View
221
Download
0
Category
Preview:
Citation preview
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 1/34
GUIDE TO
ELECTRONIC
CONFIRMATIONS
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 2/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
2
Contents
3 Introduction
5 The Conrmation Process
7 How Reliable Are Paper-Based Conrmations?
11 Requirements o an Electronic Conrmation
17 Driving Audit Eciency
21 The True Cost o Paper vs. Electronic
22 Success Stories
26 One Page Plan
27 Electronic Conrmation Security Assessment
30 About the Authors
32 About Conrmation.com
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 3/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
3
W
hen Brian Fox speaks at conerences, he likes to play a recorded sessiono messages received on their customer support hotline. Sta auditors
mistakenly believe their company is a bank, and call them to ollow up on the paper-based conrmations they mailed out weeks ago that were never returned.
“I’m calling to ollow up … We axed our third request last month … We really need this to nish up our audit. Could you please, PLEASE … sixth time I’ve called... ”
What comes through most vividly is the rustration. We’ve all been there. You’rea sta auditor, and it’s bad enough you have to spend time stung envelopes withconrmations. Now, to add insult to injury, you’re making rantic phone calls at the
eleventh hour, leaving voice messages, trying to track down a single piece o paper.
There is a Better Way
Paper-based conrmations have been with us since the beginning o the auditproession 130 years ago. Through numerous changes in technology, businesspractices and auditing rules and regulations, the paper and mail system or makingdirect contact with third parties has endured. In the process, it has becomeincreasingly outdated, less ecient and less secure every year.
But there is a better way!
In 2007, those who set auditingstandards approved the use o electronic conrmations as a much-needed replacement to the traditionalpaper and mail-based process. Inorder to preserve the integrity o the conrmation process, they careully dened what is and is not an electronicconrmation as well as the steps auditors must take to ensure a conrmation isreliable audit evidence.
There’s good reason why stewards o the proession want to encourage the use o electronic conrmations. You can’t do a 21st century audit using 19th century technology.
Introduction
Starting October 1, 2008, Bank of
America required all of its customers’
external auditors to use electronic
conrmations through Conrmation.com.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 4/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
4
The auditors o Parmalat and CF FOODs recently discovered this the hard way.
The management o both companies concealed massive rauds by compromisingthe auditor’s paper-based conrmation process. A properly designed, electronicconrmation would have prevented this cover-up.
Academic research shows that electronic conrmations produce a much lower errorrate than the paper alternative. Similar research reveals that replacing paper-basedconrmations with electronic conrmations leads to tremendous audit eciencies.Some in the proession have declared the adoption o electronic conrmations tobe a “oregone conclusion,” and with leading banks now requiring auditors touse electronic conrmations, we expect the rate o adoption to continue its rapidincrease.
In this publication you’ll learn why and how to make the switch.
L. Gary Boomer, CPA.CITPC. Brian Fox, CPA
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 5/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
5
I
ndependent auditors are required to obtain “sucient appropriate audit
evidence” to support their opinion on the nancial statements.
“Sucient” relates to the quantity o audit evidence obtained. Has the auditorgathered enough?
“Appropriate” relates to relevance and reliability.
All three baseline elements must be in place or the auditor to ulll hisresponsibilities. It doesn’t matter how much audit evidence the auditor obtains; i that evidence isn’t reliable, then the audit quality has been compromised.
Questions regarding the use o conrmations relate to reliability. Areelectronic conrmations as reliable as paperconrmations? In act, evidence suggeststhat electronic conrmations are morereliable than paper.
The Conrmation Process
It doesn’t matter how much
evidence the auditor obtains;
if that evidence isn’t reliable,
then the audit quality has been
compromised.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 6/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
6
Building a Reliable Conrmation
Process
The stewardship o audit quality rests upon a variety o standards setting organizations. Therules or auditor perormance are set by the
AICPA (audits o non-public companies), thePCAOB (audits o public companies) and theIAASB (international audits).
Although the language o the three standards may vary, undamentally they all agreeon the our tenets o perorming a proper conrmation.
• Communicatedirectlywithandreceiveanactiveresponsefromthethirdparty
• Exerciseprofessionalskepticism
• Identifyandvalidatearespondentwhoisfreefrombiasandauthorizedtorespond
• Maintaincontroloftheconrmationprocess
Only by ollowing these our tenets can theauditor ensure that the conrmation he orshe receives is meaningul.
“The auditor should consider
whether there is sufcient basis
for concluding that a conrmation
request is being sent to a valid
respondent from whom a response
will be meaningful and provide
competent evidential matter. If
there is not a sufcient basis for
that conclusion, the conrmation
process is useless.”
- Doug Carmichael Former Chief
Auditor of the PCAOB
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 7/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
7
M
any auditors believe that simply receiving a
signed response to a conrmation requestprovides the proper audit evidence. This is notso. Without a sucient basis or concludingthat the conrmation has been signed by a validrespondent, the conrmation lacks the high levelo reliability necessary to constitute competentaudit evidence.
The ollowing raud schemes identiy the allacy in this belie that a signedconrmation is all that is required. These examples serve as notice to auditors that,unless they apply the our tenets o a proper conrmation, they are not ollowing the
requirements o a Generally Accepted Auditing Standards (GAAS) audit.
Conrmation Fraud Schemes
Client provides alse contact inormation
In a survey o over 150 accounting rms, researchers discovered that almost all o the mailing addresses or conrmations are provided to the auditor by the client ortaken directly rom client-provided bank statements.
