The Audit of Corporate Reporting on the Internet:
Challenges and Institutional Responses
Andrew Lymer
University of Birmingham, UK
Roger Debreceny
Nanyang Technological University, Singapore
Paper presented at the
4th World Continuous Auditing and Reporting Symposium
April 18th and 19th, 2002
Salford University, Greater Manchester, England
Please note - this paper is currently in draft form. All comments gratefully welcomed and acknowledged. Please do not quote without authorization.
Monday, 15 April 2002
The Audit of Corporate Reporting on the Internet :
Challenges and Institutional Responses
I Introduction
The use of the Internet technology for corporate reporting is now a well-established activity in many countries that have developed securities markets (Lymer and Tallberg 1997; Deller, Stubenrath, and Weber 1999, Pirchegger, Schader, and Wagenhofer 1999; IASC 1999; Trites 1999; FASB 2000). From a supply perspective, it is now effectively a rule that any large corporation in the world wishing to build an international profile or tap international sources of funds must have a corporate Website that includes an investor relations component. From a demand perspective, investors increasingly rely on corporate Websites for periodic and annual financial statements and also for press releases, speeches, investor conference calls as well as links to product and other information. This range of corporate reporting is part of the complex web of mandated and voluntary disclosure to stakeholders (FASB 2000, 2001).
Whilst the use of the Internet is widespread, the regulation and creation of standards specifically aimed at Internet Financial Reporting (IFR), and particularly at the audit of such reporting, is limited (IASC 1999). This is not to say regulation in this area does not exist, as we shall see in this paper, but that what does exist is not in a focused form as would most easily support development of this area. This paper addresses one are of these standards – the role of the auditor in the provision of online financial information.
The role of the external audit in the promulgation of corporate financial reporting has been challenged from a number of perspectives including scope, coverage and technology. Such issues include the role of the audit function associated with IFR, the validity of the traditional boundaries of the audit function, and the appropriateness, and use, of the audit report associated with IFR. In this paper we describe and analyze these issues. Notwithstanding the recognition by the audit standards bodies that further guidance to auditors is needed, the paper concludes that the actual pronouncements so far made by the various bodies around the world reporting fall short as a response to the challenges that arise from current and future Internet technologies. We argue that particularly difficult issues will soon need to be dealt with as a direct result of the growth of online reporting activity and from current and forthcoming Internet technologies. We point in particular to the way in which users interact with IFR Websites, and the implications of this interaction, on what we term “information component” technologies such as the XML-based eXtensible Reporting Business Language (XBRL). We propose a set of institutional, standards setting and technological solutions to these issues. At the same time, we recognize that these solutions are partial only and that much research is required from both natural- and design-science perspectives (March and Smith 1995).
The remainder of this paper proceeds as follows: in the next section we set out some background to IFR and set out a range of issues that have been addressed in the literature on IFR. In Section III, we review and critique the relevant professional pronouncements on auditing and assurance of IFR. In the following section we point to a number of gaps we perceive between these pronouncements and both current and future IFR technologies. In this fourth section we also point to some technological solutions to these gaps and do so in the context of XBRL. In Section V we place these issues in the context of a continuous assurance rubric and in Section VI we make some concluding comments and examine a future research agenda.
II Background
The reporting of corporate performance has undergone a critical change in the period since the beginning of commercial use of the Internet some years ago. IASC (1999, 53) describes three stages in the way in which corporations use the Internet for business reporting. In the first stage corporations use the Internet solely as another distribution channel for their existing printed financial reports. Typically in this stage a corporation provided annual reports only, in HTML or Adobe Acrobat format. In the second stage, corporations move to disclose their information in a form with which Web browsers and search engines can readily interact. Finally, in the third stage, corporations provide not only the standard information that could be expected in a printed report, but also provide enhanced or expanded information that could not cost-effectively be produced in a print format. They may also provide interactive tools with which to analyze the information.
Over the three plus years we have seen many corporations moving along this three-stage process. Many corporations have developed detailed Investor Relations Websites containing a wide range of corporate reporting information, of which the financials are now only a relatively small part. The low cost of information provision and widespread availability offered by new Web technologies such as RealAudio has not only changed the reporting of existing types of information, but also enabled corporations to increase the range of information made available without significant increases in delivery cost. Investor relations sites now regularly contain not only annual reports, but also quarterly reports, corporate press releases, corporate presentations, white papers and links to product information, analysis tools, stock/share tracking facilities and often other features.
Whilst the annual financial statements and the audit report now play an arguably less important role in the tapestry of information transfer between corporations and stakeholders than they may have done so in the past, they continue to play a central role in maintaining the quality of such information flow, as pointed out by Arthur Levitt, recently retired Chairman of the SEC (Levitt 1999). The manner by which audit reports are transmitted to users in an IFR world remains a worthy matter for research and for professional endeavours. A fact clearly demonstrated by recent corporate failures (such as Enron) and the market/public reaction to these failures.
The Provision of Online Audit Reports
IFR has been the subject of many academic (e.g. Lymer & Tallberg 1997, Ashbaugh, Johnstone, and Warfield 1999; Ettredge, Richardson, and Scholz 1999) and professional studies by Canadian (Trites 1999), US (FASB 2000) and international (IASC 1999) accounting organizations. These reports show that more than two thirds of large corporations based in countries that have developed securities markets make some form of IFR. In markets such as the USA, UK, Australia, Canada and Hong Kong effectively all major corporations now make such disclosures (Allam & Lymer 2002).
