Guide to Electronic Confirmations

8/9/2019 Guide to Electronic Confirmations

http://slidepdf.com/reader/full/guide-to-electronic-confirmations 1/34

GUIDE TO

ELECTRONIC

CONFIRMATIONS



The BOOMER Advantage Guide to ELECTRONIC CONFIRMATIONS

2

Contents

3 Introduction

5 The Conrmation Process

7 How Reliable Are Paper-Based Conrmations?

11 Requirements o an Electronic Conrmation

17 Driving Audit Eciency

21 The True Cost o Paper vs. Electronic

22 Success Stories

26 One Page Plan

27 Electronic Conrmation Security Assessment

30 About the Authors

32 About Conrmation.com




3

W

hen Brian Fox speaks at conerences, he likes to play a recorded sessiono messages received on their customer support hotline. Sta auditors

mistakenly believe their company is a bank, and call them to ollow up on the paper-based conrmations they mailed out weeks ago that were never returned.

“I’m calling to ollow up … We axed our third request last month … We really need this to nish up our audit. Could you please, PLEASE … sixth time I’ve called... ”

What comes through most vividly is the rustration. We’ve all been there. You’rea sta auditor, and it’s bad enough you have to spend time stung envelopes withconrmations. Now, to add insult to injury, you’re making rantic phone calls at the

eleventh hour, leaving voice messages, trying to track down a single piece o paper.

There is a Better Way

Paper-based conrmations have been with us since the beginning o the auditproession 130 years ago. Through numerous changes in technology, businesspractices and auditing rules and regulations, the paper and mail system or makingdirect contact with third parties has endured. In the process, it has becomeincreasingly outdated, less ecient and less secure every year.

But there is a better way!

In 2007, those who set auditingstandards approved the use o electronic conrmations as a much-needed replacement to the traditionalpaper and mail-based process. Inorder to preserve the integrity o the conrmation process, they careully dened what is and is not an electronicconrmation as well as the steps auditors must take to ensure a conrmation isreliable audit evidence.

There’s good reason why stewards o the proession want to encourage the use o electronic conrmations. You can’t do a 21st century audit using 19th century technology.

Introduction

Starting October 1, 2008, Bank of

America required all of its customers’

external auditors to use electronic

conrmations through Conrmation.com.




4

The auditors o Parmalat and CF FOODs recently discovered this the hard way.

The management o both companies concealed massive rauds by compromisingthe auditor’s paper-based conrmation process. A properly designed, electronicconrmation would have prevented this cover-up.

Academic research shows that electronic conrmations produce a much lower errorrate than the paper alternative. Similar research reveals that replacing paper-basedconrmations with electronic conrmations leads to tremendous audit eciencies.Some in the proession have declared the adoption o electronic conrmations tobe a “oregone conclusion,” and with leading banks now requiring auditors touse electronic conrmations, we expect the rate o adoption to continue its rapidincrease.

In this publication you’ll learn why and how to make the switch.

L. Gary Boomer, CPA.CITPC. Brian Fox, CPA




5

I

ndependent auditors are required to obtain “sucient appropriate audit

evidence” to support their opinion on the nancial statements.

“Sucient” relates to the quantity o audit evidence obtained. Has the auditorgathered enough?

“Appropriate” relates to relevance and reliability.

All three baseline elements must be in place or the auditor to ulll hisresponsibilities. It doesn’t matter how much audit evidence the auditor obtains; i that evidence isn’t reliable, then the audit quality has been compromised.

Questions regarding the use o conrmations relate to reliability. Areelectronic conrmations as reliable as paperconrmations? In act, evidence suggeststhat electronic conrmations are morereliable than paper.

The Conrmation Process

It doesn’t matter how much

evidence the auditor obtains;

if that evidence isn’t reliable,

then the audit quality has been

compromised.




6

Building a Reliable Conrmation

Process

The stewardship o audit quality rests upon a variety o standards setting organizations. Therules or auditor perormance are set by the

AICPA (audits o non-public companies), thePCAOB (audits o public companies) and theIAASB (international audits).

Although the language o the three standards may vary, undamentally they all agreeon the our tenets o perorming a proper conrmation.

• Communicatedirectlywithandreceiveanactiveresponsefromthethirdparty

• Exerciseprofessionalskepticism

• Identifyandvalidatearespondentwhoisfreefrombiasandauthorizedtorespond

• Maintaincontroloftheconrmationprocess

Only by ollowing these our tenets can theauditor ensure that the conrmation he orshe receives is meaningul.

“The auditor should consider

whether there is sufcient basis

for concluding that a conrmation

request is being sent to a valid

respondent from whom a response

will be meaningful and provide

competent evidential matter. If

there is not a sufcient basis for

that conclusion, the conrmation

process is useless.”

- Doug Carmichael Former Chief

Auditor of the PCAOB




7

M

any auditors believe that simply receiving a

signed response to a conrmation requestprovides the proper audit evidence. This is notso. Without a sucient basis or concludingthat the conrmation has been signed by a validrespondent, the conrmation lacks the high levelo reliability necessary to constitute competentaudit evidence.

The ollowing raud schemes identiy the allacy in this belie that a signedconrmation is all that is required. These examples serve as notice to auditors that,unless they apply the our tenets o a proper conrmation, they are not ollowing the

requirements o a Generally Accepted Auditing Standards (GAAS) audit.

