstances of the audit 
including the assessed risk of material misstatement and whether other 
audit procedures would provide sufficient appropriate audit evidence, 
would be overly prescriptive.
    The auditor's responsibilities relevant to the use of confirmation 
are also addressed in several other PCAOB standards. AS 2315, Audit 
Sampling, which discusses planning, performing, and evaluating audit 
samples, is used if the auditor uses sampling in the confirmation 
process. AS 2510, Auditing Inventories, addresses confirmation of 
inventories in the hands of public warehouses or other outside 
custodians. Additionally, the new standard does not address auditor 
responsibilities regarding inquiries concerning litigation, claims, and 
assessments, which are addressed in AS 2505, Inquiry of a Client's 
Lawyer Concerning Litigation, Claims, and Assessments.
Designing Confirmation Requests
    (See paragraphs .08-.13 of the new standard).
    A properly designed and executed confirmation process may provide 
relevant and reliable audit evidence. Auditor responsibilities 
regarding designing a confirmation request are described in paragraphs 
.08-.13, as follows:
     Paragraph .08 discusses identifying information to 
confirm;
     Paragraphs .09 through .11 discuss identifying the 
confirming parties for confirmation requests; and
     Paragraphs .12 through .13 discuss using negative 
confirmation requests.
    The new standard does not prescribe a particular format for a 
confirmation request. For example, requests could be paper-based or 
electronic, specifying the information to be confirmed or providing a 
blank response form, or sent with or without the involvement of an 
intermediary that facilitates electronic transmission. As a practical 
matter, the auditor determines the format of a confirmation request to 
increase the likelihood that the request is received and clearly 
understood by the confirming party, taking into consideration, among 
other things, the facts and circumstances of the company and the 
confirming party.
Identifying Information To Confirm
    The 2022 Proposal provided that the auditor should, as part of 
designing confirmation requests, identify information related to the 
relevant assertions that the auditor plans to verify with confirming 
parties or (when using a blank form) obtain from confirming parties. 
Such information

[[Page 71693]]

could include transaction amounts, transaction dates, significant terms 
of transactions, and balances due to or from the confirming party as of 
a specific date. In addition, the 2022 Proposal discussed that using a 
blank confirmation request generally provides more reliable audit 
evidence than using a confirmation request that includes information 
the auditor is seeking to confirm (e.g., a customer account balance). 
In the latter scenario, it is possible that a confirming party could 
agree to the information without verifying it against the confirming 
party's records.
    The Board adopted the proposed requirement relating to identifying 
information to confirm with certain modifications discussed below.
    Several commenters indicated that the provisions of the 2022 
Proposal related to identifying information to confirm were clear and 
appropriate. A few commenters requested retaining a statement analogous 
to a statement in existing AS 2310 to emphasize in the standard that 
responding to blank form confirmation requests generally requires 
additional effort, which might lower the response rates and lead 
auditors to perform alternative procedures. One commenter expressed 
concern that fraudsters could use fake confirmation requests and, in 
particular, fake blank form confirmation requests, to defraud bank 
customers (e.g., by soliciting their bank details).
    Existing AS 2310 includes details regarding the form of 
confirmation requests, which includes general information regarding 
blank form positive confirmation requests. This information has been 
included in the new standard in a note to paragraph .08. Further, after 
considering the comments received, the new standard includes language 
not included in the proposed standard that is similar to language in 
existing AS 2310. This language explains that responding to blank form 
confirmation requests generally requires additional effort, which might 
lower the response rates and lead auditors to perform alternative 
procedures for more selected items. Despite the possibility of lower 
response rates, responses to blank form confirmation requests may 
provide more reliable audit evidence than responses to confirmation 
requests using pre-filled forms.
    Paragraph .17 of the proposed standard also included a reminder of 
an existing requirement in AS 1105.10, pursuant to which the auditor 
should test the accuracy and completeness of information produced by 
the company that the auditor uses as audit evidence. The reminder 
emphasized that, in the confirmation process, the requirement in AS 
1105.10 applies to the information produced by the company (e.g., 
populations from which items are selected for confirmation, such as 
detailed account listings, vendor listings, and contractual agreements) 
that the auditor uses in selecting the items to confirm.
    Several firms and firm-related groups indicated that the existing 
requirement in AS 1105.10 for the auditor to evaluate information 
produced by a company as audit evidence was sufficient and that 
paragraph .17 of the proposed standard was duplicative. A few 
commenters stated that confirmation requests are often designed to test 
the accuracy of a given account balance or disclosure and, accordingly, 
that the requirement should only focus on testing completeness. 
Finally, a few commenters suggested that the standard, consistent with 
AS 1105.10, should allow for the auditor to test controls over the 
accuracy and completeness of information produced by the company that 
the auditor uses in selecting items to confirm.
    After considering these comments, in order to avoid duplication 
with other PCAOB standards, the new standard does not include paragraph 
.17 of the proposed standard.
Identifying Confirming Parties for Confirmation Requests
    The 2022 Proposal provided that, to obtain reliable audit evidence 
from the confirmation process, the auditor should direct the 
confirmation requests to third parties (individuals or organizations) 
who are knowledgeable about the information to be confirmed. That 
provision was similar to existing AS 2310.26, which directs the auditor 
to send confirmation requests to third parties who the auditor believes 
are knowledgeable about the information to be confirmed, such as a 
counterparty who is knowledgeable about a transaction or arrangement.
    When designing confirmation requests, an auditor may become aware 
of information about a potential confirming party's motivation, 
ability, or willingness to respond, or about the potential confirming 
party's objectivity and freedom from bias with respect to the audited 
entity. Because this type of information can affect the reliability of 
audit evidence provided by the confirming party to the auditor, the 
2022 Proposal, similar to existing AS 2310.27, provided that the 
auditor should consider any such information that comes to the 
auditor's attention when selecting the confirming parties. The note to 
paragraph .19 of the proposed standard further emphasized that such 
information may indicate that the potential confirming party has 
incentives or pressures to provide responses that are inaccurate or 
otherwise misleading.\36\
---------------------------------------------------------------------------

    \36\ See also paragraph .10 of AS 2401, Consideration of Fraud 
in a Financial Statement Audit (stating that fraud may be concealed 
through collusion among management, employees, or third parties, and 
that an auditor may receive a false confirmation from a third party 
that is in collusion with management); SAPA No. 8 at 12 (stating 
that, when using confirmation to address fraud risks in emerging 
markets, ``the auditor should evaluate who the intended recipient of 
the confirmation request is and whether the company's management has 
an influence over this individual to provide false or misleading 
information to the auditor'' and that ``[f]or example, if the 
company is the only or a significant customer or supplier of the 
confirming entity, the staff of that entity may be more susceptible 
to pressure from the company's management to falsify documentation 
provided to the auditor'').
---------------------------------------------------------------------------

    The 2022 Proposal also provided that the auditor should consider 
the source of any such information. For example, if management 
indicates to the auditor that a potential confirming party is unlikely 
to respond to a confirmation request, management may have other reasons 
to avoid a confirmation request being sent (e.g., concealing 
management's fraudulent understatement of the amount the company owes 
to that party).
    In addition, the 2022 Proposal provided more specific direction 
than existing AS 2310 for situations in which the auditor is unable to 
identify a confirming party who, in response to a confirmation request, 
would provide relevant and reliable audit evidence about a selected 
item. In such a scenario, the 2022 Proposal prescribed that the auditor 
should perform alternative procedures.
    The 2022 Proposal also provided that the auditor should determine 
that confirmation requests are properly addressed, thus increasing the 
likelihood that they are received by the confirming party. The 2022 
Proposal did not prescribe the nature or extent of procedures to be 
performed by the auditor when making this determination, thereby 
allowing the auditor to tailor the procedures to the facts and 
circumstances of the audit. For example, in practice, some auditors 
compare some or all confirming party addresses, which are typically 
provided by the company, to physical addresses or email domains 
included on the confirming party's website.
    Alternatively, when using an intermediary to facilitate direct 
electronic transmission of confirmation requests and responses, 
Appendix B of the proposed standard required the

[[Page 71694]]

auditor to obtain an understanding of the intermediary's controls that 
address the risk of interception and alteration of the confirmation 
requests and responses and determine whether the relevant controls used 
by the intermediary are designed and operating effectively. The Board 
noted in the 2022 Proposal that, where an auditor determines that 
controls that address the risk of interception and alteration also 
include controls related to validating the addresses of confirming 
parties, the auditor may be able to determine that audit procedures 
performed in accordance with Appendix B are sufficient to determine 
that confirmation requests are properly addressed. In situations where 
the auditor determines that the intermediary's controls that address 
the risk of interception and alteration do not also include controls 
related to validating the addresses of confirming parties, the Board 
also noted that the auditor would need to perform other procedures to 
comply with the requirements of the proposed standard.
    The Board adopted the requirements relating to identifying 
confirming parties for confirmation requests as proposed, with certain 
modifications discussed below.
    Several commenters indicated that the provisions of the proposed 
standard related to identifying confirming parties were sufficiently 
clear and appropriate. One commenter indicated that the Board should 
require the auditor to send confirmation requests directly to an 
individual, rather than allow the auditor to choose between sending the 
request either to an individual or an organization. In this commenter's 
view, sending a confirmation request directly to an individual could 
increase the reliability of audit evidence obtained through the 
confirmation process. One commenter indicated that the Board should 
amend paragraph .18 of the proposed standard to read ``the auditor 
should direct confirmation requests to confirming parties (individuals 
or organizations) who are expected to be knowledgeable about the 
information to be confirmed and determine that the confirmation 
requests are appropriately addressed.''
    Because auditors often may have no or limited interaction with the 
personnel of confirming organizations, they may not be able to select 
an individual addressee for the confirmation request. As a result, the 
Board believes that allowing the auditor to address a confirmation 
request to an organization that is knowledgeable about the information 
to be confirmed is practicable and appropriate. Paragraph .20 of the 
proposed standard stated that the auditor should perform alternative 
procedures when the auditor is unable to identify a confirming party 
who, in response to a confirmation request, would provide relevant and 
reliable audit evidence about the selected item.
    The Board has modified this language, which appears in paragraph 
.11 of the new standard, to emphasize that if the auditor is unable to 
identify a confirming party for a selected item who would provide 
relevant and reliable audit evidence in response to a confirmation 
request, including considering any information about the potential 
confirming party discussed in paragraph .10, the auditor should perform 
alternative procedures in accordance with Appendix C. In addition, the 
Board has added a note to paragraph .11 of the new standard to 
reiterate that AS 1105.08 provides that the reliability of evidence 
depends on the nature and source of the evidence and the circumstances 
under which it is obtained.
    These revisions are intended to underscore that auditors should 
consider information that may indicate that a potential confirming 
party has incentives or pressures to provide responses that are 
inaccurate or misleading, and remind auditors that the reliability of 
audit evidence depends not only on its nature and source, but also the 
circumstances under which it is obtained. For example, restrictions on 
access to a potential confirming party that cause the auditor to 
identify and send a confirmation request to a different confirming 
party or to perform alternative procedures may themselves raise 
questions as to the reliability of the audit evidence that the auditor 
subsequently obtains from the other confirming party or through 
performing alternative procedures. In addition, the revisions to 
paragraph .11 clarify that the paragraph applies to a confirming party 
for an individual item selected for confirmation, rather than more 
broadly to a group of confirming parties that might provide audit 
evidence with respect to relevant assertions for an entire account, 
such as accounts receivable.
    Several commenters on the 2022 Proposal also indicated that the 
requirement to send a confirmation request directly to the confirming 
party and determine that the request is properly addressed was 
sufficiently clear and appropriate. One of these commenters indicated 
that the standard should address procedures to verify the recipient's 
mailing or email address while the other commenters indicated there was 
no need to include specific procedures in the standard. Another 
commenter requested more guidance around verifying email addresses. One 
commenter indicated that there should be no specific requirement to 
check addresses, as such a requirement would not, in the commenter's 
view, deter those intent on deceiving auditors. Lastly, one commenter 
requested clarification as to whether an auditor should send either an 
initial confirmation request or a second request when the auditor is 
aware of information that indicates that the confirming party would be 
unlikely to respond.
    The Board continues to believe that requiring auditors to determine 
that confirmation requests are appropriately addressed is critically 
important to the effectiveness of the confirmation process. The Board 
has noted above some of the ways in which an auditor might comply with 
this requirement but is not including such examples in the text of the 
new standard to avoid the possible misinterpretation that the examples 
describe the only steps an auditor could take in determining whether a 
confirmation request is properly addressed.
    With respect to one commenter's suggestion that the Board clarify 
whether an auditor should send a confirmation request if the auditor is 
aware of information indicating that the confirming party would not 
respond, the Board believes the new standard is sufficiently clear. 
Paragraph .10 of the new standard states, in part, that if the auditor 
is aware of information about a potential confirming party's 
``willingness to respond,'' the auditor should consider this 
information, including its source, in selecting the confirming parties. 
Further, paragraph .11 of the new standard states that, if the auditor 
is unable to identify a confirming party for a selected item who would 
provide relevant and reliable audit evidence in response to a 
confirmation request, the auditor should perform alternative procedures 
for the selected item in accordance with Appendix C of the new 
standard.
Using Negative Confirmation Requests
    There are ``positive'' and ``negative'' types of confirmation 
requests. A positive confirmation request is a confirmation request in 
which the auditor requests a confirmation response. With a negative 
confirmation request, the auditor requests a confirmation response only 
if the confirming party disagrees with the information provided in the 
request. The auditor generally obtains significantly less audit 
evidence when

[[Page 71695]]

using negative confirmation requests than when using positive 
confirmation requests. A confirming party might not respond to a 
negative confirmation request because it did not receive or open the 
request, or alternatively the confirming party might have read the 
request and agreed with the information included therein.
    Because of the limited evidence provided when using negative 
confirmation requests, the 2022 Proposal provided that the auditor may 
not use negative confirmation requests as the sole substantive 
procedure for addressing the risk of material misstatement to a 
financial statement assertion. Instead, the 2022 Proposal provided that 
the auditor may use negative confirmation requests only to supplement 
audit evidence provided by other substantive procedures (e.g., 
examining subsequent cash receipts, including comparing the receipts 
with the amounts of respective invoices being paid; examining shipping 
documents; examining subsequent cash disbursements; or sending positive 
confirmation requests). In addition, Appendix B to the proposed 
standard provided examples of situations in which the use of negative 
confirmation requests, in combination with the performance of other 
substantive audit procedures, may provide sufficient appropriate audit 
evidence. In contrast, under existing AS 2310, the auditor may use 
negative confirmation requests where certain criteria are present and 
should consider performing other substantive procedures to supplement 
their use.
    The Board adopted the requirements for using negative confirmation 
requests as proposed. Most commenters on this aspect of the 2022 
Proposal expressed support for the proposed prohibition on using 
negative confirmation requests as the sole substantive procedure with a 
number of commenters stating that negative confirmation requests alone 
do not provide sufficient appropriate audit evidence.
    Another commenter suggested that the word ``generally'' should be 
removed from paragraph .21 of the proposed standard to emphasize that a 
negative confirmation is not as persuasive as a positive confirmation. 
This commenter indicated that, in situations where the use of negative 
confirmation requests, in combination with the performance of other 
substantive audit procedures, may provide sufficient appropriate audit 
evidence, auditors should be required to specifically document their 
consideration of certain examples included in paragraph .B1 of the 
proposed standard.
    Lastly, a few commenters indicated that additional guidance on the 
use of negative confirmations, and specifically on the use of 
substantive analytical procedures to supplement the use of negative 
confirmations, was needed while another commenter indicated that the 
examples in Appendix B would assist auditors in applying the 
requirements related to the use of negative confirmation requests.
    After considering the comments on the 2022 Proposal, the Board has 
determined that the requirements in the 2022 Proposal relating to the 
use of negative confirmation requests are both appropriate and 
sufficiently clear. For ease of reference, the examples of situations 
in which the use of negative confirmation requests, in combination with 
the performance of other substantive audit procedures, may provide 
sufficient appropriate audit evidence now appear in paragraph .13 of 
the new standard rather than Appendix B. The Board is not including in 
the new standard additional examples of other substantive procedures 
that may be used to supplement negative confirmation requests, as some 
commenters had suggested. While such procedures may be appropriate in 
some circumstances, including such examples in the new standard could 
be misperceived as establishing a formal checklist, whereas determining 
the necessary nature, timing, and extent of audit procedures that 
provide sufficient appropriate audit evidence would depend on the facts 
and circumstances of each audit.
    Paragraph .12 of the new standard retains the word ``generally'' 
(i.e., ``[g]enerally, the auditor obtains significantly less audit 
evidence when using negative confirmation requests than when using 
positive confirmation requests'') to acknowledge that in some 
circumstances using positive confirmations may not provide the auditor 
with the amount of evidence that the auditor planned to obtain (e.g., 
if the auditor does not receive responses to some or all positive 
confirmation requests).
Maintaining Control Over the Confirmation Process
    (See paragraphs .14-.17 and .B1-.B2 of the new standard).
The Requirement for the Auditor To Maintain Control Over the 
Confirmation Process
    The 2022 Proposal included a provision, consistent with AS 2310, 
that the auditor should maintain control over the confirmation process 
to minimize the likelihood that information exchanged between the 
auditor and the confirming party is intercepted and altered. This is 
because the reliability of audit evidence provided by confirmation 
depends in large part on the auditor's ability to control the integrity 
of confirmation requests and responses. The 2022 Proposal also provided 
that, as part of maintaining control, the auditor should send 
confirmation requests directly to the confirming party and receive 
confirmation responses directly from the confirming party.
    The Board adopted the requirements for maintaining control over the 
confirmation process as proposed, with one modification.
    Commenters on this topic largely agreed that the auditor should 
maintain control over the confirmation process. One commenter stated 
that setting forth the requirement to maintain control over the 
confirmation process and the requirement to send confirmation requests 
directly to the confirming party in separate paragraphs might suggest 
that there are different responsibilities for the auditor. This 
commenter recommended combining the requirements to clarify that the 
auditor's responsibility is to send the confirmation directly while 
maintaining control of the process.
    After considering the comments on the 2022 Proposal, the Board has 
determined that the proposed requirements are both appropriate and 
sufficiently clear, and adopted them as proposed, with the addition of 
a new paragraph that clarifies how an external auditor can use internal 
auditors in a direct assistance capacity as part of the confirmation 
process, as further discussed below. Paragraph .14 of the new standard 
establishes the auditor's responsibility for maintaining control over 
the confirmation process, and the other paragraphs in this section of 
the new standard specify auditor responsibilities regarding certain 
aspects of maintaining control, as discussed below. For example, 
consistent with the definition of ``confirmation process,'' \37\ 
paragraph .15 of the new standard requires that the auditor select the 
items to be confirmed, send the confirmation requests and receive the 
confirmation responses.

[[Page 71696]]

Selecting an item involves the auditor identifying the information to 
be included on the confirmation request. Paragraph .16 of the new 
standard specifies that maintaining control over the confirmation 
process by the auditor involves sending the confirmation request 
directly to and obtaining the confirmation response directly from the 
confirming party.
---------------------------------------------------------------------------

    \37\ The term ``confirmation process'' is defined in paragraph 
.A3 of the new standard as ``[t]he process that involves selecting 
one of more items to be confirmed, sending a confirmation request 
directly to a confirming party, evaluating the information received, 
and addressing nonresponses and incomplete responses to obtain audit 
evidence about one or more financial statement assertions.''
---------------------------------------------------------------------------

Using and Intermediary To Facilitate Direct Electronic Transmission of 
Confirmation Requests and Responses
Background and Requirements
    As discussed above, certain financial institutions and other 
companies have adopted the policy of responding to electronic 
confirmation requests from auditors only through another party that 
they, or the auditor, engage as an intermediary to facilitate the 
direct transmission of information between the auditor and the 
confirming party. The Board understands that such policies are intended 
to facilitate the timeliness and quality of confirmation responses 
provided by the confirming party to the auditor.
    While the involvement of intermediaries is not discussed in 
existing AS 2310, the use of an intermediary does not relieve the 
auditor of the responsibility under PCAOB standards to maintain control 
over confirmation requests and responses. Because an intermediary's 
involvement may affect the integrity of information transmitted between 
the confirming party and the auditor, the 2022 Proposal provided that 
the auditor should evaluate the implications of such involvement for 
the reliability of confirmation requests and responses. Specifically, 
paragraphs .B2 and .B3 of the proposed standard provided that:
     The auditor's evaluation should address certain aspects of 
the intermediary's controls that address the risk of interception and 
alteration of communications between the auditor and the confirming 
party;
     The auditor's evaluation should assess whether 
circumstances exist that give the company the ability to override the 
intermediary's controls (e.g., through financial or other 
relationships); and
     The auditor should not use an intermediary if information 
obtained by the auditor indicates that (i) the intermediary has not 
implemented controls that are necessary to address the risk of 
interception and alteration of the confirmation requests and responses, 
(ii) the necessary controls are not designed or operating effectively, 
or (iii) circumstances exist that give the company the ability to 
override the intermediary's controls.
    The Board adopted the proposed requirements substantially as 
proposed, with certain modifications discussed below.
    A few commenters on the 2022 Proposal indicated that it is not 
clear what an ``intermediary'' is and requested clarification. The 
Board is not adding a definition of the term ``intermediary'' in the 
new standard as it simply intends to use the term in describing a 
particular scenario under the new standard where a third party is 
engaged by the auditor or a confirming party to facilitate direct 
electronic transmission of confirmation requests and responses between 
the auditor and the confirming party. The Board believes that its 
intent in using the term ``intermediary'' is sufficiently clear.
    Overall, several commenters indicated that the requirements in the 
2022 Proposal to evaluate the implications of using an intermediary to 
facilitate direct electronic transmission of confirmation requests and 
responses were appropriate. However, as discussed below, a number of 
these commenters and other commenters stated that additional clarity 
may be required to ensure that the proposed revisions are operational 
in practice, or otherwise requested additional guidance. Conversely, a 
few commenters expressed the view that requirements in the 2022 
Proposal regarding the implications of using an intermediary were not 
appropriate or sufficiently clear. One of those commenters asserted 
that the requirement to assess the intermediary would result in 
significant additional work for auditors and that it is not currently 
common practice to directly assess intermediaries in this manner. As 
discussed in Section IV of the 2022 Proposal, firm methodologies 
reviewed by the staff generally include guidance on maintaining control 
over the confirmation process, using intermediaries to facilitate the 
electronic transmission of confirmation requests and responses, and 
assessing controls at the intermediaries. The evidence from the PCAOB 
staff's review does not suggest that the requirements in Appendix B of 
the new standard would create significant additional work for auditors, 
nor did the commenters provide evidence to the contrary.
    Separately, as the 2022 Proposal provided that the auditor should 
not use an intermediary if information obtained by the auditor 
indicates that certain conditions are present, several commenters 
stated that the presence of indicators would not necessarily mean that 
the intermediary is not fit for use. For example, these commenters 
stated that in a situation where an intermediary's control is not 
designed or operating effectively, an auditor may be able to obtain an 
understanding of whether a specific control failure impacts the 
confirmation process and perform tests of other controls or other 
procedures at the intermediary to address the control failure.
    Having considered the comments, the Board is clarifying in 
paragraph .B2 of the new standard that the auditor should not use an 
intermediary to send confirmation requests or receive confirmation 
responses if the auditor determines that (1) the intermediary has not 
implemented controls that are designed or operating effectively to 
address the risk of interception and alteration of the confirmation 
requests and responses and the auditor cannot address such risk by 
performing other procedures beyond inquiry, or (2) circumstances exist 
that give the company the ability to override the intermediary's 
controls. In the 2022 Proposal, the prohibition was based on an 
indication, rather than determination, that such circumstances exist.
    For example, when performing an evaluation required by paragraphs 
.17 and .B1 of the new standard, an auditor could obtain a SOC report 
stating that a particular access control at an intermediary is not 
designed or operating effectively. The auditor may then be able to 
identify and test other controls that could mitigate the control 
failure described in the SOC report. In this scenario, if the auditor 
determines that the identified controls are designed and operating 
effectively and mitigate the control failure, or the auditor has 
performed other procedures such as obtaining computer systems event 
logs generated by the intermediary that provide evidence there was no 
unauthorized access during the relevant period, the information in the 
SOC report in this scenario would not necessarily mean that the auditor 
is not allowed to use the intermediary under the new standard.
    In addition, several commenters asserted that, if an auditor were 
not allowed to use an intermediary under proposed paragraph .B3 and the 
confirming party had a policy requiring the use of an intermediary for 
receiving and responding to auditor confirmation requests, an auditor 
may be unable to comply with the proposed requirement to confirm cash, 
even if relevant and reliable audit evidence were otherwise available. 
Considering these comments, the Board has modified paragraph .B2 of the 
new standard to state that in

