Key Takeaways

  • ISA 505 governs the auditor's use of external confirmation procedures — obtaining a direct written response from a third party to the auditor. This is one of the most reliable forms of audit evidence because it comes from an independent external source.
  • The standard covers confirmations for many items: bank balances, receivables, payables, loans, investments held by custodians, property held by third parties, terms of agreements, and transactions with third parties.
  • There are two types: positive confirmations (the respondent is asked to reply in all cases — either agreeing or providing different information) and negative confirmations (the respondent replies only if they disagree). Positive confirmations provide substantially more persuasive evidence.
  • The auditor must maintain control over the confirmation process — selecting what to confirm, designing the request, sending it directly to the confirming party, and receiving responses directly. The entity must not intercept or alter the process.
  • For non-responses to positive confirmations, the auditor must perform alternative audit procedures. Non-responses do not provide evidence — they leave a gap that must be filled.
  • Exceptions (differences between the confirmation response and the entity's records) must be investigated — they may indicate misstatements, timing differences, or potential fraud.
  • If management refuses to allow the auditor to send confirmations, the auditor must evaluate the reasonableness of the refusal, perform alternative procedures, and consider the implications for the risk assessment and audit opinion.

What is ISA 505?

ISA 505, titled "External Confirmations," provides the framework for one of the auditor's most powerful tools: going directly to an independent third party and asking them to verify information. While the entity's own records are inherently less reliable (the entity controls them), external confirmations bypass that risk by obtaining evidence from someone outside the entity's control.

The standard does not mandate the use of confirmations in all circumstances — that decision is driven by ISA 315 (risk assessment) and ISA 330 (response to assessed risks). But when the auditor determines that confirmations are an appropriate response to assessed risks, ISA 505 governs how the process must be conducted to produce reliable evidence.

Types of External Confirmations

Positive confirmations

A positive confirmation request asks the confirming party to respond directly to the auditor in all cases — whether they agree with the information provided, disagree, or need to provide different information.

Two variants exist:

| Type | How It Works | Pros | Cons |
|---|---|---|---|
| Standard positive | States the amount and asks the respondent to confirm or provide different information | Higher response rates than blank confirmations; straightforward for respondents | Respondent may simply agree without checking — particularly for small amounts |
| Blank (open) positive | Does not state the amount — asks the respondent to fill in the balance or provide information | More reliable — the respondent must independently determine the information | Lower response rates; more effort for respondents; may be unsuitable for complex items |

Negative confirmations

A negative confirmation request asks the confirming party to respond only if they disagree with the stated information. If they agree (or simply do not respond), no reply is expected.

ISA 505.15 permits negative confirmations as the sole substantive procedure only when all of the following conditions are met:

  • The assessed risk of material misstatement is low.
  • The auditor has not identified factors that suggest respondents are unlikely to respond to negative requests (e.g., respondents may ignore them).
  • A large number of small, homogeneous account balances or transactions are involved.
  • A very low exception rate is expected.

Because the absence of a response to a negative confirmation provides little actual evidence (it is impossible to distinguish between "the respondent agreed" and "the respondent ignored the request"), negative confirmations provide significantly less persuasive evidence than positive confirmations.

The rise of digital confirmations

The traditional paper-based confirmation process — printing letters, mailing them, waiting for postal returns — is being rapidly displaced by electronic platforms (Circit, Confirmation.com, CaseWare ConfirmConnect). These platforms provide secure electronic channels, verify respondent identity, create immutable audit trails, and dramatically reduce turnaround times. ISA (UK) 505 (Revised October 2023) specifically addresses electronic confirmations, and the broader profession is moving towards them as the default. If your firm still relies on paper-based confirmations, consider the transition — the reliability gains and efficiency improvements are substantial.

The Confirmation Process

Maintaining control

ISA 505.7 requires the auditor to maintain control over the external confirmation process. This means the auditor:

  • Determines the information to be confirmed or requested.
  • Selects the appropriate confirming party — the person at the third party who has the knowledge and authority to respond.
  • Designs the confirmation request — ensuring it is clear, contains the right information, and includes appropriate return instructions (return directly to the auditor, not to the entity).
  • Sends the request directly to the confirming party — the entity may prepare the letters, but the auditor must send them.
  • Receives responses directly — responses should come to the auditor's office, PO box, or secure electronic platform, not through the entity.

This control requirement exists because the entire value of external confirmations depends on the entity not being able to intercept, alter, or suppress the responses.

Common items confirmed

| Item | Confirming Party | Typical Assertions Tested |
|---|---|---|
| Bank balances | Banks | Existence, completeness, rights |
| Accounts receivable | Customers | Existence, accuracy, cut-off |
| Accounts payable | Suppliers | Completeness, accuracy |
| Loans and borrowings | Lenders | Existence, completeness, terms, covenants |
| Investments | Custodians, registrars | Existence, rights |
| Inventory held by third parties | Warehouses, consignees | Existence, condition |
| Insurance coverage | Insurers | Terms, coverage, claims |
| Legal matters | External legal counsel | Completeness of litigation/claims |

Handling Non-Responses

ISA 505.12 requires the auditor, for each non-response to a positive confirmation request, to perform alternative audit procedures to obtain sufficient appropriate evidence.

Alternative procedures typically include:

  • For receivables: examining subsequent cash receipts (evidence of existence and recoverability), examining shipping documents (evidence of the underlying transaction), examining the sales contract or purchase order.
  • For bank balances: obtaining the bank statement directly, reviewing bank reconciliations, examining subsequent transactions.
  • For payables: examining subsequent payments, examining purchase invoices and goods received notes.

