APPENDIX A Audit Procedure Checklist - Student Deliverable Date Initial Audit Procedures Go to https://edu.Confirmation.com, the educational platform created by Confirmation.com for the purpose of this case, and sign up as a new user. Watch the 3 minute narrated tutorial of the edu.Confirmation.com service presented at log in and also under Help. Download: (1) Simply Soups Inc. Case Study (2) Support Materials (Annotated Instructional Guide for Students); (a) A step-by-step guide on how to complete the case using edu.Confirmation.com; (b) Shortcuts to assist in trouble shooting any questions that might arise as you complete the case; and (c) Relevant excerpts of technical guidance and professional standards to assist you. Review the video tutorials from the \"Guides\" section under the \"Help\" tab. Review the client prepared documents and audit workpapers (Exhibit 1-4). Assess the controls in place around the edu.Confirmation.com service. (1) Carefully examining the SOC3 report found on edu.Confirmation.com under the security tab. (2) Consider whether or not the details of this report address all the control objectives stipulated by the professional standards in order to rely on edu.Confirmation.com. (3) Document your considerations and understanding of the controls obtained in the Confirmation Testing Memo. Be sure to document any additional SOC reports you may need to request in order to comply with the professional standards as well as the evidence each report would provide. Add Simply Soups Inc. as a new client. Add a TEAM NAME if workgroups are used. From the Bank Account Listing, add the first four cash accounts you will be confirming. ADVANCED: Also add the last two cash accounts, one of which is Out-ofNetwork. Send the Client Authorization Code request to client contact. Initiate first confirmations. Evaluate the information received and its appropriateness as persuasive audit evidence. As necessary, prepare and send reconfirmations or second confirmation requests. For reconfirmations or second requests, evaluate the information received and assess its appropriateness as persuasive audit evidence. Document your procedures which include: (1) Agreeing the confirmed account detail to the bank account listing on the key information summary and reconciling any differences; (2) Agreeing the confirmed balance to the reported bank balance on the bank reconciliation testing summary and reconciling any differences; and (3) Considering whether the information provided by the bank is persuasive audit evidence. Submit Case Study Deliverables to be reviewed by your manager: (1) Audit Procedure Checklist; (2) Confirmation Testing Workpaper and Memo; (3) Confirmation Log (export from edu.Confirmation.com); and (4) Confirmations Received (export from edu.Confirmation.com). Simply Soups Inc.: A Teaching Case Designed to Integrate the Electronic Cash Confirmation Process into the Auditing Curriculum ABSTRACT: Simply Soups Inc., a producer of organic canned soups, has hired your firm, Putnam and Jacobs LLP, to perform a financial statement audit for the year ended December 31, 20CY. Using the PCAOB's proposed standard on confirmations and electronic confirmations, you are to complete the testing of the cash balance reported by Simply Soups Inc. at year-end. Today, a majority of large banks require auditors to use electronic cash confirmation requests and, as a result, mostly all large audit firms use them. When using electronic confirmation requests, audit firms typically rely on a third-party intermediary to provide a secure technological platform to transmit information between the bank and the auditor as well as to validate the authenticity of the respondent. In requiring you to electronically confirm cash balances using a third-party intermediary, this case provides an opportunity to improve your understanding of current audit practice, strengthen your technical knowledge of applicable standards, and develop the professional judgment skills necessary to appropriately evaluate and document the persuasiveness of audit evidence. Keywords: Electronic cash confirmations, substantive tests of details, cash, SOC reporting Forthcoming in Issues in Accounting Education CASE Company Overview Founded in 1985, Simply Soups Inc. is an American producer of organic canned soups and related products. Simply Soups Inc. products are sold in 120 countries around the world. The company's mission is to craft fresh, delicious and nourishing soup using only the highest quality organic ingredients and spices. Simply Soups Inc. makes its fresh soups by hand, using local organic ingredients and savory spices without added preservatives or artificial ingredients. Each year, nearly 100 million U.S. households, or more than 80 percent of all U.S. households, purchase soup from Simply Soups Inc. Packaged in recyclable blue and white cans, Simply Soups Inc. is currently the fastest growing soup company in the world. Simply Soups Inc. is