To thwart the paper conrmation process, a dishonest client simply uses a scanningmachine to manipulate or even create a alse statement and provides incorrectcontact inormation in an eort to deraud the auditor. This appears to be one o the techniques employed by Parmalat executives, who committed that company’salmost $5 billion audit conrmation raud.
What an auditor must be aware o is that using today’s technology, a dishonest clientcan easily adjust the balance on a statement and change the contact inormation tobe a riend’s address, phone/ax number and email. Fraudsters do not have to usea riend’s address as Mark Morze, the ormer CFO o ZZZZ Best Carpet Cleaning,did. Instead, they can use a UPS Store mail account, which is presented as a real
street address and not a P.O. Box address. Phone numbers can be prepaid cell phonenumbers or a FedEx Oce store ax number. Email addresses can have extensionsthat closely resemble a legitimate client’s email extension.
How Reliable Are Paper-Based Conrmations?
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 8/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
8
In an attempt to ool an auditor, a raudster with $200 can easily establish three
sources o legitimate contact inormation (address, ax and phone lines) at any executive oce suite oering those services. In some cases they can establish anemail account, and a receptionist will answer the phone using the name o whatevercompany the raudster asks.
Ongoing improvements in scanning and printing capabilities will continue to makethese types o activities that much more dicult to detect, even as today’s regulatory scrutiny and public expectations demand that auditors catch such rauds.
Client provides the contact name
When auditors do spend the time and resources to independently validate theaddress, phone/ax number or email or a nancial institution, they oten do notindependently know or validate an individual clerk within the conrming entity.
To circumvent the paper conrmationprocess when auditors validate contactinormation, a raudster simply providesthe correct mailing address along withphone and ax numbers, but has a co-conspirator within that organization. Thisdishonest associate may be a riend orrelative who raudulently lls out the paperconrmation and may even sign it with thename o another employee in order to hideinvolvement rom the auditor.
In one case, the Director o Apparel Sales or Adidas America intentionally providedauditors alse inormation because o his motivation or uture sales to his client.Just or Feet’s auditors sent an accounts receivable conrmation directly to the
Adidas Director o Sales, who conrmed $2.2 million in receivables due when inreality Adidas only owed Just or Feet approximately $40,000.
This one event exposed both companies, every individual involved in the audit andthe audit rm itsel to a huge liability.
Maintaining control [of the
conrmation process] includes
performing procedures to verify
that the conrmation is being
directed to the intended recipient.
ASB Auditing Interpretation (AU
9330.04)
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 9/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
9
Client infuences the conrmation process
With a little eort, a dishonest client can create third-party credentials that closely resemble legitimate credentials. For example, an inexpensive ake website, displayedas i it were or a legitimate nancial institution, can be quickly created to provideillegitimate contact inormation.
In two separate cases during 2004, thievescreated ake U.S. Bank and Union PlantersBank websites to steal important onlinebanking inormation rom customers.These raudsters were even able to highjack
and use an email with the real bank emailextension to direct customers to the ake
websites. I the bank’s own customers could not distinguish a real website rom theake, how can those o us who might see it once a year determine whether it is realor ake?
Signature verication is impracticable
Given all the possible loopholes to circumvent the paper conrmation process, it isnot practical to think an auditor has the resources to validate the signature o theperson who responded to a conrmation request.
In today’s environment, unortunately, a cursory review o a signature nolonger provides a saeguard rom liability when presented to a jury that does notunderstand why a signature was not validated and does not appreciate the challengesassociated with checking the validity o a signature on a paper conrmation. Juriesdo not understand the tremendous resources that are required to accomplish suchan ongoing task.
Fraudsters know that the type o eort required to validate the signature o theconrming entity is rarely used proactively to prevent raud. Enormous costs are
involved, and it is only used once a potential raud is identied. At this stage itcould be too late to eliminate the liability associated with the raud exposure.
The fake signature of a legitimate
employee from the bank was used
by Parmalat executives to “verify”
almost $5 billion.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 10/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
10
With this in mind, raudsters alsely responding
to a conrmation request simply scribble thesignature o anyone, to include the signature o alegitimate signatory, to eectively validate a paperconrmation response.
A ake signature was used to perpetrate theParmalat raud. Believing that the auditors mightattempt to validate the employment o the person
who signed the conrmation, the ake signature o a legitimate employee rom thebank was used by Parmalat executives to “veriy” almost $5 billion.
Cracking Down on Fraud Schemes
In response to these and similar raud schemes, the Auditing Standards Board issuedan interpretation in 2008 that more clearly dened the auditor’s responsibilities
when using conrmations to obtain audit evidence.
On all audits, the auditor should consider the reliability o the inormation obtainedthrough the conrmation process. To do that, he or she must assess the risks that:
• Theinformationprovidedinthe
conrmationmaynotbefroman
authenticsource
• Thepersonrespondingtothe
conrmationmaynotbeknowledgeable
abouttheinformationbeingconrmed
• Theintegrityoftheinformationmay
havebeencompromised
“The existing paper-based
conrmation process has exposed auditors to substantial legal liability
over the past two decades.”
George Aldhizer and James Cashell
“Automating the Conrmation
Process” The CPA Journal ; April,
2006
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 11/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
11
T
o ensure the reliability o electronic conrmations, the Auditing Standards
Board states that electronic conrmations can be considered reliable auditevidence i the auditor is satised that:
• Theelectronicconrmationprocessissecureandproperlycontrolled
• Theinformationobtainedisadirectcommunicationinresponsetoarequest
• Theinformationisobtainedfromathirdpartywhoistheintendedrespondent(See
AU9330.05)
Ensuring Reliability
The diagram below illustrates the relationship between the auditor and the
responder to an electronic conrmation request. It indicates that authentication, validation and security are required at three dierent levels.
