Blog

PCAOB’s revised AS 2310 is adopted for fiscal years ending June 15, 2025, and beyond. Here is what CPAs need to act on, precisely.

PCAOB audit standards: a standard that outlived its era

PCAOB AS 2310: The Auditor’s Use of Confirmation was initially written well over thirty years ago and has had few changes since its adoption in 2003 by the PCAOB, which received the standard from the AICPA’s AU section. It was created in an environment of paper correspondence and faxes, but it did not include the concept of electronic intermediaries or the associated fraud risks.

The PCAOB adopted the updated standard to improve audit quality, given changes in how communication takes place and how business is conducted, particularly in the confirmation process. While the update can be viewed as more than just a facelift, the PCAOB has comprehensively revised and replaced the previous version of AS 2310. 

This standard will become effective for audits of fiscal years ending on or after June 15, 2025, including audits for the calendar year ending December 31, 2025.

PCAOB confirmation rules: What this looks like on a real engagement

Now imagine an audit of a medium-sized issuer. Negative confirmations have been sent to the same high-volume customer list for accounts receivable in three consecutive years. Response rates are poor but consistent with past years. Cash is substantiated using bank statements obtained from management. No findings regarding the confirmation process were found in last year’s file.

In accordance with the updated standard AS 2310, this methodology is flawed in two ways. First, cash confirmed only by the client’s statement will not meet the requirements under the updated standard. The other flaw concerns the negative confirmations, which alone cannot be used as evidence for accounts receivable. Both methodologies will need to be altered: The bank statement methodology should be replaced with direct confirmation of the bank records, while the negative confirmation process needs to be supported by other substantive tests.

The prior-year file is not a safe baseline. It reflects a standard that no longer applies.

PCAOB audit confirmation requirements: Five provisions that change day-to-day audit work

Let’s understand how PCAOB confirmation rules affect auditors since they’ve changed: 

1. Cash confirmation is now mandatory.

The revised standard generally requires auditors to obtain third-party audit evidence to confirm cash and cash equivalents held by external parties or gather sufficient evidence through external confirmations in auditing. While confirming cash balances was already a common audit practice, the revised standard formalizes and strengthens the requirement. 

2. Negative confirmations alone are insufficient.

The revised standard states that negative confirmations alone ordinarily do not provide sufficient appropriate audit evidence. It provides examples of cases in which the auditor uses negative confirmations in conjunction with other substantive tests of transactions and account balances. In this case, the use of negative confirmations is considered an adjunctive technique, rather than the primary means. 

According to the PCAOB audit standards, it applies in rare instances where such a technique, combined with other techniques, constitutes adequate evidence when the level of risk assessment is relatively low, and there is adequate evidence of controls’ design and effectiveness; the population consists of numerous identical small units; and the expected exception rate is relatively low.

3. Auditor control is an explicit, enumerated requirement.

PCAOB updates for audit confirmations highlight the auditor’s responsibility to monitor the entire confirmation process. It is the auditor’s responsibility to select the items to be confirmed and to send the confirmation requests.

According to the PCAOB adopting release (Release No. 2023-008), there is a series of enforcement actions in which the auditors failed to fulfill their obligations under the standards of confirmations. Cases where the violations occurred in relation to confirmations include “In the Matter of PMB Helin Donovan, LLP” (Rel. No. 105-2019-031, December 2019). There have been several such cases in recent years, suggesting that this problem is still unsolved. Previously, it was more of an implicit obligation, but now it is an explicit one, with an inspection standard to follow.

4. Intermediaries require active, documented evaluation.

The auditor should gain knowledge of the controls in place at the intermediary to assess the possibility of interception and modification of the confirmation request and reply, and ascertain the effectiveness of such controls.

Appendix B of the revised standard governs this analysis and includes a requirement the PCAOB designed specifically to address fraud risk: the auditor must assess whether the intermediary has a relationship with the audited company that could compromise the independence of the confirmation process. Using a familiar confirmation platform without conducting this evaluation is not compliant. If the intermediary cannot be adequately assessed, confirmations must be sent without it, or alternative procedures performed under Appendix C.

5. Alternative procedures must match the assertion being tested.

If there is a refusal to respond or a partial response, the auditor should undertake other audit procedures related to the selected item in accordance with Appendix C. The use of standard audit procedures that do not appropriately address the specific assertion under examination, in lieu of an unsuccessful confirmation request, is considered unacceptable.

PCAOB updates for audit confirmations: the risk assessment and fraud connections

PCAOB updates for audit confirmations link the guidelines on auditors’ application of confirmations on assessing risks by applying a risk-based approach to confirmations, while also emphasizing the auditor’s responsibility to seek reliable audit evidence. The revised standard emphasizes that confirmation procedures should be designed in response to assessed risks, rather than applied as a routine or carry-forward exercise. Historical carry-over methods that have disregarded this reasoning have caused problems during inspections.

Regarding the fraud issue, it is covered explicitly. As mentioned by Erica Williams, the Chair of PCAOB, “The new standard will assist auditors in detecting fraud and protecting investors now and for years to come.”

A specific provision —AS 2310 in section .30 — requires that for significant risks of material misstatement associated with complex or unusual transactions, the auditor should consider confirming the terms of that transaction associated with a significant risk, including a fraud risk — examples include terms related to oral side agreements, bill and hold sales, and supplier discounts or concessions. Engagements with material related-party activity or non-standard transaction structures require evaluating whether this provision applies before the engagement closes.

The accounts receivable feasibility exception

In fact, the requirement regarding the confirmation of accounts receivable remains the same, while it provides more precise guidance on when such confirmation is not considered feasible. The revised standard retains the longstanding requirement to confirm accounts receivable unless the auditor concludes that confirmation is ineffective or impracticable. The update provides clearer guidance on when confirmation may not be feasible, including situations in which prior experience with the entity or similar entities indicates that responses are unlikely to be obtained and that alternative procedures would provide more reliable evidence. 

It is worth noting that both criteria should be met: the one related to experience and the other to expectations. Such an approach is especially relevant to business-to-consumer-oriented issuers and e-commerce entities.

What the inspection data tells CPAs

According to the PCAOB’s 2024 Inspection Spotlight, Part I.A deficiency rates declined year over year. The overall rate decreased to 39 percent in 2024, down from 46 percent in 2023. The Big Four rate decreased to 20 percent from 26 percent. For annually inspected non-affiliated firms, the rate decreased only marginally — to 52 percent in 2024 from 53 percent in 2023.

These inspections covered fiscal years ending in 2023, before the revised AS 2310 took effect. The first inspection cycle subject to the new confirmation standard covers fiscal years ending on or after June 15, 2025. Inspectors will have a more precise standard to test against. While the PCAOB does not expect the new standard to eliminate inspection deficiencies, it is intended to clarify auditor responsibilities. That clarity will likely increase consistency in inspection and enforcement evaluations. The five provisions above are exactly where that map points.

Conclusion: the standard is precise, your process should be too

The revised PCAOB confirmation rules raise the standard of care required to execute confirmation procedures — and provide a specific, enumerated framework for inspectors to evaluate that rigor.

The operational concerns for certified public accountants at this point are practical: Is the confirmation method based on the risk assessment process? Is the confirmation method used to replace the client-supplied bank statements? Have negative confirmation methods been reassessed in light of the three criteria? Does the intermediary system provide an evaluation of its interaction with the audited company beyond that of its performance? Do alternative procedures being applied correspond to the particular assertions that they replace? If receivables confirmation is not considered feasible, is that rationale captured?

These are not abstract compliance questions. They are the questions a PCAOB inspector will ask when reviewing the first wave of fiscal year 2025 engagements.

AuditConfirm is designed to support audit teams navigating the revised AS 2310 environment by enabling auditor-controlled confirmation workflows, centralized documentation, and transparency assessments for intermediaries. Its intermediary transparency framework supports the Appendix B evaluation, including the relationship-with-company assessment required by the standard. And its documentation infrastructure is aligned with the evidentiary standards PCAOB inspectors will now apply. Not just that, it also follows the PCAOB AS 1105 standards. 

The standard is precise. The platform built to meet it should be too.

FAQs

How do updated PCAOB confirmation rules affect third-party audit evidence?

This new standard emphasizes the requirement that reflects the increasing use of electronic communication and intermediaries in the confirmation process. The auditor should evaluate whether the electronic confirmation process produces sufficiently reliable audit evidence, including consideration of intermediary controls and fraud risks.

How can firms prepare for evolving PCAOB audit confirmation requirements?

Test your previous year’s confirmation procedures against the requirements of the newly issued AS 2310, which comprises five items, before the end of your next audit. It is advisable to conduct an internal training program on the new standard requirements. Also, organize your evidence centrally.

Are electronic confirmations acceptable under the updated PCAOB audit standards?

The new approach will be principles-based and applicable to both paper-based and electronic confirmations. The auditor should consider the controls of the intermediary for intercepting communications and examine any connection between the intermediary and the client firm. The auditor should ensure that the electronic response achieves the same level of reliability as a paper response.

Do PCAOB confirmation rules apply to emerging growth companies?

Yes, without exception. The PCAOB determined that applying the amendments to audits of emerging growth companies is necessary or appropriate in the public interest. EGC auditors are subject to the same revised AS 2310 requirements as those auditing large accelerated filers.

What happens if an auditor cannot obtain a confirmation response under the new PCAOB audit standards?

The non-response situation necessitates an alternative process rather than just noting it down. In the case of non-response, the auditor should conduct alternative procedures in accordance with the guidelines in Appendix C and consider the consequences for assessing the risks of material misstatement, including fraud risk.

The old-fashioned audit process, based on sampling, paper records, and professional skepticism, applied annually, is struggling to keep pace with the present era.

It is not because auditing today has flaws that artificial intelligence in auditing is required. It’s quite possible that it’ll change the very nature of auditing. This development could not have been more timely for those accountants who grew tired of doing the same work in the same way year after year. 

This guide does provide an account for professionals seeking substance.

What auditing still gets wrong

Before examining what artificial intelligence in auditing can do, consider what auditing still cannot do well without it.

Most audits examine a fraction of available data. Sampling is a compromise — a practical one, but a compromise nonetheless. A CPA testing 50 journal entries out of 500,000 is not performing a thorough review. They are performing a disciplined guess.

Material misstatements lie buried between samples, while the possibility of fraud is often right there. Then there is the human element to think about. Audit staff in the United States generally work 60 to 80 hours per week during busy times. The job can become monotonous during its most challenging periods or mentally taxing during its most rewarding moments. Burnout is a very real and measurable problem.

Artificial intelligence in accounting and auditing does not replace the judgment that auditors bring to their work. It removes the grind that prevents them from exercising.

What AI in auditing actually does precisely

“AI in Auditing” does not refer to one unified technological application. It is rather an ensemble of technologies used in different ways to address particular problems arising in auditing. The classification of such technologies may create unrealistic expectations; however, their differentiation contributes to the development of a more effective and productive toolkit.

Machine learning identifies anomalies in large datasets of transactions. It flags journal entries posted outside business hours, round-dollar transactions clustered around authorization thresholds, or unusual vendor payment patterns — across 100% of the population, in seconds.

Natural Language Processing (NLP) carefully analyzes and extracts data from various types of documentation, such as agreements, leases, meeting minutes, and regulatory documents. Tasks that took many hours of an associate’s time can now be completed in minutes and produce a structured output ready for inclusion in work papers and documentation.

Robotic Process Automation (RPA) technology performs routine tasks, such as verification, search, and reconciliation. Such automation never tires and reduces manual transcription errors. 

Analytics models are used to calculate account balances by considering historical data and current transactions. In case there is any deviation from normal behavior, an audit trail will be generated much faster and more accurately than in traditional analytics.

Overall, these tools define what artificial intelligence in auditing looks like: not a single solution, but a set of technologies that shift the assurance role from reactive to proactive.

It is important because there is a difference between artificial intelligence in accounting and auditing, which includes two interlinked categories of activities. While in accounting, AI deals with classification and period-end close, in auditing, its task is to assess risk and evaluate evidence. It helps in creating an approach fundamentally different from treating accounting and auditing as separate problems.

Real-world use cases CPAs need to know

1. Full-population transaction testing

The Big Four have each invested heavily in proprietary AI and advanced analytics platforms built specifically for audit. KPMG’s Clara platform uses AI to assess risk levels and standardize audit processes across global offices. Deloitte’s Argus extracts accounting information from electronic documents using machine learning and natural language processing. EY’s Helix integrates data sources to identify trends, outliers, and patterns in financial data. PwC’s Halo uses data analytics to test information reliability and surface audit risks and anomalies.

In all cases, the strength of these models is their ability to test every transaction in the population. Instead of relying solely on sampling, the auditor may examine the entire dataset to identify potentially risky transactions and test them further. It changes the way the debate around risk is framed entirely. 

Where once the question was, “Have we found the risk by using our sample?” now it becomes, “What can the whole population tell us about the risk?”

2. Continuous monitoring and real-time auditing

Some large organizations are using AI-enabled monitoring to identify control exceptions earlier. The audit process is not limited to waiting for year-end results but happens simultaneously with operational processes.

For external auditors, this opens possibilities for interim assurance engagements. For audit committees, it changes the risk posture from reactive to anticipatory.

It is one of the most consequential applications of artificial intelligence in auditing — not because the technology is sophisticated, but because the operational shift it enables is profound.

3. Lease and contract review under ASC 842

The adoption of ASC 842 created a significant manual burden for many organizations — requiring teams to review large volumes of contracts to identify embedded leases, extract key terms, and calculate right-of-use assets and lease liabilities. 

