Key Takeaways

  • External confirmations provide more reliable evidence than client-generated information because the source is independent (ISA 500.A31). Bank confirmations are close to universal because they cover existence, completeness, and rights from a single source.
  • The assertion drives the procedure. A confirmation testing existence asks the bank to confirm a specific balance. A confirmation testing completeness asks the bank to list all accounts, loans, and guarantees. These are different requests.
  • Blank confirmations (where the confirming party fills in the figure) are stronger evidence than positive confirmations with pre-populated balances, but have lower response rates. Use them when fraud risk is elevated.
  • The revised ISA (UK) 505 (effective December 2024) bans negative confirmations entirely and requires auditors to consider whether exceptions indicate fraud. The international ISA 505 has not yet changed, but the direction of travel is clear.
  • Every exception must be investigated (ISA 505.14). Not sampled. Not filtered by materiality first. A €2K timing difference and a €340K cut-off error both require investigation.

The bank confirmation comes back with a balance that doesn't match the client's records. The difference is €340K. The client's finance team says it's a timing difference. You have four days until the file review. Most teams accept the explanation and move on. The ones who don't are the ones who find the unrecorded loan, the undisclosed guarantee, or the cash sweep arrangement that changes the going concern assessment.

External confirmations under ISA 505 are audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper or electronic form, and they provide evidence that is more reliable than client-generated information because the source is independent of the entity being audited (ISA 500.A31).

When to use external confirmations and when not to

ISA 505 does not require you to use confirmations on every engagement. The decision sits within your overall response to assessed risks under ISA 330. External confirmations are one of several procedures available. But for certain assertions, they are the strongest evidence you can get.

Bank confirmations are close to universal in practice. ISA 505.A1 identifies bank balances, accounts receivable balances, terms of agreements, and property title deeds as common confirmation targets. For bank balances specifically, a confirmation provides direct evidence of existence, completeness (when the request covers all accounts), and rights and obligations. No other single procedure covers all four of those assertions from a single independent source.

Receivables confirmations are common but not always the best approach. If your client has a high volume of small balances with short payment cycles, the debtor may have already paid by the time the confirmation arrives. In that case, subsequent receipts testing under ISA 330 may provide better evidence with less effort. Confirmations work best for large individual balances, long-outstanding items, related party receivables, and balances where you have specific fraud risk indicators.

Legal confirmations (sometimes called lawyer's letters) provide evidence of litigation and claims. ISA 501.9 requires you to design procedures to identify litigation, and a confirmation to the entity's external legal counsel is the standard method. But the response you get depends entirely on how you phrase the request. A vague request produces a vague response. A confirmation that lists specific cases and asks the lawyer to confirm or deny each one produces usable evidence.

Don't confirm for the sake of confirming

If a receivable balance can be verified more efficiently through subsequent cash receipts, use that. ISA 505 exists for situations where third-party evidence is the most appropriate response to a specific assessed risk. The assertion drives the procedure, not the other way round.

Designing the confirmation request

ISA 505.7 requires you to determine three things before sending a confirmation: what information to confirm or request, which confirming party to select, and how to design the request itself.

The information must link directly to the assertion you're testing. If you're testing existence of a bank balance, the confirmation asks the bank to confirm the balance at the reporting date. If you're testing completeness, you need the bank to disclose all accounts held, not just the ones the client has listed. These are different requests and they produce different evidence. A confirmation that asks the bank to confirm the balance on account number 12345 tests existence. A confirmation that asks the bank to list all accounts, loans, guarantees, and security held in the entity's name tests completeness. Most bank confirmation templates (including the standard European banking templates) cover both, but you need to verify that the template you're using actually requests the information that addresses your assessed risk.

The confirming party must be knowledgeable about the information being confirmed. For bank confirmations, this is straightforward. For receivables, it's less obvious. Confirming with a junior clerk at the debtor's office produces weaker evidence than confirming with the debtor's credit controller or finance manager. ISA 505.A2 flags this: the reliability of the response depends on the competence and independence of the confirming party.

The request itself must be clear enough that the confirming party can respond without ambiguity. Positive confirmations ask the confirming party to respond in all cases, either agreeing with the information provided or stating what their own records show. Blank (or "zero balance") confirmations ask the confirming party to fill in the information rather than confirming a pre-populated figure. Blank confirmations are stronger evidence because the confirming party cannot simply agree with whatever number you've put in front of them, but they also have lower response rates because they require more effort.