Requirements o an Electronic Conrmation
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 12/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
12
• Individualauditstaffandresponders.Authenticationandvalidationarerequired
toestablishtheidentityoftheauditormakingtherequestandthepersonresponding
toit.Bothpartieswillwanttoask:
» Is the person I’m communicating with who he or she claims? » Is that person authorized to communicate with me? » Is the person responding to the conrmation qualied and authorized to
respond?
• Auditrmandrespondingentity.Bothpartieswillwantassurancethattheentity
withwhichtheyaredealingislegitimate.
• Communicationchannel.Bothpartiesneedtoknowthattheyarecommunicating
informationthroughasecureservice.
Authentication and Validation
A reliable electronic conrmation process means that the auditor has assurance he orshe is sending the conrmation request to the intended recipient. At the entity level,the auditor should determine that the conrming entity is a legitimate enterprise by
validating inormation like:
• Primarymailingaddress
• Physicaladdress
• Website
• Telephonenumber
At the individual level, the auditor should veriy the identity o the respondent,obtain some assurance that he or she is qualied and authorized to respond, and hasaccess to the necessary data or a response.
The responding organization also needs assurance that the auditor is who he orshe claims to be and has the client’s permission to request the conrmation. Forexample, the responder will want to veriy the audit rm’s:
• Mailingaddress• Website
• CPAlicense
• Telephonenumber
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 13/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
13
Some electronic conrmation providers will have a
network o validated responders. Establishing sucha network requires the provider to take steps toauthenticate and authorize both the entity and theindividual responders to the conrmation request.
Data Security
Conrmations contain highly sensitive inormationsuch as the audit client’s bank account number, loan number and bank balances.For that reason, an electronic conrmation process must have controls that create asecure communication channel between the auditor and the conrmation responder.
Such controls typically include elements such as:
• Passwordsforindividualparticipants
• Dataencryption
• Firewallsthatprotectthesystemfromunauthorizedintrusion
• Intrusiondetectionandpreventionsystems
Ensuring the Security o the Electronic Conrmation Platorm
Both responders and auditors demand ahigh level o security rom any electronicconrmation platorm. Responders suchas banks rightly view the platorm as anextension o their own IT system, and they
want to make sure that the overall security o the system retains its integrity. It iscommon or banks that use an electronicconrmation process to perorm periodicin-depth security reviews o the electronic
conrmation provider’s IT system.
“An electronic conrmation process
that creates a secure conrmation
environment may mitigate the
risks of human intervention and
misdirection. The key lies in the
process or mechanism used by
the auditor and the respondent
to minimize the possibility that
the results will be compromised
because of interception, alteration
or fraud with respect to the
conrmation.”
AICPA Updated Practice Alert 03-1,
Audit Conrmations
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 14/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
14
Likewise, auditors should request a SAS 70 Type II and a SysTrust review as part o
their required security assessment o the electronic conrmation provider.
These Techniques Fail the Test
While auditors are nding alternatives to traditional paper-based conrmations,they should ensure these methods meet the requirements o the auditing standards.The Auditing Standards Board has weighed in on the two most prevalent non-paper-based conrmation techniques and determined that they do NOT meet theirrequirements.
• Conrmationssentorreceivedviae-mailaretypicallyalessreliableformofaudit
evidence,becauseitisdifcultifnotimpossiblefortheauditortoestablishtheoriginoftheemailordeterminewhethertherespondentisknowledgeableaboutthe
mattersbeingconrmed.(SeeAU9330.03)
• Anonlineinquiryofathirdparty’sdatabasedoesnotconstituteaconrmation,
butratheranalternativeprocedure.Thereasonisthataconrmationfromathird
partyrequiresanactiveresponsefromthatthirdparty,andanauditorlookingup
informationonadatabasedoesnotincludetheactiveinvolvementofthethirdparty
respondents.(AICPAUpdatePracticeAlert03-1)
In-Network Conrmation and an Out-o-Network Conrmation
Not all electronic conrmation processes are created equal. In order to select anappropriate solution, the auditor must understand the dierences in unctionality,the requirements o the auditor, and the response rates or the two main typeso electronic conrmation processes, the “in-network” process and the “out-o-network” process.
Both processes should include security measures to ensure data integrity. Wherethey dier is in the authentication and verication o responders to the conrmationrequest.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 15/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
15
In-Network – Some electronic conrmation providers have established a network
o participating banks and other responding entities. Establishing such networksrequires the provider to take steps to authenticate and authorize both the entity andthe individual responders to the conrmation request. The auditor can rely on thein-network solution and is not required to perorm additional authentication andauthorization procedures.
Out-o-Network – An out-o-network electronic conrmation platorm does notinclude authentication and authorization o the respondent. The provider o anout-o-network service has perormed no procedures to validate either the entity or the individual responding to the conrmation. That responsibility alls to theauditor who is required to determine that the conrmation was sent to the proper
source and that the respondent was authorized to respond.