[[Page 71697]]

circumstances where the auditor, under paragraph .B2, should not use an 
intermediary to send confirmation requests or receive confirmation 
responses, the auditor should send confirmation requests without the 
use of an intermediary or, if unable to do so, perform alternative 
procedures in accordance with Appendix C of the new standard. The Board 
believes that this modification and the adoption of a provision 
regarding obtaining audit evidence by directly accessing information 
maintained by a knowledgeable external source (see discussion below), 
address commenters' concerns that an auditor may not be able to comply 
with the requirement to confirm cash.
    Certain commenters asked for additional guidance on what procedures 
an auditor should or could perform to comply with the requirements in 
Appendix B. Having considered these comments, the Board determined that 
the new standard, consistent with the 2022 Proposal, will not specify 
how the auditor should perform the particular procedures required by 
paragraphs .B1 and .B2 regarding evaluating the implications of using 
an intermediary. The new standard thus allows auditors to customize 
their approach based on the facts and circumstances of the audit 
engagement and the audit firm. For example, in obtaining an 
understanding of the intermediary's controls that address the risk of 
interception and alteration of confirmation requests and responses and 
determining whether they are designed and operating effectively, the 
auditor could (i) use, where available, a SOC report that evaluates the 
design and operating effectiveness of the relevant controls at the 
intermediary; or (ii) test the intermediary's controls that address the 
risk of interception and alteration directly.\38\
---------------------------------------------------------------------------

    \38\ See Spotlight: Observations and Reminders on the Use of a 
Service Provider in the Confirmation Process (Mar. 2022), available 
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------

    Some commenters asked for guidance related to an acceptable window 
of time to be covered by ``bridge letters.'' \39\ Where an auditor uses 
an independent service auditor's report on a service organization's 
controls, such procedures may involve using a bridge letter. The new 
standard does not specify an appropriate window of time to be covered 
by a bridge letter or a permissible window of time between the date 
covered by a bridge letter and the period when the auditor uses the 
intermediary to facilitate direct electronic transmission of 
confirmation requests and responses. Auditors should use their 
professional judgment based upon the facts and circumstances of the 
audit to determine the nature of procedures required to comply with 
paragraph .B1 of the new standard, including the note to paragraph 
.B1(b).
---------------------------------------------------------------------------

    \39\ Some intermediaries provide a ``bridge letter'' or ``gap 
letter'' issued by the independent service auditor that addresses 
the period from the date of the service auditor's SOC report through 
a subsequent date, typically the most recent calendar year end.
---------------------------------------------------------------------------

    One commenter stated that paragraph .B2(b) of the proposed standard 
should have a specific documentation requirement. The Board believes 
that adding a specific documentation requirement is not necessary, as 
the auditor is required to document compliance with PCAOB standards 
under existing documentation requirements.\40\
---------------------------------------------------------------------------

    \40\ See, e.g., paragraph .05 of AS 1215, Audit Documentation.
---------------------------------------------------------------------------

    Lastly, the new standard modifies the language of the 2022 Proposal 
to provide in the note to paragraph .B1(b) of the new standard that, if 
the auditor performs procedures to determine that the controls used by 
the intermediary to address the risk of interception and alteration are 
designed and operating effectively at an interim date, the auditor 
should evaluate whether the results of the procedures can be used 
``during the period in which the auditor uses the intermediary''--
rather than at ``period end,'' as described in the proposed standard--
or whether additional procedures need to be performed to update the 
results. The Board believes that the modified provision more accurately 
describes the timeframe during which the results of the procedures may 
be used by an auditor. In addition, the modified provision clarifies 
that the auditor should consider the nature and extent of any changes 
in the intermediary's process and controls during the period between 
the auditor's procedures and the period the auditor uses the 
intermediary.
Interaction of New Standard and Proposed QC 1000
    In November 2022 the Board issued for public comment a proposed 
quality control standard, referred to as proposed QC 1000, A Firm's 
System of Quality Control.\41\ Proposed QC 1000 addresses resources 
used by a registered public accounting firm that are sourced from 
third-party providers. An intermediary that facilitates direct 
electronic transmission of confirmation requests and responses is one 
example of a ``third-party provider'' under proposed QC 1000.
---------------------------------------------------------------------------

    \41\ See A Firm's System of Quality Control and Other Proposed 
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 
2022-006 (Nov. 18, 2022).
---------------------------------------------------------------------------

    Under proposed QC 1000, a firm would consider the nature and extent 
of resources or services obtained from third-party providers in its 
risk assessment process and whether the use of third-party providers 
poses any quality risks to the firm in achieving its quality 
objectives. One of the required quality objectives relates to obtaining 
an understanding of how such resources or services are developed and 
maintained and whether they need to be supplemented and adapted as 
necessary, such that their use enables the performance of the firm's 
engagements in accordance with applicable professional and legal 
requirements and the firm's policies and procedures.\42\
---------------------------------------------------------------------------

    \42\ See paragraph .44.j of proposed QC 1000.
---------------------------------------------------------------------------

    As noted above, the proposed standard on the auditor's use of 
confirmation included specific procedures related to the use of an 
intermediary, which included obtaining an understanding of the 
intermediary's controls that address the risk of interception and 
alteration of a confirmation request and response and determining 
whether such controls are designed and operating effectively.
    A few commenters on the 2022 Proposal observed that firms may 
obtain and evaluate SOC reports centrally, rather than requiring that 
individual engagement teams obtain and evaluate the reports. One of 
these commenters suggested clarifying in the standard that the 
evaluations required by Appendix B may be performed, and the 
documentation may be retained centrally, as part of the firm's quality 
control system. Another of these commenters suggested that the 
requirements related to the use of an intermediary be removed entirely 
from the proposed confirmation standard and instead be dealt with 
solely in the proposed quality control standards. One commenter stated 
that, depending on the identified quality risks, procedures performed 
in accordance with QC 1000 need not align with the financial statement 
period-end of each audit engagement performed by the firm, which the 
commenter asserted was implied by paragraph .B2(b) and a related note 
in the proposed standard. Lastly, a few commenters indicated that it 
would be beneficial to explicitly link the provisions of the 
confirmation standard regarding the use of an intermediary with QC 
1000.

[[Page 71698]]

    Having considered these comments, the Board believes that the 
requirements in the new standard related to the auditor's use of 
intermediaries, with the modifications discussed above to the 
requirements in the proposed standard, are sufficiently clear and 
appropriate. The auditor's evaluation of the intermediary's controls 
could be performed by an engagement team, an audit firm's national 
office, or a combination of both. Where the national office performs 
procedures relating to the intermediary (either as part of the firm's 
quality control activities or specifically to comply with the new 
standard), the engagement team would still need to consider the 
procedures performed by the national office and include in its audit 
documentation considerations specific to the individual audit 
engagement. For example, if a national office evaluated an 
intermediary's controls at an interim date, the engagement team would 
need to, in accordance with the note accompanying paragraph .B1(b) of 
the new standard, evaluate whether the results of the interim 
procedures could be used during the period in which the auditor uses 
the intermediary to facilitate direct electronic transmission of 
confirmation requests and responses or whether they needed to be 
updated.
Using Internal Audit in the Confirmation Process
    The 2022 Proposal identified certain activities in the confirmation 
process where the auditor may not use the assistance of the company's 
internal audit function. Under the 2022 Proposal, the auditor was not 
permitted to use internal auditors for selecting items to be confirmed, 
sending confirmation requests, and receiving confirmation responses, 
because using internal audit in a direct assistance capacity for such 
activities would not be consistent with the auditor's responsibility to 
maintain control over the confirmation process.
    Existing AS 2310 does not include analogous provisions. It states 
instead that the auditor's need to maintain control does not preclude 
the use of internal auditors and that AS 2605, Consideration of the 
Internal Audit Function, provides guidance on considering the work of 
internal auditors and on using internal auditors to provide direct 
assistance to the auditor.\43\
---------------------------------------------------------------------------

    \43\ See footnote 3 of AS 2310.
---------------------------------------------------------------------------

    The Board adopted the proposed requirements substantially as 
proposed, with certain modifications discussed below.
    A number of commenters, including investor-related groups, firms, 
and firm-related groups, agreed with the requirements proposed in the 
2022 Proposal as being in line with the auditor's responsibility to 
maintain control over the confirmation process. Additionally, a few 
commenters observed that it is not current practice for auditors to use 
internal audit in a direct assistance capacity for selecting items to 
be confirmed, sending confirmation requests, or receiving confirmation 
responses and, therefore, that the requirements in the 2022 Proposal 
would not result in a significant change in practice. Conversely, one 
commenter stated that the proposed restrictions would impact current 
practice as it relates to direct assistance.
    A significant number of commenters, including internal auditors and 
companies with internal audit functions, took exception to the 
provision in the 2022 Proposal to limit the external auditor's use of 
internal auditors in a direct assistance capacity in the confirmation 
process, and in some instances asserted that such limitations would be 
inconsistent with AS 2605. Many of these commenters also challenged the 
statement in the 2022 Proposal that ``[i]nvolving internal auditors or 
other company employees in these activities [selecting items to be 
confirmed, sending confirmation requests, and receiving confirmation 
responses] would create a risk that information exchanged between the 
auditor and the confirming party is intercepted and altered.'' These 
commenters asserted that this language called into question internal 
auditors' competence, objectivity, and independence. Additionally, a 
few commenters expressed concern with the prescriptiveness of the 
proposed restrictions on the use of internal auditors in the 
confirmation process.
    Having considered the comments received, the Board notes that the 
discussion in the 2022 Proposal was not intended to cast doubt on the 
qualifications, competence, or objectivity of internal auditors. 
Internal auditors can and often do play an important role in enhancing 
the quality of a company's financial reporting. At the same time, the 
Board continues to believe that in order to maintain control over the 
confirmation process the auditor should select items to be confirmed, 
send confirmation requests, and receive confirmation responses.
    In addition, after considering the comments received, the Board is 
(i) relocating the requirements related to the auditor's use of 
internal audit in the confirmation process to the section of the new 
standard on maintaining control over the confirmation process and (ii) 
rephrasing the requirements in terms of the auditor's affirmative 
responsibilities, by describing procedures the auditor is required to 
perform. In contrast, the proposed standard described procedures that 
internal auditors were not allowed to perform. As stated in footnote 7 
of the new standard, auditors are permitted to use internal auditors in 
accordance with AS 2605, except for selecting items to confirm, sending 
confirmation requests, and receiving confirmation responses. The new 
standard does not impose any new limitations on how the internal 
auditors' work may affect the external auditor's audit procedures.\44\ 
Instead, the new standard clarifies how an external auditor can use 
internal auditors in a direct assistance capacity as part of the 
confirmation process.\45\
---------------------------------------------------------------------------

    \44\ AS 2605.12 states that ``the internal auditor's work may 
affect the nature, timing, and extent of the audit,'' including 
``procedures the auditor performs when obtaining an understanding of 
the entity's internal control (paragraph .13),'' ``procedures the 
auditor performs when assessing risk (paragraphs .14 through .16),'' 
and ``substantive procedures the auditor performs (paragraph .17).''
    \45\ AS 2605.27 discusses how the auditor may use internal 
auditors to provide direct assistance.
---------------------------------------------------------------------------

Evaluating Confirmation Responses and Confirmation Exceptions, and 
Addressing Nonresponses and Incomplete Responses
    (See paragraphs .18-.23 of the new standard).
Overall Approach
    Under the 2022 Proposal, the auditor's responsibilities related to 
the confirmation process included evaluating the information received 
in confirmation responses and addressing nonresponses and incomplete 
responses. The 2022 Proposal provided that if the auditor is unable to 
determine whether the confirmation response is reliable, or in the case 
of a nonresponse or an incomplete response (i.e., one that does not 
provide the audit evidence the auditor seeks to obtain), the auditor 
should perform alternative procedures.\46\ The 2022 Proposal built upon 
requirements in existing AS 2310 that discuss addressing information 
obtained from the performance of confirmation procedures.
---------------------------------------------------------------------------

    \46\ Alternative procedures, including the relevant exception 
described in Appendix C of the new standard, are discussed below.
---------------------------------------------------------------------------

    The relevant requirements in the new standard include certain 
modifications to the approach in the 2022 Proposal, as discussed in the 
sections below.

[[Page 71699]]

Evaluating the Reliability of Confirmation Reponses
    The 2022 Proposal was intended to provide additional direction 
beyond what is set forth in existing AS 2310 to assist the auditor's 
evaluation of the reliability of confirmation responses. Specifically, 
the 2022 Proposal (i) described information that the auditor should 
take into account when performing the evaluation, and (ii) provided 
examples of indicators that a confirmation response may have been 
intercepted or altered and thus may not be reliable. In particular, the 
2022 Proposal provided that the auditor should take into account any 
information about events, conditions, or other information the auditor 
becomes aware of in assessing the reliability of the confirmation 
response.
    Under existing PCAOB standards, the auditor is not expected to be 
an expert in document authentication but, if conditions indicate that a 
document (e.g., a confirmation response) may not be authentic or may 
have been altered, the auditor should modify the planned audit 
procedures or perform additional audit procedures to respond to those 
conditions and should evaluate the effect, if any, on the other aspects 
of the audit.\47\ The 2022 Proposal did not alter these requirements, 
but specified for the confirmation process that, if the auditor were 
unable to determine that the confirmation response is reliable, the 
auditor's response should include performing alternative procedures.
---------------------------------------------------------------------------

    \47\ See AS 1105.09.
---------------------------------------------------------------------------

    The requirements for evaluating the reliability of confirmation 
responses were adopted substantially as proposed.
    Several commenters indicated that the provisions of the 2022 
Proposal related to evaluating the reliability of confirmation 
responses were clear and appropriate. One commenter proposed 
modifications to the proposed requirements, including replacing the 
words ``taking into account'' with ``considering'' in paragraph .25 of 
the proposed standard to reflect the commenter's perceived intent of 
the Board. One commenter asserted that paragraph .25 of the proposed 
standard could result in onerous documentation requirements in 
situations where there is a clear reason why a particular indicator is 
not necessarily indicative of interception or alteration of a 
confirmation request or confirmation response (e.g., a confirmation 
request is sent to a general email account but returned from an email 
account belonging to an individual monitoring the general email 
account). Another commenter proposed that the Board remove one of the 
examples of indicators that a confirmation response may have been 
intercepted or altered because it appeared to create a de facto 
requirement that an auditor treat a confirmation response as not 
reliable if the original confirmation request is not returned with the 
confirmation response.
    In addition, one commenter suggested modifying proposed paragraph 
.26 of the proposed standard to provide that the auditor should perform 
alternative procedures if the auditor became aware of any of the 
factors identified in paragraph .25 and was unable to overcome those 
factors to determine that the confirmation response is reliable. 
Another commenter stated that the proposed standard should acknowledge 
that, in certain specified circumstances, an unreliable confirmation 
would likely result in a scope limitation.
    Having considered the comments received, the Board notes that 
assessing the reliability of confirmation responses is a critical 
component of the confirmation process. If indicators of interception or 
alteration are present, it is important for the auditor to address 
them. When the auditor follows up on a particular indicator, an auditor 
may determine that the confirmation requests and responses have not 
been intercepted or altered. For example, an auditor could verify that 
a difference in the confirming party's email address between the 
confirmation request and confirmation response occurred because the 
confirming party responds to confirmation requests from one central 
email address. The note to paragraph .18 of the new standard (paragraph 
.25 of the proposed standard) provides examples of information that the 
auditor should take into account if the auditor becomes aware of it. 
Under PCAOB standards, the auditor would document the procedures 
performed in response to information that indicates that a confirmation 
request or response may have been intercepted or altered. To minimize 
any confusion, the Board replaced the word ``indicator'' in the note 
with the phrase ``information that indicates,'' which has the same 
meaning.
    In addition, to clarify that the auditor performs alternative 
procedures for the selected item if the auditor is unable to determine 
that a confirmation response regarding that item is reliable, the Board 
has added the phrase ``for the selected item'' after the words 
``alternative procedures'' in paragraph .19 of the new standard. The 
Board also revised the reference in paragraph .26 of the proposed 
standard to performing alternative procedures ``as discussed in 
paragraph .31'' to ``in accordance with Appendix C'' in paragraph .19 
of the new standard to reflect that alternative procedures for a 
selected item may not be necessary under certain circumstances, as 
discussed below, and to reflect the relocation of the more detailed 
discussion of alternative procedures from the body of the standard to 
Appendix C.
    AS 3105, Departures from Unqualified Opinions and Other Reporting 
Circumstances, sets forth requirements regarding limitations on the 
scope of an audit,\48\ including scope limitations relating to 
confirmation procedures with respect to accounts receivable.\49\ One 
example of such a scope limitation would be the auditor's inability to 
confirm accounts receivable balances combined with an inability to 
perform other procedures in respect of accounts receivable to obtain 
sufficient appropriate audit evidence. The new standard does not repeat 
such existing requirements, as doing so would merely duplicate those 
requirements.
---------------------------------------------------------------------------

    \48\ See AS 3105.05-.15.
    \49\ See AS 3105.07.
---------------------------------------------------------------------------

Evaluating Confirmation Exceptions and Addressing Nonresponses and 
Incomplete Responses
    For various reasons, information in a confirmation response 
received by the auditor could differ from other information in the 
company's records obtained by the auditor. The 2022 Proposal provided 
that the auditor should evaluate the confirmation exceptions and 
determine their implications for certain aspects of the audit, as 
discussed below. The direction in the 2022 Proposal was more detailed 
than in existing AS 2310.
    In particular, the 2022 Proposal provided that the auditor should 
evaluate whether confirmation exceptions individually or in the 
aggregate indicate a misstatement that should be evaluated in 
accordance with AS 2810. The 2022 Proposal did not, however, require 
investigating all confirmation exceptions to determine the cause of 
each confirmation exception. The 2022 Proposal also included a 
provision that the auditor should evaluate whether the confirmation 
exceptions individually, or in the aggregate, indicate a deficiency in 
the company's internal control over financial reporting (``ICFR'').
    With regards to nonresponses and potential nonresponses, the 2022 
Proposal provided that the auditor should send a second positive 
confirmation request to the confirming

