The bank confirmation (conf) came back positive and the file was closed. Nobody asked whether the bank even had the right reference, whether the signatory was authorised, or whether the response routed through the client’s mailroom before landing in the working paper (WP) folder. At review, the partner writes “appears reasonable. Waive further pursuit.” That’s the phrase that ISA 505 was written to prevent.
The standard governs the auditor’s use of external confirmation procedures, requiring the auditor to maintain control over the process, perform alternative procedures for non-responses to positive confs (ISA 505.12), investigate all exceptions (ISA 505.14), and evaluate the reliability of every response received.
Key takeaways
- ISA 505 governs the auditor’s use of external confirmation procedures (obtaining a direct written response from a third party to the auditor). This is one of the most reliable forms of audit evidence because it comes from an independent external source.
- The standard covers confirmations for many items: bank balances, receivables, payables, loans, investments held by custodians, property held by third parties, terms of agreements, and transactions with third parties.
- There are two types: positive confirmations (the respondent is asked to reply in all cases, either agreeing or providing different information) and negative confirmations (the respondent replies only if they disagree). Positive confirmations provide substantially more persuasive evidence.
- The auditor must maintain control over the confirmation process: selecting what to confirm, designing the request, sending it directly to the confirming party, and receiving responses directly. The entity must not intercept or alter the process.
- For non-responses to positive confirmations, the auditor must perform alternative audit procedures. Non-responses do not provide evidence. They leave a gap that must be filled.
- Exceptions (differences between the confirmation response and the entity’s records) must be investigated. They may indicate misstatements, timing differences, potential fraud, or clerical errors.
- If management refuses to allow the auditor to send confirmations, the auditor must evaluate the reasonableness of the refusal and perform alternative procedures, while considering the implications for the risk assessment and audit opinion.
What is ISA 505?
ISA 505, titled “External Confirmations,” provides the framework for one of the auditor’s strongest procedures: going directly to an independent third party and asking them to verify information. Where the entity’s own records are inherently less reliable (the entity controls them), external confirmations bypass that risk by obtaining evidence from someone outside the entity’s control.
The standard does not mandate the use of confs in every audit. That decision is driven by ISA 315 (risk assessment) and ISA 330 (response to assessed risks). But when the auditor determines that confs are an appropriate response to assessed risks, ISA 505 governs how the process must be conducted to produce reliable evidence.
Types of external confirmations
Positive confirmations
A positive confirmation request asks the confirming party to respond directly to the auditor in all cases, whether they agree with the information provided, disagree, or need to provide different information.
Two variants exist:
| Type | How It Works | Pros | Cons |
|---|---|---|---|
| Standard positive | States the amount and asks the respondent to confirm or provide different information | Higher response rates than blank confirmations; straightforward for respondents | Respondent may simply agree without checking — particularly for small amounts |
| Blank (open) positive | Does not state the amount — asks the respondent to fill in the balance or provide information | More reliable — the respondent must independently determine the information | Lower response rates; more effort for respondents; may be unsuitable for complex items |
Negative confirmations
A negative confirmation request asks the confirming party to respond only if they disagree with the stated information. If they agree (or simply do not respond), no reply is expected.
ISA 505.15 permits negative confirmations as the sole substantive procedure only when all of the following conditions are met:
- The assessed risk of material misstatement is low.
- The auditor has not identified factors that suggest respondents are unlikely to respond to negative requests (e.g., respondents may ignore them).
- A large number of small, homogeneous account balances or transactions are involved.
- A very low exception rate is expected.
Because the absence of a response to a negative conf provides little actual evidence (it is impossible to distinguish between “the respondent agreed” and “the respondent ignored the request”), negative confs provide significantly less persuasive evidence than positive confs. Nobody enjoys chasing negative conf follow-ups, but skipping the evaluation is how files get flagged.
The rise of digital confirmations
The traditional paper-based conf process (printing letters, mailing them, waiting for postal returns) is being displaced by electronic platforms (Circit, Confirmation.com, CaseWare ConfirmConnect). These platforms provide secure electronic channels, verify respondent identity, create immutable audit trails, and cut turnaround times from weeks to days. ISA (UK) 505 (Revised October 2023) specifically addresses electronic confs, and the broader profession is moving towards them as the default. At firms like ours, the transition has already happened. The reliability gains and efficiency improvements are substantial.
