Understanding Audit Confirmation Risks

Shared by the accounting and legal professions


If a company or organization is at risk of losing or winning a material lawsuit, then stakeholders should know about it, and transparency is expected. Such outcomes can impact decisions made by readers of an audited financial statement. Readers can range from company owners to capital market participants, such as a financial institution issuing loans, a private equity firm making an investment or regulators providing oversight. With so many interests at stake, accounting firms and law firms adhere to procedures and policies set forth by their professions in regard to the audit confirmation process.

For every audit, auditors perform required procedures to determine if existing legal contingencies are fairly presented and properly disclosed in an entity’s audited financial statement. Although disclosure requirements can differ by country or policy setter, the process for gathering information to make a fair assessment is the same throughout the world. The same is true for the external counsel or law firms engaged by companies and organizations subject to an audit. However, differences in laws from country to country, particularly regarding what is considered discoverable vs. not, have lead to variations of policy for responding to auditors’ requests for information. All this considered, auditors continue to seek information from their clients’ legal counsel and do so for the purpose of completing a high-quality audit for all stakeholders.

To better understand the process for obtaining information to make an assessment of legal contingencies, a review of the legal confirmation process unbiased to varying accounting disclosure requirements and attorney-client privilege consideration is necessary.


The Legal Confirmation Process

The process starts with auditors reviewing legal invoices and interviewing company management, including in-house counsel to gain an understanding of potential and in-progress litigation. External counsel or law firms engaged to handle such matters may be contacted by auditors for confirmation of the status of legal matters and potential risk of financial gain or loss. In coordination with the client, auditors prepare an audit inquiry or legal representation letter. The letter is signed by the client, and the auditor must then control delivery of the letter to the law firm. Auditors ask that lawyers respond by their anticipated audit completion date.

Once the letter is received, a law firm administrator or paralegal generates a billing report to determine which attorneys have dedicated substantial time to the client during the period under audit and through the anticipated audit completion date. Those lawyers are contacted by the administrator and asked to weigh in for the purpose of an audit response letter. Some law firms have a firm policy of canvassing all attorneys prior to responding to auditors. The firm prepares an audit response letter based on the appropriate attorney’s input. It is common for the law firm and its client to discuss what information will be shared with the auditors. Many firms have an audit letter committee that reviews audit response letters prior to issuance. Finally, the law firm sends the response directly to the auditors, and a copy is sent to the client.

The audit response letter is analyzed by the accounting firm and sometimes discussed further with the client. Prior to issuance of the audit opinion, the law firm may be consulted a final time to ensure no further material developments or new issues have arisen. Any disclosures are included in a contingencies or legal matters footnote, and any accruals are reflected in the balance sheet.


Risks of the Traditional Process

The primary risks of the traditional process are encountered when validation is skipped or auditor control of the process is lost. After the audit inquiry is prepared and signed by the client, auditors must and lawyers should consider these two risks and take steps to reduce or eliminate them.

1. Validation
Contact information for the law firm is often provided to auditors by the client. It is essential that auditors validate the authenticity of the responding entity regardless of the information the auditor seeks to confirm. Audit confirmations for cash, debt, receivables and contingencies are common to every engagement, and having complete confidence in the authenticity of the responding party is critical to the quality of the audit.

While validation is required for auditors to maintain professional skepticism in accordance with auditing standards, it is equally as important for law firms. Considering law firms are the keepers of highly confidential information, it is in everyone’s best interest to share such information only with those properly authorized. For this reason, authenticating the accounting firm to which law firms send audit responses is also critical.

2. Auditor Control
Orchestrating audit confirmations is often a task delegated to first- or second-year audit staff, and their inexperience can be problematic. Once the audit inquiry is signed by the client, auditors are required to deliver the letter directly to the law firm. Auditors may include specific issues in the audit inquiry letter for the law firm to consider in their response, and if the client does not approve, it could be considered a scope limitation. For this reason, it is important that the audit inquiry letter the client and auditors mutually approved is the one the law firm reads prior to submitting their audit response.

It is equally as important that auditors receive audit responses directly from law firms. In the event that control is lost, an opportunity for the client to intercept and modify the request or response document exists. If the audit inquiry is intentionally modified by the client, then an accurate assessment of contingencies is not possible by auditors. Not all attorneys are experts in auditing standards, and for that reason, lawyers sometimes unintentionally
break auditor control by sending their audit response to the client who then hands it off to the auditors. An inexperienced auditor may just place the document in the audit file, and others who review the file would not know the audit response was intercepted by the client and potentially modified.

While a paper-and-mail process endures, technology does offer solutions to these risks.


Audit Confirmation Risk Management

As a much-needed replacement for a risky and inefficient paper-and-mail process, in 2009 and 2010, auditing standard-setting bodies approved the use of online confirmations. The advent of online confirmations mitigates audit confirmation risk, offers a streamlined process and has since become the standard for audit confirmations. Online confirmations also brought with
them updated criteria to ensure the integrity of the audit process, including the steps auditors must take to ensure a confirmation from a third party is reliable audit evidence.

Also critically important, through technology, auditors can always maintain control over the confirmation process — this means ensuring auditors control the delivery of the audit inquiry and receipt of the audit response. Below is an audit confirmation best practices workflow emphasizing the importance of validation and auditor control over the confirmation process.


Final Thoughts

It is fair to say auditors and lawyers may not always agree on the standardization of the content of audit inquiries and audit responses; however, the logistics of the audit confirmation process are acceptable and can be adhered to by both accounting and legal professionals. By doing so, all stakeholders, including accounting firms, law firms, clients and capital markets, are better protected.

For more information, please visit