Corporate reporting on the Internet

Corporate reporting on theInternet

Audit issues and content analysis of practices

Richard FisherLincoln University, Canterbury, New Zealand

Peter OyelereSultan Qaboos University, Oman and Lincoln University,

Canterbury, New Zealand, and

Fawzi LaswadMassey University, Palmerston North, New Zealand

Keywords Internet, Worldwide Web, Auditing management, Financial reporting,Content analysis, New Zealand

Abstract The use of the Internet for financial reporting creates unique opportunities andchallenges for the auditing profession. This exploratory study identifies the key audit implicationsof Internet financial reporting through a comprehensive review of the academic and professionalliterature. Further, the study analyses the contents of all listed company Websites in New Zealandto assess the nature and extent of current audit-related Web practices. The relatively high degree ofsimilarity between New Zealand’s auditing standards and those of other jurisdictions (e.g.International Standards of Auditing and auditing standards in countries such as the UK,Australia and the USA) contributes towards the international generalisability of the contentanalysis. The literature review highlighted issues relating to the auditor’s role and responsibilities,the audit report, and audit procedures. The results of the content analysis of auditor Web-relatedpractices reveal several significant concerns for the auditing profession in relation to thepresentation, context, and content of the audit report in a Web-based environment.

IntroductionThe use of the Internet as a channel for the dissemination of corporate information is arecent and fast growing phenomenon. In addition to corporate, marketing, andcustomer support information, many companies are choosing to make availablefinancial information on their corporate Websites, often under the banner ofinvestor/shareholder relations. This global trend is confirmed by an increasing numberof studies[1] and parallels the recent rapid growth in online investing and electroniccommerce.

It is likely that in the near future, the Internet will become the principal medium forthe distribution of traditional financial reports to users. The International AccountingStandards Committee (IASC) have stated that in the near future:

The Emerald Research Register for this journal is available at The current issue and full text archive of this journal is available at

www.emeraldinsight.com/researchregister www.emeraldinsight.com/0268-6902.htm

The authors gratefully acknowledge the financial assistance provided by the Institute ofChartered Accountants of New Zealand’s (ICANZ) Coopers & Lybrand Peter Barr Fellowship,and the helpful comments and suggestions provided by April Mackenzie, then the DivisionalDirector – Policy, ICANZ, and participants of both the 2002 Annual Conference of theAccounting Association of Australia and New Zealand and the 2003 Annual Conference of theBritish Accounting Association. The study’s data are available from the authors on request.

MAJ19,3

412

Managerial Auditing JournalVol. 19 No. 3, 2004pp. 412-439q Emerald Group Publishing Limited0268-6902DOI 10.1108/02686900410524418

[. . . business reporting to stakeholders will move almost entirely from the current primarilyprint-based mode to using the Web as the primary information dissemination channel, withthe print-based mode as secondary channel] (Lymer et al., 1999, p. 4).

In several jurisdictions, including New Zealand, many companies offer their users theoption of either being sent traditional hard-copy financial statements by mail or beingprovided with access to an electronic version on the Internet.

The use of the Internet for financial reporting creates unique opportunities,challenges and implications for the auditing profession. Despite the significance andurgency of the audit issues associated with Internet financial reporting (IFR), littleresearch has been conducted in this area, with the notable exception of Debreceny andGray (1999) and Lymer and Debreceny (2003). Further, few professional accountingbodies have taken steps to identify and address the relevant issues. Consequently, thepurpose of this paper is to provide initial answers to certain questions, which arisefrom this emerging reporting practice. As an exploratory study, the aim is to developinsight rather than test firm hypotheses. In particular, the paper focuses on thefollowing two research questions:

(1) What are the primary implications for the auditing profession of Internetfinancial reporting?

(2) What are auditors’ existing practices in relation to Internet financial reporting?

The first research question is addressed by undertaking a review of the relevantprofessional and academic literature, while the second research question is addressed byconducting a comprehensive content analysis of corporate Websites in New Zealand.

New Zealand was considered an interesting setting for the content analysis because,at the time the research was undertaken (January-July 2002), there was no specificprofessional guidance for auditors in New Zealand relating to the electronicpresentation of financial statements. This permitted the benchmarking of relevantcurrent audit practices in a relatively unregulated environment with practicesmandated by audit standard-setters from other countries, thereby providing insightsinto the need for regulation. Further, the relatively high degree of similarity betweenNew Zealand’s auditing standards and those of other jurisdictions (e.g. InternationalStandards of Auditing (ISAs) and auditing standards in countries such as the UK,Australia and the USA) contributes towards the international generalisability of thestudy’s findings[2].

The results of this study are of particular relevance to the accounting profession,standard-setters, and accounting academics internationally. With the exception ofrecent UK and Australian auditing guidelines and a recent exposure draft in NewZealand, there are currently no professional auditing pronouncements addressing thesignificant auditing issues associated with Internet financial reporting, despite itswidespread practice. Standard-setters will be able to refer to the results of this study indetermining appropriate responses to the growing IFR phenomenon.

The remainder of this paper is organised as follows. The next section identifiesemerging audit issues associated with the development of Internet-based financialreporting, and reviews empirical research and professional guidelines. The researchmethod employed in the study then follows. Next, the results of the content analysis ofcorporate Websites are presented, followed by discussion and conclusions in the finalsection.

Corporatereporting on the

Internet

413

Literature reviewElliot (1992) predicts that the information era will necessitate significant changes tobusiness models, organisational structures, and business information needs. To meetthe new demands of business decision-making in the information era, changes are alsobeing required of accounting – both to internal and external reporting. Elliot believesthat wide area networks (WANs) and relational databases will be the two most criticaltechnologies available to accountants for responding to the challenges of theinformation era. Since Elliot’s article, the Internet has moved from being a technologyof largely academic interest, to one which pervades commerce and society globally.The Internet is an extreme form of WAN, consisting of a global network of networks,and is used to provide a gateway to corporate databases.

Financial reporting on the InternetThe Internet is having a profound impact on external financial reporting. Manycorporations have established Websites on the Internet and a substantial proportion ofthese use them to provide financial information to corporate stakeholders. A recentNew Zealand study (Fisher et al., 2000) revealed that 56 per cent of listed New Zealandcompanies have corporate Websites, and of those, 73 per cent use them to disseminatefinancial information. Recent updates by McDonald and Lont (2001) and Lont (2003)indicate a further growth within a short period in the display of financial informationon the Web. Similar trends have been observed internationally: UK (Craven andMarston, 1999), USA (Ashbaugh et al., 1999), Austria and Germany (Pirchegger andWagenhofer, 1999), USA and Canada (Trites, 1999), USA, UK and Germany (Delleret al., 1999), Sweden (Hedlin, 1999), Spain (Gowthorpe and Amat, 1999), and aninternational comparison (Lymer et al., 1999).

