[Federal Register Volume 88, Number 199 (Tuesday, October 17, 2023)]
[Notices]
[Pages 71684-71724]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-22491]
Part III
Securities and Exchange Commission
-----------------------------------------------------------------------
Public Company Accounting Oversight Board; Notice of Filing of Proposed
Rules on the Auditor's Use of Confirmation, and Other Amendments to
Related PCAOB Standards; Notice
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-98689; File No. PCAOB-2023-02]
Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on the Auditor's Use of Confirmation, and Other
Amendments to Related PCAOB Standards
October 5, 2023.
Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the
``Act''), notice is hereby given that on October 4, 2023, the Public
Company Accounting Oversight Board (the ``Board'' or ``PCAOB'') filed
with the Securities and Exchange Commission (the ``Commission'' or
``SEC'') the proposed rules described in Items I and II below, which
items have been prepared by the Board. The Commission is publishing
this notice to solicit comments on the proposed rules from interested
persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On September 28, 2023, the Board adopted amendments to auditing
standards for the auditor's use of confirmation, and amendments to
related PCAOB standards (collectively, the ``proposed rules''),
including the retitling and replacement of an existing standard with a
new standard. The text of the proposed rules appears in Exhibit A to
the SEC Filing Form 19b-4 and is available on the Board's website at
https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-028-proposed-auditing-standard-related-to-confirmation and at the
Commission's Public Reference Room.
II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed comments it received on the proposed rules. The text of these
statements may be examined at the places specified in Item IV below.
The Board has prepared summaries, set forth in sections A, B, and C
below, of the most significant aspects of such statements. In addition,
the Board is requesting that the Commission approve the proposed rules,
pursuant to Section 103(a)(3)(C) of the Act, for application to audits
of emerging growth companies (``EGCs''), as that term is defined in
Section 3(a)(80) of the Securities Exchange Act of 1934 (``Exchange
Act''). The Board's request is set forth in section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
(a) Purpose
Summary
The Board is replacing AS 2310, The Confirmation Process, in its
entirety with a new standard, AS 2310, The Auditor's Use of
Confirmation (``new standard'') to strengthen and modernize the
requirements for the confirmation process. As described in the new
standard, the confirmation process involves selecting one or more items
to be confirmed, sending a confirmation request directly to a
confirming party (e.g., a financial institution), evaluating the
information received, and addressing nonresponses and incomplete
responses to obtain audit evidence about one or more financial
statement assertions. If properly designed and executed by an auditor,
the confirmation process may provide important evidence that the
auditor obtains as part of an audit of a company's financial
statements.
Why the Board Is Adopting These Changes Now
AS 2310 is an important standard for audit quality and investor
protection, as the audit confirmation process touches nearly every
audit. The standard was initially written over 30 years ago and has had
minimal amendments since its adoption by the PCAOB in 2003.
The Board adopted the new standard after substantial outreach,
including several rounds of public comment. The PCAOB previously
considered updating AS 2310 by issuing a concept release in 2009 and a
proposal in 2010 for a new auditing standard that would supersede AS
2310. While the PCAOB did not amend or replace AS 2310 at that time,
subsequent developments--including the increasing use of electronic
communications and third-party intermediaries in the confirmation
process--led the Board to conclude that enhancements to AS 2310 and
modifications to the approach proposed in 2010 could improve the
quality of audit evidence obtained by auditors. In addition, the Board
has observed continued inspection findings related to auditors' use of
confirmation, as well as enforcement actions involving failures to
adhere to requirements in the existing auditing standard regarding
confirmation, such as the requirement for the auditor to maintain
control over the confirmation process.
Accordingly, having considered these developments and input from
commenters, the Board revisited the previously proposed changes and
issued a new proposed standard to replace AS 2310, along with
conforming amendments to other PCAOB auditing standards, in December
2022. Commenters generally supported the Board's objective of improving
the confirmation process, and suggested areas to further improve the
new standard, modify proposed requirements that would not likely
improve audit quality, and clarify the application of the new standard.
In adopting the new standard and related amendments, the Board has
taken into account all of these comments, as well as observations from
PCAOB oversight activities.
Key Provisions of the New Standard
The new standard and related amendments are intended to enhance the
PCAOB's requirements on the use of confirmation by describing
principles-based requirements that apply to all methods of
confirmation, including paper-based and electronic means of
communications. In addition, the new standard is more expressly
integrated with the PCAOB's risk assessment standards by incorporating
certain risk-based considerations and emphasizing the auditor's
responsibilities for obtaining relevant and reliable audit evidence
through the confirmation process. Among other things, the new standard:
• Includes a new requirement regarding confirming cash and
cash equivalents held by third parties (``cash''), or otherwise
obtaining relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source;
• Carries forward the existing requirement regarding
confirming accounts receivable, while addressing situations where it
would not be feasible for the auditor to perform confirmation
procedures or obtain relevant and reliable audit evidence for accounts
receivable by directly accessing information maintained by a
knowledgeable external source;
• States that the use of negative confirmation requests
alone does not provide sufficient appropriate audit evidence (and
includes examples of situations where the auditor may use negative
confirmation requests to supplement other substantive audit
procedures);
• Emphasizes the auditor's responsibility to maintain
control over the confirmation process and provides that the auditor is
responsible for selecting the items to be confirmed,
sending confirmation requests, and receiving confirmation responses;
and
• Identifies situations in which alternative procedures
should be performed by the auditor (and includes examples of such
alternative procedures that may provide relevant and reliable audit
evidence for a selected item).
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of the Act.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts
of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others
The Board released the proposed rules for public comment in PCAOB
Release No. 2022-009 (Dec. 20, 2022) (``2022 Proposal''). The Board
previously issued a concept release for public comment in PCAOB Release
No. 2009-002 (Apr. 14, 2009) (``2009 Concept Release'') and a proposed
auditing standard related to confirmation and related amendments to
PCAOB standards in PCAOB Release No. 2010-003 (July 13, 2010) (``2010
Proposal''). The Board received 98 written comment letters relating to
the 2022 Proposal, the 2009 Concept Release, and the 2010 Proposal. The
Board has carefully considered all comments received. The Board's
response to the comments it received and the changes made to the rules
in response to the comments received are discussed below.
Background
Information obtained by the auditor directly from knowledgeable
external sources, including through confirmation, can be an important
source of evidence obtained as part of an audit of a company's
financial statements.\1\ Confirmation has long been used by auditors.
For example, one early auditing treatise noted the importance of
confirmation for cash deposits, accounts receivable, and demand
notes.\2\ In addition, confirmation of accounts receivable has been a
required audit procedure in the United States since 1939, when the
American Institute of Accountants \3\ adopted Statement on Auditing
Procedure No. 1 (``SAP No. 1'') as a direct response to the McKesson &
Robbins fraud case, which involved fraudulently reported inventories
and accounts receivable that the independent auditors failed to detect
after performing other procedures that did not involve confirmation.\4\
---------------------------------------------------------------------------
\1\ See, e.g., paragraph 08 of AS 1105, Audit Evidence
(providing that, in general, ``[e]vidence obtained from a
knowledgeable source that is independent of the company is more
reliable than evidence obtained only from internal company
sources'').
\2\ Robert H. Montgomery, Auditing Theory and Practice 91
(confirmation of cash deposits), 263 (confirmation of accounts
receivable), and 353 (confirmation of demand notes) (1912).
\3\ The American Institute of Accountants was the predecessor to
the American Institute of CPAs (``AICPA'').
\4\ See In the Matter of McKesson & Robbins, Inc., SEC Rel. No.
34-2707 (Dec. 5, 1940).
---------------------------------------------------------------------------
SAP No. 1 required confirmation of accounts receivable by direct
communication with customers in all independent audits of financial
statements, subject to the auditor's ability to overcome the
presumption to confirm accounts receivable for certain reasons.
Following the adoption of SAP No. 1, the accounting profession also
adopted a requirement in 1942, which remained in effect until the early
1970s, that auditors should disclose in the auditor's report when
confirmation of accounts receivable was not performed. The AICPA's
subsequent revisions to its auditing standards included the
promulgation of AU sec. 330, The Confirmation Process, which was
adopted in 1991 and took effect in 1992. The PCAOB adopted AU sec. 330
(now AS 2310) as an interim standard in 2003.\5\
---------------------------------------------------------------------------
\5\ Shortly after the Board's inception, the Board adopted the
existing standards of the AICPA, as in existence on Apr. 16, 2003,
as the Board's interim auditing standards. See Establishment of
Interim Professional Auditing Standards, PCAOB Rel. No. 2003-006
(Apr. 18, 2003). AU sec. 330 was one of these auditing standards. As
of Dec. 31, 2016, the PCAOB reorganized its auditing standards using
a topical structure and a single, integrated number system, at which
time AU sec. 330 was designated AS 2310. See Reorganization of PCAOB
Auditing Standards and Related Amendments to PCAOB Standards and
Rules, PCAOB Rel. No. 2015-002 (Mar. 31, 2015).
---------------------------------------------------------------------------
The amendments to the standards for the auditor's use of
confirmation are intended to improve audit quality through
principles-based requirements that apply to all methods of confirmation and are
more expressly integrated with the Board's risk assessment standards.
These enhancements should also lead to improvements in practice,
commensurate with the associated risk, among audit firms of all sizes.
The expected increase in audit quality should also enhance the
credibility of information provided in a company's financial
statements.
Rulemaking History
The final amendments to the auditing standards reflect public
comments on a concept release and two proposals. In April 2009, the
PCAOB issued a concept release seeking public comment on the potential
direction of a standard-setting project that could result in amendments
to the PCAOB's existing standard on the confirmation process or a new
auditing standard that would supersede the existing standard.\6\ The
2009 Concept Release discussed existing requirements and posed
questions about potential amendments to those requirements.
---------------------------------------------------------------------------
\6\ Concept Release on Possible Revisions to the PCAOB's
Standard on Audit Confirmations, PCAOB Rel. No. 2009-002 (Apr. 14,
2009).
---------------------------------------------------------------------------
In July 2010, the PCAOB proposed an auditing standard that, if
adopted, would have superseded the existing confirmation standard.\7\
The 2010 Proposal was informed by comments on the 2009 Concept Release
and was intended to strengthen the existing standard by, among other
things, expanding certain requirements and introducing new
requirements. In general, commenters on the 2010 Proposal supported
updating the existing standard to address relevant developments in
audit practice, including greater use of emailed confirmation requests
and responses and the involvement of third-party intermediaries. At the
same time, some commenters asserted that the proposed requirements in
the 2010 Proposal were unduly prescriptive (i.e., included too many
presumptively mandatory requirements) and would result in a significant
increase in the volume of confirmation requests without a corresponding
increase in the quality of audit evidence obtained by the auditor. The
PCAOB did not adopt the 2010 Proposal.
---------------------------------------------------------------------------
\7\ Proposed Auditing Standard Related to Confirmation and
Related Amendments to PCAOB Standards, PCAOB Rel. No. 2010-003 (July
13, 2010).
---------------------------------------------------------------------------
In December 2022, the Board issued a proposed auditing standard to
improve the quality of audits when confirmation is used by the auditor
and to reflect changes in the means of communication and in business
practice since the standard was originally issued.\8\ The 2022 Proposal
was informed by comments on the 2009 Concept Release and 2010 Proposal
and specified the auditor's responsibilities regarding the confirmation
process. The Board received 46 comment letters on the 2022 Proposal
from commenters across a range of affiliations. Those comments
are discussed throughout this release. Commenters on the 2022 Proposal
generally expressed support for the project's objective and suggested
ways to revise or clarify the proposed standard. The Board considered
the comments on the 2022 Proposal, as well as on the 2009 Concept
Release and the 2010 Proposal, in developing the final amendments.\9\
The Board also considered observations from PCAOB oversight activities.
---------------------------------------------------------------------------
\8\ Proposed Auditing Standard--The Auditor's Use of
Confirmation, and Other Proposed Amendments to PCAOB Standards,
PCAOB Rel. No. 2022-009 (Dec. 20, 2022). In this exhibit, the term
``proposed standard'' refers to the proposed auditing standard
relating to the auditor's use of confirmation as described in the
2022 Proposal.
\9\ The comment letters received on the 2009 Concept Release,
2010 Proposal, and 2022 Proposal are available in the docket for
this rulemaking on the PCAOB's website (https://pcaobus.org/Rulemaking/Pages/Docket028Comments.aspx).
---------------------------------------------------------------------------
Existing Standard
This section discusses key provisions of the existing PCAOB
auditing standard on the confirmation process.
In 2003, the PCAOB adopted the standard now known as AS 2310 (at
that time, AU sec. 330), when it adopted the AICPA's standards then in
existence. Existing AS 2310 indicates that confirmation is the process
of obtaining and evaluating a direct communication from a third party
in response to a request for information about a particular item
affecting financial statement assertions.\10\ For example, an auditor
might request a company's customers to confirm balances owed at a
certain date, or request confirmation of a company's accounts or loans
payable to a bank at a certain date.
---------------------------------------------------------------------------
\10\ Under PCAOB standards, financial statement assertions can
be classified into the following categories: existence or
occurrence, completeness, valuation or allocation, rights and
obligations, and presentation and disclosure. See, e.g., AS 1105.11.
---------------------------------------------------------------------------
Key provisions of existing AS 2310 include the following:
• A presumption that the auditor will request confirmation
of accounts receivable. The standard states that confirmation of
accounts receivable is a generally accepted auditing procedure and
provides the situations in which the auditor may overcome the
presumption.
• Procedures for designing the confirmation request,
including the requirement that the auditor direct the confirmation
request to a third party who the auditor believes is knowledgeable
about the information to be confirmed.
• Procedures relating to the use of both positive and
negative confirmation requests. A positive confirmation request directs
the recipient to send a response back to the auditor stating the
recipient's agreement or disagreement with information stated in the
request, or furnishing requested information. A negative confirmation
request directs the recipient to respond back to the auditor only when
the recipient disagrees with information in the auditor's request. The
standard states that ``[n]egative confirmation requests may be used to
reduce audit risk to an acceptable level when (a) the combined assessed
level of inherent and control risk is low, (b) a large number of small
balances is involved, and (c) the auditor has no reason to believe that
the recipients of the requests are unlikely to give them
consideration.'' \11\ If negative confirmation requests are used, the
auditor should consider performing other substantive procedures to
supplement their use.\12\
---------------------------------------------------------------------------
\11\ See AS 2310.20.
\12\ Id.
---------------------------------------------------------------------------
• A requirement for the auditor to maintain control over
confirmation requests and responses by establishing direct
communication between the intended recipient and the auditor.
• Procedures to consider when the auditor does not receive a
written confirmation response via return mail, including how the
auditor should evaluate the reliability of oral and facsimile responses
to written confirmation requests. The standard provides that, when
confirmation responses are in other than a written format mailed to the
auditor, additional evidence may be necessary to establish the validity
of the respondent.
• A requirement that the auditor should perform alternative
procedures when the auditor has not received a response to a positive
confirmation request.
• Requirements for the auditor's evaluation of the results
of confirmation procedures and any alternative procedures performed by
the auditor. These provisions include the requirement that, if the
combined evidence provided by confirmation, alternative procedures, and
other procedures is not sufficient, the auditor should request
additional confirmations or extend other tests, such as tests of
details or analytical procedures.
Current Practice
This section discusses the Board's understanding of current
practice based on, among other things, observations from oversight
activities of the Board and SEC enforcement actions.
Overview of Current Practice
The audit confirmation process touches nearly every financial
statement audit conducted under PCAOB auditing standards. This is due
in part to the presumption in existing AS 2310 that the auditor will
confirm accounts receivable, which include claims against customers
that have arisen from the sale of goods or services in the normal
course of business and a financial institution's loans, unless certain
exemptions apply. In addition, audit methodologies of many larger audit
firms affiliated with global networks recommend or require confirming
cash accounts. In the past, the use of confirmation was a common
practice for auditing a financial institution's customer deposits. In
recent years, however, there has been an increased wariness about
phishing attempts by unauthorized parties aimed at obtaining sensitive
personal or financial information of customers. As a result, some
customers might not understand or trust an unsolicited confirmation
request from an auditor and, indeed, many financial institutions and
other companies now advise customers not to reply to unsolicited
correspondence concerning their accounts or other customer
relationships.\13\
---------------------------------------------------------------------------
\13\ Situations that involve using audit procedures other than
confirmation and situations where companies adopt the policy of
responding to electronic confirmation requests from auditors only
through an intermediary are discussed later in this exhibit.
---------------------------------------------------------------------------
Existing AS 2310 was written at a time when paper-based
confirmation requests and responses were the prevailing means of
communication. Since then, emailed confirmation requests and responses,
and the use of technology-enabled confirmation tools, including the use
of intermediaries to facilitate the confirmation process, have become
commonplace. For example, numerous financial institutions in the United
States, and an increasing number of international banks, mandate the
use of an intermediary as part of the confirmation process and will not
otherwise respond to an auditor's confirmation request.
As noted above, existing AS 2310 provides that the auditor should
maintain control over the confirmation process. In practice, complying
with this requirement involves the auditor directly sending the
confirmation request to the confirming party via mail or email, without
involving company personnel. The auditor's confirmation request
generally specifies that any correspondence should be sent directly to
the auditor's location (or email address) to minimize the risk of
interference by company personnel. When an intermediary facilitates
direct electronic communications between the auditor and the confirming
party, the auditor is still required to maintain control over the
confirmation process. Procedures performed by audit firms to address
this requirement vary depending on facts and circumstances.
Some auditors have used a report on controls at a service organization
(``SOC report'') to evaluate the design and operating effectiveness of
the intermediary's controls relevant to sending and receiving
confirmations.
Under the existing standard, auditors can use positive confirmation
requests and, provided certain conditions are met, negative
confirmation requests. A positive confirmation request either asks the
recipient to respond directly to the auditor about whether the
recipient agrees with information that is stated in the request or asks
the recipient to provide the requested information by filling in a
blank form. In comparison, a negative confirmation request directs the
recipient to respond only when the recipient disagrees with the
information included in the request. In practice, negative confirmation
requests have typically been used to obtain audit evidence related to
the completeness of deposit liabilities and other accounts of a similar
nature and, less frequently, to obtain evidence related to the
existence of accounts receivable. In some cases, auditors use a
combination of positive and negative confirmation requests.
Observations From Inspections and Enforcement Actions
This section discusses observations from PCAOB oversight activities
and SEC enforcement actions, including (1) PCAOB inspections of
registered public accounting firms (``firms'') and (2) enforcement
actions relating to deficient confirmation procedures performed by the
auditor. These observations have informed the Board's view that
providing greater clarity as the Board strengthens the requirements
could result in improved compliance by auditors.
Inspections. Over the past several years, PCAOB inspections
indicated that some auditors did not fulfill their responsibilities
under the existing standard when performing confirmation procedures.
The shortcomings have been noted at large and small domestic firms, and
at large firms with domestic and international practices. For example,
some auditors did not: (1) consider performing procedures to verify the
source of confirmation responses received electronically; (2) perform
sufficient alternative procedures; (3) restrict the use of negative
confirmation requests to situations where the risk of material
misstatement was assessed as low; or (4) maintain appropriate control
over the confirmation process, including instances where company
personnel were involved in either sending or receiving confirmations.
The PCAOB has also continued to monitor developments relating to
the use of confirmation through its other oversight and research
activities. For example, in 2021, the PCAOB staff issued a Spotlight
discussing, among other things, the use of technology in the
confirmation process.\14\ In addition, in 2022, the PCAOB staff issued
a Spotlight that specifically discussed observations and reminders on
the use of a service provider in the confirmation process.\15\
---------------------------------------------------------------------------
\14\ See Spotlight: Data and Technology Research Project Update
(May 2021), available at https://pcaobus.org/resources/staff-publications.
\15\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
Enforcement actions. Over the years, there have been a number of
enforcement actions by the PCAOB and the SEC alleging that auditors
failed to comply with PCAOB standards related to the confirmation
process. Enforcement actions have been brought against large and small
firms, and against U.S. and non-U.S. firms.
For example, PCAOB enforcement cases have involved allegations that
auditors failed to: (1) perform appropriate confirmation procedures to
address a fraud risk; \16\ (2) adequately respond to contradictory
audit evidence obtained from confirmation procedures; \17\ (3) perform
appropriate confirmation procedures and alternative procedures for
accounts receivable; \18\ or (4) maintain proper control over the
confirmation process.\19\
---------------------------------------------------------------------------
\16\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No.
105-2020-012 (Sept. 24, 2020); In the Matter of Whitley Penn LLP, PCAOB
Rel. No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the
Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No. 105-2015-009
(Apr. 28, 2015).
\17\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No.
105-2020-012 (Sept. 24, 2020); In the Matter of Ronald R. Chadwick,
P.C., PCAOB Rel. No. 105-2015-009 (Apr. 28, 2015); In the Matter of
Price Waterhouse, Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5,
2011).
\18\ See, e.g., In the Matter of Whitley Penn LLP, PCAOB Rel.
No. 105-2020-002 (Mar. 24, 2020); In the Matter of PMB Helin
Donovan, LLP, PCAOB Rel. No. 105-2019-031 (Dec. 17, 2019); In the
Matter of Wander Rodrigues Teles, PCAOB Rel. No. 105-2017-007 (Mar.
20, 2017); In the Matter of Ronald R. Chadwick, P.C., PCAOB Rel. No.
105-2015-009 (Apr. 28, 2015); In the Matter of Price Waterhouse,
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
\19\ See, e.g., In the Matter of Marcum LLP, PCAOB Rel. No.
105-2020-012 (Sept. 24, 2020); In the Matter of Price Waterhouse,
Bangalore, PCAOB Rel. No. 105-2011-002 (Apr. 5, 2011).
---------------------------------------------------------------------------
In several confirmation-related enforcement cases, the SEC alleged
that the deficient confirmation procedures by the auditors involved
companies that had engaged in widespread fraud, where properly
performed confirmation procedures might have led to the detection of
the fraudulent activity.\20\ Further, in a number of proceedings, the
SEC alleged that confirmation procedures were not properly designed
\21\ or, more frequently, that the auditors failed to adequately
evaluate responses to confirmation requests and perform alternative or
additional procedures in light of exceptions, nonresponses, or
responses that should have raised issues as to their reliability or the
existence of undisclosed related parties.\22\ Several of these
proceedings were brought in recent years, suggesting that problems
persist in this area.
---------------------------------------------------------------------------
\20\ See, e.g., In the Matter of CohnReznick LLP, SEC Rel.
No. 34-95066 (June 8, 2022); In the Matter of Ravindranathan
Raghunathan, CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the
Matter of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In
the Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP
A/K/A Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In
the Matter of William Joseph Kouser Jr., CPA, SEC Rel. No. 34-80370
(Apr. 4, 2017).
\21\ See, e.g., In the Matter of RSM US LLP, SEC Rel. No.
34-95948 (Sept. 30, 2022); In the Matter of Ravindranathan Raghunathan,
CPA, SEC Rel. No. 34-93133 (Sept. 27, 2021); In the Matter of
Winter, Kloman, Moter & Repp, S.C., SEC Rel. No. 34-83168 (May 4,
2018); In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No.
34-80918 (June 14, 2017).
\22\ See, e.g., In the Matter of Jason Jianxun Tang, CPA, SEC
Rel. No. 34-96347 (Nov. 17, 2022); In the Matter of Steven Kirn,
CPA, SEC Rel. No. 34-95949 (Sept. 30, 2022); In the Matter of
Friedman LLP, SEC Rel. No. 34-95887 (Sept. 23, 2022); In the Matter
of Mancera, S.C., SEC Rel. No. 34-90699 (Dec. 17, 2020); In the
Matter of Schulman Lobel Zand Katzen Williams & Blackman, LLP A/K/A
Schulman Lobel LLP, SEC Rel. No. 34-88653 (Apr. 15, 2020); In the
Matter of Anton & Chia, LLP, SEC Rel. No. 34-87033 (Sept. 20, 2019);
In the Matter of Edward Richardson, Jr., CPA, SEC Rel. No. 34-80918
(June 14, 2017); In the Matter of William Joseph Kouser Jr., CPA,
SEC Rel. No. 34-80370 (Apr. 4, 2017).
---------------------------------------------------------------------------
Reasons To Improve Auditing Standards
The amendments to PCAOB standards being adopted are intended to
enhance audit quality by clarifying and strengthening the requirements
for the auditor's use of confirmation. The final amendments are also
more expressly integrated with the PCAOB's risk assessment standards by
incorporating certain risk-based considerations and emphasizing the
auditor's responsibilities for obtaining relevant and reliable audit
evidence through the confirmation process. The Board believes that
these improvements will enhance both audit quality and the credibility
of the information provided in a company's financial statements.
Areas of Improvement
The Board has identified two important areas where improvements are
warranted to existing standards, discussed below: (1) updating the
standards to reflect developments in
[[Page 71688]]
practice and (2) clarifying the auditor's responsibilities to evaluate
the reliability of evidence obtained through confirmation responses.
Updating the Standards To Reflect Developments in Practice
The new standard supports the auditor's use of electronic forms of
communication between the auditor and the confirming party. Since the
AICPA standard on the confirmation process adopted by the PCAOB took
effect in 1992, there has been a significant change in the auditing
environment and the means by which an auditor communicates with
confirming parties. Emails and other forms of electronic communications
between auditors and confirming parties have become ubiquitous, and
third-party intermediaries now often facilitate the electronic
transmission of confirmation requests and responses between auditors
and confirming parties.
In addition, the Board believes its auditing standards should allow
for continued innovation by auditors in the ways they obtain audit
evidence. Traditionally, auditors have used confirmation in
circumstances where reliable evidence about financial statement
assertions could be obtained directly from a third party that transacts
with the company (e.g., to confirm the existence of cash or accounts
receivable). Generally, audit evidence obtained directly from
knowledgeable external sources, including through confirmation, has
been viewed as more reliable than evidence obtained through other audit
procedures available to the auditor,\23\ especially where the auditor
identified a risk of fraud, chose not to test controls, or determined
that controls could not be relied on.\24\
---------------------------------------------------------------------------
\23\ The confirmation process involves obtaining audit evidence
from a confirming party. Under PCAOB standards, in general, evidence
obtained from a knowledgeable source that is independent from the
company is more reliable than evidence obtained only from internal
company sources. See, e.g., AS 1105.08.
\24\ See, e.g., Staff Audit Practice Alert No. 8, Audit Risks in
Certain Emerging Markets (Oct. 3, 2011) (``SAPA No. 8'') at 11
(stating that, when an auditor has identified fraud risks relating
to a company's bank accounts or amounts due from customers, ``it is
important for the auditor to confirm amounts included in the
company's financial statements directly with a knowledgeable
individual from the bank or customer who is objective and free from
bias with respect to the audited entity rather than rely solely on
information provided by the company's management''). The
requirements of the new standard are consistent with the guidance in
SAPA No. 8, which auditors should continue to consider when using
confirmations to address fraud risks in emerging markets.
---------------------------------------------------------------------------
The PCAOB staff's research indicates that some audit firms may have
developed or may yet develop audit techniques that enable the auditor
to obtain relevant and reliable audit evidence for the same assertions
by performing substantive audit procedures that do not include
confirmation, as discussed in more detail below. To reflect these
developments, the new standard allows the performance of other
procedures in lieu of confirmation for cash and accounts receivable in
situations where the auditor can obtain relevant and reliable audit
evidence by directly accessing information maintained by knowledgeable
external sources. Further, the new standard acknowledges that, in
certain situations, it may not be feasible for the auditor to obtain
audit evidence for accounts receivable directly from a knowledgeable
external source and provides that in those situations the auditor
should obtain external information indirectly by performing other
substantive procedures, including tests of details.