The four types of confirmation and what each proves

Positive confirmations ask the recipient to respond regardless of whether they agree or disagree. You send the balance; they confirm it or state their own figure. This is the workhorse of confirmation procedures and the only type that provides affirmative evidence.

Blank confirmations omit the balance and ask the confirming party to fill in their own records. Stronger evidence of accuracy because the response is generated independently, but lower response rates. Use these when fraud risk is elevated or when you have reason to doubt the accuracy of the client's records.

Negative confirmations ask the recipient to respond only if they disagree. No response is treated as implicit agreement. This is the weakest form of confirmation evidence. The FRC's revised ISA (UK) 505 (effective for audits of periods commencing on or after 15 December 2024) now bans negative confirmations entirely in UK audits. The international standard still permits them under limited conditions (ISA 505.15), but the direction of travel is clear. If you're working under international ISAs, consider whether your reliance on negative confirmations would survive a quality review.

Conditions for negative confirmations (ISA 505.15)

The conditions are narrow: low assessed risk of material misstatement, a large number of small balances, no reason to believe the recipient will disregard the request, and a low expected exception rate. In practice, most engagements that meet all four conditions don't need confirmations at all.

Electronic confirmations through digital platforms are increasingly common. The revised ISA (UK) 505 explicitly addresses these: for a response to qualify as an external confirmation, the auditor must have accessed the third-party information directly, not through the client (ISA (UK) 505.A12). If the client logs into their bank portal and shows you a screen, that's client-generated evidence, not a confirmation. If you log into a secure confirmation platform that connects directly to the bank's systems, that is a confirmation. The distinction matters.

Digital platforms like Confirmation.com and CaseWare ConfirmConnect have changed the mechanics of the process. Response rates are higher, turnaround times are shorter, and the platforms handle authentication and encryption. But the underlying ISA 505 requirements haven't changed. You still need to control the process, verify the identity of the confirming party, and evaluate the response. A digitally received confirmation that the auditor cannot trace to a verified sender is no more reliable than a paper letter with an illegible signature. ISA (UK) 505.A12 lists specific reliability indicators for electronic confirmations: validation of the confirming party, encryption, electronic digital signatures, and website authenticity checks. If your platform doesn't provide these, your confirmation procedure has a gap.

Management refuses to let you send it

ISA 505.8 requires the auditor to perform alternative procedures if management refuses to allow you to send a confirmation request. But it also requires you to evaluate the reasonableness of that refusal first.

Start by asking why. Legitimate reasons exist. A client in active litigation may not want you confirming a disputed receivable because the confirmation itself could be used as evidence of the claimed amount. A client in sensitive commercial negotiations may not want a counterparty to know their auditor is independently verifying the relationship. These are real situations.

Illegitimate reasons are also common. A client who says "we've never done confirmations" or "the bank takes too long" or "our customers will be annoyed" is not providing a reason that overrides your professional obligation under ISA 505.8. The standard is explicit: if the refusal is unreasonable, the auditor treats it as a limitation on the scope of the audit.

ISA 505.9 goes further. If management's refusal prevents you from obtaining sufficient appropriate audit evidence through alternative procedures, this affects your opinion under ISA 705. A scope limitation caused by management's refusal to permit a confirmation can lead to a qualified opinion or a disclaimer, depending on how material and pervasive the affected balance is.

Document the refusal

Document the refusal, the reason given, your evaluation of the reasonableness of that reason, and the alternative procedures you performed (or the impact on your opinion if alternatives were insufficient). This documentation protects you. An inspector who sees a confirmation gap without this trail will treat it as an audit deficiency, not a client problem.

Handling non-responses and exceptions

A non-response is not evidence. ISA 505.12 requires you to perform alternative audit procedures when you don't receive a response to a positive confirmation. The most common alternatives are testing subsequent receipts for receivables, reviewing supporting documentation (invoices, shipping records, contracts), and inspecting bank statements obtained directly from the bank.

The key word is "directly." If you're performing alternative procedures on bank balances because the bank didn't respond to the confirmation, and you're testing bank statements that the client printed, you've replaced third-party evidence with client-generated evidence. Obtain the bank statements yourself. Download them from the bank portal with your own credentials, or request them through a direct channel. The reliability of the alternative procedure must be comparable to what the confirmation would have provided.

An exception is a response that disagrees with the client's records. ISA 505.14 requires you to investigate every exception. Not sample them. Not assess materiality before investigating. Every one.