Conrmation Fraud Schemes

Client provides alse contact inormation

In a survey o over 150 accounting rms, researchers discovered that almost all o the mailing addresses or conrmations are provided to the auditor by the client ortaken directly rom client-provided bank statements.

To thwart the paper conrmation process, a dishonest client simply uses a scanningmachine to manipulate or even create a alse statement and provides incorrectcontact inormation in an eort to deraud the auditor. This appears to be one o the techniques employed by Parmalat executives, who committed that company’salmost $5 billion audit conrmation raud.

What an auditor must be aware o is that using today’s technology, a dishonest clientcan easily adjust the balance on a statement and change the contact inormation tobe a riend’s address, phone/ax number and email. Fraudsters do not have to usea riend’s address as Mark Morze, the ormer CFO o ZZZZ Best Carpet Cleaning,did. Instead, they can use a UPS Store mail account, which is presented as a real

street address and not a P.O. Box address. Phone numbers can be prepaid cell phonenumbers or a FedEx Oce store ax number. Email addresses can have extensionsthat closely resemble a legitimate client’s email extension.

How Reliable Are Paper-Based Conrmations?




8

In an attempt to ool an auditor, a raudster with $200 can easily establish three

sources o legitimate contact inormation (address, ax and phone lines) at any executive oce suite oering those services. In some cases they can establish anemail account, and a receptionist will answer the phone using the name o whatevercompany the raudster asks.

Ongoing improvements in scanning and printing capabilities will continue to makethese types o activities that much more dicult to detect, even as today’s regulatory scrutiny and public expectations demand that auditors catch such rauds.

Client provides the contact name

When auditors do spend the time and resources to independently validate theaddress, phone/ax number or email or a nancial institution, they oten do notindependently know or validate an individual clerk within the conrming entity.

To circumvent the paper conrmationprocess when auditors validate contactinormation, a raudster simply providesthe correct mailing address along withphone and ax numbers, but has a co-conspirator within that organization. Thisdishonest associate may be a riend orrelative who raudulently lls out the paperconrmation and may even sign it with thename o another employee in order to hideinvolvement rom the auditor.

In one case, the Director o Apparel Sales or Adidas America intentionally providedauditors alse inormation because o his motivation or uture sales to his client.Just or Feet’s auditors sent an accounts receivable conrmation directly to the

Adidas Director o Sales, who conrmed $2.2 million in receivables due when inreality Adidas only owed Just or Feet approximately $40,000.

This one event exposed both companies, every individual involved in the audit andthe audit rm itsel to a huge liability.

Maintaining control [of the

conrmation process] includes

performing procedures to verify

that the conrmation is being

directed to the intended recipient.

ASB Auditing Interpretation (AU

9330.04)




9

Client infuences the conrmation process

With a little eort, a dishonest client can create third-party credentials that closely resemble legitimate credentials. For example, an inexpensive ake website, displayedas i it were or a legitimate nancial institution, can be quickly created to provideillegitimate contact inormation.

In two separate cases during 2004, thievescreated ake U.S. Bank and Union PlantersBank websites to steal important onlinebanking inormation rom customers.These raudsters were even able to highjack

and use an email with the real bank emailextension to direct customers to the ake

websites. I the bank’s own customers could not distinguish a real website rom theake, how can those o us who might see it once a year determine whether it is realor ake?

Signature verication is impracticable

Given all the possible loopholes to circumvent the paper conrmation process, it isnot practical to think an auditor has the resources to validate the signature o theperson who responded to a conrmation request.

In today’s environment, unortunately, a cursory review o a signature nolonger provides a saeguard rom liability when presented to a jury that does notunderstand why a signature was not validated and does not appreciate the challengesassociated with checking the validity o a signature on a paper conrmation. Juriesdo not understand the tremendous resources that are required to accomplish suchan ongoing task.

Fraudsters know that the type o eort required to validate the signature o theconrming entity is rarely used proactively to prevent raud. Enormous costs are

involved, and it is only used once a potential raud is identied. At this stage itcould be too late to eliminate the liability associated with the raud exposure.

The fake signature of a legitimate

employee from the bank was used

by Parmalat executives to “verify”

almost $5 billion.




10

With this in mind, raudsters alsely responding

to a conrmation request simply scribble thesignature o anyone, to include the signature o alegitimate signatory, to eectively validate a paperconrmation response.

A ake signature was used to perpetrate theParmalat raud. Believing that the auditors mightattempt to validate the employment o the person

who signed the conrmation, the ake signature o a legitimate employee rom thebank was used by Parmalat executives to “veriy” almost $5 billion.

Cracking Down on Fraud Schemes

In response to these and similar raud schemes, the Auditing Standards Board issuedan interpretation in 2008 that more clearly dened the auditor’s responsibilities

when using conrmations to obtain audit evidence.

On all audits, the auditor should consider the reliability o the inormation obtainedthrough the conrmation process. To do that, he or she must assess the risks that:

• Theinformationprovidedinthe

conrmationmaynotbefroman

authenticsource

• Thepersonrespondingtothe

conrmationmaynotbeknowledgeable

abouttheinformationbeingconrmed

• Theintegrityoftheinformationmay

havebeencompromised

“The existing paper-based

conrmation process has exposed auditors to substantial legal liability

over the past two decades.”

