A Common Peer Review Problem

The accounts receivable standards are older than you; its time to get them right.
BY DONALD K. MCCONNELL, JR. AND GEORGE Y. BANKS

EXECUTIVE SUMMARY
  • AICPA STANDARDS CLEARLY STATE procedures for confirmation of accounts receivable. Nevertheless, and despite an auditing procedure study, peer reviews continue to find that CPA firms have problems understanding the various processes.

  • RECEIVABLE CONFIRMATIONS ARE NOT ALWAYS required if accounts receivable are immaterial, the use of confirmations would be ineffective or combined inherent risk and control risk are low and analytics or other substantive tests would detect misstatements.

  • FOR MOST ENGAGEMENTS, AUDITORS must use positive, not negative, requests. Negative requests are acceptable only when combined inherent and control risks are low, balances are small and practitioners have no reason to believe recipients wont respond.

  • WHEN THEY CAN USE NEGATIVE confirmations, auditors should be aware that unreturned negative confirmation requests only provide evidence about some aspects of the existence assertion.

  • AUDITORS SHOULD CONSIDER WHETHER misstatements are isolated events or part of a systemwide problem.

  • RECEIVED CAN BE OPEN TO interpretation. Auditors should take special care with faxed responses and document oral responses in the workpapers. Auditors can use blank forms, but these may result in a lower response rate.

  • IF POSITIVE REQUESTS ARE NOT RECEIVED, auditors should apply certain specific alternative procedures, although there are some exceptions. Nonresponses by themselves do not provide audit evidence.
DONALD K. McCONNELL, JR., CPA, PhD, is associate professor of accounting, the University of Texas at Arlington.
GEORGE Y. BANKS, CPA, is an audit partner of Grant Thornton LLP, Dallas.


Confirmation of accounts receivable has been a nearly sacrosanct auditing procedure for over 50 years. Before most of todays practicing CPAs were even born, the AICPA issued Statement on Auditing Procedure no. 1, Extensions of Auditing Procedure , requiring auditors to confirm accounts receivable whenever they were material to the financial statements. SAS no. 67, The Confirmation Process , followed in 1991 with significant changes in procedure. Despite those pronouncements and the publication in 1995 of the AICPA Auditing Procedure Study Confirmation of Accounts Receivable , problems continued to crop up. In fact, the Institutes peer review division (now the practice monitoring division) released a 1995 report in the Practicing CPA citing fundamental violations of the provisions of SAS no. 67. Even though the principle of confirmation is long-standing, perhaps these peer review deficiencies reflect auditors inadequate understanding of the requirements.

Audit quality will be enhanced if practitioners have a sound understanding of the provisions of SAS no. 67. The flowchart on pages 4041 portrays the major aspects of the confirmation process. Additionally, this article emphasizes those commonly identified peer review confirmation deficiencies.

KNOW WHAT IS NECESSARY
SAS no. 67 provides that confirmations are not required if any one of three conditions is met:

View Flow Chart Defining Confirmation Of Accounts Receivable
  • Accounts receivable are immaterial.

  • The use of confirmations would be ineffective.

  • Combined inherent risk and control risk are low (assuming that evidence from analytical procedures or other substantive tests would achieve acceptably low levels of audit risk).

Practice observations, as noted in the 1995 report, led to this change from SAP no. 1. One of these observations was the concern with recipient say yes behavior in which the confirmation is signed and returned without actual verification. Say yes behavior may be suggested from the results of other related substantive testing and observations when the recipient does not adequately investigate the accuracy of balances being confirmed. The AICPA also observed that recipients might lack the financial sophistication to provide reliable responses or might simply ignore the requests. For example, auditors often dont confirm hospital receivables, because response rates are usually inadequate. Similarly, the federal government and some companies have a policy of not responding to confirmation requests. Because the current standard makes clear the presumption that auditors need to confirm accounts receivable, practitioners must document carefully when they have not sent confirmations.

Auditors should consider other auditing procedures when they do not confirm accounts receivable, especially when the balances are material. SAS no. 67 offers no specific guidance, but auditors can apply the following two substantive tests:

  1. Examination of subsequent cash collections to corroborate the valuation assertion.

  2. Examination of relevant documentation that the sales took place for most other key assertions.

In a manufacturing or distribution company, for example, the documentation includes examination of customer purchase orders (POs), client invoice copies, shipping documents and third-party evidence of delivery. Audit problems that might be found in such documentation include, for example, evidence in customer POs of consignment arrangements rather than sales, as well as shipping documents indicating improper sales cutoffs. Additionally, auditors using the examination of subsequent cash collections as a primary substantive procedure might consider performing procedures to provide evidence that the source of the payment was the customer. The ZZZZ Best fraud clearly taught this lesson.


CHOOSE THE RIGHT REQUESTS
Auditors have to decide whether they can use negative accounts receivable requests. Peer reviewers often discover that auditors inappropriately select negative confirmation requests. Auditors must use positive confirmations unless all of the following conditions are met:

  • Combined inherent and control risks are assessed low.

  • Balances involved are small.

  • The auditors believe that recipients are likely to give the confirmations consideration.

The first condition makes it clear that positive requests are the norm. For example, auditors usually assess control risk at high levels when auditing small clients because of their inadequate controls. Similarly, auditors routinely assess inherent risk at moderate or even higher levels for the revenue cycles of most audit clients because of concerns with proper cutoffs and adequacy of relevant accounting estimates. Auditors cannot assess combined inherent and control risks as low if either component is high.