Some exceptions are harmless. A receivable confirmation that shows a €2K difference because the debtor paid on 30 December and the client recorded the receipt on 2 January is a timing difference. Document it, check that the cash arrived, move on. An exception where the debtor says they don't recognise the balance at all, or where the bank reports an account the client didn't disclose, is a different situation entirely. The former may indicate a fictitious receivable. The latter may indicate an undisclosed bank account, loan, or guarantee. Both require investigation that goes beyond the confirmation procedure itself.

Consider fraud

The revised ISA (UK) 505 adds a requirement that didn't exist before: auditors must now consider whether exceptions are indicative of fraud or of a deficiency in internal control. This was prompted by FRC enforcement findings where auditors investigated exceptions as data reconciliation problems without considering whether the pattern suggested something more serious. The international ISA 505 doesn't include this explicit requirement, but ISA 240 (fraud) applies in every jurisdiction. If your exceptions form a pattern (multiple debtors reporting lower balances, banks reporting undisclosed facilities), your professional obligation to consider fraud risk is triggered whether or not your national standard spells it out.

Worked example: Van der Berg Holding N.V.

Van der Berg Holding N.V. is a Dutch investment holding company (€92M total assets, fiscal year ending 31 December 2025) with four bank relationships, €14.2M in trade receivables across 86 debtors, and ongoing litigation with a former joint venture partner. You've assessed a significant risk of material misstatement on completeness of bank disclosures (the entity had an undisclosed credit facility two years ago) and a normal risk on receivables existence.

1. Design the bank confirmation

You send positive confirmations to all four banks using the standard Dutch banking confirmation template (the NVB model letter). The request covers all accounts, loans, credit facilities, guarantees, and security interests in Van der Berg's name. You address it to the bank's audit confirmation department and send it directly from your firm, not through the client.

Documentation note

File a copy of each confirmation letter sent, the date sent, the bank contact details, and the method of transmission (email to the bank's designated confirmation address). Cross-reference to the risk assessment working paper where the completeness risk on bank disclosures was documented. File reference: WP [ISA 505 — Bank Confirmations Sent].

2. Design the receivables confirmation

Of the 86 debtors, you select 12 for positive confirmation: the five largest balances (covering €8.1M of the €14.2M total), four balances outstanding more than 90 days, and the balance with Van der Berg's former joint venture partner (a related party under IAS 24). For the remaining 74 debtors, you plan subsequent receipts testing under ISA 330.

You use blank confirmations (no balance pre-populated) for the related party balance and the four overdue items. You use positive confirmations with the balance stated for the five largest balances.

Documentation note

Document the selection rationale linking each selected debtor to the assessed risk. For the blank confirmations, state that the elevated fraud risk on the related party balance and the collectability risk on overdue items justify the stronger evidence form. File reference: WP [ISA 505 — Receivables Confirmation Selection].

3. Evaluate the responses

Responses received: all four banks respond. Ten of twelve debtor confirmations return. The related party debtor does not respond. One of the largest debtors reports a balance €340K lower than Van der Berg's records.

Bank responses: three banks match the client's disclosures. The fourth bank reports a €2.5M revolving credit facility that is not recorded in Van der Berg's financial statements. This is a material finding. The facility was drawn to zero at year-end but the commitment exists.

Documentation note

Prepare an exception schedule documenting the unrecorded credit facility. Discuss with management. If the facility requires disclosure under IAS 7 or IFRS 7, determine the impact on the financial statements. Escalate to the engagement partner. File reference: WP [ISA 505 — Bank Confirmation Exception — Unrecorded Facility].

Debtor exception (€340K): investigation reveals the debtor issued a credit note on 28 December for damaged goods. Van der Berg processed the credit note on 4 January. This is a cut-off error, not a timing difference. The receivable is overstated by €340K at year-end. Document the misstatement on the summary of audit differences.

Documentation note

Cross-reference to the ISA 520 analytical review of trade receivables for further analysis. File reference: WP [ISA 505 — Receivables Exception — Cut-off Error].

Related party non-response: you perform alternative procedures. You inspect the underlying contract, verify the invoiced amounts against the joint venture agreement, and test subsequent cash receipts through March 2026. The balance is confirmed through alternative evidence.

Documentation note

Document the non-response, the alternative procedures performed, and your conclusion that sufficient appropriate evidence was obtained. File reference: WP [ISA 505 — Non-Response — Alternative Procedures].