Clarifying the Auditor's Responsibilities To Evaluate the Reliability
of Confirmation Responses
While information obtained through the confirmation process can be
an important source of audit evidence, the confirmation process must be
properly executed for the evidence obtained to be relevant and
reliable. The enforcement actions discussed above and other recent
high-profile financial reporting frauds have also called attention to
the importance of well-executed confirmation procedures, including the
confirmation of cash.\25\ In addition, PCAOB oversight activities have
identified instances in which auditors did not obtain sufficient
appropriate audit evidence when using confirmation. Accordingly, the
new standard includes a new requirement to confirm certain cash
balances and clarifies the auditor's responsibilities to evaluate the
reliability of evidence obtained through confirmation responses (and,
when necessary, to obtain audit evidence through alternative
procedures).
---------------------------------------------------------------------------
\25\ See, e.g., In the Matter of Mancera, S.C., SEC Rel. No.
34-90699 (Dec. 17, 2020) (failure by auditors to properly evaluate
confirmation responses to requests for information on cash balances
of a Mexican homebuilder subsequently found to have engaged in a
``multi-billion dollar financial fraud''). See also Olaf Storbeck,
Tabby Kinder, and Stefania Palma, EY failed to check Wirecard bank
statements for 3 years, Financial Times (June 26, 2020) (potential
failure by auditors to confirm cash balances purportedly held by
Wirecard AG, a German company whose securities were not registered
with the SEC, directly with a Singapore-based bank).
---------------------------------------------------------------------------
Comments on the Reasons for Standard Setting
Many commenters on the 2022 Proposal broadly expressed support for
revisions to the Board's standard on the auditor's use of confirmation
to reflect developments in practice since the AICPA standard on the
confirmation process adopted by the PCAOB took effect in 1992. A number
of commenters also agreed that the standard on the auditor's use of
confirmation should be more closely aligned with the Board's risk
assessment standards. In addition, some commenters stated that updates
to the PCAOB's standard on the auditor's use of confirmation would be
generally consistent with their prior recommendations to the Board that
the Board modernize its interim auditing standards. Other commenters
suggested that the Board should also engage in additional outreach with
investors or that it consider other mechanisms to engage with
stakeholders prior to the adoption of standards, such as roundtables
and pre-implementation ``field testing'' of proposed standards.
In addition, several commenters expressed support for the
proposition that the PCAOB's auditing standards should allow for
continued innovation by auditors in the ways they obtain audit
evidence. These commenters generally stated that standards should be
written to evolve with future technologies, including new methods of
confirmation that may arise from technological changes in auditing in
the future. A few commenters stated that the 2022 Proposal provided
flexibility to respond to the current use of technology in the audit
process, or left enough room for judgment-based application for further
advances in technology. In comparison, some commenters stated that the
proposed standard was not sufficiently forward-looking. Several
commenters cautioned against more explicitly addressing the use of
technology (i.e., by adding prescriptive requirements), noting that
doing so might not allow the standard to age effectively with time and
innovation.
Several commenters broadly expressed support for the Board's goal,
as described in the 2022 Proposal, of improving the quality of audit
evidence obtained by auditors when using confirmation. One of these
commenters stated that it was critical that confirmation requests are
properly designed and that confirmation responses are appropriately
evaluated, especially when there are confirmation exceptions or
concerns about their reliability. In addition, other commenters
generally expressed
[[Page 71689]]
support for the proposed requirements and stated they would lead to
improvements in audit quality. A number of commenters, primarily firms
and firm-related groups, asserted that certain requirements in the 2022
Proposal were unduly prescriptive and that the final standard should be
more principles-based and risk-based to allow for more auditor
judgment. In comparison, an investor-related group suggested that the
Board remind auditors that, in exercising professional judgment, their
judgments must be reasonable, careful, documented, and otherwise in
compliance with applicable professional requirements.
In adopting the new standard, the Board has considered these
comments on the 2022 Proposal, as well as the comments received on the
2010 Proposal and the 2009 Concept Release. Based on the information
available to the Board--including the current regulatory baseline,
observations from our oversight activities, academic literature, and
comments--the Board believes that investors will benefit from
strengthened and clarified auditing standards in this area. To the
extent that commenters provided comments or expressed concerns about
specific aspects of the proposed revisions to the Board's existing
standard on the auditor's use of confirmation, the Board's
consideration of these comments is discussed further below and
elsewhere in this exhibit. While the Board does not expect that the new
standard will eliminate inspection deficiencies observed in practice,
it is intended to clarify the auditor's responsibilities and align the
requirements for the use of confirmation more closely with the PCAOB's
risk assessment standards.
The new standard also reflects several changes that were made after
the Board's consideration of comments received about the potential
impact of the proposed new standard on auditors, issuers, and
intermediaries. In addition, some commenters called for a broader
alignment of PCAOB standards with standards issued by other standard
setters, namely the International Auditing and Assurance Standards
Board (``IAASB'') and the AICPA's Auditing Standards Board (``ASB''). A
few commenters stated that PCAOB standards should be harmonized with
IAASB standards, in the interest of global comparability, and, in the
view of one commenter, with ASB standards. A few commenters stated that
the Board should provide robust and detailed explanations of
differences between PCAOB standards and the standards of other standard
setters. One commenter indicated that the dual standard-setting
structure in the United States (i.e., the existence of both PCAOB and
ASB standards) creates issues that could erode audit quality.
The Board carefully considered the approaches of other standard
setters when developing the 2022 Proposal, and the new standard
reflects the approach that the Board believes best protects investors
and furthers the public interest. As a result, certain differences will
continue to exist between the Board's new standard and those of other
standard setters, including a number of provisions that the Board
believes are appropriate and consistent with its statutory mandate to
protect the interests of investors and further the public interest.
Discussion of Final Rules
Overview of New Standard
The new standard replaces existing AS 2310 in its entirety. The
provisions of the new standard the Board has adopted are intended to
strengthen existing requirements for the auditor's use of confirmation.
Key aspects of the new standard:
- Include principles-based requirements that are designed to
apply to all methods of confirmation. The new standard is designed to
enhance requirements that apply to longstanding methods, such as the
use of paper-based confirmation requests and responses sent via regular
mail; methods that involve electronic means of communications, such as
the use of email or an intermediary to facilitate direct electronic
transmission of confirmation requests and responses; and methods that
are yet to emerge, thus encouraging audit innovation.
- Expressly integrate the requirements for the auditor's use
of confirmation with the requirements of the Board's risk assessment
standards, including AS 1105. The new standard specifies certain
risk-based considerations and emphasizes the auditor's responsibilities for
obtaining relevant and reliable audit evidence when performing
confirmation procedures.
- Emphasize the use of confirmation procedures in certain
situations. The new standard adds a new requirement that the auditor
should perform confirmation procedures for cash held by third parties,
carries forward an existing requirement that the auditor should perform
confirmation procedures for accounts receivable, and adds a new
provision that the auditor may otherwise obtain audit evidence by
directly accessing information maintained by a knowledgeable external
source for cash and accounts receivable. In addition, the new standard
carries forward an existing requirement to consider confirming the
terms of certain other transactions.
- Address situations in which it would not be feasible for
the auditor to obtain information directly from a knowledgeable
external source. The new standard provides that if it would not be
feasible for the auditor to obtain audit evidence directly from a
knowledgeable external source for accounts receivable, the auditor
should perform other substantive audit procedures, including tests of
details, that involve obtaining audit evidence from external sources
indirectly.
- Communicate to the audit committee certain audit responses
to significant risks. Under the new standard, for significant risks
associated with cash or accounts receivable, the auditor is required to
communicate with the audit committee when the auditor did not perform
confirmation procedures or otherwise obtain audit evidence by directly
accessing information maintained by a knowledgeable external source.
- Reflect the relatively insignificant amount of audit
evidence obtained when using negative confirmation requests. Under the
new standard, the use of negative confirmation requests may provide
sufficient appropriate audit evidence only when combined with other
substantive audit procedures. The new standard includes examples of
situations in which the use of negative confirmation requests in
combination with other substantive audit procedures may provide
sufficient appropriate audit evidence.
- Emphasize the auditor's responsibility to maintain control
over the confirmation process. The new standard states that the auditor
should select the items to be confirmed, send confirmation requests,
and receive confirmation responses.
- Provide more specific direction for circumstances where
the auditor is unable to obtain relevant and reliable audit evidence
through confirmation. The new standard identifies situations where
other procedures should be performed by the auditor as an alternative
to confirmation. The new standard also includes examples of alternative
procedures that individually or in combination may provide relevant and
reliable audit evidence.
Introduction and Objective
(See paragraphs .01 and .02 of the new standard).
[[Page 71690]]
The 2022 Proposal included requirements for the auditor's use of
confirmation. As discussed in the proposal, the confirmation process
involves selecting one or more items to be confirmed, sending a
confirmation request directly to a confirming party, evaluating the
information received, and addressing nonresponses and incomplete
responses to obtain audit evidence about one or more financial
statement assertions. Confirmation is one of the specific audit
procedures described in PCAOB standards that an auditor could perform
when addressing a risk of material misstatement.\26\ As is the case
with other audit procedures, information obtained through confirmation
may support and corroborate management's assertions or it may
contradict such assertions.\27\
---------------------------------------------------------------------------
\26\ See, e.g., AS 1105.14 and .18.
\27\ See AS 1105.02.
---------------------------------------------------------------------------
Under the 2022 Proposal, the auditor's objective in designing and
executing the confirmation process was to obtain relevant and reliable
audit evidence about one or more relevant financial statement
assertions of a significant account or disclosure.\28\ Existing AS 2310
does not include an objective.
---------------------------------------------------------------------------
\28\ An account or disclosure is a significant account or
disclosure if there is a reasonable possibility that the account or
disclosure could contain a misstatement that, individually or when
aggregated with others, has a material effect on the financial
statements, considering the risks of both overstatement and
understatement. See footnote 33 of AS 2110, Identifying and
Assessing Risks of Material Misstatement; paragraph .A10 of AS 2201,
An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------
As discussed below, the Board has modified the introduction and
objective in the proposed standard in several respects.
A number of commenters stated that the objective of the proposed
standard was clear. One commenter stated that the objective should be
to provide requirements and guidance in situations where the auditor,
as a result of its risk-assessment procedures, determines that
confirmation procedures provide an appropriate response to one or more
assertions related to an identified risk of material misstatement.
Another commenter asserted that the objective in the proposed standard
did not result in greater clarity than the proposed objective in the
2010 Proposal and created a wider gap between the PCAOB's standards and
the equivalent standard of the IAASB.
Having considered these comments, the Board has revised the
introduction to provide that the new standard establishes requirements
regarding obtaining audit evidence from a knowledgeable external source
through the auditor's use of confirmation. The introduction further
states that the new standard includes additional requirements regarding
obtaining audit evidence for cash, accounts receivable, and terms of
certain transactions. The Board believes that this language more
clearly aligns with the approach to the auditor's use of confirmation
in the new standard and the inclusion of specific requirements in the
new standard with respect to cash, accounts receivable, and terms of
certain transactions.
In addition, the Board has added the phrase ``from a knowledgeable
external source'' to the objective, such that the new standard provides
that the objective of the auditor in designing and executing the
confirmation process is to obtain relevant and reliable audit evidence
from a knowledgeable external source about one or more relevant
financial statement assertions of a significant account or disclosure.
This language underscores that, when properly designed and executed,
the confirmation process involves obtaining audit evidence regarding
specific items from a knowledgeable external source. A knowledgeable
external source, as referred to in the new standard, generally is a
third party who the auditor believes has knowledge of the information
that may be used as audit evidence. To the extent that this objective
differs from the objective in standards adopted by other
standard-setting bodies on the auditor's use of confirmation, the Board believes
it appropriately reflects the Board's approach in the new standard and
is consistent with its statutory mandate to protect the interests of
investors and further the public interest. The next section of this
exhibit further discusses the relationship of the confirmation process
to the auditor's identification and assessment of, and response to, the
risks of material misstatement.
Relationship of the Confirmation Process to the Auditor's
Identification and Assessment of and Response to the Risks of Material
Misstatement
(See paragraphs .03-.07 of the new standard).
When an auditor uses confirmation, the auditor should be mindful
of, and comply with, the existing obligation to exercise due
professional care in all matters relating to the audit.\29\ Due
professional care requires the auditor to exercise professional
skepticism, which is an attitude that includes a questioning mind and a
critical assessment of audit evidence. Professional skepticism should
be exercised throughout the audit process,\30\ including when
identifying information to confirm, identifying confirming parties,
evaluating confirmation responses, and addressing nonresponses. The
requirements related to exercising professional skepticism, in
combination with requirements in other PCAOB standards, are designed to
reduce the risk of confirmation bias, a phenomenon wherein decision
makers have been shown to actively seek out and assign more weight to
evidence that confirms their hypothesis, and ignore or assign less
weight to evidence that could disconfirm their hypothesis.\31\
---------------------------------------------------------------------------
\29\ See AS 1015, Due Professional Care in the Performance of
Work. The Board currently has a separate standard-setting project to
reorganize and consolidate a group of interim standards adopted by
the Board in Apr. 2003, including AS 1015. See Proposed Auditing
Standard--General Responsibilities of the Auditor in Conducting an
Audit and Proposed Amendments to PCAOB Standards, PCAOB Rel. No.
2023-001 (Mar. 28, 2023).
\30\ See AS 1015.07-.08.
\31\ For a discussion of confirmation bias, see, e.g., Raymond
S. Nickerson, Confirmation Bias: A Ubiquitous Phenomenon in Many
Guises, 2 Review of General Psychology, 175 (1998).
---------------------------------------------------------------------------
The 2022 Proposal described how the proposed standard would work in
conjunction with the PCAOB standards on risk assessment. AS 2110
establishes requirements regarding the process of identifying and
addressing the risks of material misstatement of the financial
statements, and AS 2301, The Auditor's Responses to the Risks of
Material Misstatement, establishes requirements regarding designing and
implementing appropriate responses to the risks of material
misstatement. Fundamental to the PCAOB's risk assessment standards is
the concept that as risk increases, so does the amount of evidence that
the auditor should obtain.\32\ Further, evidence obtained from a
knowledgeable external source generally is more reliable than evidence
obtained only from internal company sources.\33\
---------------------------------------------------------------------------
\32\ See AS 1105.05.
\33\ See AS 1105.08.
---------------------------------------------------------------------------
Where the auditor uses confirmation as part of the auditor's
response, the 2022 Proposal addressed the auditor's responsibilities
for designing and executing the confirmation process to obtain relevant
and reliable audit evidence. When properly designed and executed, the
confirmation process can be an effective and efficient way of obtaining
relevant and reliable external audit evidence, including in situations
where the auditor identifies an elevated risk of material misstatement
due to error or fraud.
[[Page 71691]]
The 2022 Proposal also recognized that performing confirmation
procedures can effectively and efficiently provide evidential matter
about certain financial statement assertions, including existence,
occurrence, completeness, and rights and obligations. For example,
confirmation may provide audit evidence related to the existence of
cash, accounts receivable, and financial instruments, or the
completeness of debt. However, the confirmation process generally
provides less relevant evidence about the valuation assertion (e.g.,
the confirming party may not intend to repay in full the amount owed,
or the custodian may not know the value of shares held in custody).
Confirmation could also be used to obtain audit evidence about the
terms of contractual arrangements (e.g., by verifying supplier
discounts or concessions, corroborating sales practices, or
substantiating oral arrangements and guarantees). Information in
confirmation responses may indicate the existence of related parties,
or relationships or transactions with related parties, previously
undisclosed to the auditor.
The Board also observed in the 2022 Proposal that, in some
situations, an auditor may determine that evidence obtained through
confirmation may constitute sufficient appropriate audit evidence for a
particular assertion, while in other situations performing other audit
procedures in addition to confirmation may be necessary to obtain
sufficient appropriate audit evidence. For example, for significant
unusual sales transactions and the resulting accounts receivable
balances, an auditor might confirm significant terms of the
transactions and the receivable balances with the transaction
counterparties and perform additional substantive procedures, such as
examination of shipping documents and subsequent cash receipts.
Determining the nature, timing, and extent of confirmation procedures,
and any other additional audit procedures, is part of designing and
implementing the auditor's response to the assessed risk of material
misstatement.
The Board adopted the provisions in the 2022 Proposal that address
the relationship of the confirmation process to the auditor's
identification and assessment of and response to the risks of material
misstatement, with certain modifications discussed below.
Overall, commenters expressed support for aligning the proposed
standard on confirmation with the PCAOB's existing risk assessment
standards. Several commenters stated that they had not identified
changes needed to the proposed standard to align further with the
PCAOB's risk assessment standards. Other commenters, as discussed
below, called for various changes to the proposed provisions:
Several commenters suggested that there could be further
alignment of the 2022 Proposal with the risk assessment standards to
enable the level of risk to drive the nature of the audit response. A
number of commenters asserted that the 2022 Proposal included certain
prescriptive requirements for the confirmation process, regardless of
the assessed level of risk, and that those provisions could detract
from the auditor's ability to apply professional judgment to determine
the appropriate audit response. Consistent with the objective of the
new standard, the requirements under the new standard apply to a
significant account or disclosure.\34\ The new standard thus does not
establish a presumption to confirm cash or accounts receivable if the
auditor has not determined cash or accounts receivable to be a
significant account. The auditor may choose to perform confirmation
procedures, however, in situations other than those specifically
addressed in paragraphs .24 through .30 of the new standard. The new
standard does not otherwise prescribe the timing or extent of
confirmation procedures, which are discussed as part of the auditor's
response to the risks of material misstatement in AS 2301.
---------------------------------------------------------------------------
\34\ AS 2110.59e directs the auditor to identify significant
accounts and disclosures and their relevant assertions.
---------------------------------------------------------------------------
Several commenters stated that paragraphs .06 and .07 of
the proposed standard overly emphasized confirmation as being the most
persuasive substantive audit procedure, with any other procedure
thereby viewed as being less persuasive. One commenter asserted that
the 2022 Proposal appeared to be premised on an assumption that
third-party confirmations represent ``first best'' audit evidence,
regardless of the facts and circumstances. In addition, one commenter
questioned whether the Board intended for confirmation to be used
whenever possible to obtain evidence. Having considered these comments,
the Board has made several changes in the new standard to clarify
certain provisions. In the new standard, the Board has revised
paragraph .06, which discusses obtaining audit evidence from
knowledgeable external sources, to emphasize the source of the audit
evidence, rather than the type of audit procedure performed. The Board
understands that advances in technology, as well as changes in
attitudes towards confirmation (e.g., the potential hesitation of
confirming parties to reply to a confirmation request from auditors
because of the concern of falling victim to a phishing attack), have
led auditors to perform other types of audit procedures that can
provide relevant and reliable external evidence.
Some commenters stated that the proposed standard could
give rise to unrealistic expectations about confirmation procedures
effectively addressing the risk of material misstatement due to fraud
in all circumstances. While the Board does not believe that the new
standard creates an unrealistic expectation about audit evidence
obtained through confirmation, the appropriate focus of the auditor
should be the obligation to obtain relevant and reliable audit
evidence. Accordingly, the Board did not adopt paragraph .07 of the
proposed standard, which had provided that ``in situations involving
fraud risks and significant unusual transactions, audit evidence
obtained through the confirmation process generally is more persuasive
than audit evidence obtained solely through other procedures.''
Several commenters recommended that the standard address
the current and anticipated use of technology to enable auditors to
obtain sufficient appropriate audit evidence through performing audit
procedures other than confirmation. Some commenters provided examples
of using technology-based procedures in lieu of confirmations,
including accessing company balances directly at the relevant financial
institution and testing internal data against external data sources
using audit data analytics. The Board considered these comments in
developing the new standard. In particular, as discussed below, the new
standard includes a presumption for the auditor to confirm cash and
accounts receivable, or otherwise obtain relevant and reliable audit
evidence for these accounts by directly accessing information
maintained by a knowledgeable external source.
One commenter suggested that the note to paragraph .05 of
the proposed standard should also direct the auditor to take into
account internal controls over cash, including segregation of duties,
when there are side agreements to revenue transactions. The Board did
not make this change in the new standard. The Board notes that internal
control considerations are addressed by existing PCAOB standards, which
[[Page 71692]]
require obtaining an understanding of the company's controls when
assessing the risk of material misstatement and identifying and testing
certain controls when the auditor plans to rely on controls to respond
to the assessed risk.\35\ The auditor would consider controls over cash
when performing these procedures.
---------------------------------------------------------------------------
\35\ See, e.g., AS 2110 and AS 2301.
---------------------------------------------------------------------------
With respect to the examples of assertions in paragraph
.06 of the proposed standard, one commenter asserted that a final
standard should more fully explain that a confirmation generally serves
to test the assertion of existence, but does not serve to test other
assertions such as valuation, including collectability. The Board did
not incorporate such language in the new standard because it believes
that limiting the use of confirmation to the existence assertion would
be overly prescriptive and might disallow use of confirmation in other
situations where the auditor has determined that confirmation could be
used to obtain relevant and reliable information to test other
assertions.
As discussed below, the Board continues to believe that
confirmation procedures generally would provide relevant and reliable
audit evidence for cash and accounts receivable. Accordingly, under the
new standard the auditor should perform confirmation procedures or
otherwise obtain relevant and reliable audit evidence by directly
accessing information maintained by a knowledgeable external source
when the auditor determines that these accounts are significant
accounts. In addition, the new standard specifies that when the auditor
has identified a significant risk of material misstatement associated
with either a complex transaction or a significant unusual transaction,
the auditor should consider confirming those terms of the transaction
that are associated with a significant risk of material misstatement,
including a fraud risk.
Other Use of Confirmation Procedures. The 2022 Proposal requested
commenters' views on whether there were additional accounts or
financial statement assertions for which the auditor should be required
to perform confirmation procedures. In addition, the 2022 Proposal
requested views on whether the proposal was sufficiently flexible to
accommodate situations where an auditor chooses to confirm information
about newer types of assets (e.g., digital assets based on blockchain
or similar technologies).
Two investor-related groups identified specific types of additional
transactions that should be subject to confirmation, including
transactions (1) with unusual terms and conditions, (2) with related
parties, (3) where the auditor has concern about whether side letters
may exist, (4) where financing is obtained, including bank debt or
supplier-provided financing, (5) involving certain sales practices,
such as bill-and-hold arrangements or supplier discounts or
concessions, (6) involving certain oral arrangements or guarantees, or
(7) involving sales, lending, or liability for custodianship of digital
assets. Another commenter suggested that confirmation of accounts
payable should be considered, but not required, when auditors assess
controls over the recording of liabilities to be ineffective. This
commenter also suggested that the Board state that the use of
confirmation is not limited to the circumstances discussed in the
proposed standard.
In comparison, many firms and firm-related groups stated that the
proposed standard should not prescribe additional presumptive
requirements to use confirmation. These commenters noted that doing so
would be unduly prescriptive. Several commenters stated that the
proposed standard provided for an appropriate amount of auditor
judgment in determining when to perform confirmation procedures in
situations other than those specifically addressed in the standard. In
addition, several commenters indicated that the 2022 Proposal offered
sufficient flexibility to accommodate situations where an auditor
confirms information about newer types of assets.
Several commenters asserted that the effectiveness of confirmation
procedures is negatively affected by the fact that third parties are
not obligated, under legislation or regulation, to reply to an
auditor's confirmation request.
The new standard does not specify additional accounts or
transactions for which confirmation procedures are presumptively
required beyond those in the 2022 Proposal. The PCAOB's risk assessment
standards are foundational and are used by the auditor to determine the
appropriate response to identified risks of material misstatement. The
Board believes that confirmation can be an important tool for
addressing certain risks for cash and accounts receivable, and for
obtaining audit evidence about other financial relationships, and
certain terms of complex transactions or significant unusual
transactions, as discussed below. However, identifying additional
accounts or scenarios that require the auditor to use confirmation,
without regard to the specific facts and circumstances of the audit
including the assessed risk of material misstatement and whether other
audit procedures would provide sufficient appropriate audit evidence,
would be overly prescriptive.
The auditor's responsibilities relevant to the use of confirmation
are also addressed in several other PCAOB standards. AS 2315, Audit
Sampling, which discusses planning, performing, and evaluating audit
samples, is used if the auditor uses sampling in the confirmation
process. AS 2510, Auditing Inventories, addresses confirmation of
inventories in the hands of public warehouses or other outside
custodians. Additionally, the new standard does not address auditor
responsibilities regarding inquiries concerning litigation, claims, and
assessments, which are addressed in AS 2505, Inquiry of a Client's
Lawyer Concerning Litigation, Claims, and Assessments.
Designing Confirmation Requests
(See paragraphs .08-.13 of the new standard).
A properly designed and executed confirmation process may provide
relevant and reliable audit evidence. Auditor responsibilities
regarding designing a confirmation request are described in paragraphs
.08-.13, as follows:
Paragraph .08 discusses identifying information to
confirm;
Paragraphs .09 through .11 discuss identifying the
confirming parties for confirmation requests; and
Paragraphs .12 through .13 discuss using negative
confirmation requests.
The new standard does not prescribe a particular format for a
confirmation request. For example, requests could be paper-based or
electronic, specifying the information to be confirmed or providing a
blank response form, or sent with or without the involvement of an
intermediary that facilitates electronic transmission. As a practical
matter, the auditor determines the format of a confirmation request to
increase the likelihood that the request is received and clearly
understood by the confirming party, taking into consideration, among
other things, the facts and circumstances of the company and the
confirming party.
Identifying Information To Confirm
The 2022 Proposal provided that the auditor should, as part of
designing confirmation requests, identify information related to the
relevant assertions that the auditor plans to verify with confirming
parties or (when using a blank form) obtain from confirming parties.
Such information
[[Page 71693]]
could include transaction amounts, transaction dates, significant terms
of transactions, and balances due to or from the confirming party as of
a specific date. In addition, the 2022 Proposal discussed that using a
blank confirmation request generally provides more reliable audit
evidence than using a confirmation request that includes information
the auditor is seeking to confirm (e.g., a customer account balance).
In the latter scenario, it is possible that a confirming party could
agree to the information without verifying it against the confirming
party's records.
The Board adopted the proposed requirement relating to identifying
information to confirm with certain modifications discussed below.
Several commenters indicated that the provisions of the 2022
Proposal related to identifying information to confirm were clear and
appropriate. A few commenters requested retaining a statement analogous
to a statement in existing AS 2310 to emphasize in the standard that
responding to blank form confirmation requests generally requires
additional effort, which might lower the response rates and lead
auditors to perform alternative procedures. One commenter expressed
concern that fraudsters could use fake confirmation requests and, in
particular, fake blank form confirmation requests, to defraud bank
customers (e.g., by soliciting their bank details).
Existing AS 2310 includes details regarding the form of
confirmation requests, which includes general information regarding
blank form positive confirmation requests. This information has been
included in the new standard in a note to paragraph .08. Further, after
considering the comments received, the new standard includes language
not included in the proposed standard that is similar to language in
existing AS 2310. This language explains that responding to blank form
confirmation requests generally requires additional effort, which might
lower the response rates and lead auditors to perform alternative
procedures for more selected items. Despite the possibility of lower
response rates, responses to blank form confirmation requests may
provide more reliable audit evidence than responses to confirmation
requests using pre-filled forms.