The confirmation process
Maintaining control
ISA 505.7 requires the auditor to maintain control over the external confirmation process. This means the auditor:
- Determines the information to be confirmed or requested.
- Selects the appropriate confirming party, the person at the third party who has the knowledge and authority to respond.
- Designs the confirmation request, ensuring it is clear, contains the right information, and includes appropriate return instructions (return directly to the auditor, not to the entity).
- Sends the request directly to the confirming party. The entity may prepare the letters, but the auditor must send them.
- Receives responses directly. Responses should come to the auditor’s office, PO box, or secure electronic platform, not through the entity.
This control requirement exists because the entire value of external confirmations depends on the entity not being able to intercept, alter, or suppress the responses.
Common items confirmed
| Item | Confirming Party | Typical Assertions Tested |
|---|---|---|
| Bank balances | Banks | Existence, completeness, rights |
| Accounts receivable | Customers | Existence, accuracy, cut-off |
| Accounts payable | Suppliers | Completeness, accuracy |
| Loans and borrowings | Lenders | Existence, completeness, terms, covenants |
| Investments | Custodians, registrars | Existence, rights |
| Inventory held by third parties | Warehouses, consignees | Existence, condition |
| Insurance coverage | Insurers | Terms, coverage, claims |
| Legal matters | External legal counsel | Completeness of litigation/claims |
Handling non-responses
ISA 505.12 requires the auditor, for each non-response to a positive confirmation request, to perform alternative audit procedures to obtain sufficient appropriate evidence.
In our experience, alternative procedures include:
- For receivables: examining subsequent cash receipts (evidence of existence and recoverability), examining shipping documents (evidence of the underlying transaction), and examining the sales contract or purchase order.
- For bank balances: obtaining the bank statement directly, reviewing bank reconciliations, examining subsequent transactions.
- For payables: examining subsequent payments, examining purchase invoices and goods received notes.
The auditor must also consider whether the non-response itself has implications. A consistent pattern of non-responses from particular confirming parties, or non-responses for high-value items, may indicate a higher risk.
Handling exceptions
ISA 505.14 requires the auditor to investigate exceptions (differences between the confirmation response and the entity’s records).
Some exceptions represent genuine misstatements. Others are timing differences (the customer paid before year-end but the entity had not yet received the payment), measurement differences (the parties use different exchange rates or include different items in the balance), or clerical errors in the conf process itself.
The auditor must determine the cause of each exception and evaluate its implications. ISA 240 requires the auditor to evaluate whether misstatements identified through confs are indicative of fraud.
Management refusal
ISA 505.8 addresses the sensitive situation where management requests that the auditor not send confs to certain parties. The auditor has a defined path through this.
The auditor should inquire about management’s reasons. Are they legitimate (a genuine concern about disturbing a sensitive customer relationship or ongoing litigation) or are they potentially concealing something?
The auditor must then evaluate the reasonableness of the refusal. The more unreasonable the refusal, the greater the suspicion. A management team that refuses to allow any receivable confs raises serious fraud concerns.
The auditor should consider the implications for risk assessment. A refusal may indicate a higher risk of material misstatement (RMM), including fraud, which affects the nature and extent of alternative procedures.
The auditor must perform alternative audit procedures. If the refusal is accepted as reasonable, the auditor must perform alternative procedures sufficient to obtain the evidence the conf would have provided.
If the auditor concludes that management’s refusal is unreasonable, or if the auditor cannot obtain sufficient evidence through alternative procedures, the auditor must communicate with those charged with governance (ISA 260) and consider the implications for the audit opinion (ISA 705).
Evaluating reliability
ISA 505.10–11 requires the auditor to evaluate the reliability of conf responses. Even though external confs are generally among the most reliable forms of evidence, they are not infallible:
- Responses may be intercepted or altered, particularly paper-based responses that pass through the entity’s mail system.
- Responses may come from unauthorised persons (someone at the confirming party who does not have actual knowledge of the balance).
- Electronic responses carry risks if the transmission channel is not secure, although secure digital platforms significantly mitigate this.
- Respondents may confirm without actually checking, particularly for standard positive confirmations stating small amounts.
In our experience, the factors that indicate doubts about reliability include: the response appears not to come from the intended party, the response was received through the entity rather than directly, the response was received by fax or email without appropriate security measures, and the handwriting or format appears inconsistent with prior correspondence from that party.
