Discussion on Issues with the Communication and Integrity of audit reports when financial reporting shifts to an information-centric paradigmRajendra P. SrivastavaErnst & Young Distinguished ProfessorUniversity of Kansas, Lawrence, KS

Presented at University of Waterloo Symposium on Information Integrity and Information Systems Assurance (UWCISA)October 4, 20131OutlineResearch issues consideredHighlights of the Strengths on the paperSome suggestions to improve the paperSummary and Conclusion

2Research issues consideredCommunication of audit and assurance reportsSecurity of audit and assurance reportsResearch questions related to these issues

3Issues related to communicationContent and Coverage (XBRL)Three ScenariosSeparate audit report and instance document with electronic signatureProblem: No signal between audit report and what is audited and what is not auditedIntegrated audit report and FS through XlinkProblem: Increased Expectation gapIntegrating assurance report into other forms of disclosure (color coding to distinguish what is covered and what is not covered)

Scenario 1: audit report and audited instance document with electronic signature. Both could be on clients site or auditor may like to have a copy of its report on its own site. There is no signal between the instance document and the audit report as to what is audited and what is not audited.Scenario 2: Xlink used to inform what facts have been audited and what facts have not been audited. But user may misunderstand that each atomic level piece of information is audited.Scenario 3: Integrating the assurance report into other forms of disclosure-XBRL & HTML, use of color codes to distinguish what is audited and what is not audited

4StrengthsWell developed concepts for both communication and securityVarious scenarios discussed for both communication and securityUnderstandable discussion on Inline XBRL

5

ConcernsCommunication and Security discussed separatelySecurity concerns are closely tied to communication approachExpectation gap: Totality versus individual pieces, no solution provided Technical aspects, sometimes, are beyond the reach. The authors need to elaborate on these concepts, provide a discussion in a footnote ..Since it is a conceptual piece, why not talk about level of assurance for each individual piece. This is closely related to the expectation gapAuditors cannot provide the same level of assurance for each atomic piece, then how would one express the opinion (use the example of sustainability reports)

Communication and Security discussed separately as if hey are disjointed dimensions. I think they go together. What kind of security is needed depends on how one communicates.

Even if the auditor can provide assurance on each individual piece, but it cannot be the level of assurance.

6

Figures 5-6

Communication and Security discussed separately as if hey are disjointed dimensions. I think they go together. What kind of security is needed depends on how one communicates.

Even if the auditor can provide assurance on each individual piece, but it cannot be the level of assurance.

7

Figures 7-8

Communication and Security discussed separately as if hey are disjointed dimensions. I think they go together. What kind of security is needed depends on how one communicates.

Even if the auditor can provide assurance on each individual piece, but it cannot be the level of assurance.

8

Figure 9

Communication and Security discussed separately as if hey are disjointed dimensions. I think they go together. What kind of security is needed depends on how one communicates.

Even if the auditor can provide assurance on each individual piece, but it cannot be the level of assurance.

9

Figure 10

Communication and Security discussed separately as if hey are disjointed dimensions. I think they go together. What kind of security is needed depends on how one communicates.

Even if the auditor can provide assurance on each individual piece, but it cannot be the level of assurance.

10

More ConcernsControl over audit report and Instance document for its content using hash totalThe term MD5 is not as common, a footnote explanation would be helpfulLooking at the EY audit report, it appears to me that they are giving hash total for the FS instance document and not the hash total of the report.Explain SHA-2I do not understand the concern raised by the authors about MD5 or SHA-2 that it shows that the report is changed even though the change is only the order of things that does not matter. I think this is important, change is a change. Semantic equivalence versus byte-by-byte equivalence. Communication and Security discussed separately as if hey are disjointed dimensions. I think they go together. What kind of security is needed depends on how one communicates.

Even if the auditor can provide assurance on each individual piece, but it cannot be the level of assurance.

11

More Concerns: Use of Inline XBRLI liked this part of the paper: Inline XBRL embeds XBRL metadata and instance data facts within HTML or XHTML documentI would like to see an explicit example of how Inline XBRL would look like: the hidden and visible partsI did not find any discussion on the security issues of Audit Report in Inline XBRL

12

Example of Sustainability Assurance Report of France Telecom Orange 2010This is another option for an overview slide.

Various Levels of AssuranceWhat will the audience be able to do after this training is complete? Briefly describe each objective and how the audience will benefit from this presentation.14

CSR Assurance ReportUse a section header for each of the topics, so there is a clear transition to the audience.

15Summary and ConclusionInteresting thought pieceI enjoyed reading it and learnt new things, especially about Inline XBRLProvides various scenarios to communicate and secure the assurance reportRaises several concerns about communicating what is assured and what is not assuredSuggestionsNeeds to answer some of the questions raisedElaborate on technical termsProvide a specific example on Inline XBRL usageProvide some thoughts on various level of assurance and how to report themLook at other reporting models such as CSR assurance reportsRead the manuscript carefully, the automated feature of MS Words has its own mind, it puts its own word.Summarize presentation content by restating the important points from the lessons.What do you want the audience to remember when they leave your presentation?16Thanks!!!&Questions?Microsoft Engineering ExcellenceMicrosoft Confidential17