[[Page 71700]]

party unless the auditor has become aware of information that indicates 
that the confirming party would be unlikely to respond to the auditor. 
Additionally, the 2022 Proposal specified that if a confirmation 
response is returned by the confirming party to anyone other than the 
auditor, the auditor should contact the confirming party and request 
that the response be re-sent directly to the auditor. If the auditor 
does not subsequently receive a confirmation response from the intended 
confirming party, the 2022 Proposal provided that the auditor should 
treat the situation as a nonresponse.
    Further, in contrast with existing AS 2310, which does not address 
the auditor's responsibilities regarding incomplete responses, the 2022 
Proposal provided that the auditor should perform alternative 
procedures if a confirmation response is not received or is incomplete.
    The Board adopted the requirements for evaluating confirmation 
exceptions and addressing nonresponses as proposed, with certain 
modifications discussed below.
    Some commenters indicated that the proposed provisions regarding 
evaluating confirmation exceptions and addressing nonresponses were 
sufficiently clear and appropriate. A few commenters stated that the 
Board should include requirements that limit an auditor's ability to 
assess confirmation exceptions as merely ``isolated exceptions.'' 
Similarly, one commenter asserted that the Board should require 
auditors to resolve any confirmation exceptions by examining other 
third-party evidence such as purchase orders. In light of these 
comments, the Board has added a new note to paragraph .20 of the new 
standard that states that determining that a confirmation exception 
does not represent a misstatement that should be evaluated in 
accordance with AS 2810 generally involves examining external 
information, which may include information that the company received 
from knowledgeable external sources.
    In the Board's view, in many circumstances examining external 
evidence under the above provision is necessary, as doing so is 
consistent with both the goal of obtaining relevant and reliable audit 
evidence and the type of audit evidence sought from confirmation. For 
example, an auditor might send a confirmation request for a selected 
item to a knowledgeable confirming party regarding a $20,000 accounts 
receivable invoice and the confirming party (i.e., the customer) 
indicates that the outstanding balance for this invoice at the date 
specified in the confirmation request is $18,000. Having investigated 
the $2,000 difference, the auditor learns that it does not represent a 
misstatement, as the customer overpaid for a different invoice but 
applied the overpayment to the invoice selected for confirmation and 
the company applied the overpayment differently. In this scenario, 
determining that there is not a $2,000 misstatement for the selected 
item would involve the auditor examining audit evidence from 
knowledgeable external sources, such as applicable purchase orders and 
customer cash payments, in addition to information generated by the 
company, such as customer invoices.
    The note to paragraph .20 of the new standard uses the word 
``generally'' to acknowledge that in some circumstances examining 
external audit evidence may not be necessary. For example, an auditor 
may have included an incorrect figure in the confirmation request and 
later determined that the amount confirmed by the confirming party 
agrees to the amount in the company's general ledger. Determining that 
such a confirmation exception does not represent a misstatement to be 
evaluated in accordance with AS 2810 would not require examining audit 
evidence from external sources.
    One commenter suggested that the Board consider reminding auditors 
that, when using audit sampling, the auditor should project the 
misstatement results of the sample to the items from which the sample 
was selected in accordance with AS 2315. The Board considered this 
comment, but did not add a reminder regarding projecting the results of 
a sample as the new standard states in footnote 4 that AS 2315 
addresses evaluating audit samples.
    One commenter suggested that the Board restructure paragraph .27 of 
the proposed standard, as the auditor generally considers whether a 
confirmation exception is a misstatement and then determines whether 
there is a deficiency in internal control. In consideration of this 
comment, the Board has restructured paragraph .20 of the new standard 
to align with the typical order in which the auditor considers the two 
matters discussed therein (i.e., an auditor typically considers whether 
a confirmation exception indicates a misstatement that should be 
evaluated in accordance with AS 2810, Evaluating Audit Results, and 
then considers whether the confirmation exception represents a 
deficiency in the company's ICFR).
    One commenter expressed the view that the Board should not require 
auditors to evaluate whether a confirmation exception constitutes a 
control deficiency if the exception was a result of a clerical error or 
caused by a timing difference. The Board continues to believe that 
requiring the auditor to evaluate exceptions in such circumstances is 
appropriate and the auditor should consider whether all confirmation 
exceptions are control deficiencies. A clerical error or timing 
difference could be indicative of a deficiency in a company's ICFR.
    One commenter indicated that the proposed requirement about sending 
a second positive confirmation request unless the auditor has become 
aware of information that indicates that the confirming party would be 
unlikely to respond to the auditor was sufficiently clear and 
appropriate. However, several firms commented that the requirement was 
too prescriptive, with one commenter asserting that the requirement 
could result in unnecessary and potentially ineffective administrative 
effort. Additionally, a few commenters expressed concern that following 
up on a confirmation request would not constitute sending a second 
confirmation request under the proposed standard, but asserted that it 
should be so treated.
    The Board considered the comments about the requirement to send a 
second positive confirmation request. The use of confirmation is not 
required under the new standard other than for cash and accounts 
receivable when they are significant accounts or disclosures. Under the 
new standard, for cash and accounts receivable, the auditor may perform 
other audit procedures to obtain audit evidence by directly accessing 
information maintained by a knowledgeable external source. Further, for 
accounts receivable, in certain situations the new standard allows the 
auditor to obtain external information indirectly (see discussion of 
cash and accounts receivable below).
    Because the auditor may have a choice of the audit procedure to 
perform, the Board believes that the auditor will select confirmation 
in those situations where confirming parties will be more likely to 
respond to the auditor. In situations where a confirming party does not 
respond to a confirmation request, the Board has concluded it is 
appropriate to require the auditor, in the case of a nonresponse to a 
positive confirmation request, to follow up with the confirming party. 
The requirement to follow up with the confirming party is included in 
paragraph .21 of the new standard. The new standard does not prescribe 
a form of the auditor's follow-up. For example, following up using the

[[Page 71701]]

same form of communication as in the original confirmation request 
(e.g., email, direct electronic transmission facilitated by an 
intermediary) would be appropriate under the new standard. In the case 
of an electronic confirmation request, a follow-up request could be in 
the form of a reminder or automated reminder.
    If the auditor subsequently receives a confirmation response, the 
new standard provides that the auditor should evaluate that response in 
accordance with paragraphs .18-.19 and evaluate any confirmation 
exception in accordance with paragraph .20. If the auditor's follow-up 
does not elicit a confirmation response, paragraph .23 of the new 
standard instructs the auditor to perform alternative procedures for 
the selected item in accordance with Appendix C of the new standard.
    To clarify that the auditor performs alternative procedures for the 
selected item, the Board has added the phrase ``for the selected item'' 
after the words ``alternative procedures'' in paragraph .23 of the new 
standard. The Board also revised the reference in paragraph .30 of the 
proposed standard to performing alternative procedures ``as discussed 
in paragraph .31'' to refer to ``in accordance with Appendix C'' in 
paragraph .19 of the new standard to reflect that alternative 
procedures for a selected item may not be necessary under certain 
circumstances, as discussed below, and to reflect the relocation of the 
more detailed discussion of alternative procedures from the body of the 
standard to Appendix C.
Additional Considerations for Cash, Accounts Receivable, and Terms of 
Certain Transactions
    (See paragraphs .24-.30 of the new standard).
    In general, evidence obtained from a knowledgeable external source 
is more reliable than evidence obtained only from internal company 
sources. When cash or accounts receivable are significant accounts, 
there is a presumption in the new standard that the auditor should 
obtain audit evidence from a knowledgeable external source by 
performing confirmation procedures or using other means to obtain audit 
evidence by directly accessing information maintained by knowledgeable 
external sources. In addition, the new standard addresses other 
situations in which the auditor should consider the use of 
confirmation.
    The Board discusses below the provisions of the new standard 
relating to confirming cash held by third parties, confirming accounts 
receivable, performing other audit procedures for accounts receivable 
when obtaining audit evidence directly from a knowledgeable external 
source would not be feasible, communicating with the audit committee in 
certain situations, and confirming the terms of certain other 
transactions. To improve the flow of the requirements in the new 
standard, these provisions have been placed after the general 
provisions that describe the auditor's responsibilities related to the 
confirmation process (i.e., after paragraphs .08-.23).
    Figure 1 depicts the relationship of the requirements in the new 
standard for cash and accounts receivable when they are significant 
accounts (paragraphs .24-.28) to the general provisions of the new 
standard applicable to the confirmation process (paragraphs 
.08-.23).\50\
---------------------------------------------------------------------------

    \50\ The information in Figure 1 is intended to be for 
illustrative purposes and is not a substitute for the new standard; 
only the new standard provides the auditor with the definitive 
requirements.
---------------------------------------------------------------------------

BILLING CODE 8011-01-P

[[Page 71702]]

[GRAPHIC] [TIFF OMITTED] TN17OC23.008

BILLING CODE 8011-01-C
Cash Held by Third Parties
Confirming Cash
    The 2022 Proposal provided that the auditor should perform 
confirmation procedures when auditing cash and cash equivalents held by 
a third party. Existing AS 2310 does not address auditor 
responsibilities for confirming cash.
    The Board noted in the 2022 Proposal that an auditor need not 
necessarily confirm all cash accounts in all cases. Under PCAOB 
standards, the alternative means of selecting items for testing are 
selecting all items, selecting specific items, and audit sampling.\51\ 
An auditor selects individual cash items to confirm following the 
relevant direction in PCAOB standards, including identifying and 
assessing the risk of misstatement and developing an audit 
response.\52\ The particular means or combination of means of selecting 
cash items to confirm depend on, for example, the characteristics of 
the cash items and the evidence necessary to address the assessed risk 
of material misstatement.\53\
---------------------------------------------------------------------------

    \51\ See AS 1105.22.
    \52\ See, e.g., AS 2110 and AS 2301.
    \53\ See AS 1105.23 and AS 2301.03.
---------------------------------------------------------------------------

    The 2022 Proposal emphasized that, in selecting the individual 
items of cash to confirm, the auditor should take into account the 
auditor's understanding of the company's cash management and treasury 
function, and the substance of the company's arrangements and 
transactions with third parties. For example, an auditor might select 
bank accounts with balances over a certain amount, accounts with a high 
volume of

[[Page 71703]]

transactions, accounts opened or closed during the period under audit, 
or accounts the auditor identifies as particularly risk-prone. 
Alternatively, the auditor might determine it is appropriate to confirm 
all cash accounts. The auditor also follows the direction in PCAOB 
standards when determining whether performing procedures in addition to 
confirmation is necessary to address the assessed risk of material 
misstatement relating to cash.\54\
---------------------------------------------------------------------------

    \54\ See, e.g., AS 2301.09.
---------------------------------------------------------------------------

    The Board adopted the proposed requirements to confirm cash, with 
certain modifications discussed below.
    A number of commenters supported the proposed requirement for the 
auditor to confirm cash held by third parties. Some of these commenters 
stated that confirming cash has long been an audit best practice and 
that requiring cash confirmation would lead to more consistency in 
practice. In addition, several commenters stated that the standard was 
sufficiently risk-based (i.e., by allowing the auditor to select cash 
accounts and other financial relationships to confirm based on the risk 
of material misstatement associated with cash).
    Several commenters asserted that a requirement to confirm cash was 
not sufficiently risk-based, despite the provisions in the 2022 
Proposal that described that the auditor should take into account their 
understanding of the company's operations in making selections of 
individual cash items to confirm. In particular, several commenters 
stated that the proposed standard would require an auditor to confirm 
cash without regard to the level of risk that the auditor had 
determined for cash in their risk assessment or when other audit 
procedures could produce sufficient appropriate audit evidence. Other 
commenters expressed the view that the requirement to confirm cash, as 
well as accounts receivable, should be removed, with some of these 
commenters suggesting that the auditor should be able to determine the 
audit procedure that would be most effective in obtaining relevant and 
reliable audit evidence, without confirmation being the ``default'' 
procedure.
    The Board continues to believe that a presumption to confirm cash 
is appropriate. As discussed above, this presumption to confirm cash is 
consistent with current practice. Consistent with the objective of the 
new standard, the requirement to confirm cash, as well as accounts 
receivable, only applies when the auditor has determined that that 
these accounts are significant accounts.
    With respect to confirming cash, many commenters, primarily firms 
and firm-related groups, expressed concern that the 2022 Proposal did 
not contain a provision about overcoming the presumption to confirm 
cash. A number of commenters also expressed the view that auditors 
could obtain direct-access view of bank information (or would be able 
to do so in the future), which could provide a more effective means of 
directly obtaining external evidence than sending a confirmation.
    The Board agrees that if the auditor is able to perform other audit 
procedures that allow the auditor to obtain audit evidence by directly 
accessing information maintained by knowledgeable external sources, 
such audit evidence would be at least as persuasive as audit evidence 
obtained through confirmation procedures. The Board therefore added to 
the presumption to confirm cash (and accounts receivable) in the new 
standard the phrase ``or otherwise obtain relevant and reliable audit 
evidence by directly accessing information maintained by a 
knowledgeable external source.''
    By way of example, the auditor might satisfy this requirement to 
obtain relevant and reliable audit evidence under the new standard by 
obtaining read-only access to information maintained by a financial 
institution concerning its transactions or balances with the company 
directly online through a secure website of the financial institution 
using credentials provided to the auditor by the financial institution.
The Term ``Cash and Cash Equivalents Held by Third Parties''
    The 2022 Proposal provided that the term ``cash'' comprised both 
cash and cash equivalents. Cash equivalents generally refer to short-
term, highly liquid investments that are readily convertible to known 
amounts of cash and are so near their maturity that they present 
insignificant risk of changes in value because of changes in interest 
rates.\55\ Such assets are commonly used by companies to manage their 
cash holdings. The 2022 Proposal also described that the requirements 
for confirming cash would apply to cash held by third parties, and not 
limited to cash held by financial institutions. In the Board's view, 
this expansion of confirmation requirements was appropriate, as company 
funds can be held by third parties other than financial institutions, 
such as money transfer providers.
---------------------------------------------------------------------------

    \55\ See, e.g., definition of ``cash equivalents'' in the Master 
Glossary of the Financial Accounting Standards Board (``FASB'') 
Accounting Standards Codification and of ``cash equivalents'' in the 
International Financial Reporting Standards (``IFRS'').
---------------------------------------------------------------------------

    The Board adopted this provision as proposed in the 2022 Proposal.
    There was one comment related to this aspect of the 2022 Proposal, 
suggesting that the new standard should specify that ``third parties'' 
are not limited to financial institutions. The Board believes the 
reference to ``third parties'' was sufficiently clear as proposed and, 
accordingly, has not expanded this description.
Confirming Other Financial Relationships
    The 2022 Proposal provided that the auditor should consider 
confirming other financial relationships with the third parties with 
which the auditor determines to confirm cash. Such relationships can 
include lines of credit, other indebtedness, compensating balance 
arrangements, or contingent liabilities, including guarantees. As 
proposed, the auditor would be required under PCAOB standards to 
document the consideration given to the confirmation of other financial 
relationships and the conclusions reached.\56\ Existing AS 2310 does 
not have an analogous requirement to confirm other financial 
relationships.
---------------------------------------------------------------------------

    \56\ See Note to PCAOB Rule 3101(a)(3), which states that ``(i)f 
a Board standard provides that the auditor ``should consider'' an 
action or procedure, consideration of the action or procedure is 
presumptively mandatory, while the action or procedure is not,'' and 
AS 1215.05-.06 (audit documentation should ``[d]emonstrate that the 
engagement complied with the standards of the PCAOB'' and must 
``document the procedures performed . . . with respect to relevant 
financial statement assertions''). See also Audit Documentation and 
Amendment to Interim Auditing Standards, PCAOB Rel. No. 2004-006 
(June 9, 2004), at 3 (``the auditor documents not only the nature, 
timing, and extent of the work performed, but also the professional 
judgments made by members of the engagement team and others'').
---------------------------------------------------------------------------

    The Board adopted this provision as proposed, with certain 
modifications discussed below.
    Several commenters stated that the requirements for the auditor to 
consider confirming other financial relationships were clear. One 
commenter suggested that confirming other financial relationships 
should be required, and that overcoming the presumption to confirm 
should be available only when the financial entity with which the 
company does business does not offer services that would give rise to 
other financial relationships.
    A number of commenters asserted that auditors would be required to

[[Page 71704]]

produce additional documentation of their considerations, even when a 
financial relationship(s) is not an area of significant risk of 
material misstatement. Some commenters recommended that the provision 
that the auditor ``should consider'' other financial relationships be 
changed to ``may consider,'' in order to allow for more auditor 
judgment in determining the audit procedures to perform.
    The Board continues to believe that information about financial 
relationships, including off-balance sheet relationships, could be 
important for the audit, as it could be part of significant disclosures 
in a company's financial statements. Accordingly, paragraph .29 of the 
new standard provides that, in addition to obtaining audit evidence 
from a knowledgeable external source regarding cash in accordance with 
paragraph .24, the auditor should consider sending confirmation 
requests to that source about other financial relationships with the 
company, based on the assessed risk of material misstatement. The 
phrase ``based on the assessed risk of material misstatement'' was 
added to clarify that the auditor has flexibility in tailoring audit 
procedures to the level of assessed risk (e.g., by including or not 
including confirmation in the audit response based on the auditor's 
assessed risk of material misstatement of other financial 
relationships). In addition, paragraph .29 retains the examples of 
other financial relationships that were included in the 2022 Proposal.
Accounts Receivable
Confirming Accounts Receivable
    The 2022 Proposal carried forward the requirement in existing AS 
2310 to confirm accounts receivable. Similar to existing AS 2310, the 
2022 Proposal did not specify the extent of confirmation procedures for 
accounts receivable. As noted above, the timing and extent of 
confirmation procedures are part of the auditor's response to the risks 
of material misstatement under PCAOB risk assessment standards. The 
2022 Proposal instead required the auditor to take into account the 
auditor's understanding of the substance of the company's arrangements 
and transactions with third parties and the nature of the items that 
make up the company's account balances in selecting the individual 
accounts receivable to confirm. For example, an auditor might assess 
the risk of material misstatement relating to accounts receivable 
higher for a company that is being audited for the first time by the 
auditor, or for accounts receivable from a newly acquired operation in 
a foreign location.
    The Board adopted the proposed requirements to confirm accounts 
receivable, with certain modifications discussed below.
    Most commenters on this aspect of the 2022 Proposal generally 
supported the retention of a presumption to confirm accounts 
receivable, and most of those commenters stated that the requirement 
for the auditor to confirm accounts receivable was sufficiently clear 
and appropriate. Two investor-related groups stated that confirmation 
of cash and accounts receivable was necessary, in their view, to obtain 
persuasive, sufficient, and competent audit evidence.
    On the other hand, a number of commenters, primarily firms and 
firm-related groups, expressed concerns about carrying forward the 
presumption for auditors to confirm accounts receivable from existing 
AS 2310. The common theme of those commenters was that requiring the 
auditor to use confirmation for certain accounts may not allow the 
auditor to exercise professional judgment in determining an appropriate 
response to the assessed risk of material misstatement for those 
accounts.
    Regarding the selection of accounts receivable to confirm, several 
commenters agreed that the 2022 Proposal was sufficiently principles-
based to allow auditors to use professional judgment in determining the 
extent of confirmation of accounts receivable.
    The Board continues to believe that a presumption to confirm 
accounts receivable is appropriate to emphasize that audit evidence 
obtained from a knowledgeable external source is generally more 
reliable than evidence obtained only from internal company sources. 
Consistent with the objective of the new standard, the requirement to 
confirm cash and accounts receivable, or otherwise obtain relevant and 
reliable audit evidence by directly accessing information maintained by 
a knowledgeable external source, only applies when the auditor has 
determined that these accounts are significant accounts.
    As with cash balances discussed above, the Board believes that when 
the auditor is able to perform other audit procedures to obtain audit 
evidence about accounts receivable by directly accessing information 
maintained by knowledgeable external sources (e.g., information 
maintained by the receivable counterparty), such evidence would be at 
least as persuasive as audit evidence through confirmation procedures. 
The Board therefore added to the presumption to confirm cash and 
accounts receivable in the new standard the phrase ``or otherwise 
obtain relevant and reliable audit evidence by directly accessing 
information maintained by a knowledgeable external source.''
    Audit evidence that an auditor obtains by accessing a third party's 
information directly can be at least as persuasive as audit evidence 
obtained through confirmation procedures because the auditor is able to 
observe first-hand the information providing such evidence. As 
technology continues to develop, The Board believes it is important for 
the new standard to reflect that there may be additional opportunities 
for the auditor to obtain audit evidence directly beyond sending a 
confirmation request. The new standard would allow for future 
innovations in audit techniques that might involve the auditor 
obtaining evidence for accounts receivable by directly accessing 
information maintained by a counterparty or other knowledgeable 
external source. As noted in the new standard, consistent with 
selecting a confirming party, when selecting the knowledgeable external 
source providing the auditor with access to information directly, the 
auditor would be required to consider whether the knowledgeable 
external source would have any incentive or pressure to provide the 
auditor with access to information directly that is inaccurate or 
otherwise misleading.
    Situations where it would not be feasible for the auditor to obtain 
audit evidence for accounts receivable directly from a knowledgeable 
external source, through confirmation procedures or other means, are 
discussed below.
The Term ``Accounts Receivable''
    The 2022 Proposal described ``accounts receivable'' as comprising 
receivables arising from the transfer of goods or services to a 
customer or from a financial institution's loans. Existing AS 2310 
describes accounts receivable as the entity's claims against customers 
that have arisen from the sale of goods or services in the normal 
course of business, and a financial institution's loans. The 2022 
Proposal was designed to apply to the same types of items as existing 
AS 2310, with a modified description to align more closely with the 
terminology of current accounting requirements, which have been updated 
since existing AS 2310 was written.\57\
---------------------------------------------------------------------------

    \57\ See, e.g., FASB Accounting Standards Codification Topic 
606, Revenue from Contracts with Customers, and IFRS 15, Revenue 
from Contracts with Customers.

