Issues with the Communication and Integrity of Audit Reports when Financial Reporting Shifts to an Information-Centric Paradigm Eric E. CohenPwC Roger DebrecenyUniversity of Hawai’i at Mānoa Stephanie FarewellUniversity of Arkansas at Little Rock Saeed RoohaniBryant University
Setting the Stage This is a non-theoretical paper. There are no hypotheses. We are interested in providing a discussion of a potential problem and moving towards a solution. o Should we be proactive or reactive? Who thinks all managers are honest in financial reporting? Who knows the movie Rogue Trader? o What did Nick Leeson do when the auditors wanted a non-existent client confirmation? Does electronic communication of financial information change the risk of deception? The problems discussed pre-date XBRL. The issue does not depend on whether we are discussing assurance on the XBRL process or providing an XBRL tagged audit report. If we can ensure the integrity and security of the instance document and the assurance report we can improve the consumption of financial information.
Motivation The technology for communicating financial information has moved forward but critical tangential issues remain with regard to the communication of assurance. The issues need to be resolved soon because of international demands for XBRL assurance.
Outline Communicating Assurance on XBRL instance documents o Background o Historical Examples o Potential Alternatives Associating and Securing the assurance to the instance document Implication of inline XBRL
Q: When Is a … … door not a door? A: When it’s ajar. … Financial Statement not a document? A: When it’s digital. ges/AU9550.aspx
E-Reporting and the Auditor In March 1997 [1], the AITF issued its interpretation of AU 550 in the Journal of Accountancy, stating 'that electronic sites (including Internet sites) are a means of distributing information and are not "documents" as that term is used in SAS No. 8. Thus, auditors do not have an obligation pursuant to SAS No. 8, to read information in electronic sites or to consider the consistency of other information included in electronic sites with the original documents.' [1] [1] The interpretation is TO THIS DAY a PCAOB interim standard Management’s Assertions (e.g., the financial statement) The Auditor’s Message (e.g., the auditor’s report)
The chair of that committee, John L. Archambault, reported on its deliberations in CPA Journal, November 1999 Issue 1: What was the basis for the conclusion reached in Interpretation #4 to SAS No. 8, Other Information in Electronic Sites Containing Audited Financial Statements? Discussion: On a given website, there may be no clear boundaries between the audited financial statements and other financial or nonfinancial information. Not only can a website include a substantial amount of information generated by the company (i.e., about products, employment, and nonfinancial data) but, through hyperlinks, it can also include information from outside sources. This information may also be continuously changing. It is not only impractical, but almost impossible for an auditor to access all of the information that is on or linked to a client's website. This is analogous to the auditor attempting to access all of the client's internal information, reports, or documents and all external information about the client from other sources. Thus, under SAS No. 8, a website is not considered to be a "document" as that term is used in AU section 550, and an auditor is not required to read the information on a website or to consider whether it is consistent with information in original documents. Management’s Assertions (e.g., the financial statement) The Auditor’s Message (e.g., the auditor’s report)
SEC: Auditor Involvement in XBRL We note that issuers can obtain third-party assurance under the PCAOB Interim Attestation Standard— AT sec. 101, Attest Engagements on interactive data, and can start and stop obtaining assurance whenever they choose. Although Rule 405 as adopted does not include a requirement that auditors’ reports be tagged, the rules do not prohibit issuers from indicating in the financial statements (such as in a footnote) the degree of auditor involvement in the tagging process. Accordingly, we believe that an issuer can make clear the level of auditor involvement or lack thereof in the creation of the interactive data exhibit. Management’s Assertions (e.g., the financial statement) The Auditor’s Message (e.g., the auditor’s report)
How do we communicate assurance?
Document Level Assurance Report on Client Website
Historical Examples of Communicating XBRL Assurance BDO Spain and Software AG Spain PwC and UTC, WR Grace under SEC VFP Deloitte NL and EY NL auditor report with hash total Deloitte NL/EY NL and EY NL/BDO NL with digital signature Just released Deloitte NL on EY NL uses a detached digital signature
W. R. Grace under PCAOB Staff Q&A Is the auditor associated with this set of XBRL documents? Have they provided an auditor’s report?