George Aldhizer and James Cashell

“Automating the Conrmation

Process” The CPA Journal ; April,

2006




11

T

o ensure the reliability o electronic conrmations, the Auditing Standards

Board states that electronic conrmations can be considered reliable auditevidence i the auditor is satised that:

• Theelectronicconrmationprocessissecureandproperlycontrolled

• Theinformationobtainedisadirectcommunicationinresponsetoarequest

• Theinformationisobtainedfromathirdpartywhoistheintendedrespondent(See

AU9330.05)

Ensuring Reliability

The diagram below illustrates the relationship between the auditor and the

responder to an electronic conrmation request. It indicates that authentication, validation and security are required at three dierent levels.

Requirements o an Electronic Conrmation




12

• Individualauditstaffandresponders.Authenticationandvalidationarerequired

toestablishtheidentityoftheauditormakingtherequestandthepersonresponding

toit.Bothpartieswillwanttoask:

» Is the person I’m communicating with who he or she claims? » Is that person authorized to communicate with me? » Is the person responding to the conrmation qualied and authorized to

respond?

• Auditrmandrespondingentity.Bothpartieswillwantassurancethattheentity

withwhichtheyaredealingislegitimate.

• Communicationchannel.Bothpartiesneedtoknowthattheyarecommunicating

informationthroughasecureservice.

Authentication and Validation

A reliable electronic conrmation process means that the auditor has assurance he orshe is sending the conrmation request to the intended recipient. At the entity level,the auditor should determine that the conrming entity is a legitimate enterprise by

validating inormation like:

• Primarymailingaddress

• Physicaladdress

• Website

• Telephonenumber

At the individual level, the auditor should veriy the identity o the respondent,obtain some assurance that he or she is qualied and authorized to respond, and hasaccess to the necessary data or a response.

The responding organization also needs assurance that the auditor is who he orshe claims to be and has the client’s permission to request the conrmation. Forexample, the responder will want to veriy the audit rm’s:

• Mailingaddress• Website

• CPAlicense

• Telephonenumber




13

Some electronic conrmation providers will have a

network o validated responders. Establishing sucha network requires the provider to take steps toauthenticate and authorize both the entity and theindividual responders to the conrmation request.

Data Security

Conrmations contain highly sensitive inormationsuch as the audit client’s bank account number, loan number and bank balances.For that reason, an electronic conrmation process must have controls that create asecure communication channel between the auditor and the conrmation responder.

Such controls typically include elements such as:

• Passwordsforindividualparticipants

• Dataencryption

• Firewallsthatprotectthesystemfromunauthorizedintrusion

• Intrusiondetectionandpreventionsystems

Ensuring the Security o the Electronic Conrmation Platorm

Both responders and auditors demand ahigh level o security rom any electronicconrmation platorm. Responders suchas banks rightly view the platorm as anextension o their own IT system, and they

want to make sure that the overall security o the system retains its integrity. It iscommon or banks that use an electronicconrmation process to perorm periodicin-depth security reviews o the electronic

conrmation provider’s IT system.

“An electronic conrmation process

that creates a secure conrmation

environment may mitigate the

risks of human intervention and

misdirection. The key lies in the

process or mechanism used by

the auditor and the respondent

to minimize the possibility that

the results will be compromised

because of interception, alteration

or fraud with respect to the

conrmation.”

AICPA Updated Practice Alert 03-1,

Audit Conrmations




14

Likewise, auditors should request a SAS 70 Type II and a SysTrust review as part o

their required security assessment o the electronic conrmation provider.

These Techniques Fail the Test

While auditors are nding alternatives to traditional paper-based conrmations,they should ensure these methods meet the requirements o the auditing standards.The Auditing Standards Board has weighed in on the two most prevalent non-paper-based conrmation techniques and determined that they do NOT meet theirrequirements.

• Conrmationssentorreceivedviae-mailaretypicallyalessreliableformofaudit

evidence,becauseitisdifcultifnotimpossiblefortheauditortoestablishtheoriginoftheemailordeterminewhethertherespondentisknowledgeableaboutthe

mattersbeingconrmed.(SeeAU9330.03)

• Anonlineinquiryofathirdparty’sdatabasedoesnotconstituteaconrmation,

butratheranalternativeprocedure.Thereasonisthataconrmationfromathird

partyrequiresanactiveresponsefromthatthirdparty,andanauditorlookingup

informationonadatabasedoesnotincludetheactiveinvolvementofthethirdparty

respondents.(AICPAUpdatePracticeAlert03-1)

In-Network Conrmation and an Out-o-Network Conrmation

Not all electronic conrmation processes are created equal. In order to select anappropriate solution, the auditor must understand the dierences in unctionality,the requirements o the auditor, and the response rates or the two main typeso electronic conrmation processes, the “in-network” process and the “out-o-network” process.

Both processes should include security measures to ensure data integrity. Wherethey dier is in the authentication and verication o responders to the conrmationrequest.




15

In-Network – Some electronic conrmation providers have established a network

o participating banks and other responding entities. Establishing such networksrequires the provider to take steps to authenticate and authorize both the entity andthe individual responders to the conrmation request. The auditor can rely on thein-network solution and is not required to perorm additional authentication andauthorization procedures.

Out-o-Network – An out-o-network electronic conrmation platorm does notinclude authentication and authorization o the respondent. The provider o anout-o-network service has perormed no procedures to validate either the entity or the individual responding to the conrmation. That responsibility alls to theauditor who is required to determine that the conrmation was sent to the proper

source and that the respondent was authorized to respond.