also known for giving back to the local community by donating 2% of their fresh soup to help support families in need. In addition, Simply Soups Inc. is recognized for their excellent employee benefit programs and flexible work arrangements. Simply Soups Inc. went public in 2005 and is currently listed on one of the major stock exchanges (ticker symbol - SSPS). As a publicly traded company, Simply Soups Inc. is required to file audited financial statements with the Securities and Exchange Commission. For several years, Simply Soups Inc. has retained Putman and Jacobs LLP to perform their annual audit. Year-End Cash Balance As of December 31, 20CY Simply Soups Inc. has reported the following cash balances, shown in Exhibit 1, for each of the Company's six cash accounts. The engagement intern has already agreed the total cash balance reported for the six cash accounts to the Company's Balance Sheet and did not note any discrepancies. [Insert Exhibit 1] 1 In total, the Company's cash balance has remained generally consistent from December 31, 20PY, with only a small increase noted in the overall balance as of December 31, 20CY. However, in looking at the disaggregated balances for each of the six cash accounts, shown in Exhibit 2, there appears to be a significant fluctuation in the Company's Bank of Citizens account. This fluctuation has yet to be investigated by the audit team, but is likely to be something the team follows up on with management during the course of the audit. [Insert Exhibit 2] The Audit of Cash In order to begin the audit of the Company's cash balance, the experienced associate obtained the bank reconciliation for each cash account, prepared by Simply Soups Inc. As shown in Exhibit 3, the experienced associate assigned to the engagement has already tested all reconciling items and traced the Company's reported bank balance into the 12/31/20CY bank statements.1 The bank reconciliation testing performed by the experienced associate provides some support for management's existence and completeness assertions related to cash. However, in order to obtain stronger or more persuasive evidence, the \"bank balance\" reported by the Company on the bank reconciliations must be confirmed directly with each bank. In general, evidence obtained from an independent source, such as a bank, is considered more reliable than evidence obtained from an internal source at the audit client (PCAOB 2010a). [Insert Exhibit 3] Please note that although the testing of the bank reconciliation provides further audit evidence over management's assertion of existence and completeness for cash, this procedure is beyond the scope of this case and is not required to complete this assignment. 1 2 Although confirming the Company's cash balance with each bank generally provides reliable evidence, the confirmation process is subject to the risk of interception and alteration of confirmation responses (PCAOB 2010b). When an unauthorized individual attempts to intercept and alter a confirmation response, the ultimate intention of the individual is likely to overstate the Company's cash balance. This risk is present regardless of whether confirmation requests are sent electronically or on paper (PCAOB 2010b). Thus, when completing the external confirmation process, the professional standards require the auditor to control the delivery and receipt of the confirmation request, and take steps to authenticate the identity of the person completing the request (PCAOB 2010b). Third-party intermediaries can assist auditors in securely transmitting information to the bank and validating the authenticity of the respondent. As a result, and most importantly, electronic confirmations sent through secure third-party intermediaries can make it more difficult for a fraudster to intercept and alter confirmation requests. Peregrine Financial Group, Inc. (PFGBest) is a recent example of a cash confirmation fraud that was detected in large part through the use of electronic confirmations. For twenty years the CEO at PFGBest defrauded investors. To help conceal his fraud, the CEO rented a post office box to intercept bank confirmation requests and then forged official bank signatures to \"confirm\" the fraudulent bank balances and mislead regulators about the cash balance maintained by his brokerage firm (Rothfeld, Patterson, and Bunge 2012). However, when the regulators switched to electronic confirmations processed by a secure third-party intermediary, the CEO was unable to intercept or alter the confirmations any longer and his 215 million dollar fraud was exposed (Bunge, Patterson, and Steinberg 2012). Unfortunately, in recent years, there has been an increase in the use of the cash account as a mechanism to help perpetrate fraudulent actions by management. As a result, and perhaps not 3 surprisingly, several other cash confirmation frauds like PFGBest have been perpetrated over the last decade (e.g., Satyam, Parmalat, China Media