The benefits arising from the provision of financial information on the Internet havebeen discussed at length by a number of authors (e.g. McCafferty, 1995; Louwers et al.,1996; Green and Spaul, 1997; Trites and Sheehy, 1997; Fisher et al., 2000). Briefly, thesebenefits include:

(1) Improved cost efficiency:. the reduction of production and distribution costs associated with

paper-based annual reports; and. the reduction of incidental requests for paper-based reports from

non-shareholder financial statement users.

(2) Improved user access to information:. allows flexible non-sequential access to information through the use of

hyperlinks;. the ability to provide specific information to users that meets their specific

information needs;. the opportunity for providing more information than available in the annual

report;. the opportunity to provide real-time information;. the ability to provide information in an interactive manner with the ability to

search the content of the reports by using keywords; and

MAJ19,3

414

. improving the accessibility of information that results in more equitableinformation dissemination.

In the near future, it is likely that the Internet will become the principal medium for thedistribution of financial reports to users. The US Securities and Exchange Commission(SEC) supports the view that the use of technology such as the Web enhances theefficiency of capital markets through the rapid dissemination of information tofinancial markets in a more cost efficient, widespread, and equitable manner thantraditional paper-based methods (SEC, 1995; FASB, 2000). Further, it stated that asmore investors have access to and use the Internet, the Commission will considerencouraging the use of the Internet as a prime dissemination tool (SEC, 2001).

Few countries currently regulate the disclosure of financial information on theInternet[3]. It is not surprising, then, that the previously mentioned studiessurveying actual corporate Web practices have revealed considerable variation inthe nature, extent, format, and quality of financial information disclosed on theWeb. For instance, the types of financial disclosures appearing on corporateWebsites have included comprehensive annual reports; interim, summary, and/orpartial financial statements; financial highlights; and other selected financialinformation. Financial information is typically published on the Web in eitherHypertext Mark-up Language (HTML)[4] or Adobe Acrobat’s Portable DocumentFormat (PDF)[5], and may also be augmented with data analysis tools,sophisticated graphics, and/or streaming audio and video.

The Institute of Chartered Accountants of England and Wales’ (ICAEW) report,The 21st Century Annual Report, indicates that “[c]orporate reporting hastraditionally been regulation-led with innovations arising principally from newaccounting standards and, less frequently, changes in legislation” (ICAEW, 1998,p. 2). The ICAEW report notes that there has been a fundamental shift in theprocess of accounting development. Technology and other factors, such asglobalisation and notions of accountability, are currently driving changes infinancial reporting practices. While external drivers, such as technology, helpensure the ongoing relevance of the accounting product, the speed with which theyare revolutionising accounting makes it difficult for regulators to keep pace. Forexample, in the absence of formal relevant professional promulgations, theadoption of the Web for corporate disclosure has seen the US SEC initiate morethan 200 Web-related enforcement actions as of March 2001 (Hodge, 2001), andrecently establish an office (the Office of Internet Enforcement) dedicatedexclusively to Web surveillance and enforcement.

As is the case with IFR, no national professional body has yet issued formalstandards, which address the specific auditing issues associated with this popularpractice[6]. This paper seeks to identify such issues, which will assist professionalbodies and regulators to develop well-informed policies, regulations, and standards inresponse to these issues.

A review of the extant literature reveals a number of factors specifically associatedwith IFR that have significant implications for auditors, such as the appropriateresponsibilities of auditors and the nature of audit reporting in such an environment.These factors include the following:


Internet

415

. Corporate disclosure over the Internet is currently unregulated and because ofthe global nature of the Internet the application of traditional nationalregulations and laws to the Internet environment may not be appropriate.

. The conversion/transposition process involved in publishing information on theInternet is susceptible to error.

. Information on the Internet is exposed to access and modification byunauthorised users both external and internal to the reporting entity.

. Information on Internet has the potential to be very fluid in nature. Informationcan be published, modified, or deleted remotely or locally at virtually any point intime without leaving any evidence of these actions ever having taken place.

. Information from external sources (e.g. Websites, ftp sites, etc.) can be easilyincorporated into a corporate Website through hyperlinks.

. Users are demanding both greater timeliness in corporate disclosure, and greaterdepth and breadth of disclosure (particularly non-GAAP information).

The following section of the paper examines specific auditing issues arising from thesefactors, thereby addressing the first of the paper’s two research questions: What are theprimary implications for the auditing profession of Internet financial reporting?

Auditing issues associated with corporate financial reporting on the InternetThe factors identified in the preceding section have potentially wide-rangingimplications for the audit profession internationally. Issues of particular concerninclude:

. the role and responsibility of auditors for information placed on corporateWebsites;

. the potential for an inappropriate association of the audit report with unauditedinformation located at the auditee’s Website or information linked to/fromexternal Websites;

. the inappropriate omission of the audit report from the Website;

. the appropriate audit procedures; and

. the nature, timing, form, and content of the audit report on the Internet.

These issues are discussed in turn in the following paragraphs.The role and responsibilities of auditors in relation to corporate financial reporting on

the Internet. IFR raises questions about the role and responsibilities of auditors inrelation to corporate financial reporting on the Internet. Do the external auditor’s dutiesextend to examining/monitoring annual reports that are placed on corporate Websites?If so, what are their responsibilities with regards to unaudited financial andnon-financial information, which may also appear on the Websites?

With the production of traditional audited financial statements, the hard-copy anddated audit report is supplied to the preparer for incorporation into the final printedannual report. The auditor would normally be expected to assess the conformance ofthe audited accounts with the final printed annual report. Conceptually, terms such as“publishing” and “document” in their broadest sense[7], apply similarly to traditionalhard-copy and Internet reporting – the company is simply employing the Internet as

MAJ19,3

416

an alternative medium for communication. Accordingly, there would appear to be astrong argument for auditors being responsible for checking that audited financialstatements correspond with those published on corporate Websites. Interestingly, theUS accounting profession seems to have adopted an alternative view. Bagshaw (2000,p. 22) states that in the US, “current thinking does not regard financial information onWebsites as constituting ‘published’ information at all. Auditors are therefore notrequired to read financial information onWebsites, nor are they required to consider itsintegrity or completeness, even if the audit report is published with the information”.Clearly, the courts may take a different interpretation in due course, particularly ifusers of Internet reports expect the audit process to include such procedures andauditors do not provide appropriate disclaimers.

If the premise is accepted that auditors’ responsibilities towards published financialstatements are similar regardless of the medium of communication, then auditors couldalso be responsible for ensuring the consistency between Web-based audited financialstatements and other information published on corporate Websites. The InternationalStandard on Auditing, ISA-720: Other Information in Documents Containing AuditedFinancial Statements (IFAC, n.d.), for example, indicates that auditors should readother information included in documents containing the audited financial statements,such as traditional print-based annual reports, to identify whether there are materialinconsistencies with the audited financial report. New Zealand’s correspondingauditing standard, AS-518: Other Information in a Document Containing an AuditedFinancial Report (Institute of Chartered Accountants of New Zealand, 1998a), statesthat the term “document” is not to be interpreted as only meaning the annual report:“This standard is equally applicable to . . . other documents and . . . regardless of thenature of the document that contains an audited financial report, the auditor has aresponsibility to read the other information to identify whether there are any materialinconsistencies with the audited financial report” (AS-518, para 3). Auditing standardssimilar to ISA-720 exist in other countries, such as Australia (AUS 212 OtherInformation in Documents Containing Audited Financial Reports (AustralianAccounting Research Foundation, 1996)).