---------------------------------------------------------------------------

[[Page 71705]]

    The Board adopted this provision as proposed.
    Commenters on this aspect of the 2022 Proposal stated that the 
description of accounts receivable was clear. These commenters also 
noted that there was no need to further broaden the description to 
include additional types of receivables.
    The description of accounts receivable in the new standard includes 
receivables that arise from the transfer of goods or services to a 
customer. These types of receivables generally arise from the company's 
ordinary revenue-generating activities, and include items for which 
revenue has been or will be recognized by a company, such as 
receivables from selling manufactured products or providing a service 
to customers. The description of accounts receivable also includes a 
financial institution's loans, including loans to customers that the 
institution has originated or purchased from another institution. 
Examples of financial institutions are banks, non-bank lenders, and 
mortgage companies that provide financing to customers.
Situations When Obtaining Audit Evidence for Accounts Receivable 
Directly Would Not Be Feasible
Performing Other Substantive Procedures, Including Tests of Details
    In the 2022 Proposal, the presumption to confirm accounts 
receivable could be overcome when the auditor determined that an audit 
response that only included substantive audit procedures other than 
confirmation would provide audit evidence that is at least as 
persuasive as evidence the auditor might expect to obtain through 
performing confirmation procedures. The 2022 Proposal did not carry 
forward the provisions in existing AS 2310 addressing overcoming the 
presumption to confirm accounts receivable under certain conditions, 
which are (i) immateriality, (ii) ineffectiveness of confirmation, or 
(iii) a certain combination of the assessed risk and expected results 
from other auditing procedures.\58\
---------------------------------------------------------------------------

    \58\ See AS 2310.34.
---------------------------------------------------------------------------

    As discussed below, the new standard includes a provision to 
address situations when obtaining audit evidence directly from 
knowledgeable external sources, whether through confirmation procedures 
or other means, would not be feasible to execute.
    Many commenters addressed the provision in the 2022 Proposal to 
overcome the presumption to confirm accounts receivable. A few 
commenters noted that the ability to overcome the presumption to 
confirm accounts receivable was clear and appropriate. As discussed 
below, many commenters focused on the proposed provision that evidence 
obtained through other substantive procedures should be ``at least as 
persuasive as'' evidence obtained through confirmation:
     A number of investor-related groups stated that the 
provision gave too much leeway to auditors to overcome the presumption 
to confirm accounts receivable. These commenters asserted that 
exceptions to confirming accounts receivable should only be available 
when other audit procedures would provide more persuasive or greater 
accumulated evidence than that obtained through confirmation. These 
commenters recommended additional requirements, such as allowing the 
auditor to overcome the presumption only if they document the evidence 
and basis for their conclusion and have communicated the conclusion to 
the audit committee and investors.
     Several firms and firm-related groups stated that the 
relevant provisions were not clear or more guidance would be needed 
about overcoming the presumption to confirm accounts receivable when 
other substantive procedures would be ``at least as persuasive as'' the 
evidence expected to be obtained through confirmation. A few commenters 
observed that the absence of a definition of the term ``persuasive'' in 
AS 1105 contributed to a lack of clarity as to the Board's expectations 
and requested more guidance about how to measure or evaluate 
persuasiveness. Several commenters emphasized that, rather than focus 
the requirement for overcoming the presumption to confirm accounts 
receivable on whether audit evidence obtained through audit procedures 
other than confirmation is ``at least as persuasive as'' evidence 
expected to be obtained through confirmation, the Board should focus 
the requirement on obtaining evidence that is sufficient and 
appropriate to address the assessed risk of material misstatement or, 
as one commenter suggested, on the reliability of the audit evidence.
     Several commenters suggested that the Board retain 
provisions similar to those in existing AS 2310.34 for allowing the 
auditor to overcome the presumption to confirm accounts receivable. In 
addition, several firms and firm-related groups suggested that the 
auditor's ability to overcome the presumption to confirm should be 
based on risk assessment, similar to the provision in existing AS 2310 
addressing when the assessed level of inherent and control risk is low.
     Many firms and firm-related groups expressed concern that 
the criteria for overcoming the presumption would result in auditors 
having to use confirmation even in situations where historically 
confirmations were determined by the auditor to be ineffective and not 
to provide persuasive audit evidence.
     One commenter stated that, if the proposed language were 
adopted, auditors would likely default to confirming accounts 
receivable over other audit procedures to avoid second-guessing of 
their determinations of the persuasiveness of audit evidence.
     Several commenters, primarily firms and firm-related 
groups, stated that the 2022 Proposal imposed a higher threshold than 
the existing standard for auditors to overcome the presumption to 
confirm accounts receivable without a corresponding increase to audit 
quality.
    As previously discussed, the new standard creates a presumption 
that the auditor performs confirmation procedures or otherwise obtains 
relevant and reliable audit evidence by directly accessing information 
maintained by a knowledgeable external source. Under PCAOB standards, 
in general, evidence obtained directly by the auditor from a 
knowledgeable external source is more reliable than evidence obtained 
indirectly.\59\ However, the Board appreciates that there are instances 
where the auditor determines that performing confirmation procedures in 
response to a risk of material misstatement related to accounts 
receivable would not be feasible. For example, commenters described 
situations involving a history of low response rates to confirmation 
requests in certain industries (e.g., healthcare, utilities), or where 
customers have been advised by a government agency to avoid providing 
personal or financial information in response to an unexpected request. 
The Board further understands that companies in other industries (e.g., 
large retailers, defense and aerospace companies that contract with the 
federal government) do not, as a matter of policy, respond to 
confirmation requests. There may also be instances in which the 
performance of confirmation procedures would not result in reliable 
audit evidence.
---------------------------------------------------------------------------

    \59\ See AS 1105.08.
---------------------------------------------------------------------------

    Accordingly, paragraph .25 allows the auditor to perform other 
substantive procedures in response to a risk of

[[Page 71706]]

material misstatement, as long as such procedures include tests of 
details, if the auditor determines it is not feasible to obtain audit 
evidence directly from a knowledgeable external source pursuant to 
paragraph .24. Paragraph .25 specifically provides that the auditor's 
determination should be based on the auditor's experience, such as 
prior years' audit experience with the company or experience with 
similar engagements where the auditor did not receive confirmation 
responses, and the auditor's expectation of similar results if 
procedures were performed pursuant to paragraph .24. Any such 
determination would be performed as part of conducting the audit based 
on the available facts and circumstances at that time and properly 
supported in the audit documentation for the engagement.\60\ In 
addition, as described below, for significant risks associated with 
accounts receivable, the auditor would be required to communicate with 
the audit committee when the auditor did not perform confirmation 
procedures or otherwise obtain audit evidence by directly accessing 
information maintained by a knowledgeable external source.
---------------------------------------------------------------------------

    \60\ See AS 1215.05.
---------------------------------------------------------------------------

    This provision replaces the concept in the 2022 Proposal about 
obtaining audit evidence that was ``at least as persuasive as'' the 
evidence expected to be obtained through confirmation procedures. It 
also specifies that the auditor should perform other substantive 
procedures, including tests of details, in these situations to make 
clear that performing only substantive analytical procedures would not 
be sufficient to overcome the presumption to confirm. These other 
substantive procedures should involve obtaining external information 
indirectly.
    For accounts receivable, the auditor may be able to satisfy this 
requirement by obtaining information that is in the company's 
possession that the company received from one or more knowledgeable 
external sources.\61\ Examples of such external information may 
include, for example, subsequent cash receipts, shipping documents from 
third-party carriers, customer purchase orders, or signed contracts and 
amendments thereto. This information may be in electronic form (e.g., a 
purchase order initiated by a customer through a company's website) or 
in paper form (e.g., a signed contract).
---------------------------------------------------------------------------

    \61\ See also Proposed Amendments Related to Aspects of 
Designing and Performing Audit Procedures that Involve Technology-
Assisted Analysis of Information in Electronic Form, PCAOB Rel. No. 
2023-004 (June 26, 2023) (proposing amendments to PCAOB auditing 
standards to specify auditor responsibilities regarding certain 
company-provided information that the auditor uses as audit 
evidence, including information that the company received from 
external sources).
---------------------------------------------------------------------------

    Conversely, when performing other substantive procedures under this 
provision, it would not satisfy the requirements of the new standard to 
use or rely solely on the company's internally produced information. 
For example, an audit procedure that involves an automated matching 
analysis of a company's revenue, accounts receivable, and cash journal 
entries recorded by the company would be insufficient on its own 
because such an analysis only involves the company's internally 
produced information. On the other hand, when such internally produced 
information is evaluated in conjunction with external information that 
the company received from a knowledgeable external source, such as 
checks that the company received directly from customers or information 
on subsequent cash receipts that the company received from a financial 
institution, the procedures would involve audit evidence from a 
knowledgeable external source.
    Under existing PCAOB standards, the quantity of audit evidence 
needed is affected by its quality, including its reliability, and in 
general evidence obtained directly by the auditor is more reliable than 
evidence obtained indirectly. This applies to all information 
(including external information) used by the auditor in arriving at the 
conclusions on which the auditor's opinion is based. For example, as 
the quality of the evidence increases, the need for additional 
corroborating evidence decreases. The auditor should be mindful of 
these requirements when determining an appropriate audit response to a 
risk of material misstatement that involves obtaining external 
information indirectly under the new standard.
    Further, when performing audit procedures that involve obtaining 
external information, the auditor should be mindful of other relevant 
PCAOB standards that address the documentation of the procedures 
performed and the relevance and reliability of the audit evidence 
obtained.\62\ Audit documentation must clearly demonstrate the work 
performed by the auditor. In addition, the reliability of that audit 
evidence depends on the nature and source of the evidence and the 
circumstances under which it is obtained.
---------------------------------------------------------------------------

    \62\ See e.g., AS 1215.05-.06 and AS 1105.07-.08.
---------------------------------------------------------------------------

Communicating With the Audit Committee About the Auditor's Response to 
Significant Risks for Cash and Accounts Receivable
    The 2022 Proposal included a requirement for the auditor to 
communicate to the audit committee \63\ instances where the auditor had 
determined that the presumption to confirm accounts receivable had been 
overcome. In proposing that requirement, the Board considered the long-
standing practice by auditors in the United States to confirm accounts 
receivable, and noted that a communication requirement when the 
presumption to confirm is overcome could enhance the audit committee's 
understanding of the auditor's strategy. In this regard, existing 
standards require the auditor to communicate to the audit committee 
about the auditor's overall audit strategy, significant risks 
identified during risk assessment procedures, significant changes to 
the planned audit strategy, and significant difficulties encountered 
during the audit.\64\ Existing AS 2310 does not have a requirement to 
communicate to the audit committee about overcoming the presumption to 
confirm accounts receivable.
---------------------------------------------------------------------------

    \63\ The term ``audit committee,'' as used in the new standard, 
has the same meaning as defined in Appendix A of AS 1301, 
Communications with Audit Committees.
    \64\ See AS 1301.09, .11, .23.
---------------------------------------------------------------------------

    The new standard contains a requirement for the auditor to 
communicate with the audit committee about the auditor's response to 
significant risks associated with cash or accounts receivable when the 
auditor did not perform confirmation procedures or otherwise obtain 
audit evidence by directly accessing information maintained by a 
knowledgeable external source.
    Several commenters, primarily investor-related groups, supported 
the proposed requirement in the 2022 Proposal that the auditor 
communicate to the audit committee when an auditor overcomes the 
presumption to confirm accounts receivable. One of the commenters 
referred to a statement in the 2022 Proposal that a requirement to 
communicate to the audit committee when overcoming the presumption to 
confirm accounts receivable ``may reinforce the auditor's obligation to 
exercise due professional care in making that determination.'' This 
commenter also noted that overcoming the presumption could result in a 
critical audit matter under AS 3101, The Auditor's Report on an Audit 
of

[[Page 71707]]

Financial Statements When the Auditor Expresses an Unqualified 
Opinion.\65\
---------------------------------------------------------------------------

    \65\ A critical audit matter is defined in AS 3101.A2 as ``[a]ny 
matter arising from the audit of the financial statements that was 
communicated or required to be communicated to the audit committee 
and that: (1) relates to accounts or disclosures that are material 
to the financial statements and (2) involved especially challenging, 
subjective, or complex auditor judgment.''
---------------------------------------------------------------------------

    Many commenters on this aspect of the 2022 Proposal, primarily 
firms and firm-related groups, disagreed with a specific requirement to 
communicate with the audit committee on this matter. These commenters 
asserted that such a requirement did not align with principles in AS 
1301 to communicate with the audit committee about significant risks, 
including audit matters arising from the audit that are significant to 
the oversight of the company's financial reporting process. A number of 
these commenters also noted that, if there were a significant risk in 
accounts receivable or associated with a critical audit matter, the 
auditor would already be required to communicate these matters under AS 
1301. Several other commenters indicated that they did not object to a 
more targeted requirement to communicate with the audit committee about 
overcoming the presumption to confirm when accounts receivable was 
assessed as a significant risk.
    In addition, several commenters asserted that a requirement to 
communicate to the audit committee about overcoming the presumption to 
confirm would not improve audit quality, and could be detrimental if 
this communication became a compliance exercise for auditors, 
detracting them from performing effective audit procedures. A few 
commenters also stated there would not be a benefit to audit quality if 
the Board were to mandate that auditors treat instances of overcoming 
the presumption to confirm as a critical audit matter.
    The 2022 Proposal stated that there may be some expectation by 
audit committees that the auditor would use confirmation as part of a 
planned audit response. One commenter encouraged the Board to perform 
outreach with audit committees to understand whether this expectation 
was, in fact, widespread and whether the proposed communication 
requirement would be relevant and meaningful.
    Having considered the comments received, the Board does not believe 
it is necessary to require the auditor to inform the audit committee in 
every instance where the auditor performed substantive audit procedures 
other than confirmation to address the risk of material misstatement of 
cash or accounts receivable. However, the Board believes the auditor 
should inform the audit committee when the auditor did not perform 
confirmation procedures or otherwise obtain audit evidence by directly 
accessing information maintained by a knowledgeable external source 
when responding to significant risks associated with either cash or 
accounts receivable.
    This targeted requirement is consistent with the views expressed by 
several commenters, as discussed above. It is also consistent with the 
existing obligation of auditors under PCAOB standards to communicate to 
the audit committee an overview of the overall audit strategy and to 
discuss with the audit committee the significant risks of material 
misstatement identified during the auditor's risk assessment 
procedures.\66\ In addition, as with other matters arising from the 
audit of financial statements and communicated or required to be 
communicated to the audit committee, the auditor is required to 
determine whether these matters are critical audit matters in 
accordance with AS 3101.\67\
---------------------------------------------------------------------------

    \66\ See AS 1301.09.
    \67\ See AS 3101.11-.12.
---------------------------------------------------------------------------

Confirming Terms of Certain Transactions
    The 2022 Proposal provided that, for significant risks of material 
misstatement associated with either a complex transaction or a 
significant unusual transaction, the auditor should consider confirming 
terms of the transaction with the counterparty to the transaction. This 
provision updates a requirement in existing AS 2310.08 that the auditor 
should consider confirming the terms of certain transactions that are 
associated with high levels of risk. The 2022 Proposal used the 
terminology ``significant risk'' and ``significant unusual 
transactions,'' but the provision was intended to be similar to that in 
existing AS 2310.
    The Board adopted the proposed requirements to consider confirming 
terms of certain transactions, with certain modifications discussed 
below.
    Several commenters noted that the provision in the 2022 Proposal 
was sufficiently clear and appropriate. Other commenters suggested 
various modifications to the provision that they asserted would improve 
its clarity, such as elaborating on the meaning of the term ``complex 
transaction'' and stating that the provision applies when the 
assertions related to the significant risk of material misstatement can 
be adequately addressed through confirmation. Several commenters 
indicated that other audit procedures, not including confirmation, may 
adequately address an assessed significant risk over the existence 
assertion, such as obtaining and reviewing an original executed 
contract and verifying the execution of its terms over a period of 
time.
    To provide additional clarity, the new standard provides that the 
auditor should consider confirming those terms of a complex transaction 
or significant unusual transaction that are associated with a 
significant risk of material misstatement, including a fraud risk. 
Under the new standard, examples of such terms may include terms 
relating to (i) oral side agreements, or undisclosed written or oral 
side agreements, where the auditor has reason to believe that such 
agreements exist, (ii) bill and hold sales, and (iii) supplier 
discounts or concessions. When such arrangements or agreements are part 
of a complex transaction or significant unusual transaction identified 
by the auditor, there may be a heightened risk that the transaction has 
been entered into to engage in fraudulent financial reporting or 
conceal misappropriation of assets. Likewise, a complex transaction or 
a significant unusual transaction could have a heightened risk of error 
whereby confirmation could lead to identification of an additional term 
that, under an accounting standard, might have accounting implications 
not previously recognized by either the company or the auditor. 
Accordingly, the auditor's confirmation of terms related to such 
arrangements or agreements may assist the auditor in evaluating the 
business purpose, or lack thereof, of the transaction.\68\ These 
examples are not intended to be an exhaustive list. An auditor may 
identify other terms to confirm relating to a complex transaction or a 
significant unusual transaction if the auditor decides that 
confirmation could result in obtaining relevant and reliable audit 
evidence about that transaction.
---------------------------------------------------------------------------

    \68\ See AS 2401.67.
---------------------------------------------------------------------------

    One investor-related group recommended that the provision in the 
2022 Proposal addressing the terms of complex transactions and 
significant unusual transactions should be mandatory and read 
``should'' instead of ``should consider.'' In contrast, other 
commenters asserted that the provision was unduly prescriptive. Several 
commenters recommended that the Board change the phrase ``should 
consider'' to ``may consider'' to allow for more auditor judgment in

[[Page 71708]]

determining the audit procedures to perform to address significant 
unusual transactions or other complex transactions. The Board believes 
that the provision stating that the auditor ``should consider'' 
confirming terms of complex transactions or significant unusual 
transactions associated with a significant risk of material 
misstatement is sufficiently risk-based for the auditor to have 
flexibility in selecting the audit procedures that are best suited to 
address significant risks of material misstatement, depending on the 
facts and circumstances of individual transactions.
    Another commenter suggested that the Board place additional 
emphasis on the auditor having a heightened degree of professional 
skepticism, similar to a provision in existing AS 2310.27, and that 
doing so would allow auditors to make appropriate judgments in 
determining whether facts and circumstances indicate that confirmation 
procedures may not produce sufficient appropriate evidence to address 
the assessed risks. The Board did not include additional language in 
the new standard about the auditor's potential need to exercise a 
heightened degree of professional skepticism related to confirmation 
because the auditor's obligation to apply professional skepticism is 
relevant to all aspects of the audit.\69\
---------------------------------------------------------------------------

    \69\ See AS 1015.07.
---------------------------------------------------------------------------

Performing Alternative Procedures for Selected Items
    (See paragraphs .C1-.C2 of the new standard).
    The 2022 Proposal provided that the auditor should perform 
alternative procedures in certain scenarios involving identifying 
confirming parties or evaluating the reliability of confirmation 
responses, as well as in scenarios involving nonresponses and 
incomplete responses.\70\ This range of scenarios was broader than 
under existing AS 2310, which provides that, with certain exceptions, 
the auditor should apply alternative procedures where the auditor has 
not received replies to positive confirmation requests. In addition, 
existing AS 2310 provides examples of alternative procedures, and 
requires the auditor to evaluate the combined evidence provided by 
confirmation and any alternative procedures and send additional 
confirmation requests or perform other audit tests, as needed, to 
obtain sufficient appropriate audit evidence.
---------------------------------------------------------------------------

    \70\ See paragraphs .20 (inability to identify a confirming 
party), .26 (unreliable response), and .30 (nonresponse or 
incomplete response) of the proposed standard.
---------------------------------------------------------------------------

    The 2022 Proposal provided examples of alternative procedures that 
may provide relevant and reliable audit evidence regarding accounts 
receivable, accounts payable, and the terms of a transaction or 
agreement. These provisions expanded upon the examples of alternative 
procedures discussed in existing AS 2310.
    The 2022 Proposal did not specify whether performing alternative 
procedures for the items the auditor was unable to confirm, alone or in 
combination with other audit procedures, is necessary to obtain 
sufficient appropriate audit evidence. Under the 2022 Proposal, the 
auditor would make that determination based on the facts and 
circumstances of the audit. Further, an auditor might determine that, 
without obtaining a reliable confirmation response, the auditor is 
unable to obtain sufficient appropriate audit evidence for a relevant 
assertion through performing alternative procedures for the items the 
auditor could not confirm, other audit procedures, or both (e.g., if 
the auditor observes conditions during the confirmation process that 
indicate a heightened fraud risk). In such scenarios, the 2022 Proposal 
provided that the auditor would consider the impact on the audit 
opinion in accordance with AS 3105.
    The 2022 Proposal also provided that performing alternative 
procedures may not be necessary where items selected for confirmation 
for which the auditor was not able to complete audit procedures would 
not--if misstated--change the outcome of the auditor's evaluation of 
the effect of uncorrected misstatements performed in accordance with AS 
2810.17.\71\ For example, following the direction in AS 2810.17, under 
the 2022 Proposal an auditor may have determined that an item that the 
auditor was unable to confirm would not be material individually or in 
combination with other misstatements. In such situations, the auditor 
would not have been required to perform alternative procedures.\72\ 
Existing AS 2310 includes an analogous exception.
---------------------------------------------------------------------------

    \71\ The auditor's evaluation of materiality under AS 2810.17 
takes into account both relevant quantitative and qualitative 
factors.
    \72\ In certain circumstances, auditors may have obligations 
independent of the Board's auditing standards to perform either 
confirmation procedures or other auditing procedures. See, e.g., 
Section 30(g) of the Investment Company Act of 1940, 15 U.S.C. 80a-
29(g) (providing that the auditor's report on the financial 
statements of a registered investment company ``shall state that 
such independent public accountants have verified securities owned, 
either by actual examination, or by receipt of a certificate from 
the custodian, as the Commission may prescribe by rules and 
regulations'').
---------------------------------------------------------------------------

    The Board adopted the requirements substantially as proposed, with 
certain modifications discussed below.
    In the 2022 Proposal, the additional discussion of alternative 
procedures appeared in the main body of the proposed standard 
(paragraph .31). To enhance the readability of these provisions and 
facilitate their implementation, the Board has relocated them to 
Appendix C, which includes one paragraph that describes when performing 
other audit procedures may be necessary (paragraph .C1) and a second 
paragraph that provides further direction as to when alternative 
procedures are required under the new standard and includes examples of 
alternative procedures (paragraph .C2).
    In addition, to remind auditors that the auditor's assessment of 
risks of material misstatement, including fraud risks, should continue 
throughout the audit, including the confirmation process, paragraph .C1 
of the new standard states that, when the auditor is unable to obtain 
relevant and reliable audit evidence about the selected item through 
confirmation, the auditor should evaluate the implications for the 
auditor's assessment of the relevant risks of material misstatement, 
including fraud risks.
    Several commenters indicated that the circumstances in the 2022 
Proposal under which the auditor generally would be required to perform 
alternative procedures were sufficiently clear and appropriate. 
However, multiple commenters suggested that the Board include an 
example of an alternative procedure for cash. In consideration of these 
comments, the Board has incorporated an example of an alternative 
procedure that may provide relevant and reliable audit evidence 
regarding cash, which involves the auditor verifying information about 
the company's cash account maintained in a financial institution's 
information system by viewing this information directly on a secure 
website of the financial institution. In this example, the auditor 
might verify such information by determining the validity of the 
financial institution's website and viewing the information directly on 
the secure website. The information viewed by the auditor could be 
accessed either by the auditor, using login credentials provided by the 
company, or by company personnel. This additional example is intended 
to address some commenters' misperception that the 2022 Proposal would 
not allow the

