What do UK auditors need to know about the revised ISA (UK) 505 on external confirmations? Kyle Gibbons offers some insights.
This year sees the enactment of the Financial Reporting Council’s (FRC) revised ISA (UK) 505, the UK auditing standard for external confirmations, which takes effect for all audits of financial statements for periods commencing on or after 15 December 2024.
It is vital that auditors seek and obtain relevant and reliable audit evidence as a basis for their opinion on the financial statements of their clients. If derived directly from a source independent of their client, this can enhance the quality of such evidence and increase the level of assurance an auditor obtains.
Audit confirmation used to be an outdated analogue process. Ten years ago, I remember making requests via the post as a first-year auditor. The world has moved on and, since 2017, I have been working to transform the confirmation process across the UK and Europe into a fast and reliable service, so auditors can rapidly access high-quality third-party evidence.
Modern approaches to the process (such as using digital platforms) are among the main features of the FRC’s revisions to ISA (UK) 505, along with enhanced requirements in relation to investigating exceptions, and a prohibition on negative confirmations. As the FRC highlighted when it published the revised standard, changes also reflect recent FRC enforcement findings.
Modern approaches to obtaining external confirmations
The revised standard directs auditors to adjust their approach to obtaining audit evidence, in light of its redefinition of external confirmations. The revised standard acknowledges the benefits of modern technologies such as digital platforms and the risks inherent in their improper use.
I welcome the increased emphasis on using digital technology to request and receive confirmations. UK auditors should take note, however, of certain steps to be taken to enhance "the reliability of the related responses” (ISA (UK) 505 (Para. A12)). As per the ISA and as performed as a matter of course by the Confirmation platform, these include validation of parties, encryption, electronic digital signatures, and website authenticity checks.
The revised standard acknowledges the benefits of modern technologies such as digital platforms and the risks inherent in their improper use
Enhanced requirements in relation to investigating exceptions
Any exceptions auditors uncover that may be indicative of fraud or of a deficiency in the entity’s system of internal control should be considered as per the revised standard.
In its Invitation to Comment, the FRC explained that this revision was prompted by enforcement findings that in some cases “auditors are not appropriately considering risk when confirmations are not as expected”. These cases indicate that some audit firms have foregone the confirmation attempt entirely, as is demonstrated in the FRC’s 2023 Audit Firm Specific Reports.
A prohibition on negative confirmations
A negative confirmation request is defined by the revised standard as “a request that the confirming party respond directly to the auditor only if the confirming party disagrees with the information provided in the request”.
The previous version of ISA (UK) 505 had followed the International Auditing and Assurance Standards Board (IAASB) and ISA 505 in allowing the use of negative confirmations under certain limited circumstances. The revised UK version now states that “the use of negative confirmations is prohibited in an audit conducted in accordance with ISAs (UK)”.
Negative confirmations are rare in the UK, so to some extent this revision codifies common practice. As they may still exist elsewhere, ruling them out entirely and definitively highlights the risks of relying on them as audit evidence. This revision also emphasises the need for auditors to apply professional scepticism at all times during the audit and to be rigorous in their approach to obtaining third-party evidence.
In its Feedback Statement and Impact Assessment, the FRC noted that – as a result of submissions received – it was making a conforming amendment to ISA (UK) 600. This instructs group auditors to communicate the prohibition to component auditors undertaking work “in respect of the opinion on the group financial statements”.
How technology can help with implementing and managing ISA (UK) 505
All of these concerns are central to our work at Confirmation, where we maintain a digital platform for obtaining reliable confirmations as promptly as possible. I was therefore keen to share our expertise during the FRC’s Invitation to Comment phase.
High-quality, technology-enabled confirmation tools that operate robust validation procedures can play a key role in the implementation of revised ISA (UK) 505
As I wrote in Thomson Reuters’ submissions to the FRC, I fully support the regulator’s heightened focus on independent third-party confirmation in audit engagements. I am encouraged by the attention to modernisation, with the FRC addressing the use of new technologies as a vital component of the auditor’s armoury.
High-quality, technology-enabled confirmation tools that operate robust validation procedures can play a key role in the implementation of revised ISA (UK) 505 and improving the quality of evidence.
I believe the FRC’s revisions – reinforced by these digital tools – will serve to expand fraud detection opportunities, further the public interest, and enhance the performance of audits and the overall reputation of the audit profession.
Kyle Gibbons, Managing Director Europe & MENA, Confirmation, part of Thomson Reuters