A contrary view is adopted in the US where Interpretation No. 4 of Statement ofAuditing Standards (SAS) No. 8 (Other Information in Documents Containing AuditedFinancial Statements) indicates that auditors do not have a responsibility to readinformation contained in electronic sites or to consider the consistency of suchinformation with the audited financial statements which appear in conjunction withthat other information (AICPA, 1997).

The corresponding UK standard, Statement of Auditing Standard 160 OtherInformation in Documents Containing Audited Financial Reports, while similar to NewZealand’s AS-518, limits its scope to hard-copy documents. Thus, it is not clear how theprinciple of association set out in the Auditing Practice Board’s Auditors’ Code appliesto an Internet environment. This principle states that auditors should only allow theirreports to be included in documents containing other information, if they consider thatthe additional information is not in conflict with matters covered by their report andthey have no cause to believe it to be misleading.

Printed documents, such as traditional hard-copy annual reports are static in nature.Once printed, alterations are difficult to make without considerable effort and cost.However, a characteristic of Web-based documents is the ease, speed, and efficiency


Internet

417

with which they may be created, modified, or deleted. For example, real time stockprice information could be incorporated into a Web page such that it is updated on anear continuous basis. In a sense, then, corporate Websites contain “living” documents.In this environment, it could be argued that just as an auditor has a responsibility toconsider other information for consistency with Web-based audited financialstatements at the time such financial statements are first published on the Internet,so too does the auditor have a responsibility to ensure that consistency is maintainedsubsequent to publication. Clearly, the latter requirement would be an onerous one forauditors. Possible audit responses to this responsibility are discussed later in the paper.

Should auditors be responsible for communicating assurance directly to usersconcerning such “other information” appearing alongside audited financialstatements on corporate Websites? This would appear to be outside the scopeof the traditional financial statement audit, just as it would in relation to otherinformation appearing in a printed document which includes audited financialstatements[8]. However, providing assurance regarding “other information”, orindeed other aspects of the client’s Website (e.g. controls, security, etc.), may beoffered as a separate engagement.

Association of the audit report with unaudited and/or incomplete financialinformation. ISA-120 Framework of International Standards on Auditing indicates thatauditors have a responsibility to ensure that their name, and that of their firm, is notassociated with information without their consent (IFAC, 2003a). Such an associationcould occur when a report using the auditor’s name is attached to that information orthe auditor’s name is used in such a manner, which implies a professionalassociation[9]. Thus, even though auditee management have ultimate responsibility forthe presentation of financial information on corporate Websites, auditors would seemto have a vested interest in ensuring that their clients take adequate steps to preventinappropriate association of unaudited information with audited financial information.

A common feature of corporate Websites is that unaudited information isincorporated with audited information in such a way that it is difficult for users todistinguish between audited and unaudited information. Specifically, the use ofhyperlinks between different documents on corporate Websites allows efficientnavigation between documents but also contributes to a blending of information(Hodge, 2001). Web-based documents lack the physical distinctiveness of hard-copydocuments, which affects recall and also contributes to a blending effect (Hodge, 2001).From the auditors’ perspective, there is a risk that such blending will lead to usersinappropriately perceiving unaudited information as audited, and consequentlyascribing more credibility to it than is warranted.

“Ring fencing” audited information may be useful in mitigating the blendingproblem on the Web. This can be achieved in a number of ways. First, auditedinformation can be made more visually distinctive from unaudited information. Theuse of labelling, borders, or watermarks have all been mooted (Hodge, 2001). Second,“intermediate” pages can be displayed on entering and leaving audited sections of theWebsite, warning users that they are changing zones. Third, a different file format forencoding the audited accounts, such as Acrobat’s PDF, can be used. Last, Debrecenyand Gray (1999) suggest either applying a digital signature to the annual report, whichwill indicate the area of the Website that has been audited; or by placing all auditedWeb pages on the auditor’s Website[10].

MAJ19,3

418

Empirical evidence of the “blending” of unaudited and audited information by usersis provided in a recent laboratory study. Using a sample of MBA students, Hodge(2001) found that subjects who viewed a Website employing hyperlinks betweenaudited and (optimistic) unaudited documents, rather than viewing similar informationpresented in hard-copy form, were more likely to misclassify unaudited information asaudited. Further, these subjects also assessed the credibility of the unauditedinformation as higher than those reviewing the hard-copy documents. Those subjectswho assessed the unaudited information as more credible also judged the firm’searning potential to be higher. Hodge (2001) also found that a simple notifying aid(“audited” vs “not audited”) mitigated some of the previously mentioned blendingeffects.

The use of hyperlinks from Web-based audited financial information to content onexternal Websites, such as analysts’ reports, can exacerbate the blending problem, andexpose preparers and auditors to legal liability. For instance, the SEC have stated thatcompanies can be liable for the external hyperlinked information, if they are deemed tohave “adopted” (endorsed or approved) such information. Whether the company hasadopted the information will depend on factors such as the “context of the hyperlink”(e.g. what the company has said or implied about the hyperlink); the “risk of confusion”(e.g. the presence or absence of precautions against investor confusion about the sourceof the hyperlinked information); and the “presentation of the hyperlinked information”(e.g. company’s efforts to direct an investor’s attention to particular information byselectively providing hyperlinks) (SEC, 2000).

Omission of the audit report. Insufficient information can obscure important factsand create potential risk for auditors. For example, if only excerpts of the auditedfinancial statements or summary audited financial statements are published togetherwith an audit report on the Internet, then there is risk that a misleading view may havebeen presented. Similarly, the publication of a full audited annual report without anaudit report may again obscure important information, and consequently provemisleading. Company law in the UK (Section 240 of the Companies Act 1985)specifically addresses these issues, by requiring that whenever statutory accounts arepublished, they must always include the corresponding audit report; and whennon-statutory accounts are published, they must always exclude an audit report.However, as is the case in New Zealand, not all jurisdictions have such requirementsincorporated into their companies’ legislation.

Empirical evidence of selective omission of information pertaining to auditedfinancial statements was revealed in a US study by Ettredge et al. (2000). Their studyfound that companies receiving going concern modifications in their auditors’ reportswere more likely to omit the audit report from their Websites than companies receivingunmodified audit reports. This phenomenon has been observed in New Zealand. Forexample, it was recently reported that a delisted company suffering financialdifficulties failed to include with their on-line financial statements audit reportsrelating to several financial periods (Robb, 1999). These audit reports purportedly hadgoing concern qualifications.