[[Page 71709]]

auditor to perform alternative procedures in the event that a positive 
confirmation request related to cash does not result in a confirmation 
response.
    Several commenters asserted that the note in the 2022 Proposal 
identifying situations where alternative procedures may not be 
necessary was not clear, with one commenter indicating that the 
analogous exception in existing AS 2310 was clearer because it 
addressed audit sampling. In consideration of these comments, the Board 
has revised the note to paragraph .C2 of the new standard to clarify 
how the exception from performing alternative procedures for selected 
items should be applied and revised the footnote in the paragraph to 
further explain how the exception is applied in scenarios involving 
audit sampling.
    The following example further illustrates applying this provision 
in an audit: An auditor selects a sample of 50 accounts receivable 
invoices for confirmation and receives confirmation responses for 45 
invoices that do not indicate a need for the auditor to perform 
alternative procedures. For two nonresponses, the auditor performs 
alternative procedures and obtains relevant and reliable audit evidence 
identifying no misstatements. For the three remaining nonresponses, the 
auditor does not perform alternative procedures because the auditor 
appropriately determines that, even if the amounts associated with the 
invoices were projected as 100 percent misstatements to the population 
from which the sample was selected and added to any other accounts 
receivable misstatements (i.e., accounts receivable misstatements 
identified through audit procedures other than confirmation), the 
outcome of the auditor's evaluation performed in accordance with AS 
2810.17 would not change.
    Another commenter recommended that, for nonresponses, the Board 
require that the auditor ``must'' perform alternative procedures that 
include examining third-party evidence. This commenter also suggested 
that the Board revise the example of alternative procedures for 
accounts receivable by removing the phrase ``one or more,'' such that 
the auditor would perform all of the procedures identified in the 
example (i.e., examining subsequent cash receipts, shipping documents, 
and other supporting documentation).
    Having considered these comments, the Board believes that, with the 
modifications discussed above, the requirements in paragraph .C1 of the 
new standard provide appropriate direction regarding when alternative 
procedures are required. Additionally, the Board believes that 
including examples in paragraph .C2 of alternative procedures that may 
provide relevant and reliable audit evidence about selected items, 
without mandating specific procedures, is appropriate, as it is 
impracticable to describe specific procedures for all scenarios that 
could occur in an audit.
    Additionally, as discussed above, the Board has modified paragraph 
.B2 of the new standard to provide that in circumstances where the 
auditor should not use an intermediary to send confirmation requests or 
receive confirmation responses, the auditor should send confirmation 
requests without the use of an intermediary or, if unable to do so, 
perform alternative procedures in accordance with Appendix C of the new 
standard. In light of this modification, the Board has added a 
reference to paragraph .B2 to Appendix C of the new standard.
Evaluating Results
    (See paragraph .31 of the new standard).
    The 2022 Proposal did not carry forward a requirement, included in 
existing AS 2310, for the auditor to evaluate in the aggregate audit 
evidence obtained from performing confirmation procedures and any 
alternative procedures. Excluding this requirement from the 2022 
Proposal was intended to avoid the duplication of certain requirements 
of AS 2810 that discuss the auditor's responsibilities for evaluating 
audit results and determining whether the auditor has obtained 
sufficient appropriate audit evidence.
    As discussed above, however, paragraph .24 of the new standard 
allows the auditor to perform audit procedures other than confirmation 
for cash and accounts receivable to obtain relevant and reliable audit 
evidence by directly accessing information maintained by a 
knowledgeable external source. The Board therefore decided to remind 
the auditor in paragraph .31 of the new standard that the auditor 
should evaluate the combined audit evidence provided by confirmation 
procedures, alternative procedures, and other procedures to determine 
whether sufficient appropriate audit evidence has been obtained in 
accordance with AS 2810.
Other Matters
    This section addresses certain additional matters that were also 
discussed in the 2022 Proposal. In addition, this section discusses 
definitions included in the new standard and related amendments to 
PCAOB auditing standards.
Management Requests Not To Confirm
    Consistent with existing AS 2310, the 2022 Proposal did not 
address, nor does the new standard address, situations in which 
management requests that the auditor not confirm one or more items.
    Several commenters agreed with the approach in the 2022 Proposal 
and indicated that auditor responsibilities in such situations are 
already addressed by existing PCAOB standards. One commenter suggested 
that the Board consider adding a requirement that, if management 
requests an auditor not to confirm a certain item, the auditor should 
both request management to indicate the reason for the request and, as 
appropriate, consider whether the request is indicative of a risk of 
material misstatement. Another commenter agreed that the potential 
scope limitation or fraud risk from a management request not to confirm 
is addressed in other PCAOB standards, but expressed the view that 
including guidance in the new standard unique to confirmation would be 
appropriate. A different commenter did not suggest changes to the 
Board's approach, but observed that management requests not to confirm 
are primarily relevant in the financial services industry and that it 
had experienced infrequent management requests not to confirm in other 
industries.
    Having considered the comments received, the Board believes that 
existing PCAOB standards appropriately address situations involving 
management requests not to confirm. In particular, AS 1301 requires 
that the auditor communicate to the audit committee disagreements with 
management \73\ and difficulties encountered in performing the audit, 
including unreasonable management restrictions encountered by the 
auditor on the conduct of the audit (e.g., an unreasonable restriction 
on confirming transactions or balances).\74\ AS 3105 also sets forth 
requirements regarding limitations on the scope of an audit,\75\ 
including scope limitations relating to confirmation.\76\
---------------------------------------------------------------------------

    \73\ See AS 1301.22.
    \74\ See AS 1301.23.
    \75\ See AS 3105.05-.17.
    \76\ See AS 3105.07.
---------------------------------------------------------------------------

    Further, AS 2110 and AS 2401 describe the auditor's 
responsibilities regarding identifying, assessing, and responding to 
fraud risks. For example, AS 2401.09 states that fraud may be concealed 
by withholding evidence. A management request to limit audit

[[Page 71710]]

testing by not obtaining external audit evidence through confirmation 
could be relevant to the auditor's consideration of fraud risk factors, 
including the consideration of management incentives, opportunities, 
and rationalization for perpetrating fraud. Considering the 
applicability of existing provisions to situations involving management 
requests not to confirm, as discussed above, the Board believes that 
including analogous requirements in the new standard could lead to 
unnecessary duplication of existing requirements and potential 
confusion.
Restrictions and Disclaimers
    The requirements in the proposed standard relating to the auditor's 
evaluation of the reliability of confirmation responses included a 
reminder, in the form of a footnote, of the auditor's responsibilities 
under AS 1105 as they relate to restrictions and disclaimers. A similar 
reminder does not exist in existing AS 2310.
    The Board is including this reference to AS 1105.08 as proposed, in 
a footnote to paragraph .18 of the new standard. No comments were 
received on this aspect of the 2022 Proposal. In accordance with AS 
1105.08, the auditor should evaluate the effect of restrictions, 
limitations, or disclaimers in confirmation responses on the 
reliability of audit evidence.\77\
---------------------------------------------------------------------------

    \77\ See AS 1105.08.
---------------------------------------------------------------------------

Direct Access
    The 2022 Proposal did not describe direct access as a confirmation 
procedure. Existing AS 2310 currently does not address such a 
procedure, but the 2010 Proposal had provided that direct access could 
be considered a confirmation procedure in certain circumstances.
    A few commenters on the 2022 Proposal either agreed with, or 
indicated that they did not object to, the Board's stated position that 
direct access does not constitute a confirmation procedure. However, 
several firms and firm-related groups stated that, when properly 
executed, audit evidence obtained by the auditor through direct access 
can provide persuasive evidence about the existence of cash. One 
commenter recommended that the PCAOB consider aligning with the AICPA's 
position on this matter by acknowledging that the auditor's direct 
access to information held by a confirming party may meet the 
definition of a confirmation procedure when, for example, the 
confirming party provides the auditor with the electronic access codes 
or other information necessary to access a secure website where data 
that addresses the subject matter of the confirmation is held.
    Having considered these comments, the Board adopted the new 
standard as proposed in relation to direct access.
    While direct access does not constitute a confirmation procedure 
under the new standard, the new standard provides that the auditor may 
obtain relevant and reliable audit evidence by directly accessing 
information maintained by a knowledgeable external source, as discussed 
above.
Definitions
    To operationalize the requirements included in the 2022 Proposal, 
the proposal included definitions for ``confirmation exception,'' 
``confirmation process,'' ``confirmation request,'' ``confirmation 
response,'' ``confirming party,'' ``negative confirmation request,'' 
``nonresponse,'' and ``positive confirmation request.''
    The Board adopted the definitions as proposed, with certain 
modifications discussed below.
    Several commenters stated that, in general, the definitions in the 
2022 Proposal were sufficiently clear and appropriate. Other commenters 
either did not provide comments on the proposed definitions or 
suggested certain modifications, as discussed below.
    Some commenters stated that the Board should modify the proposed 
definition of ``nonresponse'' to reflect that a nonresponse includes a 
situation where the auditor does not receive a confirmation response to 
a positive confirmation request directly from the intended confirming 
party. Having considered this comment, the Board is aligning the 
definition of ``nonresponse'' with the definition of ``confirmation 
response'' and the requirements of paragraph .16 of the new standard. 
This modification clarifies that a confirmation response that is not 
received directly from the confirming party would constitute a 
nonresponse. The Board has also modified the definition of ``negative 
confirmation request'' to use the defined term ``confirmation request'' 
rather than ``request.''
    One commenter proposed modifications to the definitions of 
``confirmation exception'' and ``confirmation process'' to specify that 
(i) sending a confirmation request may include transmitting the request 
in electronic form and (ii) only differences between a confirmation 
response and information the auditor obtained from the company that the 
auditor had originally sought to confirm constitute a confirmation 
exception. Having considered the comment, the Board notes that the 
proposed definition of ``confirmation process'' intentionally did not 
prescribe the method or methods by which confirmation requests can be 
sent and by which confirmation responses can be received, as the 
standard is intended to apply to all methods of sending and receiving 
confirmation requests and responses. Further, the Board believes that 
any instance where information in a confirmation response differs from 
information the auditor obtained from the company, even if the 
information in the confirmation response was not information that the 
auditor originally sought to confirm, should constitute a confirmation 
exception. Accordingly, the Board adopted the definition of 
``confirmation exception'' as proposed and adopted the definition of 
``confirmation process'' as proposed, with one modification to include 
``selecting one or more items to be confirmed'' in the definition to 
align with the requirements specifically related to the confirmation 
process in the new standard.
    The 2022 Proposal also indicated that an oral response to a 
confirmation request was a nonresponse. One commenter stated that a 
video recording of a call between an auditor and an individual at a 
confirming party ought not be considered less reliable audit evidence 
than a written response from an organization. Another commenter 
suggested that the PCAOB define the term ``confirmation'' because the 
2022 Proposal stated that an oral response was a nonresponse but did 
not provide guidance as to whether other forms of response would be 
evidence of confirmation.
    As the Board continues to believe that obtaining direct written 
communication, in paper or electronic form, from a confirming party is 
necessary for a response to constitute a confirmation response, the 
Board has not made further modifications to the definition in the new 
standard beyond those described above. Accordingly, a video recording 
of a call between an auditor and an individual at a confirming party or 
an oral response would constitute nonresponses under the new standard, 
although the auditor could still consider the relevance and reliability 
of the audit evidence provided by a video recording or an oral response 
when determining the nature and extent of alternative procedures 
required to be performed under the new standard.

[[Page 71711]]

Amendments to Related PCAOB Auditing Standards
    The Board adopted amendments to several existing PCAOB auditing 
standards to align with the new standard.
Amendments to AS 1105
    (See paragraph .18 of AS 1105, as amended).
    The 2022 Proposal included proposed amendments to AS 1105 to (i) 
align the description of a ``confirmation response'' in AS 1105 with 
the definition of the same term included in the 2022 Proposal and (ii) 
clarify that the terms ``confirmation response,'' ``confirmation 
request,'' and ``confirming party,'' as used in AS 1105, have the same 
meaning as defined in Appendix A of the 2022 Proposal.
    The Board adopted the amendments as proposed.
    Existing AS 1105.18 states that ``[a] confirmation response 
represents a particular form of audit evidence obtained by the auditor 
from a third party in accordance with PCAOB standards.'' The 2022 
Proposal used the defined term ``confirming party'' in lieu of ``third 
party.'' One commenter suggested retaining the phrase ``third party'' 
in AS 1105.18 to provide further clarity. The Board is not using this 
term because the new standard describes a confirming party as ``a third 
party, whether an individual or an organization, to which the auditor 
sends a confirmation request,'' thus making it clear that a confirming 
party is a third party.
    Another commenter suggested that the Board strike the word 
``independent'' from AS 1105.08, which states that ``[e]vidence 
obtained from a knowledgeable source that is independent of the company 
is more reliable than evidence obtained only from internal company 
sources.'' This commenter asserted that, although confirmation evidence 
may be more reliable, it is not truly ``independent.'' The Board is not 
striking the word ``independent'' from AS 1105.08 as it believes the 
concept expressed in AS 1105.08 is well understood by auditors and does 
not purport to be a definitive statement about the ``independence'' of 
evidence from a confirming party.
Amendments to AS 1301
    (See Appendix B to AS 1301, as amended).
    The 2022 Proposal included a proposed requirement for the auditor 
to communicate to the audit committee instances in which the auditor 
has determined that the presumption to confirm accounts receivable has 
been overcome and the basis for the auditor's determination. The 2022 
Proposal included a conforming amendment to AS 1301 that would refer to 
the proposed requirement.
    The Board adopted the conforming amendment to AS 1301 that refers 
to the audit committee communication requirement contained in the new 
standard. The required communication with the audit committee about the 
auditor's response to significant risks associated with cash or 
accounts receivable when the auditor did not perform confirmation 
procedures or otherwise obtain audit evidence by directly accessing 
information maintained by a knowledgeable external source is discussed 
above.
Amendments to AS 2401
    (See paragraphs .54 and .66A of AS 2401, as amended).
    The 2022 Proposal included a proposed amendment to AS 2401 to refer 
to the title of the confirmation standard as proposed in the 2022 
Proposal (i.e., ``The Auditor's Use of Confirmation'').
    The Board adopted the amendment as proposed and adopted an 
additional conforming amendment to AS 2401, as discussed below.
    One commenter suggested that the Board consider a conforming 
amendment to AS 2401 to acknowledge a requirement in proposed paragraph 
.15 to consider confirming terms of the transaction for significant 
risks of material misstatement associated with either a complex 
transaction or significant unusual transaction. Having considered the 
comment, the Board adopted a conforming amendment to the note to AS 
2401.66A to remind the auditor of the requirement in paragraph .30 of 
the new standard that for significant risks of material misstatement 
associated with either a complex transaction or a significant unusual 
transaction, the auditor should consider confirming those terms of the 
transaction that are associated with a significant risk of material 
misstatement, including a fraud risk.
Amendments to AS 2510
    (See paragraph .14 of AS 2510, as amended).
    AS 2510.14 includes a statement that ``if inventories are in the 
hands of public warehouses or other outside custodians, the auditor 
ordinarily would obtain direct confirmation in writing from the 
custodian.'' The 2022 Proposal included a proposed amendment to AS 2510 
to remind auditors that AS 2310 establishes requirements for the 
auditor's use of confirmation.
    The Board adopted the amendment as proposed.
    One commenter stated that the Board should address the confirmation 
of inventory in the new standard instead of making conforming 
amendments to AS 2510. The Board continues to believe that including 
requirements related to inventory in a single standard is appropriate. 
However, the Board acknowledges that AS 2510.14 includes two 
requirements related to the confirmation of inventory. First, AS 
2510.14 provides that ``[i]f inventories are in the hands of public 
warehouses or other outside custodians, the auditor ordinarily would 
obtain direct confirmation in writing from the custodian.'' Second, AS 
2510.14 further states that the auditor should perform one or more of 
four additional procedures, as considered necessary by the auditor, if 
such inventories represent a significant proportion of current or total 
assets. One such procedure is to confirm pertinent details of pledged 
receipts with lenders (on a test basis, if appropriate), if warehouse 
receipts have been pledged as collateral. The Board has added a cross-
reference to AS 2510 in footnote 4 of the new standard to clarify that 
AS 2510 also includes auditor responsibilities relevant to the 
auditor's use of confirmation.
Amendments to AS 2605
    (See paragraphs .22 and .27 of AS 2605, as amended).
    AS 2605.22 includes a statement that ``for certain assertions 
related to less material financial statement amounts where the risk of 
material misstatement or the degree of subjectivity in the valuation of 
the audit evidence is low, the auditor may decide, after considering 
the circumstances and the results of work (either test of controls or 
substantive tests) performed by internal auditors on those particular 
assertions, the audit risk has been reduced to an acceptable level and 
that testing of the assertions directly by the auditor may not be 
necessary.'' The paragraph then includes assertions about the existence 
of cash, prepaid assets, and fixed-asset additions as examples of 
assertions that might have a low risk of material misstatement or 
involve a low degree of subjectivity in the evaluation of audit 
evidence.
    The 2022 Proposal included a proposed amendment to strike the word 
``cash'' from AS 2605.22 to avoid confusion, as the 2022 Proposal 
required the auditor to perform

[[Page 71712]]

confirmation procedures in respect of cash.
    In addition, the 2022 Proposal included a proposed amendment to 
acknowledge in paragraph .27 of AS 2605, which discusses using internal 
auditors to provide direct assistance to the auditor, the proposed 
restrictions on the use of internal audit in a direct assistance 
capacity in the confirmation process.
    The Board adopted the amendments substantially as proposed, with 
certain modifications discussed below.
    One commenter indicated that the proposed amendment to AS 2605.22 
(i.e., striking the word ``cash'' from the list of accounts that might 
have a low risk of material misstatement), inappropriately assumed that 
there is always a heightened risk of fraud related to cash accounts in 
all audit engagements. Having considered the comment, the Board notes 
that neither the 2022 Proposal nor the new standard suggests that there 
is heightened risk of fraud associated with cash in every engagement. 
However, the Board believes that where an auditor identifies a risk of 
material misstatement for cash (i.e., where cash is a significant 
account) it is necessary for the auditor to perform confirmation 
procedures or otherwise obtain relevant and reliable audit evidence by 
directly accessing information maintained by a knowledgeable external 
source in respect of cash. Accordingly, the Board continues to believe 
that the conforming amendment to AS 2605.22 is appropriate.
    Another commenter indicated that the proposed amendment to AS 
2605.27 would not be necessary should the Board adopt the commenter's 
other recommendation to remove the proposed restrictions regarding the 
use of internal audit in the new standard. As discussed above, the 
Board continues to believe that in order to maintain control over the 
confirmation process the auditor should select items to be confirmed, 
send confirmation requests, and receive confirmation responses. The 
Board modified the conforming amendments to AS 2605.27, however, to 
align with paragraph .15 of the new standard.
Effective Date
    The Board determined that the amendments will take effect, subject 
to approval by the SEC, for audits of financial statements for fiscal 
years ending on or after June 15, 2025.
    As part of the 2022 Proposal, the Board sought comment on the 
amount of time auditors would need before the proposed standard and 
related amendments would become effective, if adopted by the Board and 
approved by the SEC. Many commenters, primarily firms and firm-related 
groups, supported an effective date of no earlier than two years after 
SEC approval, which some commenters indicated would give firms the 
necessary time to update firm methodologies and to develop and 
implement training. Additionally, as part of recommending an effective 
date no earlier than two years after SEC approval, a number of 
commenters observed that confirmation procedures are often performed as 
part of interim procedures and that, as a result, the new standard will 
impact engagement teams during the period under audit. Some commenters 
also stated that intermediaries involved in the confirmation process 
may also need to update their processes and controls as a result of the 
new standard. One commenter supported an effective date three years 
after SEC approval, while citing reasons similar to those expressed by 
commenters who supported an effective date of no earlier than two years 
after SEC approval.
    The Board recognizes the preferences expressed by commenters. 
Nonetheless, having considered the requirements of the new standard, as 
well as the extent of differences between the new standard and AS 2310 
and our understanding of firms' current practices, the Board believes 
that the effective date for fiscal years ending on or after June 15, 
2025, will provide auditors with a reasonable period of time to 
implement the new standard and related amendments, without unduly 
delaying the intended benefits resulting from these improvements to 
PCAOB standards, and is consistent with the Board's mission to protect 
investors and protect the public interest.

