The content on this page has been converted from PDF to HTML format using an artificial intelligence (AI) tool as part of our ongoing efforts to improve accessibility and usability of our publications. Note:
- No human verification has been conducted of the converted content.
- While we strive for accuracy errors or omissions may exist.
- This content is provided for informational purposes only and should not be relied upon as a definitive or authoritative source.
- For the official and verified version of the publication, refer to the original PDF document.
If you identify any inaccuracies or have concerns about the content, please contact us at [email protected].
External Confirmations (Feedback Statement and Impact Assessment)
The FRC's mission is to promote transparency and integrity in business. The FRC sets the UK Corporate Governance and Stewardship Codes and UK standards for accounting and actuarial work; monitors and takes action to promote the quality of corporate reporting; and operates independent enforcement arrangements for accountants and actuaries. As the Competent Authority for audit in the UK the FRC sets auditing and ethical standards and monitors and enforces audit quality.
The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.
The Financial Reporting Council Limited 2023 The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: 8th Floor, 125 London Wall, London EC2Y 5AS
Feedback Statement and Impact Assessment
International Standard on Auditing (UK) 505 (Revised October 2023) External Confirmations
Introduction
1The Financial Reporting Council (FRC) is committed to acting as a proportionate and principles-based regulator and balances the need to minimise the impact of regulatory requirements on business, while working to support the delivery of high-quality audit and assurance work, to maintain investor and wider stakeholder confidence in audit and assurance.
2The ISAs (UK) are based on the corresponding international standards issued by the IAASB. Where necessary, the international standards have been augmented with additional requirements to address specific UK legal and regulatory requirements; and additional guidance that is appropriate in the UK national legislative, cultural, and business context.
3ISA (UK) 505 External Confirmations includes the requirements and application material relevant to auditors when using external confirmations as a source of audit evidence. Since the previous revision of ISA (UK) 505, new digital means of obtaining confirmations have become prevalent. Stakeholders indicated that whilst the core requirements in ISA (UK) 505 were still relevant, it would be beneficial to understand the regulatory position on the use of these digital means to obtain confirmations.
4Recent enforcement findings have demonstrated that the work undertaken by auditors in relation to investigating exceptions, for example when confirmations do not contain the information expected, has sometimes been insufficient, and that some auditors have over-relied on negative confirmations when it was unlikely to provide sufficient evidence to support a conclusion.
5With both these factors in mind the FRC convened a working group to consider the revision of ISA (UK) 505, comprising FRC staff from the Audit and Assurance Policy, Audit Quality Review and Enforcement teams, along with representatives from audit firms within the UK. This working group developed ISA (UK) 505 with the aim of improving the quality of audit evidence obtained through the use of external confirmation procedures, making the following key changes: - Additional clarification on what constitutes an electronic external confirmation, - Prohibition on the use of negative confirmations, - Designing confirmations to provide evidence for relevant assertions, - Enhanced requirements in relation to investigating exceptions.
6In May 2023 the FRC issued a public consultation on proposed revisions to ISA (UK) 505.We received 9 formal responses to our exposure draft, 4 from audit firms and 5 from professional bodies and other stakeholders. Overall, all respondents were supportive of the FRC's proposal to revise ISA (UK) 505.