Express), which is why it is essential that all audit staff develop a thorough understanding of applicable standards and the procedures required to appropriately confirm cash balances. In that spirit, this company context is designed to help you understand the unique risks associated with the external confirmation process. The auditor must always be professionally skeptical and carefully consider whether Company management has incentives to overstate the cash balance. When the incentives exist, the confirmation process, if executed correctly, is designed to detect any overstatements. Auditor's Responsibilities and An Overview Of Applicable Standards In confirming a Company's cash balance, there are two types of confirmation requests an auditor may rely on: the positive form and the negative form (AICPA 1992). Positive confirmations require the recipient to respond as to whether he or she agrees or disagrees with the information in the request (AICPA 1992). Since responding entities are required to return positive confirmations regardless of whether they agree or disagree with the information in the request, positive confirmations provide audit evidence only when the auditor receives the responses from the responding entity (AICPA 1992). In contrast, negative confirmations require the recipient to respond only if he or she disagrees with the information stated on the request and may therefore provide audit evidence even if the responding entity does not complete the confirmation request (AICPA 1992). While negative confirmations are efficient in this way, a risk exists that the respondent may not respond because the request was never received or the respondent did not attend to it. Therefore, negative confirmations are recommended only in instances where: (1) the combined assessed level of inherent and control risk is low; (2) a large number of small balances 4 are involved; (3) low exception rate is expected; and (4) the auditor has no reason to believe that the recipients of the requests are unlikely to give them consideration (AICPA 1992). When performing confirmation procedures, it is critical that the auditor maintain control over the confirmation requests by establishing direct communication with the intended recipient to minimize the possibility that the results will be biased because of interception and alteration of the confirmation requests or responses (AICPA 1992; PCAOB 2010b). In addition, the auditor must authenticate the responding entity by: (1) validating the legitimacy of the entities that the confirmations will be sent to; and (2) identifying and validating that the respondent is free from bias and authorized to respond (PCAOB 2010b). Due to the importance of confirmations in the audit process, the extent of confirmation frauds that have occurred in recent years, and the poor execution of these requirements by audit professionals, the PCAOB has proposed a new confirmation standard (PCAOB 2010b). The prior confirmation standard in use by the PCAOB has been in effect since 1992. The proposed standard not only modernizes, but also strengthens the confirmation requirements to better protect investors and other users of audited financial statements. Expanding the Scope of Required Confirmations Whereas the prior confirmation standard in use by the PCAOB requires the use of confirmations only for the audit of accounts receivable, the proposed standard expands the scope of the confirmation requirement to include the audit of cash. The expanded requirement recognizes that due to the involvement of third parties, properly designed and executed confirmations provide a highly reliable source of audit evidence over the existence of cash (PCAOB 2010b). Moreover, to ensure that confirmations yield reliable evidence, the proposed standard enhances the requirements for evaluating confirmations (PCAOB 2010b). It is critical that an auditor exercise 5 professional skepticism throughout the confirmation process, including evaluating the results of the confirmation procedures. PCAOB standards define professional skepticism as an attitude that includes a questioning mind and a critical assessment of audit evidence, and it is essential to the performance of effective audits (PCAOB 2012). PCAOB observations suggest that too often auditors focus solely on agreeing the confirmed balance to the Company's records and do not fully consider the implications of the other information provided. For instance, the reliability of the confirmation may be compromised by the existence of disclaimers or the absence of a signature by the confirming party (PCAOB 2010b). Furthermore, there may be situations in which the respondent, because of timeliness or other considerations, responds to a confirmation request other than in a direct communication to the auditor. When such responses are received, additional evidence may be required to support their validity (PCAOB 2010b). To reduce the risks associated with these types