In general, in-network conrmations are more secure and ecient than out-o-network conrmations. Expect to pay more or this added protection andconvenience. The ollowing table summarizes the dierences between in-network and out-o-network conrmation processes.




16

Requirements for Audit Confirmations

Requirements Electronic Confirmations Alternative Procedures*(Email & Direct Access)

PaperConfirmations

In-Network Out-of-Network

S A S 6 7 / A U 3 3

0

Control the process Electronic confirmationprovider

Electronic confirmationprovider

Auditor

Knowledgeable and freefrom bias respondent


Auditor Auditor

Determine respondingindividual is authorizedto respond


Auditor Auditor

P r a c t i c e A l e

r t 2 0 0 3 - 0

1

Establish directcommunication withrespondent



Auditor Auditor

I n t e r p r e t a t i o n 9 3 3 0

Maintain integrity of the data and datatransmission



Auditor

Authenticate respondingentity


Auditor Auditor

SAS 70 Type II andSysTrust certification



Auditor

Website authentication Electronic confirmationprovider


Auditor

Comparative Results

Efficiency Statistics Electronic Confirmations Electronic AlternativeProcedures

PaperConfirmations


Response rates 100% 50 - 60% 50-60% 71%

Average turnaroundtimes

1.08 days 3 - 5 days 3-5 days 21 - 40 days

Reconfirmation rates 9.7% 20 - 25% 20-43% 43%

Pros and Cons

Pros and Cons Electronic Confirmations Electronic AlternativeProcedures

PaperConfirmations


Pros Reduces auditor’s exposureto fraud

Efficient Faster than paper Same results for thelast 80 years

Greatest efficiency

Cons Auditor must assess thedesign and operating

effectiveness of controls.SysTrust and SAS 70Type II may assist the

auditor in performing theirassessment.

Auditor must assess thedesign and operating

effectiveness of controls.SysTrust and SAS 70 TypeII may assist the auditor in

performing their assessment.

Not a valid audit confirmation Slowest turnaroundtime

Auditor must perform

procedures to authorize andauthenticate responding

entity and individual

Difficult to assess and validate

the respondent

High error rate

High exposure to fraud High exposure tofraud

* Electronic alternative procedures like email and direct access to a database, while they may provide audit evidence, they are not a confirmation for audit andattest purposes.




17

T

he use o electronic conrmations leads to a more ecient audit process.

Research indicates that compared to paper-based conrmations, electronicconrmations result in dramatic improvements in three key audit eciency metrics:response rates, turnaround times and reconrmation rates.

Conrmation Response Rates

Non-responses to conrmation requests require the auditor to perorm alternativeprocedures. Not only are alternative procedures time consuming, they are a lessreliable orm o audit evidence.

ResponseRates

Driving Audit Eciency




18

Turnaround Times

Slow turnaround times require the auditor to spend more time ollowing up withthird parties to get a response. Faster turnaround also gives the auditor more timeto ollow up on discrepancies and exceptions.

AverageTurnaroundTime(inDays)




19

Error Rates

It is not uncommon or responders to conrm incorrect inormation or otherwisemake errors in the conrmations they return to the auditors. When the respondermakes an error, the auditor must either reconrm with the responder or perormadditional procedures to gather the audit evidence originally sought throughconrmation.

ReconrmationRates




20

Centralize the Conrmation Process

Many CPA rms have secured audit ecienciesby centralizing their conrmation eorts. They assign one person in the rm to coordinate thesending and receiving o conrmations or allaudit engagements, and individual audit teams

work directly with that one individual.

An electronic conrmation process is ideal or rms that use or are looking toimplement a centralized conrmation process.

Paperless Audits

Many rms have adopted paperless auditing to increase eciency. Most paperlessaudit solutions like CaseWare Working Papers, CCH’s ProSystem x® Engagementand Thomson Reuters Engagement CS™ now integrate directly withConrmation.com, an electronic conrmation service. This integrated solutiondrives urther eciencies, because audits no longer require manual intervention tomanage the conrmation process or to scan and upload paper-based conrmationresponses.




21

C

onsider one sta member at a typical CPA rm. Suppose over the course o

her busy season she works on six dierent audits and audits a total o 40 bank accounts. How much time would she spend on a paper-based conrmation process,and what would it take her to do it electronically? Assume the ollowing:

In-Network Electronic Out-o-Network Electronic Paper-Based

Assumption Total Assumption Total Assumption Tota

Prepare and sendconrmations, log-in results

10 mins per job; 6 jobs

1 hr. 20 mins per job; 6 jobs

2 hrs. 30 mins per job; 6 jobs

3 hrs

Reconrm non-responses 5% reconrmrate; 40 original

conrmations;2 conrms toreconrm

0.1 hr. 25% reconrmrate; 40 original


0.25 hr. 40% reconrmrate; 40 original


1 hr.

Alternative procedures ornon-responses

0% non-responses 0 hrs. 40% non-responses;40 originalconrmations;16 alternativeprocedures at 10minutes per

2.5 hrs. 29% non-responses;40 originalconrmations;12 alternativeprocedures at 10minutes per

2 hrs

General ineciency causedby excessive delays in

response

All responsesreceived in one

business day

0 hrs. 5 minutes per job;6 jobs

0.5 hr. 20 minutes per job;6 jobs

2 hrs

Total Time 1.1 hrs. 5.25hrs.