NLP tools now extract lease commencement dates, renewal options, payment escalations, and discount rate inputs directly from contract language. Weeks of associate time become structured data output. It is artificial intelligence in accounting and auditing working in tandem — the accounting team uses the output to record, the audit team uses it to test.

4. Fraud detection in accounts payable

In the domain of auditing, AI has proven to be highly effective and consistent in identifying fraud committed by vendors, ghost employees, and abuse of the expense reimbursement process. The machine learning algorithm detects patterns of what is considered “normal” within the specific organization, and then identifies anomalies based on those patterns. 

Researchers at the University of St. Gallen have explored deep-learning approaches for anomaly detection in journal-entry data. 

In practice, Organizations have reported that AI systems have flagged patterns such as vendor payments sharing address details with employee records — signals that had remained undetected for years because traditional sampling procedures repeatedly overlooked them.

5. Audit confirmation automation

The confirmation process — sending, tracking, and reconciling bank and accounts receivable confirmations — has historically been paper-intensive, slow, and prone to follow-up failures.

Modern confirmation platforms can automate request dispatch, tracking, matching, exception flagging, and documentation. It is AI in auditing, delivering immediate, verifiable results in perhaps the riskiest process in any audit. 

It is precisely what AuditConfirm is all about.

Here is a table to summarize: 

AI Use Case	Audit Area	Benefit
NLP Contract Review	ASC 842	Faster lease abstraction
Full-population testing	Journal entries	Better anomaly detection
Confirmation automation	Cash/AP/AR	Faster evidence collection

The benefits of AI in Auditing

Coverage: The application of artificial intelligence in auditing enables the testing of all transactions. AI enables broader population testing, reducing some of the limitations inherent in sampling. 

Speed: What used to take several days now takes only a few hours. The audit cycle is shortened.

Consistency: Artificial intelligence in auditing applies the same rule to the first transaction and the ten-millionth. Human reviewers do not — particularly not at hour seventy of a busy season week.

Documentation: AI applications generate structured output that is easier to audit, improving workpaper quality and decreasing the time needed for review.

Risk assessment: CPAs can use their time more efficiently by focusing on matters that require professional judgment, such as related-party transactions, management estimates, going concern, and complex financial instruments.

The net effect is not a smaller audit team. It is a more effective one — with professionals deployed where their expertise actually matters.

The challenges that come with AI in auditing

Explainability remains a structural problem: Many machine learning models function as black boxes. An auditor who cannot explain why an item was flagged cannot defend that flag to a client, a regulator, or a court. The PCAOB’s July 2024 Staff Spotlight on Generative AI noted that the integration of AI in audits is in its early stages but rapidly evolving — and that audit firms must ensure human oversight of AI-generated outputs remains robust. The standards have not fully kept pace with the technology. That gap carries real professional liability.

It is the quality of training data that ultimately determines the quality of results: If an AI algorithm is trained exclusively for a particular business sector, geographic area, or accounting regime, it may not perform well outside its comfort zone. But it should be remembered that this is precisely the point – the decisive one – on which the use of AI in auditing depends. It will depend on the training data whether an AI produces either correct answers or confidently wrong ones.

The integration process is trickier than vendors claim: Many audit clients use legacy systems, such as outdated SAP or pre-cloud Oracle setups. Getting the appropriate structured data from such systems can become quite a technical problem, often underestimated for its complexity.

Independence standards apply: Once the connection between an auditor and their clients via AI tools is established, the auditor must assess independence in accordance with AICPA, PCAOB, and, where necessary, IESBA standards.

The workforce transition is real: CPAs need to understand what an AI model is doing — its inputs, its assumptions, its failure modes. Firms that treat AI in auditing as plug-and-play without investing in training will misuse it. The audit will not improve. It will simply fail faster while producing better-looking documentation.

What the evidence actually shows

The empirical record on artificial intelligence in accounting and auditing is growing, though it remains limited by the recency of large-scale deployments.

New research on auditing in the Journal of Emerging Technologies in Accounting examines the transformation of auditing procedures through machine learning and data analytics. Findings from such studies indicate a higher anomaly-detection rate than that of traditional sampling-based approaches. On the other hand, another framework for applying machine learning to internal audits throughout their lifecycle, featured in the Research in Accounting Regulation journal in 2024, found that AI-supported procedures detect risks earlier and enable human judgment to be used more purposefully.

According to recent developments in the accounting world, PwC plans to invest about $1 billion over three years in training its existing staff on AI, recruiting AI experts, and adopting AI in its business operations. During the same period, KPMG announced an investment plan of around $2 billion in AI and cloud solutions to improve its consulting, auditing, and tax services.

What the evidence does not show — at least not yet — is that AI in auditing reduces audit failures to zero, eliminates fraud risk, or removes the need for professional skepticism. Any claim to those effects should be treated as a marketing statement, not a finding.

What this means for the CPA practice

The firms gaining ground are not necessarily the largest. They are the most technologically credible.

Mid-size regional firms in the US have deployed artificial intelligence in auditing and are competing directly with larger firms on efficiency, coverage, and turnaround time. The technology has lowered barriers to capabilities that did not exist a decade ago.

This scenario offers an opportunity on one side and a duty on the other side. The opportunity here is to use AI technology in audits, along with necessary training, to ensure good audits are conducted. However, at the same time, these organizations have the responsibility of maintaining professional ethics standards and exercising judgment wherever the model fails.

Independence. Objectivity. Due to professional care. Reasonable assurance. These standards do not yield to technology. They govern it.

The CPA who understands artificial intelligence in accounting and auditing — who can interrogate a model’s output, challenge its assumptions, and apply professional judgment to its findings — is not being replaced by the technology. That CPA is the point of the entire exercise.

AuditConfirm: built for what the audit profession is becoming

AuditConfirm is an audit technology company. We build confirmation automation software — not as a side product, but as our core focus. The platform automates the dispatch and tracking of bank confirmations, accounts receivable confirmations, and legal letter requests within a workflow designed to meet the standards CPAs must follow. Responses are matched, documented, and flagged for exception follow-up. The audit trail is complete.

Our view on the use of artificial intelligence in auditing is based on practice rather than theory. AuditConfirm focuses specifically on confirmation workflows, building tools that serve the profession’s present obligations while anticipating what the next decade of AI in auditing will demand.

A final observation

The auditors who will matter most in the next decade are not the ones who adopted AI earliest. They are the ones who used it most responsibly.

Artificial intelligence in auditing does not exercise judgment. It accelerates it. The quality of that judgment — the professional skepticism, the ethical rigor, the commitment to the public interest — still belongs entirely to the CPA.

What has changed is the scale at which that judgment can now be applied.

For a profession built on trust, that is not a minor development. It is a defining one.

Disclaimer: AuditConfirm is an audit technology company that provides confirmation automation software to accounting firms and internal audit teams. This blog reflects our perspective as an active participant in the audit technology space. All regulatory references, platform names, and research citations are independently verifiable and linked where available.

FAQs

What is AI in auditing, and how does it work?

AI in auditing uses techniques such as machine learning, natural language processing, and automation to analyze the entire set of transactions rather than taking samples. The procedure helps identify anomalies, extract data from contracts, and autonomously generate confirmations.

What are the advantages of using artificial intelligence in auditing?

Coverage, speed, and consistency. Artificial intelligence in auditing facilitates the analysis of all transactions, cuts days-long processes to mere hours, and uses consistent rules for millions of records. CPAs can concentrate on more judgment-based work.

How does artificial intelligence in accounting and auditing differ from conventional approaches?

Conventional auditing uses sampling and end-of-year processes. Artificial intelligence in accounting and auditing uses continuous, full-population testing to address risk identification, outlier detection, and evidence evaluation across whole databases rather than selective samples.

What are the main issues related to AI in auditing that CPAs need to know?

Explainability, data quality, and independence. AI systems often fail to provide reasons for detected abnormalities. Legacy systems pose challenges when retrieving raw information. Furthermore, deploying AI applications into client systems may require compliance with AICPA and PCAOB independence standards.

How does AuditConfirm use artificial intelligence in auditing for confirmation purposes?

The use of AI in AuditConfirm entails sending, tracking, and flagging of bank and accounts receivable confirmations in accordance with the recommendations stipulated under AU-C 505. There are many advantages to this system, including the efficiency and accuracy of audits and the creation of an audit trail.

Balance confirmation is one of the most powerful—and frequently misapplied—tools in an auditor’s toolkit. It has been established in auditing as an accepted procedure for quite some time now. Indeed, the AICPA and the PCAOB have both formalized their applications. 

In the United States, it has become an expected practice for accounting firms. But, despite being so commonplace, the implementation of the balance confirmation procedure tends to be rather inconsistent in practice. Many accounting firms cut corners in the process.

Indeed, the consequences of failing to implement the balance confirmation procedure properly can range from minor inconveniences to major risks. That’s why it is imperative to ensure that this procedure is implemented with discipline and precision during the audit.

This step-by-step guide on executing balance confirmation is designed specifically for CPAs and auditors who want to learn the ins and outs of this critical procedure.

Understanding what balance confirmation does

First, let us define the purpose of balance confirmation in auditing. As per AU-C Section 505 and applicable PCAOB auditing standards on confirmations, balance confirmation is used as a method to obtain direct audit evidence of the existence and accuracy of an item.

This procedure involves requesting a third party—whether a bank, a creditor, a debtor, or a counterparty—to verify the details reported by the client on their financial statements. Since the verifying party is a third party, not affiliated with the client, the process ensures independence in the validation.

The independence of this procedure has made it an effective source of direct audit evidence. As per the AICPA and the PCAOB, the results of a confirmation serve as direct audit evidence in the examination of accounting records. Thus, the balance confirmation process does not rely on the client for validation purposes.

However, the benefits that this procedure can provide are limited to the extent of its execution. A badly managed balance confirmation process yields low-quality audit evidence.

Indeed, courts, regulators, and even peer reviewers have criticized auditors for relying too heavily on inadequate balance confirmations in their work.

How to implement balance confirmation properly

Step 1: Assess whether balance confirmation is required

Balance confirmation might be an accepted procedure in auditing, but it is not necessarily required for all engagements. Certain criteria determine whether this procedure must be performed.

For starters, the first thing you have to consider is the nature of the item under examination. Accounts receivable, bank balances, loans payable, and investment accounts are the most common items used to confirm balances.

Second, the item’s risk assessment must be taken into account. For example, if the object in question has been identified as high-risk for the audit, then the balance confirmation is typically expected or strongly considered for the auditor.

Third, it is important to factor in the client’s control environment. Poor internal controls make it more likely that the auditor will use balance confirmation in the audit.

Finally, you need to document your choice. Even if you decide not to conduct the balance confirmation for a significant item, you need to document the rationale for that in your work file, along with the associated risk documentation.

Step 2: Choose the appropriate type of confirmation

There are two types of balance confirmation: positive and negative. The former is more common and preferred over the latter. You should use positive confirmation whenever the account in question is assessed to be high-risk for the audit.

Positive confirmation requests that the recipient respond with whether they agree or disagree with the client’s reported account balance. On the other hand, negative confirmation assumes that the recipient will agree with the reported balance unless they specify otherwise.

Negative confirmation is usually reserved for situations where:

• The item in question poses little to no risk for the audit
• The population contains many small accounts
• There is no reason to assume that the recipient will not respond to the confirmation request.

Indeed, negative confirmations are becoming less popular in the United States. Recent PCAOB inspections have raised concerns regarding overreliance on negative confirmations. In practice, it is safer to opt for the positive confirmation whenever you are unsure which type to choose.

A blank confirmation is a type of positive confirmation where no balance is stated in the request, and the recipient is asked to independently provide the amount.

Since the confirming party needs to confirm the actual balance themselves, a blank confirmation can provide stronger evidence when responses are received. Still, it may result in lower response rates than the regular positive confirmation.

Step 3: Choose the population for balance confirmation

The confirmation population refers to the group of items to be confirmed. This population can include accounts receivable, bank accounts, and other account types.

The selection of the population has to be based on sound judgment. In other words, the items that make up the population must be selected using appropriate sampling techniques, which may be statistical or judgmental, based on audit risk to prevent bias and fraud.

When dealing with accounts receivable, the population consists of all accounts outstanding as of the confirmation date. Among the accounts comprising the population, the auditor performs sampling to identify which accounts will be confirmed.

It is possible to apply 100 percent confirmation to large accounts, while smaller accounts can be selected using statistical or non-statistical sampling.

It is vital to note that the auditor must retain control over selection, even if the client assists in preparing data. If that doesn’t happen, the audit firm risks compromising the independence of the procedure.

Step 4: Write the confirmation request

The next step is to prepare the confirmation request. Each request should include:

• The account balance as of the confirmation date
• Adequate identification data to help the recipient locate the account—account numbers, reference numbers, contract terms, etc.
• Straightforward wording to ensure clarity

The contact details provided in the request must always belong to the auditor, not the client. Every response must be received directly by the auditor. If the client receives the response on the auditor’s behalf, the evidence is compromised.

The client’s letterhead should be used on the confirmation request. However, the return address must be the auditor’s.

The confirmation date must coincide with the balance sheet date or the date of the account balance being confirmed.

Step 5: Control the distribution of the confirmation requests

This step can easily cause issues for careless auditors. If the client distributes confirmation requests independently, they can manipulate the process.

Indeed, the distribution of requests should be handled solely by the auditor. If the client is distributing the requests, the entire process becomes flawed. Moreover, if the client can access the requests before mailing them, this is a potential avenue for fraud.

