University of Waterloo Centre for Information Systems Assurance 5 th Symposium on Information Systems Assurance David H. Sharpe Discussant Notes October 12, 2007

Introductory Remarks My comments today are my own, and relate to the broader issues raised in the case study in order to respect client confidentiality. This is an important topic, and the case study represents an admirable effort and raises some interesting issues for market consideration. It is important to note that the subject attestation is the first and only of its kind – this had never been done before. My comments are intended to highlight areas in which the case study’s usefulness might be enhanced.

Major Discussant Points The authors should better –Clarify when they are dealing with PCAOB versus IFAC requirements, and audit versus attest versus other future assurance alternatives. –Differentiate between attestation issues, best practices (not “required”), and XBRL design issues. –Separate exceptions and anomalies from “errors.” –Maintain differentiation between management and auditor responsibilities.

Important Background Readers should be aware that the Assurance Working Group of XBRL International "ISAE 3000" framework would not be applicable to a US attestation engagement –It did not exist at the time of the UTC attestation in 2005 [page 18]. –The notion of “presents fairly” does not exist in the relevant US guidance [page 18]. Readers should be mindful that at times the paper is commenting in the context of AWG, while at other times in the context of PCAOB guidance (which was applied in the UTC engagement).

Surprising, or not? Given the taxonomies available in 2005, is it really all that surprising that company-specific extensions were required [page 28]? –XBRL US, with the support of a marketplace consortium, is building-out the complete USG Taxonomy as we speak. Does having “145” contexts, and the order of them, really matter [page 29]? Subject matter versus criteria [page 33] - not so “circular”, when considering company extension taxonomies as “criteria” as contemplated by AT 101?

“Technical” clarification points? Notwithstanding the paper’s title, PwC did not "audit" the XBRL instance document. The engagement was conducted in accordance with US “attestation” standards. –PCAOB Q&A on Attest Engagements on XBRL –AT 101, paragraph 5 “Attestation Engagements on Financial Information Included on XBRL Instance Documents” “Reading” an XBRL instance document would unlikely be an appropriate service [footnote 10]. “Furnish” versus “file” may be a distinction without a difference for the auditor [footnote 15]. MD&A assurance criteria – while no such assurance is provided in an XBRL attestation engagement, see AT 501 [pages 22 and 27]. Extensions [pages 17, 19, 24, and 28]? –Reduce or enhance comparability? –No guidance – see AT 101 guidance for evaluating “suitability and availability”?

Forward-looking considerations Assurance, while valuable, should not be the "primary" quality control mechanism? Need for additional preparer guidance? Today’s VFP participants process is essentially “paper to XBRL” – and may change in the future if XBRL is “embedded” in internal reporting process? Chairman Cox commentary at recent SEC Press Conference

Forward-looking Assurance issues for consideration Assurance objectives and alternatives? Scalability - sampling versus 100% validation? Other –Errors? –Materiality [page 19]? –Management representations?

Your questions?