Concern over the omission of auditors’ reports was also noted in a UK study(Hussey et al., 1998). The researchers in this study surveyed 63 UK FTSE companiespublishing financial information on the Web in 1998. Their analysis revealed thatwhere detailed accounts were published, 15 per cent of companies omitted an audit


Internet

419

report and gave no indication whether the information had been audited. This situationwas found to be even more common with respect to the following forms of Web-basedfinancial information: interim financial statements (18 per cent), preliminary financialinformation (24 per cent), summary financial statements (25 per cent), and financialhighlights (92 per cent). These results indicate that users may frequently be unsurewhether financial information appearing on corporate Websites are audited.

Audit procedures.Many of the issues raised in the preceding sections have potentialimplications for audit procedures. This section considers the nature of theseprocedures.

As discussed above, similar to hard-copy financial statements, the auditor shouldassess the correspondence of the electronic version of the financial statementspublished on the client’s Website with the audited version of the financial statements.Further, it is argued that auditors take ongoing responsibility for reviewing otherinformation contained in client Websites in order to consider the consistency of suchinformation with the Web-based audited financial statements both before and afterpublication of the latter. This would seem to require that auditors seek to be informedof all material changes to Web content in a timely manner, and to perform “spot check”Website reviews on an ongoing basis. Automated tools could be used by the auditor tofacilitate such continuous reviews. Resources are currently available on the Web whichallow auditors to be automatically notified of any changes to specified Web pages[11].

Annual reports and other information published on corporate Websites may includean array of multimedia features, such as animations and streaming audio and video.While such features provide companies with an opportunity to better improvecommunication of information to users relative to traditional print media, theirimproper construction may distort information and potentially mislead Websitevisitors. In a Web-based environment, auditors may have to consider whetherinformation communicated using such multimedia technology is materially consistentwith accompanying audited financial statements. However, no authoritative guidancecurrently exists to assist auditors in such a determination. Debreceny and Gray (1996)and Steinbart (1989) have noted the lack of research and guidance with respect to theaudit of non-financial and non-narrative information.

As with the traditional print-based distribution of financial statements, auditorswould not appear to have any responsibility for testing the security and controlssurrounding the publication process. The testing of security and controls over Websiteconstruction and ongoing operation and update, could, however, form part of aseparate assurance engagement.

As discussed earlier, the design of corporate Websites may lead to an inappropriateassociation of the audit report with unaudited and/or incomplete financial information;or the inappropriate omission of the audit report. It would seem appropriate thatauditors communicate their expectations with regards to these issues to managementat an early point in the engagement, perhaps via the engagement letter. Further, theauditor should make subsequent enquiries and perform checks during the course of theaudit to ascertain the techniques that management are employing to minimise thepossibility of inappropriate associations between audited and unaudited informationor the inappropriate omission of the audit report.

The format, content, and timing of the audit report.Financial reporting on theInternet necessitates consideration of the nature and content of the audit report.

MAJ19,3

420

Empirical studies show a diverse range of current audit reporting practices on theWeb. Debreceny and Gray (1999) conducted a survey concerning the Web reportingpractices of the 15 largest companies in the UK, France, and Germany. They found that44 out of the 45 sample companies maintained Websites, and of those, 36 incorporatedfinancial statements. The researchers focused their attention on the 17 companies thatpresented their financial statements in HTML format. Audit reports were included onthe Web for ten out of the 17 companies. None of the ten companies’ audit reportsincluded scanned auditors’ signatures. Further, none of the ten companies’ financialstatements contained hyperlinks to their corresponding audit reports. All of the auditreports were located on the companies’ Websites and only four audit reports containedlinks to the financial statements.

FASB’s Business Reporting Research Project report includes a 1999 survey of theWeb practices of the Fortune 100 companies (FASB, 2000). An interesting finding wasthat 22 per cent of the audit reports located online included hyperlinks, usually to notesmentioned in the audit reports. The authors commented that “[s]ince the auditors didnot deliver their reports with built-in hyperlinks, the companies must have added themlater. This will be an interesting topic for audit regulators to ponder” (FASB, 2000,p. 26).

Specific issues arise when auditors allow their reports to be published in anelectronic format. For example, audit reports presented on the Web are exposed tounauthorised alteration from sources both internal and external (e.g. hackers) to theclient. Further, the electronic nature of the audit report file can make such manipulationdifficult to detect. As is evident from Debreceny and Gray’s (1999) study, most auditreports appear to lack even a scanned image of the auditor’s signature, making auditreport authentication problematic.

Many of the issues associated with the integrity and authentication of the auditreport can be avoided through the application of standard cryptographic techniquescommonly used over the Internet. An auditor can digitally sign an audit report (orindeed a complete audited annual report) by attaching a digital signature file with theWeb-based audit report. This attachment would have been encrypted using theauditor’s secret key (private key) and can only be decrypted using the auditor’spublicly-known key (public key)[12]. The information encrypted by the auditor in thesignature file would be the result of a hashing function (algorithm) that would havebeen performed on the audit report file by the auditor. To verify the Web-based auditreport, the user of the audit report would obtain the auditor’s public key via a digitalcertificate issued by some trusted third party, such as a certificate authority, anddecrypt the digital signature. If the user then performs the same hashing function onthe Web-based audit report that the auditor had used in producing the digitalsignature, the user should come to the same hash result as included in the digitalsignature. Any difference in result would signify a discrepancy between the auditor’sversion of the audit report, and that obtained from the client’s Website. Assuming nodiscrepancy and that the auditor’s private key had not been compromised (discoveredby another party), the user would have confidence that the report had come from theaudit firm, as only the auditor’s private key could have been used to generateencrypted information that could subsequently be decrypted using the auditor’s publickey. Digital signatures and certificates can be processed by most recent versions of


Internet

421

common Web browsers, such as Netscapew Communicator and Microsoftw InternetExplorer.

Other techniques to assist in the authentication of the audit report, include locatingthe audit report on a server controlled by the audit firm, and the use of digitalwatermarks embedded in digital images, such as scanned images of the audit reportand/or signature (Debreceny and Gray, 1999).

Whether the conventional audit report format is the most appropriate format for thenew Web environment report requires further consideration. Alternatives to theconventional full report include an icon, such as that used for WebTrust, or adrop-down box on each relevant page (Elliot, 1994).

The content of the report may need to be altered to limit the risk that it is mistakenlyassociated with unaudited information appearing on the corporate Website. Forexample, the scope of the audit could be communicated in the audit report byspecifically naming or hyperlinking the financial statements subject to audit (or pagenumber references if the financial statements are in PDF format).

Other modifications to the content of the traditional audit report may be necessary.For instance, cautionary comments by the auditor concerning the general risks ofrelying on Internet financial reports may be considered warranted, as mightclarification of management’s and the auditor’s role with respect to the corporateWebsite content and security. Further, given that corporate Websites are accessibleglobally, auditors may also wish to clarify which national or international generallyaccepted accounting principles and generally accepted auditing standards areapplicable to the audited financial statements.

Responses of professional bodiesTwo national accounting bodies in Australia and the UK have issued promulgationsrelating to the auditing issues associated with the Internet financial reporting practices.Also, the IASC has issued a related discussion paper.