In general, in-network conrmations are more secure and ecient than out-o-network conrmations. Expect to pay more or this added protection andconvenience. The ollowing table summarizes the dierences between in-network and out-o-network conrmation processes.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 16/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
16
Requirements for Audit Confirmations
Requirements Electronic Confirmations Alternative Procedures*(Email & Direct Access)
PaperConfirmations
In-Network Out-of-Network
S A S 6 7 / A U 3 3
0
Control the process Electronic confirmationprovider
Electronic confirmationprovider
Auditor
Knowledgeable and freefrom bias respondent
Electronic confirmationprovider
Auditor Auditor
Determine respondingindividual is authorizedto respond
Electronic confirmationprovider
Auditor Auditor
P r a c t i c e A l e
r t 2 0 0 3 - 0
1
Establish directcommunication withrespondent
Electronic confirmationprovider
Electronic confirmationprovider
Auditor Auditor
I n t e r p r e t a t i o n 9 3 3 0
Maintain integrity of the data and datatransmission
Electronic confirmationprovider
Electronic confirmationprovider
Auditor
Authenticate respondingentity
Electronic confirmationprovider
Auditor Auditor
SAS 70 Type II andSysTrust certification
Electronic confirmationprovider
Electronic confirmationprovider
Auditor
Website authentication Electronic confirmationprovider
Electronic confirmationprovider
Auditor
Comparative Results
Efficiency Statistics Electronic Confirmations Electronic AlternativeProcedures
PaperConfirmations
In-Network Out-of-Network
Response rates 100% 50 - 60% 50-60% 71%
Average turnaroundtimes
1.08 days 3 - 5 days 3-5 days 21 - 40 days
Reconfirmation rates 9.7% 20 - 25% 20-43% 43%
Pros and Cons
Pros and Cons Electronic Confirmations Electronic AlternativeProcedures
PaperConfirmations
In-Network Out-of-Network
Pros Reduces auditor’s exposureto fraud
Efficient Faster than paper Same results for thelast 80 years
Greatest efficiency
Cons Auditor must assess thedesign and operating
effectiveness of controls.SysTrust and SAS 70Type II may assist the
auditor in performing theirassessment.
Auditor must assess thedesign and operating
effectiveness of controls.SysTrust and SAS 70 TypeII may assist the auditor in
performing their assessment.
Not a valid audit confirmation Slowest turnaroundtime
Auditor must perform
procedures to authorize andauthenticate responding
entity and individual
Difficult to assess and validate
the respondent
High error rate
High exposure to fraud High exposure tofraud
* Electronic alternative procedures like email and direct access to a database, while they may provide audit evidence, they are not a confirmation for audit andattest purposes.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 17/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
17
T
he use o electronic conrmations leads to a more ecient audit process.
Research indicates that compared to paper-based conrmations, electronicconrmations result in dramatic improvements in three key audit eciency metrics:response rates, turnaround times and reconrmation rates.
Conrmation Response Rates
Non-responses to conrmation requests require the auditor to perorm alternativeprocedures. Not only are alternative procedures time consuming, they are a lessreliable orm o audit evidence.
ResponseRates
Driving Audit Eciency
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 18/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
18
Turnaround Times
Slow turnaround times require the auditor to spend more time ollowing up withthird parties to get a response. Faster turnaround also gives the auditor more timeto ollow up on discrepancies and exceptions.
AverageTurnaroundTime(inDays)
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 19/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
19
Error Rates
It is not uncommon or responders to conrm incorrect inormation or otherwisemake errors in the conrmations they return to the auditors. When the respondermakes an error, the auditor must either reconrm with the responder or perormadditional procedures to gather the audit evidence originally sought throughconrmation.
ReconrmationRates
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 20/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
20
Centralize the Conrmation Process
Many CPA rms have secured audit ecienciesby centralizing their conrmation eorts. They assign one person in the rm to coordinate thesending and receiving o conrmations or allaudit engagements, and individual audit teams
work directly with that one individual.
An electronic conrmation process is ideal or rms that use or are looking toimplement a centralized conrmation process.
Paperless Audits
Many rms have adopted paperless auditing to increase eciency. Most paperlessaudit solutions like CaseWare Working Papers, CCH’s ProSystem x® Engagementand Thomson Reuters Engagement CS™ now integrate directly withConrmation.com, an electronic conrmation service. This integrated solutiondrives urther eciencies, because audits no longer require manual intervention tomanage the conrmation process or to scan and upload paper-based conrmationresponses.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 21/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
21
C
onsider one sta member at a typical CPA rm. Suppose over the course o
her busy season she works on six dierent audits and audits a total o 40 bank accounts. How much time would she spend on a paper-based conrmation process,and what would it take her to do it electronically? Assume the ollowing:
In-Network Electronic Out-o-Network Electronic Paper-Based
Assumption Total Assumption Total Assumption Tota
Prepare and sendconrmations, log-in results
10 mins per job; 6 jobs
1 hr. 20 mins per job; 6 jobs
2 hrs. 30 mins per job; 6 jobs
3 hrs
Reconrm non-responses 5% reconrmrate; 40 original
conrmations;2 conrms toreconrm
0.1 hr. 25% reconrmrate; 40 original
conrmations;10 conrms toreconrm
0.25 hr. 40% reconrmrate; 40 original
conrmations;16 conrms toreconrm
1 hr.
Alternative procedures ornon-responses
0% non-responses 0 hrs. 40% non-responses;40 originalconrmations;16 alternativeprocedures at 10minutes per
2.5 hrs. 29% non-responses;40 originalconrmations;12 alternativeprocedures at 10minutes per
2 hrs
General ineciency causedby excessive delays in
response
All responsesreceived in one
business day
0 hrs. 5 minutes per job;6 jobs
0.5 hr. 20 minutes per job;6 jobs
2 hrs
Total Time 1.1 hrs. 5.25hrs.