Worked example: receivables confirmation at Bakker Industrial B.V.
Bakker Industrial B.V. is a Dutch manufacturing company with €42M revenue, producing industrial valves for the petrochemical sector. The engagement team has set overall materiality at €420,000 (1% of revenue) and performance materiality (PM) at €315,000. Accounts receivable total €7.8M across 214 customers, and the engagement partner (EP) has flagged receivables as a significant risk. The team decides to confirm receivables as a primary substantive procedure under ISA 505 and uses the sampling calculator to determine sample size.
- Select the sample and design the requests. The team stratifies the receivable population, selecting all 8 balances above €200,000 and a monetary unit sample of 25 from the remaining population. Each request is a standard positive confirmation addressed to the customer’s accounts payable department, stating the balance at 31 December. Documentation note: record the selection criteria, sampling methodology, stratification thresholds, and rationale for using positive rather than negative confirmations in the confirmation planning memo.
- Send directly and track responses. The team sends all 33 requests via the firm’s Confirmation.com account, bypassing management entirely. After three weeks, 24 responses have been received. Nine remain outstanding. Documentation note: log each confirmation’s status (sent date, response date, response channel) in the confirmation control schedule. Confirm that no requests were routed through the client.
- Investigate exceptions. Of the 24 responses, 21 agree with the recorded balance. Three show differences: one is a €14,200 timing difference (payment crossed in transit), one is a €3,800 pricing dispute the customer had already raised, and one shows a €47,500 balance the customer cannot trace. The team investigates the €47,500 item by examining the underlying sales invoice, shipping documentation, and signed delivery receipt. Documentation note: for each exception, document the nature of the difference, the corroborating evidence obtained, and whether the difference represents a misstatement or a timing/measurement issue.
- Perform alternative procedures for non-responses. For the 9 non-responses (totalling €680,000), the team examines subsequent cash receipts received by mid-February. Seven of the nine balances are fully or substantially cleared by post-year-end payments. For the remaining two (totalling €95,000), the team examines shipping documents, signed customer purchase orders, and delivery confirmations. Documentation note: for each non-response, record the alternative procedures performed, the evidence obtained, and the conclusion on whether the balance is supported. Reference ISA 505.12.
- Evaluate results and conclude. The €47,500 untraced item is discussed with management, who identify a revenue cut-off error (goods shipped 2 January, invoiced 28 December). The team records this as a misstatement on the summary of uncorrected misstatements. All other balances are supported. The TB foots, the conf schedule foots, TGIF (Thank God It Foots). The overall conclusion: receivables are not materially misstated.
A reviewer opening this file sees the sample rationale, the conf control schedule with every response tracked, the exception investigation for each difference, the alternative procedures for each non-response, and a clean conclusion tied back to the assertion tested.
Practical checklist
- Confirm you control the entire process. Verify that you (not the client) selected the confirming parties, designed the request, sent it directly, and will receive responses directly. If any step was delegated to the entity, the evidence is compromised (ISA 505.7).
- Set a non-response follow-up deadline before sending. Decide in advance how long you will wait before sending second requests, and at what point you switch to alternative procedures. Document this timeline in the confirmation planning memo (ISA 505.12).
- Investigate every exception, not just material ones. A €500 difference could be a clerical error or the visible edge of a larger problem. Document the cause and your conclusion for each (ISA 505.14). Consider fraud indicators per ISA 240 when patterns emerge.
- Document alternative procedures for every non-response individually. Do not write a blanket statement covering all non-responses. Each non-response is a separate evidence gap with its own alternative procedure and conclusion (ISA 505.12).
- Evaluate whether management refusals are reasonable. If management asks you not to confirm a balance, record the reason, assess its validity, and document the alternative procedures that compensate. If the refusal is unreasonable, communicate with those charged with governance (ISA 505.8, ISA 260).
- Assess reliability of electronic responses. Verify the platform’s security features, confirm that the respondent was authenticated, check that the response was not routed through the entity, and retain the platform’s audit trail in the WP. A response received via unsecured email does not carry the same weight as one received through Confirmation.com (ISA 505.10-11).
Common mistakes
- Teams send confirmations but treat non-responses as “no news is good news.” The FRC’s 2025 inspection cycle found that alternative procedures for non-responses were among the weakest areas in confirmation files at Tier 2 and Tier 3 firms. ISA 505.12 is clear: a non-response to a positive confirmation provides zero evidence. The gap must be filled with specific alternative procedures for each item.
- The confirmation process runs through the client. Management prepares the letters, management mails them, and responses arrive at the client’s office before being forwarded to the auditor. The AFM has flagged insufficient auditor control over the confirmation process in multiple inspection cycles. Once the entity touches the process, the independence of the evidence is gone.
- Exception investigation stops at management’s explanation. When a confirmation response disagrees with the ledger, teams record management’s explanation (usually “timing difference”) and move on without corroboration. The PCAOB’s 2024 inspection findings identified revenue as a top deficiency area, and unverified confirmation exceptions feed directly into that risk. ISA 505.14 requires the auditor to determine the cause, not accept the client’s description of the cause.
Related content
- External confirmation (glossary): definition, types, and when the auditor must use external confirmations under the ISA framework.
- ISA 530 sampling calculator (tool): determine sample sizes for confirmation selections, including stratification thresholds and confidence levels.
- ISA 500: audit evidence guide (blog): the general evidence framework that ISA 505 supplements specifically for external confirmation procedures.
ISA 505 in your jurisdiction
Netherlands. COS 505 follows ISA 505 closely. The NBA provides guidance on bank confirmations through the standard Dutch bank confirmation process (bankverklaring). AFM inspections have focused on whether auditors maintain adequate control over the confirmation process and whether alternative procedures for non-responses are sufficiently rigorous.
Germany. IDW PS 505 adapts ISA 505. German practice has established conventions for bank confirmations (Bankbestätigung) and for the confirmation of receivables and payables (Saldenbestätigung). The WPK’s inspections examine whether the confirmation process is properly controlled and whether exceptions are adequately investigated.
United Kingdom. ISA (UK) 505 was substantially revised in October 2023, effective for periods commencing on or after 15 December 2024. The revised standard expands guidance on electronic confirmations, strengthens requirements for evaluating reliability, and restricts the use of negative confirmations. The FRC’s inspections have consistently highlighted confirmation procedures as an area requiring improvement.
France. NEP 505 implements ISA 505 within the French framework. French practice uses the circularisation (confirmation process) as a standard audit procedure, with specific conventions for bank confirmations and legal confirmations. The H3C’s inspections focus on whether the circularisation is properly managed and whether results are appropriately evaluated.
Frequently asked questions
Are external confirmations mandatory?
ISA 505 does not mandate confirmations in every audit. The decision to use confirmations is driven by the risk assessment (ISA 315) and the design of audit responses (ISA 330). However, ISA 330 requires the auditor to consider whether external confirmation procedures should be performed, and for many assertions (particularly bank balances and receivables), confirmations are often the most effective procedure available.
What is a blank confirmation?
A blank (or open) confirmation does not state the amount. It asks the respondent to fill in the balance or provide the information from their own records. This provides more reliable evidence because the respondent cannot simply agree with a stated figure without checking. However, blank confirmations tend to have lower response rates.
What should the auditor do about non-responses?
For positive confirmations, non-responses require the auditor to perform alternative procedures: examining subsequent receipts, underlying documentation, or other corroborating evidence. If alternative procedures cannot provide sufficient evidence for a particular item, the auditor must consider the implications for the audit opinion.
Can electronic confirmations be used?
Yes, and increasingly they are preferred. Secure electronic platforms provide better control over the process (verified sender and respondent identities, encrypted transmission, immutable responses) than traditional paper-based methods. ISA (UK) 505 (Revised 2023) provides specific guidance on electronic confirmations.
Further reading and source references
- IAASB Handbook 2024: ISA 505 full text (the authoritative source including all application material).
- ISA 500: Audit Evidence (the general framework that ISA 505 supplements for confs).
- ISA 330: The Auditor’s Responses to Assessed Risks (the standard within which the decision to use confs is made).
- ISA 240: The Auditor’s Responsibilities Relating to Fraud (relevant when management refuses confs or when exceptions indicate potential fraud).
- ISA (UK) 505 (Revised October 2023): the FRC’s updated standard with expanded electronic conf guidance.
This guide reflects the ISA 505 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.