In December 1999, the Auditing and Assurance Standards Board of the AustralianAccounting Research Foundation became the first national accounting body toproduce an authoritative statement on the auditing implications of electronicpresentation of financial statements, when it issued the guidance statement, AGS 1050Audit Issues Relation to the Electronic Presentation of Financial Statements.(Australian Accounting Research Foundation, 1999). AGS 1050 states that thereporting entity is responsible for the electronic presentation of financial statements onits Website, and for ensuring adequate security and control. The guidance statementrecommends that these responsibilities should be communicated in the engagementletter and audit report. AGS 1050 indicates that assurance provided by the auditor overaspects of the client’s Website, other than the financial statements, represents aseparate Website assurance engagement and, consequently, do not form part of theaudit of financial statements.

AGS 1050 states the auditor should communicate with management regardingmatters relating to the electronic presentation of the audited financial statements, suchas:

. management’s responsibility for the Website and its content;

. legal provisions relating to the distribution of the financial reports;

MAJ19,3

422

. nature, extent, and format of financial information provided on the entity’sWebsite;

. steps taken to reduce the likelihood of the Website content being misleading orthe likelihood of an inappropriate association between the audit report andunaudited information;

. the structure of the Website (e.g. the use of hyperlinks to/from audited financialinformation or audit report); and

. security and integrity of the electronic financial report.

The guidance statement states that the auditor should consider whether these mattersimpact on the wording or format of the audit report, and, in extreme cases, whetherpermission for the electronic presentation of the audit report is to be denied.Importantly, it is clearly stated that after the financial report has been published, theauditor has no obligation to make any inquiry regarding the financial report, unless theauditor becomes aware that the audit report is being used inappropriately.

AGS 1050 addresses the auditor’s general responsibility to read other informationcontained in a document containing audited financial statements, by indicating that“the legal framework for electronic documents is not yet well established regardingwhat constitutes an “electronic” document . . .” (para 37) and therefore the auditorshould use professional judgement in this regard.

AGS 1050 recommends that the Web-based audit report include the followingadditional information:

. specific reference to the audited statements by name;

. a statement that the audit report does not provide an opinion on any otherinformation hyperlinked to/from the audited financial report; and

. a statement recommending that readers who are concerned with inherent risksarising from electronic data communications should corroborate Web-basedfinancial statements with hard-copy versions.

Where a reporting entity includes less than complete financial statements, e.g. financialhighlights, summary financial statements, etc., AGS 1050 recommends thatmanagement incorporate a cautionary note in their Website indicating that theextracts cannot be expected to provide a complete understanding of the entity’sfinancial situation.

The UK Auditing Practices Board’s recent Bulletin 2001/1: The ElectronicPublication of Auditors’ Reports (Auditing Practices Board, 2001) adopts a similar viewto AGS 1050. For example, it unambiguously ascribes management with responsibilityfor the maintenance and integrity of the corporate Website. Bulletin 2001/1 does,however, suggest some additional audit procedures. For instance, it recommends thatauditors should enquire whether directors have obtained a copy of the Institute ofChartered Secretaries and Administrators’ (ICSA) guidance document, ElectronicCommunications with Shareholders: A Guide to Recommended Best Practice[13], andwhether this guidance has been followed in connection with information presented oncorporate Websites. Further, Bulletin 2001/1 suggests that auditors retain a printout ordisk of the final electronic version of the audited financial statements for futurereference.


Internet

423

With respect to the audit report, Bulletin 2001/1 suggests the following additions tothe traditional hard-copy audit report:

. Management’s responsibility for the maintenance and integrity of the Website,and that work carried out by the auditors does not involve consideration of thesematters.

. Disclaimer of responsibility for changes to financial statements subsequent totheir initial publishing on the Website.

. The fact that legislation in the local country governing the preparation anddissemination of financial statements may differ from legislation in otherjurisdictions.

. Specific identification of the other information on the Website read by the auditorin order to consider whether it was consistent with the audited financialstatements.

. Specific identification of the financial statements covered by the audit report.

Although not an authoritative statement, the IASC’s 1999 discussion paper, BusinessReporting on the Internet (Lymer et al., 1999, p. 67), contains several recommendationsconcerning auditor responsibilities, which may influence future pronouncements of theIASC (now the International Accounting Standards Board). The discussion paperdevelops a proposed code of conduct, Standards for Web-based Business Reporting – ACode of Conduct for Current Application, which it believes should be the foundation ofa mutual agreement for use of the Web for business reporting. In particular, it suggeststhat auditors of listed companies should ensure that reporting entities conform fully tothe “code of conduct” where they claim to do so or that any deviations are noted in theaudit report. Further, auditors should actively monitor the entity’s Website forsignificant changes to information between periodic audits, and note, by changing theaudit report, any changes that could bring into question the continued validity of anyaudit report on the data.

The International Federation of Accountants (IFAC) is yet to issue an internationalauditing pronouncement relating to IFR. IFAC recently, however, released a staff paper(August 2002), which primarily focused on the responsibilities of directors andmanagement in relation to financial reporting on the Internet. A key recommendationof the paper is that management should formulate and openly publish a detailed policyconcerning the enterprise’s use of IFR. Among other things, the policy should requirethat management discuss and agree with the auditor the extent to which auditedinformation will be included on the enterprise’s corporate Website.

New Zealand issued an exposure draft, ED/AGS-1003: Audit Issues Relating to theElectronic Presentation of Financial Reports (Institute of Chartered Accountants of NewZealand, 2003), in June 2003, after the data for this study were collected. The exposuredraft is based on and is largely consistent with the Australian AGS 1050.

The preceding literature review identifies various audit-related issues associatedwith IFR. Given the relative recency of the IFR phenomenon, it is perhaps notsurprising that, like professional guidance and regulation of IFR, empirical evidence onthe extent and prevalence of such audit issues is relatively sparse. In order to ascertainthe nature of actual practices in this area, an in-depth content analysis of corporateWebsites was undertaken. This analysis helped address the second of the study’s two

MAJ19,3

424

research questions: “What are auditors’ existing practices in relation to Internetfinancial reporting?” The detail of the particular research approach employed isdiscussed in the next section.

Research methodBased on the review and analysis of the audit issues discussed in the preceding section,a Web collection instrument (shown in Table I) was developed. This instrument wasused to identify the nature and extent of audit-related Web practices on the corporateWebsites of listed New Zealand companies. It was structured to enable the capture ofdata relating to the format and location of the audit report, content of the audit report,and cases of inappropriate association of audited and unaudited information on theWeb.

Listed companies are described as “issuers” under New Zealand companylegislation and are required under sections 209 and 210 of the Companies Act 1993 to

Panel A: omission of the audit report or inappropriate association of audit report withunaudited/incomplete financial information(a) Are audited financial statements presented without an audit report?(b) Are there hyperlinks from within the audited financial statements to external unaudited

Websites?(c) Is each page of the audited financial statements designated “audited’ in any way (e.g. use of

term “audited’ in title, use of a watermark, icon, etc., indicating that financial statement audited)or is there an intermediate warning message displayed when entering/leaving the auditedannual report?