8 hrs

Time Savings 6.9 hrs. 2.75hrs.

0 hrs

A paper-based, bank conrmation eort might take a day or just one sta personover the course o a busy season; an electronic conrmation process requires a littlemore than an hour. What would seven hours per sta person do or your rm’srealization?

The True Cost o Paper vs. Electronic




22

W

ith over 500 auditors located in

10 oces, The Reznick Groupis one o the largest accounting rmsin the nation. As a way to drive auditeciency and address raud risk, several

years ago the rm decided to makethe switch to electronic conrmations.Rather than replace paper conrmations nationwide, the rm decided to pilotelectronic conrmations starting in its Atlanta oce.

Centralized Conrmation Eort Provides Even Greater Eciency

Previously, each audit team had been responsible or sending and receiving theconrmations or its client. Together with the switch to electronic conrmations,the rm elt that even more eciencies could be realized i it centralized itsconrmation eort.

Responsibility or managing the conrmation process was transerred romindividual audit teams to two paraproessionals in the Atlanta oce. The two o them received personalized training rom Capital Conrmation on how to operateits system, and the electronic conrmation process was up and running.

Paraproessional John Huynh estimates that each busy season he sends and receivesthousands o bank conrmations. “Beore, you never saw how much work it really took because conrmations weren’t centralized in one place. Now I can see it all.It’s a huge eort.”

John Pushes a Button

The Conrmation.com system stores audit client and bank data in its system, whichmakes it easy to reprise each client’s conrmation requests rom year-to-

year. Once the audit team begins its eldwork they make any necessary changes tothe previous year’s data, John pushes a button, and the conrmations are sent.

“I can literally get a response within an hour,” says John. “It goes right to thebank’s queue, and they have to give me some kind o response. It doesn’t get lost.”

Success Stories




23

Beore using electronic conrmations, each audit team would send out paper

conrmations and wouldn’t expect an answer back or several weeks. The time andaggravation spent ollowing up on conrmation requests was signicant.

Continuous Improvement

Like other Conrmation.com clients, The Reznick Group paraproessionals provide valuable insight into uture enhancements to the system. Clark Hudgins, VicePresident Accounting Proession, routinely gathers input rom clients on how toimprove the user experience.

Says John, “Clark will call and ask ‘hey, John, what do you think o this?’ and I tell

him.” Many o these user suggestions eventually become system upgrades.

Nationwide Roll Out

Because o the success o the Atlanta oce pilot, The Reznick Group now useselectronic conrmations on all audits nationwide. They’ve created even moreeciency by ollowing the lead set by the Atlanta oce to centralize all auditconrmations.




24

G

reg Shelton, CPA is a sole practitionerin Bartlett, Tennessee. He has our audit

clients and sends out about 20 conrmations each year. He has been an auditor or 25 years and wasone o the rst users o electronic conrmations.

When he rst made the switch rom paper, he wassurprised that he was the only sole practitioneror small local rm in the list o users. But theadvantages o using electronic conrmations can be realized by any rm, regardlesso their size.

Just Get It Done

When he rst learned o electronic conrmations, Greg immediately recognized thebenets o making the switch rom paper. “I hate waiting three or our weeks to geta conrm rom a bank. I like to just get it done. Now I can get a conrm returnedrom the bank beore I even start eldwork,” says Greg.

Once a company is set up on the Conrmation.com system, sending conrmationsin subsequent years is a ve minute task: change the date and the auditor is done

with a single click o his mouse.

Conrming Liabilities

Greg is quick to point out that a standard bank conrmation does more than simply conrm bank balances, it also gathers inormation about loans, letters o credit andother liabilities. Obtaining this inormation is crucial especially when auditing asmall business, where many times the liability may not appear on the books.

“You have situations where a loan was obtained to purchase equipment, and thecash never fowed through the company. Or the company got a line o credit andthe owner took a draw directly that was never recorded on the company’s books.”

Using electronic conrmations allows the auditor to identiy those unrecordedliabilities immediately, rather than waiting several weeks (sometimes ater theconclusion o eldwork) to receive a paper conrmation.

Success Stories




25

Pass Through the Cost

Greg passes through the cost o the electronic conrmation service directly to hisclients. Even though his clients are billed about $100 on each audit, overall they end up saving money because Greg spends essentially no time on the conrmationeort. “It’s a win-win situation because it saves money or the client and improveseciency or my business,” says Greg.

A No-Brainer

Greg is sold on electronic conrmations. Like anything else, there’s a learningcurve, but with electronic conrmations that curve isn’t too steep. “Once you get

past your rst one, it’s a breeze,” he says. “It’s really a no-brainer.”

There’s only one downside to his switch to electronic conrmations. Greg has astack o paper bank conrmations he ordered eight years ago taking up space in hisstorage cabinet. I you see them show up on e-Bay, you’ll know why.



2 6

S t r a t e gi c O b j e c t i v e

M e a s ur em en t

S t r a t e g y / I ni t i a

t i v e

D u eD a t eTi m

eF r am e

A s s i gn e d T o

1 .

R e s e a r c h , a n a l yz e t h e

a v a i l a b l e o p t i on s .

•

D e v el o p a s h or t l i s t

•

C om pl e t e t h e a t t a c h e d E l e c t r oni c

C onf r m a t i on S e c ur i t yA s s e s s m en t or e a c h

o p t i on

2 w e e k s

E l e c t r oni c C onf r m a t i on

T a s k F or c e

2 .

