Skip to content

New PCAOB Resource Covers Audit Firm’s Use of Service Providers for Audit Confirmation

Soyoung Ho  Senior Editor, Accounting and Compliance Alert

· 5 minute read

Soyoung Ho  Senior Editor, Accounting and Compliance Alert

· 5 minute read

The PCAOB issued a new spotlight document after observing that some auditors were not properly applying the board’s standards when they rely on a service provider as part of their audit confirmation process. And the board may focus on this in upcoming audit inspections.

Many auditors use a service provider to send and get electronic audit confirmations from third parties, such as banks or brokerage firms, to verify balances or other information of the audit client. And this practice is becoming more common.

“Recently, we observed diverse practices related to the procedures auditors perform to support such reliance,” the PCAOB said in the new publication. “In some cases, audit firms were not giving any consideration to support whether, as required by PCAOB standards, the auditor maintains control over the confirmation requests and responses in audits where a service provider is used to send and receive confirmations.”

The PCAOB issued Spotlight: Observations and Reminders on the Use of a Service Provider in the Confirmation Process on March 21, 2022.

This is not staff guidance, but it suggests procedures that auditors might find helpful.

PCAOB Auditing Standard (AS) 2310The Confirmation Process, requires auditors to maintain control over the confirmation requests and responses during the confirmation process. Moreover, the board’s quality control standard, QC Section 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice, requires an audit firm to have a quality control (QC) system so that its audit personnel comply with professional standards. This includes maintaining control over confirmation requests and responses.

The board said that auditors must determine that they can rely on the service provider’s processes and controls for direct communication between the auditor and the confirming third-party.

But the PCAOB said that some audit firms did not perform procedures to support their use of a service provider to send and receive confirmations.

Sometimes, audit firms use an Independent Service Auditor’s Report on Service Organization Controls (SOC reports) in evaluating the service provider’s controls related to confirmations. But some firms did not sufficiently evaluate SOC reports, among other issues the PCAOB has observed.

“We encourage audit firms to ensure their QC systems are appropriately designed and operate effectively so that policies and procedures related to the use of a service provider to send and receive confirmations provide reasonable assurance that engagement teams comply with professional standards as it pertains to maintaining control over confirmation requests and responses,” the guide stated.

The following are some suggested procedures that audit firms could perform:

  • Assessing a service provider’s processes and controls;
  • Timely evaluation of SOC reports to consider factors that may affect the risk of misstatement;
  • Inquiring about any changes in the service provider’s controls;
  • Evaluation of complementary user entity controls; and
  • Periodic communications with the service provider.

In the meantime, it is not clear whether the PCAOB will pick back up its standard-setting project on confirmations.

The Spotlight document “is a stand-alone document unrelated to anything else,” PCAOB Spokesperson Jackie Cottrell said.

The board issued a proposal in 2010 in Release No. 2010-003Confirmation, which was intended to modernize an old interim standard when electronic communications were far less advanced than they are today. There was some pushback on the proposal at the time, and the board seemed to have put it on the backburner. (See Revised Proposal for Audit Confirmations May Be Issued in the April 6, 2015, edition of Accounting & Compliance Alert.)

The board, in a standard-setting agenda in 2015, said that the staff had been working toward a revised proposal. However, nothing materialized since then. And it was subsequently removed from the rulemaking agenda.


This article originally appeared in the March 23, 2022 edition of Accounting & Compliance Alert, available on Checkpoint.

Subscribe to our Checkpoint Daily Newsstand email to get all the latest tax, accounting, and audit news delivered to your inbox each weekday. It’s free!

More answers

Tenth Circuit Holds That ERISA Preempts Oklahoma PBM Law

Pharm. Care Mgmt. Ass’n v. Mulready, 2023 WL 5218138 (10th Cir. 2023) Available at The Tenth Circuit has held …