Fraud risk is at its highest in this phase. A client planning to defraud can try to hijack outgoing messages, replace the correct contact information with incorrect data, and even generate an entire response. There have been cases in which management provided fictitious third-party contact details—diverting confirmation requests to colluding parties rather than to the true counterparts. It is imperative to verify contact information separately rather than relying solely on information provided by the client.

In practice, this step can involve taking control of the envelopes addressed to the recipients and sending the confirmation requests electronically.

Step 6: Track responses and follow up on non-responses

Auditors should actively monitor responses, in case there are none. To start, set a practical deadline for receiving responses by which you would like to receive responses. This is a reasonable deadline, typically based on engagement timelines. 

Track all the responses that you receive and document the date received, the account balance, and whether it matches the stated balance.

The threat of a low response rate is a significant risk factor that often receives less weight in the evaluation process. It not only raises the possibility of using other verification methods but is itself an important indicator. If a considerable number of confirmations receive no replies, particularly where there are large or irregular amounts, it would be advisable for the auditor to examine whether this low response rate could be indicative of problems within the accounting records.

If you have not received a response to a request by the deadline, follow up by sending another confirmation request. Sometimes, you may need to make more attempts to receive a response.

Remember that non-responses to positive confirmations should never be interpreted as agreement.

Sometimes, the recipient may be unable to respond to the confirmation request. In such cases, you should move to the alternative procedures listed below.

Step 7: Investigate exceptions

If the respondent disagrees with the stated balance, this creates an exception. Possible reasons for this include:

• The difference in the timing
• Payments in transit
• The goods that the recipient has not received
• Disagreements between the client and the recipient.

Some exceptions are harmless, but others can indicate deeper problems. Therefore, it is crucial to investigate each of them.

To start the investigation, ask the client to explain. Then, examine the evidence in the client’s work papers. Make sure that the explanation fits the available evidence.

Auditors must also be on the lookout for fabricated confirmations – responses that appear authentic but are actually false. Several indicators may indicate that a confirmation is fraudulent: confirmations received far too quickly, a confirmation without any exceptions at all from a considerable number of individuals or transactions, emails sent from addresses that are not affiliated with the company issuing the confirmation, or language that does not fit the normal tone for correspondence between a bank and its counterparties. 

When any of these signs are present, the auditor needs to authenticate the confirmation separately. This can be accomplished by calling the individual or organization that issued the confirmation using contact information that was obtained independently of the client.

Sometimes, multiple respondents point out the same discrepancy. In such cases, it is advisable to expand the scope of testing and reassess the account’s risk level.

Step 8: Perform alternative procedures for non-response

When the positive confirmation fails to yield a result after several attempts, the auditor should use alternative procedures to validate the account balance.

These procedures are intended to generate evidence as reliable and robust as the results of confirmation. Some examples of alternative procedures for accounts receivable include:

• Examining subsequent cash receipts
• Examining shipment documents
• Examining sales contracts

For instance, if a client’s debtor paid their invoice in full after the balance sheet date, this is persuasive evidence that the balance was accurate as of the date of examination.

Step 9: Electronic confirmation controls 

It is now common practice to use electronic confirmations. This is because they provide faster service, better record-keeping, and are ideal for large-volume transactions. While these benefits are improved, the controls cannot be avoided, but their application points will change.

Auditors should consider both the outcomes and the integrity of the confirmation platform when using one. Platform vendor SOC 2 Type II compliance is a preferred requirement. It means that the platform has been independently and continuously evaluated for its security, availability, and confidentiality over an extended period, rather than through a point-in-time examination. Always request a SOC 2 Type II report before using the electronic confirmation platform and review its findings.

Both data in transit and data at rest must be encrypted. The platform should implement TLS encryption for the former and AES-256 (or another equally robust algorithm) for the latter. Insecure confirmation data includes account balances, counterparties, and financial records. As such, all data must be encrypted; otherwise, they pose a considerable confidentiality threat and cannot be used in audits.

Access control is just as crucial as encryption. The platform should ensure that clients do not have access to or tamper with the confirmations until the auditors obtain them. Role-based access control, audit trail, and session logging are technical ways to accomplish this. Check the platform’s documentation on access controls and confirm that the client-side is not able to tamper with the confirmations.

Furthermore, auditors should assess the authentication controls that the confirmation platform applies to respondents. If a respondent can send in the confirmation without having their identity verified, the platform will be vulnerable to the same risks that paper confirmation faces. Multi-factor authentication, domain verification, and digital signature features significantly reduce this risk.

Step 10: Evaluate the results and document the results 

Once the auditor has completed the analysis of the responses and exceptions, they need to evaluate the overall results of the balance confirmation process:

• Has the objective been achieved? 
• Do the results of balance confirmation support the evidence collected by the auditor?
• Is there a need to change the item’s risk assessment based on the results obtained?
  

As always, the last step in balance confirmation involves documentation. The auditor needs to compile and organize all the evidence obtained from the process into a coherent package.

Under PCAOB rules, the confirmation results must be included in the final audit file. The documentation of the results must be completed within 45 days of report release (for PCAOB engagements). 

The need for purpose-built tools in high-volume confirmation work

High-volume balance confirmation can pose serious challenges for many accounting firms. Tracking dozens or hundreds of responses, managing follow-ups, and documenting everything thoroughly becomes increasingly difficult as the volume grows.

That is why purpose-built tools like AuditConfirm are highly useful for accounting firms and audit professionals. By leveraging software designed specifically for balance confirmation, CPAs can streamline the process significantly and reduce errors in their documentation.

AuditConfirm is designed for those auditors who would like to use balance confirmations as their main audit technique. It will enable you to control the entire process, from issuing the confirmation request to collecting the required evidence, such as reports.

AuditConfirm allows you to see clearly what’s going on with each task related to confirming balances. You will be able to track client-related responses or monitor confirmation status, handle exceptions, and apply an alternative approach when necessary.

AuditConfirm offers robust security features that are vital for managing confidential financial information. At the same time, the software is fully customizable and scalable. Thus, it is suitable for individual auditors, boutique firms, and international organizations alike. Book a demo now! 

FAQs

What sets a positive confirmation apart from a negative confirmation?

Positive confirmations are inquiries to which a reply is required, whether the addressee agrees or disagrees with the amount shown on the request. On the other hand, negative confirmations require a reply only when the addressee disagrees. The absence of a reply is considered. Positive confirmations usually result in more procedures and audit evidence and are generally more suitable for high-risk or material accounts. Only in defined situations are negative confirmations applicable.

What is the auditor’s course of action regarding an unanswered confirmation?

If no positive confirmation is received, it means sufficient evidence has not yet been obtained. The auditor must make an additional attempt to obtain an answer. If the additional attempt fails to produce a reply, the auditor needs to conduct alternative procedures and document the procedure used.

Is it okay to involve the client in the confirmation process?

The client can authorize the issuance of the confirmation. However, the client is not allowed to engage further in the process, which involves preparing and sending the letters and receiving replies. If any responses are delivered via the client, they are deemed unreliable

How should discrepancies in confirmation replies be addressed?

Each discrepancy must be examined, and the auditor is supposed to find out what caused it. This process includes receiving the client’s explanations and verifying them against other evidence. Similar discrepancies in various confirmation replies suggest expanding the testing to include additional amounts. Every investigation needs to be carefully recorded in the audit file.

Can electronic confirmations be used during audits?

Yes. Electronic confirmations are acceptable provided that the auditor controls the process, the system provides the possibility to ensure that responses reach the auditor directly, and does not provide access to the client. The quality of electronic evidence is contingent on the system’s reliability. Auditors need to consider possible risks and select an appropriate system.

A long-established ritual among public accountants involves writing and signing a confirmation letter, printing the letter, putting it in an envelope, and mailing it to an outside third party – whether that means a bank, a debtor, or even legal counsel. Then comes the waiting period.

This process is often seen as routine. That assumption is misleading.

Beneath the surface of the seemingly harmless ritual lies a system that is extremely vulnerable to human error, that fraudsters can actively exploit, and that runs counter to the regulatory requirements the profession now faces. All CPAs know about that, at least intuitively. Few talk about it openly.

This article attempts to break this silence.

The manual confirmation process that auditors rely too much on

According to AU-C section 505 of the AICPA, external confirmations are an important audit procedure for verifying certain account balances and transactions, particularly where third-party evidence is relevant.

The logic behind this is clear: an independent third party either confirms or denies a specific transaction or balance in question. The evidence obtained is external and, in theory, objective.

The problem starts with the manual process.

Sending confirmations via mail or fax introduces challenges in maintaining control over the process, particularly around ensuring the request reaches the intended recipient and that responses are authentic.

At some point in this process, something can go wrong.

Error risks in the manual confirmation process

Any manual process is inherently flawed because it lacks automation to ensure accuracy.

Consider just the journey of a single manual paper confirmation request:

– The auditor prepares the letter. It might contain a simple transposition error. The senior reviewer has too much on their plate. The letter goes out with this error untouched. The responding entity—a bank, say—matches it to a slightly different account. The response comes in. It seems right. No one makes sure that the account in question matches the trial balance.

That error becomes part of the audit file.

This scenario is not hypothetical. Audit regulators and professional bodies, including the AICPA and PCAOB, have repeatedly highlighted common issues with external confirmations, such as:

– Confirmation requests sent to addresses controlled by or favorable to management.

– Responses received orally without being documented correctly.

– No follow-up on non-responses. Such responses have been improperly assumed to confirm the information in question.

– Responses containing discrepancies left uninvestigated.

Each of these is an individual failure. Combined, these are symptoms of a systemic problem.

A manual process cannot ensure that those problems don’t arise automatically. An auditor needs to be attentive to those risks—and all people, including auditors, are imperfect. Especially when deadlines are approaching and budget constraints loom large.

Confirmation fraud: A known problem with a specific mechanism

There is a type of fraud that specifically exploits the weakness of the manual confirmation process. It is called confirmation fraud, or more commonly, response interception.

This scamming technique isn’t particularly elaborate. A client or a co-conspirator intercepts the confirmation request on the way out, and either responds on behalf of the third party or diverts it to another address.

The result is that the auditor receives a document that appears to be a third-party confirmation, but isn’t. The document is fake.

This type of fraud has been employed in some of the biggest scams in recent history. The Parmalat fraud scheme, which resulted in losses estimated at nearly €14 billion, included the fabrication of bank confirmations. The audit firm received papers confirming billions worth of cash holdings in Parmalat’s accounts. The papers were counterfeit.

The case highlighted significant audit failures, including over-reliance on falsified confirmation evidence. They used the process as prescribed. The process failed them, and the investors who trusted their opinions.

Parmalat may be an extreme example, but the vulnerability the scheme exploited is common to all manual confirmations, regardless of the size of an engagement.

Manual confirmations typically lack built-in security features such as encryption, automated validation, and traceable audit trails. There is no way to verify that the confirmation has indeed been generated by the responding third party using cryptography or other means. There is no auditable transmission record. There is no tamper-proof evidence in the confirmation letter.

Fraud always finds vulnerabilities. A manual process is one of them.

The new requirements for confirmations from auditors

Audit standards have evolved. The regulatory framework in which those standards apply is evolving even faster.

The PCAOB, which oversees public company audits in the United States, has increasingly emphasized the quality of the confirmation process. Many of the PCAOB inspection reports feature the same criticisms: failure to ensure that external confirmations were properly performed, lack of follow-up on exceptions discovered during the process, and acceptance of informal, possibly invalid responses.

The International Auditing and Assurance Standards Board (IAASB) approved revisions to ISA 505 in 2023, with the updated standard effective for audits of financial statements for periods beginning on or after December 15, 2024.

One of the most important changes introduced by the standard regards electronic confirmations. The standard describes the criteria necessary to make sure that electronic confirmations are processed using systems “with sufficient controls.”

These controls include proper validation of the responses. In other words, the standard explicitly acknowledges the necessity of a process that ensures the validity and reliability of the responses.

Implementing such controls manually is theoretically possible, but difficult to execute consistently and reliably in practice.

For US based firms, the IAASB report represents an important reference point even when dealing with PCAOB standards. The message is clear: an informal manual process isn’t enough anymore.

Not every firm understands this. The gap between the current regulatory requirements and a manual confirmation process widens.

The problem with the manual process and time limitations

There is an often-ignored aspect of the confirmation process that shapes every real-life audit engagement: time constraint.

The manual confirmation process is inherently time-consuming. A confirmation letter sent out by mail can take weeks to get a reply, if ever. Non-response rates can be significant in practice, particularly for certain types of confirmations. 

Non-responses need follow-ups. Follow-up confirmation requests take additional time. Sometimes, they generate alternative evidence of inferior value compared to direct confirmation.

This creates a perverse incentive structure. When time is of the essence, an auditor may choose inferior evidence simply because going after a non-response is prohibitively expensive.

It lowers audit quality. At the same time, the audit file indicates that a confirmation process was followed, without noting the lower quality of the obtained evidence.

Electronic confirmation systems greatly reduce the non-response rate, provide time stamps for delivery and receipt of responses, and structure the data so it’s easier to verify. None of this can happen with a manual process.

The time problem is, in addition, a risk problem. The longer the confirmation window, the more time for management to intervene. A fraudster aware that confirmation requests are on the way has plenty of time to intercept, divert, or fake a response. The electronic system that sends the confirmation and receives the response within hours eliminates the window.

The documentation issue in manual confirmations

There are two functions an audit file fulfills. The first is obvious: it is meant to support the audit opinion. The second is less obvious: it is required to prove, in the event of a future inspection, that all procedures were carried out appropriately.