Panel B: format and location of the audit report(a) What file format is used for the audit report (e.g. PDF vs. HTML vs other)?(b) If the audit report is in PDF format, is it protected by PDF security features?(c) If the audit report is in PDF format, what is the quality of the scanned image?(d) Where is the audit report located (e.g. corporate Website vs auditor’s Website)?(e) How do users find the audit report (e.g. is it listed in a table of contents/menu)?(f) What is the form of the audit report signature (e.g. scanned handwritten vs typed text)?(g) Is cryptography used to ensure the authenticity and integrity of the audit report (e.g. digital

signature)?(h) Is the audit firm logo included on the audit report, and if so, is it hyperlinked to the auditor’s

Website?(i) What background and/or watermark is used (if any)?(j) Is the audit report’s background and/or use of borders consistent with those used in the audited

financial statements?(k) Apart from possible hyperlinks from the audit report to the audited financial statements, are

there any other links to/from the audit report?

Panel C: content of the audit report(a) Is the audit report on the Website an exact duplication of content of hard-copy report or is it

customised to Internet environment? If not, how does it differ?i. Does the audit report include any disclaimers or specific/general warnings pertaining to anyof the Website?

ii. Does the audit report clarify the auditor’s role/responsibilities with respect toWebsite and itscontents?

iii. Does the audit report highlight which jurisdiction’s GAAP and/or GAAS are/is relevant?(b) How does the report refer to the audited financial statements (e.g. page references vs

hyperlinks)?

Table I.Web collection

instrument


Internet

425

send shareholders an annual report incorporating audited financial statements, or, ifthe shareholder has elected to waive their right to receive an annual report, just thefinancial statements with audit report, not less than 20 working days before the annualmeeting of shareholders. New Zealand’s Financial Reporting Act 1993 also requiresthat issuers send copies of their financial statements and audit report to the Registrarof Companies within 20 working days after the date for signing the financialstatements by directors (s 18(1)). In addition to an annual report, listing requirements ofthe NZSE include disclosure of a half yearly report containing interim financialinformation, which may or may not be audited. There is currently no requirement forlisted companies in New Zealand to publish financial information, such as that found inthe annual report, on the Internet. In New Zealand, there is no central depository forelectronic reporting comparable to the Electronic Data Gathering, Analysis andRetrieval System (EDGAR) site maintained by the US SEC.

As at 30 September 2001 there were 210 companies listed on the New Zealand StockExchange (NZSE). Several methods were used to ascertain whether each listedcompany maintained a corporate Website and, if so, the address of that site.

First, the NZSE Website (www.nzse.co.nz/companies) was consulted. This siteprovides links to listed company Websites. Next, for those companies where no Webaddress was indicated on the NZSE Website, searches using the,www.metacrawler.com . search engine were carried out. Finally, the remainingcompanies were contacted by telephone to determine the existence and, if relevant,addresses of their corporate Websites. The use of multiple sources was considerednecessary given the speed of developments regarding Website establishment amongcompanies. Out of the 210 listed companies, 188 were found to have Websites.

Once identified, each listed company’s Website was visited and the entire siteimported into either the Adobe Acrobat application or, where this was not possible fortechnical reasons, Microsoft FrontPage, and subsequently saved onto a compact disk.This procedure was undertaken for several reasons. The WWW is a dynamicenvironment and the content of corporate Websites is very fluid, so the compact diskarchive of corporate Websites represents a snapshot of the Websites at a single point intime. Consequently, the compact disk enhances the reproducibility of the study’sresults; allowed the corroboration of the results of the initial application of the Websitecollection instrument by the researchers not involved in the instrument’s initialapplication; and provides a basis for future longitudinal studies of aspects of corporateWebsite content.

Table II provides descriptive information concerning those corporate Websites oflisted companies that were found to contain financial information. In total, 131companies were found to provide comprehensive annual financial statements, while 87displayed comprehensive interim financial statements. Disclosure of summarisedfinancial statements (which are not required under New Zealand GAAP) or otherfinancial information extracted from the financial statements was found to be a lessprevalent practice. A total of 70 companies displayed financial information that hadnot been extracted from the financial statements, such as stock information, dividendhistory, and statistical summaries; while seven presented electronic versions of theirprospectus or listing profile.

While most companies appear to restrict the location of financial information totheir own Websites, two companies had links to other Websites, which contained

MAJ19,3

426

financial information about the companies. Both companies had links to their financialstatements located on http://www.globalregister.co.nz, an independent Websitededicated to disseminating information about New Zealand listed companies.

ResultsTable III provides the results of the content analysis relevant to the omission of theaudit report or the inappropriate association of the audit report with either unauditedor incomplete financial information. The data in Table III correspond directly with thequestions in Panel A of Table II (the Web collection instrument).

In total, 128 of the 131 of companies providing comprehensive Web-based financialstatements (98 percent) included an audit report (Item a, Table III). Three omitted thecorresponding audit reports. This is likely to be of concern to the accounting professionand securities regulators. Hard-copy versions of all three omitted audit reports wereobtained and reviewed. This review revealed that one of the omitted audit reportscontained an emphasis of matter paragraph related to going concern issues. To put thisin perspective, of the 128 companies that did accompany their comprehensive annualfinancial statements with a corresponding audit report on their Websites, only oneaudit report was modified for an emphasis of matter paragraph or qualifiedopinion[14].

All four companies electing to have their interim financial statements subject to anindependent review engagement, also published the corresponding auditor’s reviewreport on their Websites. With respect to audited summarised financial statements, the13 companies’ Websites containing such information also incorporated acorresponding audit report. Unlike the situation with GAAP financial statements,accounting regulators may be concerned that auditors’ reports are being associatedwith non-GAAP financial information. Two of seven on-line prospectuses/listingprofiles were not subject to financial audit. The remaining five published auditedfinancial information on their Websites and elected to display electronic versions of the

Summarised financialstatementsa

Other financialinformation

Comprehensivefinancialstatements

Annual Interim Annual

Extractedfrom F/Sb andF/S displayed

Extractedfrom F/S and

F/S notdisplayed

Prospectus/listingprofile

NotpartofF/S

Companiespublishingfinancialinformation ontheir Web sites 131 87 18 13 2 7 70

Location ofinformation:

Corporate Website 129 87 18 13 2 7 52Other linked site 2 0 0 0 0 0 18

Notes: aAll companies that published summarised financial statements also publishedcomprehensive financial statements; b F/S = Financial statements

Table II.Presentation of financialinformation on the Web


Internet

427

corresponding audit reports. Audit reports were not provided on any other form offinancial information appearing in corporate Websites.

The comprehensive or summarised financial statements accompanying the auditreport did not appear to contain hyperlinks to information contained on externalWebsites (Item b, Table III). This fact would be of some comfort to accountingregulators. However, none of the audited HTML financial statements which wereaccompanied by auditors’ reports, used techniques such as watermarks to clearlyhighlight the information that had been audited (Item c, Table III). Perhaps thecommon use of a different file format (PDF) for the audited accounts from the rest ofthe corporate Website (see the discussion of Item a, Table IV) was considered anadequate method of differentiation by the companies concerned.