Practical checklist

  1. At planning, identify which balances require confirmation based on your risk assessment under ISA 330, not based on what was confirmed last year. The assessed risk drives the procedure.
  2. For bank confirmations, use the standard banking template for your jurisdiction (NVB in the Netherlands, BBA in the UK) and verify it requests all accounts, loans, guarantees, and security interests, not just the accounts the client has disclosed.
  3. Send every confirmation directly from your firm. Never route confirmations through the client. If you use a digital confirmation platform, verify that you (not the client) have direct access to the third-party data.
  4. For receivables, use blank confirmations when fraud risk is elevated or when you are testing a related party balance. Use positive confirmations for large balances at normal risk.
  5. Follow up on every non-response within two weeks. Send a second request before switching to alternative procedures.
  6. Investigate every exception without first filtering by materiality. A €2K timing difference requires investigation just as a €340K cut-off error does. The investigation effort differs, but the obligation doesn't.

Common mistakes

  • Sending the same receivables confirmation selection as the prior year without updating it for the current year's risk assessment. The FRC's 2022–23 inspection cycle found that some auditors did not tailor confirmation selections to current-year risks, particularly where new significant customers had been onboarded.
  • Accepting a client explanation for a bank confirmation exception (such as a timing difference on a facility draw) without obtaining independent corroborating evidence. The facility reported by the bank that does not appear in the client's records is the finding. The explanation must be proved, not accepted.
  • Relying on negative confirmations for receivables testing when ISA 505.15's conditions are not met. Even before the UK ban, the conditions for negative confirmations were rarely satisfied on non-Big 4 engagements where debtor populations are concentrated and individual balances are large relative to materiality.

Frequently asked questions

When should auditors use external confirmations?

ISA 505 does not require confirmations on every engagement. The decision sits within your overall response to assessed risks under ISA 330. Bank confirmations are close to universal in practice because they provide direct evidence of existence, completeness, and rights and obligations from a single independent source. Receivables confirmations work best for large individual balances, long-outstanding items, related party receivables, and balances with specific fraud risk indicators.

What is the difference between positive and negative confirmations?

Positive confirmations ask the recipient to respond regardless of whether they agree or disagree, providing affirmative evidence. Negative confirmations ask the recipient to respond only if they disagree, treating no response as implicit agreement. Negative confirmations are the weakest form of confirmation evidence. The FRC's revised ISA (UK) 505 now bans negative confirmations entirely in UK audits. The international standard still permits them under limited conditions (ISA 505.15).

What should the auditor do when management refuses to allow a confirmation?

ISA 505.8 requires the auditor to evaluate the reasonableness of the refusal. Legitimate reasons exist, such as active litigation or sensitive negotiations. If the refusal is unreasonable, the auditor treats it as a limitation on the scope of the audit. ISA 505.9 states that if the refusal prevents obtaining sufficient appropriate evidence through alternative procedures, this affects the opinion under ISA 705, potentially leading to a qualified opinion or disclaimer.

How should auditors handle confirmation exceptions?

ISA 505.14 requires investigation of every exception, not just material ones. Some exceptions are harmless timing differences that can be documented quickly. Others, such as a debtor not recognising a balance or a bank reporting an undisclosed account, may indicate fictitious receivables or undisclosed facilities and require investigation beyond the confirmation procedure itself. The revised ISA (UK) 505 adds a requirement to consider whether exceptions are indicative of fraud.

Are electronic confirmations acceptable under ISA 505?

Yes, but with conditions. For a digital response to qualify as an external confirmation, the auditor must have accessed the third-party information directly, not through the client. If the client logs into their bank portal and shows you a screen, that is client-generated evidence, not a confirmation. The revised ISA (UK) 505 lists specific reliability indicators: validation of the confirming party, encryption, electronic digital signatures, and website authenticity checks.

Further reading and source references

  • IAASB Handbook 2024: the authoritative source for the complete ISA 505 text, including all application material.
  • ISA 500, Audit Evidence: the hierarchy of audit evidence reliability that underpins confirmation procedures.
  • ISA 330, The Auditor's Responses to Assessed Risks: confirmations as part of the overall response to assessed risks.
  • ISA 501, Audit Evidence — Specific Considerations for Selected Items: includes requirements for legal confirmations and litigation evidence.
  • ISA (UK) 505 (Revised December 2024): the UK revision that bans negative confirmations and adds digital confirmation requirements.
  • ISA 240, The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements: the fraud risk considerations triggered by confirmation exceptions.