D. Economic Considerations and Application to Audits of Emerging Growth 
Companies

    The Board is mindful of the economic impacts of its standard 
setting. This section describes the economic baseline, need, and 
expected economic impacts of the new standard, as well as alternative 
approaches considered by the Board. Because there are limited data and 
research findings available to estimate quantitatively the economic 
impacts of the new standard, the economic analysis is largely 
qualitative in nature.
Baseline
    Important components of the baseline against which the economic 
impact of the new standard can be considered are described above, 
including the Board's existing standard governing the audit 
confirmation process, firms' current practices when performing 
confirmation procedures, and observations from the Board's inspections 
program and enforcement cases. The Board discusses below two additional 
components that inform its understanding of the economic baseline: (i) 
the PCAOB staff's analysis of audit firm methodologies and the use of 
technology-based tools in the confirmation process, and (ii) a summary 
of academic and other literature on the confirmation process.
Auditing Practices Related to the Confirmation Process
    Through its inspection and other oversight activities, the PCAOB 
has access to sources of information that help inform its understanding 
of how firms currently engage in the confirmation process. As part of 
this standard-setting project, the PCAOB staff has reviewed a selection 
of firms' audit methodologies, as well as other information about 
firms' use of technology-based tools when performing confirmation 
procedures. While this information is not a random sample that can be 
extrapolated accurately across all registered public accounting firms, 
the Board is able to make some general inferences that help inform 
development of the economic baseline.
PCAOB Staff Analysis of Audit Methodologies
    PCAOB staff has reviewed the methodologies of selected registered 
public accounting firms to determine how they currently address the 
confirmation process and the extent to which changes to those 
methodologies will be necessary to implement the new standard. 
Specifically, the staff compared methodologies of selected global 
network firms (``GNFs'') \78\ and some methodologies commonly used by 
U.S. non-affiliate firms (``NAFs''),\79\ which are smaller than GNFs, 
to existing AS 2310 as well as to the new standard. The review focused 
on the following aspects of the new standard which represent more 
notable changes relative to existing AS 2310:
---------------------------------------------------------------------------

    \78\ GNFs are the member firms of the six global accounting firm 
networks (BDO International Ltd., Deloitte Touche Tohmatsu Ltd., 
Ernst & Young Global Ltd., Grant Thornton International Ltd., KPMG 
International Ltd., and PricewaterhouseCoopers International Ltd.).
    \79\ NAFs are both U.S. and non-U.S. accounting firms registered 
with the Board that are not GNFs. Some of the NAFs belong to 
international networks.
---------------------------------------------------------------------------

     Substantive procedures for confirming cash and cash 
equivalents (paragraphs .24, .26, and .29);

[[Page 71713]]

     Substantive procedures for confirming accounts receivable 
(paragraphs .24-.25 and .27);
     The auditor's use of negative confirmation requests 
(paragraphs .12-.13);
     Maintaining control over the confirmation process, 
including when an intermediary is used (paragraphs .14-.17 and 
.Appendix B); and
     Other areas addressed in the new standard, including the 
evaluation of the reliability of confirmation responses (paragraphs 
.18-.19), and the performance of alternative procedures (Appendix C).
    For the GNF methodologies reviewed, PCAOB staff observed that the 
methodologies generally reflect requirements in existing AS 2310 and 
other auditing standards on external confirmation, such as ISA 505 and 
AU-C 505. In addition, some of the methodologies already incorporate 
certain concepts included in the new standard, although revisions to 
the methodologies will nonetheless be needed to implement the new 
standard.
    Specifically, some GNF methodologies, but not all, include 
requirements for confirmation of cash and cash equivalents held by 
third parties similar to the new requirements described in the new 
standard. Other GNF methodologies suggest, but do not require, that 
engagement teams consider specific confirmation procedures for cash and 
cash equivalents held by third parties. GNF methodologies for 
confirmation of accounts receivable are generally consistent with 
existing AS 2310. Some also include guidance that is similar in certain 
respects to the requirements in the new standard when the auditor is 
unable to obtain relevant and reliable audit evidence through 
confirmation procedures. With respect to negative confirmation 
requests, GNF methodologies acknowledge that negative confirmation 
requests provide less persuasive evidence than positive confirmation 
requests. However, some GNF methodologies still allow the use of 
negative confirmation requests as the sole substantive procedure under 
certain conditions.\80\
---------------------------------------------------------------------------

    \80\ See AS 2310.20 for these conditions.
---------------------------------------------------------------------------

    The PCAOB staff also observed that GNF methodologies generally 
include guidance on maintaining control over the confirmation process, 
using intermediaries to facilitate the electronic transmission of 
confirmation requests, and assessing controls at the intermediaries. 
The firms' guidance in this area focuses on the performance of audit 
procedures to ensure that the electronic confirmation process occurs in 
a secure and controlled environment and that confirmation responses 
received are reliable. For example, the methodologies of some firms 
provide that an auditor may obtain a SOC report that would assist the 
engagement team in assessing the design and operating effectiveness of 
the intermediary's controls that address the risk of interception and 
alteration of confirmation requests and responses. Finally, although 
current GNF methodologies include guidance on the other areas being 
modernized or clarified in the new standard, GNFs may be required to 
make certain modifications to their methodologies to conform to the new 
standard, such as whether to perform alternative procedures.
    For the NAF methodologies reviewed, the PCAOB staff observed that 
the methodologies generally align with existing AS 2310 across each of 
the areas studied, but include some guidance related to the new 
requirements in the new standard. For example, in some of the NAF 
methodologies, the confirmation of cash and cash equivalents held by 
third parties is a consideration but not a requirement. In other NAF 
methodologies, the confirmation of cash and cash equivalents held by 
third parties and negative confirmation requests are not discussed at 
all. NAF methodologies for confirmation of accounts receivable are 
generally consistent with existing AS 2310. Some include guidance that 
is similar in certain respects to the requirements described in the new 
standard when the auditor is unable to obtain relevant and reliable 
audit evidence through confirmation procedures.
    The NAF methodologies also generally include guidance on 
maintaining control, using intermediaries in the confirmation process, 
and assessing controls at the intermediaries. Similar to GNF 
methodologies, NAF guidance in this area focuses on the performance of 
audit procedures to ensure that the electronic confirmation process 
occurs in a secure and controlled environment and that confirmation 
responses received are reliable. For example, a firm's methodology may 
provide that an auditor may obtain a SOC report that would assist the 
engagement team in assessing the design and operating effectiveness of 
the intermediary's controls that address the risk of interception and 
alteration of confirmation requests and responses.
    Commenters on the 2022 Proposal did not provide additional 
information on firm methodologies beyond the staff's analysis. In 
general, the PCAOB staff's review indicates that all firms will likely 
need to revise their methodologies to some extent to implement the new 
standard. For example, all firms will need to update their 
methodologies to ensure that negative confirmation requests are not 
used as the sole source of audit evidence. NAF methodologies will 
likely require more revisions than the GNF methodologies, which have 
incorporated certain concepts included in the new standard.
Use of Technology-Based Tools
    The PCAOB staff has also reviewed information collected through 
PCAOB oversight activities on firms' use of technology-based tools in 
the confirmation process. The staff's review focused primarily on the 
use of technology-based tools by GNFs, but also encompassed certain 
technology-based tools used by some NAFs. In addition, the review 
encompassed information on both proprietary technology-based tools that 
firms have developed internally and third-party or ``off-the-shelf'' 
tools that firms purchase and use (in certain cases, with further 
customizations) to assist in performing confirmation procedures as part 
of the audit process. The staff found that the number of technology-
based tools used in the confirmation process varies across firms, and 
also varies based on the facts and circumstances of specific 
engagements. Generally speaking, firms allow engagement teams to select 
a tool but do not provide that the use of one or more tools is 
required.
    Both GNFs and NAFs within the scope of the PCAOB staff's review use 
third-party tools to automate certain confirmation procedures, or to 
independently verify balances, terms of arrangements, or other 
information under audit. GNFs appear to be more likely to invest in 
customizing off-the-shelf tools they have purchased to their particular 
environment. For example, such modifications may permit a firm to 
automate the reconciliation of confirmed balances to client records. In 
comparison, NAFs tend to use the off-the-shelf tools without 
customization.
    The PCAOB staff's review also found that GNFs have developed 
proprietary applications to facilitate various aspects of the 
confirmation process, whether conducted manually or electronically. 
These applications may facilitate the preparation of confirmation 
requests, their dissemination to recipients (including the preparation 
of logs to track confirmation requests and receipts), and the analysis 
of confirmation responses to determine

[[Page 71714]]

their completeness and accuracy. GNFs have also developed tools used 
when auditing specific accounts, other than cash and accounts 
receivable, where confirmation may provide audit evidence. For example, 
tools are used to prepare, log, and track confirmation requests and 
responses for various deposit, loan, and liability accounts.
    As discussed above, auditors or confirming parties may engage an 
intermediary to facilitate the direct electronic transmission of 
confirmation requests and responses between the auditor and the 
confirming party.\81\ In one area, market forces have influenced firms' 
willingness to use an intermediary: a majority of financial 
institutions will only respond to confirmation requests through a 
centralized process and with a specified intermediary. As a result, all 
firms' methodologies required, and in practice firms did use, the 
specified intermediary in these circumstances.
---------------------------------------------------------------------------

    \81\ See Spotlight: Observations and Reminders on the Use of a 
Service Provider in the Confirmation Process (Mar. 2022), available 
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------

    The PCAOB staff has observed diverse practices related to the 
procedures auditors perform to support their reliance on an 
intermediary's controls when establishing direct communication between 
the auditor and the confirming party.\82\ In some situations where the 
procedures performed included obtaining a SOC report, the staff has 
observed insufficient evaluation of SOC reports, lack of consideration 
of the period covered and complementary user entity controls, and 
insufficient coordination of procedures performed centrally by the 
audit firm and by the engagement team.\83\
---------------------------------------------------------------------------

    \82\ Id.
    \83\ Id.
---------------------------------------------------------------------------

    These observations suggest that there may be a need for uniform 
guidance for situations involving the use of intermediaries. For 
example, enhanced procedures to be performed when auditors place 
reliance on an intermediary's controls could help address the risk of 
interception and alteration of communications between the auditor and 
the company and address the risk of override of the intermediary's 
controls by the company.
    Commenters did not provide information about firms' use of 
technology-based tools that contradicted the staff's assessment. One 
commenter stated that some larger audit firms have established 
confirmation centers to centralize the sending and receiving of 
confirmation requests. Another commenter cited a study that noted the 
use of robotic process automation for confirming accounts receivable by 
a GNF.\84\
---------------------------------------------------------------------------

    \84\ See Feiqi Huang and Milos A. Vasarhelyi, Applying Robotic 
Process Automation (RPA) in Auditing: A Framework, 35 Internal 
Journal of Accounting Information Systems 100433, 100436 (2019).
---------------------------------------------------------------------------

Literature on the Confirmation Process
    There is limited data on auditor confirmation decisions and 
research findings on the confirmation process.\85\ The literature 
documents that confirmation is ``extensively used'' and that 
confirmation responses received directly from a third party are often 
perceived by practitioners to be among ``the most persuasive forms of 
audit evidence.'' \86\ Consistent with the PCAOB staff's observations 
from PCAOB oversight activities,\87\ studies find that the use of 
electronic confirmation has become prevalent.\88\ One study also 
observes that current U.S. auditing standards do not fully address how 
auditors should authenticate confirmations sent or received 
electronically, and asserts that there is a need for audit guidance 
related to electronic forms of evidence.\89\ Further, an earlier study 
reviews enforcement actions described in the SEC's Accounting and 
Auditing Enforcement Releases and concludes that additional direction 
regarding when cash and accounts receivable confirmation requests are 
required or recommended may be needed.\90\ Additionally, the literature 
suggests that more guidance may be necessary to identify when the risk 
is sufficiently low to justify the use of negative confirmation 
requests in certain areas.\91\ Moreover, an article on bank 
confirmation advocates a risk-based approach to the determination of 
confirmation procedures.\92\ Finally, a study finds that ``anecdotal 
evidence and some research suggest confirmation response rates are 
declining.'' \93\ Commenters did not provide information contradicting 
the staff's summary of the relevant literature.
---------------------------------------------------------------------------

    \85\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A 
Summary of Research and Enforcement Release Evidence on Confirmation 
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory 
253, 254 (2008).
    \86\ See id. at 253.
    \87\ See Spotlight: Data and Technology Research Project Update 
(May 2021), available at https://pcaobus.org/resources/staff-publications. See also Spotlight: Observations and Reminders on the 
Use of a Service Provider in the Confirmation Process (Mar. 2022), 
available at https://pcaobus.org/resources/staff-publications.
    \88\ See, e.g., Paul Caster, Randal J. Elder, and Diane J. 
Janvrin, An Exploration of Bank Confirmation Process Automation: A 
Longitudinal Study, 35 Journal of Information Systems 1, 5 (2021).
    \89\ See id. at 2.
    \90\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A 
Summary of Research and Enforcement Release Evidence on Confirmation 
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory 
253, 261-62 (2008).
    \91\ See id. at 266.
    \92\ See L. Ralph Piercy and Howard B. Levy, To Confirm or Not 
to Confirm-Risk Assessment is the Answer, 91 The CPA Journal 54, 54 
(2021).
    \93\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A 
Summary of Research and Enforcement Release Evidence on Confirmation 
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory 
253, 254 (2008). The PCAOB staff has also observed that the use of 
electronic confirmation may affect the confirmation response rate. 
See Spotlight: Data and Technology Research Project Update (May 
2021), available at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------

    Accordingly, the academic literature is consistent with the 
conclusion that the Board's auditing requirements for the confirmation 
process should (i) accommodate electronic communications and address 
the implications of using an intermediary, (ii) address the 
confirmation of cash and accounts receivable, (iii) limit the use of 
negative confirmation requests, and (iv) align with the PCAOB's risk 
assessment standards.
Need
    Several attributes of the audit market support a need for the PCAOB 
to establish effective audit performance standards. First, the company 
under audit, investors, and other financial statement users cannot 
easily observe the services performed by the auditor or the quality of 
the audit. This leads to a risk that, unbeknownst to the company, 
investors, or other financial statement users, the auditor may perform 
a low-quality audit.\94\
---------------------------------------------------------------------------

    \94\ See, e.g., Monika Causholli and Robert W. Knechel, An 
Examination of the Credence Attributes of an Audit, 26 Accounting 
Horizons 631, 632 (2012): During the audit process, the auditor is 
responsible for making decisions concerning risk assessment, total 
effort, labor allocation, and the timing and extent of audit 
procedures that will be implemented to reduce the residual risk of 
material misstatements. As a non-expert, the auditee may not be able 
to judge the appropriateness of such decisions. Moreover, the 
auditee may not be able to ascertain the extent to which the risk of 
material misstatement has been reduced even after the audit is 
completed. Thus, information asymmetry exists between the auditee 
and the auditor, the benefit of which accrues to the auditor. If 
such is the case, the auditor may have incentives to: Under-audit, 
or expend less audit effort than is required to reduce the 
uncertainty about misstatements in the auditee's financial 
statements to the level that is appropriate for the auditee.
---------------------------------------------------------------------------

    Second, the federal securities laws require that an issuer retain 
an auditor for the purpose of preparing or issuing an audit report. 
While the appointment, compensation, and oversight of the work of the 
registered public accounting

[[Page 71715]]

firm conducting the audit is, under the Act, entrusted to the issuer's 
audit committee,\95\ there is nonetheless a risk that the auditor may 
seek to satisfy the interests of the issuer audit client rather than 
the interests of investors and other financial statement users.\96\ 
This risk can arise out of an audit committee's identification with the 
company or its management (e.g., for compensation) or through 
management's exercise of influence over the audit committee's 
supervision of the auditor, which can result in a de facto principal-
agent relationship between the company and the auditor.\97\ Effective 
auditing standards help to address these risks by explicitly assigning 
responsibilities to the auditor that, if executed properly, are 
expected to lead to high-quality audits that satisfy the interests of 
audited companies, investors, and other financial statement users.
---------------------------------------------------------------------------

    \95\ See Section 301 of the Act, 15 U.S.C. 78f(m). As an 
additional safeguard, the auditor is also required to be independent 
of the audit client. See 17 CFR 210.2-01.
    \96\ See, e.g., Joshua Ronen, Corporate Audits and How to Fix 
Them, 24 Journal of Economic Perspectives 189 (2010).
    \97\ See id.; see also, e.g., Liesbeth Bruynseels and Eddy 
Cardinaels, The audit committee: Management watchdog or personal 
friend of the CEO?, 89 The Accounting Review 113 (2014). Cory 
Cassell, Linda Myers, Roy Schmardebeck, and Jian Zhou, The 
Monitoring Effectiveness of Co-Opted Audit Committees, 35 
Contemporary Accounting Research 1732 (2018); Nathan Berglund, 
Michelle Draeger, and Mikhail Sterin, Management's Undue Influence 
over Audit Committee Members: Evidence from Auditor Reporting and 
Opinion Shopping, 41 Auditing: A Journal of Practice 49 (2022).
---------------------------------------------------------------------------

    This section discusses the specific problem that the new standard 
is intended to address and explains how the new standard is expected to 
address it.
Problem To Be Addressed
Focus on Obtaining Reliable Audit Evidence From the Confirmation 
Process
    In situations where audit evidence can be obtained from a 
knowledgeable external source, the resulting audit evidence is likely 
to be more reliable than audit evidence obtained only from internal 
company sources. For evidence obtained through confirmation to be 
reliable, the confirmation process must be properly executed. Proper 
execution involves assessing the reliability of a confirmation response 
and performing robust, additional alternative procedures when the 
auditor is unable to determine that a confirmation response is 
reliable. Similarly, proper execution may entail the performance of 
alternative procedures when the auditor is unable to identify a 
confirming party, the auditor does not receive a confirmation response 
from the intended confirming party, or the confirmation response is 
incomplete.
    As discussed above, the PCAOB staff has observed situations where 
auditors did not perform procedures to assess the reliability of 
confirmation responses or, where applicable, perform sufficient 
alternative procedures.\98\ In addition, the staff has noted that, in 
the case of some financial reporting frauds, the company's misconduct 
possibly could have been detected at an earlier point in time had the 
auditor made an appropriate assessment of the reliability of 
confirmation responses received, or performed additional procedures 
needed to obtain reliable audit evidence.\99\ These observations 
suggest a need for enhancements to auditing standards to more clearly 
address those situations where confirmation can be expected to provide 
reliable audit evidence, including the requirements for evaluating the 
reliability of confirmation responses and, if appropriate, performing 
alternative procedures.
---------------------------------------------------------------------------

    \98\ See above for observations from the PCAOB's audit 
inspections and from SEC enforcement cases.
    \99\ See also Diane Janvrin, Paul Caster, and Randy Elder, 
Enforcement Release Evidence on The Audit Confirmation Process: 
Implications for Standard Setters, 22 Research in Accounting 
Regulation 1, 10 (2010).
---------------------------------------------------------------------------

Developments in Practice
    There are areas of the confirmation process where developments in 
practice have outpaced existing requirements in the Board's auditing 
standards. In particular, existing AS 2310 does not reflect significant 
changes in technology and the methods by which auditors perform the 
confirmation process, including the use of electronic communication and 
the involvement of third-party intermediaries.
    Regulatory standards that do not reflect changes in practice may 
lead to inconsistency in their application, potential 
misinterpretation, and ineffective regulatory intervention. For 
example, the PCAOB staff has observed diverse practices and audit 
deficiencies related to the procedures performed by auditors to support 
their use of an intermediary to facilitate the electronic transmission 
of confirmation requests and confirmation responses with confirming 
parties.\100\
---------------------------------------------------------------------------

    \100\ See Spotlight: Observations and Reminders on the Use of a 
Service Provider in the Confirmation Process (Mar. 2022), available 
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------

How the New Standard Addresses the Need
    The new standard helps address the need by (i) strengthening 
requirements in certain areas to focus on the need to obtain reliable 
audit evidence from the confirmation process; and (ii) modernizing 
existing AS 2310 to accommodate certain developments in practice, 
including the use of electronic communications and intermediaries. The 
new standard is expected to promote consistent and effective practice 
relating to the confirmation process in audits subject to PCAOB 
standards, reducing the risk of low-quality audits caused by (i) the 
lack of observability of audit quality and (ii) the influence of the 
auditor-client relationship discussed above.
Focus on Obtaining Reliable Audit Evidence From the Confirmation 
Process
    The new standard strengthens the Board's requirements in certain 
areas to focus on the need to obtain reliable audit evidence when 
executing the confirmation process. Specifically, the new standard 
includes a presumption for the auditor to confirm certain cash and cash 
equivalents held by third parties, or otherwise obtain relevant and 
reliable audit evidence by directly accessing information maintained by 
a knowledgeable external source. In addition, the new standard 
strengthens the requirements for evaluating the reliability of 
confirmation responses. It also continues to emphasize the importance 
of maintaining control over the confirmation process and provides 
additional examples of information that indicates that a confirmation 
request or response may have been intercepted and altered. When 
confirmation responses are deemed to be unreliable, the auditor is 
directed to perform alternative procedures to obtain audit evidence.
    Moreover, as discussed above, electronic communications likely have 
reduced the efficacy of negative confirmation requests. Under the new 
standard, the auditor is not able to use negative confirmation requests 
as the sole substantive procedure for addressing the risk of material 
misstatement for a financial statement assertion.
Developments in Practice
    Under the new standard, the requirement to maintain control over 
the confirmation process addresses both traditional and newer, more 
prevalent forms of communication between the auditor and confirming 
parties, including emailed confirmation requests and responses and 
intermediaries facilitating electronic communication of confirmation 
requests and responses. The new standard is intended to apply to 
methods of confirmation currently in

[[Page 71716]]

use and to be flexible enough to apply to new methods that may arise 
from technological changes in auditing in the future.
    The new standard emphasizes that in general, evidence obtained from 
a knowledgeable external source is more reliable than evidence obtained 
only from internal company sources. For cash and accounts receivable, 
if the auditor is able to perform audit procedures other than 
confirmation that allow the auditor to obtain audit evidence by 
directly accessing information maintained by knowledgeable external 
sources, such audit evidence could be as persuasive as audit evidence 
obtained through confirmation procedures, and the new standard allows 
the auditor to perform such procedures. Accordingly, to the extent that 
there are newer tools available to auditors now or in the future that 
enable them to obtain such audit evidence directly, the new standard 
would accommodate their use and future development.
Economic Impacts
    This section discusses the expected benefits and costs of the new 
standard and potential unintended consequences. Overall, the Board 
expects that the economic impact of the new standard, including both 
benefits and costs, will be relatively modest, especially for those 
firms that have already incorporated into practice some of the new 
requirements. The Board also expects that the benefits of the new 
standard will justify the costs and any unintended negative effects.
Benefits
    The Board expects the new standard to improve the consistency and 
effectiveness of the confirmation process, reducing the risk of low-
quality audits caused by (i) the lack of observability of audit quality 
and (ii) the influence of the auditor-client relationship discussed 
above. Specifically, there exists a risk that, unbeknownst to the 
company under audit, investors, or other financial statement users, the 
auditor may perform a low-quality audit since audit quality is 
difficult to observe. In addition, some auditors may aim to satisfy the 
interests of the company or their own financial interests rather than 
the interests of investors and other financial statement users--
interests that may lead them to perform insufficiently rigorous 
confirmation procedures to minimize the burden on clients and their 
counterparties to respond to confirmations, or to minimize audit costs.
    The new standard helps to mitigate these risks in the audit 
confirmation process by strengthening and modernizing the requirements 
for the auditor regarding the design and execution of the confirmation 
process. Specifically, a confirmation process designed and executed 
under the new standard should benefit investors and other users of 
financial statements by reducing the likelihood that financial 
statements are materially misstated, whether due to error or fraud. 
Some commenters explicitly stated that the requirements described in 
the 2022 Proposal would improve the consistency of confirmation 
practices and enhance audit quality.
    The enhanced quality of audits and financial information available 
to financial markets should also increase investor confidence in 
financial statements. In general, investors may use the more reliable 
financial information to improve the efficiency of their capital 
allocation decisions (e.g., investors may reallocate capital from less 
profitable companies to more profitable companies). Investors may also 
perceive less risk in capital markets generally, leading to an increase 
in the supply of capital. An increase in the supply of capital could 
increase capital formation while also reducing the cost of capital to 
companies.\101\
---------------------------------------------------------------------------

    \101\ See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo, 
and Yanyan Wang, Effects of audit quality on earnings management and 
cost of equity capital: Evidence from China, 28 Contemporary 
Accounting Research 892, 921 (2011); Richard Lambert, Christian 
Leuz, and Robert E. Verrecchia, Accounting Information, Disclosure, 
and the Cost of Capital, 45 Journal of Accounting Research 385, 410 
(2007).
---------------------------------------------------------------------------

    Auditors also are expected to benefit from the new standard, 
because the additional clarity provided by the new standard (e.g., the 
accommodation of current practices, including the use of electronic 
communications and intermediaries) will reduce regulatory uncertainty 
and the associated compliance costs. Specifically, the new standard 
provides auditors with a better understanding of their responsibilities 
and the Board's expectations.
    The following discussion describes the benefits of key changes to 
existing confirmation requirements that are expected to impact auditor 
behavior. As discussed above, the changes aim to (1) enhance the 
auditor's focus on obtaining reliable audit evidence from the 
confirmation process, and (2) accommodate certain developments in 
practice. As further discussed below, the changes that enhance the 
auditor's focus on obtaining reliable audit evidence are expected to 
strengthen confirmation procedures for cash held by third parties, 
promote consistency in practice, improve the reliability of 
confirmation responses, improve the quality of audit evidence, and 
increase the auditor's likelihood of identifying potential financial 
statement fraud. The changes that accommodate developments in practice 
are expected to clarify the auditor's responsibilities regarding the 
use of electronic communications in the confirmation process, 
standardize the procedures that auditors perform to support their use 
of intermediaries, and allow for the use or development of more 
sophisticated and effective technology-based auditing tools. To the 
extent that a firm has already implemented certain of the provisions of 
the new standard into its firm methodology, the benefits described 
below will be reduced.
Focus on Obtaining Reliable Audit Evidence From the Confirmation 
Process
    The new standard should benefit investors and other users of a 
company's financial statements by placing additional emphasis on the 
auditor's need to obtain reliable audit evidence when performing 
confirmation procedures. In this regard, the new standard: (1) 
identifies certain accounts for which the auditor should perform 
confirmation procedures, (2) enhances the requirements for assessing 
the reliability of confirmation responses, (3) addresses the 
performance of alternative procedures when the auditor is unable to 
obtain relevant and reliable audit evidence through confirmation, (4) 
strengthens requirements regarding the use of negative confirmation 
requests, and (5) specifies certain activities in the confirmation 
process that should be performed by the auditor and not by other 
parties.
    Specifically, the new presumption for the auditor to confirm 
certain cash and cash equivalents held by third parties or otherwise 
obtain relevant and reliable audit evidence by directly accessing 
information maintained by a knowledgeable external source may reduce 
the risk of material errors in financial statements and strengthen 
investor protection to the extent that auditors are not already 
confirming cash pursuant to their existing audit methodologies.\102\ 
This requirement also

[[Page 71717]]

specifies that the extent of audit evidence to obtain through cash 
confirmation procedures should be based on the auditor's understanding 
of the company's cash management and treasury function.
---------------------------------------------------------------------------

    \102\ As discussed above, the PCAOB staff's review of firm 
methodologies indicated that some firms are already confirming cash 
balances, while other firms' methodologies do not require auditors 
to perform procedures beyond those required by AS 2310. The growth 
in corporate cash holdings also highlights the need to confirm cash 
and cash equivalents. See, e.g., Kevin Amess, Sanjay Banerji, and 
Athanasios Lampousis, Corporate Cash Holdings: Causes and 
Consequences, 42 International Review of Financial Analysis 421, 422 
(2015).
---------------------------------------------------------------------------

    The standard does not require that all cash accounts or all 
accounts receivable should be selected for confirmation. The auditor's 
assessment of the risk of material misstatement is an important 
consideration when designing audit procedures, including the use of 
confirmation. Consistent with the objective of the new standard, the 
requirement to confirm cash and accounts receivable, or otherwise 
obtain relevant and reliable audit evidence by directly accessing 
information maintained by a knowledgeable external source, only applies 
when the auditor has determined that these accounts are significant 
accounts. Further, for both cash and accounts receivable, the new 
standard specifies that the auditor should take into account the 
auditor's understanding of the substance of a company's arrangements 
and transactions with third parties when selecting the individual items 
to confirm. These provisions in the new standard should encourage the 
auditor to determine the extent of confirmation procedures with regard 
to an assessment of the risk of material misstatement and avoid more 
work than necessary to obtain sufficient appropriate audit evidence.
    However, to the extent that cash or accounts receivable fall within 
the scope of the new standard, the new standard strengthens the 
requirement to obtain relevant and reliable audit evidence, whether 
through performing confirmation procedures or otherwise obtaining audit 
evidence by directly accessing information maintained by a 
knowledgeable external source. At the same time, the new standard also 
addresses situations where, based on the auditor's experience, 
confirmation would not be feasible for accounts receivable. The 
additional clarity provided by these requirements in the new standard 
should reduce uncertainty in auditor responsibilities and promote 
consistency in practice with respect to the confirmation of cash and 
accounts receivable.
    The new standard strengthens requirements addressing the 
reliability of confirmation responses by describing information that 
the auditor should take into account when evaluating the reliability of 
confirmation responses and providing examples of information that 
indicates that a confirmation request or response may have been 
intercepted or altered. These requirements are expected to improve the 
reliability of confirmation responses and therefore increase the 
quality of the audit evidence obtained by the auditor.
    The requirement to communicate to the audit committee instances 
where, for significant risks associated with cash or accounts 
receivable, the auditor did not perform confirmation procedures or 
obtain audit evidence by directly accessing information maintained by a 
knowledgeable external source is expected to reinforce the auditor's 
obligation to exercise due professional care in determining not to 
perform confirmation procedures or otherwise obtain audit evidence by 
directly accessing information maintained by a knowledgeable external 
source.
    The new standard also expands on the existing requirement to 
address the auditor's potential need to apply alternative procedures. 
The enhanced requirements for alternative procedures provide a greater 
level of detail and clarity to auditors for situations that are not 
currently addressed explicitly in existing AS 2310, potentially raising 
the quality of evidence obtained by auditors.
    Under the new standard, the auditor may only use negative 
confirmation requests to supplement other substantive audit procedures; 
negative confirmation requests may not be used as the sole substantive 
audit procedure. As discussed above, the amount of electronic 
correspondence has increased dramatically over the years, leading to an 
increased likelihood that a negative confirmation request would not be 
appropriately considered by the confirming party and, therefore, would 
provide less persuasive audit evidence. The new standard addresses this 
issue by providing examples of situations in which negative 
confirmation requests, in combination with the performance of other 
substantive audit procedures, may provide sufficient appropriate audit 
evidence. As negative confirmation requests cannot be the sole source 
of audit evidence obtained, insofar as the new standard affects 
practice, the overall quality of audit evidence obtained by the auditor 
likely will increase.\103\
---------------------------------------------------------------------------

    \103\ The Board understands through its oversight activities 
that few, if any, GNFs use negative confirmation requests as the 
sole substantive procedure in practice. As discussed above, however, 
the PCAOB staff's firm methodology review suggests that all the GNFs 
and NAFs reviewed will need to update their methodologies to ensure 
that negative confirmation requests are not used as the sole source 
of audit evidence.
---------------------------------------------------------------------------

    Overall, the additional requirements and examples discussed above 
are expected to improve the reliability of confirmation responses and, 
therefore, increase the quality of the audit evidence obtained by the 
auditor. By introducing a new requirement to confirm certain cash 
balances (or otherwise obtain relevant and reliable audit evidence by 
directly accessing information maintained by a knowledgeable external 
source) and enhancing the requirements for evaluating the reliability 
of confirmation responses, the new standard may also increase the 
auditor's likelihood of identifying potential financial statement 
fraud. Early detection of accounting fraud is an important aspect of 
investor protection because such fraud can cause significant harm to 
investors in the companies engaged in fraud, as well as indirect harm 
to investors in other companies.\104\ In addition, by clarifying and 
strengthening the auditor's responsibilities, including by specifying 
additional situations where alternative procedures may be necessary and 
providing additional examples of information that indicates that a 
confirmation request or response may have been intercepted and altered, 
the new standard takes into account past inspection findings by the 
Board that auditors did not obtain sufficient appropriate audit 
evidence when using confirmation.
---------------------------------------------------------------------------

    \104\ See Yang Bao, Bin Ke, Bin Li, Y. Julia Yu, and Jie Zhang, 
Detecting Accounting Fraud in Publicly Traded US Firms Using a 
Machine Learning Approach, 58 Journal of Accounting Research 199, 
200 (2020).
---------------------------------------------------------------------------

    One commenter on the proposing release expressed the view that the 
proposed standard would not achieve a significant reduction in 
inspection findings or improvements to audit quality because adverse 
inspection findings have historically focused on a failure to 
appropriately execute existing requirements. As discussed above, 
however, the need for this rulemaking is not limited to noncompliance 
with the current standard detected through our inspections program, but 
also reflects undetected financial reporting frauds and developments in 
practice. The Board continues to believe, therefore, that the rule will 
achieve its intended benefits, which include increased clarity from the 
new standard.
Developments in Practice
    The new standard modernizes existing AS 2310 by accommodating 
certain developments in practice,

[[Page 71718]]

including the use of electronic communications and intermediaries.
    Specifically, the new standard accommodates changes in how 
communications occur between the auditor and confirming parties. It 
clarifies the auditor's responsibilities by taking into account current 
confirmation practices among auditors and acknowledging differing 
methods of confirmation. These methods include longstanding methods, 
such as the use of paper-based confirmation requests and responses sent 
via postal mail. They also include methods that have become commonplace 
since the existing standard was adopted, including confirmation 
requests and responses communicated via email and the use of 
intermediaries to facilitate the direct electronic transmission of 
confirmation requests and responses. This additional clarity may 
enhance the reliability of audit evidence by decreasing the risk that a 
confirmation request or response is intercepted and altered. In 
addition, the new standard includes requirements specific to an 
intermediary's controls that mitigate the risk of interception and 
alteration. The requirements are expected to standardize the procedures 
auditors perform to support their use of intermediaries and reduce 
audit deficiencies in this area.
    With regard to both cash and accounts receivable, the new standard 
accommodates the potential for future evolution of audit tools by 
allowing auditors to directly obtain access to relevant and reliable 
audit evidence from knowledgeable external sources other than through 
confirmation without the involvement of the company. This change allows 
for the use or development of technology-based auditing tools, subject 
to the requirement that they provide audit evidence by directly 
accessing information maintained by knowledgeable external sources 
about the relevant financial statement assertion. Accordingly, this 
change could potentially improve the efficiency and effectiveness of 
the audit.
    Some commenters on the 2022 Proposal questioned the benefits of the 
proposed requirements, arguing that the auditor's inability under the 
proposed standard to overcome the presumption to confirm cash and a 
high threshold to overcome the presumption to confirm accounts 
receivable unduly restricted the ability to use professional judgment 
to determine the appropriateness of confirmation procedures. While the 
Board agrees that professional judgment plays an important role in the 
execution of audit procedures, the Board's experience indicates that it 
is also important for investor protection that auditors obtain relevant 
and reliable audit evidence for both cash and accounts receivable when 
they are significant accounts. With regard to accounts receivable, the 
new standard retains the presumption to perform audit procedures to 
obtain relevant and reliable evidence through confirmation, or 
otherwise by directly accessing information maintained by a 
knowledgeable external source, so would not decrease or remove the 
auditor's current responsibility. Furthermore, the new standard 
includes a provision to address situations when obtaining audit 
evidence directly from knowledgeable external sources, whether through 
confirmation procedures or other means, would not be feasible to 
execute for accounts receivable. Accordingly, the new standard strikes 
a balance intended to benefit investors by recognizing the value of 
professional judgment generally with respect to the use of confirmation 
while ensuring that cash and accounts receivable, when they are 
significant accounts, are subject to confirmation or other audit 
procedures designed to obtain relevant and reliable audit evidence from 
knowledgeable external sources.
Costs
    The Board expects the costs associated with the new standard to be 
relatively modest. The PCAOB staff's review of audit firm methodologies 
related to the confirmation process indicates that some firms have 
already incorporated into practice some of the new requirements. For 
example, the methodologies of some GNFs include requirements for 
confirmation of cash that are similar to the requirements in the new 
standard. Both the GNF and NAF methodologies reviewed generally include 
guidance on maintaining control over the confirmation process and the 
use of intermediaries to facilitate the electronic transmission of 
confirmation requests and responses.
    To the extent that audit firms need to make changes to meet the new 
requirements, they may incur certain fixed costs (i.e., costs that are 
generally independent of the number of audits performed) to implement 
the new standard. These include costs of updating audit methodologies 
and tools, and costs to prepare training materials and conduct internal 
training. GNFs are likely to update methodologies using internal 
resources, whereas NAFs are more likely to purchase updated 
methodologies from external vendors. The costs of updating these 
methodologies likely depend on the extent to which the new requirements 
have already been incorporated in the firms' current methodologies. For 
firms that have implemented confirmation procedures like those required 
by the new standard, the costs of updating methodologies may be lower 
than for firms that currently do not have such procedures. In this 
regard, large firms may also benefit from economies of scale. As 
mentioned above, one commenter indicated that some larger audit firms 
have already established confirmation centers to centrally process the 
sending of confirmation requests and receiving of confirmation 
responses. For these firms, costs to implement the new standard may be 
further diminished as these firms may benefit from lower training costs 
and more efficient performance of the enhanced procedures. Smaller 
audit firms may not have adequate resources to establish such 
confirmation centers and may not recognize similar efficiency gains. 
The commenter observed that the establishment of confirmation centers 
within audit firms would require significant resources, which smaller 
audit firms may not have.
    In addition, audit firms may incur certain engagement-level 
variable costs related to implementing the new standard. For example, 
the requirement to confirm certain cash balances or otherwise obtain 
relevant and reliable audit evidence by directly accessing information 
maintained by a knowledgeable external source could impose engagement-
level costs on some auditors if additional procedures need to be 
performed. Similarly, limiting the use of negative confirmation 
requests to situations where the auditor is also performing other 
substantive audit procedures could lead to additional time and effort 
by the auditor to perform the other audit procedures.
    The magnitude of the variable costs likely depends on the extent to 
which existing practice differs from the new requirements. As discussed 
above, the PCAOB staff's review of firm methodologies, which included 
the methodologies of certain NAFs, suggests that the new standard 
likely will lead to a greater impact on confirmation procedures 
performed by smaller firms. Because the new standard generally applies 
a risk-based approach (i.e., by providing that the use of confirmation 
may be part of the auditor's response to the assessed risks of material 
misstatement), the costs of performing the additional procedures are 
unlikely to be disproportionate to the benefits.
    To the extent that auditors incur higher costs to implement the new 
standard and are able to pass on at least

[[Page 71719]]

part of the increased costs through an increase in audit fees, 
companies being audited could incur an indirect cost.\105\ Moreover, 
confirming parties could incur additional costs from supporting the 
confirmation process as a result of the enhanced requirements of the 
new standard, although the additional costs are expected to be limited. 
One commenter agreed that confirming parties may incur additional costs 
as they may have to allocate resources to respond to confirmation 
requests. As discussed above, however, confirmation is already commonly 
used by audit firms, and the Board therefore does not expect confirming 
parties to incur significant additional costs to respond to 
confirmation requests as a result of the new standard.
---------------------------------------------------------------------------

    \105\ One commenter stated that the cost of audit would increase 
if auditors were required to send confirmations on any and all 
information that can be confirmed by external parties. While the 
Board notes that the new standard does not require confirmations on 
any and all information that can be confirmed, it agrees that 
companies being audited can incur indirect costs to the extent that 
auditors pass on at least part of the increased costs in terms of 
increased audit fees to companies.
---------------------------------------------------------------------------

    Some requirements under the new standard may result in more costs 
than others. The following discussion describes the potential costs 
associated with specific changes to existing confirmation requirements.
Focus on Obtaining Reliable Audit Evidence From the Confirmation 
Process
    The new standard: (1) identifies certain accounts for which the 
auditor should perform confirmation procedures or otherwise obtain 
relevant and reliable audit evidence by directly accessing information 
maintained by a knowledgeable external source, (2) enhances the 
requirements for assessing the reliability of confirmation responses, 
(3) addresses the performance of alternative procedures when the 
auditor is unable to obtain relevant and reliable audit evidence 
through confirmation, (4) strengthens requirements regarding the use of 
negative confirmation requests, and (5) specifies certain activities in 
the confirmation process that should be performed by the auditor and 
not by other parties.
    For some firms, the requirement in the new standard to confirm 
certain cash balances or otherwise obtain relevant and reliable audit 
evidence by directly accessing information maintained by a 
knowledgeable external source could be expected to result in the 
revision of firm methodologies and the performance of additional audit 
procedures. As discussed above, the methodologies of some GNFs already 
include requirements for cash confirmation that are similar to the new 
requirement described in the new standard. In addition, the risk-based 
approach in the new requirement should encourage the auditor to 
determine the extent of confirmation with regard to an assessment of 
the risks of material misstatement and conduct only the work necessary 
to obtain sufficient audit evidence.
    Commenters on the 2022 Proposal asserted that confirming cash 
balances under the proposed standard would lead to increased costs, 
given the lack of discretion and ability to overcome the presumption in 
the proposed standard. In addition, some commenters on the 2022 
Proposal asserted that the ``at least as persuasive as'' threshold in 
the proposed standard for overcoming the presumption to confirm 
accounts receivable would limit the auditor's use of professional 
judgment and could result in greater costs without a commensurate 
benefit to audit quality.
    As discussed above, there is a presumption in the new standard that 
the auditor should obtain audit evidence from a knowledgeable external 
source by performing confirmation procedures or using other means to 
obtain audit evidence by directly accessing information maintained by 
knowledgeable external sources. In addition, the new standard provides 
that if, based on the auditor's experience, it would not be feasible 
for the auditor to obtain audit evidence about accounts receivable 
pursuant to paragraph .24, the auditor should obtain external 
information indirectly by performing other substantive procedures, 
including tests of details. Insofar as the final standard does not 
otherwise provide auditors with the discretion to avoid obtaining audit 
evidence directly from a knowledgeable external source for cash, and 
the only exception applicable to accounts receivable is for situations 
where obtaining audit evidence directly from a knowledgeable external 
source would not be feasible, firms may, therefore, incur additional 
costs to comply with the presumptive requirements of the new standard 
for cash and accounts receivable. These costs, however, are necessary 
to the achievement of the standard's intended benefits of emphasizing 
the quality and strength of the audit evidence to be obtained from 
knowledgeable external sources.
    The new standard also requires the auditor to evaluate the 
reliability of confirmation responses and provides examples of 
information that indicate that a confirmation response may have been 
intercepted and altered. The costs associated with this requirement, 
however, are expected to be limited. First, the Board's auditing 
standards already require the auditor to obtain sufficient appropriate 
audit evidence to provide a reasonable basis for the auditor's report, 
and to evaluate the combined evidence provided by confirmation and 
other auditing procedures performed when the auditor has not received 
replies to confirmation requests (i.e., nonresponses) to determine 
whether sufficient evidence has been obtained about all the applicable 
financial statement assertions.\106\ Second, the methodologies of some 
firms reflect application material in ISA 505 regarding factors 
(similar to indicators in the new standard) that may indicate doubts 
about the reliability of a confirmation response. One of these factors 
is analogous to the requirement in the new standard (i.e., the 
confirmation response appears not to come from the originally intended 
confirming party), which may further limit the potential costs for 
firms that have incorporated this factor in their methodologies. One 
commenter on the 2022 Proposal stated that the proposed standard's 
requirement for evaluating the reliability of confirmation responses 
might cause the auditor to need to authenticate confirmation responses, 
which would add significant expense to the audit. However, as discussed 
above, AS 1105 already establishes the requirements for evaluating the 
reliability of audit evidence, and the new standard does not change 
those requirements.
---------------------------------------------------------------------------

    \106\ See AS 1105.04; AS 2310.33.
---------------------------------------------------------------------------

    The requirement for the auditor to communicate with the audit 
committee when the auditor did not perform confirmation procedures or 
otherwise obtain audit evidence by directly accessing information 
maintained by knowledgeable external sources for significant risks 
associated with either cash or accounts receivable could impose a 
modest incremental cost. Some commenters on the 2022 Proposal had 
expressed concern about the proposed requirement to communicate with 
the audit committee in all instances where the presumption to confirm 
accounts receivable had been overcome, which could be detrimental if 
the communication became a mere compliance exercise for auditors and 
audit committees. The new standard's requirement to communicate with 
the audit committee, however, is more risk-based and therefore, the 
Board continues to believe that the incremental costs will be modest.