Table IV presents the results of the content analysis that relate to issuesassociated with the format and location of the audit report. The data in Table IVcorrespond directly with the questions in Panel B of Table II.

The format of the audit report generally mirrored that of the financial information.Table IV (Item a) indicates that the most prevalent format was PDF, although a small

Comprehensivefinancialstatements

Summarisedannualfinancialstatements

Prospectus/listingprofile

Annual Interimn (%) n (%) n (%) n (%)

(a) Audited financialstatementsaccompanied by anaudit reportYes 128 98 4 100 13 100 5 100No 3 2 0 0 0 0 0 0

(b) Link to externalunaudited Web sitewithin the auditedfinancial statementsYes 0 0 0 0 0 0 0 0No 128 100 4 100 13 100 5 100

(c) Web sites usingborders, watermarks,backgrounds,warning messages,or the term “audited”to distinguishaudited HTMLfinancial statementsfrom unauditedinformationYes 0 0 N/Aa 0 0 0 0No 7 100 N/A 1 100 1 100

Note: a No interim financial statements were presented in HTML format

Table III.Omission of the auditreport or inappropriateassociation of auditreport withunaudited/incompletefinancial information

MAJ19,3

428

Comprehensive financialstatements

Summarisedannualfinancial

statementsc

Annuala InterimbProspectus/

listing profiled

n (%) n (%) n (%) n (%)

(a) Electronic format of audit report:PDF 117 91 4 100 11 84 4 80HTML 1 1 0 0 0 0 1 20HTML and PDF 6 5 0 0 1 8 0 0Other 4 3 0 0 1 8 0 0

(b) Companies that secure their PDFaudit report from unauthorisedalternationYes 23 19 0 0 2 17 0 0No 100 81 4 100 10 83 4 100

(c) Scan quality of PDF audit reporte

Good 121 98 4 100 12 100 4 100Poor 2 2 0 0 0 0 0 0

(d) Location of audit reportCorporate Website 126 98 4 100 13 100 5 100Alternative Website 2 2 0 0 0 0 0 0Auditor’s Website 0 0 0 0 0 0 0 0

(e) Navigation to audit reportTable of contents hyperlinkwithin annual report 6 5 0 0 7 54 1 20Table of contents hyperlinkoutside annual report 5 4 0 0 1 8 0 0No hyperlink direct to audit report 117 91 4 100 5 38 4 80

(f) Scanned signature on audit reportYes 101 79 1 25 9 69 5 100No 27 21 3 75 4 31 0 0

(g) Digital signature with audit reportYes 0 0 0 0 0 0 0 0No 128 100 4 100 13 100 5 100

(h) Audit firm logoLogo with link 0 0 0 0 0 0 0 0Logo with no link 79 62 0 0 5 38 5 100No logo 49 38 4 100 8 62 0 0

(i) Presence of watermark for auditreportYes 0 0 0 0 0 0 0 0No 128 100 4 100 13 100 5 100

(j) Financial information and auditreport backgroundSame 117 91 4 100 13 100 5 100Different 11 9 0 0 0 0 0 0

(k) Links to/from audit reportLinks from audit report 1 1 0 0 0 0 0 0Links to audit report 11 9 0 0 8 62 1 20No links 116 90 4 100 5 38 4 80

Notes: a Except for Items b and c, n = 128; b n = 4; c Except for Items b and c, n = 13; d Except forItems b and c, n = 5; e Items b and c, n = 123 for comprehensive annual financial statements, 12 forsummarised annual financial statements and four for prospectus/listing profile

Table IV.The format and locationof the audit report on the

Web


Internet

429

number of reports were in HTML, Microsoft Word, or JIFF formats. Less than 20 percent of the companies that adopted the PDF file format (23 of the 123 that publishedcomprehensive accounts, and two of the 12 that published summarised accounts) usedAcrobat’s file security features to grant users rights to download and print the auditreport, but not the ability to modify them (Item b, Table IV).

A subjective assessment was made of the quality of scanned PDF audit report. Twoaudit reports associated with comprehensive annual financial statements were foundto be virtually illegible (Item c, Table IV). Both appeared to have been scanned at avery low resolution (lower than that used for the associated financial statements),resulting in the scanned images appearing severely pixilated. Interestingly, one of thepoor quality scanned reports was not on the page that the index indicated it was on.Further analysis of this report revealed that the auditors had modified their report byincluding a paragraph highlighting a fundamental uncertainty. Although there couldbe several explanations for this company’s behaviour, the study’s findings highlightthe possibility that some companies could be motivated to attempt to conceal auditreport content in this fashion.

Table IV (Item d) shows that the two companies identified in Table II as havinglinks to comprehensive financial statements located on external Websites, also haveaudit reports on those sites. As discussed earlier, the use of hyperlinks to externalWebsites could be taken to imply endorsement of the information targeted by thehyperlink. Consequently, the auditor should regard information appearing on the thirdparty’s Website as if it is being presented directly by the reporting entity. The fact thata third party, that is not in a contractual relationship with the auditor, has control ofthe presentation of both the audited financial information and the audit report, couldrepresent a significant risk to the auditor.

Navigation to the audit report was not easy in many cases. Most companies madeavailable audited financial information in one or a few large PDF files. As hyperlinkingcapabilities in PDF files are only available in the more recent versions of AdobeAcrobat and Acrobat Reader, few companies’ PDF files make use of this feature. Thismakes navigation to the audit report tedious. Table IV (Item e) indicates that 117companies (91 per cent) presented comprehensive financial statements with auditors’reports in this manner.

Table IV (Item f) reveals that not all auditors’ reports incorporated the auditors’signatures, as is required by New Zealand’s AS-702: The Audit Report on an AttestAudit (Institute of Chartered Accountants of New Zealand, 1998b)[15]. A total of 101 ofthe 128 auditors’ reports associated with comprehensive financial statements (79percent) included scanned versions of the auditors’ signatures, while only nine out of 13auditors’ reports associated with summarised financial statements (69 percent)incorporated such signatures. No evidence was found of the use of digital signatures byauditing firms in New Zealand (Item g, Table IV).

The audit firm’s logo is an important means by which the auditor can assist the userin distinguishing the audit report from other information in the financial statements,which are sourced directly from the company. Surprisingly, a considerable number ofauditors’ reports (49 auditors’ reports related to comprehensive financial statements(38 percent), and eight related to summarised financial statements (62 per cent)) had noaudit firm logo (Item h, Table IV). Further, those audit firms that did display theirfirms’ logos, did not take the opportunity to hyperlink the logo back to the audit firms’

MAJ19,3

430

Website, thus forgoing an opportunity to add further independence and credibility tothe auditors’ reports.

Watermarks and backgrounds to electronic documents can also be used todistinguish the audit report from its subject matter. Table IV (Items i and j) reveals thatsuch features are rarely used.

Finally, links from the audit report were only used in one instance, where the auditreport included hyperlinks to the financial statements subject to audit (Item k,Table IV). Hyperlinks to the audit report included only hyperlinks from tables ofcontents. There was no evidence that management of any company attempted toassociate non-audited quantitative or qualitative information with the auditors via ahyperlink to the audit report.