The auditor must also consider whether the non-response itself has implications — a consistent pattern of non-responses from particular confirming parties, or non-responses for high-value items, may indicate a higher risk.

Handling Exceptions

ISA 505.14 requires the auditor to investigate exceptions — differences between the confirmation response and the entity's records.

Some exceptions represent genuine misstatements. Others are timing differences (the customer paid before year-end but the payment was not yet received by the entity), measurement differences (the parties use different exchange rates or include different items in the balance), or clerical errors in the confirmation process itself.

The auditor must determine the cause of each exception and evaluate its implications. ISA 240 requires the auditor to evaluate whether misstatements identified through confirmations are indicative of fraud.

Management Refusal

ISA 505.8 addresses the sensitive situation where management requests that the auditor not send confirmations to certain parties. The auditor must:

  • Inquire about management's reasons — are they legitimate (a genuine concern about disturbing a sensitive customer relationship or ongoing litigation) or are they potentially concealing something?
  • Evaluate the reasonableness of the refusal — the more unreasonable the refusal, the greater the suspicion. A management that refuses to allow any receivable confirmations raises serious fraud concerns.
  • Consider the implications for risk assessment — a refusal may indicate a higher risk of material misstatement, including fraud, which affects the nature and extent of alternative procedures.
  • Perform alternative audit procedures — if the refusal is accepted as reasonable, the auditor must perform alternative procedures sufficient to obtain the evidence the confirmation would have provided.

If the auditor concludes that management's refusal is unreasonable, or if the auditor cannot obtain sufficient evidence through alternative procedures, the auditor must communicate with those charged with governance (ISA 260) and consider the implications for the audit opinion (ISA 705).

Evaluating Reliability

ISA 505.10–11 requires the auditor to evaluate the reliability of confirmation responses. Even though external confirmations are generally among the most reliable forms of evidence, they are not infallible:

  • Responses may be intercepted or altered — particularly paper-based responses that pass through the entity's mail system.
  • Responses may come from unauthorised persons — someone at the confirming party who does not have actual knowledge of the balance.
  • Electronic responses carry risks if the transmission channel is not secure — although secure digital platforms significantly mitigate this.
  • Respondents may confirm without actually checking — particularly for standard positive confirmations stating small amounts.

Factors that may indicate doubts about reliability include: the response appeared not to come from the intended party, the response was received through the entity rather than directly, the response was received by fax or email without appropriate security measures, and the handwriting or format appears inconsistent.

ISA 505 in Your Jurisdiction

Netherlands. COS 505 follows ISA 505 closely. The NBA provides guidance on bank confirmations through the standard Dutch bank confirmation process (bankverklaring). AFM inspections have focused on whether auditors maintain adequate control over the confirmation process and whether alternative procedures for non-responses are sufficiently rigorous.

Germany. IDW PS 505 adapts ISA 505. German practice has established conventions for bank confirmations (Bankbestätigung) and for the confirmation of receivables and payables (Saldenbestätigung). The WPK's inspections examine whether the confirmation process is properly controlled and whether exceptions are adequately investigated.

United Kingdom. ISA (UK) 505 was substantially revised in October 2023, effective for periods commencing on or after 15 December 2024. The revised standard enhances guidance on electronic confirmations, strengthens requirements for evaluating reliability, and restricts the use of negative confirmations. The FRC's inspections have consistently highlighted confirmation procedures as an area requiring improvement.

France. NEP 505 implements ISA 505 within the French framework. French practice uses the circularisation (confirmation process) as a standard audit procedure, with specific conventions for bank confirmations and legal confirmations. The H3C's inspections focus on whether the circularisation is properly managed and whether results are appropriately evaluated.

Frequently Asked Questions

Are external confirmations mandatory?

ISA 505 does not mandate confirmations in every audit. The decision to use confirmations is driven by the risk assessment (ISA 315) and the design of audit responses (ISA 330). However, ISA 330 requires the auditor to consider whether external confirmation procedures should be performed, and for many assertions (particularly bank balances and receivables), confirmations are often the most effective procedure available.

What is a blank confirmation?

A blank (or open) confirmation does not state the amount — it asks the respondent to fill in the balance or provide the information from their own records. This provides more reliable evidence because the respondent cannot simply agree with a stated figure without checking. However, blank confirmations tend to have lower response rates.

What should the auditor do about non-responses?

For positive confirmations, non-responses require the auditor to perform alternative procedures — examining subsequent receipts, underlying documentation, or other corroborating evidence. If alternative procedures cannot provide sufficient evidence for a particular item, the auditor must consider the implications for the audit opinion.

Can electronic confirmations be used?

Yes, and increasingly they are preferred. Secure electronic platforms provide better control over the process (verified sender and respondent identities, encrypted transmission, immutable responses) than traditional paper-based methods. ISA (UK) 505 (Revised 2023) provides specific guidance on electronic confirmations.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 505 text, including all application material.
  • ISA 500 — Audit Evidence — the general framework that ISA 505 supplements for confirmations.
  • ISA 330 — The Auditor's Responses to Assessed Risks — the standard within which the decision to use confirmations is made.
  • ISA 240 — The Auditor's Responsibilities Relating to Fraud — relevant when management refuses confirmations or when exceptions indicate potential fraud.
  • ISA (UK) 505 (Revised October 2023) — The FRC's updated standard with enhanced electronic confirmation guidance.