Summary of Key Revisions, Consultation Feedback and FRC Responses
7The additional UK specific material we proposed is set out below, along with the consultation feedback received and the FRCs response:
| Consultation Question | ISRE (UK) 505 Reference | Explanation | Consultation Feedback and Response |
|---|---|---|---|
| Q1: Do you agree with the additional material included in respect of digital means of confirmation? If not, please provide your reasons. | 6(a) | The requirements in ISA (UK) 505, though they make reference to an electronic medium, are structured in a way which most closely aligns with the sending and receiving of a physical letter. As such auditors have made repeated enquires of the FRC as to the acceptability of other forms of confirmation, such as direct access to third party information through software interfaces. | All respondents agreed with the additional material which clarified the scope of electronic external confirmations, though one respondent questioned if the definition of external confirmation could include direct access to information given the use of the phrase “written response" in paragraph 6(a). |
| In response to this, we have added in wording to paragraph 6 (a) which reflects the fact that confirmations may be obtained thorough directly accessing information held by third parties through web portals or software interfaces. | As such, we have updated paragraph 6(a) as follows to clarify that direct access to information held by a third party can constitute an external confirmation: “External confirmation Audit evidence obtained as a direct written response to the auditor, or by the auditor directly, from a third party (the confirming party), in paper form, or by electronic or other medium. Electronic or other medium could include auditors directly accessing information held by third parties through web portals, software interfaces or other digital means.” |
||
| For example, auditors might make use of the provisions within Open Banking legislation to access client bank accounts for the purposes of confirming the accuracy of amounts held, though we have not referred to any specific solution or means of access in order to ensure the ISA remains up to date. | |||
| 7 (c) | In order to support the additions to paragraph 6(a) we have included additional material in paragraph 7(c) to ensure that auditors design confirmations in order to obtain sufficient appropriate audit evidence in relation to all assertions identified in respect of ISA (UK) 330.1 | One respondent suggested that the application material within A18 is updated to reflect the fact that observing audited entity personnel accessing banking information may form part of alternative procedures but is not itself a confirmation procedure given it was not received directly by the auditor or accessed directly by them. We agree with this suggestion and have updated A18 accordingly. | |
| This is applicable to all means of confirmation but can be particularly relevant to certain forms of digital confirmation where the software interface or application may provide the auditor with evidence over some assertions, such as accuracy or valuation, but not completeness. In these instances, the auditor would have to ensure they have alternative evidence over other relevant assertions. | |||
| Q2: Do you support the prohibition on negative confirmations? If not, please provide your reasons. | 6 (c) | Negative confirmations, where the confirming party responds directly only if the confirming party disagrees with the information provided in the request, have been prohibited in proposed ISA (UK) 505, to aid in improving the quality of audit evidence obtained when auditors make use of external confirmations. | All respondents agreed with the prohibition on the use of negative confirmations, noting that though they are not used extensively, they are sometimes used inappropriately. As such respondents agreed that this was a positive step to aid improvements in audit quality. |
| This is primarily due to enforcement findings where auditors have inappropriately relied on negative confirmations, for example where a response was unlikely ever to be received even if there were relevant matters, thus calling into question the suitability of a negative confirmation. They are also generally considered a less persuasive form of audit evidence than positive confirmations. | Two respondents suggested that a conforming amendment is made to ISA (UK) 600 (Revised September 2022) Group Audit to remind group auditors that they should communicate this prohibition to component auditors undertaking work in respect of the opinion on the group financial statements. | ||
| Discussion within the working party indicated agreement that negative confirmations were not as effective as positive ones, and that better alternatives existed to obtain audit evidence when a positive confirmation request was not obtainable. | One respondent expressed concern that the prohibition would prevent the use of negative confirmations in agreeing intercompany loans and receivables. As such confirmations are provided by other group entities that are consolidated into the group financial statements being audited, they are not considered external confirmations for the purposes of this prohibition and are thus permissible. | ||
| Q3: Do you support the enhanced requirements in relation to auditors investigating exceptions? If no, please provide your reasons. | 14-1 | We have included enhanced requirements in relation to auditor responsibilities when investigating exceptions in response to enforcement findings that in some cases auditors are not appropriately considering risk when confirmations are not as expected. | All respondents supported the additional requirements in relation to investigating exceptions. |
| As such, the enhanced requirements direct auditors to consider if exceptions are indicative of fraud or a deficiency in the entity's system to internal control and how follow-up procedures will allow the auditor to obtain sufficient appropriate audit evidence. | |||
| Q4: Is the proposed effective date appropriate? If not, please give reasons and indicate the effective date that you would consider appropriate? | - | The proposed effective date for revised ISA (UK) 505 is for it to be effective for audits of group financial statements for periods beginning on or 15 December 2024, with early adoption permitted. All respondents agreed that this was an appropriate effective date. |
Impact Assessment
8As a matter of policy, the FRC's auditing standards are based on the corresponding international standards issued by the IAASB. Where necessary the international standards are augmented with additional requirements to address specific UK legal and regulatory requirements; and additional guidance that is appropriate in the UK national legislative, cultural and business context.
9We believe that ISA (UK) 505 (Revised October 2023) introduces changes that are appropriate and proportionate to address issues that have been identified since the current standard was issued. We believe that benefits in the public interest, enhancing the quality of group audit engagements, will outweigh the costs of changes that may be necessary to audit firms' methodologies.
Financial Reporting Council
October 2023
Financial Reporting Council 8th Floor 125 London Wall London EC2Y 5AS
+44 (0)20 7492 2300 www.frc.org.uk
-
ISA (UK) 330 (Revised July 2017) The Auditor's Responses to Assessed Risks ↩