In the context of the manual confirmation process, this second function presents serious difficulties. The original confirmation request is typically kept as a file copy. The response is a scanned paper copy saved in the file. There is virtually no information in an audit file to help determine who handled it and when, or when and where it was delivered and received.

If an auditor is asked by a peer reviewer from the AICPA or an inspector from the PCAOB how the audit firm ensured the response was truly from the third party, the best response would be “we just assumed that.”

That is not a valid response.

By contrast, the electronic confirmation systems create an automatic chain of custody. The timestamped delivery record, the response validation status, and encryption records are generated by default.

It takes no effort. This data is always accessible for future reference and, most importantly, passes the scrutiny of regulators and peer reviews. While this chain of custody could theoretically be created manually, it is rarely done with appropriate attention to detail in real life.

The cumulative effect of multiple weaknesses

All of the risks mentioned above—errors, the possibility of fraud, regulatory requirements that don’t align with the process used, a high non-response rate, and deficient documentation—can be addressed individually.

However, more importantly, the above risks compound. Using a manual confirmation system with a moderate error rate, limited fraud protection, poor regulatory fit, a low response rate, and deficient documentation means accepting increased risk for each audit engagement.

Not all engagements experience all failure modes. Yet in the course of a large audit practice, the cumulative effect of the multiple risks is inevitable.

This risk is not theoretical. It is a calculable probability.

Audit inspections and enforcement actions have, in several cases, cited deficiencies in confirmation procedures as contributing factors. Fraud and misstatement are rare in these cases, as are large-scale schemes. Far more frequent are smaller mistakes that result in misstatements, which eventually cause significant professional, financial, and reputational harm to the CPA.

Conclusion: Facing the threat head-on

No one designed a manual confirmation process to fail. The technology wasn’t available at the time.

Keeping a manual confirmation process in this day and age isn’t a neutral choice. By using a manual process, a CPA consciously accepts all risks of error, fraud, regulatory sanctions, and malpractice claims.

AuditConfirm was created to tackle this exact problem. It is an electronic confirmation management system that controls the transmission and response processes and provides all necessary documentation and verification in accordance with the latest standards and best practices.

Those risks discussed above aren’t new. Each manual confirmation request sent this year, last year, or over the past decade contained these risks.

The question a CPA managing an audit engagement has to ask him- or herself is no longer whether these risks exist. It is whether the CPA is still willing to accept them.

FAQs

Is the use of a manual confirmation process still considered a compliant approach under modern audit standards?

Audit standards do not prohibit manual confirmations. However, auditors must demonstrate control over the confirmation process, regardless of the method used. In this context, both ISA 505 (revised) and the PCAOB’s inspection standards require proof that the auditor controls three key aspects: transmission, authentication, and documentation. Where manual confirmation fails to control these factors, it faces considerable problems proving its value during regulatory scrutiny.

How realistic is the threat of confirmation fraud in the context of an average audit engagement?

The reality of confirmation fraud is far greater than most people acknowledge. Confirmation fraud doesn’t require an elaborate scheme; it only demands access to the outgoing request. This is precisely the type of risk that manual confirmations struggle to mitigate because they cannot provide a controlled, authenticated channel for the process.

What steps should a CPA take when the confirmation response is returned by the client rather than by the third party directly? 

The CPA should understand that such a response is considered unreliable external evidence. According to AU-C Section 505, a response that does not come directly from the confirming party is considered invalid. This means that the response can be classified as a non-response. At this point, the CPA needs to use additional audit techniques to collect sufficient evidence and ensure that everything is recorded in the working papers.

What is the situation with non-responses in the auditing process, and what actions can be taken by an audit firm in that situation?

A non-response is much more than nothing happening because it creates an absence of evidence that forms the core of audit evidence. To counter this, you would need to implement higher-level alternative procedures. According to AU-C 505, the auditor must consider whether the alternative evidence supports the assertion under consideration. The issue of non-response becomes a broader problem in a portfolio of audits because it is associated with traditional confirmation methods.

What could be the best way to minimize audit risks associated with confirmations?

Perform an evaluation of your confirmation process based on the following three dimensions: controls over the delivery of confirmations, authentication of replies received, and detailed record keeping of transactions. If your confirmation process is negative on any of the three mentioned dimensions, only manual corrections will not guarantee accuracy. That’s where technology comes in handy, like AuditConfirm.

Audit is a profession born out of skepticism. Challenge the number. Validate its source. Don’t take any number at face value. This instinct has not changed. Virtually everything else, however, has.

The tools are different. The volumes of data have grown beyond comprehension. Risks are increasingly fast-paced. Clients—boards, CFOs, regulators—require more than an opinion. They need insight. They demand agility. They seek an opinion that keeps up with business.

The future of audit represents a dramatic paradigm shift.

What sample-based audits miss

Audit has functioned under certain constraints throughout the decades. In the absence of technology to analyze entire transaction populations, auditors had to rely on examining only a subset of transactions. They sampled the population using statistical techniques that offered confidence within limits. It was meticulous. It was defensible.

If sampling covers 5% of transactions, the remaining 95% are not directly tested but evaluated through statistical inference. For a company that processes hundreds of thousands of transactions quarterly, this is a significant volume. As a result, any potential fraud, error, or other anomaly may go undetected. Not because of auditor negligence, but simply because there wasn’t a choice.

The advent of AI technology changes all of this.

Full population testing becomes possible due to machine learning algorithms that are increasingly used across various applications, provided they have good data. The journal entries, payments to all vendors, and reconciliations can identify abnormalities by spotting certain patterns.

The shift from sample-based audits to full population testing goes beyond an alteration; it fundamentally changes the nature of an audit. While it improves coverage, it does not change the nature of being a risk-based process.

In the 2023 AICPA audit technology survey, nearly 88% of finance leaders say AI will transform the profession within two years, but only 8% feel “very well-prepared” to adopt AI.

Continuous monitoring is now a must-have tool.

An annual audit cycle made sense in a pre-digital age. Auditors came in, examined the previous year’s transactions, and delivered an opinion months later. Markets, however, don’t operate in a vacuum. Neither do risks.

Firms in sectors such as finance, healthcare, IT, and energy are constantly evolving. Deals are finalized. Regulations are updated. Companies extend their operations into different locations, creating new threats. If there is a problem during a typical audit process, the damage is often done by then.

Real-time monitoring is increasingly becoming a competitive advantage. 

Automated controls testing and dashboards can detect anomalies in real time. Exception reporting that is instantly available to the auditor and to the client. This is not hypothetical; some forward-looking CPA firms already utilize such solutions. CPAs who learn how to leverage them will shape the future of audit as we know it.

Confirmation is the audit procedure that broke first

No single audit procedure better exposes the limitations of the traditional audit process than confirmation.

Historically, confirming balances meant sending letters via the postal service, receiving responses in the same manner, and, if necessary, following up by phone. The confirmation packets were physically stored, creating potential security risks, including interception, forgery, or loss. The massive Parmalat fraud in 2002 involved fabricated bank confirmations, among many other things.

Digital confirmations changed all of that.

It automated third-party letter generation and response collection while still requiring controls to ensure independence and reliability of responses. Audit trails and confirmed responses that can be quickly accessed and traced. The process became faster and easier to audit. Yet this is only the start.

Integrating AI into confirmation workflows

Introducing artificial intelligence into a traditional audit confirmation workflow changes everything. An AI model can automatically reconcile the response against a company’s general ledger balance, detect abnormalities in confirmed balances, or analyze free-form text within confirmations.

The confirmation process becomes much more effective. An auditor who would typically spend countless hours reconciling confirmation packets manually can save valuable time.

All that remains is judgment, exactly where the audit’s true value lies.

Smarter and more effective risk assessments

Traditionally, risk assessment in audit involved auditor expertise and judgment, combined with analytical procedures based on summarized financial data.

AI-based solutions offer a dramatic improvement on both counts.

First, integrating external data sources into the risk assessment process provides an additional layer of information. Imagine a scenario in which an auditor assessing inventory in a retail operation cross-references commodity prices, industry-wide supply chain risks, macroeconomic indicators, and other factors.

Secondly, a machine learning model can predict, for each client, the account areas with the highest likelihood of material misstatements, based on their particular characteristics and risks.

In summary, data analytics can significantly enhance any risk assessment, regardless of an auditor’s background or experience.

How document analysis is changing fieldwork

From leases and contracts to loan covenants, board minutes, and third-party relationships, auditing often involves examining extensive documentation to extract specific details.

With large language models, the entire approach can be transformed.

Imagine a CPA running an audit test that involves analyzing a portfolio of lease agreements. Within minutes, an AI system generates a report with lease commencement dates, renewal periods, variable lease payments, and related-party disclosures. The auditor verifies the results, analyzes anomalies, and takes appropriate action.

The benefits for the CPA firm are obvious. Instead of spending countless hours extracting details from documents, a CPA can focus on interpreting and analyzing data.

In addition, this creates a significant development opportunity for CPAs, allowing them to focus on exception reviews rather than mundane tasks.

The talent question the CPA firms are avoiding

There is an uncomfortable conversation taking place within the audit firms.

As more and more tasks, traditionally performed by junior CPAs, such as document extraction or vouching, are being automated through AI applications, what should the role of entry-level audit professionals look like?

It is not a trivial question. Historically, the audit career trajectory followed a certain pattern. Associate-level staff handled transactional matters; seniors reviewed associates’ work; managers evaluated transactions and resolved issues; and partners made judgments regarding the engagements as a whole.

When AI automation handles transactional matters, the audit firm needs to redesign the learning model. Junior CPAs should start learning about analytical procedures, risk assessments, and client management much earlier, ideally from day one.

The CPA firm that will find a solution to this challenge will attract and retain superior talent. Those who fail to address this issue will lose their early-career staff members.

Regulatory issues with the AI-based audit

Standard setters are beginning to adapt.

The PCAOB has begun exploring the implications of AI in auditing through guidance and research initiatives. The AICPA is revising its standards to accommodate automated tools, AI procedures, and data analytics. Internationally, the IAASB is considering similar questions.

However, the issue isn’t about the permission to use AI. The problem relates to the adequacy of the audit trail.

When an AI model produces results for a sample or population test, the auditor is responsible for explaining why they believe the model is valid. What did the model do? How were the exception criteria established? Was the model tested using relevant data? Why was a certain output generated?

Another aspect contributing to the complexity is that of independence and ethical concerns. If the auditor relies on external AI software applications in performing audits, the firm will have to determine whether the use of such software would pose any threat to independence, as prescribed by AICPA and SEC standards. The analysis of client data using third-party software raises data privacy issues, especially when audits are conducted against GDPR, CCPA, or other applicable regulatory requirements.

CPAs who can answer these questions competently will have a significant professional advantage. After all, auditing technology is only half the story.

The limitations auditors must not ignore.

The case for AI in audit is strong. But a one-sided case is not credible.

Indeed, there are very strong arguments supporting the use of AI in audit engagements. Yet, a one-sided discussion cannot be considered credible. Every Certified Public Accountant working with such solutions should know about their limitations – and what they mean.

Dependence on data quality: Any machine learning model relies on the quality of its input data for its effectiveness. If there is incorrect data, missing data, and coding inconsistencies in the client company’s ERP system, the output of the analysis using AI technology will be correct but not relevant to the situation at hand.

Risk of model bias: All machine learning algorithms reflect biases inherent in their training data. Thus, an AI solution built using transactional data collected throughout economically stable periods will perform worse when confronted with anomalies that haven’t been detected before.

Issues with black box: The commercially viable machine learning models tend to be opaque about their reasoning process. If the auditor is unable to explain how an anomaly arose, the impartiality of the audit process will be in doubt.

Risk of over-reliance: The biggest threat to the use of AI in auditing is over-reliance on algorithmic output. In fact, an auditor remains responsible for all decisions made in relation to the financial statements being analyzed.

The future of auditing with AI will also require rigorous human oversight.

What will the best audit teams of 2030 look like?

Predictions are difficult. However, certain developments seem fairly obvious.

By 2030, the best audit teams will be testing the entire population rather than samples. They will be monitoring controls continuously. They will provide insight along with opinions. They will integrate external data into risk assessments and analyze it. Their working papers will document the logic behind the machine learning models used.

The leading audit teams of 2030 will also hire CPAs with a completely different skill set. Not CPAs with less accounting knowledge, but more. CPAs can design monitoring programs rather than perform the task, and those with a knack for evaluating AI-generated output.

The future of audit is now. The profession will not be the same again.

AuditConfirm and the future of audit

AuditConfirm was built to transform the audit process. It provides the necessary audit evidence while addressing one of the most fundamental vulnerabilities in the traditional audit process. Digital confirmation that is instantaneous, verified, traceable, and secure.

In addition to a superior confirmation platform, however, AuditConfirm offers CPAs a glimpse of the future of audit itself.

Designed to integrate into a technology-enabled audit process seamlessly, AuditConfirm represents the future of auditing.

FAQs

What will the future of audit be for CPAs?

Audit in the future will be driven by data, continuous, and technology-enabled. The traditional auditing methods of CPAs will evolve from being detail-oriented and manual to becoming more focused on risk judgment and validation of AI outputs.

Will AI replace auditors in the future of auditing?

No. In the future of auditing, elements such as professional skepticism, client knowledge, and regulatory compliance will always remain with CPAs, as these require human skills. What AI will replace are auditors’ repetitive, high-volume, low-value-add activities.

What will be the new process of confirming balances in the future of audit?

It has already shifted from being paper-based to being digital. The next steps in the evolution of the confirmation process in the future of audit will include reconciliation, anomaly detection, and automated follow-up of confirmed balances.

Have current audit standards been prepared to accommodate the future of auditing?

