Communicating Assurance on XBRL-Tagged Reports to the SEC:

Challenges and Opportunities

Eric E. Cohen PwC

Roger Debreceny University of Hawai’i at Mānoa

Stephanie Farewell University of Arkansas at Little Rock

Saeed Roohani Bryant University

Setting the Stage• This is a non-theoretical paper. There are no hypotheses.

As a matter of fact there isn’t even a single solution in the end.

• We are interested in providing a discussion of a potential problem and moving towards a solution.o Should we be proactive or reactive?

• The problems discussed pre-date XBRL.• Who thinks all managers are honest in financial reporting?• Who knows the movie Rogue Trader?

o What did Nick Leeson do when the auditors wanted a non-existent client confirmation?

• Does electronic communication of financial information change the risk of deception?

• If we can ensure the integrity and security of the instance document and the assurance report we can improve the consumption of financial information.

Prestigious Company

Two Obvious Interconnected Tracks

Management’s

Assertions (e.g., the financial

statement)

The Auditor’s Message (e.g., the auditor’s report)

“Mutually exclusive” goals• Maintain clear separation for responsibility and

authentication• Make inseparable so stakeholders get complete

message

Q: When Is a …… door not a door?A: When it’s ajar.

… Financial Statement not a document?A: When it’s digital.

http://pcaobus.org/Standards/Auditing/Pages/AU9550.aspx

E-Reporting and the AuditorIn March 1997[1], the AITF issued its interpretation

of AU 550 in the Journal of Accountancy, stating 'that electronic sites (including Internet sites) are a means of distributing information and are not "documents" as that term is used in SAS No. 8. Thus, auditors do not have an obligation pursuant to SAS No. 8, to read information in electronic sites or to consider the consistency of other information included in electronic sites with the original documents.' [1] http://www.aicpa.org/members/div/auditstd/opinion/apr97_3.htm

The interpretation is TO THIS DAY a PCAOB interim standardhttp://pcaobus.org/Standards/Auditing/Pages/AU9550.aspx

Management’s Assertions (e.g., the financial statement)

The Auditor’s Message (e.g., the auditor’s

report)

The chair of that committee, John L. Archambault, reported on its deliberations in CPA Journal, November 1999

Issue 1: What was the basis for the conclusion reached in Interpretation #4 to SAS No. 8, Other Information in Electronic Sites Containing Audited Financial Statements?

Discussion: On a given website, there may be no clear boundaries between the audited financial statements and other financial or nonfinancial information. Not only can a website include a substantial amount of information generated by the company (i.e., about products, employment, and nonfinancial data) but, through hyperlinks, it can also include information from outside sources. This information may also be continuously changing.

It is not only impractical, but almost impossible for an auditor to access all of the information that is on or linked to a client's website. This is analogous to the auditor attempting to access all of the client's internal information, reports, or documents and all external information about the client from other sources. Thus, under SAS No. 8, a website is not considered to be a "document" as that term is used in AU section 550, and an auditor is not required to read the information on a website or to consider whether it is consistent with information in original documents. Management’s

Assertions (e.g., the financial statement)

The Auditor’s Message (e.g., the auditor’s report)

What does the SEC have to say about XBRL

Assurance?• No audit of the instance document is required• The audit report on the financial statements

cannot be tagged

SEC: Auditor Involvement in XBRL

• We note that issuers can obtain third-party assurance under the PCAOB Interim Attestation Standard—AT sec. 101, Attest Engagements on interactive data, and can start and stop obtaining assurance whenever they choose.

• Although Rule 405 as adopted does not include a requirement that auditors’ reports be tagged, the rules do not prohibit issuers from indicating in the financial statements (such as in a footnote) the degree of auditor involvement in the tagging process. Accordingly, we believe that an issuer can make clear the level of auditor involvement or lack thereof in the creation of the interactive data exhibit. Management’s

Assertions (e.g., the financial statement)

The Auditor’s Message (e.g., the auditor’s

report)

Quiz Question:

What is envelope theory?

US SEC and Electronic Disclosure

• 2000 – “Envelope Theory”

• 2007 – disclosure on Corporate Web Sites

• 2009 – Audit on XBRL ok – but no audit report

• 2013 – Twitter and social media suitable for disclosures

http://www.sec.gov/rules/interp/34-42728.htm May 1, 2000

Sticking Your Neck Out

Do you want to lead or follow?

Historical Examples of XBRL Assurance

• BDO Spain and Software AG Spain• PwC and UTC, WR Grace under SEC VFP• Deloitte NL and EY NL auditor report with hash• Deloitte NL/EY NL and EY NL/BDO NL with digital

signature

W. R. Grace under PCAOB Staff Q&A

http://sec.gov/Archives/edgar/data/1045309/000110465907086296/0001104659-07-086296-index.htm

Is the auditor associated with this set of XBRL documents? Have they provided an auditor’s report?

Display on EY NL Web Site

http://www.ey.com/NL/nl/About-us/XBRL-financial-statements-and-sustainability-information

BDO Assurance Report

Potential Solutions for Ensuring Integrity and

Security

This represents the examples we just examined.

Document Level Assurance Report on Client Website (5)

Document Level Assurance Report: Document Level Assurance Report on Client and Auditor Website (6)

Document Level Assurance Report:XLink Identification of Covered Facts (7)

Document Level Assurance Report:XLink Identification of Covered Facts

(8)

Document Level Assurance Report XLink Identification of Covered Facts

(9)

Item Level Assurance Report XLink Identification of Covered Facts Quasi- or Real-time Management Context (10)

Communicating Assurance: Human

Interaction

Fool-proof Agreed-Upon User Interface

Search for: XYZ Corp. financials

Financials for XYZ Corp

Balance Sheet

Income Statement

Performance metrics

More info at www.xyzmgmtinfo.com

http://assuredfinancials.iasc.org.uk

Key:Assurance provided No assurance provided

Signature check: Company CPA

Certified repositories or data sources

Best practices data searches

Color coding or other tool to

highlight whether

assurance is provided.

Digital signature

check: green is clear, yellow is questionable,

red is bad.

Why Yello? e.g., firm

checks ok; signer is not on

file …

Call to action

Inline XBRLChanges the game but doesn’t eliminate the problems

• We have audited the financial statements of ABC BERHAD, which comprise the balance sheets as at 30 June 2009 of the Group and of the Company, and the income statements, statement of changes in equity and cash flow statements of the Group and of the Company for the year then ended, and a summary of significant accounting policies and other explanatory notes, as set out on Pages XX to XX.

• Directors’ Responsibility for the Financial Statements • The Directors of the Company are responsible for the preparation and fair presentation of these financial

statements in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia. This responsibility includes: designing, implementing and maintaining internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; selecting and applying appropriate accounting policies; and making accounting estimates that are reasonable in the circumstances.

• Auditors’ Responsibility• Our responsibility is to express an opinion on these financial statements based on our audit. Except as described

in the Basis for Qualified Opinion paragraph below, we conducted our audit in accordance with approved standards on auditing in Malaysia. Those standards require that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on our judgment, including the assessment of risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, we consider internal control relevant to the Company’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by the directors, as well as evaluating the overall presentation of the financial statements.

• We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.Qualified Opinion

 In our opinion, except for the effects of the adjustments on the financial statements, if any, as mentioned in the preceding paragraph, the financial statements have been properly drawn up in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia so as to give a true and fair view of the financial position of the Group and of the Company as at 30 June 2009 and of their financial performance and the cash flows for the financial year then ended.

Qualified Opinion In our opinion, except for the effects of the adjustments on the financial statements, if any, as mentioned in the preceeding paragraph, the financial statements have been properly drawn up in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia so as to give a true and fair view of the financial position of the Group and of the Company as at 30 June 2009 and of their financial performance and the cash flows for the financial year then ended.

Microformat Audit Reports and AssociationFinancialStatement(HTML)

Auditor’s Report(HTML)

Assembler

XBRL Instance

Take-aways• It’s an old issue that is finally at fruition: what is

the risk to the profession if we don’t get it right• XBRL exacerbated the problem but can help

resolve it• Solving the problem enhances the consumption

and reliability of financial information across multiple constituents

Conclusions• Need for formal evaluation• Need for market discussion and collaboration• Need for prototypes• Need for technical, legal and professional guidance

and change• Evolutionary process … (WhatsApp exceeds Twitter)• Need agile solution

Contact author:roger@debreceny.com

Questions?