Insert table 1 about here
While these studies show that corporations have rapidly adopted IFR, they also show that extent to which the audit report was displayed on a corporation’s Website varied considerably. The audit report was rarely fully associated with the full annual reports to which it related. Table 2 , drawn from IASC (1999) and Allam & Lymer (2002) illustrates this point.
Insert Table 2 about here.
This position reflects little change from a study made in Europe in late 1998 by Debreceny and Gray (1999). Their study indicated that of the fifteen largest corporations in each of the UK, Germany and France (forty five in total), each of which already had a Website by that point, only ten provided their audit report online in any form. Not one firm linked back their audit report to the relevant auditors’ Website. Nor did any site provide any kind of signature on the document, even an image of the signature. Only four Websites had hyperlinks between the report and other parts of the financial displayed on their site. This indicates that the corporations did not place a high degree of emphasis on the role offered by these reports as value bearing documents.
Similarly in a study performed in the UK on the reporting of Internet-based interim, summary statements, highlights and preliminary information Hussey, Gulliford, and Lymer (Hussey, Gulliford, and Lymer 1998) found that the very few corporations provided any indication of the audited status of this information, as required for example, by the relevant ASB guidance on Preliminary Statements at the time. For example, the study revealed that only 27% of top 100 UK corporations provided audit reports or statement about the audited nature of the information on their Website related to interim statements, although they all were providing these statements themselves online. This study also highlighted the concerns over the provision of incomplete annual reports data with, and without, audit reports.
The IASC study (1999 – using early 1999 data across 22 countries) found only 36% of companies surveyed provided auditor reports. The FASB survey of US companies in late 1999 (FASB 2000) suggested 35% of their sample did not provide reports at the time, 19% providing unsigned versions of audit reports and the remaining 46% providing signed reports as would be expected to be associated with paper versions of the annual reports.
The most recent review available of audit report use in association with online financial data (Allam & Lymer, 2002) suggests much greater availability of audit reports is now the case (see Table 2 for country specific details). They report 96.4% of companies across heir sample of 250 companies provide such data (maximum 100% availability in Canada to a low of a respectable 89.8% in Hong Kong). Of these, however, 44.6% of the sample still provided unsigned reports (although the name of the auditor or auditing firm was usually present).[1]
The Issues
The development of IFR creates, or at least brings into focus, a number of issues for the external audit function. This section reviews the important issues that are likely to result from IFR.
The scope of verification: Many authors highlight the change in roles that may be required of the external auditor as reporting activity moves from paper-based to online reporting (for example Wallman 1996; AICPA 1996; Wyatt 1997). These concerns are illustrated with the use of the diagram expressed in Figure below.
Insert Figure 1 about here.
This diagram illustrates the moving of a boundary of responsibility for verification from the existing focus on financial information expressed in accordance with accounting rules, to the need to address wider investor relations information available as contextual information to the financials.
In a paper-based reporting environment the extent to which auditors are required to specifically examine other information is limited to that produced as part of the package of the annual report (Debreceny and Gray 1999). As IFR are normally delivered as just one part of a corporate Website, there is much greater potential for misleading information to be presented alongside the financials for which the auditor is primarily responsible. The determination of the boundary of the external auditor’s responsibility may therefore become problematic. There will not necessarily be a clean line of demarcation as shown in Figure . This line may also be drawn in different places for different jurisdictions creating further confusion for the users of these accounts that may now access IFR from various jurisdictions.
Allam & Lymer (2002) discuss the latest techniques used by companies to provide this type of guidance to users of their information – ‘Inside Annual Report indicators (FASB 2000). They report 58% of their sample of 250 companies (top 50 from 5 sophisticated capital market countries) used some form of indication to remind users of the audited status of the information they were viewing.
Width of reviewed information: Current rules already require the auditor to review more information than is illustrated by the hashed area in Figure . For example in the UK context, requirements include examination of the Director’s Report, the Operating and Financial Review (OFR) now provided by many corporations as part of their annual reporting process (Arthur Andersen 2000). The further a user traverses the corporate Website from the IFR component, the less information displayed that is of a business reporting nature (with the associated clearer reporting restrictions). This creates a potentially misleading situation for the user of this data.
Depth of reviewed information: The depth to which data is audited has also been questioned within the context of the scope of verification (for example, Cushing 1989; IASC 1999). An online reporting environment may enable users to ‘drill down’ into reported data to remove layers of aggregation. If this facility is provided a point will soon be reached at which information could not be considered as audited as the traditional audit function will not be able to place acceptable levels of verification on such disaggregated data as part of the traditional audit engagement.[2] This issue is perhaps the most hotly debated of those raised in this sections and the recent auditing guidance on the audit of the use of the Internet in business activity has much to say on this issue (e.g. IFAC 2001, AASB 2001).
Reporting Issues: A number of papers highlight specific issues of concern in relation to the audit of IFR. Debreceny and Gray (1999) discuss the following issues:
· Is the audit opinion safe from change by the client or other party?
· Should the web-based auditor’s report reside at the auditor’s or the client’s Website?
· What weight should be given to an auditor’s report date when documents on the web can be changed?
· Should the auditor allow hyperlinks to, and/or from, the auditor’s report?
· Auditor’s report look and feel
· The expression of authority of audit statements.
Most of these issues are still current and have not been addressed as yet by professional standards-setting bodies. Ashbaugh, Johnstone, and Warfield (1999) also addressed the role of the auditor in ensuring the reliability of reported data online. In their examination of US online corporate reporting activity, Ashbaugh, Johnstone, and Warfield reported that only 35% of responding firms[3] provide any form of direct assurance to users of their Websites as to the accuracy of the information they provide online. They also suggest that even where this assurance is provided, the extent to which this is fully provided and clearly visible to users is very limited.