8 hrs
Time Savings 6.9 hrs. 2.75hrs.
0 hrs
A paper-based, bank conrmation eort might take a day or just one sta personover the course o a busy season; an electronic conrmation process requires a littlemore than an hour. What would seven hours per sta person do or your rm’srealization?
The True Cost o Paper vs. Electronic
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 22/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
22
W
ith over 500 auditors located in
10 oces, The Reznick Groupis one o the largest accounting rmsin the nation. As a way to drive auditeciency and address raud risk, several
years ago the rm decided to makethe switch to electronic conrmations.Rather than replace paper conrmations nationwide, the rm decided to pilotelectronic conrmations starting in its Atlanta oce.
Centralized Conrmation Eort Provides Even Greater Eciency
Previously, each audit team had been responsible or sending and receiving theconrmations or its client. Together with the switch to electronic conrmations,the rm elt that even more eciencies could be realized i it centralized itsconrmation eort.
Responsibility or managing the conrmation process was transerred romindividual audit teams to two paraproessionals in the Atlanta oce. The two o them received personalized training rom Capital Conrmation on how to operateits system, and the electronic conrmation process was up and running.
Paraproessional John Huynh estimates that each busy season he sends and receivesthousands o bank conrmations. “Beore, you never saw how much work it really took because conrmations weren’t centralized in one place. Now I can see it all.It’s a huge eort.”
John Pushes a Button
The Conrmation.com system stores audit client and bank data in its system, whichmakes it easy to reprise each client’s conrmation requests rom year-to-
year. Once the audit team begins its eldwork they make any necessary changes tothe previous year’s data, John pushes a button, and the conrmations are sent.
“I can literally get a response within an hour,” says John. “It goes right to thebank’s queue, and they have to give me some kind o response. It doesn’t get lost.”
Success Stories
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 23/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
23
Beore using electronic conrmations, each audit team would send out paper
conrmations and wouldn’t expect an answer back or several weeks. The time andaggravation spent ollowing up on conrmation requests was signicant.
Continuous Improvement
Like other Conrmation.com clients, The Reznick Group paraproessionals provide valuable insight into uture enhancements to the system. Clark Hudgins, VicePresident Accounting Proession, routinely gathers input rom clients on how toimprove the user experience.
Says John, “Clark will call and ask ‘hey, John, what do you think o this?’ and I tell
him.” Many o these user suggestions eventually become system upgrades.
Nationwide Roll Out
Because o the success o the Atlanta oce pilot, The Reznick Group now useselectronic conrmations on all audits nationwide. They’ve created even moreeciency by ollowing the lead set by the Atlanta oce to centralize all auditconrmations.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 24/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
24
G
reg Shelton, CPA is a sole practitionerin Bartlett, Tennessee. He has our audit
clients and sends out about 20 conrmations each year. He has been an auditor or 25 years and wasone o the rst users o electronic conrmations.
When he rst made the switch rom paper, he wassurprised that he was the only sole practitioneror small local rm in the list o users. But theadvantages o using electronic conrmations can be realized by any rm, regardlesso their size.
Just Get It Done
When he rst learned o electronic conrmations, Greg immediately recognized thebenets o making the switch rom paper. “I hate waiting three or our weeks to geta conrm rom a bank. I like to just get it done. Now I can get a conrm returnedrom the bank beore I even start eldwork,” says Greg.
Once a company is set up on the Conrmation.com system, sending conrmationsin subsequent years is a ve minute task: change the date and the auditor is done
with a single click o his mouse.
Conrming Liabilities
Greg is quick to point out that a standard bank conrmation does more than simply conrm bank balances, it also gathers inormation about loans, letters o credit andother liabilities. Obtaining this inormation is crucial especially when auditing asmall business, where many times the liability may not appear on the books.
“You have situations where a loan was obtained to purchase equipment, and thecash never fowed through the company. Or the company got a line o credit andthe owner took a draw directly that was never recorded on the company’s books.”
Using electronic conrmations allows the auditor to identiy those unrecordedliabilities immediately, rather than waiting several weeks (sometimes ater theconclusion o eldwork) to receive a paper conrmation.
Success Stories
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 25/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
25
Pass Through the Cost
Greg passes through the cost o the electronic conrmation service directly to hisclients. Even though his clients are billed about $100 on each audit, overall they end up saving money because Greg spends essentially no time on the conrmationeort. “It’s a win-win situation because it saves money or the client and improveseciency or my business,” says Greg.
A No-Brainer
Greg is sold on electronic conrmations. Like anything else, there’s a learningcurve, but with electronic conrmations that curve isn’t too steep. “Once you get
past your rst one, it’s a breeze,” he says. “It’s really a no-brainer.”
There’s only one downside to his switch to electronic conrmations. Greg has astack o paper bank conrmations he ordered eight years ago taking up space in hisstorage cabinet. I you see them show up on e-Bay, you’ll know why.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 26/34
2 6
S t r a t e gi c O b j e c t i v e
M e a s ur em en t
S t r a t e g y / I ni t i a
t i v e
D u eD a t eTi m
eF r am e
A s s i gn e d T o
1 .
R e s e a r c h , a n a l yz e t h e
a v a i l a b l e o p t i on s .
•
D e v el o p a s h or t l i s t
•
C om pl e t e t h e a t t a c h e d E l e c t r oni c
C onf r m a t i on S e c ur i t yA s s e s s m en t or e a c h
o p t i on
2 w e e k s
E l e c t r oni c C onf r m a t i on
T a s k F or c e
2 .