S el e c t a s e c ur e el e c t r oni c

c onf r m a t i on s er vi c e a n d

d e t er mi n ei m pl em en t a t i on

m e t h o d - C en t r a l i z e d

or

D e c en t r a l i z e d .

•

E l e c t r oni c c onf r m a t i on

s er vi c e s el e c t e d

•

C en t r a l i z e d i m pl em en t a t i on

i s wh er e a n o f c e

c en t r a l i z e s t h e c onf r m a t i on

r e s p on s i b i l i t y t o

a p a r a pr o e s s i on a l or a d mi ni s t r a t i v e a s s i s t a n t

wi t h i n t h ef r m

•

D e c en t r a l i z e d i m pl em en t a t i oni s wh er e

e a c h en g a g em en t t e a mm a n

a g e s t h ei r o wn

c onf r m a t i on s

1 w e e k

CE O / E l e c t r oni c

C onf r m a t i onT a s k F or c

e

3 .

I m pl em en t a s e c ur e

el e c t r oni c c onf r m a t i on

s er vi c e .

•

E l e c t r oni c c onf r m a t i on

s er vi c ei m pl em en t e d

1 . C omm uni c a t e t oP a r t n er s ,M a n a g er s a n d K e y

S t a k eh ol d er s t h e d e c i s i on t o a d o p t el e c t r oni c

c onf r m a t i on s a n d en s ur e t h

e y wi l l s u p p or t

t h en e w d i r e c t i on

2 .P r o vi d e a n o v er vi e w o t h e s er vi c e t o en t i r e

f r m ( c a n b e d on e vi a n e w s l e t t er , c on er en c e

c a l l ,m e e t i n g )

3 .H a v e t h e u s er s g o t h r o u gh t h e onl i n en a r r a t e d

t r a i ni n g t u t or i a l

4 . Wi t h C en t r a l i z e d i m pl em en

t a t i on s ,i n c l u d e a

s h or t t r a i ni n g on t h er ol e s a

n d r e s p on s i b i l i t i e s

o t h e en g a g em en t t e a m ( n e w s l e t t er ,

c on er en c e c a l l , s t a m e e t i n

g )

1 w e e k

E l e c t r oni c C onf r m a t i on

T a s k F or c e

4 .

I m pr o v e c u s t om er

r el a t i on s h i p s

•

C omm uni c a t e t h e

i m pr o v e d pr o c e s s t o y o ur

c l i en t s

•

C omm uni c a t i on t o c l i en t s c a n b e d on e a t t h e

b e gi nni n g o e a c h a u d i t .E x

pl a i n t o t h em t h e

n e w pr o c e s s , t h ei r r ol e , a n d

t h ei m pr o v em en t s

i n s e c ur i t y a n d e f c i en c y wi t h el e c t r oni c a u d i t

c onf r m a t i on s .

On g oi n g

A l l E n g a g em en t T e a m s

5 .

M oni t or t h e pr o c e s s a n d

a d o p t i on

1 .P er c en t a g e o f r m a n d

a u d i t s a d h er i n g t o t h e

n e w pr o c e s s

2 .T ur n a r o un d t i m e s

3 . R e s p on s er a t e s

4 . R e c onf r m a t i onr a t e s

•

D e v el o p d e a d l i n e or f r m w

i d e a d o p t i on

•

I n c l u d e onl i n en a r r a t e d t r a i ni n g t u t or i a l or

el e c t r oni c c onf r m a t i on s i nn e wh i r e t r a i ni n g

On g oi n g

CI O / E l e c t r oni c

C onf r m a t i onT a s k F or c

e



2 7

R e q ui r e d or

R e vi e w e d ,A p pr o pr i a t e &I nP l a c e

I n- N e t w or k

O u t - o - N e

t w or k

Y e s

N o

N o t e s

R e vi e w er

1 . S A S 7 0 T y p eI I

√

√

1 . 0 1

P er or m e d e v er y 6 m on t h s

√

√

1 . 0 2

C o

n t r ol s or Or g a ni z a t i on &A d mi ni s t r a t i on

√

√

1 . 0 3

C o

n t r ol s or S y s t em s D e v el o pm en t & Ch a n g e

M a n a g em en t

√

√

1 . 0 4

C o

n t r ol s or C om p u t er O p er a t i on s

√

√

1 . 0 5

C o

n t r ol s or P h y s i c a l A c c e s s &E n vi r onm en t a l C

on t r ol s

√

√

1 . 0 6

C o

n t r ol s or A u t h en t i c a t e d P r o p er S o ur c e

√

N / A

1 . 0 7

C o

n t r ol s or A u t h or i z e d U s er s

√

N / A

1 . 0 8

C o

n t r ol s or P r o p er Cl i en t A u t h or i z a t i on

√

√

1 . 0 9

C o

n t r ol s or D a t a I n t e gr i t y & S y s t emT r a n s mi s s i on

I n t e gr i t y

√

√

1 .1 0

C o

n t r ol s or E l e c t r oni c S i gn a t ur e s

√

√

1 .1 1

C o

n t r ol s or B a c k u p & R e c o v er y / D a t a R e t en t i on

√

√

2 . S y s Tr u s t C er t i f c a

t i on

√

√

2 . 0 1

P er or m e d e v er y 6 m on t h s

√

√

2 . 0 2

I n c l u d e s P r i n c i pl e o A v a i l a b i l i t y

√

√

2 . 0 3

I n c l u d e s P r i n c i pl e o C onf d en t i a l i t y

√

√

2 . 0 4

I n c l u d e s P r i n c i pl e o P r o c e s s i n gI n t e gr i t y

√

√

2 . 0 5

I n c l u d e s P r i n c i pl e o S e c ur i t y

√

√

2 . 0 6

I n c l u d e s P r i n c i pl e o P r i v a c y

√

√

3 .P r i v a c yP o l i c y

√

√

3 . 0 1

C e

r t i f e d b yr e c o gni z e d 3 r d P a r t y ( e . g .T R U S T e )

