Journal of Accountancy
LETTERS
Audit Confirmation Article Falls Short
June 2008
As an auditor by training, I was excited to see the article on improving the confirmation process (“Better Evidence Gathering,” April 08, page 32). The opening paragraphs rightfully acknowledged that many budgets are blown because of time spent chasing confirmation letters until the eleventh hour—usually taking four to six weeks to be returned if they come back at all—so I anticipated a discussion on improving turnaround times, response rates and the overall confirmation process.

Coming out of busy season, having once again chased paper confirmations until we’re blue in the face with frustration (one definition of insanity is continuing to do things the same way while expecting different results), this was the perfect opportunity to present the latest tools and guidance on confirmations, especially in light of the fact that 2007 provided the first significant updated guidance on confirmations in the 16 years since AU 330 was published.

When AU 330 was released in 1991 there were no electronic audit files, no laptops; the Internet was still known as ARPANET; our professional standards did not acknowledge our responsibility to identify fraud (the word “fraud” did not appear in our standards until 2002 with SAS no. 99); and we had not been hit with the confirmation frauds of Parmalat, Refco (twice), Ahold, Kmart, CF Foods, SafeScript, and, most recently, Take-Two, among others. In 2007, all the following took place:

March 2007—AITF issues Interpretation No. 1 of AU 330 allowing for properly controlled electronic confirmations.

June 2007—PITF’s sole revision to Practice Alert 2003-1, Confirmations, was the additional language allowing for properly controlled electronic confirmations.

October 2007—IAASB issues exposure draft of ISA 505 (Revised and Redrafted), External Confirmations, updating the definition of a confirmation to include electronic confirmations.

October 2007—PCAOB names confirmations as a Top Priority.

October 2007—The ASB commissions a task force to draft a revised AU 330, The Confirmation Process.

December 2007—60% of the top 50 U.S. banks have adopted secure electronic confirmations.

With the events and changes since 1991, I expected an evaluation of the recent confirmation frauds and a discussion on the impact of the newly released and proposed guidance coupled with an in-depth evaluation of confirmation technologies available. What technology should or shouldn’t we use? What is a “properly controlled” electronic confirmation? How do we evaluate the options with the goal to stop chasing paper and to reduce the chances that a fraud goes undetected?

Additionally, the latest research shows that failure to uncover fraud involving confirmations is often because we rely on the client to tell us whom to send the confirmation to without validating that information (which is a focal point in the IAASB exposure draft comment letters). So, I expected to read about the latest techniques and criteria used to validate whom we send the confirmation to before the confirmation is sent out and what tools are available to help us efficiently do this.

C. Brian Fox, CPA
Nashville, Tenn.


Letters
More Perspectives on Audit Committees and ERM
By Arnold H. Schanfield / Dan Helming
June 2008
We are offering additional commentary on the article titled “Rising Expectations: Audit Committee Oversight of Enterprise Risk Management” (April 08, page 44). I am an internal audit director and part-time NYU faculty member running an ERM consulting business in New Jersey, together with another practitioner and colleague in New York.

On the topic of risk silos, two related concepts are available to help ensure that the risk silos can be eliminated, because without elimination as a goal, the company will never have an effective ERM model. The first concept is control self-assessment (CSA). CSA is well-known but perhaps not so widely practiced. CSA is a recognized rigorous method of identifying business risks in a group, like using a facilitator, voting technology, etc. Second, we believe quite strongly that each manager’s performance management plan needs to include criteria for specific ERM metric goals. With ERM metrics established as goals upon which their performance, compensation and incentive will be measured, this will provide the incentive to “stay the course regarding ERM.”

On page 48, the discussion of probability and impact: once the risks are ranked, but prior to a risk response, the company needs to compare these rankings to the stated risk tolerance, which should have been previously established at the executive management level of the company. It is important to initially measure how much risk exists and then compare this measurement to what the board is willing to live with. It is not appropriate to embark on a risk treatment plan until this important step has been taken, since each risk treatment decision has costs vs. benefits associated with it.

Though the article focuses mostly on the COSO ERM Framework, the authors do refer briefly to the Australian/New Zealand Standard 4360. We do not want to diminish the importance of the landmark COSO ERM document. We just believe that the Australian framework is far easier to implement.

On page 51, Exhibit 5 provides an example of defining risk probability and impact assessments. We would add that after the risks have been identified, it is time to assess/evaluate them. Part of this assessment/evaluation comprises quantifying the risks, which can be done qualitatively, semi-quantitatively or quantitatively. Qualitative “quantification” is an easier-to-use method and is better known by the terms “nominal” and “ordinal” measurement. What the authors have presented in Exhibit 5 is a form of ordinal measurement, where narrative terms are used to describe the likelihood and the severity. These ratings will be used to evaluate each risk. It is the simplest form of risk quantification. Many organizations are moving towards more sophisticated methods if their business justifies it.

Arnold H. Schanfield, CPA,
and Dan Helming, CPA
Fort Lee, N.J.


Copyright © 2008 American Institute of Certified Public Accountants. All rights reserved.