Yes, but slowly. Regulators such as the PCAOB, AICPA, and IAASB have started issuing guidance on the new procedures involving AI and data analytics. CPAs who document well any new technology-enabled procedures they undertake will be better off once all standards are updated.

How should firms be preparing for the future of audit now?

They should begin with the most manual and error-prone procedures, including confirmations, document extraction, and controls testing. Once these areas are modernized, CPA firms will be able to develop expertise in reviewing AI outputs.

Vendor balances lie quietly in the general ledger. They look clean. They reconcile. Then, during litigation, a regulatory review, or a routine accounts payable confirmation audit, a discrepancy surfaces. It was always there. Nobody bothered to confirm it.

Accounts payable confirmations are not glamorous. They sit in the background of audit planning, often reduced to a procedural formality. But for CPAs conducting financial statement audits, especially in the US, where PCAOB and AICPA standards demand substantive testing, this process is a material risk control. Get it wrong, and the consequences run from qualified opinions to regulatory penalties.

This guide walks through a practical checklist and sample templates for conducting accounts payable confirmations. No boilerplate. No theory padded with filler. Just what you actually need.

Why accounts payable confirmations matter

Accounts payable carries a distinct audit risk profile compared to receivables. With receivables, the bias is overstatement. With payables, the risk runs the other way: understatement.

Companies, knowingly or unknowingly, may:

• Omit vendor invoices received close to year-end
• Delay recording accruals to manage reported liabilities
• Exclude related-party payables from disclosed balances
• Misclassify short-term obligations as long-term

Intentional understatement of liabilities is a common financial reporting fraud risk, particularly in periods of earnings pressure. Accounts payable confirmations primarily address the completeness assertion, but may also provide insight into cutoff and accuracy where discrepancies arise.

Under AU-C Section 505 (AICPA) and AS 2310 (PCAOB), external confirmation is one of the most reliable forms of audit evidence available. It comes from a source independent of the client. That independence is precisely its value.

Accounts payable confirmation audit checklist

The following checklist is structured by audit phase. CPAs can adapt it to engagements of any size, from mid-market private companies to publicly listed entities filing with the SEC.

Phase 1: pre-confirmation planning

1. Assess confirmation necessity

Not every audit requires external AP confirmations. Consider:

• Materiality of accounts payable to total liabilities
• Results of prior-year audit procedures
• Risk of management override or fraud indicators
• Effectiveness of internal controls over the procure-to-pay cycle

If controls are weak or fraud risk is elevated, external confirmation should be strongly considered as a primary substantive procedure.

2. Identify the population

Define what constitutes the confirmation population. Standard options:

• All vendors with balances above a dollar threshold
• All vendors active in the final 60 days of the fiscal year
• Zero-balance vendors with significant prior-year activity (a common omission)
• Related parties: always confirm regardless of balance

A critical audit note: zero-balance accounts deserve specific attention. An unrecorded liability hides best when the ledger shows nothing.

3. Select the sample

Sampling methodology should be defensible and documented. Common approaches for accounts payable confirmations include:

• Monetary Unit Sampling (MUS) for large populations
• Judgmental selection for high-risk or related-party vendors
• Stratified random sampling for mixed-risk populations

For US audits under PCAOB standards, document the rationale for any exclusions from the confirmation population.

4. Obtain vendor contact details

Verify mailing addresses and email addresses directly against source documents — not management-provided lists. This is non-negotiable. Sending confirmations using client-provided contact data undermines independence.

5. Prepare confirmation letters

Use blank-form confirmations wherever practical. Blank-form requests ask vendors to report the balance they carry for the client. Blank-form requests generally provide more persuasive evidence than standard positive confirmations, particularly when testing for completeness.

Phase 2: sending confirmations

6. Maintain control of the process

The auditor, not the client, must control the dispatch and receipt of confirmation requests. This means:

• Using the auditor’s return address on all correspondence
• Sending directly from the audit firm’s email or postal address
• Never routing confirmation requests through client staff

7. Document dispatch

Record the date, method, and recipient details for every confirmation sent. This is your evidence trail.

8. Set a response deadline

Standard practice: 10 to 15 business days for initial response. Include a clear deadline in the letter.

9. Follow up on non-responses

A non-response is not audit evidence. It is an absence of evidence. For material balances with no response:

• Send a second request
• Follow up by phone and document the conversation
• If still unresolved, apply alternative procedures

Phase 3: alternative procedures for non-responses

When vendors do not respond, alternative procedures must be rigorous. Common procedures:

• Examine subsequent cash disbursements and trace them to invoices
• Review vendor statements received independently
• Inspect receiving reports, purchase orders, and contracts
• Compare recorded payable to invoice amounts and delivery documentation

The alternative procedure must test the same assertion that the confirmation was designed to address.

Phase 4: analyzing responses and exceptions

10. Record all responses

Log every response, including the vendor-reported balance and any differences from the client’s ledger.

11. Investigate exceptions

An exception is any discrepancy between the confirmed balance and the recorded balance. Categories include:

• Timing differences: invoices or payments in transit at year-end (often benign, but document)
• Unrecorded invoices: potential understatement of liabilities
• Pricing or quantity disputes: may indicate accrual errors
• Related-party adjustments: always escalate for management and auditor review

12. Evaluate aggregate misstatement

Apply your materiality framework. Individually immaterial exceptions may aggregate to a material misstatement. This requires judgment and documentation.

Phase 5: documentation and wrap-up

13. Prepare the confirmation control schedule

A complete confirmation control schedule includes:

• Vendor name
• Confirmation type (positive/negative/blank)
• Date sent
• Date of response (if any)
• Balance per client ledger
• Balance per vendor response
• Difference
• Disposition (resolved / alternative procedure applied / exception reported)

14. Retain all correspondence

Original confirmation letters, envelopes, and email chains are audit evidence. Retain them in the permanent or current audit file in accordance with your firm’s retention policy. Under PCAOB AS 1215, audit documentation must be complete before the report release date.

15. Summarize findings for the workpaper

The summary should include the population, sample size, response rate, exceptions identified, and the auditor’s conclusion on the completeness assertion.

Sample template: blank-form accounts payable confirmation letter

<Audit firm letterhead>

<Date>

<Vendor name> <Vendor address>

RE: Audit confirmation request — <client name> — fiscal year ended <date>

Dear Sir or Madam,

We are the independent auditors for <client name>. In connection with our audit of the financial statements for the year ended <date>, we are performing procedures relating to amounts payable to your organization.

Please furnish directly to our firm, not to our client, the following information as of <confirmation date>:

1. The total amount owed to you by <client name> as of the date above
2. A description of any open invoices, credits, or disputes
3. The terms of payment applicable to the outstanding balance

Please return your response in the enclosed pre-addressed envelope, or email directly to: <auditor email address>

This request is for audit purposes only. Your response is requested regardless of whether the balance is in agreement or dispute.

Please respond by <response deadline>.

<Authorized signatory — audit firm> <title, firm name, contact details>

Sample template: confirmation control schedule

#	Vendor name	Balance per ledger (USD)	Conf. sent	Response received	Balance per vendor (USD)	Difference	Disposition
1	Vendor A	142,500	MM/DD	MM/DD	142,500	—	Agreed
2	Vendor B	87,300	MM/DD	MM/DD	94,100	6,800	Timing — invoice in transit
3	Vendor C	213,000	MM/DD	No response	N/A	N/A	Alternative procedures
4	Vendor D	0	MM/DD	MM/DD	18,400	18,400	Unrecorded liability escalated
5	Vendor E	55,000	MM/DD	MM/DD	55,000	—	Agreed

Note: Vendor D’s unrecorded liability of $18,400 requires assessment against materiality and management inquiry.

Practical notes for US-based CPAs

There are nuances specific to accounts payable confirmations in a US-based context.

PCAOB requirements for audits of public companies: AS 2310 does not establish a presumption in favor of accounts payable confirmations (unlike accounts receivable), but emphasizes the need for sufficient, appropriate evidence in response to assessed risks.

AICPA requirements for audits of private companies: AU-C 505 applies to non-issuer (private company) audits and carries similar principles, though it is subject to AICPA rather than PCAOB oversight.

State CPA board requirements: Some state boards require additional documentation for sole practitioners and small firms that conduct compilation engagements near audit engagements. It is best to check state requirements.

Electronic confirmations: Many electronic confirmation platforms are acceptable under both PCAOB and AICPA standards, provided the auditor maintains control over the process and can validate the reliability of the response source. They are more efficient and increase response rates. However, they still require auditor control, dispatch, and receipt.

Conclusion: precision is the standard

An accounts payable confirmations audit is not a checkbox. It is a substantive test. The level of evidence is only as good as the level of process: the selection of the population, dispatch control, intensive follow-up, and disciplined exception analysis.

In this process, any shortcuts can result in significant liability risk. For CPAs, particularly those auditing public companies or in heavily regulated industries, issues in this process can result in scrutiny by the PCAOB, the SEC, and state licensing boards.

AuditConfirm is for the audit professional who understands the importance of this process. It is built specifically for managing external confirmations, such as accounts payable confirmations, with the level of control and documentation required by professional standards. It eliminates the operational complexity of the process while maintaining the independence and rigor necessary for reliable evidence.

For CPAs who desire a faster, more efficient, and more effective process for confirmations, the workflow belongs in AuditConfirm.

FAQs

What is the purpose of accounts payable confirmations in an audit?

Accounts payable confirmations provide the auditor with independent evidence that the general ledger is complete and accurate with respect to the company’s liabilities. It’s done by asking the vendors directly how much they believe the company owes them. It is one of the few procedures that can identify unrecorded liabilities that would never be discovered through company documents.

Are accounts payable confirmations required under US auditing standards?

While neither AS 2310 nor AU-C Section 505 mandates accounts payable confirmations, auditors must be able to justify their audit approach and demonstrate that sufficient appropriate evidence was obtained through alternative procedures when confirmations are not used. In cases where fraud is suspected, controls are weak, and related-party payables are significant, the decision not to perform an accounts payable confirmation is hard to justify.

What is the difference between a positive and a blank-form confirmation of accounts payable?

A positive confirmation is when the auditor sends the vendor a request to agree or disagree with the presented balance. A blank-form confirmation is when the auditor simply sends the vendor a request for the balance without providing any information. In the case of accounts payable confirmations, the auditor is better off using the blank-form confirmation because the risk is unrecorded debt, not overstatement.

How do CPAs deal with vendors who do not respond to confirmations?

A non-response does not provide audit evidence in an accounts payable confirmation audit. The CPA must take further steps to address vendors who do not respond to confirmations. Moreover, the CPA must look for additional transactions, independently obtain vendor statements, and receive reports and contracts. The non-responses and alternative procedures have to be documented.

Can CPAs use electronic means to confirm accounts payable?

Yes, CPAs can use electronic means to confirm accounts payable. Both the PCAOB and the AICPA standards allow the use of electronic means for accounts payable confirmations. The CPA must ensure they have full control over dispatch and receipt. The client must be denied any opportunity to intercept or influence, irrespective of how the client receives them. The use of electronic means is advantageous to CPAs who deal with large numbers, as it is likely to produce high response rates and documentation.

Audits rarely fail because numbers are missing. They fail because the numbers can’t be supported with reliable evidence. For an auditor, the figures mentioned in the ledger are just the beginning. What is important is the accuracy of the figures. Here, the accounts receivable confirmation audit is essential. When companies recognize revenue from credit sales, they typically record accounts receivable representing amounts owed by customers. 

However, the presence of accounts receivable in the ledger does not imply that the customers will agree to the amount. Hence, it becomes essential to verify the accounts receivable. Verification of accounts receivable is conducted through an accounts receivable confirmation audit. 

Auditors have been using the confirmation audit method to verify accounts receivable for decades. The method is a core audit procedure and is formally addressed in global auditing standards, including confirmation guidance under standards such as AU-C Section 505 External Confirmations in the United States. However, the method is changing rapidly as the audits become more digital and global. 

This article will cover the complete accounts receivable confirmation audit process, the types of confirmation auditors use, and the best practices modern CPA firms use to streamline and secure the procedure.

Why is accounts receivable confirmation essential in audits

Receivables are one of the largest assets on the company’s balance sheet and one of the most vulnerable to manipulation. Problems with revenue recognition, fictitious sales, and premature customer billing tend to inflate accounts receivable balances, rendering the financial statements unreliable. 

The accounts receivable confirmation procedure helps mitigate the risk of misstatements in accounts receivable. Instead of using the company’s accounting documents as evidence of accounts receivable, the auditor requests that the customer confirm the balances. 

The auditor asks the customer to confirm whether the balance recorded by the company matches the customer’s records. The customer’s confirmation of the accounts owed to the company is considered more reliable audit evidence compared to the company’s accounting documents. 

To the CPA firm, the accounts receivable confirmation process provides evidence of the: 

• Existence of receivables
• Accuracy of receivable balances
• Rights to receivables
• Revenue cutoff and timing

Therefore, the accounts receivable confirmation process is essential and provides evidence for various audit procedures.

When auditors perform an accounts receivable confirmation audit

Not every receivable balance requires confirmation. Auditors use professional judgment to determine when confirmations are necessary. However, confirmations are commonly used when:

• Accounts receivable balances are material to financial statements
• Internal controls over revenue are weak or untested
• The company has complex or international customers
• There is a higher risk of fraud or misstatement
• Prior audits revealed discrepancies

In the United States, confirmation procedures are strongly supported by auditing standards. Auditors often treat receivable confirmations as one of the most persuasive forms of evidence.

In practice, many CPA firms include receivable confirmations in most mid-size and large audit engagements, particularly when receivables are material.