of responses and treat the confirmations as valid audit evidence, the auditor should consider taking certain precautions, such as verifying the source and contents of the response in a telephone call to the purported sender (if fax or email is used) (AICPA 1992; PCAOB 2010b). Changes in Confirmation Practices Electronic confirmations are helping auditors effectively meet the enhanced requirements proposed by the PCAOB, while reducing the time and errors experienced during the confirmation process. Auditors' increasing reliance on electronic confirmations constitutes a significant change in confirmation practice, one that the PCAOB recognizes in the proposed standard. For example, by using a third party intermediary, such as learn.confirmation.com, to execute its confirmation process, the auditors are now relying on the security of the intermediary's computing environment to prevent hackers from gaining access to the system thereby compromising the integrity of the 6 audit evidence. In addition, the auditors are now relying on a third party intermediary to ensure that the bank balance information has been obtained from a bona-fide respondent from the bank. As a result of this reliance, the PCAOB's proposed standard requires the auditor to understand and assess that the intermediary's system of internal control has been designed and is operating effectively to ensure: (1) that the electronic confirmation process is properly controlled; (2) that the integrity of the confirmation transmission with the bank is not compromised; and (3) that a bona-fide bank employee responded to the request (PCAOB 2010b, A1-15). This requirement is important because in relying on a third party like learn.confirmation.com the auditor becomes susceptible to the risks of the intermediary's control weaknesses or deficiencies (AICPA 2013). In other words, despite the auditor's best efforts, if a control realted to one of the above control objectives breaks down at learn.confirmation.com, the risk that the auditor's confirmation procedures may fail to detect a material misstatement increases. As a result, any auditor using a third party like learn.confirmation.com must assess the intermediary's system of internal controls. To obtain assurance that the intermediary's system of internal controls is effective, the auditor could perform procedures over a third party like learn.confirmation.com on its own. However, it would be very costly and time consuming if each of the many auditors and firms that relied on the intermediary tested the third party's controls on its own. As a result, it is common for a third party like learn.confirmation.com to hire an independent audit firm to examine and report on the effectiveness of its relevant internal control processes. Specifically, the hired firm tests the design and effectiveness of the controls in place at the third party intermediary and presents its findings in a Service Organization Controls (SOC) report. An auditor using the learn.confirmation.com platform then obtains the SOC report issued by the hired firm, which 7 allows the auditor to efficiently and effectively assess whether or not the intermediary's controls can be relied upon. There are three different SOC reports (i.e., SOC1, SOC2, and SOC3), each of which is designed to report upon different types of control objectives. A SOC1 report focuses on assessing the controls that are most likely to impact the users' financial statements (AICPA 2010). Moreover, a SOC1 report is intended to be used in a financial statement audit to assit the auditor in obtaining assurance over management's financial statement assertions (AICPA 2012). There are two types of SOC1 reports, Type 1 and Type 2. Both of these reports provide an opinion on management's decription of the internal control system as well as the suitability of its design. However, only a Type 2 report provides an opinion on the operating effectiveness of the internal control system and describes the tests performed by the independent auditor (AICPA 2010). Although learn.confirmation.com does not perform a direct service for an audit client's management team, in effect, the electronic platform is relied upon to maintain internal controls that ultimately provides support for the auditor's work related to management's assertions of existence and completeness related to cash. Indeed, the professional auditing standards stipulate that learn.confirmation.com must maintain controls to verify the authenticity of the bank employee responding to the confirmation request (PCAOB 2010b). Importantly such controls are tested and reported on only in a SOC1 report, which is intended to be a restricted form of communication directly to the auditors about the effectiveness of the intermediary's control system (AICPA 2010).2 2 Importantly our understanding around SOC reporting was shaped by detailed conversations with assurance professionals who lead service organization control engagements for Big 4 firms and are experts on the attestation standards that introduced SOC reports to the accounting profession in 2011 (i.e., SSAE No. 16). 8 In contrast to a SOC1 report, SOC2 and SOC3 reports are focused on communicating the effectiveness of controls over specific technology-related attributes to a wide array of stakeholders (AICPA 2010). Specifically, each report can be tailored to assess technology related controls in the areas of privacy, availability, confidentiality, processing integrity, or security (PwC 2011). While a SOC2 and SOC3 report focus on the same subject matter, there are important differences between the two. Similar to SOC 1 reports, there are two types of SOC 2 reports. A SOC2 - Type 1 report describes the design of the intermediary's control system and provides an opinion as to whether the description of the system is fairly presented and the design of the controls is appropriate (AICPA 2010). A SOC2 - Type 2 report additionally provides a description of the testing performed by the independent auditor and the detailed results of that testing (AICPA 2010). In contrast, a SOC3 report does not include a detailed description of the internal control system, the testing performed by the independent auditor, or the detailed results of that testing. Rather, a SOC3 provides only the independent auditor's opinion as to whether the intermediary's system of controls, related to a specific attribute or attributes, are effective. Per their website, learn.confirmation.com undergoes SOC1, SOC2, and SOC3 audits every six months to meet the assurance demands of its customers. However, only a SOC3 report is made publically avaiable on the learn.confirmation.com website. This is because SOC3 reports are general use reports, meaning the use of the report is not restrictued to any specific party (AICPA 2010). In contrast, neither a SOC1 or a SOC2 report are made publically available as their use is restricted to specific individuals (AICPA 2010). For the purposes of this case, only a SOC3 report is available. In order to assess whether or not the intermediary's controls can be relied upon the auditor must carefully review the assurance provided by the independent auditor in the SOC3 report and determine if it adequately addresses the risks associated with relying on the third party 9 intermediary. If the auditor feels that the SOC report received does not adequately address such risks, the auditor may request a SOC1 report to more completely understand the control testing performed and the results of that testing. In addition, the auditor can also perform additional procedures to address applicable risks if they so choose. Importance of Documentation Finally, auditors must carefully document the results of their audit procedures performed. Indeed, in order to comply with all the requirements set forth by the professional standards, the auditor must thoroughly document his or her work in order for the audit evidence to be considered sufficient and appropriate. Specifically, the PCAOB standard on audit documentation requires that auditors provide enough detail for a technically competent person unfamiliar with the audit to understand the confirmation testing performed, the evidence gathered, and conclusions reached (PCAOB 2004). This documenation must be clearly organized to permit identified issues to be easily recognized and contradicting information or inconsistencies to be appropriately highlighted (PCAOB 2004). Additionally, the documentation must clearly demonstrate how the professional standards were satisfied and provide adequate support for the auditors conclusion through the use of memos, workpapers, and confirmations (PCAOB 2004). Unless auditors properly document and retain this evidence, their work cannot be relied on by new auditors, supervisors, quality reviewers, successor auditors, inspection teams, or regulators. Case Requirements Assume that you are a new audit associate assigned to Simply Soups Inc. The engagement manager has given you the responsibility of confirming the cash balances of Simply 10 Soups Inc.'s bank accounts using electronic confirmations. Putnam and Jacobs LLP relies on learn.confirmation.com to process confirmations. Confirmation.com, which built learn.confirmation.com, is a web-based audit confirmation solution that is relied on by over 13,000 accounting firms in more than 140 countries, bringing efficiency and security to the confirmation process for cash, debt, accounts receivable, legal, employee benefits and more than 50 other confirmation types. To complete the testing of cash balances by using electronic confirmations, you are now required to perform a series of audit procedures and conclude on the audit step entitled \"Confirm Cash Balances\". Exhibit 4, below, provides key information that you will need to confirm each of the Company's six bank accounts. [Insert Exhibit 4] Ultimately, to conclude on the audit step entitled \"Confirm Cash Balances\