√

√

3 . 0 2

I n c l u d e s E U S a eH a r b or C er t i f c a t i on ( h i gh e s t

a v a i l a b l e )

√

√



2 8

R e q ui r e d or


I n- N e t w or k

O u t - o - N e

t w or k

Y e s

N o

N o t e s

R e vi e w er

4 . W e b s i t eA u t h en t i c a t i on

√

√

4 . 0 1

E x t en d e d V a l i d a t i on S S L C er t i f c a t i on b yr e c o g

ni z e d 3 r d

P a r t y ( e . g . V er i S i gn )

√

√

5 .Di s a s t er R e c o v er y

P l an

√

√

5 . 0 1

T e s t e d a t l e a s t Q u a r t er l y

√

√

6 .H o s t i n gF a c i l i t i e s

√

√

6 . 0 1

P r i m a r yH o s t i n gF a c i l i t y wi t h S A S 7 0 T y p eI I o

r I S O

C e

r t i f c a t i on ,mi ni m umT i er 4 a c i l i t y

√

√

6 . 0 2

S e p a r a t e B a c k u pH o s t i n gF a c i l i t y wi t h S A S 7 0 T

y p eI I or

I S O C er t i f c a t i on ,mi ni m umT i er 4 a c i l i t y

√

√

7 .I n s ur an c e s

√

√

7 . 0 1

R a

t i n gA + or b e t t er i n t h e c ur r en t B e s t ’ s I n s ur a n c e

R e

p or t s p u b l i s h e d b yA .M . B e s t C om p a n y

√

√

7 . 0 2

E - c omm er c eT e c h n ol o g yL i a b i l i t y

√

√

7 . 0 3

U s

er P r i v a c yP r o t e c t i on t o c o v er 1 y e a r w or t h o

C o

n s um er Cr e d i t M oni t or i n gi n t h e e v en t o a S e c ur i t y

B r e a c h

√

√

7 . 0 4

C o

mm er c i a l G en er a l L i a b i l i t y

√

√

7 . 0 5

P r o e s s i on a l P r a c t i c e

√

√

7 . 0 6

Um

b r el l a C o v er a g e

√

√



2 9

R e q ui r e d or


I n- N e t w or k

O u t - o - N e t w

or k

Y e s

N o

N o t e s

R e vi e w er

8 . S e c ur i t y

√

√

8 . 0 1

C om pl i a n t wi t h I S O2 7 0 0 1 C on t r ol O b j e c t i v e s

8 . 0 2

A l l I T

i n r a s t r u c t ur e & a c c e s s l i mi t e d t o onl y c om p

a n y

em pl o

y e e s ( e . g .i n c l u d i n g S y s t emA d mi ni s t r a t i on /

R o o t

A c c e s s )

√

√

8 . 0 3

P h y s i c a l a n d l o gi c a l a c c e s s c on t r ol i s a m a n a g e d pr o c e s s

( e . g . a c c e s s c on t r ol l i s t s , c h a n g em a n a g em en t ,m on

i t or i n g

&l o g

gi n g )

√

√

8 . 0 4

Onl y

d e d i c a t e d s er v er s a r e u t i l i z e d ( e . g .n o s h a r e d

c om p u t i n g en vi r onm en t s )

√

√

8 . 0 5

A l l c o

m p a n y em pl o y e e s h a v eF e d er a l & S t a t e b a c k gr o un d

c h e c k

s , a nn u a l d r u g t e s t i n g , a n d a r ef n g er pr i n t e d

√

√

8 . 0 6

S en s i t i v e c onf r m a t i on d a t a s t or e d u s i n g c r y p t o gr a ph i c

a l g or i t h m s mi ni m um k e yl en g t h 1 9 2 - b i t ( e . g .T r i pl e

DE S )

√

√

8 . 0 7

C onf

r m a t i on D a t a i s t r a n s mi t t e d wi t h a mi ni m um

o

1 2 8 - b

i t S S L u s i n gr e c o gni z e d 3 r d P a r t y en c r y p t i on

c er t i f

c a t e ( e . g . V er i s i gn )

√

√

8 . 0 8

I n t r u s i onP r e s en t a t i on S y s t em ( I P S ) a n d I n t r u s i on

D e t e c

t i on S y s t em ( I D S ) a r e b o t h d e pl o y e d or s e c ur i t y

√

√

8 . 0 9

W e b A p pl i c a t i onF i r e w a l l or HT T P S t r a f c i n s p e c t i on

√

√

8 .1 0

D e en

s ei n D e p t h s t r a t e g y d e pl o y e d

√

√

8 .1 1

E x t er n a l V ul n er a b i l i t y &P en e t r a t i onT e s t i n g p er o

r m e d

b yr e c

o gni z e d 3 r d P a r t y ( e . g .M c A e e S e c ur e )