Paragraph .17 of the proposed standard also included a reminder of
an existing requirement in AS 1105.10, pursuant to which the auditor
should test the accuracy and completeness of information produced by
the company that the auditor uses as audit evidence. The reminder
emphasized that, in the confirmation process, the requirement in AS
1105.10 applies to the information produced by the company (e.g.,
populations from which items are selected for confirmation, such as
detailed account listings, vendor listings, and contractual agreements)
that the auditor uses in selecting the items to confirm.
Several firms and firm-related groups indicated that the existing
requirement in AS 1105.10 for the auditor to evaluate information
produced by a company as audit evidence was sufficient and that
paragraph .17 of the proposed standard was duplicative. A few
commenters stated that confirmation requests are often designed to test
the accuracy of a given account balance or disclosure and, accordingly,
that the requirement should only focus on testing completeness.
Finally, a few commenters suggested that the standard, consistent with
AS 1105.10, should allow for the auditor to test controls over the
accuracy and completeness of information produced by the company that
the auditor uses in selecting items to confirm.
After considering these comments, in order to avoid duplication
with other PCAOB standards, the new standard does not include paragraph
.17 of the proposed standard.
Identifying Confirming Parties for Confirmation Requests
The 2022 Proposal provided that, to obtain reliable audit evidence
from the confirmation process, the auditor should direct the
confirmation requests to third parties (individuals or organizations)
who are knowledgeable about the information to be confirmed. That
provision was similar to existing AS 2310.26, which directs the auditor
to send confirmation requests to third parties who the auditor believes
are knowledgeable about the information to be confirmed, such as a
counterparty who is knowledgeable about a transaction or arrangement.
When designing confirmation requests, an auditor may become aware
of information about a potential confirming party's motivation,
ability, or willingness to respond, or about the potential confirming
party's objectivity and freedom from bias with respect to the audited
entity. Because this type of information can affect the reliability of
audit evidence provided by the confirming party to the auditor, the
2022 Proposal, similar to existing AS 2310.27, provided that the
auditor should consider any such information that comes to the
auditor's attention when selecting the confirming parties. The note to
paragraph .19 of the proposed standard further emphasized that such
information may indicate that the potential confirming party has
incentives or pressures to provide responses that are inaccurate or
otherwise misleading.\36\
---------------------------------------------------------------------------
\36\ See also paragraph .10 of AS 2401, Consideration of Fraud
in a Financial Statement Audit (stating that fraud may be concealed
through collusion among management, employees, or third parties, and
that an auditor may receive a false confirmation from a third party
that is in collusion with management); SAPA No. 8 at 12 (stating
that, when using confirmation to address fraud risks in emerging
markets, ``the auditor should evaluate who the intended recipient of
the confirmation request is and whether the company's management has
an influence over this individual to provide false or misleading
information to the auditor'' and that ``[f]or example, if the
company is the only or a significant customer or supplier of the
confirming entity, the staff of that entity may be more susceptible
to pressure from the company's management to falsify documentation
provided to the auditor'').
---------------------------------------------------------------------------
The 2022 Proposal also provided that the auditor should consider
the source of any such information. For example, if management
indicates to the auditor that a potential confirming party is unlikely
to respond to a confirmation request, management may have other reasons
to avoid a confirmation request being sent (e.g., concealing
management's fraudulent understatement of the amount the company owes
to that party).
In addition, the 2022 Proposal provided more specific direction
than existing AS 2310 for situations in which the auditor is unable to
identify a confirming party who, in response to a confirmation request,
would provide relevant and reliable audit evidence about a selected
item. In such a scenario, the 2022 Proposal prescribed that the auditor
should perform alternative procedures.
The 2022 Proposal also provided that the auditor should determine
that confirmation requests are properly addressed, thus increasing the
likelihood that they are received by the confirming party. The 2022
Proposal did not prescribe the nature or extent of procedures to be
performed by the auditor when making this determination, thereby
allowing the auditor to tailor the procedures to the facts and
circumstances of the audit. For example, in practice, some auditors
compare some or all confirming party addresses, which are typically
provided by the company, to physical addresses or email domains
included on the confirming party's website.
Alternatively, when using an intermediary to facilitate direct
electronic transmission of confirmation requests and responses,
Appendix B of the proposed standard required the
[[Page 71694]]
auditor to obtain an understanding of the intermediary's controls that
address the risk of interception and alteration of the confirmation
requests and responses and determine whether the relevant controls used
by the intermediary are designed and operating effectively. The Board
noted in the 2022 Proposal that, where an auditor determines that
controls that address the risk of interception and alteration also
include controls related to validating the addresses of confirming
parties, the auditor may be able to determine that audit procedures
performed in accordance with Appendix B are sufficient to determine
that confirmation requests are properly addressed. In situations where
the auditor determines that the intermediary's controls that address
the risk of interception and alteration do not also include controls
related to validating the addresses of confirming parties, the Board
also noted that the auditor would need to perform other procedures to
comply with the requirements of the proposed standard.
The Board adopted the requirements relating to identifying
confirming parties for confirmation requests as proposed, with certain
modifications discussed below.
Several commenters indicated that the provisions of the proposed
standard related to identifying confirming parties were sufficiently
clear and appropriate. One commenter indicated that the Board should
require the auditor to send confirmation requests directly to an
individual, rather than allow the auditor to choose between sending the
request either to an individual or an organization. In this commenter's
view, sending a confirmation request directly to an individual could
increase the reliability of audit evidence obtained through the
confirmation process. One commenter indicated that the Board should
amend paragraph .18 of the proposed standard to read ``the auditor
should direct confirmation requests to confirming parties (individuals
or organizations) who are expected to be knowledgeable about the
information to be confirmed and determine that the confirmation
requests are appropriately addressed.''
Because auditors often may have no or limited interaction with the
personnel of confirming organizations, they may not be able to select
an individual addressee for the confirmation request. As a result, the
Board believes that allowing the auditor to address a confirmation
request to an organization that is knowledgeable about the information
to be confirmed is practicable and appropriate. Paragraph .20 of the
proposed standard stated that the auditor should perform alternative
procedures when the auditor is unable to identify a confirming party
who, in response to a confirmation request, would provide relevant and
reliable audit evidence about the selected item.
The Board has modified this language, which appears in paragraph
.11 of the new standard, to emphasize that if the auditor is unable to
identify a confirming party for a selected item who would provide
relevant and reliable audit evidence in response to a confirmation
request, including considering any information about the potential
confirming party discussed in paragraph .10, the auditor should perform
alternative procedures in accordance with Appendix C. In addition, the
Board has added a note to paragraph .11 of the new standard to
reiterate that AS 1105.08 provides that the reliability of evidence
depends on the nature and source of the evidence and the circumstances
under which it is obtained.
These revisions are intended to underscore that auditors should
consider information that may indicate that a potential confirming
party has incentives or pressures to provide responses that are
inaccurate or misleading, and remind auditors that the reliability of
audit evidence depends not only on its nature and source, but also the
circumstances under which it is obtained. For example, restrictions on
access to a potential confirming party that cause the auditor to
identify and send a confirmation request to a different confirming
party or to perform alternative procedures may themselves raise
questions as to the reliability of the audit evidence that the auditor
subsequently obtains from the other confirming party or through
performing alternative procedures. In addition, the revisions to
paragraph .11 clarify that the paragraph applies to a confirming party
for an individual item selected for confirmation, rather than more
broadly to a group of confirming parties that might provide audit
evidence with respect to relevant assertions for an entire account,
such as accounts receivable.
Several commenters on the 2022 Proposal also indicated that the
requirement to send a confirmation request directly to the confirming
party and determine that the request is properly addressed was
sufficiently clear and appropriate. One of these commenters indicated
that the standard should address procedures to verify the recipient's
mailing or email address while the other commenters indicated there was
no need to include specific procedures in the standard. Another
commenter requested more guidance around verifying email addresses. One
commenter indicated that there should be no specific requirement to
check addresses, as such a requirement would not, in the commenter's
view, deter those intent on deceiving auditors. Lastly, one commenter
requested clarification as to whether an auditor should send either an
initial confirmation request or a second request when the auditor is
aware of information that indicates that the confirming party would be
unlikely to respond.
The Board continues to believe that requiring auditors to determine
that confirmation requests are appropriately addressed is critically
important to the effectiveness of the confirmation process. The Board
has noted above some of the ways in which an auditor might comply with
this requirement but is not including such examples in the text of the
new standard to avoid the possible misinterpretation that the examples
describe the only steps an auditor could take in determining whether a
confirmation request is properly addressed.
With respect to one commenter's suggestion that the Board clarify
whether an auditor should send a confirmation request if the auditor is
aware of information indicating that the confirming party would not
respond, the Board believes the new standard is sufficiently clear.
Paragraph .10 of the new standard states, in part, that if the auditor
is aware of information about a potential confirming party's
``willingness to respond,'' the auditor should consider this
information, including its source, in selecting the confirming parties.
Further, paragraph .11 of the new standard states that, if the auditor
is unable to identify a confirming party for a selected item who would
provide relevant and reliable audit evidence in response to a
confirmation request, the auditor should perform alternative procedures
for the selected item in accordance with Appendix C of the new
standard.
Using Negative Confirmation Requests
There are ``positive'' and ``negative'' types of confirmation
requests. A positive confirmation request is a confirmation request in
which the auditor requests a confirmation response. With a negative
confirmation request, the auditor requests a confirmation response only
if the confirming party disagrees with the information provided in the
request. The auditor generally obtains significantly less audit
evidence when
[[Page 71695]]
using negative confirmation requests than when using positive
confirmation requests. A confirming party might not respond to a
negative confirmation request because it did not receive or open the
request, or alternatively the confirming party might have read the
request and agreed with the information included therein.
Because of the limited evidence provided when using negative
confirmation requests, the 2022 Proposal provided that the auditor may
not use negative confirmation requests as the sole substantive
procedure for addressing the risk of material misstatement to a
financial statement assertion. Instead, the 2022 Proposal provided that
the auditor may use negative confirmation requests only to supplement
audit evidence provided by other substantive procedures (e.g.,
examining subsequent cash receipts, including comparing the receipts
with the amounts of respective invoices being paid; examining shipping
documents; examining subsequent cash disbursements; or sending positive
confirmation requests). In addition, Appendix B to the proposed
standard provided examples of situations in which the use of negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence. In contrast, under existing AS 2310, the auditor may use
negative confirmation requests where certain criteria are present and
should consider performing other substantive procedures to supplement
their use.
The Board adopted the requirements for using negative confirmation
requests as proposed. Most commenters on this aspect of the 2022
Proposal expressed support for the proposed prohibition on using
negative confirmation requests as the sole substantive procedure with a
number of commenters stating that negative confirmation requests alone
do not provide sufficient appropriate audit evidence.
Another commenter suggested that the word ``generally'' should be
removed from paragraph .21 of the proposed standard to emphasize that a
negative confirmation is not as persuasive as a positive confirmation.
This commenter indicated that, in situations where the use of negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence, auditors should be required to specifically document their
consideration of certain examples included in paragraph .B1 of the
proposed standard.
Lastly, a few commenters indicated that additional guidance on the
use of negative confirmations, and specifically on the use of
substantive analytical procedures to supplement the use of negative
confirmations, was needed while another commenter indicated that the
examples in Appendix B would assist auditors in applying the
requirements related to the use of negative confirmation requests.
After considering the comments on the 2022 Proposal, the Board has
determined that the requirements in the 2022 Proposal relating to the
use of negative confirmation requests are both appropriate and
sufficiently clear. For ease of reference, the examples of situations
in which the use of negative confirmation requests, in combination with
the performance of other substantive audit procedures, may provide
sufficient appropriate audit evidence now appear in paragraph .13 of
the new standard rather than Appendix B. The Board is not including in
the new standard additional examples of other substantive procedures
that may be used to supplement negative confirmation requests, as some
commenters had suggested. While such procedures may be appropriate in
some circumstances, including such examples in the new standard could
be misperceived as establishing a formal checklist, whereas determining
the necessary nature, timing, and extent of audit procedures that
provide sufficient appropriate audit evidence would depend on the facts
and circumstances of each audit.
Paragraph .12 of the new standard retains the word ``generally''
(i.e., ``[g]enerally, the auditor obtains significantly less audit
evidence when using negative confirmation requests than when using
positive confirmation requests'') to acknowledge that in some
circumstances using positive confirmations may not provide the auditor
with the amount of evidence that the auditor planned to obtain (e.g.,
if the auditor does not receive responses to some or all positive
confirmation requests).
Maintaining Control Over the Confirmation Process
(See paragraphs .14-.17 and .B1-.B2 of the new standard).
The Requirement for the Auditor To Maintain Control Over the
Confirmation Process
The 2022 Proposal included a provision, consistent with AS 2310,
that the auditor should maintain control over the confirmation process
to minimize the likelihood that information exchanged between the
auditor and the confirming party is intercepted and altered. This is
because the reliability of audit evidence provided by confirmation
depends in large part on the auditor's ability to control the integrity
of confirmation requests and responses. The 2022 Proposal also provided
that, as part of maintaining control, the auditor should send
confirmation requests directly to the confirming party and receive
confirmation responses directly from the confirming party.
The Board adopted the requirements for maintaining control over the
confirmation process as proposed, with one modification.
Commenters on this topic largely agreed that the auditor should
maintain control over the confirmation process. One commenter stated
that setting forth the requirement to maintain control over the
confirmation process and the requirement to send confirmation requests
directly to the confirming party in separate paragraphs might suggest
that there are different responsibilities for the auditor. This
commenter recommended combining the requirements to clarify that the
auditor's responsibility is to send the confirmation directly while
maintaining control of the process.
After considering the comments on the 2022 Proposal, the Board has
determined that the proposed requirements are both appropriate and
sufficiently clear, and adopted them as proposed, with the addition of
a new paragraph that clarifies how an external auditor can use internal
auditors in a direct assistance capacity as part of the confirmation
process, as further discussed below. Paragraph .14 of the new standard
establishes the auditor's responsibility for maintaining control over
the confirmation process, and the other paragraphs in this section of
the new standard specify auditor responsibilities regarding certain
aspects of maintaining control, as discussed below. For example,
consistent with the definition of ``confirmation process,'' \37\
paragraph .15 of the new standard requires that the auditor select the
items to be confirmed, send the confirmation requests and receive the
confirmation responses.
[[Page 71696]]
Selecting an item involves the auditor identifying the information to
be included on the confirmation request. Paragraph .16 of the new
standard specifies that maintaining control over the confirmation
process by the auditor involves sending the confirmation request
directly to and obtaining the confirmation response directly from the
confirming party.
---------------------------------------------------------------------------
\37\ The term ``confirmation process'' is defined in paragraph
.A3 of the new standard as ``[t]he process that involves selecting
one or more items to be confirmed, sending a confirmation request
directly to a confirming party, evaluating the information received,
and addressing nonresponses and incomplete responses to obtain audit
evidence about one or more financial statement assertions.''
---------------------------------------------------------------------------
Using an Intermediary To Facilitate Direct Electronic Transmission of
Confirmation Requests and Responses
Background and Requirements
As discussed above, certain financial institutions and other
companies have adopted the policy of responding to electronic
confirmation requests from auditors only through another party that
they, or the auditor, engage as an intermediary to facilitate the
direct transmission of information between the auditor and the
confirming party. The Board understands that such policies are intended
to facilitate the timeliness and quality of confirmation responses
provided by the confirming party to the auditor.
While the involvement of intermediaries is not discussed in
existing AS 2310, the use of an intermediary does not relieve the
auditor of the responsibility under PCAOB standards to maintain control
over confirmation requests and responses. Because an intermediary's
involvement may affect the integrity of information transmitted between
the confirming party and the auditor, the 2022 Proposal provided that
the auditor should evaluate the implications of such involvement for
the reliability of confirmation requests and responses. Specifically,
paragraphs .B2 and .B3 of the proposed standard provided that:
The auditor's evaluation should address certain aspects of
the intermediary's controls that address the risk of interception and
alteration of communications between the auditor and the confirming
party;
The auditor's evaluation should assess whether
circumstances exist that give the company the ability to override the
intermediary's controls (e.g., through financial or other
relationships); and
The auditor should not use an intermediary if information
obtained by the auditor indicates that (i) the intermediary has not
implemented controls that are necessary to address the risk of
interception and alteration of the confirmation requests and responses,
(ii) the necessary controls are not designed or operating effectively,
or (iii) circumstances exist that give the company the ability to
override the intermediary's controls.
The Board adopted the proposed requirements substantially as
proposed, with certain modifications discussed below.
A few commenters on the 2022 Proposal indicated that it is not
clear what an ``intermediary'' is and requested clarification. The
Board is not adding a definition of the term ``intermediary'' in the
new standard as it simply intends to use the term in describing a
particular scenario under the new standard where a third party is
engaged by the auditor or a confirming party to facilitate direct
electronic transmission of confirmation requests and responses between
the auditor and the confirming party. The Board believes that its
intent in using the term ``intermediary'' is sufficiently clear.
Overall, several commenters indicated that the requirements in the
2022 Proposal to evaluate the implications of using an intermediary to
facilitate direct electronic transmission of confirmation requests and
responses were appropriate. However, as discussed below, a number of
these commenters and other commenters stated that additional clarity
may be required to ensure that the proposed revisions are operational
in practice, or otherwise requested additional guidance. Conversely, a
few commenters expressed the view that requirements in the 2022
Proposal regarding the implications of using an intermediary were not
appropriate or sufficiently clear. One of those commenters asserted
that the requirement to assess the intermediary would result in
significant additional work for auditors and that it is not currently
common practice to directly assess intermediaries in this manner. As
discussed in Section IV of the 2022 Proposal, firm methodologies
reviewed by the staff generally include guidance on maintaining control
over the confirmation process, using intermediaries to facilitate the
electronic transmission of confirmation requests and responses, and
assessing controls at the intermediaries. The evidence from the PCAOB
staff's review does not suggest that the requirements in Appendix B of
the new standard would create significant additional work for auditors,
nor did the commenters provide evidence to the contrary.
Separately, as the 2022 Proposal provided that the auditor should
not use an intermediary if information obtained by the auditor
indicates that certain conditions are present, several commenters
stated that the presence of indicators would not necessarily mean that
the intermediary is not fit for use. For example, these commenters
stated that in a situation where an intermediary's control is not
designed or operating effectively, an auditor may be able to obtain an
understanding of whether a specific control failure impacts the
confirmation process and perform tests of other controls or other
procedures at the intermediary to address the control failure.
Having considered the comments, the Board is clarifying in
paragraph .B2 of the new standard that the auditor should not use an
intermediary to send confirmation requests or receive confirmation
responses if the auditor determines that (1) the intermediary has not
implemented controls that are designed or operating effectively to
address the risk of interception and alteration of the confirmation
requests and responses and the auditor cannot address such risk by
performing other procedures beyond inquiry, or (2) circumstances exist
that give the company the ability to override the intermediary's
controls. In the 2022 Proposal, the prohibition was based on an
indication, rather than determination, that such circumstances exist.
For example, when performing an evaluation required by paragraphs
.17 and .B1 of the new standard, an auditor could obtain a SOC report
stating that a particular access control at an intermediary is not
designed or operating effectively. The auditor may then be able to
identify and test other controls that could mitigate the control
failure described in the SOC report. In this scenario, if the auditor
determines that the identified controls are designed and operating
effectively and mitigate the control failure, or the auditor has
performed other procedures such as obtaining computer systems event
logs generated by the intermediary that provide evidence there was no
unauthorized access during the relevant period, the information in the
SOC report in this scenario would not necessarily mean that the auditor
is not allowed to use the intermediary under the new standard.
In addition, several commenters asserted that, if an auditor were
not allowed to use an intermediary under proposed paragraph .B3 and the
confirming party had a policy requiring the use of an intermediary for
receiving and responding to auditor confirmation requests, an auditor
may be unable to comply with the proposed requirement to confirm cash,
even if relevant and reliable audit evidence were otherwise available.
Considering these comments, the Board has modified paragraph .B2 of the
new standard to state that in
[[Page 71697]]
circumstances where the auditor, under paragraph .B2, should not use an
intermediary to send confirmation requests or receive confirmation
responses, the auditor should send confirmation requests without the
use of an intermediary or, if unable to do so, perform alternative
procedures in accordance with Appendix C of the new standard. The Board
believes that this modification and the adoption of a provision
regarding obtaining audit evidence by directly accessing information
maintained by a knowledgeable external source (see discussion below),
address commenters' concerns that an auditor may not be able to comply
with the requirement to confirm cash.
Certain commenters asked for additional guidance on what procedures
an auditor should or could perform to comply with the requirements in
Appendix B. Having considered these comments, the Board determined that
the new standard, consistent with the 2022 Proposal, will not specify
how the auditor should perform the particular procedures required by
paragraphs .B1 and .B2 regarding evaluating the implications of using
an intermediary. The new standard thus allows auditors to customize
their approach based on the facts and circumstances of the audit
engagement and the audit firm. For example, in obtaining an
understanding of the intermediary's controls that address the risk of
interception and alteration of confirmation requests and responses and
determining whether they are designed and operating effectively, the
auditor could (i) use, where available, a SOC report that evaluates the
design and operating effectiveness of the relevant controls at the
intermediary; or (ii) test the intermediary's controls that address the
risk of interception and alteration directly.\38\
---------------------------------------------------------------------------
\38\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
Some commenters asked for guidance related to an acceptable window
of time to be covered by ``bridge letters.'' \39\ Where an auditor uses
an independent service auditor's report on a service organization's
controls, such procedures may involve using a bridge letter. The new
standard does not specify an appropriate window of time to be covered
by a bridge letter or a permissible window of time between the date
covered by a bridge letter and the period when the auditor uses the
intermediary to facilitate direct electronic transmission of
confirmation requests and responses. Auditors should use their
professional judgment based upon the facts and circumstances of the
audit to determine the nature of procedures required to comply with
paragraph .B1 of the new standard, including the note to paragraph
.B1(b).
---------------------------------------------------------------------------
\39\ Some intermediaries provide a ``bridge letter'' or ``gap
letter'' issued by the independent service auditor that addresses
the period from the date of the service auditor's SOC report through
a subsequent date, typically the most recent calendar year end.
---------------------------------------------------------------------------
One commenter stated that paragraph .B2(b) of the proposed standard
should have a specific documentation requirement. The Board believes
that adding a specific documentation requirement is not necessary, as
the auditor is required to document compliance with PCAOB standards
under existing documentation requirements.\40\
---------------------------------------------------------------------------
\40\ See, e.g., paragraph .05 of AS 1215, Audit Documentation.
---------------------------------------------------------------------------
Lastly, the new standard modifies the language of the 2022 Proposal
to provide in the note to paragraph .B1(b) of the new standard that, if
the auditor performs procedures to determine that the controls used by
the intermediary to address the risk of interception and alteration are
designed and operating effectively at an interim date, the auditor
should evaluate whether the results of the procedures can be used
``during the period in which the auditor uses the intermediary''--
rather than at ``period end,'' as described in the proposed standard--
or whether additional procedures need to be performed to update the
results. The Board believes that the modified provision more accurately
describes the timeframe during which the results of the procedures may
be used by an auditor. In addition, the modified provision clarifies
that the auditor should consider the nature and extent of any changes
in the intermediary's process and controls during the period between
the auditor's procedures and the period the auditor uses the
intermediary.
Interaction of New Standard and Proposed QC 1000
In November 2022 the Board issued for public comment a proposed
quality control standard, referred to as proposed QC 1000, A Firm's
System of Quality Control.\41\ Proposed QC 1000 addresses resources
used by a registered public accounting firm that are sourced from
third-party providers. An intermediary that facilitates direct
electronic transmission of confirmation requests and responses is one
example of a ``third-party provider'' under proposed QC 1000.
---------------------------------------------------------------------------
\41\ See A Firm's System of Quality Control and Other Proposed
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No.
2022-006 (Nov. 18, 2022).
---------------------------------------------------------------------------
Under proposed QC 1000, a firm would consider the nature and extent
of resources or services obtained from third-party providers in its
risk assessment process and whether the use of third-party providers
poses any quality risks to the firm in achieving its quality
objectives. One of the required quality objectives relates to obtaining
an understanding of how such resources or services are developed and
maintained and whether they need to be supplemented and adapted as
necessary, such that their use enables the performance of the firm's
engagements in accordance with applicable professional and legal
requirements and the firm's policies and procedures.\42\
---------------------------------------------------------------------------
\42\ See paragraph .44.j of proposed QC 1000.
---------------------------------------------------------------------------
As noted above, the proposed standard on the auditor's use of
confirmation included specific procedures related to the use of an
intermediary, which included obtaining an understanding of the
intermediary's controls that address the risk of interception and
alteration of a confirmation request and response and determining
whether such controls are designed and operating effectively.
A few commenters on the 2022 Proposal observed that firms may
obtain and evaluate SOC reports centrally, rather than requiring that
individual engagement teams obtain and evaluate the reports. One of
these commenters suggested clarifying in the standard that the
evaluations required by Appendix B may be performed, and the
documentation may be retained centrally, as part of the firm's quality
control system. Another of these commenters suggested that the
requirements related to the use of an intermediary be removed entirely
from the proposed confirmation standard and instead be dealt with
solely in the proposed quality control standards. One commenter stated
that, depending on the identified quality risks, procedures performed
in accordance with QC 1000 need not align with the financial statement
period-end of each audit engagement performed by the firm, which the
commenter asserted was implied by paragraph .B2(b) and a related note
in the proposed standard. Lastly, a few commenters indicated that it
would be beneficial to explicitly link the provisions of the
confirmation standard regarding the use of an intermediary with QC
1000.
[[Page 71698]]
Having considered these comments, the Board believes that the
requirements in the new standard related to the auditor's use of
intermediaries, with the modifications discussed above to the
requirements in the proposed standard, are sufficiently clear and
appropriate. The auditor's evaluation of the intermediary's controls
could be performed by an engagement team, an audit firm's national
office, or a combination of both. Where the national office performs
procedures relating to the intermediary (either as part of the firm's
quality control activities or specifically to comply with the new
standard), the engagement team would still need to consider the
procedures performed by the national office and include in its audit
documentation considerations specific to the individual audit
engagement. For example, if a national office evaluated an
intermediary's controls at an interim date, the engagement team would
need to, in accordance with the note accompanying paragraph .B1(b) of
the new standard, evaluate whether the results of the interim
procedures could be used during the period in which the auditor uses
the intermediary to facilitate direct electronic transmission of
confirmation requests and responses or whether they needed to be
updated.
Using Internal Audit in the Confirmation Process
The 2022 Proposal identified certain activities in the confirmation
process where the auditor may not use the assistance of the company's
internal audit function. Under the 2022 Proposal, the auditor was not
permitted to use internal auditors for selecting items to be confirmed,
sending confirmation requests, and receiving confirmation responses,
because using internal audit in a direct assistance capacity for such
activities would not be consistent with the auditor's responsibility to
maintain control over the confirmation process.
Existing AS 2310 does not include analogous provisions. It states
instead that the auditor's need to maintain control does not preclude
the use of internal auditors and that AS 2605, Consideration of the
Internal Audit Function, provides guidance on considering the work of
internal auditors and on using internal auditors to provide direct
assistance to the auditor.\43\
---------------------------------------------------------------------------
\43\ See footnote 3 of AS 2310.