S el e c t a s e c ur e el e c t r oni c
c onf r m a t i on s er vi c e a n d
d e t er mi n ei m pl em en t a t i on
m e t h o d - C en t r a l i z e d
or
D e c en t r a l i z e d .
•
E l e c t r oni c c onf r m a t i on
s er vi c e s el e c t e d
•
C en t r a l i z e d i m pl em en t a t i on
i s wh er e a n o f c e
c en t r a l i z e s t h e c onf r m a t i on
r e s p on s i b i l i t y t o
a p a r a pr o e s s i on a l or a d mi ni s t r a t i v e a s s i s t a n t
wi t h i n t h ef r m
•
D e c en t r a l i z e d i m pl em en t a t i oni s wh er e
e a c h en g a g em en t t e a mm a n
a g e s t h ei r o wn
c onf r m a t i on s
1 w e e k
CE O / E l e c t r oni c
C onf r m a t i onT a s k F or c
e
3 .
I m pl em en t a s e c ur e
el e c t r oni c c onf r m a t i on
s er vi c e .
•
E l e c t r oni c c onf r m a t i on
s er vi c ei m pl em en t e d
1 . C omm uni c a t e t oP a r t n er s ,M a n a g er s a n d K e y
S t a k eh ol d er s t h e d e c i s i on t o a d o p t el e c t r oni c
c onf r m a t i on s a n d en s ur e t h
e y wi l l s u p p or t
t h en e w d i r e c t i on
2 .P r o vi d e a n o v er vi e w o t h e s er vi c e t o en t i r e
f r m ( c a n b e d on e vi a n e w s l e t t er , c on er en c e
c a l l ,m e e t i n g )
3 .H a v e t h e u s er s g o t h r o u gh t h e onl i n en a r r a t e d
t r a i ni n g t u t or i a l
4 . Wi t h C en t r a l i z e d i m pl em en
t a t i on s ,i n c l u d e a
s h or t t r a i ni n g on t h er ol e s a
n d r e s p on s i b i l i t i e s
o t h e en g a g em en t t e a m ( n e w s l e t t er ,
c on er en c e c a l l , s t a m e e t i n
g )
1 w e e k
E l e c t r oni c C onf r m a t i on
T a s k F or c e
4 .
I m pr o v e c u s t om er
r el a t i on s h i p s
•
C omm uni c a t e t h e
i m pr o v e d pr o c e s s t o y o ur
c l i en t s
•
C omm uni c a t i on t o c l i en t s c a n b e d on e a t t h e
b e gi nni n g o e a c h a u d i t .E x
pl a i n t o t h em t h e
n e w pr o c e s s , t h ei r r ol e , a n d
t h ei m pr o v em en t s
i n s e c ur i t y a n d e f c i en c y wi t h el e c t r oni c a u d i t
c onf r m a t i on s .
On g oi n g
A l l E n g a g em en t T e a m s
5 .
M oni t or t h e pr o c e s s a n d
a d o p t i on
1 .P er c en t a g e o f r m a n d
a u d i t s a d h er i n g t o t h e
n e w pr o c e s s
2 .T ur n a r o un d t i m e s
3 . R e s p on s er a t e s
4 . R e c onf r m a t i onr a t e s
•
D e v el o p d e a d l i n e or f r m w
i d e a d o p t i on
•
I n c l u d e onl i n en a r r a t e d t r a i ni n g t u t or i a l or
el e c t r oni c c onf r m a t i on s i nn e wh i r e t r a i ni n g
On g oi n g
CI O / E l e c t r oni c
C onf r m a t i onT a s k F or c
e
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 27/34
2 7
R e q ui r e d or
R e vi e w e d ,A p pr o pr i a t e &I nP l a c e
I n- N e t w or k
O u t - o - N e
t w or k
Y e s
N o
N o t e s
R e vi e w er
1 . S A S 7 0 T y p eI I
√
√
1 . 0 1
P er or m e d e v er y 6 m on t h s
√
√
1 . 0 2
C o
n t r ol s or Or g a ni z a t i on &A d mi ni s t r a t i on
√
√
1 . 0 3
C o
n t r ol s or S y s t em s D e v el o pm en t & Ch a n g e
M a n a g em en t
√
√
1 . 0 4
C o
n t r ol s or C om p u t er O p er a t i on s
√
√
1 . 0 5
C o
n t r ol s or P h y s i c a l A c c e s s &E n vi r onm en t a l C
on t r ol s
√
√
1 . 0 6
C o
n t r ol s or A u t h en t i c a t e d P r o p er S o ur c e
√
N / A
1 . 0 7
C o
n t r ol s or A u t h or i z e d U s er s
√
N / A
1 . 0 8
C o
n t r ol s or P r o p er Cl i en t A u t h or i z a t i on
√
√
1 . 0 9
C o
n t r ol s or D a t a I n t e gr i t y & S y s t emT r a n s mi s s i on
I n t e gr i t y
√
√
1 .1 0
C o
n t r ol s or E l e c t r oni c S i gn a t ur e s
√
√
1 .1 1
C o
n t r ol s or B a c k u p & R e c o v er y / D a t a R e t en t i on
√
√
2 . S y s Tr u s t C er t i f c a
t i on
√
√
2 . 0 1
P er or m e d e v er y 6 m on t h s
√
√
2 . 0 2
I n c l u d e s P r i n c i pl e o A v a i l a b i l i t y
√
√
2 . 0 3
I n c l u d e s P r i n c i pl e o C onf d en t i a l i t y
√
√
2 . 0 4
I n c l u d e s P r i n c i pl e o P r o c e s s i n gI n t e gr i t y
√
√
2 . 0 5
I n c l u d e s P r i n c i pl e o S e c ur i t y
√
√
2 . 0 6
I n c l u d e s P r i n c i pl e o P r i v a c y
√
√
3 .P r i v a c yP o l i c y
√
√
3 . 0 1
C e
r t i f e d b yr e c o gni z e d 3 r d P a r t y ( e . g .T R U S T e )
√
√
3 . 0 2
I n c l u d e s E U S a eH a r b or C er t i f c a t i on ( h i gh e s t
a v a i l a b l e )
√
√
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 28/34