Whether the auditor uses positive or negative requests, SAS no. 67 sanctions confirming individual transactions rather than entire account balances. Thus, auditors may use sampling to select accounts for confirmation or for individual unpaid transactions from the entire population of unpaid transactions. Some vendors process payables through voucher systems, which, in their simplest form, involve no accounts payable sub accounts. While vendors with voucher systems may say they are unable to confirm an entire balance, other vendors will acknowledge willingness to confirm a few transactions. Whether using positive or negative confirmations, auditors must carefully control the mailing of the requests and should investigate any timing differences or exceptions indicated by respondents.

In engagements meeting all conditions for negative confirmations, the auditors must recognize that unreturned requests rarely provide evidence concerning assertions other than aspects of the existence assertion. In addition, unreturned requests do not provide explicit evidence of actual successful delivery or even that any of the information was actually verified. Therefore, it is often considered prudent for the auditors to send more negative requests than might be the case had positive requests been used.

PROJECT IDENTIFIED MISSTATEMENT
Returned negative confirmation requests may provide evidence about assertions other than existence, such as the valuation assertion. Auditors should evaluate carefully any responses that are not reconcilable as normal timing differences (for example, payments in transit at yearend) to ascertain their effects on combined inherent and control risks. They also should evaluate the responses in terms of their effects on planned audit procedures and ask themselves: Do misstatements indicate isolated instances? Or are they indicative of systematic or pervasive problems?

SAS no. 39, Audit Sampling , requires auditors to project known misstatement results identified in a sample as likely misstatements in the underlying population. The auditors then must compare those likely misstatement amounts with the tolerable misstatement amounts derived during audit planning to determine whether sampling risk is acceptably low for the account balance. However, peer reviewers have found that auditors sometimes fail to make this required projection and concomitant evaluation.

KNOW WHAT IS RECEIVEDAND WHAT ISNT
As noted above, when an engagement does not meet all the conditions for sending negative confirmation requests, positive requests become the default option. But what constitutes receipt? SAS no. 67 raises questions about the validity of faxed responses. Auditors should consider verifying fax sources and contents by phone and requesting the original confirmation. As the original request may not ever be received, it is prudent to reproduce the fax copy, because fax ink can fade over time. Auditors need to document in the workpapers the oral responses to confirmation requests. The auditors should consider asking the oral respondent to mail back (as opposed to e-mailing or faxing) the actual confirmation request.

The auditors may want to use blank-form positive confirmations, which ask that respondents fill in balance or other data, to minimize the possibility of say yes behavior. However, blank forms may lead to lower response rates, as well as a greater likelihood that incorrect balances will be reported. Auditors should send second requests to nonrespondents because nonresponses do not provide evidence about financial statement assertions. Third requests, however, often are not very fruitful. Auditors facing nonresponses to subsequent positive confirmation requests generally have to use alternative procedures, as noted below.

APPLY NECESSARY ALTERNATIVE PROCEDURES
Alternative procedures typically entail examining subsequent cash collections and, most important, assuring that payments received are on the receivable balances in question, in order to address the valuation assertion. If a client company has not received payment, the auditors might next examine shipping documents (assuming adequate controls, such as segregation of duties), external customer POs, third-party evidence of delivery, sales invoices, contracts or other relevant documentation for assurances regarding other assertions. Auditors should apply those procedures when they are concerned about control risk for sales cutoff, even if they have examined subsequent collections. The AICPA practice management staff found that CPAs in public practice commonly fail to apply alternative procedures to nonresponding positive confirmation requests. Auditors should note: SAS no. 67 clearly states that nonresponses provide no audit evidence.

Some of the confusion may stem from SAS no. 67s introduction of a new concept: the acceptability of omitting alternative procedures in limited instances . If both of the following two conditions are met, auditors may omit alternative procedures:

  1. The auditors have not perceived any unusual identifiable bias or commonality among the nonresponding customers. For example, the customers are all located in one sales territory, they are all new customers or they are all consignees.

  2. The aggregate nonresponses, projected as being 100% misstated, are not material when they are added to the sum of other adjustments passed in the audit.

Auditors must combine and project to the population being examined any misstatements either revealed in the investigation of responding positive requests or identified in the process of applying alternative procedures to nonresponses. Peer review teams sometimes find that practitioners do not properly compare extrapolated misstatement with tolerable misstatement.

In general, auditors should send positive requests to confirm large accounts receivable balances, as no sampling risk is acceptable for individual receivable balances exceeding tolerable misstatement for a given engagement. Because such positive requests constitute a subpopulation that has been audited in its entirety rather than sampled, any misstatement amount revealed would be equivalent to likely misstatement. Auditors then would combine any actual misstatement amount from large accounts receivable with projected misstatement amounts identified from confirmations selected through sampling procedures.

A KEY PROCESS
Properly applied confirmation procedures, in conjunction with analytical procedures and related substantive alternative procedures, provide significant evidence about most financial statement assertions. This is particularly true for the existence and valuation assertionstypically key assertions in the audit of the revenue and collections cycle. Consequently, auditors should be especially careful to apply confirmation procedures properly and be alert to possible errors in their firms confirmation procedures. No firm with an audit practice wants to wait until a peer review to discover any problems.

SPONSORED REPORT

How to make the most of a negotiation

Negotiators are made, not born. In this sponsored report, we cover strategies and tactics to help you head into 2017 ready to take on business deals, salary discussions and more.

VIDEO

Will the Affordable Care Act be repealed?

The results of the 2016 presidential election are likely to have a big impact on federal tax policy in the coming years. Eddie Adkins, CPA, a partner in the Washington National Tax Office at Grant Thornton, discusses what parts of the ACA might survive the repeal of most of the law.

COLUMN

Deflecting clients’ requests for defense and indemnity

Client requests for defense and indemnity by the CPA firm are on the rise. Requests for such clauses are unnecessary and unfair, and, in some cases, are unenforceable.