The accounts receivable confirmation process

At first glance, the accounts receivable confirmation process seems simple. Send confirmation requests. Wait for responses. 

But in reality, the process requires careful planning and strict control to ensure the evidence’s reliability.

Below is the step-by-step structure most auditors follow.

1. Selecting the sample

The process starts by selecting the customer accounts to confirm. Note that the auditor does not request confirmation of all receivable balances. 

Only a sample of the balances is requested based on the risks and materiality of the balances. Common selection criteria include:

• Large balances
• Overdue balances
• New customers
• Unusual transactions
• Random sample selections

The auditor should focus on requesting the high-risk balances.

2. Preparing confirmation requests

The second step in sending AR confirmations is preparing the requests. After selecting the sample of balances, the auditor prepares the request letters. 

Each request should include the following: 

• The customer’s name and address
• The amount of the balance due based on the company’s records
• Instructions explaining how the customer should confirm or dispute the balance
• A method for returning the responses

The auditor should have control over the entire process of sending and receiving AR confirmations.

3. Sending AR confirmations

The auditor should now send the requests to the customers. Traditionally, auditors would use the postal service to send request letters. 

However, with technological advances and the use of digital platforms in the CPA industry, CPA firms are sending AR confirmations via these platforms. These platforms have greatly improved the process of sending AR confirmations.

4. Receiving customer responses

The customer has two options: Verify that the amount is correct or indicate a discrepancy between their records and the company’s balance. If the responses match the recorded balance, the confirmation provides strong audit evidence supporting the receivable balance.

However, if there are discrepancies, further investigation is necessary. The most common reasons for discrepancies are timing differences in payments, shipping disagreements, credit memos not recorded by the company, or billing disagreements.

5. Following up on non-responses

One of the biggest challenges auditors face is dealing with customer non-response during AR confirmation audits. 

In many cases, customers simply do not respond to confirmation requests. In such a scenario, auditors send out a second letter to customers to encourage a response. However, if that doesn’t work, auditors are forced to use other procedures that provide some evidence.  

When no response is received, auditors perform alternative procedures such as:

• Reviewing subsequent cash receipts
• Examining shipping documents
• Reviewing sales invoices

These procedures are usually less reliable compared to confirmation responses.

Types of accounts receivable confirmations

Not all confirmation requests are the same. Auditors use different confirmation requests depending on their needs. The two major types of confirmation requests are positive and negative.

Positive confirmations

In positive confirmation requests, customers are required to respond regardless of whether they agree or disagree with the confirmation. They are the most reliable form of confirmation evidence. 

Positive confirmation requests are usually employed when:

• Individual balances are large
• Controls are weak
• The risk of fraud is high 
• The customer population is relatively small

Positive confirmations provide stronger evidence, but response rates can sometimes be low because customers do not always prioritize responding to audit requests.

Negative confirmations

On the other hand, negative confirmations work differently: Customers respond only if they disagree with the balance. If the customer does not respond, the auditor may treat the lack of response as implicit agreement, but only when the risk of misstatement is low.

Negative confirmations are used in situations where:

• The risk of misstatement of financial statements is low
• There are a large number of small accounts
• The client has good internal controls
• There are no reasons to assume that customers will not respond

Negative confirmations are considered weaker evidence than positive confirmations because they are based on customers’ failure to respond, which is taken as evidence of agreement. Most auditors prefer positive confirmations.

Challenges in the traditional confirmation process

The traditional audit confirmation process has been around for decades. However, it has various challenges. Some of these challenges include:

• The process is slow due to the postal services. For international customers, this is particularly difficult. 
• Some customers do not take the audit confirmation process seriously. 
• Traditional confirmation processes can be vulnerable to interception or manipulation if proper auditor control is not maintained.
• There is considerable administrative work involved in sending out audit confirmations and tracking responses. 

This leaves less time for actual audit analysis.

Best practices in AR confirmations

Audit teams today are redefining AR confirmations to achieve efficiency and security, not just completeness. Several best practices are being implemented today to achieve these objectives:

Maintain strict auditor control: Audit standards require that the auditor control the audit confirmation process. Several best practices are being implemented to ensure this:

Sending audit confirmations from the auditor’s office is recommended. The auditor should verify customer information. The auditor should be independent from clients to ensure reliability. The auditor should not allow clients to access responses to audit confirmations.

Use risk-based sampling: Most audit teams now use it. This involves selecting high-risk customers. High-risk customers include those with high balances, related parties, unusual transactions, and new customers. 

Risk-based audit sampling is efficient without compromising audit efficiency. 

Track responses to audit confirmations: A structured tracking system is recommended. This involves tracking audit confirmations sent to customers, responses received, disputed balances, and non-responses requiring follow-up. 

Document discrepancies thoroughly: When customers identify differences in audit responses, documentation is critical. Documentation should include:

• Nature of differences
• Documentation provided by customers
• Audit conclusion

Adopt digital confirmation platforms: The first significant advancement in AR confirmations is the move toward digital confirmations. Digital confirmations provide a safer and more reliable option for sending, verifying, and tracking responses. This is particularly significant for large businesses with hundreds of confirmations to be handled.

AR confirmations in a global audit environment

The global nature of modern businesses is a reality. Companies operate globally, and their customers are located in different countries. This also means receivables may be denominated in foreign currencies.

Therefore, in a global environment, AR confirmations are more significant. When conducting international confirmations, several challenges arise, such as: 

• Time zone differences
• Language
• Postal delays
• Financial documentation standards

However, with the help of digital confirmation systems, global confirmations have become much simpler, and companies can reach their customers instantly. This has reduced potential wait times from several weeks to days.

The future of accounts receivable confirmation audits

Audit confirmation procedures are evolving alongside advances in audit technology and regulatory expectations.

In the context of AR confirmation, the process is gradually shifting from traditional methods toward technology-driven systems.  The key trends shaping the future include:

• Secure digital confirmation networks
• Real-time response tracking
• Automated follow-ups
• Integrated audit documentation

These developments allow auditors to obtain confirmation evidence faster while maintaining strict compliance with auditing standards.

For CPA firms managing complex global audits, digital confirmation systems are quickly becoming essential infrastructure.

Conclusion

The accounts receivable confirmation has long been one of the most trusted audit procedures that is conducted during financial reporting. By obtaining independent verification from customers, auditors can obtain direct evidence that the balances exist and are correctly reported. 

The traditional method of conducting an accounts receivable confirmation is time-consuming and often cumbersome. However, auditors can now use new technologies to provide a secure solution for conducting audit confirmation procedures. 

AuditConfirm provides a secure digital platform that enables CPAs to manage accounts receivable confirmations and other external confirmations efficiently. For example, the solution allows auditors to connect with thousands of financial institutions across more than 195 countries. Moreover, it enables auditors to complete a confirmation procedure in minutes rather than weeks. 

For CPAs seeking a more efficient solution with greater control over confirmation requests and a fully documented confirmation process, AuditConfirm is tailored to meet the needs of auditors in today’s environment. In the world of auditing, reliable evidence is a necessity. 

FAQs

What is accounts receivable confirmation in auditing?

Accounts receivable confirmation is an audit procedure where auditors ask customers to verify the amount they owe a company. The response provides independent evidence supporting receivable balances reported in the financial statements.

What is the accounts receivable confirmation process?

The accounts receivable confirmation process involves selecting customer balances, sending confirmation requests to these customers, and receiving their responses. These responses are used as independent confirmation in an accounts receivable confirmation engagement.

What are the types of accounts receivable confirmation?

The two types of accounts receivable confirmation are positive and negative. Positive confirmation involves obtaining a response from customers, whereas negative confirmation involves obtaining a response from customers only if the balance is incorrect. Both types are used in accounts receivable confirmation.

Why is accounts receivable confirmation important in auditing?

The importance of accounts receivable confirmation is that it provides third-party validation of customer balances. An accounts receivable confirmation process is used to validate the existence of accounts receivable.

Is the accounts receivable confirmation process digital?

Sometimes. Many CPA firms now conduct confirmations through secure digital platforms that allow auditors to send, track, and document confirmation requests electronically.

Auditing has transformed over the years, not through dramatic announcements but through technology and software innovation. Auditors today handle volumes of data that were unimaginable two decades ago. Financial systems are cloud-based. Transactions happen through APIs. Organizations operate across borders. Auditors now face stricter documentation requirements and faster response expectations.

However, there has been a major disconnect. Auditing has advanced rapidly in some areas but has remained stuck in time in others. Auditing software has thus emerged as a crucial component of audits today. Leading auditing software now helps auditors with data analysis, workpaper documentation, risk assessment, and team collaboration. For CPA firms dealing with complex organizations, the right auditing software reduces weeks of work to mere hours.

This article reviews the top auditing software of 2026, including its features, pricing models, and use cases. It is a practical review of auditing software that helps CPAs deliver audits that are not only efficient but also reliable.

Top auditing softwares of 2026

Here’s the list: 

1. AuditConfirm

Before we dive into more general auditing software, it is important to talk about an age-old problem with audits: confirmations. Third-party confirmations are an important audit procedure for verifying financial data, such as bank balances, accounts receivable, and accounts payable. Auditors have thus far struggled with:

• Bank-managed confirmation processes
• Fax or email-based confirmations
• Delays or no response 
• Inadequate network infrastructure
• Inconsistent documentation

AuditConfirm solves this problem. It is designed to modernize the confirmation process by enabling auditors to send, track, and manage confirmations electronically as part of modern auditor software tools and audit workflows.

What sets AuditConfirm apart

AuditConfirm helps CPAs electronically send, track, and receive audit confirmations in minutes instead of weeks. Moreover, CPAs no longer have to rely on manual confirmation processes such as email, fax, or postal mail.

Key capabilities

Direct access to 44,000+ banks in 195 countries: AuditConfirm provides CPAs with direct access to 44,000 banks in 195 countries, including Bank of America, Citibank, Chase, Goldman Sachs, HSBC, Barclays, Deutsche Bank, UBS, and Royal Bank of Canada. This significantly reduces the gaps often experienced when performing audit confirmations.

Instant audit confirmations: With client permission, CPAs can now electronically receive audit confirmations in minutes rather than weeks.

Access to audit confirmation evidence: CPAs can also obtain bank balance confirmations, bank statements, and bank transaction data exports (CSV) that can be easily added to working papers.

New AI-powered audit capabilities: AuditConfirm is also introducing AI-powered audit analytics on bank transactions and an AI chat that provides CPAs with enhanced audit capabilities to identify anomalies and patterns in bank transactions.

Audit compliance and end-to-end security: AuditConfirm is designed to support audit procedures consistent with global audit standards, including PCAOB AS 2310, AU-C 505, and ISA 505. AuditConfirm is compliant with SOC 2 Type II, ISO 27001, GDPR, and CCPA, and provides tamper-resistant audit trails, giving CPAs a secure environment in which to perform audits and obtain bank confirmation evidence.

Pricing

AuditConfirm provides a gateway to entry-level usage, with 10 free audit confirmations to allow a CPA firm to try the tool before moving to wider usage. 

Best for

CPA firms that specialize in financial statement audits, audits that require bank confirmations, and global audits that require multiple financial institution confirmations. AuditConfirm is often used as part of a broader audit tool solution.

2. AuditBoard (now Optro)

AuditBoard (now Optro) is a leading audit and compliance management tool.

Key features

• Risk-based audit planning
• SOX compliance
• Control testing
• Issue tracking
• Real-time dashboards

AuditBoard provides a centralized platform for internal audit, risk management, and compliance teams.

Pricing

AuditBoard is a SaaS-based tool that is based on user numbers, the number of tools in use, and company size. Most implementations are annual-based. 

Best for

Internal audits, SOX compliance solutions, and large corporate environments. 

3. TeamMate+

TeamMate+, a tool from Wolters Kluwer, is a leading audit management system. It is widely used by internal audit teams in large enterprises and multinational organizations.

Key features

• Risk-based audit solutions
• Analytics
• Multi-location audits
• Custom audit solutions
• Interactive dashboards

With TeamMate+, audit managers can manage audits across multiple business units and locations. 

Pricing

Pricing is determined based on implementation and usage. 

Best for

Multinationals and large enterprises require a comprehensive audit solution and need to manage multiple business units and locations. 

4. Workiva

Workiva takes a broader approach by bringing financial reporting, audit documentation, and compliance management onto a single cloud-based platform.

Key features

• Connected financial reporting
• Real-time collaboration
• Integrated audit documentation
• ESG reporting
• Automated data linking

Workiva is particularly beneficial for companies that must manage multiple reporting systems simultaneously.

Pricing

Workiva follows a subscription-based pricing model. Pricing is affected by the number of users, data integration, and financial reporting.

Best for

Workiva is suitable for use by public companies, financial reporting teams, and integrated reporting systems.

5. Diligent One Platform

Diligent One brings together governance, risk management, and auditing into a single software platform to support enterprise-wide governance and board-level decision-making.

Key features

• AI-driven risk analysis
• Automated audit workflows
• Governance
• Board reporting
• Data analytics

Pricing

The pricing for this platform is enterprise-based, depending on the company’s size and the modules to be integrated.

Best for

The platform is suitable for use by large companies, governance and compliance teams, and board reporting systems.

6. CaseWare IDEA

CaseWare IDEA is an audit data analytics tool designed to work alongside engagement management platforms to help users analyze data.

Key Features

• Statistical sampling
• Fraud detection analysis
• Benford’s Law
• Database connectivity
• Custom scripting

Many CPA firms use it to analyze entire data populations instead of relying solely on statistical sampling.

Pricing

CaseWare IDEA follows a user-based pricing model, including optional maintenance.

Best for

The platform is suitable for data-intensive audits, fraud detection, and forensic accounting.

7. Inflo Audit Platform

Inflo is a new, innovative, and cloud-based auditing platform centered on data analytics and workflow automation.

Key features

• Full-population transaction testing
• Visual analytics
• Data analytics
• Workflow automation
• Transaction testing
• Automated audit workflow
• Accounting system integration
• Cloud collaboration

This platform is commonly used by firms that apply data-driven audit methodologies.

Pricing

Inflo is offered through a subscription model depending on firm size.

Best for

Small to mid-size CPA firms and data analytics-driven audits in cloud-based environments.

Comparison of the top audit software in 2026

Software	Primary Focus	Key Strength	Best Users
AuditConfirm	Audit confirmations	Global bank access and instant confirmations	CPA firms
AuditBoard	Internal audit	Compliance workflows	Enterprises
TeamMate+	Risk-based auditing	Enterprise audit management	Global companies
Workiva	Reporting and audit	Connected financial reporting	Public companies
Diligent One	Governance and risk	Integrated GRC platform	Large enterprises
CaseWare IDEA	Data analytics	Fraud detection analytics	Audit analytics teams
Inflo	Cloud auditing	Full-population testing	Modern CPA firms

Each of these audit software solutions is designed to address a particular aspect of the overall audit process. These solutions represent the current state of the audit technology marketplace.

Emerging trends in auditing software

There are various technology trends currently changing the face of auditing software in 2026:

AI-driven audit analytics: AI is increasingly used to analyze large datasets to identify anomalies and unusual transactions within organizations.

Continuous auditing: There is greater emphasis on real-time monitoring of financial data rather than waiting for periodic audits. New technologies offer tools for continuous monitoring.

Integrated compliance platforms: There is more integration of auditing with governance, risk management, and compliance.

Cloud collaboration: New auditor software is available in the cloud, enabling teams of auditors to collaborate remotely.

Confirmation automation: New technologies are modernizing confirmation processes that were traditionally manual and time-consuming.

How CPAs should evaluate auditing software

CPA firms must look at more than just how auditing software stacks up against its competitors in terms of its individual features and functionalities. There are key considerations to keep in mind when selecting the right auditing software for firms. These considerations include:

• Workflow: Is it aligned with how audit teams work?
• Data: Is it able to integrate with ERPs, accounting systems, and financial data?
• Analytics: Can it support full population testing and analytics?
• Regulations: Does the software support compliance with standards issued by bodies such as the PCAOB and AICPA?
• Scalability: Can it scale with future business needs?

The most successful firms build a technology stack that includes multiple auditing software solutions. They do not use only one solution.

Final thoughts

Auditing is entering a new technology-driven phase. It is no longer purely document-driven; it is increasingly data-driven. With this, there are many benefits to being efficient in auditing. 

One of the most important things to realize is that it is not necessarily about being efficient with analytical tools or even about displaying information in a useful way. Sometimes, it is about perfecting small yet important processes in auditing. One of these is the confirmation process. 

For many years, confirmation processes have hindered auditors’ efficiency. Tools like AuditConfirm are helping modernize this process. With instant confirmations and direct bank connectivity, it is now a key component of any auditor’s software. 

If you are a CPA firm looking to update your audit technology in 2026, this is a key component now considered standard.

FAQs

What is auditing software?

Auditing software is a software solution that helps CPAs with audit workflow management, data collection, and analysis. Modern auditing software is efficient and accurate, with automated documentation and in support of, e.g., PCAOB and AICPA standards.

What features should good auditing software have?

Leading auditing software solutions provide automation, data analysis, workpaper management, and cloud collaboration. Good auditing software solutions should also integrate with accounting software and enable auditors to analyze financial data efficiently.

What auditing software solutions are commonly used by CPA firms?

CPA firms commonly use multiple auditing software solutions to improve their audit workflow. Leading auditing software solutions used by CPA firms include AuditConfirm, AuditBoard (now Optro), TeamMate+, Workiva, and Inflo.

How does good auditing software improve audits?

Auditing software solutions improve audits by providing automation and full-population data testing. With good auditing software, a software auditor can easily identify discrepancies and improve audit documentation.

Do audit softwares integrate with other audit software solutions?

Yes. Modern audit softwares integrate with ERPs, accounting software, and other software to provide a software-auditor solution that integrates multiple auditing software solutions.

Auditing has experienced a major shift over the last ten years. The traditional audit approach relied heavily on sampling, documentation review, and manual testing procedures. Today, however, the auditing approach has evolved significantly. Auditing now often relies on analyzing the entire data set. It detects anomalies, uncovers potential risks, and provides deeper insights for clients.

This shift towards a more data-driven approach to auditing is made possible by audit data analytics.

For CPAs and audit professionals, understanding data analytics in audits is no longer optional. It is a necessity. Regulatory requirements suggest a stronger analytical approach. Clients demand more insights. The audit firms are looking for faster results.

This article will discuss the concept of audit data analytics, the tools used, the techniques involved, and the impact of auditing analytics on the current approach to auditing.

What is audit data analytics?

Audit data analytics is the use of tools and techniques to analyze an organization’s data during the audit process. In addition to using the conventional sampling approach, the auditors now often analyze the full data set. The data analyzed typically includes structured financial and operational data, and in some cases, unstructured data such as logs or documents.

The concept of audit data analytics is straightforward and powerful. It aims to improve audit quality, detect potential risks, and strengthen the overall assurance process.

In the current digital age, organizations have adopted various software to improve efficiency. This has led to the generation of large volumes of data. This is where the concept of data analytics in audit becomes crucial.

Auditors now often analyze the entire dataset. They identify unusual transactions. They identify fraud. They also review the financial statements with tools. The approach to data analysis for audits has become more efficient.

Auditors now need to move from the conventional approach of using a spreadsheet to using the tools of audit analytics.

Why audit data analytics is becoming essential

Several factors are accelerating the adoption of audit data analytics.

Increasing data volumes

Modern organizations rely on Enterprise Resource Planning (ERP) systems such as SAP, Oracle, and NetSuite. These systems produce millions of financial data points each year.

The traditional sampling approach cannot fully analyze such large data sets. Audit data analytics helps to analyze the entire data rather than relying on sampling.

Higher regulatory expectations

The U.S. regulatory environment, particularly oversight from the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC), requires stronger audit evidence and documentation.

Audit data analytics helps to create better audit procedures.

Growing fraud risks

The complexity of fraud schemes has grown significantly. Traditional approaches to auditing cannot identify the schemes’ subtle nature.

Audit data analytics helps to identify unusual data, such as:

• Duplicate payments
• Suspicious journal entries
• Unusual vendor activity
• Patterns of revenue manipulation

Pressure for efficiency

Audit firms face pressure to improve efficiency and lower costs. Audit data analytics helps to automate the process. The result is faster audits with better insights and higher-quality evidence.

Core components of an audit analytics database

A central component of many audit analytics environments is the audit analytics database. An audit analytics database collects, stores, and organizes large datasets for audits. It is well-structured and includes the following components:

Financial transactions

These include:

• General ledger transactions
• Accounts payable transactions
• Accounts receivable transactions
• Payroll transactions

Analyzing the above data helps to identify unusual data.

Master data

Master data contains critical information that is vital for any business, including:

• Vendor information
• Customer information
• Product information
• Employee information

Auditors can identify duplicate information, suspicious vendors, or suspicious relationships by reviewing this information.

System logs

System logs monitor activities within an accounting system. They contain information about:

• User activities
• Changes to financial information
• Reviewing these logs can also help an auditor identify suspicious changes in an accounting system.

Historical data

Having historical information enables an auditor to perform trend analysis on an organization’s finances. Changes in patterns can enable an auditor to identify areas that may require more attention.

Combining these data sources enables auditors to build an audit analytics database for comprehensive analysis.

Key techniques used in audit data analytics

Auditors use several analytical techniques when performing audit data analytics, including the following:

Data profiling

Data profiling is the analysis of the quality of the information in a dataset.

Auditors will examine:

• Missing information
• Duplicate information
• Inconsistency in information
• Data integrity

This analysis is critical in ensuring that the information provided is valid for analysis.

Trend analysis

Trend analysis examines information over time.

Auditors will examine unusual changes in:

• Revenue
• Expenses
• Inventory
• Cash flows

Unexpected changes can help an auditor identify areas that require further analysis.

Outlier detection

Outliers are transactions that have occurred but do not fit normal business patterns.

For example:

• Large payments
• Transactions occurring outside normal business hours
• Payments that have occurred just below approval limits
• Audit analytics tools can easily identify these outliers.

Benford’s law analysis

This technique analyzes the distribution of leading digits in numerical data to identify patterns that may indicate manipulation or fraud. This method is frequently applied in audit data analysis.

Journal entry testing

Journal entries are one of the biggest audit risks, as they are often subject to financial manipulation.

Auditors can utilize audit data analytics to identify:

• Entries that are made during late nights
• Entries that are adjusted manually
• Entries that unauthorized users make
• Entries that are of large round numbers

Such findings can improve fraud detection capabilities.

Network analysis

Network analysis involves examining relationships among entities.

For example:

Auditors can use audit data analytics to identify connections between employees and vendors, as well as suspicious payment relationships among related parties.

This method can frequently be applied in forensic audit data analysis.

Common audit analytics tools used by CPAs

Various software tools can support the analysis of audit data. Auditors can use these data analysis tools to process large volumes of data efficiently.

Data extraction tools

Before starting audit data analysis, auditors are required to extract data from various accounting systems. Some of the common tools that can be applied for data extraction are as follows:

• ERP data connectors and APIs
• SQL-based data extraction tools
• Automated data pipelines

Such tools can provide data to the audit analytics database.

Audit analytics software

Various audit software tools can support audit data analysis of financial data. Some of these tools are as follows:

• ACL Analytics (now part of Galvanize / HighBond)
• IDEA Data Analysis Software
• Power BI or Tableau for visualization
• Python or R for advanced analytics

Such tools can support advanced analysis of audit data.

Visualization platforms

Data visualization can play a crucial role in improving audit data analysis capabilities.

Auditors can use tools such as an audit dashboard and visual charts to identify trends, patterns, and anomalies in complex datasets.

Visualization can also improve communication with clients and stakeholders.

Machine learning platforms

Some audit firms are now starting to utilize machine learning platforms in audit data analysis.

Machine learning is beginning to support several advanced capabilities in auditing, including:

• Predicting audit risk areas
• Automatically identifying unusual patterns
• Learning from previous audit results

Machine learning can play an important role in the analysis of audit data.

How data analytics is transforming the audit process

Every step of the audit process is being revolutionized by the integration of data analytics in auditing.

Risk assessment

Traditionally, risk assessment relied heavily on management interviews and historical financial information. Today, auditors use entire data sets to pinpoint high-risk areas before the audit even begins. This is improving the audit planning process.

Audit testing

Traditionally, auditors have only used a sample of the data to perform the audit test. Today, auditors can use the entire data set to perform the audit tests.

This improves the audit test by considering the entire data set, thereby reducing the risk of missing something important.

Continuous monitoring

Many firms are now using data analytics in audits for continuous monitoring.

Traditionally, firms have used data analytics only for audit purposes; today, some organizations use continuous monitoring systems that analyze transactions throughout the year.

Fraud detection

Advanced audit analytics tools are highly effective at identifying fraud indicators.

Automated anomaly-detection systems highlight suspicious activity that manual review might miss.

Improved documentation

Automated analytical workflows are improving the audit documentation.

Benefits of audit data analytics for CPA firms

CPA firms are benefiting from the use of audit data analytics in the following ways:

Higher audit quality: CPA firms are improving audit quality by using audit data analytics. CPA firms can now perform the audit test on the entire data set, thereby improving the quality of the audit.

Greater efficiency: CPA firms are improving the efficiency of audit services through the use of audit data analytics. CPA firms can test entire datasets instead of small samples, significantly improving audit coverage and assurance.

Better client insights: CPA firms are improving client insight through the use of audit data analytics. CPA firms can now perform the audit test on the entire data set, thereby improving client insight.

Stronger fraud detection: CPA firms are improving their ability to perform audit tests on the entire data set, thereby enhancing fraud detection. Firms that use audit analytics tools are viewed as progressive and forward-thinking.

Challenges of implementing audit data analytics

Although auditing analytics is beneficial, its implementation is challenging.

Data accessibility: Extracting data from complex ERP systems can be challenging. Many companies use different data systems.

Skill gaps: There is a need to acquire new skills in data analytics, statistics, and visualization. Training is important.

Data quality issues: Inconsistent data quality may also be a problem. Auditors must also verify the quality of the data before carrying out data analysis.

Technology investment: There is a need to invest in software and infrastructure to enable the use of advanced data analytics tools. However, the benefits often outweigh the cost.

The future of data analytics in auditing

The use of data analytics in auditing will continue to grow.

Many trends are shaping the future of auditing.

Artificial intelligence in auditing: Artificial intelligence and advanced analytics are expected to play a growing role in risk identification, anomaly detection, and predictive audit procedures. These tools will be able to carry out complex auditing tasks.

Real-time auditing: Continuous auditing may be the future. Financial activities may be monitored in real time.

Integrated audit platforms: In the future, the auditing environment may be fully integrated. There may be a single tool used in the entire auditing environment.

Deeper collaboration between IT and audit teams: As data analytics in auditing becomes more complex, the two teams may be expected to collaborate. There may be a new form of interdisciplinary teams.