2 8
R e q ui r e d or
R e vi e w e d ,A p pr o pr i a t e &I nP l a c e
I n- N e t w or k
O u t - o - N e
t w or k
Y e s
N o
N o t e s
R e vi e w er
4 . W e b s i t eA u t h en t i c a t i on
√
√
4 . 0 1
E x t en d e d V a l i d a t i on S S L C er t i f c a t i on b yr e c o g
ni z e d 3 r d
P a r t y ( e . g . V er i S i gn )
√
√
5 .Di s a s t er R e c o v er y
P l an
√
√
5 . 0 1
T e s t e d a t l e a s t Q u a r t er l y
√
√
6 .H o s t i n gF a c i l i t i e s
√
√
6 . 0 1
P r i m a r yH o s t i n gF a c i l i t y wi t h S A S 7 0 T y p eI I o
r I S O
C e
r t i f c a t i on ,mi ni m umT i er 4 a c i l i t y
√
√
6 . 0 2
S e p a r a t e B a c k u pH o s t i n gF a c i l i t y wi t h S A S 7 0 T
y p eI I or
I S O C er t i f c a t i on ,mi ni m umT i er 4 a c i l i t y
√
√
7 .I n s ur an c e s
√
√
7 . 0 1
R a
t i n gA + or b e t t er i n t h e c ur r en t B e s t ’ s I n s ur a n c e
R e
p or t s p u b l i s h e d b yA .M . B e s t C om p a n y
√
√
7 . 0 2
E - c omm er c eT e c h n ol o g yL i a b i l i t y
√
√
7 . 0 3
U s
er P r i v a c yP r o t e c t i on t o c o v er 1 y e a r w or t h o
C o
n s um er Cr e d i t M oni t or i n gi n t h e e v en t o a S e c ur i t y
B r e a c h
√
√
7 . 0 4
C o
mm er c i a l G en er a l L i a b i l i t y
√
√
7 . 0 5
P r o e s s i on a l P r a c t i c e
√
√
7 . 0 6
Um
b r el l a C o v er a g e
√
√
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 29/34
2 9
R e q ui r e d or
R e vi e w e d ,A p pr o pr i a t e &I nP l a c e
I n- N e t w or k
O u t - o - N e t w
or k
Y e s
N o
N o t e s
R e vi e w er
8 . S e c ur i t y
√
√
8 . 0 1
C om pl i a n t wi t h I S O2 7 0 0 1 C on t r ol O b j e c t i v e s
8 . 0 2
A l l I T
i n r a s t r u c t ur e & a c c e s s l i mi t e d t o onl y c om p
a n y
em pl o
y e e s ( e . g .i n c l u d i n g S y s t emA d mi ni s t r a t i on /
R o o t
A c c e s s )
√
√
8 . 0 3
P h y s i c a l a n d l o gi c a l a c c e s s c on t r ol i s a m a n a g e d pr o c e s s
( e . g . a c c e s s c on t r ol l i s t s , c h a n g em a n a g em en t ,m on
i t or i n g
&l o g
gi n g )
√
√
8 . 0 4
Onl y
d e d i c a t e d s er v er s a r e u t i l i z e d ( e . g .n o s h a r e d
c om p u t i n g en vi r onm en t s )
√
√
8 . 0 5
A l l c o
m p a n y em pl o y e e s h a v eF e d er a l & S t a t e b a c k gr o un d
c h e c k
s , a nn u a l d r u g t e s t i n g , a n d a r ef n g er pr i n t e d
√
√
8 . 0 6
S en s i t i v e c onf r m a t i on d a t a s t or e d u s i n g c r y p t o gr a ph i c
a l g or i t h m s mi ni m um k e yl en g t h 1 9 2 - b i t ( e . g .T r i pl e
DE S )
√
√
8 . 0 7
C onf
r m a t i on D a t a i s t r a n s mi t t e d wi t h a mi ni m um
o
1 2 8 - b
i t S S L u s i n gr e c o gni z e d 3 r d P a r t y en c r y p t i on
c er t i f
c a t e ( e . g . V er i s i gn )
√
√
8 . 0 8
I n t r u s i onP r e s en t a t i on S y s t em ( I P S ) a n d I n t r u s i on
D e t e c
t i on S y s t em ( I D S ) a r e b o t h d e pl o y e d or s e c ur i t y
√
√
8 . 0 9
W e b A p pl i c a t i onF i r e w a l l or HT T P S t r a f c i n s p e c t i on
√
√
8 .1 0
D e en
s ei n D e p t h s t r a t e g y d e pl o y e d
√
√
8 .1 1
E x t er n a l V ul n er a b i l i t y &P en e t r a t i onT e s t i n g p er o
r m e d
b yr e c
o gni z e d 3 r d P a r t y ( e . g .M c A e e S e c ur e )
√
√
8 .1 2
I n t er n a l V ul n er a b i l i t y &P en e t r a t i onT e s t i n g p er or m e d
u s i n g
i n d u s t r y s t a n d a r d t o ol s ( e . g .A p p S c a n , W e b i n s p e c t )
√
√
8 .1 3
Vi r u s
pr o t e c t i onr un s on a l l s er v er s
√
√
9 .E l e c t r oni c C onf r m a t i onP r o c e s s
√
√
9 . 0 1
A u s er c a nn o t el e c t r oni c a l l y s i gn s om e on e el s e’ s n a
m e on
t h e c o
nf r m a t i on
√
√
9 . 0 2
U s er a c t i vi t yi s l o g g e d
√
√
1 0 .A d d i t i on a l I t em s
√
√
1 0 . 0 1
D ef n e d S er vi c eL e v el A gr e em en t wi t h E s c a l a t i on
P r o c e
d ur e s
√
√
1 0 . 0 2
R e vi e w S er vi c eA gr e em en t
√
√
1 0 . 0 3
R e vi e wP r i v a c yP ol i c y
√
√
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 30/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
30
About the Authors
L
Gary Boomer is CEO o Boomer Consulting,
Inc., an organization that provides planningand consulting services to leading rms in theaccounting industry. Boomer strategies chart atransormation roadmap that results in increasedrevenue, goal-oriented personnel and businessgrowth.
