The American Institute of CPAs' Auditing Standards Board has
The guidance notes that confirmations obtained electronically can be considered to be reliable audit evidence if the auditor is satisfied that (a) the electronic confirmation process is secure and properly controlled, (b) the information obtained is a direct communication in response to a request and (c) the information is obtained from a third party who is the intended respondent.
Various means might be used to validate the source of the electronic information and the respondent's knowledge about the requested information. For example, the use of encryption, electronic digital signatures and procedures to verify Web site authenticity may improve the security of the electronic confirmation process.
If a system or process that facilitates electronic confirmation between the auditor and the confirmation respondent is in place, and the auditor plans to rely on it, an assurance trust services report, or another auditor's report on that process, may assist the auditor in assessing the design and operating effectiveness of the electronic and manual controls.