√

√

8 .1 2

I n t er n a l V ul n er a b i l i t y &P en e t r a t i onT e s t i n g p er or m e d

u s i n g

i n d u s t r y s t a n d a r d t o ol s ( e . g .A p p S c a n , W e b i n s p e c t )

√

√

8 .1 3

Vi r u s

pr o t e c t i onr un s on a l l s er v er s

√

√

9 .E l e c t r oni c C onf r m a t i onP r o c e s s

√

√

9 . 0 1

A u s er c a nn o t el e c t r oni c a l l y s i gn s om e on e el s e’ s n a

m e on

t h e c o

nf r m a t i on

√

√

9 . 0 2

U s er a c t i vi t yi s l o g g e d

√

√

1 0 .A d d i t i on a l I t em s

√

√

1 0 . 0 1

D ef n e d S er vi c eL e v el A gr e em en t wi t h E s c a l a t i on

P r o c e

d ur e s

√

√

1 0 . 0 2

R e vi e w S er vi c eA gr e em en t

√

√

1 0 . 0 3

R e vi e wP r i v a c yP ol i c y

√

√




30

About the Authors

L

Gary Boomer is CEO o Boomer Consulting,

Inc., an organization that provides planningand consulting services to leading rms in theaccounting industry. Boomer strategies chart atransormation roadmap that results in increasedrevenue, goal-oriented personnel and businessgrowth.

Gary is recognized in the accounting proessionas the leading authority on technology and rmmanagement. For the past twelve years, he hasbeen named by Accounting Today as one o

the 100 most infuential people in accounting.He consults and speaks around the globe onmanagement and technology related topicsincluding strategic and technology planning,compensation and developing a training/learningculture. He acts as a planning acilitator, providescoaching and serves on many advisory boards.

As a member o The Advisory Board, Gary collaborates in a partnership o esteemed accountingrm consultants. He is the past chairman o the

AICPA’s Inormation Technology ExecutiveCommittee and a member o the AICPA Council.He has also served on the AICPA’s Academic andCareer Development Executive Committee and the

ACUTE Board o Directors. Gary currently servesas the President o the Kansas Society o CPAs andon the accounting advisory board at Kansas StateUniversity.




31

A

s the ounder o Capital Conrmation,

Inc. (CCI),BrianFox

has been thedriving orce or CCI’s eective response torapidly evolving accounting industry standards.Brian previously worked in Audit or Ernst &

Young LLP and Mergers and Acquisitions orPricewaterhouseCoopers LLP. Early on as asta and senior accountant, Brian identied theineciencies and potential or raud inherentin the current conrmation process. His visionresulted in the creation o a new, innovative andaward-winning patented process, which today

places CCI at the oreront o accounting industry service providers.

In 2006 Brian was named by The CPA Technology Advisor as one o the accounting proession’sinaugural “40 Under 40”. Brian is a member o the

AICPA and The Tennessee Society o CPAs, wherehe sits on the Accounting and Auditing SymposiumCommittee or the Society. He has authorednumerous articles on raud, and his writing andquotes have appeared in The CPA Journal , New York

Times , The CPA Technology Advisor , AP Matters , The Auditor’s Report , The International Herald Tribune and many other proessional publications. He alsoteaches continuing proessional education classeson nancial raud and is oten a guest lecturer atproessional conerences and business schools.

Brian completed his MBA at Vanderbilt University with a dual concentration in Finance and ElectronicCommerce and received a BBA in Accounting rom

Southern Methodist University’s Cox BusinessSchool.

About the Authors




32

Capital Conrmation, Inc. provides secure electronic conrmation services orauditors, those responding to conrmation requests and their shared client.

Capital Conrmation’s patented Conrmation.com service minimizes raud andbrings eciency to the audit conrmation process.

This easy to use, web-based service guarantees responses and has an averageturnaround time o less than two business days. Using Conrmation.com,auditors will spend less time tracking down conrmations and have more timeto spend on other critical engagement activities.

Conrmation.com provides both In-Network and Out-o-Network delivery options, allowing you to send conrmation requests to 100 percent o banks and other responding companies worldwide. For the greatest levelo eciency and security, Conrmation.com’s In-Network applicationuses a unique Authentication and Authorization process to validate theauthenticity and authorization o each user. Capital Conrmation alsoreceives a SAS 70 Type II and SysTrust certication every six months toensure that the highest level o security standards are used or privacy and

data integrity.

As a result, Conrmation.com received the coveted CPA Technology Advisor ’s Tax & Accounting Technology Innovation award or2009 as well as the 2009 Reader’s Choice Award. That’s why several hundred responding companies and over 6,000 accountingrms in 52 countries trust Conrmation.com or their auditconrmation needs.

About Conrmation.com




33

The Boomer Advantage Guides™

Order your copies today at www.boomer.com

http://www.boomer.com/

http://www.boomer.com/



© 2010 Boomer Consulting Inc All Rights Reserved No part of this publication

Think. Plan. Grow!

I you would like urtherinormation about The Boomer

Technology Circles or otherBoomer Consulting, Inc. services

and products, please visit our website

www.boomer.com

This publication is not a substituteor the advice o your advisors,

personal and proessional.

Documents

Guide to Electronic Confirmations