Display on EY NL Web Site financial-statements-and-sustainability- information
BDO Assurance Report
Display on Deloitte NL Web Site
EY Report on Deloitte NL’s Financials
Breaking News 2013 Reports Just In
Attempt to Verify Signature on Filing
Content on Web Site Includes XBRL reporting
Drill Down Into XBRL
Download “Report” Files XBRL Instance Document XML Signature on XBRL Instance Document
Store Files
XBRL Document Is Clean, Valid
Signature Detached
Attached or Detached Signature? 2012: “Attached” Attached o Good news: You know It has been signed o “Bad” news: Enveloping : instance content is untouched but must be unwound from signature before using; can be used for multiple files (instance plus other files) Enveloped : Instance is changed, still must be unwound before validating or using. Question on separation of responsibilities, physical file “ownership” 2013: Detached There is no “physical” link from the instance Separation between responsibilities of management and auditor is maintain One detached signature can reference numerous external files (instance, schema, linkbases, auditor’s report) granularly (XML) or as a whole (XML, PDF, etc.)
Altova XML Verification
Problems with XML Spy Validation
Guidance on EY Web Site “Our auditors have used digital signing software to sign the instance documents for identification purposes, creating detached XML - Digital Signature (XML DSign) files. With for example DigiSeal Reader the integrity of the instance documents can be validated by verifying the digital signature files in combination with the XBRL instance documents. Due of technical limitations of the current version of DigiSeal Reader the verification cannot be performed online. Instead users have to install the certificate provided by our auditor into the directory C:\ProgramData\digisealreader\certificates\issuer_certificat es.”DigiSeal Reader
If You Don’t Follow the Guidance
If You Think You Followed the Guidance, But Didn’t Unzip the Certificate
If You Unzip the File
Signature approach No association of assurance report with signature EY digitally signs a copy of the instance, provides the signed copy as S/MIME file o /Deloitte_NL_annual_report_2012.xbrl.p7m /Deloitte_NL_annual_report_2012.xbrl.p7m DELOITTE (the Reporter, not the auditor) links to a tool consumers may use to check the signature
Communication Alternatives
Document Level Assurance Report: Document Level Assurance Report on Client and Auditor Website
Document Level Assurance Report: XLink Identification of Covered Facts
Securing Assurance Reports
Document Level Assurance Report: XLink Identification of Covered Facts
Document Level Assurance Report XLink Identification of Covered Facts
Item Level Assurance Report XLink Identification of Covered Facts Quasi- or Real-time Management Context
Inline XBRL Changes the game but doesn’t eliminate the problems
We have audited the financial statements of ABC BERHAD, which comprise the balance sheets as at 30 June 2009 of the Group and of the Company, and the income statements, statement of changes in equity and cash flow statements of the Group and of the Company for the year then ended, and a summary of significant accounting policies and other explanatory notes, as set out on Pages XX to XX. Directors’ Responsibility for the Financial Statements The Directors of the Company are responsible for the preparation and fair presentation of these financial statements in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia. This responsibility includes: designing, implementing and maintaining internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; selecting and applying appropriate accounting policies; and making accounting estimates that are reasonable in the circumstances. Auditors’ Responsibility Our responsibility is to express an opinion on these financial statements based on our audit. Except as described in the Basis for Qualified Opinion paragraph below, we conducted our audit in accordance with approved standards on auditing in Malaysia. Those standards require that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on our judgment, including the assessment of risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, we consider internal control relevant to the Company’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by the directors, as well as evaluating the overall presentation of the financial statements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion. Qualified Opinion In our opinion, except for the effects of the adjustments on the financial statements, if any, as mentioned in the preceding paragraph, the financial statements have been properly drawn up in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia so as to give a true and fair view of the financial position of the Group and of the Company as at 30 June 2009 and of their financial performance and the cash flows for the financial year then ended. Qualified Opinion In our opinion, except for the effects of the adjustments on the financial statements, if any, as mentioned in the preceeding paragraph, the financial statements have been properly drawn up in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia so as to give a true and fair view of the financial position of the Group and of the Company as at 30 June 2009 and of their financial performance and the cash flows for the financial year then ended.
Take-aways It’s an old issue that is finally at fruition: what is the risk to the profession if we don’t get it right XBRL exacerbated the problem but can help resolve it Solving the problem enhances the consumption and reliability of financial information across multiple constituents
Need for formal evaluation Need for market discussion and collaboration Need for prototypes Need for technical, legal and professional guidance and change Evolutionary process Conclusions
Contact author: