What changed in the AICPA audit confirmation standard?

The AICPA update changes how auditors document external confirmations, especially for cash, intermediaries and negative confirmations.

The American Institute of CPAs' Auditing Standards Board approved the update on May 14, according to CPA Practice Advisor. The new Statement on Auditing Standards: External Confirmations is expected to be available through AICPA & CIMA in July and effective for firms on Dec. 15, 2028. Early adoption is possible.

That sounds far away. It isn't. Confirmation procedures sit inside ordinary audit programs, bank confirmation templates, AR testing steps and review checklists. If a firm waits until 2028, the cleanup will land during engagement season.

Which procedures should small audit firms review first?

Small firms should review cash confirmations, negative confirmations, intermediary use, direct access procedures and evidence documentation first.

The first change to flag is cash. CPA Practice Advisor reports that the new SAS introduces a requirement for auditors to use external confirmation procedures for cash and cash equivalents held by third parties unless certain conditions exist. That means a small firm should not treat bank confirmations as a habit it can skip without a documented reason.

The second change is negative confirmations. The update adds conditions that must be met before a firm uses them. Negative confirmations can be tempting because they create less follow-up work. They also provide weaker evidence when response risk is high. Under the new standard, firms should expect reviewers to ask why a negative confirmation was suitable, not just whether one was sent.

The third change is evidence obtained through intermediaries or direct access. The standard gives guidance on directly accessing information maintained by a knowledgeable external source. That matters because confirmation work has moved away from paper letters and toward electronic confirmation platforms, portals and other third-party sources.

| Area | What Changes | Small-Firm Action |
| --- | --- | --- |
| Cash and cash equivalents | External confirmation procedures become the expected route unless conditions exist | Add a required cash-confirmation decision point to the audit program |
| Negative confirmations | New conditions apply before relying on them | Require manager signoff when negative confirmations are used |
| Intermediaries | Use of service providers receives updated guidance | Document platform reliability, control and response handling |
| Direct access | Auditors get guidance for knowledgeable external sources | Define who controls access and what evidence gets retained |

Does this force every firm onto electronic confirmations?

The AICPA update does not turn every small audit firm into a platform buyer, but electronic evidence now deserves a formal review.

Thomson Reuters describes a confirmation market already moving toward electronic methods, automation and direct access. Treat that as vendor market context, not a rulebook. Still, the direction is clear enough: reviewers will expect firms to understand how electronic confirmation platforms work, who controls the request and what audit trail supports the response.

A small firm can still make practical choices. A 20-engagement practice may not need the same technology stack as a regional firm. But it does need a documented standard for when it uses a platform, when it contacts a third party directly and how the engagement file proves the auditor controlled the confirmation process.

What should change in the audit methodology file?

The methodology file should spell out confirmation decisions, evidence retained, platform controls and reviewer expectations in plain language.

Start with AU-C Section 505 references in your audit program. Then add a short decision memo for cash and cash equivalents: whether confirmation procedures were used, what source was contacted, how the request was controlled and what conditions supported any alternative path.

Update negative confirmation language next. The old shortcut, "send negatives for low-risk balances," is too thin. The file should explain why recipients are likely to respond if information is wrong, why expected misstatement risk is low and why the procedure fits the assertion being tested.

Finally, add a platform or intermediary checklist. It should ask who initiated the request, whether the response came from a knowledgeable external source, how identity was validated, whether the platform altered the data and what evidence the firm keeps.

That checklist should name the tool, too. If the firm uses Confirmation.com, a bank portal or direct read-only access to a client's financial institution, the file should say which path was used and why that path produced reliable audit evidence.

What is the small-firm risk if nothing changes until 2028?

The risk is not a missed deadline. The risk is a file full of confirmation habits nobody can defend later.

Small audit firms often reuse last year's workpapers because the engagements look familiar. That is efficient until the standard moves and the template keeps pulling staff backward. The first weak file under the new standard will not fail because nobody knew the term "external confirmations." It will fail because the file does not show why the auditor trusted the source.

There is a second problem: staff training. New seniors and managers will learn whatever the template asks them to do. If the template keeps treating electronic confirmations, negative confirmations and cash confirmation exceptions as informal decisions, the firm will have to retrain the same people later.

The practical read

This is not a panic story. It is a template story. The firms that update the checklist early will turn the 2028 effective date into a quiet transition instead of a retrofit.

What should firms do this quarter?

This quarter, firms should update confirmation templates, assign an owner, train reviewers and test one file against the new standard.

Use one recently completed audit as the test case. Walk the cash confirmations, AR confirmations, legal letters and any negative confirmations. Ask whether the file would explain the source, control, response, exception handling and review conclusion to someone who did not work on the engagement.

Then turn that test into training. One partner or audit manager should brief staff on the new cash-confirmation expectation, negative confirmation limits and electronic evidence documentation before templates get reused again.

If the test file cannot explain those things to an outside reader, fix the template before the next busy cycle. Tie the update to related audit technology work, including your broader AI audit tool validation and audit evidence discipline. The same question runs through all of it: would the work survive review?

That is the Accounting Desk answer. Do not wait for the effective date to discover the workpaper was the weak control.

Fact-checked by Sydney Smart