How confirmation data fits into audit analytics

External confirmations are one of the most reliable forms of audit evidence. Bank confirmations, accounts receivable confirmations, and other third-party verifications are independent confirmations of financial records.

Once it is incorporated into audit data analytics, the power of confirmation data can be multiplied many times over. For example, it may be compared with internal transactions recorded within the audit analytics database. This enables faster and more efficient reconciliation and the identification of discrepancies. Digital confirmation platforms can streamline the audit confirmation process and reduce the manual effort required. 

Conclusion

The auditing profession is undergoing a monumental revolution. The sheer volume of financial data, combined with increasing regulatory expectations and fraud risks, is pushing audit firms to adopt more sophisticated analytical techniques.

Audit data analytics enables CPAs and other auditors to transcend traditional audit sampling techniques and analyze entire datasets using audit analytics tools. It enables CPAs and audit teams to provide stronger audit assurance to clients and stakeholders. Trend analysis, anomaly analysis, and journal entry analysis are now an integral part of modern audit data analysis techniques. 

An efficient, well-structured audit analytics database enables CPAs and audit teams to organize and analyze large volumes of financial data effectively. Nevertheless, the success of data analytics for audits depends not only on technology but also on data availability and the verification process. At this point, modern digital confirmation platforms are helpful tools.

Platforms like AuditConfirm help CPAs and other auditors verify third-party confirmations more quickly and efficiently. As the auditing profession continues to evolve, organizations that use data analytics for audits and digital confirmation platforms will be able to deliver higher-quality audits in an evolving, complex financial environment.

FAQs

What is audit data analytics in auditing?

Audit data analytics is the practice of using analytical tools to examine large volumes of financial and operational data during the auditing process. Instead of relying on sampling data, the auditor uses audit data analytics to analyze large datasets, which helps detect potential risks and irregularities in the business.

What is audit data analytics in auditing?

Audit data analytics is the practice of using analytical tools to examine large volumes of financial and operational data during the auditing process. Instead of relying on sampling data, the auditor uses audit data analytics to analyze large datasets, which helps detect potential risks and irregularities in the business.

What are the most commonly used audit analytics tools?

Several audit analytics tools are available to the auditor for data analytics. Some of the most commonly used tools for data analytics include ACL Analytics, IDEA Data Analysis Software, and data visualization tools such as Power BI. These tools help the auditor analyze large datasets and perform data analytics.

How does data analytics improve the audit process?

Data analytics improves the audit process by enabling auditors to analyze entire datasets, identify anomalies, automate testing procedures, and strengthen risk assessment. This leads to more accurate, efficient, and insightful audits.

What is an audit analytics database?

An audit analytics database is a data repository that holds all financial transactions, master data, and system log data for the auditor to perform data analytics during the audit.

Why is audit data analysis important for CPAs?

Audit data analysis is important for CPAs, as it helps them perform audits more accurately and efficiently. In today’s environment, the amount of data generated by the client is often enormous, and using auditing analytics and audit analytics tools helps the CPA perform the audit with greater accuracy and quality. 

Audit evidence must be reliable, relevant, and sufficient. In financial statement audits, external confirmations remain among the most persuasive audit evidence techniques.

For CPAs, understanding the differences between positive vs. negative vs. blank confirmations is essential. Each method carries different levels of assurance, risk, and operational complexity. Each fits different audit circumstances.

This guide explains the mechanics, advantages, limitations, and appropriate use cases of each confirmation type. It also outlines how technology is reshaping confirmation practices across the United States and globally.

Why are confirmations important?

Confirmations of external information are considered reliable audit evidence because they are based on third-party information. The United States has specific guidelines for confirmations, as outlined by the Public Company Accounting Oversight Board (PCAOB) and the American Institute of Certified Public Accountants (AICPA). Under PCAOB standards and AU-C 505, External Confirmations, confirmations are commonly used for significant accounts such as: 

• Accounts receivable
• Cash
• Debt
• Investments
• Legal contingencies

Confirmations can help mitigate detection risk by verifying existence, rights, and obligations, and by preventing fraud. However, the effectiveness of a confirmation will depend on the method used.

What are positive, negative, and blank confirmations

Before examining each of the confirmation methods in detail, the following definitions apply:

• Positive Confirmation: The recipient of the confirmation will respond by indicating whether they agree or disagree.
• Negative Confirmation: The recipient will respond only if they disagree.
• Blank Confirmation: The respondent will fill in the balance or information without being provided with the amount.

Each of these has different response expectations and evidential strengths.

Positive confirmations

Positive confirmations require a response. The auditor asks another party to confirm information, e.g., the accounts receivable balance, and that party needs to respond.

How it works

• The auditor sends a confirmation request to a third party.
• The confirmation request indicates a specific balance.
• The third party confirms or indicates any discrepancies.
• The response must be made.

Strength of evidence

Positive confirmations generally provide more persuasive audit evidence than negative confirmations, particularly when responses are received directly from independent third parties. The requirement to respond eliminates ambiguity and ensures the third party is involved.

When to use positive confirmations

Positive confirmations are used when:

• Balances are significant
• The risk of material misstatement by management is high
• Internal controls are weak
• There is a fraud risk
• Balances are large

Under PCAOB standards, auditors are generally required to confirm accounts receivable unless they can justify that confirmations are unnecessary. In most higher-risk situations, this results in the use of positive confirmations.

Advantages

• High reliability
• Strong fraud deterrence
• Audit trail
• Direct verification by the third party

Limitations

• Lower response rates
• More time-consuming
• Potential delay
• Cost factors

Despite these disadvantages, positive confirmations are considered the gold standard, especially when the risks are high.

Negative confirmations

Negative confirmations require that the recipient respond only if they have reason to disagree.

How it works

• The auditor sends a message asking for a balance.
• A reply is issued if the balance was incorrect.
• A lack of reply amounts to implicit consent.

Strength of evidence

Evidence from negative confirmations is weaker than that from positive confirmations. Lack of reply does not necessarily mean consent, as the recipient may simply not reply. This method provides less persuasive audit evidence and is subject to significant limitations.

When negative confirmations are acceptable

In the U.S., negative confirmations are acceptable when:

• The risk of material misstatement in the financial statements is low.
• Internal controls are effective.
• The population to be confirmed contains many small balances.
• There are no reasons to suspect non-response.

They are usually used in large consumer receivables portfolios.

Advantages

• They are less expensive.
• They involve less work.
• They are efficient.
• They are effective in low-risk audits.
• They are effective in large populations.

Disadvantages

• They are less reliable.
• There is a high non-response bias.
• They are not effective in detecting fraud.
• They are under significant regulatory pressure during high-risk audits.

CPAs must be able to justify their choice of negative confirmations.

Blank confirmations

Blank confirmations are a form of positive confirmations. Here, a blank space for a balance is sent to the third party for completion.

How it works

• The auditor asks for a balance in a message.
• The recipient of the message enters the balance from their records.
• The reply is compared to the recorded balance.

Strength of evidence

Blank confirmations can provide more persuasive evidence than standard positive confirmations because the respondent must independently supply the information, reducing the risk of confirmation bias.

When to use blank confirmations

Blank confirmations are used when:

• There are increased fraud risks.
• Management override of controls.
• Balances are large.
• More assurance is required.

Blank confirmations are usually employed in bank confirmations and debt verifications.

Advantages

• More reliable.
• Confirmation bias is reduced.
• Better fraud detection.
• Independent balance generation.

Disadvantages

• Response rate decreases.
• Increased respondent burden.
• Increased time required.
• Administrative complexities.

Blank confirmations are more time-consuming, but offer increased assurance.

Comparing positive vs. negative vs. blank confirmations

Criteria	Positive	Negative	Blank
Response Required	Yes	Only if disagreement	Yes
Evidence Strength	High	Low to Moderate	Very High
Fraud Detection	Strong	Limited	Stronger
Suitable Risk Level	Moderate to High	Low	High
Response Rate	Moderate	Low	Lower
Cost	Moderate	Low	Higher

The choice depends on risk assessment, materiality, internal controls, and engagement objectives.

Risk assessment drives selection

CPAs must correlate the type of confirmations to be used with the audit risk. In high-risk audits, negative confirmations are rarely effective, as positive or blank confirmations are more suitable. For low-risk audits involving a high volume of receivables, negative confirmations are more effective.

Regulatory expectations in the United States

The PCAOB focuses on the auditors’ control of confirmations. The auditor must maintain control over:

• Selection of items
• Preparation
• Sending
• Receipt
• Evaluation

Management must not control the confirmation process. Electronic confirmations are acceptable if the integrity and authenticity of the process are ensured. Non-compliance with the confirmation process results in inspection and enforcement.

Common challenges in confirmation processes

Confirmation processes are not without challenges despite the existence of strict audit standards. The challenges are as follows:

• Low response rates
• Risk of fraud if the intercepted confirmations are not handled properly
• Delays in the process due to the involvement of humans
• Inefficiency in the process when paper is used
• Verification of the authenticity of the respondents
• Challenges associated with international confirmations due to differences in jurisdictions
• The involvement of technology in the process is a welcome change.
  

The rise of digital confirmations

Digital confirmation processes have come to the rescue of the audit process by addressing the challenges associated with the traditional process. Digital confirmation processes are more efficient and secure than traditional paper-based methods, directly addressing many long-standing confirmation challenges. This is especially important in the U.S. audit process because CPAs are often inspected, and findings are often associated with the confirmation process.

Fraud considerations

Confirmation processes are increasingly targeted by fraud schemes, particularly where auditor control over the process is weak. The various ways in which the process is being manipulated are as follows:

• The use of fake emails
• Changing the addresses
• The involvement of the management
• The use of spoofed emails

Blank confirmations are more secure than positive confirmations. Auditors need to verify the respondents’ identity and authenticity. The risk of fraud is especially associated with revenue recognition audits. Accounts receivable confirmations are among the major audit procedures used to detect fraud.

International considerations

Although the standards in the U.S. are high, global audit practices are also guided by the International Auditing and Assurance Standards Board (IAASB). In international confirmations, there is a potential for:

• Language barriers
• Data privacy regulations
• Banking secrecy regulations
• Time zone challenges

Technology is helping CPAs to conduct international confirmations efficiently. CPAs need to ensure the integrity of international confirmations.

Best practices for CPAs

To ensure that confirmation procedures are effective, CPAs need to:

• Conduct a thorough risk assessment
• Select the type of confirmation based on the level of risk
• Maintain auditor control
• Use blank confirmations in cases of high fraud risk
• Document their rationale
• Follow up on non-responses
• Use alternative procedures
• Use electronic systems

It is important to understand that the quality of confirmations is directly related to audit quality.

Documentation expectations

It is important to understand that audit documentation is expected to include:

• Risk assessment
• Selection of confirmation type
• Population details
• Control over sending and receipt of confirmations
• Follow-up procedures
• Evaluation of exceptions
• Alternative procedures

It is important to understand that audit regulators expect audit documentation to be complete, transparent, and adequate. Lack of audit documentation will undermine good audit work.

The future of confirmation procedures

It is important to understand that the audit environment is changing, with regulators becoming more aggressive, fraud schemes becoming more sophisticated, and clients becoming global. CPAs need to ensure that audit stakeholders demand greater transparency, while technology will play a significant role in changing audit confirmations in the near future. 

Technology will improve response rates, while artificial intelligence will assist in anomaly identification. However, CPAs need to understand that professional judgment is still required in audit confirmations, while knowledge of Positive, Negative, and Blank Confirmations remains fundamental.

Conclusion: strengthening confirmations with AuditConfirm

Among all types of audit evidence, external confirmations remain among the most persuasive. The choice of positive, negative, or blank confirmations influences reliability, efficiency, and regulatory compliance. Positive confirmations offer high reliability, negative confirmations offer efficiency in low-risk situations, and blank confirmations offer improved fraud resistance and independence. 

The choice of confirmation method requires professional judgment, and execution requires control. Modern audits require efficient, secure, and compliant confirmation processes, and AuditConfirm plays a critical role in this. Given these regulatory and operational challenges, many firms are turning to secure electronic confirmation platforms.

AuditConfirm provides a digital confirmation solution specifically designed for CPAs and audit firms. The solution enhances control, reduces fraud risk, increases response rates, centralizes documentation, and helps ensure compliance with U.S. and global standards. 

For CPAs committed to audit quality, the use of secure electronic confirmations is no longer a nice-to-have, but a must-have. Indeed, in a time of heightened scrutiny and elevated risk of fraud, the effectiveness of confirmation procedures can be the measure of audit success. The confirmation method used and the security of the confirmation process are critical to the strength of the audit evidence.

FAQs

What are positive vs. negative vs. blank confirmations in auditing?

Positive confirmations require a reply in all cases; negative confirmations require a reply only if the information is incorrect; and blank confirmations require the respondent to provide the balance independently. The three methods differ mainly in assurance level and response expectations.

Which type of confirmation provides the strongest audit evidence?

Blank confirmations generally provide the strongest evidence, followed by positive confirmations. Negative confirmations provide the least assurance, as a lack of response may not indicate agreement.

When should CPAs use negative confirmations instead of positive confirmations?

CPAs may use negative confirmations when the risk of material misstatement is low, internal controls are strong, and there are many small balances. They are not appropriate for high-risk engagements.

Are blank confirmations required for accounts receivable audits in the U.S.?

They are not specifically required, but auditors often prefer positive or blank confirmations when risk is higher. Blank confirmations are especially useful when fraud risk or management override concerns exist.

Why is choosing between positive vs. negative vs. blank confirmations important?

The selection affects audit reliability, regulatory compliance, and fraud detection. Using the wrong confirmation type can weaken audit evidence and lead to inspection findings.