Issues with the Communication and Integrity of Audit Reports when Financial Reporting Shifts to an Information-Centric Paradigm


Eric E. Cohen, PwC; Roger Debreceny, University of Hawai’i at Mānoa; Stephanie Farewell, University of Arkansas at Little Rock; Saeed Roohani, Bryant University


Setting the Stage
• This is a non-theoretical paper. There are no hypotheses. We are interested in providing a discussion of a potential problem and moving towards a solution.
• Should we be proactive or reactive?
• Who thinks all managers are honest in financial reporting?
• Who knows the movie Rogue Trader?
• What did Nick Leeson do when the auditors wanted a non-existent client confirmation?
• Does electronic communication of financial information change the risk of deception?
• The problems discussed pre-date XBRL.
• The issue does not depend on whether we are discussing assurance on the XBRL process or providing an XBRL tagged audit report.
• If we can ensure the integrity and security of the instance document and the assurance report we can improve the consumption of financial information.

Motivation
• The technology for communicating financial information has moved forward but critical tangential issues remain with regard to the communication of assurance.
• The issues need to be resolved soon because of international demands for XBRL assurance.

Outline
• Communicating Assurance on XBRL instance documents
• Background
• Historical Examples
• Potential Alternatives
• Associating and Securing the assurance to the instance document
• Implication of inline XBRL

Q: When is a door not a door?
A: When it's ajar.

Q: When is a Financial Statement not a document?
A: When it's digital.

http://pcaobus.org/Standards/Auditing/Pages/AU9550.aspx

E-Reporting and the Auditor
In March 1997 [1], the AITF issued its interpretation of AU 550 in the Journal of Accountancy, stating 'that electronic sites (including Internet sites) are a means of distributing information and are not "documents" as that term is used in SAS No. 8. Thus, auditors do not have an obligation pursuant to SAS No. 8, to read information in electronic sites or to consider the consistency of other information included in electronic sites with the original documents.'
[1] http://www.aicpa.org/members/div/auditstd/opinion/apr97_3.htm

The interpretation is TO THIS DAY a PCAOB interim standard
http://pcaobus.org/Standards/Auditing/Pages/AU9550.aspx
1997, 2001

Additional slide SAS 98
The chair of that committee, John L. Archambault, reported on its deliberations in CPA Journal, November 1999

Issue 1: What was the basis for the conclusion reached in Interpretation #4 to SAS No. 8, Other Information in Electronic Sites Containing Audited Financial Statements?
Discussion: On a given website, there may be no clear boundaries between the audited financial statements and other financial or nonfinancial information. Not only can a website include a substantial amount of information generated by the company (i.e., about products, employment, and nonfinancial data) but, through hyperlinks, it can also include information from outside sources. This information may also be continuously changing.
It is not only impractical, but almost impossible for an auditor to access all of the information that is on or linked to a client's website. This is analogous to the auditor attempting to access all of the client's internal information, reports, or documents and all external information about the client from other sources. Thus, under SAS No. 8, a website is not considered to be a "document" as that term is used in AU section 550, and an auditor is not required to read the information on a website or to consider whether it is consistent with information in original documents.
1999

SEC: Auditor Involvement in XBRL
We note that issuers can obtain third-party assurance under the PCAOB Interim Attestation Standard, AT sec. 101, Attest Engagements, on interactive data, and can start and stop obtaining assurance whenever they choose.
Although Rule 405 as adopted does not include a requirement that auditors' reports be tagged, the rules do not prohibit issuers from indicating in the financial statements (such as in a footnote) the degree of auditor involvement in the tagging process. Accordingly, we believe that an issuer can make clear the level of auditor involvement or lack thereof in the creation of the interactive data exhibit.

How do we communicate assurance?

Document Level Assurance Report on Client Website

Historical Examples of Communicating XBRL Assurance
• BDO Spain and Software AG Spain
• PwC and UTC, WR Grace under SEC VFP
• Deloitte NL and EY NL: auditor report with hash total
• Deloitte NL/EY NL and EY NL/BDO NL with digital signature
• Just released: Deloitte NL on EY NL uses a detached digital signature

W. R. Grace under PCAOB Staff Q&A

http://sec.gov/Archives/edgar/data/1045309/000110465907086296/0001104659-07-086296-index.htm

Is the auditor associated with this set of XBRL documents? Have they provided an auditor's report?

Display on EY NL Web Site

http://www.ey.com/NL/nl/About-us/XBRL-financial-statements-and-sustainability-information

BDO Assurance Report

Display on Deloitte NL Web Site

http://2011-2012.deloitteannualreport.nl/xbrl/

EY Report on Deloitte NL's Financials

Breaking News: 2013 Reports Just In

Attempt to Verify Signature on Filing

Content on Web Site

Includes XBRL reporting

Drill Down Into XBRL

Download Report Files

XBRL Instance Document

XML Signature on XBRL Instance Document

Store Files

XBRL Document Is Clean, Valid

Signature Detached

Attached or Detached Signature?

2012: Attached
• Good news: You know it has been signed
• Bad news:
  • Enveloping: instance content is untouched but must be unwound from signature before using; can be used for multiple files (instance plus other files)
  • Enveloped: Instance is changed, still must be unwound before validating or using.
• Question on separation of responsibilities, physical file ownership

2013: Detached
• There is no physical link from the instance
• Separation between responsibilities of management and auditor is maintained
• One detached signature can reference numerous external files (instance, schema, linkbases, auditor's report) granularly (XML) or as a whole (XML, PDF, etc.)

Altova XML Verification

Problems with XML Spy Validation
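The detached model from the "Attached or Detached Signature?" slide, as an added example that is not part of the original presentation: one separate signature object references several files by digest, leaves them byte-for-byte untouched, and lets a verifier say which file changed or was never covered. The file names, contents and key are constructed; a JSON reference list stands in for the XML Signature reference block, and an HMAC stands in for the auditor's public-key signature so the sketch runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed sample files (not taken from any filing): name -> bytes.
FILES = {
    "report.xbrl": b"<xbrl><Assets contextRef='FY2012'>1000</Assets></xbrl>",
    "report.xsd": b"<schema/>",
    "auditors-report.pdf": b"%PDF-1.4 constructed placeholder",
}
AUDITOR_KEY = b"constructed-demo-key"  # assumption: stand-in for the auditor's signing key


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_detached(files, key):
    """Build a detached signature: per-file digests plus a MAC over that list."""
    refs = {name: digest(data) for name, data in files.items()}
    signed_info = json.dumps(refs, sort_keys=True).encode()
    mac = hmac.new(key, signed_info, hashlib.sha256).hexdigest()
    return {"references": refs, "signature": mac}


def verify_detached(files, sig, key):
    """Return a status per file; 'manifest' says whether the reference list is authentic.

    Per-file results are only meaningful when 'manifest' is True.
    """
    signed_info = json.dumps(sig["references"], sort_keys=True).encode()
    expected = hmac.new(key, signed_info, hashlib.sha256).hexdigest()
    result = {"manifest": hmac.compare_digest(expected, sig["signature"])}
    for name, ref in sig["references"].items():
        if name not in files:
            result[name] = "missing"
        elif hmac.compare_digest(digest(files[name]), ref):
            result[name] = "ok"
        else:
            result[name] = "modified"
    # Files delivered alongside the signature but never referenced by it.
    for name in files.keys() - sig["references"].keys():
        result[name] = "not covered"
    return result
```

A consumer should treat "not covered" as seriously as "modified": a file that sits next to the signature but is not referenced by it carries no assurance at all.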

Guidance on EY Web Site
Our auditors have used digital signing software to sign the instance documents for identification purposes, creating detached XML - Digital Signature (XML DSign) files. With for example DigiSeal Reader the integrity of the instance documents can be validated by verifying the digital signature files in combination with the XBRL instance documents. Due to technical limitations of the current version of DigiSeal Reader the verification cannot be performed online. Instead users have to install the certificate provided by our auditor into the directory C:\ProgramData\digisealreader\certificates\issuer_certificates.

If You Don't Follow the Guidance

If You Think You Followed the Guidance, But Didn't Unzip the Certificate

If You Unzip the File

Signature approach
• No association of assurance report with signature
• EY digitally signs a copy of the instance, provides the signed copy as S/MIME file
  http://2011-2012.deloitteannualreport.nl/fbcontent.ashx/downloads/2011-2012/Deloitte_NL_annual_report_2012.xbrl.p7m
• DELOITTE (the Reporter, not the auditor) links to a tool consumers may use to check the signature

Communication Alternatives

Document Level Assurance Report: Document Level Assurance Report on Client and Auditor Website

Document Level Assurance Report: XLink Identification of Covered Facts

Securing Assurance Reports

Item Level Assurance Report: XLink Identification of Covered Facts

Quasi- or Real-time Management Context

Inline XBRL
• Changes the game but doesn't eliminate the problems

We have audited the financial statements of ABC BERHAD, which comprise the balance sheets as at 30 June 2009 of the Group and of the Company, and the income statements, statement of changes in equity and cash flow statements of the Group and of the Company for the year then ended, and a summary of significant accounting policies and other explanatory notes, as set out on Pages XX to XX.

Directors' Responsibility for the Financial Statements
The Directors of the Company are responsible for the preparation and fair presentation of these financial statements in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia. This responsibility includes: designing, implementing and maintaining internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; selecting and applying appropriate accounting policies; and making accounting estimates that are reasonable in the circumstances.

Auditors' Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit. Except as described in the Basis for Qualified Opinion paragraph below, we conducted our audit in accordance with approved standards on auditing in Malaysia. Those standards require that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on our judgment, including the assessment of risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, we consider internal control relevant to the Company's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Company's internal control. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by the directors, as well as evaluating the overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.

Qualified Opinion
In our opinion, except for the effects of the adjustments on the financial statements, if any, as mentioned in the preceding paragraph, the financial statements have been properly drawn up in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia so as to give a true and fair view of the financial position of the Group and of the Company as at 30 June 2009 and of their financial performance and the cash flows for the financial year then ended.

Take-aways
• It's an old issue that is finally at fruition: what is the risk to the profession if we don't get it right
• XBRL exacerbated the problem but can help resolve it
• Solving the problem enhances the consumption and reliability of financial information across multiple constituents

• Need for formal evaluation
• Need for market discussion and collaboration
• Need for prototypes
• Need for technical, legal and professional guidance and change
• Evolutionary process

Conclusions
Contact author: [email protected]

Questions?