---------------------------------------------------------------------------
The Board adopted the proposed requirements substantially as
proposed, with certain modifications discussed below.
A number of commenters, including investor-related groups, firms,
and firm-related groups, agreed with the requirements proposed in the
2022 Proposal as being in line with the auditor's responsibility to
maintain control over the confirmation process. Additionally, a few
commenters observed that it is not current practice for auditors to use
internal audit in a direct assistance capacity for selecting items to
be confirmed, sending confirmation requests, or receiving confirmation
responses and, therefore, that the requirements in the 2022 Proposal
would not result in a significant change in practice. Conversely, one
commenter stated that the proposed restrictions would impact current
practice as it relates to direct assistance.
A significant number of commenters, including internal auditors and
companies with internal audit functions, took exception to the
provision in the 2022 Proposal to limit the external auditor's use of
internal auditors in a direct assistance capacity in the confirmation
process, and in some instances asserted that such limitations would be
inconsistent with AS 2605. Many of these commenters also challenged the
statement in the 2022 Proposal that ``[i]nvolving internal auditors or
other company employees in these activities [selecting items to be
confirmed, sending confirmation requests, and receiving confirmation
responses] would create a risk that information exchanged between the
auditor and the confirming party is intercepted and altered.'' These
commenters asserted that this language called into question internal
auditors' competence, objectivity, and independence. Additionally, a
few commenters expressed concern with the prescriptiveness of the
proposed restrictions on the use of internal auditors in the
confirmation process.
Having considered the comments received, the Board notes that the
discussion in the 2022 Proposal was not intended to cast doubt on the
qualifications, competence, or objectivity of internal auditors.
Internal auditors can and often do play an important role in enhancing
the quality of a company's financial reporting. At the same time, the
Board continues to believe that in order to maintain control over the
confirmation process the auditor should select items to be confirmed,
send confirmation requests, and receive confirmation responses.
In addition, after considering the comments received, the Board is
(i) relocating the requirements related to the auditor's use of
internal audit in the confirmation process to the section of the new
standard on maintaining control over the confirmation process and (ii)
rephrasing the requirements in terms of the auditor's affirmative
responsibilities, by describing procedures the auditor is required to
perform. In contrast, the proposed standard described procedures that
internal auditors were not allowed to perform. As stated in footnote 7
of the new standard, auditors are permitted to use internal auditors in
accordance with AS 2605, except for selecting items to confirm, sending
confirmation requests, and receiving confirmation responses. The new
standard does not impose any new limitations on how the internal
auditors' work may affect the external auditor's audit procedures.\44\
Instead, the new standard clarifies how an external auditor can use
internal auditors in a direct assistance capacity as part of the
confirmation process.\45\
---------------------------------------------------------------------------
\44\ AS 2605.12 states that ``the internal auditor's work may
affect the nature, timing, and extent of the audit,'' including
``procedures the auditor performs when obtaining an understanding of
the entity's internal control (paragraph .13),'' ``procedures the
auditor performs when assessing risk (paragraphs .14 through .16),''
and ``substantive procedures the auditor performs (paragraph .17).''
\45\ AS 2605.27 discusses how the auditor may use internal
auditors to provide direct assistance.
---------------------------------------------------------------------------
Evaluating Confirmation Responses and Confirmation Exceptions, and
Addressing Nonresponses and Incomplete Responses
(See paragraphs .18-.23 of the new standard).
Overall Approach
Under the 2022 Proposal, the auditor's responsibilities related to
the confirmation process included evaluating the information received
in confirmation responses and addressing nonresponses and incomplete
responses. The 2022 Proposal provided that if the auditor is unable to
determine whether the confirmation response is reliable, or in the case
of a nonresponse or an incomplete response (i.e., one that does not
provide the audit evidence the auditor seeks to obtain), the auditor
should perform alternative procedures.\46\ The 2022 Proposal built upon
requirements in existing AS 2310 that discuss addressing information
obtained from the performance of confirmation procedures.
---------------------------------------------------------------------------
\46\ Alternative procedures, including the relevant exception
described in Appendix C of the new standard, are discussed below.
---------------------------------------------------------------------------
The relevant requirements in the new standard include certain
modifications to the approach in the 2022 Proposal, as discussed in the
sections below.
[[Page 71699]]
Evaluating the Reliability of Confirmation Responses
The 2022 Proposal was intended to provide additional direction
beyond what is set forth in existing AS 2310 to assist the auditor's
evaluation of the reliability of confirmation responses. Specifically,
the 2022 Proposal (i) described information that the auditor should
take into account when performing the evaluation, and (ii) provided
examples of indicators that a confirmation response may have been
intercepted or altered and thus may not be reliable. In particular, the
2022 Proposal provided that the auditor should take into account any
information about events, conditions, or other information the auditor
becomes aware of in assessing the reliability of the confirmation
response.
Under existing PCAOB standards, the auditor is not expected to be
an expert in document authentication but, if conditions indicate that a
document (e.g., a confirmation response) may not be authentic or may
have been altered, the auditor should modify the planned audit
procedures or perform additional audit procedures to respond to those
conditions and should evaluate the effect, if any, on the other aspects
of the audit.\47\ The 2022 Proposal did not alter these requirements,
but specified for the confirmation process that, if the auditor were
unable to determine that the confirmation response is reliable, the
auditor's response should include performing alternative procedures.
---------------------------------------------------------------------------
\47\ See AS 1105.09.
---------------------------------------------------------------------------
The requirements for evaluating the reliability of confirmation
responses were adopted substantially as proposed.
Several commenters indicated that the provisions of the 2022
Proposal related to evaluating the reliability of confirmation
responses were clear and appropriate. One commenter proposed
modifications to the proposed requirements, including replacing the
words ``taking into account'' with ``considering'' in paragraph .25 of
the proposed standard to reflect the commenter's perceived intent of
the Board. One commenter asserted that paragraph .25 of the proposed
standard could result in onerous documentation requirements in
situations where there is a clear reason why a particular indicator is
not necessarily indicative of interception or alteration of a
confirmation request or confirmation response (e.g., a confirmation
request is sent to a general email account but returned from an email
account belonging to an individual monitoring the general email
account). Another commenter proposed that the Board remove one of the
examples of indicators that a confirmation response may have been
intercepted or altered because it appeared to create a de facto
requirement that an auditor treat a confirmation response as not
reliable if the original confirmation request is not returned with the
confirmation response.
In addition, one commenter suggested modifying proposed paragraph
.26 of the proposed standard to provide that the auditor should perform
alternative procedures if the auditor became aware of any of the
factors identified in paragraph .25 and was unable to overcome those
factors to determine that the confirmation response is reliable.
Another commenter stated that the proposed standard should acknowledge
that, in certain specified circumstances, an unreliable confirmation
would likely result in a scope limitation.
Having considered the comments received, the Board notes that
assessing the reliability of confirmation responses is a critical
component of the confirmation process. If indicators of interception or
alteration are present, it is important for the auditor to address
them. When the auditor follows up on a particular indicator, an auditor
may determine that the confirmation requests and responses have not
been intercepted or altered. For example, an auditor could verify that
a difference in the confirming party's email address between the
confirmation request and confirmation response occurred because the
confirming party responds to confirmation requests from one central
email address. The note to paragraph .18 of the new standard (paragraph
.25 of the proposed standard) provides examples of information that the
auditor should take into account if the auditor becomes aware of it.
Under PCAOB standards, the auditor would document the procedures
performed in response to information that indicates that a confirmation
request or response may have been intercepted or altered. To minimize
any confusion, the Board replaced the word ``indicator'' in the note
with the phrase ``information that indicates,'' which has the same
meaning.
In addition, to clarify that the auditor performs alternative
procedures for the selected item if the auditor is unable to determine
that a confirmation response regarding that item is reliable, the Board
has added the phrase ``for the selected item'' after the words
``alternative procedures'' in paragraph .19 of the new standard. The
Board also revised the reference in paragraph .26 of the proposed
standard to performing alternative procedures ``as discussed in
paragraph .31'' to ``in accordance with Appendix C'' in paragraph .19
of the new standard to reflect that alternative procedures for a
selected item may not be necessary under certain circumstances, as
discussed below, and to reflect the relocation of the more detailed
discussion of alternative procedures from the body of the standard to
Appendix C.
AS 3105, Departures from Unqualified Opinions and Other Reporting
Circumstances, sets forth requirements regarding limitations on the
scope of an audit,\48\ including scope limitations relating to
confirmation procedures with respect to accounts receivable.\49\ One
example of such a scope limitation would be the auditor's inability to
confirm accounts receivable balances combined with an inability to
perform other procedures in respect of accounts receivable to obtain
sufficient appropriate audit evidence. The new standard does not repeat
such existing requirements, as doing so would merely duplicate those
requirements.
---------------------------------------------------------------------------
\48\ See AS 3105.05-.15.
\49\ See AS 3105.07.
---------------------------------------------------------------------------
Evaluating Confirmation Exceptions and Addressing Nonresponses and
Incomplete Responses
For various reasons, information in a confirmation response
received by the auditor could differ from other information in the
company's records obtained by the auditor. The 2022 Proposal provided
that the auditor should evaluate the confirmation exceptions and
determine their implications for certain aspects of the audit, as
discussed below. The direction in the 2022 Proposal was more detailed
than in existing AS 2310.
In particular, the 2022 Proposal provided that the auditor should
evaluate whether confirmation exceptions individually or in the
aggregate indicate a misstatement that should be evaluated in
accordance with AS 2810. The 2022 Proposal did not, however, require
investigating all confirmation exceptions to determine the cause of
each confirmation exception. The 2022 Proposal also included a
provision that the auditor should evaluate whether the confirmation
exceptions individually, or in the aggregate, indicate a deficiency in
the company's internal control over financial reporting (``ICFR'').
With regard to nonresponses and potential nonresponses, the 2022
Proposal provided that the auditor should send a second positive
confirmation request to the confirming
[[Page 71700]]
party unless the auditor has become aware of information that indicates
that the confirming party would be unlikely to respond to the auditor.
Additionally, the 2022 Proposal specified that if a confirmation
response is returned by the confirming party to anyone other than the
auditor, the auditor should contact the confirming party and request
that the response be re-sent directly to the auditor. If the auditor
does not subsequently receive a confirmation response from the intended
confirming party, the 2022 Proposal provided that the auditor should
treat the situation as a nonresponse.
Further, in contrast with existing AS 2310, which does not address
the auditor's responsibilities regarding incomplete responses, the 2022
Proposal provided that the auditor should perform alternative
procedures if a confirmation response is not received or is incomplete.
The Board adopted the requirements for evaluating confirmation
exceptions and addressing nonresponses as proposed, with certain
modifications discussed below.
Some commenters indicated that the proposed provisions regarding
evaluating confirmation exceptions and addressing nonresponses were
sufficiently clear and appropriate. A few commenters stated that the
Board should include requirements that limit an auditor's ability to
assess confirmation exceptions as merely ``isolated exceptions.''
Similarly, one commenter asserted that the Board should require
auditors to resolve any confirmation exceptions by examining other
third-party evidence such as purchase orders. In light of these
comments, the Board has added a new note to paragraph .20 of the new
standard that states that determining that a confirmation exception
does not represent a misstatement that should be evaluated in
accordance with AS 2810 generally involves examining external
information, which may include information that the company received
from knowledgeable external sources.
In the Board's view, in many circumstances examining external
evidence under the above provision is necessary, as doing so is
consistent with both the goal of obtaining relevant and reliable audit
evidence and the type of audit evidence sought from confirmation. For
example, an auditor might send a confirmation request for a selected
item to a knowledgeable confirming party regarding a $20,000 accounts
receivable invoice and the confirming party (i.e., the customer)
indicates that the outstanding balance for this invoice at the date
specified in the confirmation request is $18,000. Having investigated
the $2,000 difference, the auditor learns that it does not represent a
misstatement, as the customer overpaid for a different invoice but
applied the overpayment to the invoice selected for confirmation and
the company applied the overpayment differently. In this scenario,
determining that there is not a $2,000 misstatement for the selected
item would involve the auditor examining audit evidence from
knowledgeable external sources, such as applicable purchase orders and
customer cash payments, in addition to information generated by the
company, such as customer invoices.
The note to paragraph .20 of the new standard uses the word
``generally'' to acknowledge that in some circumstances examining
external audit evidence may not be necessary. For example, an auditor
may have included an incorrect figure in the confirmation request and
later determined that the amount confirmed by the confirming party
agrees to the amount in the company's general ledger. Determining that
such a confirmation exception does not represent a misstatement to be
evaluated in accordance with AS 2810 would not require examining audit
evidence from external sources.
One commenter suggested that the Board consider reminding auditors
that, when using audit sampling, the auditor should project the
misstatement results of the sample to the items from which the sample
was selected in accordance with AS 2315. The Board considered this
comment, but did not add a reminder regarding projecting the results of
a sample as the new standard states in footnote 4 that AS 2315
addresses evaluating audit samples.
One commenter suggested that the Board restructure paragraph .27 of
the proposed standard, as the auditor generally considers whether a
confirmation exception is a misstatement and then determines whether
there is a deficiency in internal control. In consideration of this
comment, the Board has restructured paragraph .20 of the new standard
to align with the typical order in which the auditor considers the two
matters discussed therein (i.e., an auditor typically considers whether
a confirmation exception indicates a misstatement that should be
evaluated in accordance with AS 2810, Evaluating Audit Results, and
then considers whether the confirmation exception represents a
deficiency in the company's ICFR).
One commenter expressed the view that the Board should not require
auditors to evaluate whether a confirmation exception constitutes a
control deficiency if the exception was a result of a clerical error or
caused by a timing difference. The Board continues to believe that
requiring the auditor to evaluate exceptions in such circumstances is
appropriate and the auditor should consider whether all confirmation
exceptions are control deficiencies. A clerical error or timing
difference could be indicative of a deficiency in a company's ICFR.
One commenter indicated that the proposed requirement about sending
a second positive confirmation request unless the auditor has become
aware of information that indicates that the confirming party would be
unlikely to respond to the auditor was sufficiently clear and
appropriate. However, several firms commented that the requirement was
too prescriptive, with one commenter asserting that the requirement
could result in unnecessary and potentially ineffective administrative
effort. Additionally, a few commenters expressed concern that following
up on a confirmation request would not constitute sending a second
confirmation request under the proposed standard, but asserted that it
should be so treated.
The Board considered the comments about the requirement to send a
second positive confirmation request. The use of confirmation is not
required under the new standard other than for cash and accounts
receivable when they are significant accounts or disclosures. Under the
new standard, for cash and accounts receivable, the auditor may perform
other audit procedures to obtain audit evidence by directly accessing
information maintained by a knowledgeable external source. Further, for
accounts receivable, in certain situations the new standard allows the
auditor to obtain external information indirectly (see discussion of
cash and accounts receivable below).
Because the auditor may have a choice of the audit procedure to
perform, the Board believes that the auditor will select confirmation
in those situations where confirming parties will be more likely to
respond to the auditor. In situations where a confirming party does not
respond to a confirmation request, the Board has concluded it is
appropriate to require the auditor, in the case of a nonresponse to a
positive confirmation request, to follow up with the confirming party.
The requirement to follow up with the confirming party is included in
paragraph .21 of the new standard. The new standard does not prescribe
a form of the auditor's follow-up. For example, following up using the
same form of communication as in the original confirmation request
(e.g., email, direct electronic transmission facilitated by an
intermediary) would be appropriate under the new standard. In the case
of an electronic confirmation request, a follow-up request could be in
the form of a reminder or automated reminder.
If the auditor subsequently receives a confirmation response, the
new standard provides that the auditor should evaluate that response in
accordance with paragraphs .18-.19 and evaluate any confirmation
exception in accordance with paragraph .20. If the auditor's follow-up
does not elicit a confirmation response, paragraph .23 of the new
standard instructs the auditor to perform alternative procedures for
the selected item in accordance with Appendix C of the new standard.
To clarify that the auditor performs alternative procedures for the
selected item, the Board has added the phrase ``for the selected item''
after the words ``alternative procedures'' in paragraph .23 of the new
standard. The Board also revised the reference in paragraph .30 of the
proposed standard to performing alternative procedures ``as discussed
in paragraph .31'' to refer to ``in accordance with Appendix C'' in
paragraph .19 of the new standard to reflect that alternative
procedures for a selected item may not be necessary under certain
circumstances, as discussed below, and to reflect the relocation of the
more detailed discussion of alternative procedures from the body of the
standard to Appendix C.
Additional Considerations for Cash, Accounts Receivable, and Terms of
Certain Transactions
(See paragraphs .24-.30 of the new standard).
In general, evidence obtained from a knowledgeable external source
is more reliable than evidence obtained only from internal company
sources. When cash or accounts receivable are significant accounts,
there is a presumption in the new standard that the auditor should
obtain audit evidence from a knowledgeable external source by
performing confirmation procedures or using other means to obtain audit
evidence by directly accessing information maintained by knowledgeable
external sources. In addition, the new standard addresses other
situations in which the auditor should consider the use of
confirmation.
The Board discusses below the provisions of the new standard
relating to confirming cash held by third parties, confirming accounts
receivable, performing other audit procedures for accounts receivable
when obtaining audit evidence directly from a knowledgeable external
source would not be feasible, communicating with the audit committee in
certain situations, and confirming the terms of certain other
transactions. To improve the flow of the requirements in the new
standard, these provisions have been placed after the general
provisions that describe the auditor's responsibilities related to the
confirmation process (i.e., after paragraphs .08-.23).
Figure 1 depicts the relationship of the requirements in the new
standard for cash and accounts receivable when they are significant
accounts (paragraphs .24-.28) to the general provisions of the new
standard applicable to the confirmation process (paragraphs
.08-.23).\50\
---------------------------------------------------------------------------
\50\ The information in Figure 1 is intended to be for
illustrative purposes and is not a substitute for the new standard;
only the new standard provides the auditor with the definitive
requirements.
---------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] TN17OC23.008
Cash Held by Third Parties
Confirming Cash
The 2022 Proposal provided that the auditor should perform
confirmation procedures when auditing cash and cash equivalents held by
a third party. Existing AS 2310 does not address auditor
responsibilities for confirming cash.
The Board noted in the 2022 Proposal that an auditor need not
necessarily confirm all cash accounts in all cases. Under PCAOB
standards, the alternative means of selecting items for testing are
selecting all items, selecting specific items, and audit sampling.\51\
An auditor selects individual cash items to confirm following the
relevant direction in PCAOB standards, including identifying and
assessing the risk of misstatement and developing an audit
response.\52\ The particular means or combination of means of selecting
cash items to confirm depend on, for example, the characteristics of
the cash items and the evidence necessary to address the assessed risk
of material misstatement.\53\
---------------------------------------------------------------------------
\51\ See AS 1105.22.
\52\ See, e.g., AS 2110 and AS 2301.
\53\ See AS 1105.23 and AS 2301.03.
---------------------------------------------------------------------------
The 2022 Proposal emphasized that, in selecting the individual
items of cash to confirm, the auditor should take into account the
auditor's understanding of the company's cash management and treasury
function, and the substance of the company's arrangements and
transactions with third parties. For example, an auditor might select
bank accounts with balances over a certain amount, accounts with a high
volume of
transactions, accounts opened or closed during the period under audit,
or accounts the auditor identifies as particularly risk-prone.
Alternatively, the auditor might determine it is appropriate to confirm
all cash accounts. The auditor also follows the direction in PCAOB
standards when determining whether performing procedures in addition to
confirmation is necessary to address the assessed risk of material
misstatement relating to cash.\54\
---------------------------------------------------------------------------
\54\ See, e.g., AS 2301.09.
---------------------------------------------------------------------------
The Board adopted the proposed requirements to confirm cash, with
certain modifications discussed below.
A number of commenters supported the proposed requirement for the
auditor to confirm cash held by third parties. Some of these commenters
stated that confirming cash has long been an audit best practice and
that requiring cash confirmation would lead to more consistency in
practice. In addition, several commenters stated that the standard was
sufficiently risk-based (i.e., by allowing the auditor to select cash
accounts and other financial relationships to confirm based on the risk
of material misstatement associated with cash).
Several commenters asserted that a requirement to confirm cash was
not sufficiently risk-based, despite the provisions in the 2022
Proposal that described that the auditor should take into account their
understanding of the company's operations in making selections of
individual cash items to confirm. In particular, several commenters
stated that the proposed standard would require an auditor to confirm
cash without regard to the level of risk that the auditor had
determined for cash in their risk assessment or when other audit
procedures could produce sufficient appropriate audit evidence. Other
commenters expressed the view that the requirement to confirm cash, as
well as accounts receivable, should be removed, with some of these
commenters suggesting that the auditor should be able to determine the
audit procedure that would be most effective in obtaining relevant and
reliable audit evidence, without confirmation being the ``default''
procedure.
The Board continues to believe that a presumption to confirm cash
is appropriate. As discussed above, this presumption to confirm cash is
consistent with current practice. Consistent with the objective of the
new standard, the requirement to confirm cash, as well as accounts
receivable, only applies when the auditor has determined that
these accounts are significant accounts.
With respect to confirming cash, many commenters, primarily firms
and firm-related groups, expressed concern that the 2022 Proposal did
not contain a provision about overcoming the presumption to confirm
cash. A number of commenters also expressed the view that auditors
could obtain a direct-access view of bank information (or would be able
to do so in the future), which could provide a more effective means of
directly obtaining external evidence than sending a confirmation.
The Board agrees that if the auditor is able to perform other audit
procedures that allow the auditor to obtain audit evidence by directly
accessing information maintained by knowledgeable external sources,
such audit evidence would be at least as persuasive as audit evidence
obtained through confirmation procedures. The Board therefore added to
the presumption to confirm cash (and accounts receivable) in the new
standard the phrase ``or otherwise obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source.''
By way of example, the auditor might satisfy this requirement to
obtain relevant and reliable audit evidence under the new standard by
obtaining read-only access to information maintained by a financial
institution concerning its transactions or balances with the company
directly online through a secure website of the financial institution
using credentials provided to the auditor by the financial institution.
The Term ``Cash and Cash Equivalents Held by Third Parties''
The 2022 Proposal provided that the term ``cash'' comprised both
cash and cash equivalents. Cash equivalents generally refer to short-
term, highly liquid investments that are readily convertible to known
amounts of cash and are so near their maturity that they present
insignificant risk of changes in value because of changes in interest
rates.\55\ Such assets are commonly used by companies to manage their
cash holdings. The 2022 Proposal also described that the requirements
for confirming cash would apply to cash held by third parties, and would
not be limited to cash held by financial institutions. In the Board's view,
this expansion of confirmation requirements was appropriate, as company
funds can be held by third parties other than financial institutions,
such as money transfer providers.
---------------------------------------------------------------------------
\55\ See, e.g., definition of ``cash equivalents'' in the Master
Glossary of the Financial Accounting Standards Board (``FASB'')
Accounting Standards Codification and of ``cash equivalents'' in the
International Financial Reporting Standards (``IFRS'').
---------------------------------------------------------------------------
The Board adopted this provision as proposed in the 2022 Proposal.
There was one comment related to this aspect of the 2022 Proposal,
suggesting that the new standard should specify that ``third parties''
are not limited to financial institutions. The Board believes the
reference to ``third parties'' was sufficiently clear as proposed and,
accordingly, has not expanded this description.
Confirming Other Financial Relationships
The 2022 Proposal provided that the auditor should consider
confirming other financial relationships with the third parties with
which the auditor determines to confirm cash. Such relationships can
include lines of credit, other indebtedness, compensating balance
arrangements, or contingent liabilities, including guarantees. As
proposed, the auditor would be required under PCAOB standards to
document the consideration given to the confirmation of other financial
relationships and the conclusions reached.\56\ Existing AS 2310 does
not have an analogous requirement to confirm other financial
relationships.
---------------------------------------------------------------------------
\56\ See Note to PCAOB Rule 3101(a)(3), which states that ``(i)f
a Board standard provides that the auditor ``should consider'' an
action or procedure, consideration of the action or procedure is
presumptively mandatory, while the action or procedure is not,'' and
AS 1215.05-.06 (audit documentation should ``[d]emonstrate that the
engagement complied with the standards of the PCAOB'' and must
``document the procedures performed . . . with respect to relevant
financial statement assertions''). See also Audit Documentation and
Amendment to Interim Auditing Standards, PCAOB Rel. No. 2004-006
(June 9, 2004), at 3 (``the auditor documents not only the nature,
timing, and extent of the work performed, but also the professional
judgments made by members of the engagement team and others'').
---------------------------------------------------------------------------
The Board adopted this provision as proposed, with certain
modifications discussed below.
Several commenters stated that the requirements for the auditor to
consider confirming other financial relationships were clear. One
commenter suggested that confirming other financial relationships
should be required, and that overcoming the presumption to confirm
should be available only when the financial entity with which the
company does business does not offer services that would give rise to
other financial relationships.
A number of commenters asserted that auditors would be required to
produce additional documentation of their considerations, even when a
financial relationship(s) is not an area of significant risk of
material misstatement. Some commenters recommended that the provision
that the auditor ``should consider'' other financial relationships be
changed to ``may consider,'' in order to allow for more auditor
judgment in determining the audit procedures to perform.
The Board continues to believe that information about financial
relationships, including off-balance sheet relationships, could be
important for the audit, as it could be part of significant disclosures
in a company's financial statements. Accordingly, paragraph .29 of the
new standard provides that, in addition to obtaining audit evidence
from a knowledgeable external source regarding cash in accordance with
paragraph .24, the auditor should consider sending confirmation
requests to that source about other financial relationships with the
company, based on the assessed risk of material misstatement. The
phrase ``based on the assessed risk of material misstatement'' was
added to clarify that the auditor has flexibility in tailoring audit
procedures to the level of assessed risk (e.g., by including or not
including confirmation in the audit response based on the auditor's
assessed risk of material misstatement of other financial
relationships). In addition, paragraph .29 retains the examples of
other financial relationships that were included in the 2022 Proposal.
Accounts Receivable
Confirming Accounts Receivable
The 2022 Proposal carried forward the requirement in existing AS
2310 to confirm accounts receivable. Similar to existing AS 2310, the
2022 Proposal did not specify the extent of confirmation procedures for
accounts receivable. As noted above, the timing and extent of
confirmation procedures are part of the auditor's response to the risks
of material misstatement under PCAOB risk assessment standards. The
2022 Proposal instead required the auditor to take into account the
auditor's understanding of the substance of the company's arrangements
and transactions with third parties and the nature of the items that
make up the company's account balances in selecting the individual
accounts receivable to confirm. For example, an auditor might assess
the risk of material misstatement relating to accounts receivable
higher for a company that is being audited for the first time by the
auditor, or for accounts receivable from a newly acquired operation in
a foreign location.
The Board adopted the proposed requirements to confirm accounts
receivable, with certain modifications discussed below.
Most commenters on this aspect of the 2022 Proposal generally
supported the retention of a presumption to confirm accounts
receivable, and most of those commenters stated that the requirement
for the auditor to confirm accounts receivable was sufficiently clear
and appropriate. Two investor-related groups stated that confirmation
of cash and accounts receivable was necessary, in their view, to obtain
persuasive, sufficient, and competent audit evidence.
On the other hand, a number of commenters, primarily firms and
firm-related groups, expressed concerns about carrying forward the
presumption for auditors to confirm accounts receivable from existing
AS 2310. The common theme of those commenters was that requiring the
auditor to use confirmation for certain accounts may not allow the
auditor to exercise professional judgment in determining an appropriate
response to the assessed risk of material misstatement for those
accounts.
Regarding the selection of accounts receivable to confirm, several
commenters agreed that the 2022 Proposal was sufficiently principles-
based to allow auditors to use professional judgment in determining the
extent of confirmation of accounts receivable.
The Board continues to believe that a presumption to confirm
accounts receivable is appropriate to emphasize that audit evidence
obtained from a knowledgeable external source is generally more
reliable than evidence obtained only from internal company sources.
Consistent with the objective of the new standard, the requirement to
confirm cash and accounts receivable, or otherwise obtain relevant and
reliable audit evidence by directly accessing information maintained by
a knowledgeable external source, only applies when the auditor has
determined that these accounts are significant accounts.
As with cash balances discussed above, the Board believes that when
the auditor is able to perform other audit procedures to obtain audit
evidence about accounts receivable by directly accessing information
maintained by knowledgeable external sources (e.g., information
maintained by the receivable counterparty), such evidence would be at
least as persuasive as audit evidence obtained through confirmation
procedures.
The Board therefore added to the presumption to confirm cash and
accounts receivable in the new standard the phrase ``or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source.''
Audit evidence that an auditor obtains by accessing a third party's
information directly can be at least as persuasive as audit evidence
obtained through confirmation procedures because the auditor is able to
observe first-hand the information providing such evidence. As
technology continues to develop, the Board believes it is important for
the new standard to reflect that there may be additional opportunities
for the auditor to obtain audit evidence directly beyond sending a
confirmation request. The new standard would allow for future
innovations in audit techniques that might involve the auditor
obtaining evidence for accounts receivable by directly accessing
information maintained by a counterparty or other knowledgeable
external source. As noted in the new standard, consistent with
selecting a confirming party, when selecting the knowledgeable external
source providing the auditor with access to information directly, the
auditor would be required to consider whether the knowledgeable
external source would have any incentive or pressure to provide the
auditor with access to information directly that is inaccurate or
otherwise misleading.
Situations where it would not be feasible for the auditor to obtain
audit evidence for accounts receivable directly from a knowledgeable
external source, through confirmation procedures or other means, are
discussed below.
The Term ``Accounts Receivable''
The 2022 Proposal described ``accounts receivable'' as comprising
receivables arising from the transfer of goods or services to a
customer or from a financial institution's loans. Existing AS 2310
describes accounts receivable as the entity's claims against customers
that have arisen from the sale of goods or services in the normal
course of business, and a financial institution's loans. The 2022
Proposal was designed to apply to the same types of items as existing
AS 2310, with a modified description to align more closely with the
terminology of current accounting requirements, which have been updated
since existing AS 2310 was written.\57\
---------------------------------------------------------------------------
\57\ See, e.g., FASB Accounting Standards Codification Topic
606, Revenue from Contracts with Customers, and IFRS 15, Revenue
from Contracts with Customers.
---------------------------------------------------------------------------
The Board adopted this provision as proposed.
Commenters on this aspect of the 2022 Proposal stated that the
description of accounts receivable was clear. These commenters also
noted that there was no need to further broaden the description to
include additional types of receivables.
The description of accounts receivable in the new standard includes
receivables that arise from the transfer of goods or services to a
customer. These types of receivables generally arise from the company's
ordinary revenue-generating activities, and include items for which
revenue has been or will be recognized by a company, such as
receivables from selling manufactured products or providing a service
to customers. The description of accounts receivable also includes a
financial institution's loans, including loans to customers that the
institution has originated or purchased from another institution.
Examples of financial institutions are banks, non-bank lenders, and
mortgage companies that provide financing to customers.
Situations When Obtaining Audit Evidence for Accounts Receivable
Directly Would Not Be Feasible
Performing Other Substantive Procedures, Including Tests of Details
In the 2022 Proposal, the presumption to confirm accounts
receivable could be overcome when the auditor determined that an audit
response that only included substantive audit procedures other than
confirmation would provide audit evidence that is at least as
persuasive as evidence the auditor might expect to obtain through
performing confirmation procedures. The 2022 Proposal did not carry
forward the provisions in existing AS 2310 addressing overcoming the
presumption to confirm accounts receivable under certain conditions,
which are (i) immateriality, (ii) ineffectiveness of confirmation, or
(iii) a certain combination of the assessed risk and expected results
from other auditing procedures.\58\
---------------------------------------------------------------------------
\58\ See AS 2310.34.
---------------------------------------------------------------------------
As discussed below, the new standard includes a provision to
address situations when obtaining audit evidence directly from
knowledgeable external sources, whether through confirmation procedures
or other means, would not be feasible to execute.
Many commenters addressed the provision in the 2022 Proposal to
overcome the presumption to confirm accounts receivable. A few
commenters noted that the ability to overcome the presumption to
confirm accounts receivable was clear and appropriate. As discussed
below, many commenters focused on the proposed provision that evidence
obtained through other substantive procedures should be ``at least as
persuasive as'' evidence obtained through confirmation:
A number of investor-related groups stated that the
provision gave too much leeway to auditors to overcome the presumption
to confirm accounts receivable. These commenters asserted that
exceptions to confirming accounts receivable should only be available
when other audit procedures would provide more persuasive or greater
accumulated evidence than that obtained through confirmation. These
commenters recommended additional requirements, such as allowing the
auditor to overcome the presumption only if they document the evidence
and basis for their conclusion and have communicated the conclusion to
the audit committee and investors.
Several firms and firm-related groups stated that the
relevant provisions were not clear or more guidance would be needed
about overcoming the presumption to confirm accounts receivable when
other substantive procedures would be ``at least as persuasive as'' the
evidence expected to be obtained through confirmation. A few commenters
observed that the absence of a definition of the term ``persuasive'' in
AS 1105 contributed to a lack of clarity as to the Board's expectations
and requested more guidance about how to measure or evaluate
persuasiveness. Several commenters emphasized that, rather than focus
the requirement for overcoming the presumption to confirm accounts
receivable on whether audit evidence obtained through audit procedures
other than confirmation is ``at least as persuasive as'' evidence
expected to be obtained through confirmation, the Board should focus
the requirement on obtaining evidence that is sufficient and
appropriate to address the assessed risk of material misstatement or,
as one commenter suggested, on the reliability of the audit evidence.
Several commenters suggested that the Board retain
provisions similar to those in existing AS 2310.34 for allowing the
auditor to overcome the presumption to confirm accounts receivable. In
addition, several firms and firm-related groups suggested that the
auditor's ability to overcome the presumption to confirm should be
based on risk assessment, similar to the provision in existing AS 2310
addressing when the assessed level of inherent and control risk is low.
Many firms and firm-related groups expressed concern that
the criteria for overcoming the presumption would result in auditors
having to use confirmation even in situations where historically
confirmations were determined by the auditor to be ineffective and not
to provide persuasive audit evidence.
One commenter stated that, if the proposed language were
adopted, auditors would likely default to confirming accounts
receivable over other audit procedures to avoid second-guessing of
their determinations of the persuasiveness of audit evidence.
Several commenters, primarily firms and firm-related
groups, stated that the 2022 Proposal imposed a higher threshold than
the existing standard for auditors to overcome the presumption to
confirm accounts receivable without a corresponding increase to audit
quality.
As previously discussed, the new standard creates a presumption
that the auditor performs confirmation procedures or otherwise obtains
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source. Under PCAOB standards,
in general, evidence obtained directly by the auditor from a
knowledgeable external source is more reliable than evidence obtained
indirectly.\59\ However, the Board appreciates that there are instances
where the auditor determines that performing confirmation procedures in
response to a risk of material misstatement related to accounts
receivable would not be feasible. For example, commenters described
situations involving a history of low response rates to confirmation
requests in certain industries (e.g., healthcare, utilities), or where
customers have been advised by a government agency to avoid providing
personal or financial information in response to an unexpected request.
The Board further understands that companies in other industries (e.g.,
large retailers, defense and aerospace companies that contract with the
federal government) do not, as a matter of policy, respond to
confirmation requests. There may also be instances in which the
performance of confirmation procedures would not result in reliable
audit evidence.
---------------------------------------------------------------------------
\59\ See AS 1105.08.
---------------------------------------------------------------------------
Accordingly, paragraph .25 allows the auditor to perform other
substantive procedures in response to a risk of
material misstatement, as long as such procedures include tests of
details, if the auditor determines it is not feasible to obtain audit
evidence directly from a knowledgeable external source pursuant to
paragraph .24. Paragraph .25 specifically provides that the auditor's
determination should be based on the auditor's experience, such as
prior years' audit experience with the company or experience with
similar engagements where the auditor did not receive confirmation
responses, and the auditor's expectation of similar results if
procedures were performed pursuant to paragraph .24. Any such
determination would be performed as part of conducting the audit based
on the available facts and circumstances at that time and properly
supported in the audit documentation for the engagement.\60\ In
addition, as described below, for significant risks associated with
accounts receivable, the auditor would be required to communicate with
the audit committee when the auditor did not perform confirmation
procedures or otherwise obtain audit evidence by directly accessing
information maintained by a knowledgeable external source.
---------------------------------------------------------------------------
\60\ See AS 1215.05.
---------------------------------------------------------------------------
This provision replaces the concept in the 2022 Proposal about
obtaining audit evidence that was ``at least as persuasive as'' the
evidence expected to be obtained through confirmation procedures. It
also specifies that the auditor should perform other substantive
procedures, including tests of details, in these situations to make
clear that performing only substantive analytical procedures would not
be sufficient to overcome the presumption to confirm. These other
substantive procedures should involve obtaining external information
indirectly.
For accounts receivable, the auditor may be able to satisfy this
requirement by obtaining information that is in the company's
possession that the company received from one or more knowledgeable
external sources.\61\ Examples of such external information may
include subsequent cash receipts, shipping documents from
third-party carriers, customer purchase orders, or signed contracts and
amendments thereto. This information may be in electronic form (e.g., a
purchase order initiated by a customer through a company's website) or
in paper form (e.g., a signed contract).
---------------------------------------------------------------------------
\61\ See also Proposed Amendments Related to Aspects of
Designing and Performing Audit Procedures that Involve Technology-
Assisted Analysis of Information in Electronic Form, PCAOB Rel. No.
2023-004 (June 26, 2023) (proposing amendments to PCAOB auditing
standards to specify auditor responsibilities regarding certain
company-provided information that the auditor uses as audit
evidence, including information that the company received from
external sources).
---------------------------------------------------------------------------
Conversely, when performing other substantive procedures under this
provision, it would not satisfy the requirements of the new standard to
use or rely solely on the company's internally produced information.
For example, an audit procedure that involves an automated matching
analysis of a company's revenue, accounts receivable, and cash journal
entries recorded by the company would be insufficient on its own
because such an analysis only involves the company's internally
produced information. On the other hand, when such internally produced
information is evaluated in conjunction with external information that
the company received from a knowledgeable external source, such as
checks that the company received directly from customers or information
on subsequent cash receipts that the company received from a financial
institution, the procedures would involve audit evidence from a
knowledgeable external source.
Under existing PCAOB standards, the quantity of audit evidence
needed is affected by its quality, including its reliability, and in
general evidence obtained directly by the auditor is more reliable than
evidence obtained indirectly. This applies to all information
(including external information) used by the auditor in arriving at the
conclusions on which the auditor's opinion is based. For example, as
the quality of the evidence increases, the need for additional
corroborating evidence decreases. The auditor should be mindful of
these requirements when determining an appropriate audit response to a
risk of material misstatement that involves obtaining external
information indirectly under the new standard.
Further, when performing audit procedures that involve obtaining
external information, the auditor should be mindful of other relevant
PCAOB standards that address the documentation of the procedures
performed and the relevance and reliability of the audit evidence
obtained.\62\ Audit documentation must clearly demonstrate the work
performed by the auditor. In addition, the reliability of that audit
evidence depends on the nature and source of the evidence and the
circumstances under which it is obtained.
---------------------------------------------------------------------------
\62\ See, e.g., AS 1215.05-.06 and AS 1105.07-.08.
---------------------------------------------------------------------------
Communicating With the Audit Committee About the Auditor's Response to
Significant Risks for Cash and Accounts Receivable
The 2022 Proposal included a requirement for the auditor to
communicate to the audit committee \63\ instances where the auditor had
determined that the presumption to confirm accounts receivable had been
overcome. In proposing that requirement, the Board considered the long-
standing practice by auditors in the United States to confirm accounts
receivable, and noted that a communication requirement when the
presumption to confirm is overcome could enhance the audit committee's
understanding of the auditor's strategy. In this regard, existing
standards require the auditor to communicate to the audit committee
about the auditor's overall audit strategy, significant risks
identified during risk assessment procedures, significant changes to
the planned audit strategy, and significant difficulties encountered
during the audit.\64\ Existing AS 2310 does not have a requirement to
communicate to the audit committee about overcoming the presumption to
confirm accounts receivable.
---------------------------------------------------------------------------
\63\ The term ``audit committee,'' as used in the new standard,
has the same meaning as defined in Appendix A of AS 1301,
Communications with Audit Committees.
\64\ See AS 1301.09, .11, .23.
---------------------------------------------------------------------------
The new standard contains a requirement for the auditor to
communicate with the audit committee about the auditor's response to
significant risks associated with cash or accounts receivable when the
auditor did not perform confirmation procedures or otherwise obtain
audit evidence by directly accessing information maintained by a
knowledgeable external source.
Several commenters, primarily investor-related groups, supported
the proposed requirement in the 2022 Proposal that the auditor
communicate to the audit committee when an auditor overcomes the
presumption to confirm accounts receivable. One of the commenters
referred to a statement in the 2022 Proposal that a requirement to
communicate to the audit committee when overcoming the presumption to
confirm accounts receivable ``may reinforce the auditor's obligation to
exercise due professional care in making that determination.'' This
commenter also noted that overcoming the presumption could result in a
critical audit matter under AS 3101, The Auditor's Report on an Audit
of
Financial Statements When the Auditor Expresses an Unqualified
Opinion.\65\
---------------------------------------------------------------------------
\65\ A critical audit matter is defined in AS 3101.A2 as ``[a]ny
matter arising from the audit of the financial statements that was
communicated or required to be communicated to the audit committee
and that: (1) relates to accounts or disclosures that are material
to the financial statements and (2) involved especially challenging,
subjective, or complex auditor judgment.''
---------------------------------------------------------------------------
Many commenters on this aspect of the 2022 Proposal, primarily
firms and firm-related groups, disagreed with a specific requirement to
communicate with the audit committee on this matter. These commenters
asserted that such a requirement did not align with principles in AS
1301 to communicate with the audit committee about significant risks,
including audit matters arising from the audit that are significant to
the oversight of the company's financial reporting process. A number of
these commenters also noted that, if there were a significant risk in
accounts receivable or associated with a critical audit matter, the
auditor would already be required to communicate these matters under AS
1301. Several other commenters indicated that they did not object to a
more targeted requirement to communicate with the audit committee about
overcoming the presumption to confirm when accounts receivable was
assessed as a significant risk.
In addition, several commenters asserted that a requirement to
communicate to the audit committee about overcoming the presumption to
confirm would not improve audit quality, and could be detrimental if
this communication became a compliance exercise for auditors,
distracting them from performing effective audit procedures. A few
commenters also stated there would not be a benefit to audit quality if
the Board were to mandate that auditors treat instances of overcoming
the presumption to confirm as a critical audit matter.
The 2022 Proposal stated that there may be some expectation by
audit committees that the auditor would use confirmation as part of a
planned audit response. One commenter encouraged the Board to perform
outreach with audit committees to understand whether this expectation
was, in fact, widespread and whether the proposed communication
requirement would be relevant and meaningful.
Having considered the comments received, the Board does not believe
it is necessary to require the auditor to inform the audit committee in
every instance where the auditor performed substantive audit procedures
other than confirmation to address the risk of material misstatement of
cash or accounts receivable. However, the Board believes the auditor
should inform the audit committee when the auditor did not perform
confirmation procedures or otherwise obtain audit evidence by directly
accessing information maintained by a knowledgeable external source
when responding to significant risks associated with either cash or
accounts receivable.
This targeted requirement is consistent with the views expressed by
several commenters, as discussed above. It is also consistent with the
existing obligation of auditors under PCAOB standards to communicate to
the audit committee an overview of the overall audit strategy and to
discuss with the audit committee the significant risks of material
misstatement identified during the auditor's risk assessment
procedures.\66\ In addition, as with other matters arising from the
audit of financial statements and communicated or required to be
communicated to the audit committee, the auditor is required to
determine whether these matters are critical audit matters in
accordance with AS 3101.\67\
---------------------------------------------------------------------------
\66\ See AS 1301.09.
\67\ See AS 3101.11-.12.
---------------------------------------------------------------------------
Confirming Terms of Certain Transactions
The 2022 Proposal provided that, for significant risks of material
misstatement associated with either a complex transaction or a
significant unusual transaction, the auditor should consider confirming
terms of the transaction with the counterparty to the transaction. This
provision updates a requirement in existing AS 2310.08 that the auditor
should consider confirming the terms of certain transactions that are
associated with high levels of risk. The 2022 Proposal used the
terminology ``significant risk'' and ``significant unusual
transactions,'' but the provision was intended to be similar to that in
existing AS 2310.
The Board adopted the proposed requirements to consider confirming
terms of certain transactions, with certain modifications discussed
below.
Several commenters noted that the provision in the 2022 Proposal
was sufficiently clear and appropriate. Other commenters suggested
various modifications to the provision that they asserted would improve
its clarity, such as elaborating on the meaning of the term ``complex
transaction'' and stating that the provision applies when the
assertions related to the significant risk of material misstatement can
be adequately addressed through confirmation. Several commenters
indicated that other audit procedures, not including confirmation, may
adequately address an assessed significant risk over the existence
assertion, such as obtaining and reviewing an original executed
contract and verifying the execution of its terms over a period of
time.
To provide additional clarity, the new standard provides that the
auditor should consider confirming those terms of a complex transaction
or significant unusual transaction that are associated with a
significant risk of material misstatement, including a fraud risk.
Under the new standard, examples of such terms may include terms
relating to (i) oral side agreements, or undisclosed written or oral
side agreements, where the auditor has reason to believe that such
agreements exist, (ii) bill and hold sales, and (iii) supplier
discounts or concessions. When such arrangements or agreements are part
of a complex transaction or significant unusual transaction identified
by the auditor, there may be a heightened risk that the transaction has
been entered into to engage in fraudulent financial reporting or
conceal misappropriation of assets. Likewise, a complex transaction or
a significant unusual transaction could have a heightened risk of error
whereby confirmation could lead to identification of an additional term
that, under an accounting standard, might have accounting implications
not previously recognized by either the company or the auditor.
Accordingly, the auditor's confirmation of terms related to such
arrangements or agreements may assist the auditor in evaluating the
business purpose, or lack thereof, of the transaction.\68\ These
examples are not intended to be an exhaustive list. An auditor may
identify other terms to confirm relating to a complex transaction or a
significant unusual transaction if the auditor decides that
confirmation could result in obtaining relevant and reliable audit
evidence about that transaction.
---------------------------------------------------------------------------
\68\ See AS 2401.67.
---------------------------------------------------------------------------
One investor-related group recommended that the provision in the
2022 Proposal addressing the terms of complex transactions and
significant unusual transactions should be mandatory and read
``should'' instead of ``should consider.'' In contrast, other
commenters asserted that the provision was unduly prescriptive. Several
commenters recommended that the Board change the phrase ``should
consider'' to ``may consider'' to allow for more auditor judgment in
determining the audit procedures to perform to address significant
unusual transactions or other complex transactions. The Board believes
that the provision stating that the auditor ``should consider''
confirming terms of complex transactions or significant unusual
transactions associated with a significant risk of material
misstatement is sufficiently risk-based for the auditor to have
flexibility in selecting the audit procedures that are best suited to
address significant risks of material misstatement, depending on the
facts and circumstances of individual transactions.
Another commenter suggested that the Board place additional
emphasis on the auditor having a heightened degree of professional
skepticism, similar to a provision in existing AS 2310.27, and that
doing so would allow auditors to make appropriate judgments in
determining whether facts and circumstances indicate that confirmation
procedures may not produce sufficient appropriate evidence to address
the assessed risks. The Board did not include additional language in
the new standard about the auditor's potential need to exercise a
heightened degree of professional skepticism related to confirmation
because the auditor's obligation to apply professional skepticism is
relevant to all aspects of the audit.\69\
---------------------------------------------------------------------------
\69\ See AS 1015.07.
---------------------------------------------------------------------------
Performing Alternative Procedures for Selected Items
(See paragraphs .C1-.C2 of the new standard).
The 2022 Proposal provided that the auditor should perform
alternative procedures in certain scenarios involving identifying
confirming parties or evaluating the reliability of confirmation
responses, as well as in scenarios involving nonresponses and
incomplete responses.\70\ This range of scenarios was broader than
under existing AS 2310, which provides that, with certain exceptions,
the auditor should apply alternative procedures where the auditor has
not received replies to positive confirmation requests. In addition,
existing AS 2310 provides examples of alternative procedures, and
requires the auditor to evaluate the combined evidence provided by
confirmation and any alternative procedures and send additional
confirmation requests or perform other audit tests, as needed, to
obtain sufficient appropriate audit evidence.
---------------------------------------------------------------------------
\70\ See paragraphs .20 (inability to identify a confirming
party), .26 (unreliable response), and .30 (nonresponse or
incomplete response) of the proposed standard.
---------------------------------------------------------------------------
The 2022 Proposal provided examples of alternative procedures that
may provide relevant and reliable audit evidence regarding accounts
receivable, accounts payable, and the terms of a transaction or
agreement. These provisions expanded upon the examples of alternative
procedures discussed in existing AS 2310.
The 2022 Proposal did not specify whether performing alternative
procedures for the items the auditor was unable to confirm, alone or in
combination with other audit procedures, is necessary to obtain
sufficient appropriate audit evidence. Under the 2022 Proposal, the
auditor would make that determination based on the facts and
circumstances of the audit. Further, an auditor might determine that,
without obtaining a reliable confirmation response, the auditor is
unable to obtain sufficient appropriate audit evidence for a relevant
assertion through performing alternative procedures for the items the
auditor could not confirm, other audit procedures, or both (e.g., if
the auditor observes conditions during the confirmation process that
indicate a heightened fraud risk). In such scenarios, the 2022 Proposal
provided that the auditor would consider the impact on the audit
opinion in accordance with AS 3105.
The 2022 Proposal also provided that performing alternative
procedures may not be necessary where items selected for confirmation
for which the auditor was not able to complete audit procedures would
not--if misstated--change the outcome of the auditor's evaluation of
the effect of uncorrected misstatements performed in accordance with AS
2810.17.\71\ For example, following the direction in AS 2810.17, under
the 2022 Proposal an auditor may have determined that an item that the
auditor was unable to confirm would not be material individually or in
combination with other misstatements. In such situations, the auditor
would not have been required to perform alternative procedures.\72\
Existing AS 2310 includes an analogous exception.
---------------------------------------------------------------------------
\71\ The auditor's evaluation of materiality under AS 2810.17
takes into account both relevant quantitative and qualitative
factors.
\72\ In certain circumstances, auditors may have obligations
independent of the Board's auditing standards to perform either
confirmation procedures or other auditing procedures. See, e.g.,
Section 30(g) of the Investment Company Act of 1940, 15 U.S.C. 80a-
29(g) (providing that the auditor's report on the financial
statements of a registered investment company ``shall state that
such independent public accountants have verified securities owned,
either by actual examination, or by receipt of a certificate from
the custodian, as the Commission may prescribe by rules and
regulations'').
---------------------------------------------------------------------------
The Board adopted the requirements substantially as proposed, with
certain modifications discussed below.
In the 2022 Proposal, the additional discussion of alternative
procedures appeared in the main body of the proposed standard
(paragraph .31). To enhance the readability of these provisions and
facilitate their implementation, the Board has relocated them to
Appendix C, which includes one paragraph that describes when performing
other audit procedures may be necessary (paragraph .C1) and a second
paragraph that provides further direction as to when alternative
procedures are required under the new standard and includes examples of
alternative procedures (paragraph .C2).
In addition, to remind auditors that the auditor's assessment of
risks of material misstatement, including fraud risks, should continue
throughout the audit, including the confirmation process, paragraph .C1
of the new standard states that, when the auditor is unable to obtain
relevant and reliable audit evidence about the selected item through
confirmation, the auditor should evaluate the implications for the
auditor's assessment of the relevant risks of material misstatement,
including fraud risks.
Several commenters indicated that the circumstances in the 2022
Proposal under which the auditor generally would be required to perform
alternative procedures were sufficiently clear and appropriate.
However, multiple commenters suggested that the Board include an
example of an alternative procedure for cash. In consideration of these
comments, the Board has incorporated an example of an alternative
procedure that may provide relevant and reliable audit evidence
regarding cash, which involves the auditor verifying information about
the company's cash account maintained in a financial institution's
information system by viewing this information directly on a secure
website of the financial institution. In this example, the auditor
might verify such information by determining the validity of the
financial institution's website and viewing the information directly on
the secure website. The information viewed by the auditor could be
accessed either by the auditor, using login credentials provided by the
company, or by company personnel. This additional example is intended
to address some commenters' misperception that the 2022 Proposal would
not allow the
auditor to perform alternative procedures in the event that a positive
confirmation request related to cash does not result in a confirmation
response.
Several commenters asserted that the note in the 2022 Proposal
identifying situations where alternative procedures may not be
necessary was not clear, with one commenter indicating that the
analogous exception in existing AS 2310 was clearer because it
addressed audit sampling. In consideration of these comments, the Board
has revised the note to paragraph .C2 of the new standard to clarify
how the exception from performing alternative procedures for selected
items should be applied and revised the footnote in the paragraph to
further explain how the exception is applied in scenarios involving
audit sampling.
The following example further illustrates applying this provision
in an audit: An auditor selects a sample of 50 accounts receivable
invoices for confirmation and receives confirmation responses for 45
invoices that do not indicate a need for the auditor to perform
alternative procedures. For two nonresponses, the auditor performs
alternative procedures and obtains relevant and reliable audit evidence
identifying no misstatements. For the three remaining nonresponses, the
auditor does not perform alternative procedures because the auditor
appropriately determines that, even if the amounts associated with the
invoices were projected as 100 percent misstatements to the population
from which the sample was selected and added to any other accounts
receivable misstatements (i.e., accounts receivable misstatements
identified through audit procedures other than confirmation), the
outcome of the auditor's evaluation performed in accordance with AS
2810.17 would not change.
Another commenter recommended that, for nonresponses, the Board
require that the auditor ``must'' perform alternative procedures that
include examining third-party evidence. This commenter also suggested
that the Board revise the example of alternative procedures for
accounts receivable by removing the phrase ``one or more,'' such that
the auditor would perform all of the procedures identified in the
example (i.e., examining subsequent cash receipts, shipping documents,
and other supporting documentation).
Having considered these comments, the Board believes that, with the
modifications discussed above, the requirements in paragraph .C1 of the
new standard provide appropriate direction regarding when alternative
procedures are required. Additionally, the Board believes that
including examples in paragraph .C2 of alternative procedures that may
provide relevant and reliable audit evidence about selected items,
without mandating specific procedures, is appropriate, as it is
impracticable to describe specific procedures for all scenarios that
could occur in an audit.
