By Harsh Jogani, Director Commercial – Asia and Emerging Markets at Confirmation, and Vinod Kashyap, B.Com.(Hons.), FCA, DISA (ICAI), Director – Audit Services, NGDB, UAE

The rise of financial-statement fraud shows the increasing sophistication of fraudsters in exploiting the weaknesses of paper-based confirmation processes.

Audit confirmations are undertaken to obtain evidence about financial statement assertions made by a business and are an extremely important cog in the auditing wheel. However, high-profile confirmation fraud cases have revealed an urgency to upgrade from paper-based processes, a change that will also help meet the evolving needs of auditing and accounting industry standards.

The External Confirmation Process

To address the problems associated with traditional, paper-based audit confirmations, let us first examine the current external confirmation process. Indian auditing standards - SA 505 "External Confirmation" - defines external confirmations as:

“Audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper form, or by electronic or other medium”.

Paragraph 7 of the said auditing standard describes the requirements for “External Confirmation Procedures” as below:

“When using external confirmation procedures, the auditor shall maintain control over external confirmation requests, including:

• Determining the information to be confirmed or requested.
• Selecting the appropriate confirming party.
• Designing the confirmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor; and
• Sending the requests, including follow-up requests when applicable, to the confirming party.

The reliability of third-party evidence (e.g. bank statements) is enhanced when it is obtained from a knowledgeable, but unbiased, respondent who is outside the company under audit. The respondent should have little or no motivation to falsify information.

In addition, when the response from a third party is direct (the auditor controls both the transmission and receipt of information), it may be considered more reliable than audit evidence derived indirectly or by inference. If evidence exists in documentary form (e.g. paper or electronic media), the evidence is even more reliable. However, responses in the form of faxes and e-mails are considered problematic because of the difficulty of validating their authenticity.

Paper-Based Confirmations – What Can Go Wrong?

The utility of paper-based confirmations, which are manual by nature, is extremely limited because humans can intervene and, intentionally or unintentionally, subvert the process. Some of the main weaknesses identified in paper-based confirmations are as below:

• The auditor selects the name of parties for confirmation based on information in the audit client's accounting records and books. Consequently, they do not test for completeness via tracing activities and may ignore information that was inadvertently or deliberately "kept off the books".
• The audit client provides the name of the person(s) to be contacted at third-party organizations (e.g. banks and customers) to confirm cash and accounts receivables. If the client does not name the "proper" respondents, the information obtained may be false.
• The audit client also provides each respondent's address, phone number, e-mail address, website, and other identifying information. Once again, if this data is bogus, the information obtained may be false.
• It is very difficult, if not cost prohibitive, to authenticate the respondent’s signature or to ensure non[1]repudiation of participation (i.e. to refute a respondent’s signature).
• The time and financial costs involved in the traditional confirmation process can be staggering. These costs include, but are not limited to, the preparation of written requests, paper and postage, verification of respondent names and addresses, snail-mail delays, and reconfirmation requests to clear up gaps in information or errors in responses.

Here are some of the major fraud cases in the past where the paper-confirmation process has failed:

• Parmalat (2003): Italy’s biggest $4.9 billion fake confirmation fraud where a fake bank postal address was provided to the auditor.
• Satyam Computer (2009): India’s biggest $800 million audit confirmation fraud, where an audit client forged a paper confirmation on bank letterhead and handed it over to the auditor.
• Olympus Corporate (2011): Japan’s biggest confirmation fraud amounting to Euro 1.1 billion. Bank staff colluded with the audit client and provided a fake bank confirmation certificate.
• Wirecard fraud (2020): Germany’s biggest scandal, where $1.9 billion reflected in financial statements was completely missing from Wirecard’s bank accounts.

Advantages of an Electronic Confirmation Process

Most of the frauds, such as the PFGBest (Peregrine Financial Group) fraud, were only uncovered through the use of electronic audit confirmation platforms. PFGBest manipulated financial data and reports for almost two decades. They manipulated the confirmation responses using photo editing software to show that the bank statements matched the company's financial statements.

Only when their auditors employed an electronic confirmation system did they identify the discrepancies in financial statements, thereby uncovering a more than US$200 million fraud of 20 years in a matter of 24 hours.

The advantage of electronic confirmations are:

• Zero client interference – the auditor maintains complete control over the audit confirmation process end-to-end from sending, tracking and receiving. This significantly improves the security of the process.
• Validated responders – auditors need not rely on clients to provide details of the bank contact for receiving confirmation certificates, eliminating any possibility of client and bank staff collusion. Every bank setup on the application and their users are pre-validated giving full comfort over the source of response.
• Encryption – balance confirmations (both in-transit and when stored) are completely encrypted with 256-bit encryption, eliminating the possibility of interception and forgery.
• Audit Efficiency – streamline and automate the entire confirmation process to send and receive confirmations from anywhere anytime with guaranteed response.
• Faster response – reduce confirmation timelines from weeks and months to days and save money by reducing the time to validate and authenticate the responding entry and responder.
• Eliminate low-end manual work – remove unnecessary grunt work; allow auditors to focus on high-value areas and reduce the cost per confirmation by removing unnecessary activities such as follow-up work to address lost or inaccurate confirmations.

What does a good electronic audit confirmation tool look like?

A good digital audit confirmation tool should eliminate client interference from the entire process, validating responders and encrypting confirmation data to eliminate possible interception, interference, and falsification. The user activity log will increase the audit process transparency and leave a digital trail on every confirmation request.

It's also important to have a secure network of validated banks and audit firms. In such a network, every responder is pre-validated, which helps the auditor maintain complete control of the sending and receiving of confirmation certificates. The increase of quality in external evidence can help the auditor raise the bar of audit quality.

Conclusion

All in all, the electronic audit confirmation tool can make the confirmation process fraud proof and enhance the efficiency of the audit firm. The cost of a confirmation fraud goes beyond financial consequences and impacts the reputation and longevity of business and its accounting firm.

The accelerating pace of business, increasing digitalisation, and the growing sophistication of fraud are creating the need for better risk management strategies and systems. To thrive in today's complex and volatile market, auditors must let go of traditional, paper-based audit confirmation processes and chose a more modern, trustworthy approach of digital confirmations.