[[Page 71720]]

    Insofar as the new standard identifies additional situations in 
which the auditor generally would be required to perform alternative 
procedures, firms may incur additional costs. Specifically, the new 
standard extends the requirement in existing AS 2310 to perform 
alternative procedures in relation to nonresponses to positive 
confirmation requests to other situations, including the auditor's 
inability to identify a confirming party and the receipt of an 
unreliable response.
    In contrast with existing AS 2310, negative confirmation requests 
may not be used as the sole substantive audit procedure under the new 
standard. This limitation reflects, among other things, the increase in 
the volume of electronic correspondence since existing AS 2310 was 
issued and the increasing likelihood that a recipient of a negative 
confirmation request would not consider the request. As a result, 
auditors may have to perform other substantive audit procedures for 
certain financial statement assertions. Although the Board understands 
through its oversight activities that few, if any, GNFs use negative 
confirmation requests as the sole substantive procedure in practice, as 
discussed above, the PCAOB staff's firm methodology review suggests 
that all the GNFs and NAFs reviewed will need to review their 
methodologies to ensure that negative confirmation requests are not 
used as the sole source of audit evidence.
Developments in Practice
    As discussed above, the new standard includes requirements that 
clarify the procedures auditors should perform to support their use of 
intermediaries to facilitate the direct electronic transmission of 
confirmation requests and responses between the auditor and the 
confirming party. These requirements may lead to modifications to firm 
methodologies. Further, the required procedures may involve additional 
auditor time and effort. The resulting costs likely depend on the 
extent to which the new requirements have already been incorporated in 
a firm's current methodologies. One commenter expressed concern that 
the proposed requirement to assess the intermediary's controls would 
result in significant additional work for auditors because it is not 
currently common practice to directly assess intermediaries in this 
manner. The PCAOB staff's review of firm methodologies discussed above 
did not suggest that the requirements in Appendix B of the new standard 
would create significant additional work for auditors. In particular, 
both the GNF and NAF methodologies reviewed generally already include 
guidance on maintaining control over the confirmation process and the 
use of intermediaries, which may limit the costs. In addition, the 
Board notes that the requirements in the new standard relate to 
relevant controls that address the risk of interception and alteration 
of confirmation requests and responses and that some intermediaries 
currently make information about relevant internal controls available 
to auditors through a SOC report.
    If the auditor is able to obtain audit evidence by directly 
accessing information maintained by knowledgeable external sources 
instead of confirmation, such audit evidence could be at least as 
persuasive as audit evidence obtained through confirmation procedures, 
and the new standard allows the auditor to perform such procedures. 
This provision is not expected to impose new costs on firms, as firms 
would only obtain relevant and reliable audit evidence by directly 
accessing information maintained by a knowledgeable external source to 
the extent that technological advancements render it more efficient 
than performing confirmation procedures. Thus, to the extent that the 
auditor is able to replace confirmation procedures with obtaining audit 
evidence by directly accessing information maintained by a 
knowledgeable external source, the new standard could reduce costs for 
firms.
Potential Unintended Consequences
    In addition to the benefits and costs discussed above, the new 
standard could have unintended economic impacts. The following 
discussion describes potential unintended consequences the Board has 
considered and, where applicable, factors that mitigate the negative 
consequences, such as steps the Board has taken or the existence of 
other countervailing forces.
Potential Decline in Auditors' Usage of Confirmation
    An unintended consequence of the new standard would occur if, 
contrary to the Board's expectation, there were a significant reduction 
in the use of confirmation procedures by auditors in circumstances 
where confirmation would provide relevant and reliable audit evidence.
    Under the new standard, auditors retain the ability to use 
confirmation as one procedure, among others, to audit one or more 
financial statement accounts or disclosures. At the same time, the new 
standard strengthens the requirements for an auditor regarding 
evaluating the reliability of confirmation responses and addressing 
confirmation exceptions and incomplete responses, including performing 
alternative procedures to obtain audit evidence. Further, the new 
standard describes the types of procedures the auditor should perform 
in evaluating the effect of using an intermediary on the reliability of 
confirmation requests and responses, including determining whether 
relevant controls of the intermediary are designed and operating 
effectively. In addition, the new standard does not allow the auditor 
to use negative confirmation requests as the sole substantive 
procedure. As a result, when not required to use confirmation, auditors 
might decline to use confirmation and use other audit procedures more 
frequently than under existing AS 2310 if they perceive there could be 
more time or cost involved in the confirmation process relative to the 
performance of other procedures.
    This potential unintended consequence is mitigated, however, by the 
requirement that the auditor should perform confirmation procedures for 
cash and accounts receivable, or otherwise obtain audit evidence by 
directly accessing information maintained by knowledgeable external 
sources. In addition, the Board's standards already provide that the 
auditor should evaluate whether the combined evidence provided by 
confirmation and other auditing procedures provide sufficient evidence 
about the applicable financial statement assertions. Several of the 
changes to existing requirements in the new standard align with the 
Board's understanding of current practice. For example, many audit 
firms' methodologies include guidance on maintaining control and the 
use of intermediaries. Additionally, the potential unintended 
consequence may be mitigated to the extent that a firm has experienced 
efficiencies from using newer audit tools for confirmation through 
reduced time or costs. Further, the Board does not anticipate that the 
requirements of the new standard will cause a significant change in the 
timing or extent of confirmation procedures for auditors, as the Board 
has not amended the requirements of AS 2301, which is the auditing 
standard that addresses those matters. Accordingly, the Board does not 
believe that the new standard will lead to a significant decline in the 
use of confirmation.

[[Page 71721]]

Potential Misinterpretation of the Requirements in the New Standard 
Relating to the Confirmation of Cash and Accounts Receivable
    An unintended consequence of the presumed requirement in the new 
standard to confirm cash and accounts receivable would arise if 
auditors misinterpreted the language in the new standard as requiring 
the confirmation of cash and accounts receivable in all situations. For 
example, the new standard does not carry forward a provision included 
in existing AS 2310 that an auditor could overcome the presumption to 
confirm accounts receivable if, among other things, ``[t]he use of 
confirmations would be ineffective.'' It is possible that some auditors 
might misinterpret the elimination of this language as precluding the 
exercise of auditor judgment with respect to the confirmation of 
accounts receivable. Some commenters on the 2022 Proposal appeared to 
misinterpret the proposed requirement and suggested that confirmation 
would be required in all situations. For example, one commenter 
asserted that using confirmation regardless of risk assessment may 
promote a checklist mentality that does not contribute to audit quality 
and an audit approach that may be less efficient and effective.
    The Board does not intend, however, that an auditor send 
confirmation requests for accounts receivable in all situations or when 
such procedures do not provide relevant and reliable audit evidence. If 
the auditor has not determined cash or accounts receivable to be a 
significant account, the new standard does not require the confirmation 
of cash or accounts receivable. Moreover, to clarify the Board's 
intent, it has modified the language in the proposed standard in 
several respects. First, paragraph .25 of the new standard addresses 
situations when obtaining audit evidence about accounts receivable 
directly from knowledgeable external sources, whether through 
confirmation procedures or other means, would not be feasible to 
execute. If it is not feasible for the auditor to obtain audit evidence 
about accounts receivable directly from a knowledgeable external 
source, the auditor should obtain external information indirectly by 
performing other substantive procedures, including tests of details.
    In addition, the Board is not adopting paragraph .07 of the 
proposed standard, which referred to situations where evidence obtained 
through the confirmation process ``generally is more persuasive than 
audit evidence obtained solely through other procedures'' and may have 
contributed to a misperception that the Board was proposing to require 
confirmation in all circumstances. In the Board's view, the language in 
the new standard acknowledges the role of professional judgment in the 
auditor's selection of audit procedures to obtain sufficient 
appropriate audit evidence, while retaining a presumption to confirm 
cash and accounts receivable or otherwise obtain relevant and reliable 
audit evidence by directly accessing information maintained by a 
knowledgeable external source. This should mitigate the potential 
unintended consequence described above.
Alternatives Considered
    The development of the new standard involved considering a number 
of alternative approaches to address the problems described above. This 
section explains: (i) why standard setting is preferable to other 
policy-making approaches, such as providing interpretive guidance or 
enhancing inspection or enforcement efforts; (ii) other standard-
setting approaches that were considered; and (iii) key policy choices 
made by the Board in determining the details of the new standard-
setting approach.
Why Standard Setting Is Preferable to Other Policy-Making Approaches
    The Board's policy tools include alternatives to standard setting, 
such as issuing additional interpretive guidance, or increasing our 
focus on inspections or enforcement of existing standards. The Board 
considered whether providing guidance or increasing inspection or 
enforcement efforts would be effective mechanisms to address concerns 
with the auditor's use of confirmation.
    Interpretive guidance inherently provides additional information 
about existing standards. Inspection and enforcement actions take place 
after insufficient audit performance (and potential investor harm) has 
occurred. Devoting additional resources to interpretive guidance, 
inspections, or enforcement activities, without improving the relevant 
performance requirements for auditors, would at best focus auditors' 
performance on existing standards and would not provide the benefits 
discussed above associated with improving the standards. The new 
standard, on the other hand, is designed to improve existing 
requirements for the auditor's use of confirmation. For example, the 
new standard, unlike existing AS 2310, includes requirements relating 
to the confirmation of cash accounts, imposes additional limitations on 
the use of negative confirmation requests, clarifies the circumstances 
in which auditors would be expected to perform alternative procedures, 
and includes explicit provisions addressing the auditor's 
responsibility for selecting items to be confirmed, sending 
confirmation requests, and receiving confirmation responses.
Other Standard-Setting Alternatives Considered
    Several alternative standard-setting approaches were also 
considered, including: (i) making amendments to the existing standard; 
and (ii) adopting an approach based on ISA 505, with certain 
modifications to reflect the PCAOB's statutory responsibilities with 
respect to audits of public companies and registered broker-dealers.
Amendments to Existing Standard
    The Board considered, but decided against, limiting the amendments 
to AS 2310 solely to modifications relating to changes in technology 
that have affected the confirmation process. While this approach could 
result in fewer changes to firms' audit methodologies, the Board 
believes there are a number of other areas discussed throughout this 
release, beyond amending AS 2310 to reflect the increasing use of 
technology in the confirmation process, where the existing standard 
should be improved.
Standard Based on ISA 505
    Some commenters on the 2009 Concept Release and the 2010 Proposal 
suggested that the Board should consider adopting ISA 505, the IAASB's 
standard on audit confirmation, which was issued in 2008. The Board has 
taken the requirements and application material of ISA 505 into account 
in developing the new standard (e.g., the ISA 505 application material 
relating to the use of a third party to coordinate and provide 
responses to confirmation requests).
    The Board concluded, however, that the new standard should also 
establish certain requirements that are not included in ISA 505 (e.g., 
requirements to confirm cash and accounts receivable or otherwise 
obtain relevant and reliable audit evidence by directly accessing 
information maintained by a knowledgeable external source), and should 
not include certain provisions that are described in ISA 505 (e.g., 
regarding management's refusal to allow the auditor to send a 
confirmation request). In addition, audit practices have continued to 
evolve since ISA 505

[[Page 71722]]

was issued in 2008, and the Board believes that the new standard should 
reflect these developments (e.g., by addressing electronic 
communication and the use of intermediaries in the requirements of the 
standard rather than in application materials).
Key Policy Choices
    Given a preference for replacing existing AS 2310 in its entirety, 
the Board considered different approaches to addressing key policy 
issues.
Use of Confirmation Procedures for Specific Accounts
    The new standard provides that when addressing an assessed risk of 
material misstatement of cash and cash equivalents held by third 
parties, as well as of accounts receivable that arise from the transfer 
of goods or services to a customer or a financial institution's loans, 
the auditor should perform confirmation procedures or otherwise obtain 
relevant and reliable audit evidence by directly accessing information 
maintained by a knowledgeable external source. In addition, under the 
new standard, when obtaining audit evidence from a knowledgeable 
external source regarding cash, the auditor should consider sending 
confirmation requests to that source about other financial 
relationships with the company, based on the assessed risk of material 
misstatement. Also, when the auditor has identified a complex 
transaction or a significant unusual transaction, the auditor should 
consider confirming those terms of the transaction that are associated 
with a significant risk of material misstatement, including a fraud 
risk. The new standard does not specify other significant accounts or 
disclosures that the auditor should confirm or consider confirming. The 
Board considered several alternatives to this approach, as discussed 
below.
    First, the Board considered an approach that would have no 
requirement for the auditor to confirm specified accounts or 
transactions. In the Board's view, this approach might result in the 
selection by some auditors of audit procedures that provide less 
relevant and reliable audit evidence than confirmation with respect to 
cash and accounts receivable (e.g., if an auditor mistakenly assessed 
the risk of material misstatement too low for cash or accounts 
receivable). Further, confirmation of cash and accounts receivable is 
already a standard practice for many auditors and is consistent with 
the concept that audit evidence obtained from a knowledgeable external 
source is more reliable than evidence obtained only from internal 
company sources. Accordingly, the Board has decided against an approach 
that does not require the confirmation of any accounts and disclosures 
in the new standard.
    In addition, the Board considered including in the new standard a 
requirement that the auditor should confirm other accounts in addition 
to cash and accounts receivable, such as investments. The Board has 
decided against this approach because it would limit auditor judgment 
in circumstances where the performance of other auditing procedures 
might provide relevant and reliable audit evidence, could be viewed as 
unduly prescriptive, and would not allow the auditor to take company-
specific facts and circumstances into account. Instead, under the new 
standard, the auditor could decide to perform confirmation procedures 
with respect to financial statement assertions relating to other 
accounts and disclosures but is not required to do so.
    The Board also considered an additional requirement that the 
auditor should perform confirmation procedures in response to 
significant risks that relate to relevant assertions, when such 
assertions can be adequately addressed by confirmation procedures. 
However, the Board believes that such a requirement would be 
inconsistent with the Board's risk assessment standards, which allow 
for auditor judgment in determining the audit response to significant 
risks identified by the auditor. The Board has not included this 
provision in the new standard.
Management Requests Not To Confirm
    The Board considered addressing situations where management 
requests that the auditor not confirm one or more items in the new 
standard. Specifically, the Board considered requiring the auditor to 
obtain an understanding of the reasons for management's request, 
perform alternative procedures as discussed in Appendix C of the new 
standard, and communicate the request to the audit committee. In 
addition, the Board considered a requirement that the auditor should 
evaluate the implications for the auditor's report if the auditor 
determines that management's request impairs the auditor's ability to 
obtain sufficient appropriate audit evidence or indicates that one or 
more fraud risk factors are present. For the reasons discussed above, 
the Board has decided not to include such provisions in the new 
standard.
Special Considerations for Audits of Emerging Growth Companies
    Pursuant to Section 104 of the Jumpstart Our Business Startups Act 
(``JOBS Act''), rules adopted by the Board subsequent to April 5, 2012, 
generally do not apply to the audits of EGCs, as defined in Section 
3(a)(80) of the Exchange Act, unless the SEC ``determines that the 
application of such additional requirements is necessary or appropriate 
in the public interest, after considering the protection of investors, 
and whether the action will promote efficiency, competition, and 
capital formation.'' \107\ As a result of the JOBS Act, the rules and 
related amendments to PCAOB standards that the Board adopts are 
generally subject to a separate determination by the SEC regarding 
their applicability to audits of EGCs.
---------------------------------------------------------------------------

    \107\ See Public Law 112-106 (Apr. 5, 2012). Section 
103(a)(3)(C) of the Act, as added by Section 104 of the JOBS Act, 
also provides that any rules of the Board requiring (1) mandatory 
audit firm rotation or (2) a supplement to the auditor's report in 
which the auditor would be required to provide additional 
information about the audit and the financial statements of the 
issuer (auditor discussion and analysis) shall not apply to an audit 
of an EGC. The new standard does not fall within either of these two 
categories.
---------------------------------------------------------------------------

    To inform consideration of the application of auditing standards to 
audits of EGCs, PCAOB staff prepares a white paper annually that 
provides general information about characteristics of EGCs.\108\ As of 
the November 15, 2021, measurement date, PCAOB staff identified 3,092 
companies that self-identified with the SEC as EGCs and filed audited 
financial statements in the 18 months preceding the measurement date.
---------------------------------------------------------------------------

    \108\ For the most recent EGC report, see White Paper on 
Characteristics of Emerging Growth Companies and Their Audit Firms 
at November 15, 2021 (Jan. 5, 2023) (``EGC White Paper''), available 
at https://pcaobus.org/resources/other-research-projects.
---------------------------------------------------------------------------

    Confirmation is a longstanding audit procedure used in nearly all 
audits, including audits of EGCs. The discussion of benefits, costs, 
and unintended consequences above is generally applicable to audits of 
EGCs. The economic impacts of the new standard on an EGC audit depend 
on factors such as the audit firm's current methodologies, the audit 
firm's ability to distribute implementation costs across engagements, 
and the auditor's assessed risk of material misstatement.
    EGCs are likely to be newer companies, which may increase the 
importance to investors of the external audit to enhance the 
credibility of management disclosures.\109\ Further,

[[Page 71723]]

compared to non-EGCs, EGCs are more likely to be audited by NAFs.\110\ 
As discussed above, NAFs are expected to make more changes to their 
methodologies and practice to comply with the new standard. Therefore, 
all else equal, the benefits of the higher audit quality resulting from 
the new standard may be larger for EGCs than for non-EGCs, including 
improved efficiency of market capital allocation, lower cost of 
capital, and enhanced capital formation.\111\ In particular, because 
investors who face uncertainty about the reliability of a company's 
financial statements may require a larger risk premium that increases 
the cost of capital to companies, the improved audit quality resulting 
from applying the new standard to EGC audits could reduce the cost of 
capital to those EGCs.\112\
---------------------------------------------------------------------------

    \109\ Researchers have developed a number of proxies that are 
thought to be correlated with information asymmetry, including small 
issuer size, lower analyst coverage, larger insider holdings, and 
higher research and development costs. To the extent that EGCs 
exhibit one or more of these properties, there may be a greater 
degree of information asymmetry for EGCs than for the broader 
population of companies, which increases the importance to investors 
of the external audit to enhance the credibility of management 
disclosures. See, e.g., Mary E. Barth, Wayne R. Landsman, and Daniel 
J. Taylor, The JOBS Act and Information Uncertainty in IPO Firms, 92 
The Accounting Review 25, 25 (2017); Steven A. Dennis and Ian G. 
Sharpe, Firm Size Dependence in the Determinants of Bank Term Loan 
Maturity, 32 Journal of Business Finance and Accounting 31, 59 
(2005); Michael J. Brennan and Avanidhar Subrahmanyam, Investment 
Analysis and Price Formation in Securities Markets, 38 Journal of 
Financial Economics 361, 363 (1995); David Aboody and Baruch Lev, 
Information Asymmetry, R&D, and Insider Gains, 55 Journal of Finance 
2747, 2755 (2000); Raymond Chiang and P. C. Venkatesh, Insider 
Holdings and Perceptions of Information Asymmetry: A Note, 43 
Journal of Finance 1041, 1047 (1988); Molly Mercer, How Do Investors 
Assess the Credibility of Management Disclosures?, 18 Accounting 
Horizons 185, 194 (2004). Furthermore, research has shown that 
reduced disclosure requirements for EGCs are associated with lower 
audit effort. The academic literature has also documented evidence 
of lower audit quality for EGCs. To the extent that the new standard 
will increase auditor effort, EGCs are expected to benefit from 
higher audit quality. See, e.g., Tiffany J. Westfall and Thomas C. 
Omer, The Emerging Growth Company Status on IPO: Auditor Effort, 
Valuation, and Underpricing, 37 Journal of Accounting and Public 
Policy 315, 316 (2018); Essam Elshafie, The Impact of Reducing 
Reporting Requirements on Audit Quality, Auditor Effort and Auditor 
Conservatism, 35 Accounting Research Journal 756, 756 (2022).
    \110\ EGC White Paper at 22.
    \111\ The enhanced quality of audits and financial information 
available to financial markets may result in investors perceiving 
less risk in capital markets. This, in turn, may lead to an increase 
in the supply of capital which could increase capital formation. 
See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo, and Yanyan 
Wang, Effects of audit quality on earnings management and cost of 
equity capital: Evidence from China, 28 Contemporary Accounting 
Research 892, 921 (2011); Richard Lambert, Christian Leuz, and 
Robert E. Verrecchia, Accounting Information, Disclosure, and the 
Cost of Capital, 45 Journal of Accounting Research 385, 410 (2007).
    \112\ For a discussion of how increasing reliable public 
information about a company can reduce risk premium, see David 
Easley and Maureen O'Hara, Information and the Cost of Capital, 59 
The Journal of Finance 1553, 1578 (2004).
---------------------------------------------------------------------------

    While the associated costs may also be higher for EGC audits than 
for non-EGC audits, because of the scalability of the risk-based 
requirements, the costs of performing the procedures are unlikely to be 
disproportionate to the benefits of the procedures. Moreover, if any of 
the new amendments were determined not to apply to the audits of EGCs, 
auditors would need to address differing audit requirements in their 
methodologies, or policies and procedures, with respect to audits of 
EGCs and non-EGCs, which would create the potential for confusion. The 
new standard could impact competition in an EGC product market if the 
indirect costs to audited companies disproportionately impact EGCs 
relative to their competitors. However, as discussed above, the costs 
associated with the new standard are expected to be relatively modest. 
Therefore, the impact of the new standard on competition, if any, is 
expected to be limited. Overall, the new standard is expected to 
enhance audit quality and contribute to an increase in the credibility 
of financial reporting by EGCs.
    Accordingly, and for the reasons explained above, the Board is 
requesting that the Commission determine that it is necessary or 
appropriate in the public interest, after considering the protection of 
investors and whether the action will promote efficiency, competition, 
and capital formation, to apply the new standard to audits of EGCs. One 
commenter specifically supported the application of the 2022 Proposal 
to EGCs.

III. Date of Effectiveness of the Proposed Rules and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission may 
designate up to 90 days of such date if it finds such longer period to 
be appropriate and publishes its reasons for so finding or (ii) as to 
which the Board consents, the Commission will:
    (A) By order approve or disapprove such proposed rules; or
    (B) Institute proceedings to determine whether the proposed rules 
should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed 
rules are consistent with the requirements of Title I of the Act. 
Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
     Send an email to [email protected]. Please include 
file number PCAOB-2023-02 on the subject line.

Paper Comments

     Send paper comments in triplicate to Vanessa A. 
Countryman, Secretary, Securities and Exchange Commission, 100 F Street 
NE, Washington, DC 20549-1090.

All submissions should refer to file number PCAOB-2023-02. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's internet website (https://www.sec.gov/rules/pcaob). 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed rules that are filed with the 
Commission, and all written communications relating to the proposed 
rules between the Commission and any person, other than those that may 
be withheld from the public in accordance with the provisions of 5 
U.S.C. 552, will be available for website viewing and printing in the 
Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549, on official business days between the hours of 10 a.m. and 3 
p.m. Copies of such filing will also be available for inspection and 
copying at the principal office of the PCAOB. Do not include personal 
identifiable information in

[[Page 71724]]

submissions; you should submit only information that you wish to make 
available publicly. We may redact in part or withhold entirely from 
publication submitted material that is obscene or subject to copyright 
protection. All submissions should refer to File Number PCAOB-2023-02 
and should be submitted on or before November 7, 2023.
---------------------------------------------------------------------------

    \113\ 17 CFR 200.30-11(b)(1) and (3).

    For the Commission, by the Office of the Chief Accountant.\113\
Vanessa A. Countryman,
Secretary.
[FR Doc. 2023-22491 Filed 10-16-23; 8:45 am]
BILLING CODE 8011-01-P