Additionally, as discussed above, the Board has modified paragraph
.B2 of the new standard to provide that in circumstances where the
auditor should not use an intermediary to send confirmation requests or
receive confirmation responses, the auditor should send confirmation
requests without the use of an intermediary or, if unable to do so,
perform alternative procedures in accordance with Appendix C of the new
standard. In light of this modification, the Board has added a
reference to paragraph .B2 to Appendix C of the new standard.
Evaluating Results
(See paragraph .31 of the new standard).
The 2022 Proposal did not carry forward a requirement, included in
existing AS 2310, for the auditor to evaluate in the aggregate audit
evidence obtained from performing confirmation procedures and any
alternative procedures. Excluding this requirement from the 2022
Proposal was intended to avoid the duplication of certain requirements
of AS 2810 that discuss the auditor's responsibilities for evaluating
audit results and determining whether the auditor has obtained
sufficient appropriate audit evidence.
As discussed above, however, paragraph .24 of the new standard
allows the auditor to perform audit procedures other than confirmation
for cash and accounts receivable to obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source. The Board therefore decided to remind
the auditor in paragraph .31 of the new standard that the auditor
should evaluate the combined audit evidence provided by confirmation
procedures, alternative procedures, and other procedures to determine
whether sufficient appropriate audit evidence has been obtained in
accordance with AS 2810.
Other Matters
This section addresses certain additional matters that were also
discussed in the 2022 Proposal. In addition, this section discusses
definitions included in the new standard and related amendments to
PCAOB auditing standards.
Management Requests Not To Confirm
Consistent with existing AS 2310, the 2022 Proposal did not
address, nor does the new standard address, situations in which
management requests that the auditor not confirm one or more items.
Several commenters agreed with the approach in the 2022 Proposal
and indicated that auditor responsibilities in such situations are
already addressed by existing PCAOB standards. One commenter suggested
that the Board consider adding a requirement that, if management
requests an auditor not to confirm a certain item, the auditor should
both request management to indicate the reason for the request and, as
appropriate, consider whether the request is indicative of a risk of
material misstatement. Another commenter agreed that the potential
scope limitation or fraud risk from a management request not to confirm
is addressed in other PCAOB standards, but expressed the view that
including guidance in the new standard unique to confirmation would be
appropriate. A different commenter did not suggest changes to the
Board's approach, but observed that management requests not to confirm
are primarily relevant in the financial services industry and that it
had experienced infrequent management requests not to confirm in other
industries.
Having considered the comments received, the Board believes that
existing PCAOB standards appropriately address situations involving
management requests not to confirm. In particular, AS 1301 requires
that the auditor communicate to the audit committee disagreements with
management \73\ and difficulties encountered in performing the audit,
including unreasonable management restrictions encountered by the
auditor on the conduct of the audit (e.g., an unreasonable restriction
on confirming transactions or balances).\74\ AS 3105 also sets forth
requirements regarding limitations on the scope of an audit,\75\
including scope limitations relating to confirmation.\76\
---------------------------------------------------------------------------
\73\ See AS 1301.22.
\74\ See AS 1301.23.
\75\ See AS 3105.05-.17.
\76\ See AS 3105.07.
---------------------------------------------------------------------------
Further, AS 2110 and AS 2401 describe the auditor's
responsibilities regarding identifying, assessing, and responding to
fraud risks. For example, AS 2401.09 states that fraud may be concealed
by withholding evidence. A management request to limit audit
testing by not obtaining external audit evidence through confirmation
could be relevant to the auditor's consideration of fraud risk factors,
including the consideration of management incentives, opportunities,
and rationalization for perpetrating fraud. Considering the
applicability of existing provisions to situations involving management
requests not to confirm, as discussed above, the Board believes that
including analogous requirements in the new standard could lead to
unnecessary duplication of existing requirements and potential
confusion.
Restrictions and Disclaimers
The requirements in the proposed standard relating to the auditor's
evaluation of the reliability of confirmation responses included a
reminder, in the form of a footnote, of the auditor's responsibilities
under AS 1105 as they relate to restrictions and disclaimers. A similar
reminder does not exist in existing AS 2310.
The Board is including this reference to AS 1105.08 as proposed, in
a footnote to paragraph .18 of the new standard. No comments were
received on this aspect of the 2022 Proposal. In accordance with AS
1105.08, the auditor should evaluate the effect of restrictions,
limitations, or disclaimers in confirmation responses on the
reliability of audit evidence.\77\
---------------------------------------------------------------------------
\77\ See AS 1105.08.
---------------------------------------------------------------------------
Direct Access
The 2022 Proposal did not describe direct access as a confirmation
procedure. Existing AS 2310 currently does not address such a
procedure, but the 2010 Proposal had provided that direct access could
be considered a confirmation procedure in certain circumstances.
A few commenters on the 2022 Proposal either agreed with, or
indicated that they did not object to, the Board's stated position that
direct access does not constitute a confirmation procedure. However,
several firms and firm-related groups stated that, when properly
executed, audit evidence obtained by the auditor through direct access
can provide persuasive evidence about the existence of cash. One
commenter recommended that the PCAOB consider aligning with the AICPA's
position on this matter by acknowledging that the auditor's direct
access to information held by a confirming party may meet the
definition of a confirmation procedure when, for example, the
confirming party provides the auditor with the electronic access codes
or other information necessary to access a secure website where data
that addresses the subject matter of the confirmation is held.
Having considered these comments, the Board adopted the new
standard as proposed in relation to direct access.
While direct access does not constitute a confirmation procedure
under the new standard, the new standard provides that the auditor may
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source, as discussed
above.
Definitions
To operationalize the requirements included in the 2022 Proposal,
the proposal included definitions for ``confirmation exception,''
``confirmation process,'' ``confirmation request,'' ``confirmation
response,'' ``confirming party,'' ``negative confirmation request,''
``nonresponse,'' and ``positive confirmation request.''
The Board adopted the definitions as proposed, with certain
modifications discussed below.
Several commenters stated that, in general, the definitions in the
2022 Proposal were sufficiently clear and appropriate. Other commenters
either did not provide comments on the proposed definitions or
suggested certain modifications, as discussed below.
Some commenters stated that the Board should modify the proposed
definition of ``nonresponse'' to reflect that a nonresponse includes a
situation where the auditor does not receive a confirmation response to
a positive confirmation request directly from the intended confirming
party. Having considered this comment, the Board is aligning the
definition of ``nonresponse'' with the definition of ``confirmation
response'' and the requirements of paragraph .16 of the new standard.
This modification clarifies that a confirmation response that is not
received directly from the confirming party would constitute a
nonresponse. The Board has also modified the definition of ``negative
confirmation request'' to use the defined term ``confirmation request''
rather than ``request.''
One commenter proposed modifications to the definitions of
``confirmation exception'' and ``confirmation process'' to specify that
(i) sending a confirmation request may include transmitting the request
in electronic form and (ii) only differences between a confirmation
response and information the auditor obtained from the company that the
auditor had originally sought to confirm constitute a confirmation
exception. Having considered the comment, the Board notes that the
proposed definition of ``confirmation process'' intentionally did not
prescribe the method or methods by which confirmation requests can be
sent and by which confirmation responses can be received, as the
standard is intended to apply to all methods of sending and receiving
confirmation requests and responses. Further, the Board believes that
any instance where information in a confirmation response differs from
information the auditor obtained from the company, even if the
information in the confirmation response was not information that the
auditor originally sought to confirm, should constitute a confirmation
exception. Accordingly, the Board adopted the definition of
``confirmation exception'' as proposed and adopted the definition of
``confirmation process'' as proposed, with one modification to include
``selecting one or more items to be confirmed'' in the definition to
align with the requirements specifically related to the confirmation
process in the new standard.
The 2022 Proposal also indicated that an oral response to a
confirmation request was a nonresponse. One commenter stated that a
video recording of a call between an auditor and an individual at a
confirming party ought not be considered less reliable audit evidence
than a written response from an organization. Another commenter
suggested that the PCAOB define the term ``confirmation'' because the
2022 Proposal stated that an oral response was a nonresponse but did
not provide guidance as to whether other forms of response would be
evidence of confirmation.
As the Board continues to believe that obtaining direct written
communication, in paper or electronic form, from a confirming party is
necessary for a response to constitute a confirmation response, the
Board has not made further modifications to the definition in the new
standard beyond those described above. Accordingly, a video recording
of a call between an auditor and an individual at a confirming party or
an oral response would constitute nonresponses under the new standard,
although the auditor could still consider the relevance and reliability
of the audit evidence provided by a video recording or an oral response
when determining the nature and extent of alternative procedures
required to be performed under the new standard.
Amendments to Related PCAOB Auditing Standards
The Board adopted amendments to several existing PCAOB auditing
standards to align with the new standard.
Amendments to AS 1105
(See paragraph .18 of AS 1105, as amended).
The 2022 Proposal included proposed amendments to AS 1105 to (i)
align the description of a ``confirmation response'' in AS 1105 with
the definition of the same term included in the 2022 Proposal and (ii)
clarify that the terms ``confirmation response,'' ``confirmation
request,'' and ``confirming party,'' as used in AS 1105, have the same
meaning as defined in Appendix A of the 2022 Proposal.
The Board adopted the amendments as proposed.
Existing AS 1105.18 states that ``[a] confirmation response
represents a particular form of audit evidence obtained by the auditor
from a third party in accordance with PCAOB standards.'' The 2022
Proposal used the defined term ``confirming party'' in lieu of ``third
party.'' One commenter suggested retaining the phrase ``third party''
in AS 1105.18 to provide further clarity. The Board is not using this
term because the new standard describes a confirming party as ``a third
party, whether an individual or an organization, to which the auditor
sends a confirmation request,'' thus making it clear that a confirming
party is a third party.
Another commenter suggested that the Board strike the word
``independent'' from AS 1105.08, which states that ``[e]vidence
obtained from a knowledgeable source that is independent of the company
is more reliable than evidence obtained only from internal company
sources.'' This commenter asserted that, although confirmation evidence
may be more reliable, it is not truly ``independent.'' The Board is not
striking the word ``independent'' from AS 1105.08 as it believes the
concept expressed in AS 1105.08 is well understood by auditors and does
not purport to be a definitive statement about the ``independence'' of
evidence from a confirming party.
Amendments to AS 1301
(See Appendix B to AS 1301, as amended).
The 2022 Proposal included a proposed requirement for the auditor
to communicate to the audit committee instances in which the auditor
has determined that the presumption to confirm accounts receivable has
been overcome and the basis for the auditor's determination. The 2022
Proposal included a conforming amendment to AS 1301 that would refer to
the proposed requirement.
The Board adopted the conforming amendment to AS 1301 that refers
to the audit committee communication requirement contained in the new
standard. The required communication with the audit committee about the
auditor's response to significant risks associated with cash or
accounts receivable when the auditor did not perform confirmation
procedures or otherwise obtain audit evidence by directly accessing
information maintained by a knowledgeable external source is discussed
above.
Amendments to AS 2401
(See paragraphs .54 and .66A of AS 2401, as amended).
The 2022 Proposal included a proposed amendment to AS 2401 to refer
to the title of the confirmation standard as proposed in the 2022
Proposal (i.e., ``The Auditor's Use of Confirmation'').
The Board adopted the amendment as proposed and adopted an
additional conforming amendment to AS 2401, as discussed below.
One commenter suggested that the Board consider a conforming
amendment to AS 2401 to acknowledge a requirement in proposed paragraph
.15 to consider confirming terms of the transaction for significant
risks of material misstatement associated with either a complex
transaction or significant unusual transaction. Having considered the
comment, the Board adopted a conforming amendment to the note to AS
2401.66A to remind the auditor of the requirement in paragraph .30 of
the new standard that for significant risks of material misstatement
associated with either a complex transaction or a significant unusual
transaction, the auditor should consider confirming those terms of the
transaction that are associated with a significant risk of material
misstatement, including a fraud risk.
Amendments to AS 2510
(See paragraph .14 of AS 2510, as amended).
AS 2510.14 includes a statement that ``if inventories are in the
hands of public warehouses or other outside custodians, the auditor
ordinarily would obtain direct confirmation in writing from the
custodian.'' The 2022 Proposal included a proposed amendment to AS 2510
to remind auditors that AS 2310 establishes requirements for the
auditor's use of confirmation.
The Board adopted the amendment as proposed.
One commenter stated that the Board should address the confirmation
of inventory in the new standard instead of making conforming
amendments to AS 2510. The Board continues to believe that including
requirements related to inventory in a single standard is appropriate.
However, the Board acknowledges that AS 2510.14 includes two
requirements related to the confirmation of inventory. First, AS
2510.14 provides that ``[i]f inventories are in the hands of public
warehouses or other outside custodians, the auditor ordinarily would
obtain direct confirmation in writing from the custodian.'' Second, AS
2510.14 further states that the auditor should perform one or more of
four additional procedures, as considered necessary by the auditor, if
such inventories represent a significant proportion of current or total
assets. One such procedure is to confirm pertinent details of pledged
receipts with lenders (on a test basis, if appropriate), if warehouse
receipts have been pledged as collateral. The Board has added a cross-
reference to AS 2510 in footnote 4 of the new standard to clarify that
AS 2510 also includes auditor responsibilities relevant to the
auditor's use of confirmation.
Amendments to AS 2605
(See paragraphs .22 and .27 of AS 2605, as amended).
AS 2605.22 includes a statement that ``for certain assertions
related to less material financial statement amounts where the risk of
material misstatement or the degree of subjectivity in the valuation of
the audit evidence is low, the auditor may decide, after considering
the circumstances and the results of work (either test of controls or
substantive tests) performed by internal auditors on those particular
assertions, the audit risk has been reduced to an acceptable level and
that testing of the assertions directly by the auditor may not be
necessary.'' The paragraph then includes assertions about the existence
of cash, prepaid assets, and fixed-asset additions as examples of
assertions that might have a low risk of material misstatement or
involve a low degree of subjectivity in the evaluation of audit
evidence.
The 2022 Proposal included a proposed amendment to strike the word
``cash'' from AS 2605.22 to avoid confusion, as the 2022 Proposal
required the auditor to perform
confirmation procedures in respect of cash.
In addition, the 2022 Proposal included a proposed amendment to
acknowledge in paragraph .27 of AS 2605, which discusses using internal
auditors to provide direct assistance to the auditor, the proposed
restrictions on the use of internal audit in a direct assistance
capacity in the confirmation process.
The Board adopted the amendments substantially as proposed, with
certain modifications discussed below.
One commenter indicated that the proposed amendment to AS 2605.22
(i.e., striking the word ``cash'' from the list of accounts that might
have a low risk of material misstatement), inappropriately assumed that
there is always a heightened risk of fraud related to cash accounts in
all audit engagements. Having considered the comment, the Board notes
that neither the 2022 Proposal nor the new standard suggests that there
is heightened risk of fraud associated with cash in every engagement.
However, the Board believes that where an auditor identifies a risk of
material misstatement for cash (i.e., where cash is a significant
account) it is necessary for the auditor to perform confirmation
procedures or otherwise obtain relevant and reliable audit evidence by
directly accessing information maintained by a knowledgeable external
source in respect of cash. Accordingly, the Board continues to believe
that the conforming amendment to AS 2605.22 is appropriate.
Another commenter indicated that the proposed amendment to AS
2605.27 would not be necessary should the Board adopt the commenter's
other recommendation to remove the proposed restrictions regarding the
use of internal audit in the new standard. As discussed above, the
Board continues to believe that in order to maintain control over the
confirmation process the auditor should select items to be confirmed,
send confirmation requests, and receive confirmation responses. The
Board modified the conforming amendments to AS 2605.27, however, to
align with paragraph .15 of the new standard.
Effective Date
The Board determined that the amendments will take effect, subject
to approval by the SEC, for audits of financial statements for fiscal
years ending on or after June 15, 2025.
As part of the 2022 Proposal, the Board sought comment on the
amount of time auditors would need before the proposed standard and
related amendments would become effective, if adopted by the Board and
approved by the SEC. Many commenters, primarily firms and firm-related
groups, supported an effective date of no earlier than two years after
SEC approval, which some commenters indicated would give firms the
necessary time to update firm methodologies and to develop and
implement training. Additionally, as part of recommending an effective
date no earlier than two years after SEC approval, a number of
commenters observed that confirmation procedures are often performed as
part of interim procedures and that, as a result, the new standard will
impact engagement teams during the period under audit. Some commenters
also stated that intermediaries involved in the confirmation process
may also need to update their processes and controls as a result of the
new standard. One commenter supported an effective date three years
after SEC approval, while citing reasons similar to those expressed by
commenters who supported an effective date of no earlier than two years
after SEC approval.
The Board recognizes the preferences expressed by commenters.
Nonetheless, having considered the requirements of the new standard, as
well as the extent of differences between the new standard and AS 2310
and our understanding of firms' current practices, the Board believes
that the effective date for fiscal years ending on or after June 15,
2025, will provide auditors with a reasonable period of time to
implement the new standard and related amendments, without unduly
delaying the intended benefits resulting from these improvements to
PCAOB standards, and is consistent with the Board's mission to protect
investors and protect the public interest.
D. Economic Considerations and Application to Audits of Emerging Growth
Companies
The Board is mindful of the economic impacts of its standard
setting. This section describes the economic baseline, need, and
expected economic impacts of the new standard, as well as alternative
approaches considered by the Board. Because there are limited data and
research findings available to estimate quantitatively the economic
impacts of the new standard, the economic analysis is largely
qualitative in nature.
Baseline
Important components of the baseline against which the economic
impact of the new standard can be considered are described above,
including the Board's existing standard governing the audit
confirmation process, firms' current practices when performing
confirmation procedures, and observations from the Board's inspections
program and enforcement cases. The Board discusses below two additional
components that inform its understanding of the economic baseline: (i)
the PCAOB staff's analysis of audit firm methodologies and the use of
technology-based tools in the confirmation process, and (ii) a summary
of academic and other literature on the confirmation process.
Auditing Practices Related to the Confirmation Process
Through its inspection and other oversight activities, the PCAOB
has access to sources of information that help inform its understanding
of how firms currently engage in the confirmation process. As part of
this standard-setting project, the PCAOB staff has reviewed a selection
of firms' audit methodologies, as well as other information about
firms' use of technology-based tools when performing confirmation
procedures. While this information is not a random sample that can be
extrapolated accurately across all registered public accounting firms,
the Board is able to make some general inferences that help inform
development of the economic baseline.
PCAOB Staff Analysis of Audit Methodologies
PCAOB staff has reviewed the methodologies of selected registered
public accounting firms to determine how they currently address the
confirmation process and the extent to which changes to those
methodologies will be necessary to implement the new standard.
Specifically, the staff compared methodologies of selected global
network firms (``GNFs'') \78\ and some methodologies commonly used by
U.S. non-affiliate firms (``NAFs''),\79\ which are smaller than GNFs,
to existing AS 2310 as well as to the new standard. The review focused
on the following aspects of the new standard which represent more
notable changes relative to existing AS 2310:
---------------------------------------------------------------------------
\78\ GNFs are the member firms of the six global accounting firm
networks (BDO International Ltd., Deloitte Touche Tohmatsu Ltd.,
Ernst & Young Global Ltd., Grant Thornton International Ltd., KPMG
International Ltd., and PricewaterhouseCoopers International Ltd.).
\79\ NAFs are both U.S. and non-U.S. accounting firms registered
with the Board that are not GNFs. Some of the NAFs belong to
international networks.
---------------------------------------------------------------------------
- Substantive procedures for confirming cash and cash
  equivalents (paragraphs .24, .26, and .29);
- Substantive procedures for confirming accounts receivable
  (paragraphs .24-.25 and .27);
- The auditor's use of negative confirmation requests
  (paragraphs .12-.13);
- Maintaining control over the confirmation process,
  including when an intermediary is used (paragraphs .14-.17 and
  Appendix B); and
- Other areas addressed in the new standard, including the
  evaluation of the reliability of confirmation responses (paragraphs
  .18-.19), and the performance of alternative procedures (Appendix C).
For the GNF methodologies reviewed, PCAOB staff observed that the
methodologies generally reflect requirements in existing AS 2310 and
other auditing standards on external confirmation, such as ISA 505 and
AU-C 505. In addition, some of the methodologies already incorporate
certain concepts included in the new standard, although revisions to
the methodologies will nonetheless be needed to implement the new
standard.
Specifically, some GNF methodologies, but not all, include
requirements for confirmation of cash and cash equivalents held by
third parties similar to the new requirements described in the new
standard. Other GNF methodologies suggest, but do not require, that
engagement teams consider specific confirmation procedures for cash and
cash equivalents held by third parties. GNF methodologies for
confirmation of accounts receivable are generally consistent with
existing AS 2310. Some also include guidance that is similar in certain
respects to the requirements in the new standard when the auditor is
unable to obtain relevant and reliable audit evidence through
confirmation procedures. With respect to negative confirmation
requests, GNF methodologies acknowledge that negative confirmation
requests provide less persuasive evidence than positive confirmation
requests. However, some GNF methodologies still allow the use of
negative confirmation requests as the sole substantive procedure under
certain conditions.\80\
---------------------------------------------------------------------------
\80\ See AS 2310.20 for these conditions.
---------------------------------------------------------------------------
The PCAOB staff also observed that GNF methodologies generally
include guidance on maintaining control over the confirmation process,
using intermediaries to facilitate the electronic transmission of
confirmation requests, and assessing controls at the intermediaries.
The firms' guidance in this area focuses on the performance of audit
procedures to ensure that the electronic confirmation process occurs in
a secure and controlled environment and that confirmation responses
received are reliable. For example, the methodologies of some firms
provide that an auditor may obtain a SOC report that would assist the
engagement team in assessing the design and operating effectiveness of
the intermediary's controls that address the risk of interception and
alteration of confirmation requests and responses. Finally, although
current GNF methodologies include guidance on the other areas being
modernized or clarified in the new standard, GNFs may be required to
make certain modifications to their methodologies to conform to the new
standard, such as whether to perform alternative procedures.
For the NAF methodologies reviewed, the PCAOB staff observed that
the methodologies generally align with existing AS 2310 across each of
the areas studied, but include some guidance related to the new
requirements in the new standard. For example, in some of the NAF
methodologies, the confirmation of cash and cash equivalents held by
third parties is a consideration but not a requirement. In other NAF
methodologies, the confirmation of cash and cash equivalents held by
third parties and negative confirmation requests are not discussed at
all. NAF methodologies for confirmation of accounts receivable are
generally consistent with existing AS 2310. Some include guidance that
is similar in certain respects to the requirements described in the new
standard when the auditor is unable to obtain relevant and reliable
audit evidence through confirmation procedures.
The NAF methodologies also generally include guidance on
maintaining control, using intermediaries in the confirmation process,
and assessing controls at the intermediaries. Similar to GNF
methodologies, NAF guidance in this area focuses on the performance of
audit procedures to ensure that the electronic confirmation process
occurs in a secure and controlled environment and that confirmation
responses received are reliable. For example, a firm's methodology may
provide that an auditor may obtain a SOC report that would assist the
engagement team in assessing the design and operating effectiveness of
the intermediary's controls that address the risk of interception and
alteration of confirmation requests and responses.
Commenters on the 2022 Proposal did not provide additional
information on firm methodologies beyond the staff's analysis. In
general, the PCAOB staff's review indicates that all firms will likely
need to revise their methodologies to some extent to implement the new
standard. For example, all firms will need to update their
methodologies to ensure that negative confirmation requests are not
used as the sole source of audit evidence. NAF methodologies will
likely require more revisions than the GNF methodologies, which have
incorporated certain concepts included in the new standard.
Use of Technology-Based Tools
The PCAOB staff has also reviewed information collected through
PCAOB oversight activities on firms' use of technology-based tools in
the confirmation process. The staff's review focused primarily on the
use of technology-based tools by GNFs, but also encompassed certain
technology-based tools used by some NAFs. In addition, the review
encompassed information on both proprietary technology-based tools that
firms have developed internally and third-party or ``off-the-shelf''
tools that firms purchase and use (in certain cases, with further
customizations) to assist in performing confirmation procedures as part
of the audit process. The staff found that the number of technology-
based tools used in the confirmation process varies across firms, and
also varies based on the facts and circumstances of specific
engagements. Generally speaking, firms allow engagement teams to select
a tool but do not provide that the use of one or more tools is
required.
Both GNFs and NAFs within the scope of the PCAOB staff's review use
third-party tools to automate certain confirmation procedures, or to
independently verify balances, terms of arrangements, or other
information under audit. GNFs appear to be more likely to invest in
customizing off-the-shelf tools they have purchased to their particular
environment. For example, such modifications may permit a firm to
automate the reconciliation of confirmed balances to client records. In
comparison, NAFs tend to use the off-the-shelf tools without
customization.
The PCAOB staff's review also found that GNFs have developed
proprietary applications to facilitate various aspects of the
confirmation process, whether conducted manually or electronically.
These applications may facilitate the preparation of confirmation
requests, their dissemination to recipients (including the preparation
of logs to track confirmation requests and receipts), and the analysis
of confirmation responses to determine
their completeness and accuracy. GNFs have also developed tools used
when auditing specific accounts, other than cash and accounts
receivable, where confirmation may provide audit evidence. For example,
tools are used to prepare, log, and track confirmation requests and
responses for various deposit, loan, and liability accounts.
As discussed above, auditors or confirming parties may engage an
intermediary to facilitate the direct electronic transmission of
confirmation requests and responses between the auditor and the
confirming party.\81\ In one area, market forces have influenced firms'
willingness to use an intermediary: a majority of financial
institutions will only respond to confirmation requests through a
centralized process and with a specified intermediary. As a result, all
firms' methodologies required, and in practice firms did use, the
specified intermediary in these circumstances.
---------------------------------------------------------------------------
\81\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
The PCAOB staff has observed diverse practices related to the
procedures auditors perform to support their reliance on an
intermediary's controls when establishing direct communication between
the auditor and the confirming party.\82\ In some situations where the
procedures performed included obtaining a SOC report, the staff has
observed insufficient evaluation of SOC reports, lack of consideration
of the period covered and complementary user entity controls, and
insufficient coordination of procedures performed centrally by the
audit firm and by the engagement team.\83\
---------------------------------------------------------------------------
\82\ Id.
\83\ Id.
---------------------------------------------------------------------------
These observations suggest that there may be a need for uniform
guidance for situations involving the use of intermediaries. For
example, enhanced procedures to be performed when auditors place
reliance on an intermediary's controls could help address the risk of
interception and alteration of communications between the auditor and
the company and address the risk of override of the intermediary's
controls by the company.
Commenters did not provide information about firms' use of
technology-based tools that contradicted the staff's assessment. One
commenter stated that some larger audit firms have established
confirmation centers to centralize the sending and receiving of
confirmation requests. Another commenter cited a study that noted the
use of robotic process automation for confirming accounts receivable by
a GNF.\84\
---------------------------------------------------------------------------
\84\ See Feiqi Huang and Milos A. Vasarhelyi, Applying Robotic
Process Automation (RPA) in Auditing: A Framework, 35 International
Journal of Accounting Information Systems 100433, 100436 (2019).
