Modernizing Audit Evidence: Analyzing the AICPA’s New SAS No. 150 Standards

modernizing-audit-evidence-analyzing-the-aicpas-new-sas-no-150-standards

The landscape of financial auditing is undergoing a profound transformation. As digital infrastructure, third-party intermediaries, and cloud-based financial data storage become the bedrock of modern business, the methodologies used by Certified Public Accountants (CPAs) to verify financial accuracy must evolve in tandem. Recognizing this shift, the American Institute of Certified Public Accountants (AICPA) has officially released Statement on Auditing Standards (SAS) No. 150, External Confirmations.

This update represents a significant recalibration of how auditors gather evidence, aiming to bridge the gap between legacy verification practices and the realities of a digitized, interconnected global economy. By formalizing new requirements for cash verification and addressing the role of intermediaries, the AICPA is setting a new benchmark for audit reliability.


Main Facts: What is SAS No. 150?

At its core, SAS No. 150 is designed to strengthen the reliability of audit evidence gathered through external confirmation procedures. External confirmations—the process of obtaining direct communication from a third party to verify information—have long been considered a "gold standard" in auditing. However, as business models have shifted toward using digital portals and centralized intermediaries, the traditional "mail-in" confirmation process has become increasingly antiquated.

Key Provisions

  1. Mandatory Cash Verification: The most prominent change is the requirement for auditors to perform external confirmation procedures for cash and cash equivalents held by third parties. While this has been common practice, it is now a codified requirement, with exceptions granted only under specific, clearly defined conditions.
  2. Acceptance of Digital Access: SAS No. 150 formally acknowledges that direct access to information maintained by a knowledgeable external source (such as secure bank portals or authorized data aggregators) can satisfy external confirmation requirements, provided the auditor maintains appropriate professional skepticism and validation of the source.
  3. Refining Negative Confirmations: The standard updates the criteria for using "negative confirmation requests"—requests where the respondent is only asked to reply if they disagree with the information provided. The new guidance establishes stricter conditions under which these can be considered reliable evidence.

Chronology: The Path to Modernization

The development of SAS No. 150 was not an overnight decision; it was the culmination of an extensive deliberative process aimed at keeping auditing standards relevant.

  • Initial Research and Exposure: Recognizing that technological shifts were outpacing existing guidance (primarily SAS No. 67), the AICPA Auditing Standards Board (ASB) initiated a comprehensive review of the external confirmation process several years ago.
  • The May 2024 Vote: Following months of public comment, feedback from firms, and deliberation on the role of digital intermediaries, the AICPA Auditing Standards Board voted to approve the standards update in May 2024.
  • Official Publication: The final standard was formally published in late 2024, providing firms with a clear, multi-year runway to update their audit methodologies and software tools.
  • Implementation Timeline: SAS No. 150 becomes effective for audits of financial statements for periods ending on or after December 15, 2028. Notably, the AICPA has permitted early adoption, allowing firms that have already transitioned to digital-first workflows to implement the new standards immediately.

Supporting Data: Why the Change?

The shift toward SAS No. 150 is driven by data regarding the increased risk of financial misstatement in an environment where cash is increasingly held in diverse, non-traditional accounts.

The Rise of Digital Intermediaries

Audit firms have reported that nearly 85% of their confirmation processes have shifted from paper-based mailings to digital platforms. However, the use of these platforms often involves intermediaries—third-party service providers that facilitate the transfer of data between the auditee and the auditor. Without standardized guidance, the risk of "man-in-the-middle" vulnerabilities or data tampering increases. SAS No. 150 provides the necessary framework to evaluate the controls of these intermediaries.

The "Cash and Cash Equivalents" Vulnerability

Historically, cash has been a high-risk area for audit fraud. By mandating external confirmations for cash held by third parties, the AICPA is addressing the risk of "window dressing" or the misrepresentation of liquid assets. Data from recent regulatory enforcement actions suggest that a significant percentage of financial statement frauds involve the overstatement of cash; thus, standardizing this verification process is a critical defensive measure for the profession.


Official Responses and Professional Outlook

The professional community has largely lauded the update, viewing it as a necessary evolution rather than a burdensome regulatory addition.

Jennifer Burns, CPA, the AICPA’s chief auditor, highlighted the necessity of the update during the May approval process. "External confirmations remain a critical source of reliable audit evidence," Burns stated. "These updates are designed to strengthen that foundation in today’s increasingly digital and intermediary-driven environment."

Industry Reaction

Many of the Big Four and large regional firms have already begun updating their audit software to align with the principles of SAS No. 150. Partners at these firms emphasize that the new standard provides a clearer "audit trail" for regulators. By explicitly permitting the use of direct digital access to bank records, the AICPA is reducing the administrative burden on banks and auditors alike, moving away from the cumbersome process of manually requesting and tracking paper signatures.


Implications: Preparing for 2028 and Beyond

The implications of SAS No. 150 extend far beyond a simple change in paperwork. It forces audit firms to rethink their engagement workflows and their relationship with technology providers.

1. Technology Integration

Firms will need to invest in platforms that provide "direct access" to data as contemplated by the new standard. This means deeper integration with financial institutions’ APIs. Auditors will no longer simply be "receiving" information; they will be "connecting" to it. This requires a higher level of IT literacy among audit staff.

2. Professional Skepticism

While digital access is more convenient, the AICPA warns that it does not replace professional skepticism. Under SAS No. 150, auditors must still verify that the digital source is "knowledgeable" and that the data has not been compromised. The standard places the onus on the auditor to perform risk assessments on the digital platforms themselves.

3. The End of Negative Confirmations as a "Default"

The stricter requirements for negative confirmations mean that auditors must now be much more deliberate in their planning. If an auditor chooses to use a negative confirmation, they must be able to justify why that method provides sufficient, appropriate evidence in the face of the specific audit risk. This will likely lead to a decline in the use of negative confirmations across the industry, with firms shifting toward positive confirmations to ensure higher audit quality.

4. Early Adoption Considerations

While the deadline is December 2028, firms should consider early adoption to capitalize on the efficiencies the new standard provides. Implementing these changes ahead of schedule allows firms to troubleshoot their internal procedures, train staff on new digital verification protocols, and demonstrate to clients that they are at the forefront of audit quality.


Conclusion: A New Era for Audit Evidence

SAS No. 150 is more than a technical update; it is a signal that the accounting profession is embracing the digital age. By codifying the use of digital intermediaries and mandating rigorous cash verification, the AICPA is reinforcing the trust that the public places in the audit process.

As firms prepare for the 2028 deadline, the focus should remain on the underlying objective of the standard: the protection of the financial system through the acquisition of high-quality, reliable evidence. Whether through traditional confirmation letters or modern API-driven data extraction, the goal remains the same—to provide an accurate, transparent, and defensible audit opinion.

For CPAs, the next few years will be a period of adaptation. By leaning into the technological guidance provided by SAS No. 150, practitioners can not only improve their audit efficiency but also contribute to a more robust, secure, and reliable financial reporting environment for the global marketplace.


To comment on this article or to suggest an idea for another article, contact Bryan Strickland at [email protected].