Gary is recognized in the accounting proessionas the leading authority on technology and rmmanagement. For the past twelve years, he hasbeen named by Accounting Today as one o
the 100 most infuential people in accounting.He consults and speaks around the globe onmanagement and technology related topicsincluding strategic and technology planning,compensation and developing a training/learningculture. He acts as a planning acilitator, providescoaching and serves on many advisory boards.
As a member o The Advisory Board, Gary collaborates in a partnership o esteemed accountingrm consultants. He is the past chairman o the
AICPA’s Inormation Technology ExecutiveCommittee and a member o the AICPA Council.He has also served on the AICPA’s Academic andCareer Development Executive Committee and the
ACUTE Board o Directors. Gary currently servesas the President o the Kansas Society o CPAs andon the accounting advisory board at Kansas StateUniversity.
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 31/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
31
A
s the ounder o Capital Conrmation,
Inc. (CCI),BrianFox
has been thedriving orce or CCI’s eective response torapidly evolving accounting industry standards.Brian previously worked in Audit or Ernst &
Young LLP and Mergers and Acquisitions orPricewaterhouseCoopers LLP. Early on as asta and senior accountant, Brian identied theineciencies and potential or raud inherentin the current conrmation process. His visionresulted in the creation o a new, innovative andaward-winning patented process, which today
places CCI at the oreront o accounting industry service providers.
In 2006 Brian was named by The CPA Technology Advisor as one o the accounting proession’sinaugural “40 Under 40”. Brian is a member o the
AICPA and The Tennessee Society o CPAs, wherehe sits on the Accounting and Auditing SymposiumCommittee or the Society. He has authorednumerous articles on raud, and his writing andquotes have appeared in The CPA Journal , New York
Times , The CPA Technology Advisor , AP Matters , The Auditor’s Report , The International Herald Tribune and many other proessional publications. He alsoteaches continuing proessional education classeson nancial raud and is oten a guest lecturer atproessional conerences and business schools.
Brian completed his MBA at Vanderbilt University with a dual concentration in Finance and ElectronicCommerce and received a BBA in Accounting rom
Southern Methodist University’s Cox BusinessSchool.
About the Authors
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 32/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
32
Capital Conrmation, Inc. provides secure electronic conrmation services orauditors, those responding to conrmation requests and their shared client.
Capital Conrmation’s patented Conrmation.com service minimizes raud andbrings eciency to the audit conrmation process.
This easy to use, web-based service guarantees responses and has an averageturnaround time o less than two business days. Using Conrmation.com,auditors will spend less time tracking down conrmations and have more timeto spend on other critical engagement activities.
Conrmation.com provides both In-Network and Out-o-Network delivery options, allowing you to send conrmation requests to 100 percent o banks and other responding companies worldwide. For the greatest levelo eciency and security, Conrmation.com’s In-Network applicationuses a unique Authentication and Authorization process to validate theauthenticity and authorization o each user. Capital Conrmation alsoreceives a SAS 70 Type II and SysTrust certication every six months toensure that the highest level o security standards are used or privacy and
data integrity.
As a result, Conrmation.com received the coveted CPA Technology Advisor ’s Tax & Accounting Technology Innovation award or2009 as well as the 2009 Reader’s Choice Award. That’s why several hundred responding companies and over 6,000 accountingrms in 52 countries trust Conrmation.com or their auditconrmation needs.
About Conrmation.com
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 33/34
The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS
33
The Boomer Advantage Guides™
Order your copies today at www.boomer.com
8/9/2019 Guide to Electronic Confirmations
http://slidepdf.com/reader/full/guide-to-electronic-confirmations 34/34
© 2010 Boomer Consulting Inc All Rights Reserved No part of this publication
Think. Plan. Grow!
I you would like urtherinormation about The Boomer
Technology Circles or otherBoomer Consulting, Inc. services
and products, please visit our website
www.boomer.com
This publication is not a substituteor the advice o your advisors,
personal and proessional.
Recommended