---------------------------------------------------------------------------
Literature on the Confirmation Process
There is limited data on auditor confirmation decisions and
research findings on the confirmation process.\85\ The literature
documents that confirmation is ``extensively used'' and that
confirmation responses received directly from a third party are often
perceived by practitioners to be among ``the most persuasive forms of
audit evidence.'' \86\ Consistent with the PCAOB staff's observations
from PCAOB oversight activities,\87\ studies find that the use of
electronic confirmation has become prevalent.\88\ One study also
observes that current U.S. auditing standards do not fully address how
auditors should authenticate confirmations sent or received
electronically, and asserts that there is a need for audit guidance
related to electronic forms of evidence.\89\ Further, an earlier study
reviews enforcement actions described in the SEC's Accounting and
Auditing Enforcement Releases and concludes that additional direction
regarding when cash and accounts receivable confirmation requests are
required or recommended may be needed.\90\ Additionally, the literature
suggests that more guidance may be necessary to identify when the risk
is sufficiently low to justify the use of negative confirmation
requests in certain areas.\91\ Moreover, an article on bank
confirmation advocates a risk-based approach to the determination of
confirmation procedures.\92\ Finally, a study finds that ``anecdotal
evidence and some research suggest confirmation response rates are
declining.'' \93\ Commenters did not provide information contradicting
the staff's summary of the relevant literature.
---------------------------------------------------------------------------
\85\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A
Summary of Research and Enforcement Release Evidence on Confirmation
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory
253, 254 (2008).
\86\ See id. at 253.
\87\ See Spotlight: Data and Technology Research Project Update
(May 2021), available at https://pcaobus.org/resources/staff-publications. See also Spotlight: Observations and Reminders on the
Use of a Service Provider in the Confirmation Process (Mar. 2022),
available at https://pcaobus.org/resources/staff-publications.
\88\ See, e.g., Paul Caster, Randal J. Elder, and Diane J.
Janvrin, An Exploration of Bank Confirmation Process Automation: A
Longitudinal Study, 35 Journal of Information Systems 1, 5 (2021).
\89\ See id. at 2.
\90\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A
Summary of Research and Enforcement Release Evidence on Confirmation
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory
253, 261-62 (2008).
\91\ See id. at 266.
\92\ See L. Ralph Piercy and Howard B. Levy, To Confirm or Not
to Confirm-Risk Assessment is the Answer, 91 The CPA Journal 54, 54
(2021).
\93\ See Paul Caster, Randal J. Elder, and Diane J. Janvrin, A
Summary of Research and Enforcement Release Evidence on Confirmation
Use and Effectiveness, 27 Auditing: A Journal of Practice & Theory
253, 254 (2008). The PCAOB staff has also observed that the use of
electronic confirmation may affect the confirmation response rate.
See Spotlight: Data and Technology Research Project Update (May
2021), available at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
Accordingly, the academic literature is consistent with the
conclusion that the Board's auditing requirements for the confirmation
process should (i) accommodate electronic communications and address
the implications of using an intermediary, (ii) address the
confirmation of cash and accounts receivable, (iii) limit the use of
negative confirmation requests, and (iv) align with the PCAOB's risk
assessment standards.
Need
Several attributes of the audit market support a need for the PCAOB
to establish effective audit performance standards. First, the company
under audit, investors, and other financial statement users cannot
easily observe the services performed by the auditor or the quality of
the audit. This leads to a risk that, unbeknownst to the company,
investors, or other financial statement users, the auditor may perform
a low-quality audit.\94\
---------------------------------------------------------------------------
\94\ See, e.g., Monika Causholli and Robert W. Knechel, An
Examination of the Credence Attributes of an Audit, 26 Accounting
Horizons 631, 632 (2012): During the audit process, the auditor is
responsible for making decisions concerning risk assessment, total
effort, labor allocation, and the timing and extent of audit
procedures that will be implemented to reduce the residual risk of
material misstatements. As a non-expert, the auditee may not be able
to judge the appropriateness of such decisions. Moreover, the
auditee may not be able to ascertain the extent to which the risk of
material misstatement has been reduced even after the audit is
completed. Thus, information asymmetry exists between the auditee
and the auditor, the benefit of which accrues to the auditor. If
such is the case, the auditor may have incentives to: Under-audit,
or expend less audit effort than is required to reduce the
uncertainty about misstatements in the auditee's financial
statements to the level that is appropriate for the auditee.
---------------------------------------------------------------------------
Second, the federal securities laws require that an issuer retain
an auditor for the purpose of preparing or issuing an audit report.
While the appointment, compensation, and oversight of the work of the
registered public accounting
[[Page 71715]]
firm conducting the audit is, under the Act, entrusted to the issuer's
audit committee,\95\ there is nonetheless a risk that the auditor may
seek to satisfy the interests of the issuer audit client rather than
the interests of investors and other financial statement users.\96\
This risk can arise out of an audit committee's identification with the
company or its management (e.g., for compensation) or through
management's exercise of influence over the audit committee's
supervision of the auditor, which can result in a de facto principal-
agent relationship between the company and the auditor.\97\ Effective
auditing standards help to address these risks by explicitly assigning
responsibilities to the auditor that, if executed properly, are
expected to lead to high-quality audits that satisfy the interests of
audited companies, investors, and other financial statement users.
---------------------------------------------------------------------------
\95\ See Section 301 of the Act, 15 U.S.C. 78f(m). As an
additional safeguard, the auditor is also required to be independent
of the audit client. See 17 CFR 210.2-01.
\96\ See, e.g., Joshua Ronen, Corporate Audits and How to Fix
Them, 24 Journal of Economic Perspectives 189 (2010).
\97\ See id.; see also, e.g., Liesbeth Bruynseels and Eddy
Cardinaels, The audit committee: Management watchdog or personal
friend of the CEO?, 89 The Accounting Review 113 (2014); Cory
Cassell, Linda Myers, Roy Schmardebeck, and Jian Zhou, The
Monitoring Effectiveness of Co-Opted Audit Committees, 35
Contemporary Accounting Research 1732 (2018); Nathan Berglund,
Michelle Draeger, and Mikhail Sterin, Management's Undue Influence
over Audit Committee Members: Evidence from Auditor Reporting and
Opinion Shopping, 41 Auditing: A Journal of Practice & Theory 49
(2022).
---------------------------------------------------------------------------
This section discusses the specific problem that the new standard
is intended to address and explains how the new standard is expected to
address it.
Problem To Be Addressed
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
In situations where audit evidence can be obtained from a
knowledgeable external source, the resulting audit evidence is likely
to be more reliable than audit evidence obtained only from internal
company sources. For evidence obtained through confirmation to be
reliable, the confirmation process must be properly executed. Proper
execution involves assessing the reliability of a confirmation response
and performing robust, additional alternative procedures when the
auditor is unable to determine that a confirmation response is
reliable. Similarly, proper execution may entail the performance of
alternative procedures when the auditor is unable to identify a
confirming party, the auditor does not receive a confirmation response
from the intended confirming party, or the confirmation response is
incomplete.
As discussed above, the PCAOB staff has observed situations where
auditors did not perform procedures to assess the reliability of
confirmation responses or, where applicable, perform sufficient
alternative procedures.\98\ In addition, the staff has noted that, in
the case of some financial reporting frauds, the company's misconduct
possibly could have been detected at an earlier point in time had the
auditor made an appropriate assessment of the reliability of
confirmation responses received, or performed additional procedures
needed to obtain reliable audit evidence.\99\ These observations
suggest a need for enhancements to auditing standards to more clearly
address those situations where confirmation can be expected to provide
reliable audit evidence, including the requirements for evaluating the
reliability of confirmation responses and, if appropriate, performing
alternative procedures.
---------------------------------------------------------------------------
\98\ See above for observations from the PCAOB's audit
inspections and from SEC enforcement cases.
\99\ See also Diane Janvrin, Paul Caster, and Randy Elder,
Enforcement Release Evidence on The Audit Confirmation Process:
Implications for Standard Setters, 22 Research in Accounting
Regulation 1, 10 (2010).
---------------------------------------------------------------------------
Developments in Practice
There are areas of the confirmation process where developments in
practice have outpaced existing requirements in the Board's auditing
standards. In particular, existing AS 2310 does not reflect significant
changes in technology and the methods by which auditors perform the
confirmation process, including the use of electronic communication and
the involvement of third-party intermediaries.
Regulatory standards that do not reflect changes in practice may
lead to inconsistency in their application, potential
misinterpretation, and ineffective regulatory intervention. For
example, the PCAOB staff has observed diverse practices and audit
deficiencies related to the procedures performed by auditors to support
their use of an intermediary to facilitate the electronic transmission
of confirmation requests and confirmation responses with confirming
parties.\100\
---------------------------------------------------------------------------
\100\ See Spotlight: Observations and Reminders on the Use of a
Service Provider in the Confirmation Process (Mar. 2022), available
at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
How the New Standard Addresses the Need
The new standard helps address the need by (i) strengthening
requirements in certain areas to focus on the need to obtain reliable
audit evidence from the confirmation process; and (ii) modernizing
existing AS 2310 to accommodate certain developments in practice,
including the use of electronic communications and intermediaries. The
new standard is expected to promote consistent and effective practice
relating to the confirmation process in audits subject to PCAOB
standards, reducing the risk of low-quality audits caused by (i) the
lack of observability of audit quality and (ii) the influence of the
auditor-client relationship discussed above.
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
The new standard strengthens the Board's requirements in certain
areas to focus on the need to obtain reliable audit evidence when
executing the confirmation process. Specifically, the new standard
includes a presumption for the auditor to confirm certain cash and cash
equivalents held by third parties, or otherwise obtain relevant and
reliable audit evidence by directly accessing information maintained by
a knowledgeable external source. In addition, the new standard
strengthens the requirements for evaluating the reliability of
confirmation responses. It also continues to emphasize the importance
of maintaining control over the confirmation process and provides
additional examples of information that indicates that a confirmation
request or response may have been intercepted and altered. When
confirmation responses are deemed to be unreliable, the auditor is
directed to perform alternative procedures to obtain audit evidence.
Moreover, as discussed above, electronic communications likely have
reduced the efficacy of negative confirmation requests. Under the new
standard, the auditor is not able to use negative confirmation requests
as the sole substantive procedure for addressing the risk of material
misstatement for a financial statement assertion.
Developments in Practice
Under the new standard, the requirement to maintain control over
the confirmation process addresses both traditional and newer, more
prevalent forms of communication between the auditor and confirming
parties, including emailed confirmation requests and responses and
intermediaries facilitating electronic communication of confirmation
requests and responses. The new standard is intended to apply to
methods of confirmation currently in
[[Page 71716]]
use and to be flexible enough to apply to new methods that may arise
from technological changes in auditing in the future.
The new standard emphasizes that in general, evidence obtained from
a knowledgeable external source is more reliable than evidence obtained
only from internal company sources. For cash and accounts receivable,
if the auditor is able to perform audit procedures other than
confirmation that allow the auditor to obtain audit evidence by
directly accessing information maintained by knowledgeable external
sources, such audit evidence could be as persuasive as audit evidence
obtained through confirmation procedures, and the new standard allows
the auditor to perform such procedures. Accordingly, to the extent that
there are newer tools available to auditors now or in the future that
enable them to obtain such audit evidence directly, the new standard
would accommodate their use and future development.
Economic Impacts
This section discusses the expected benefits and costs of the new
standard and potential unintended consequences. Overall, the Board
expects that the economic impact of the new standard, including both
benefits and costs, will be relatively modest, especially for those
firms that have already incorporated into practice some of the new
requirements. The Board also expects that the benefits of the new
standard will justify the costs and any unintended negative effects.
Benefits
The Board expects the new standard to improve the consistency and
effectiveness of the confirmation process, reducing the risk of low-
quality audits caused by (i) the lack of observability of audit quality
and (ii) the influence of the auditor-client relationship discussed
above. Specifically, there exists a risk that, unbeknownst to the
company under audit, investors, or other financial statement users, the
auditor may perform a low-quality audit since audit quality is
difficult to observe. In addition, some auditors may aim to satisfy the
interests of the company or their own financial interests rather than
the interests of investors and other financial statement users--
interests that may lead them to perform insufficiently rigorous
confirmation procedures to minimize the burden on clients and their
counterparties to respond to confirmations, or to minimize audit costs.
The new standard helps to mitigate these risks in the audit
confirmation process by strengthening and modernizing the requirements
for the auditor regarding the design and execution of the confirmation
process. Specifically, a confirmation process designed and executed
under the new standard should benefit investors and other users of
financial statements by reducing the likelihood that financial
statements are materially misstated, whether due to error or fraud.
Some commenters explicitly stated that the requirements described in
the 2022 Proposal would improve the consistency of confirmation
practices and enhance audit quality.
The enhanced quality of audits and financial information available
to financial markets should also increase investor confidence in
financial statements. In general, investors may use the more reliable
financial information to improve the efficiency of their capital
allocation decisions (e.g., investors may reallocate capital from less
profitable companies to more profitable companies). Investors may also
perceive less risk in capital markets generally, leading to an increase
in the supply of capital. An increase in the supply of capital could
increase capital formation while also reducing the cost of capital to
companies.\101\
---------------------------------------------------------------------------
\101\ See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo,
and Yanyan Wang, Effects of audit quality on earnings management and
cost of equity capital: Evidence from China, 28 Contemporary
Accounting Research 892, 921 (2011); Richard Lambert, Christian
Leuz, and Robert E. Verrecchia, Accounting Information, Disclosure,
and the Cost of Capital, 45 Journal of Accounting Research 385, 410
(2007).
---------------------------------------------------------------------------
Auditors also are expected to benefit from the new standard,
because the additional clarity provided by the new standard (e.g., the
accommodation of current practices, including the use of electronic
communications and intermediaries) will reduce regulatory uncertainty
and the associated compliance costs. Specifically, the new standard
provides auditors with a better understanding of their responsibilities
and the Board's expectations.
The following discussion describes the benefits of key changes to
existing confirmation requirements that are expected to impact auditor
behavior. As discussed above, the changes aim to (1) enhance the
auditor's focus on obtaining reliable audit evidence from the
confirmation process, and (2) accommodate certain developments in
practice. As further discussed below, the changes that enhance the
auditor's focus on obtaining reliable audit evidence are expected to
strengthen confirmation procedures for cash held by third parties,
promote consistency in practice, improve the reliability of
confirmation responses, improve the quality of audit evidence, and
increase the auditor's likelihood of identifying potential financial
statement fraud. The changes that accommodate developments in practice
are expected to clarify the auditor's responsibilities regarding the
use of electronic communications in the confirmation process,
standardize the procedures that auditors perform to support their use
of intermediaries, and allow for the use or development of more
sophisticated and effective technology-based auditing tools. To the
extent that a firm has already implemented certain of the provisions of
the new standard into its firm methodology, the benefits described
below will be reduced.
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
The new standard should benefit investors and other users of a
company's financial statements by placing additional emphasis on the
auditor's need to obtain reliable audit evidence when performing
confirmation procedures. In this regard, the new standard: (1)
identifies certain accounts for which the auditor should perform
confirmation procedures, (2) enhances the requirements for assessing
the reliability of confirmation responses, (3) addresses the
performance of alternative procedures when the auditor is unable to
obtain relevant and reliable audit evidence through confirmation, (4)
strengthens requirements regarding the use of negative confirmation
requests, and (5) specifies certain activities in the confirmation
process that should be performed by the auditor and not by other
parties.
Specifically, the new presumption for the auditor to confirm
certain cash and cash equivalents held by third parties or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source may reduce
the risk of material errors in financial statements and strengthen
investor protection to the extent that auditors are not already
confirming cash pursuant to their existing audit methodologies.\102\
This requirement also
[[Page 71717]]
specifies that the extent of audit evidence to obtain through cash
confirmation procedures should be based on the auditor's understanding
of the company's cash management and treasury function.
---------------------------------------------------------------------------
\102\ As discussed above, the PCAOB staff's review of firm
methodologies indicated that some firms are already confirming cash
balances, while other firms' methodologies do not require auditors
to perform procedures beyond those required by AS 2310. The growth
in corporate cash holdings also highlights the need to confirm cash
and cash equivalents. See, e.g., Kevin Amess, Sanjay Banerji, and
Athanasios Lampousis, Corporate Cash Holdings: Causes and
Consequences, 42 International Review of Financial Analysis 421, 422
(2015).
---------------------------------------------------------------------------
The standard does not require that all cash accounts or all
accounts receivable should be selected for confirmation. The auditor's
assessment of the risk of material misstatement is an important
consideration when designing audit procedures, including the use of
confirmation. Consistent with the objective of the new standard, the
requirement to confirm cash and accounts receivable, or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source, only applies
when the auditor has determined that these accounts are significant
accounts. Further, for both cash and accounts receivable, the new
standard specifies that the auditor should take into account the
auditor's understanding of the substance of a company's arrangements
and transactions with third parties when selecting the individual items
to confirm. These provisions in the new standard should encourage the
auditor to determine the extent of confirmation procedures with regard
to an assessment of the risk of material misstatement and avoid more
work than necessary to obtain sufficient appropriate audit evidence.
However, to the extent that cash or accounts receivable fall within
the scope of the new standard, the new standard strengthens the
requirement to obtain relevant and reliable audit evidence, whether
through performing confirmation procedures or otherwise obtaining audit
evidence by directly accessing information maintained by a
knowledgeable external source. At the same time, the new standard also
addresses situations where, based on the auditor's experience,
confirmation would not be feasible for accounts receivable. The
additional clarity provided by these requirements in the new standard
should reduce uncertainty in auditor responsibilities and promote
consistency in practice with respect to the confirmation of cash and
accounts receivable.
The new standard strengthens requirements addressing the
reliability of confirmation responses by describing information that
the auditor should take into account when evaluating the reliability of
confirmation responses and providing examples of information that
indicates that a confirmation request or response may have been
intercepted or altered. These requirements are expected to improve the
reliability of confirmation responses and therefore increase the
quality of the audit evidence obtained by the auditor.
The requirement to communicate to the audit committee instances
where, for significant risks associated with cash or accounts
receivable, the auditor did not perform confirmation procedures or
obtain audit evidence by directly accessing information maintained by a
knowledgeable external source is expected to reinforce the auditor's
obligation to exercise due professional care in determining not to
perform confirmation procedures or otherwise obtain audit evidence by
directly accessing information maintained by a knowledgeable external
source.
The new standard also expands on the existing requirement to
address the auditor's potential need to apply alternative procedures.
The enhanced requirements for alternative procedures provide a greater
level of detail and clarity to auditors for situations that are not
currently addressed explicitly in existing AS 2310, potentially raising
the quality of evidence obtained by auditors.
Under the new standard, the auditor may only use negative
confirmation requests to supplement other substantive audit procedures;
negative confirmation requests may not be used as the sole substantive
audit procedure. As discussed above, the amount of electronic
correspondence has increased dramatically over the years, leading to an
increased likelihood that a negative confirmation request would not be
appropriately considered by the confirming party and, therefore, would
provide less persuasive audit evidence. The new standard addresses this
issue by providing examples of situations in which negative
confirmation requests, in combination with the performance of other
substantive audit procedures, may provide sufficient appropriate audit
evidence. As negative confirmation requests cannot be the sole source
of audit evidence obtained, insofar as the new standard affects
practice, the overall quality of audit evidence obtained by the auditor
likely will increase.\103\
---------------------------------------------------------------------------
\103\ The Board understands through its oversight activities
that few, if any, GNFs use negative confirmation requests as the
sole substantive procedure in practice. As discussed above, however,
the PCAOB staff's firm methodology review suggests that all the GNFs
and NAFs reviewed will need to update their methodologies to ensure
that negative confirmation requests are not used as the sole source
of audit evidence.
---------------------------------------------------------------------------
Overall, the additional requirements and examples discussed above
are expected to improve the reliability of confirmation responses and,
therefore, increase the quality of the audit evidence obtained by the
auditor. By introducing a new requirement to confirm certain cash
balances (or otherwise obtain relevant and reliable audit evidence by
directly accessing information maintained by a knowledgeable external
source) and enhancing the requirements for evaluating the reliability
of confirmation responses, the new standard may also increase the
auditor's likelihood of identifying potential financial statement
fraud. Early detection of accounting fraud is an important aspect of
investor protection because such fraud can cause significant harm to
investors in the companies engaged in fraud, as well as indirect harm
to investors in other companies.\104\ In addition, by clarifying and
strengthening the auditor's responsibilities, including by specifying
additional situations where alternative procedures may be necessary and
providing additional examples of information that indicates that a
confirmation request or response may have been intercepted and altered,
the new standard takes into account past inspection findings by the
Board that auditors did not obtain sufficient appropriate audit
evidence when using confirmation.
---------------------------------------------------------------------------
\104\ See Yang Bao, Bin Ke, Bin Li, Y. Julia Yu, and Jie Zhang,
Detecting Accounting Fraud in Publicly Traded US Firms Using a
Machine Learning Approach, 58 Journal of Accounting Research 199,
200 (2020).
---------------------------------------------------------------------------
One commenter on the proposing release expressed the view that the
proposed standard would not achieve a significant reduction in
inspection findings or improvements to audit quality because adverse
inspection findings have historically focused on a failure to
appropriately execute existing requirements. As discussed above,
however, the need for this rulemaking is not limited to noncompliance
with the current standard detected through our inspections program, but
also reflects undetected financial reporting frauds and developments in
practice. The Board continues to believe, therefore, that the rule will
achieve its intended benefits, which include increased clarity from the
new standard.
Developments in Practice
The new standard modernizes existing AS 2310 by accommodating
certain developments in practice,
[[Page 71718]]
including the use of electronic communications and intermediaries.
Specifically, the new standard accommodates changes in how
communications occur between the auditor and confirming parties. It
clarifies the auditor's responsibilities by taking into account current
confirmation practices among auditors and acknowledging differing
methods of confirmation. These methods include longstanding methods,
such as the use of paper-based confirmation requests and responses sent
via postal mail. They also include methods that have become commonplace
since the existing standard was adopted, including confirmation
requests and responses communicated via email and the use of
intermediaries to facilitate the direct electronic transmission of
confirmation requests and responses. This additional clarity may
enhance the reliability of audit evidence by decreasing the risk that a
confirmation request or response is intercepted and altered. In
addition, the new standard includes requirements specific to an
intermediary's controls that mitigate the risk of interception and
alteration. The requirements are expected to standardize the procedures
auditors perform to support their use of intermediaries and reduce
audit deficiencies in this area.
With regard to both cash and accounts receivable, the new standard
accommodates the potential for future evolution of audit tools by
allowing auditors to directly obtain access to relevant and reliable
audit evidence from knowledgeable external sources other than through
confirmation without the involvement of the company. This change allows
for the use or development of technology-based auditing tools, subject
to the requirement that they provide audit evidence by directly
accessing information maintained by knowledgeable external sources
about the relevant financial statement assertion. Accordingly, this
change could potentially improve the efficiency and effectiveness of
the audit.
Some commenters on the 2022 Proposal questioned the benefits of the
proposed requirements, arguing that the auditor's inability under the
proposed standard to overcome the presumption to confirm cash and a
high threshold to overcome the presumption to confirm accounts
receivable unduly restricted the ability to use professional judgment
to determine the appropriateness of confirmation procedures. While the
Board agrees that professional judgment plays an important role in the
execution of audit procedures, the Board's experience indicates that it
is also important for investor protection that auditors obtain relevant
and reliable audit evidence for both cash and accounts receivable when
they are significant accounts. With regard to accounts receivable, the
new standard retains the presumption to perform audit procedures to
obtain relevant and reliable evidence through confirmation, or
otherwise by directly accessing information maintained by a
knowledgeable external source, so would not decrease or remove the
auditor's current responsibility. Furthermore, the new standard
includes a provision to address situations when obtaining audit
evidence directly from knowledgeable external sources, whether through
confirmation procedures or other means, would not be feasible to
execute for accounts receivable. Accordingly, the new standard strikes
a balance intended to benefit investors by recognizing the value of
professional judgment generally with respect to the use of confirmation
while ensuring that cash and accounts receivable, when they are
significant accounts, are subject to confirmation or other audit
procedures designed to obtain relevant and reliable audit evidence from
knowledgeable external sources.
Costs
The Board expects the costs associated with the new standard to be
relatively modest. The PCAOB staff's review of audit firm methodologies
related to the confirmation process indicates that some firms have
already incorporated into practice some of the new requirements. For
example, the methodologies of some GNFs include requirements for
confirmation of cash that are similar to the requirements in the new
standard. Both the GNF and NAF methodologies reviewed generally include
guidance on maintaining control over the confirmation process and the
use of intermediaries to facilitate the electronic transmission of
confirmation requests and responses.
To the extent that audit firms need to make changes to meet the new
requirements, they may incur certain fixed costs (i.e., costs that are
generally independent of the number of audits performed) to implement
the new standard. These include costs of updating audit methodologies
and tools, and costs to prepare training materials and conduct internal
training. GNFs are likely to update methodologies using internal
resources, whereas NAFs are more likely to purchase updated
methodologies from external vendors. The costs of updating these
methodologies likely depend on the extent to which the new requirements
have already been incorporated in the firms' current methodologies. For
firms that have implemented confirmation procedures like those required
by the new standard, the costs of updating methodologies may be lower
than for firms that currently do not have such procedures. In this
regard, large firms may also benefit from economies of scale. As
mentioned above, one commenter indicated that some larger audit firms
have already established confirmation centers to centrally process the
sending of confirmation requests and receiving of confirmation
responses. For these firms, costs to implement the new standard may be
further diminished as these firms may benefit from lower training costs
and more efficient performance of the enhanced procedures. Smaller
audit firms may not have adequate resources to establish such
confirmation centers and may not recognize similar efficiency gains.
The commenter observed that the establishment of confirmation centers
within audit firms would require significant resources, which smaller
audit firms may not have.
In addition, audit firms may incur certain engagement-level
variable costs related to implementing the new standard. For example,
the requirement to confirm certain cash balances or otherwise obtain
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source could impose
engagement-level costs on some auditors if additional procedures need to be
performed. Similarly, limiting the use of negative confirmation
requests to situations where the auditor is also performing other
substantive audit procedures could lead to additional time and effort
by the auditor to perform the other audit procedures.
The magnitude of the variable costs likely depends on the extent to
which existing practice differs from the new requirements. As discussed
above, the PCAOB staff's review of firm methodologies, which included
the methodologies of certain NAFs, suggests that the new standard
likely will lead to a greater impact on confirmation procedures
performed by smaller firms. Because the new standard generally applies
a risk-based approach (i.e., by providing that the use of confirmation
may be part of the auditor's response to the assessed risks of material
misstatement), the costs of performing the additional procedures are
unlikely to be disproportionate to the benefits.
To the extent that auditors incur higher costs to implement the new
standard and are able to pass on at least
[[Page 71719]]
part of the increased costs through an increase in audit fees,
companies being audited could incur an indirect cost.\105\ Moreover,
confirming parties could incur additional costs from supporting the
confirmation process as a result of the enhanced requirements of the
new standard, although the additional costs are expected to be limited.
One commenter agreed that confirming parties may incur additional costs
as they may have to allocate resources to respond to confirmation
requests. As discussed above, however, confirmation is already commonly
used by audit firms, and the Board therefore does not expect confirming
parties to incur significant additional costs to respond to
confirmation requests as a result of the new standard.
---------------------------------------------------------------------------
\105\ One commenter stated that the cost of audit would increase
if auditors were required to send confirmations on any and all
information that can be confirmed by external parties. While the
Board notes that the new standard does not require confirmations on
any and all information that can be confirmed, it agrees that
companies being audited can incur indirect costs to the extent that
auditors pass on at least part of the increased costs in terms of
increased audit fees to companies.
---------------------------------------------------------------------------
Some requirements under the new standard may result in more costs
than others. The following discussion describes the potential costs
associated with specific changes to existing confirmation requirements.
Focus on Obtaining Reliable Audit Evidence From the Confirmation
Process
The new standard: (1) identifies certain accounts for which the
auditor should perform confirmation procedures or otherwise obtain
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source, (2) enhances the
requirements for assessing the reliability of confirmation responses,
(3) addresses the performance of alternative procedures when the
auditor is unable to obtain relevant and reliable audit evidence
through confirmation, (4) strengthens requirements regarding the use of
negative confirmation requests, and (5) specifies certain activities in
the confirmation process that should be performed by the auditor and
not by other parties.
For some firms, the requirement in the new standard to confirm
certain cash balances or otherwise obtain relevant and reliable audit
evidence by directly accessing information maintained by a
knowledgeable external source could be expected to result in the
revision of firm methodologies and the performance of additional audit
procedures. As discussed above, the methodologies of some GNFs already
include requirements for cash confirmation that are similar to the new
requirement described in the new standard. In addition, the risk-based
approach in the new requirement should encourage the auditor to
determine the extent of confirmation with regard to an assessment of
the risks of material misstatement and conduct only the work necessary
to obtain sufficient audit evidence.
Commenters on the 2022 Proposal asserted that confirming cash
balances under the proposed standard would lead to increased costs,
given the lack of discretion and ability to overcome the presumption in
the proposed standard. In addition, some commenters on the 2022
Proposal asserted that the ``at least as persuasive as'' threshold in
the proposed standard for overcoming the presumption to confirm
accounts receivable would limit the auditor's use of professional
judgment and could result in greater costs without a commensurate
benefit to audit quality.
As discussed above, there is a presumption in the new standard that
the auditor should obtain audit evidence from a knowledgeable external
source by performing confirmation procedures or using other means to
obtain audit evidence by directly accessing information maintained by
knowledgeable external sources. In addition, the new standard provides
that if, based on the auditor's experience, it would not be feasible
for the auditor to obtain audit evidence about accounts receivable
pursuant to paragraph .24, the auditor should obtain external
information indirectly by performing other substantive procedures,
including tests of details. Insofar as the final standard does not
otherwise provide auditors with the discretion to avoid obtaining audit
evidence directly from a knowledgeable external source for cash, and
the only exception applicable to accounts receivable is for situations
where obtaining audit evidence directly from a knowledgeable external
source would not be feasible, firms may, therefore, incur additional
costs to comply with the presumptive requirements of the new standard
for cash and accounts receivable. These costs, however, are necessary
to the achievement of the standard's intended benefits of emphasizing
the quality and strength of the audit evidence to be obtained from
knowledgeable external sources.
The new standard also requires the auditor to evaluate the
reliability of confirmation responses and provides examples of
information that indicate that a confirmation response may have been
intercepted and altered. The costs associated with this requirement,
however, are expected to be limited. First, the Board's auditing
standards already require the auditor to obtain sufficient appropriate
audit evidence to provide a reasonable basis for the auditor's report,
and to evaluate the combined evidence provided by confirmation and
other auditing procedures performed when the auditor has not received
replies to confirmation requests (i.e., nonresponses) to determine
whether sufficient evidence has been obtained about all the applicable
financial statement assertions.\106\ Second, the methodologies of some
firms reflect application material in ISA 505 regarding factors
(similar to indicators in the new standard) that may indicate doubts
about the reliability of a confirmation response. One of these factors
is analogous to the requirement in the new standard (i.e., the
confirmation response appears not to come from the originally intended
confirming party), which may further limit the potential costs for
firms that have incorporated this factor in their methodologies. One
commenter on the 2022 Proposal stated that the proposed standard's
requirement for evaluating the reliability of confirmation responses
might cause the auditor to need to authenticate confirmation responses,
which would add significant expense to the audit. However, as discussed
above, AS 1105 already establishes the requirements for evaluating the
reliability of audit evidence, and the new standard does not change
those requirements.
---------------------------------------------------------------------------
\106\ See AS 1105.04; AS 2310.33.
---------------------------------------------------------------------------
The requirement for the auditor to communicate with the audit
committee when the auditor did not perform confirmation procedures or
otherwise obtain audit evidence by directly accessing information
maintained by knowledgeable external sources for significant risks
associated with either cash or accounts receivable could impose a
modest incremental cost. Some commenters on the 2022 Proposal had
expressed concern about the proposed requirement to communicate with
the audit committee in all instances where the presumption to confirm
accounts receivable had been overcome, which could be detrimental if
the communication became a mere compliance exercise for auditors and
audit committees. The new standard's requirement to communicate with
the audit committee, however, is more risk-based, and therefore the
Board continues to believe that the incremental costs will be modest.
[[Page 71720]]
Insofar as the new standard identifies additional situations in
which the auditor generally would be required to perform alternative
procedures, firms may incur additional costs. Specifically, the new
standard extends the requirement in existing AS 2310 to perform
alternative procedures in relation to nonresponses to positive
confirmation requests to other situations, including the auditor's
inability to identify a confirming party and the receipt of an
unreliable response.
In contrast with existing AS 2310, negative confirmation requests
may not be used as the sole substantive audit procedure under the new
standard. This limitation reflects, among other things, the increase in
the volume of electronic correspondence since existing AS 2310 was
issued and the increasing likelihood that a recipient of a negative
confirmation request would not consider the request. As a result,
auditors may have to perform other substantive audit procedures for
certain financial statement assertions. Although the Board understands
through its oversight activities that few, if any, GNFs use negative
confirmation requests as the sole substantive procedure in practice, as
discussed above, the PCAOB staff's firm methodology review suggests
that all the GNFs and NAFs reviewed will need to review their
methodologies to ensure that negative confirmation requests are not
used as the sole source of audit evidence.
Developments in Practice
As discussed above, the new standard includes requirements that
clarify the procedures auditors should perform to support their use of
intermediaries to facilitate the direct electronic transmission of
confirmation requests and responses between the auditor and the
confirming party. These requirements may lead to modifications to firm
methodologies. Further, the required procedures may involve additional
auditor time and effort. The resulting costs likely depend on the
extent to which the new requirements have already been incorporated in
a firm's current methodologies. One commenter expressed concern that
the proposed requirement to assess the intermediary's controls would
result in significant additional work for auditors because it is not
currently common practice to directly assess intermediaries in this
manner. The PCAOB staff's review of firm methodologies discussed above
did not suggest that the requirements in Appendix B of the new standard
would create significant additional work for auditors. In particular,
both the GNF and NAF methodologies reviewed generally already include
guidance on maintaining control over the confirmation process and the
use of intermediaries, which may limit the costs. In addition, the
Board notes that the requirements in the new standard relate to
relevant controls that address the risk of interception and alteration
of confirmation requests and responses and that some intermediaries
currently make information about relevant internal controls available
to auditors through a SOC report.
If the auditor is able to obtain audit evidence by directly
accessing information maintained by knowledgeable external sources
instead of confirmation, such audit evidence could be at least as
persuasive as audit evidence obtained through confirmation procedures,
and the new standard allows the auditor to perform such procedures.
This provision is not expected to impose new costs on firms, as firms
would only obtain relevant and reliable audit evidence by directly
accessing information maintained by a knowledgeable external source to
the extent that technological advancements render it more efficient
than performing confirmation procedures. Thus, to the extent that the
auditor is able to replace confirmation procedures with obtaining audit
evidence by directly accessing information maintained by a
knowledgeable external source, the new standard could reduce costs for
firms.
Potential Unintended Consequences
In addition to the benefits and costs discussed above, the new
standard could have unintended economic impacts. The following
discussion describes potential unintended consequences the Board has
considered and, where applicable, factors that mitigate the negative
consequences, such as steps the Board has taken or the existence of
other countervailing forces.
Potential Decline in Auditors' Usage of Confirmation
An unintended consequence of the new standard would occur if,
contrary to the Board's expectation, there were a significant reduction
in the use of confirmation procedures by auditors in circumstances
where confirmation would provide relevant and reliable audit evidence.
Under the new standard, auditors retain the ability to use
confirmation as one procedure, among others, to audit one or more
financial statement accounts or disclosures. At the same time, the new
standard strengthens the requirements for an auditor regarding
evaluating the reliability of confirmation responses and addressing
confirmation exceptions and incomplete responses, including performing
alternative procedures to obtain audit evidence. Further, the new
standard describes the types of procedures the auditor should perform
in evaluating the effect of using an intermediary on the reliability of
confirmation requests and responses, including determining whether
relevant controls of the intermediary are designed and operating
effectively. In addition, the new standard does not allow the auditor
to use negative confirmation requests as the sole substantive
procedure. As a result, when not required to use confirmation, auditors
might decline to use confirmation and use other audit procedures more
frequently than under existing AS 2310 if they perceive there could be
more time or cost involved in the confirmation process relative to the
performance of other procedures.
This potential unintended consequence is mitigated, however, by the
requirement that the auditor should perform confirmation procedures for
cash and accounts receivable, or otherwise obtain audit evidence by
directly accessing information maintained by knowledgeable external
sources. In addition, the Board's standards already provide that the
auditor should evaluate whether the combined evidence provided by
confirmation and other auditing procedures provides sufficient evidence
about the applicable financial statement assertions. Several of the
changes to existing requirements in the new standard align with the
Board's understanding of current practice. For example, many audit
firms' methodologies include guidance on maintaining control and the
use of intermediaries. Additionally, the potential unintended
consequence may be mitigated to the extent that a firm has experienced
efficiencies from using newer audit tools for confirmation through
reduced time or costs. Further, the Board does not anticipate that the
requirements of the new standard will cause a significant change in the
timing or extent of confirmation procedures for auditors, as the Board
has not amended the requirements of AS 2301, which is the auditing
standard that addresses those matters. Accordingly, the Board does not
believe that the new standard will lead to a significant decline in the
use of confirmation.
[[Page 71721]]
Potential Misinterpretation of the Requirements in the New Standard
Relating to the Confirmation of Cash and Accounts Receivable
An unintended consequence of the presumed requirement in the new
standard to confirm cash and accounts receivable would arise if
auditors misinterpreted the language in the new standard as requiring
the confirmation of cash and accounts receivable in all situations. For
example, the new standard does not carry forward a provision included
in existing AS 2310 that an auditor could overcome the presumption to
confirm accounts receivable if, among other things, ``[t]he use of
confirmations would be ineffective.'' It is possible that some auditors
might misinterpret the elimination of this language as precluding the
exercise of auditor judgment with respect to the confirmation of
accounts receivable. Some commenters on the 2022 Proposal appeared to
misinterpret the proposed requirement and suggested that confirmation
would be required in all situations. For example, one commenter
asserted that using confirmation regardless of risk assessment may
promote a checklist mentality that does not contribute to audit quality
and an audit approach that may be less efficient and effective.
The Board does not intend, however, that an auditor send
confirmation requests for accounts receivable in all situations or when
such procedures do not provide relevant and reliable audit evidence. If
the auditor has not determined cash or accounts receivable to be a
significant account, the new standard does not require the confirmation
of cash or accounts receivable. Moreover, to clarify the Board's
intent, it has modified the language in the proposed standard in
several respects. First, paragraph .25 of the new standard addresses
situations when obtaining audit evidence about accounts receivable
directly from knowledgeable external sources, whether through
confirmation procedures or other means, would not be feasible to
execute. If it is not feasible for the auditor to obtain audit evidence
about accounts receivable directly from a knowledgeable external
source, the auditor should obtain external information indirectly by
performing other substantive procedures, including tests of details.
In addition, the Board is not adopting paragraph .07 of the
proposed standard, which referred to situations where evidence obtained
through the confirmation process ``generally is more persuasive than
audit evidence obtained solely through other procedures'' and may have
contributed to a misperception that the Board was proposing to require
confirmation in all circumstances. In the Board's view, the language in
the new standard acknowledges the role of professional judgment in the
auditor's selection of audit procedures to obtain sufficient
appropriate audit evidence, while retaining a presumption to confirm
cash and accounts receivable or otherwise obtain relevant and reliable
audit evidence by directly accessing information maintained by a
knowledgeable external source. This should mitigate the potential
unintended consequence described above.
Alternatives Considered
The development of the new standard involved considering a number
of alternative approaches to address the problems described above. This
section explains: (i) why standard setting is preferable to other
policy-making approaches, such as providing interpretive guidance or
enhancing inspection or enforcement efforts; (ii) other
standard-setting approaches that were considered; and (iii) key policy
choices made by the Board in determining the details of the new
standard-setting approach.
Why Standard Setting Is Preferable to Other Policy-Making Approaches
The Board's policy tools include alternatives to standard setting,
such as issuing additional interpretive guidance, or increasing our
focus on inspections or enforcement of existing standards. The Board
considered whether providing guidance or increasing inspection or
enforcement efforts would be effective mechanisms to address concerns
with the auditor's use of confirmation.
Interpretive guidance inherently provides additional information
about existing standards. Inspection and enforcement actions take place
after insufficient audit performance (and potential investor harm) has
occurred. Devoting additional resources to interpretive guidance,
inspections, or enforcement activities, without improving the relevant
performance requirements for auditors, would at best focus auditors'
performance on existing standards and would not provide the benefits
discussed above associated with improving the standards. The new
standard, on the other hand, is designed to improve existing
requirements for the auditor's use of confirmation. For example, the
new standard, unlike existing AS 2310, includes requirements relating
to the confirmation of cash accounts, imposes additional limitations on
the use of negative confirmation requests, clarifies the circumstances
in which auditors would be expected to perform alternative procedures,
and includes explicit provisions addressing the auditor's
responsibility for selecting items to be confirmed, sending
confirmation requests, and receiving confirmation responses.
Other Standard-Setting Alternatives Considered
Several alternative standard-setting approaches were also
considered, including: (i) making amendments to the existing standard;
and (ii) adopting an approach based on ISA 505, with certain
modifications to reflect the PCAOB's statutory responsibilities with
respect to audits of public companies and registered broker-dealers.
Amendments to Existing Standard
The Board considered, but decided against, limiting the amendments
to AS 2310 solely to modifications relating to changes in technology
that have affected the confirmation process. While this approach could
result in fewer changes to firms' audit methodologies, the Board
believes there are a number of other areas discussed throughout this
release, beyond amending AS 2310 to reflect the increasing use of
technology in the confirmation process, where the existing standard
should be improved.
Standard Based on ISA 505
Some commenters on the 2009 Concept Release and the 2010 Proposal
suggested that the Board should consider adopting ISA 505, the IAASB's
standard on audit confirmation, which was issued in 2008. The Board has
taken the requirements and application material of ISA 505 into account
in developing the new standard (e.g., the ISA 505 application material
relating to the use of a third party to coordinate and provide
responses to confirmation requests).
The Board concluded, however, that the new standard should also
establish certain requirements that are not included in ISA 505 (e.g.,
requirements to confirm cash and accounts receivable or otherwise
obtain relevant and reliable audit evidence by directly accessing
information maintained by a knowledgeable external source), and should
not include certain provisions that are described in ISA 505 (e.g.,
regarding management's refusal to allow the auditor to send a
confirmation request). In addition, audit practices have continued to
evolve since ISA 505
[[Page 71722]]
was issued in 2008, and the Board believes that the new standard should
reflect these developments (e.g., by addressing electronic
communication and the use of intermediaries in the requirements of the
standard rather than in application materials).
Key Policy Choices
Given a preference for replacing existing AS 2310 in its entirety,
the Board considered different approaches to addressing key policy
issues.
Use of Confirmation Procedures for Specific Accounts
The new standard provides that when addressing an assessed risk of
material misstatement of cash and cash equivalents held by third
parties, as well as of accounts receivable that arise from the transfer
of goods or services to a customer or a financial institution's loans,
the auditor should perform confirmation procedures or otherwise obtain
relevant and reliable audit evidence by directly accessing information
maintained by a knowledgeable external source. In addition, under the
new standard, when obtaining audit evidence from a knowledgeable
external source regarding cash, the auditor should consider sending
confirmation requests to that source about other financial
relationships with the company, based on the assessed risk of material
misstatement. Also, when the auditor has identified a complex
transaction or a significant unusual transaction, the auditor should
consider confirming those terms of the transaction that are associated
with a significant risk of material misstatement, including a fraud
risk. The new standard does not specify other significant accounts or
disclosures that the auditor should confirm or consider confirming. The
Board considered several alternatives to this approach, as discussed
below.
First, the Board considered an approach that would have no
requirement for the auditor to confirm specified accounts or
transactions. In the Board's view, this approach might result in the
selection by some auditors of audit procedures that provide less
relevant and reliable audit evidence than confirmation with respect to
cash and accounts receivable (e.g., if an auditor mistakenly assessed
the risk of material misstatement too low for cash or accounts
receivable). Further, confirmation of cash and accounts receivable is
already a standard practice for many auditors and is consistent with
the concept that audit evidence obtained from a knowledgeable external
source is more reliable than evidence obtained only from internal
company sources. Accordingly, the Board has decided against an approach
that does not require the confirmation of any accounts and disclosures
in the new standard.
In addition, the Board considered including in the new standard a
requirement that the auditor should confirm other accounts in addition
to cash and accounts receivable, such as investments. The Board has
decided against this approach because it would limit auditor judgment
in circumstances where the performance of other auditing procedures
might provide relevant and reliable audit evidence, could be viewed as
unduly prescriptive, and would not allow the auditor to take
company-specific facts and circumstances into account. Instead, under the new
standard, the auditor could decide to perform confirmation procedures
with respect to financial statement assertions relating to other
accounts and disclosures but is not required to do so.
The Board also considered an additional requirement that the
auditor should perform confirmation procedures in response to
significant risks that relate to relevant assertions, when such
assertions can be adequately addressed by confirmation procedures.
However, the Board believes that such a requirement would be
inconsistent with the Board's risk assessment standards, which allow
for auditor judgment in determining the audit response to significant
risks identified by the auditor. The Board has not included this
provision in the new standard.
Management Requests Not To Confirm
The Board considered addressing situations where management
requests that the auditor not confirm one or more items in the new
standard. Specifically, the Board considered requiring the auditor to
obtain an understanding of the reasons for management's request,
perform alternative procedures as discussed in Appendix C of the new
standard, and communicate the request to the audit committee. In
addition, the Board considered a requirement that the auditor should
evaluate the implications for the auditor's report if the auditor
determines that management's request impairs the auditor's ability to
obtain sufficient appropriate audit evidence or indicates that one or
more fraud risk factors are present. For the reasons discussed above,
the Board has decided not to include such provisions in the new
standard.
Special Considerations for Audits of Emerging Growth Companies
Pursuant to Section 104 of the Jumpstart Our Business Startups Act
(``JOBS Act''), rules adopted by the Board subsequent to April 5, 2012,
generally do not apply to the audits of EGCs, as defined in Section
3(a)(80) of the Exchange Act, unless the SEC ``determines that the
application of such additional requirements is necessary or appropriate
in the public interest, after considering the protection of investors,
and whether the action will promote efficiency, competition, and
capital formation.'' \107\ As a result of the JOBS Act, the rules and
related amendments to PCAOB standards that the Board adopts are
generally subject to a separate determination by the SEC regarding
their applicability to audits of EGCs.
---------------------------------------------------------------------------
\107\ See Public Law 112-106 (Apr. 5, 2012). Section
103(a)(3)(C) of the Act, as added by Section 104 of the JOBS Act,
also provides that any rules of the Board requiring (1) mandatory
audit firm rotation or (2) a supplement to the auditor's report in
which the auditor would be required to provide additional
information about the audit and the financial statements of the
issuer (auditor discussion and analysis) shall not apply to an audit
of an EGC. The new standard does not fall within either of these two
categories.
---------------------------------------------------------------------------
To inform consideration of the application of auditing standards to
audits of EGCs, PCAOB staff prepares a white paper annually that
provides general information about characteristics of EGCs.\108\ As of
the November 15, 2021, measurement date, PCAOB staff identified 3,092
companies that self-identified with the SEC as EGCs and filed audited
financial statements in the 18 months preceding the measurement date.
---------------------------------------------------------------------------
\108\ For the most recent EGC report, see White Paper on
Characteristics of Emerging Growth Companies and Their Audit Firms
at November 15, 2021 (Jan. 5, 2023) (``EGC White Paper''), available
at https://pcaobus.org/resources/other-research-projects.
---------------------------------------------------------------------------
Confirmation is a longstanding audit procedure used in nearly all
audits, including audits of EGCs. The discussion of benefits, costs,
and unintended consequences above is generally applicable to audits of
EGCs. The economic impacts of the new standard on an EGC audit depend
on factors such as the audit firm's current methodologies, the audit
firm's ability to distribute implementation costs across engagements,
and the auditor's assessed risk of material misstatement.
EGCs are likely to be newer companies, which may increase the
importance to investors of the external audit to enhance the
credibility of management disclosures.\109\ Further,
[[Page 71723]]
compared to non-EGCs, EGCs are more likely to be audited by NAFs.\110\
As discussed above, NAFs are expected to make more changes to their
methodologies and practice to comply with the new standard. Therefore,
all else equal, the benefits of the higher audit quality resulting from
the new standard may be larger for EGCs than for non-EGCs, including
improved efficiency of market capital allocation, lower cost of
capital, and enhanced capital formation.\111\ In particular, because
investors who face uncertainty about the reliability of a company's
financial statements may require a larger risk premium that increases
the cost of capital to companies, the improved audit quality resulting
from applying the new standard to EGC audits could reduce the cost of
capital to those EGCs.\112\
---------------------------------------------------------------------------
\109\ Researchers have developed a number of proxies that are
thought to be correlated with information asymmetry, including small
issuer size, lower analyst coverage, larger insider holdings, and
higher research and development costs. To the extent that EGCs
exhibit one or more of these properties, there may be a greater
degree of information asymmetry for EGCs than for the broader
population of companies, which increases the importance to investors
of the external audit to enhance the credibility of management
disclosures. See, e.g., Mary E. Barth, Wayne R. Landsman, and Daniel
J. Taylor, The JOBS Act and Information Uncertainty in IPO Firms, 92
The Accounting Review 25, 25 (2017); Steven A. Dennis and Ian G.
Sharpe, Firm Size Dependence in the Determinants of Bank Term Loan
Maturity, 32 Journal of Business Finance and Accounting 31, 59
(2005); Michael J. Brennan and Avanidhar Subrahmanyam, Investment
Analysis and Price Formation in Securities Markets, 38 Journal of
Financial Economics 361, 363 (1995); David Aboody and Baruch Lev,
Information Asymmetry, R&D, and Insider Gains, 55 Journal of Finance
2747, 2755 (2000); Raymond Chiang and P. C. Venkatesh, Insider
Holdings and Perceptions of Information Asymmetry: A Note, 43
Journal of Finance 1041, 1047 (1988); Molly Mercer, How Do Investors
Assess the Credibility of Management Disclosures?, 18 Accounting
Horizons 185, 194 (2004). Furthermore, research has shown that
reduced disclosure requirements for EGCs are associated with lower
audit effort. The academic literature has also documented evidence
of lower audit quality for EGCs. To the extent that the new standard
will increase auditor effort, EGCs are expected to benefit from
higher audit quality. See, e.g., Tiffany J. Westfall and Thomas C.
Omer, The Emerging Growth Company Status on IPO: Auditor Effort,
Valuation, and Underpricing, 37 Journal of Accounting and Public
Policy 315, 316 (2018); Essam Elshafie, The Impact of Reducing
Reporting Requirements on Audit Quality, Auditor Effort and Auditor
Conservatism, 35 Accounting Research Journal 756, 756 (2022).
\110\ EGC White Paper at 22.
\111\ The enhanced quality of audits and financial information
available to financial markets may result in investors perceiving
less risk in capital markets. This, in turn, may lead to an increase
in the supply of capital which could increase capital formation.
See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo, and Yanyan
Wang, Effects of audit quality on earnings management and cost of
equity capital: Evidence from China, 28 Contemporary Accounting
Research 892, 921 (2011); Richard Lambert, Christian Leuz, and
Robert E. Verrecchia, Accounting Information, Disclosure, and the
Cost of Capital, 45 Journal of Accounting Research 385, 410 (2007).
\112\ For a discussion of how increasing reliable public
information about a company can reduce risk premium, see David
Easley and Maureen O'Hara, Information and the Cost of Capital, 59
The Journal of Finance 1553, 1578 (2004).
---------------------------------------------------------------------------
While the associated costs may also be higher for EGC audits than
for non-EGC audits, because of the scalability of the risk-based
requirements, the costs of performing the procedures are unlikely to be
disproportionate to the benefits of the procedures. Moreover, if any of
the new amendments were determined not to apply to the audits of EGCs,
auditors would need to address differing audit requirements in their
methodologies, or policies and procedures, with respect to audits of
EGCs and non-EGCs, which would create the potential for confusion. The
new standard could impact competition in an EGC product market if the
indirect costs to audited companies disproportionately impact EGCs
relative to their competitors. However, as discussed above, the costs
associated with the new standard are expected to be relatively modest.
Therefore, the impact of the new standard on competition, if any, is
expected to be limited. Overall, the new standard is expected to
enhance audit quality and contribute to an increase in the credibility
of financial reporting by EGCs.
Accordingly, and for the reasons explained above, the Board is
requesting that the Commission determine that it is necessary or
appropriate in the public interest, after considering the protection of
investors and whether the action will promote efficiency, competition,
and capital formation, to apply the new standard to audits of EGCs. One
commenter specifically supported the application of the 2022 Proposal
to EGCs.
III. Date of Effectiveness of the Proposed Rules and Timing for
Commission Action
Within 45 days of the date of publication of this notice in the
Federal Register or within such longer period (i) as the Commission may
designate up to 90 days of such date if it finds such longer period to
be appropriate and publishes its reasons for so finding or (ii) as to
which the Board consents, the Commission will:
(A) By order approve or disapprove such proposed rules; or
(B) Institute proceedings to determine whether the proposed rules
should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed
rules are consistent with the requirements of Title I of the Act.
Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
Send an email to [email protected]. Please include
file number PCAOB-2023-02 on the subject line.
Paper Comments
Send paper comments in triplicate to Vanessa A.
Countryman, Secretary, Securities and Exchange Commission, 100 F Street
NE, Washington, DC 20549-1090.
All submissions should refer to file number PCAOB-2023-02. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method. The Commission will post all comments on
the Commission's internet website (https://www.sec.gov/rules/pcaob).
Copies of the submission, all subsequent amendments, all written
statements with respect to the proposed rules that are filed with the
Commission, and all written communications relating to the proposed
rules between the Commission and any person, other than those that may
be withheld from the public in accordance with the provisions of 5
U.S.C. 552, will be available for website viewing and printing in the
Commission's Public Reference Room, 100 F Street NE, Washington, DC
20549, on official business days between the hours of 10 a.m. and 3
p.m. Copies of such filing will also be available for inspection and
copying at the principal office of the PCAOB. Do not include personal
identifiable information in
[[Page 71724]]
submissions; you should submit only information that you wish to make
available publicly. We may redact in part or withhold entirely from
publication submitted material that is obscene or subject to copyright
protection. All submissions should refer to File Number PCAOB-2023-02
and should be submitted on or before November 7, 2023.
For the Commission, by the Office of the Chief Accountant.\113\
---------------------------------------------------------------------------
\113\ 17 CFR 200.30-11(b)(1) and (3).
---------------------------------------------------------------------------
Vanessa A. Countryman,
Secretary.
[FR Doc. 2023-22491 Filed 10-16-23; 8:45 am]