Table V presents the results of the content analysis which relate to issues associatedwith the content of the audit report. The data in Table V correspond with the questionsin Panel C of Table II.

Only two companies’ Websites (2 per cent) included audit reports that had beenspecifically modified for the Web environment (Item a, Table V). Both sites displayedthese modified audit reports for both comprehensive and summarised financialstatements. As can be seen in Table V, both reports are modified for the same issues.Both companies have head offices in Australia and have adopted the recommendedaudit report wording found in the Australia’s AGS 1050. Specifically, they indicate thatthe directors’ are responsible for the integrity of the Website, and that the auditorshave not been engaged to provide assurance over Website integrity; the audit reportonly refers to the statements identified in the audit report; the audit report does notprovide an opinion on any information that may have been hyperlinked to/from thefinancial statements; and that if users are concerned about the inherent risks arisingfrom electronic data communications, they should consult the hard-copy financialstatements. The relatively few number of audit reports that contain such statementshighlights the fact that a considerable number of audit firms are unnecessarilyexposing themselves to potential legal liability.

Table V (Item b) shows that seven audit reports that were associated withcomprehensive annual financial statements (5 per cent) used an inappropriate methodto highlight the specific financial statements and notes subject to the audit. Three ofthe seven auditors’ reports referred to financial statements by page number, when onlyHTML audited financial statements were published on the two companies’ Websites. Afurther three audit reports contained page references to financial statements which didnot correspond to the actual financial statement pages. Last, the remaining audit reportmade no reference to specific pages nor to specific financial statements subject to audit.To avoid confusing users of the auditors’ reports, the companies could have eithernamed the specific financial statements and/or provided hyperlinks thereto.

Discussion and conclusionThis paper set out to answer two research questions:

(1) What are the primary implications for the auditing profession of Internetfinancial reporting?

(2) What are auditors’ existing practices in relation to Internet financial reporting?


Internet

431

The first research question was addressed through an extensive review of theacademic and professional literature. Based on this review, this study identified anddiscussed the relevant auditing issues relating to the relatively new practice offinancial reporting on the Internet. The empirical evidence required to address thesecond research question was obtained through a comprehensive content analysis oflisted company Websites in New Zealand. This analysis provided critical insights intoextant external audit practices.

A number of factors associated with the practice of Internet financial reporting wereidentified which have significant implications for auditors. Such factors include theunregulated nature of corporate disclosure over the Internet; risks ofconversion/transpositional errors; risks of unauthorised access/modification of

Comprehensive financialstatements

Summarisedannualfinancialstatements

Prospectus/listing profile

Annual Interimn (%) n (%) n (%) n (%)

(a) Audit report refers tomatters relating toelectronic presentation ofaudit financialinformation?Yes 2 2 0 0 2 0 0 0No 126 98 4 100 11 100 5 100Matters referred to:Directors’ responsibility 2 0 2 0Clarification of auditor’srole with respect toWeb site 2 0 2 0No opinion provided oninformation hyperlinkedto/from financialstatements 2 0 2 0Refers users to hard-copyfinancial statements ifconcerned with inherentrisks of electronic datacommunications 2 0 2 0Warning regardingdomestic GAAP/GAASdiffering from overseasGAAP/GAAS 0 0 0 0

(b) Method of identifying thefinancial statements towhich the audit reportrelates appropriate forWeb site?Yes 121 95 4 100 13 100 4 80No 7 5 0 0 0 0 1 20

Table V.The content of the auditreport on the Web

MAJ19,3

432

accounting information; the fluid nature of information on the Internet; the ease withwhich external information can be incorporated into Websites through hyperlinks; andincreasing demands from users for greater timeliness, breadth, and depth of corporatedisclosures.

These factors were found to give rise to a number of issues for the auditingprofession. These issues were found to relate to the role and responsibility of auditorsfor information placed on corporate Websites; the potential for an inappropriateassociation of the audit report with unaudited information appearing on the auditee’sWebsite or information linked to/from external Websites and the inappropriateomission of the audit report from the Website; the appropriate audit procedures; andthe nature, timing, form, and content of the audit report on the Internet. Many of theissues identified had parallels in the world of hard-copy financial reporting. However,these issues required detailed analyses because they were either more problematic inthe newer Internet environment or potentially required a “new technology” solution.

The content analysis of corporate Websites in New Zealand reveals a number ofconcerns for the auditing profession. A number of companies publish audited financialreports without the corresponding audit report. This makes it difficult for users todetermine whether the published information has been audited, and whether the auditreport has been selectively withheld by management. Two instances were found ofauditors’ reports being incorporated with financial information on a third-party’sWebsite. The potential lack of control over the association between the financialinformation and the auditors’ reports arising from this situation would be of concern toauditors.

A surprising number of electronic auditors’ reports (about 79 per cent) failed toincorporate scanned signatures making it difficult for users to make an assessmentconcerning the authenticity of the audit report document. Further, no audit firm madeuse of digital signatures. Digital signatures offer the ability simultaneously toauthenticate and assure users of the integrity of signed documents.

No audit firms located their audit reports on their own Websites. Locating auditreports on the auditor’s Website gives the auditor greater control over the presentationand security of the report, and additionally, helps to distinguish it from the auditsubject matter. Further, it may increase the perceived independence of the auditor. Onthe other hand, it could also give the audit opinion greater weight than intended.

It appears that companies’ Websites blend audited information with unauditedinformation. The use of a different file format (typically PDF) for audited information ispossibly the only distinction. Increasing the distinctiveness of audited information,perhaps through the use of borders, backgrounds, watermarks, and alerts to users,helps mitigate the possibility of the two types of information being blended (Hodge,2001). This is essentially a design issue that is ultimately the company’s decision, butone which auditors should have an interest in, since it can have implications for auditrisk management.

Few audit firms modified the content of their traditional hard-copy audit report forthe new reporting environment. Only two highlighted the relative responsibilities ofmanagement and the auditors for the integrity of the Website. Clearly, auditors who donot modify their auditors’ reports to reflect the impact of the new reportingenvironment are at risk of legal liability.


Internet

433

These findings have immediate and important implications for the accountingprofession and regulators. Authoritative pronouncements are needed to increase theawareness of issues associated with financial reporting on the Internet among bothauditors and preparers, and to standardise audit responses thereto.

Auditors do not appear to be responding and adapting to the new reportingenvironment. No evidence was found in the study of auditors adapting their traditionalaudit approaches to the new environment, nor was there any evidence that they wereadopting technologies available to them, such as digital signatures. Guidance notesand other such pronouncements may be required to raise the general awareness of IFRissues among auditors, and to facilitate their education in the area of informationtechnology generally, and data communications, in particular. The results of thecurrent study also support amendments to existing auditing standards/guidelines.Auditing pronouncements covering engagement letters should be modified to require:

. clarification of the relative responsibilities of management and auditor withrespect to IFR; and

. communication of the auditor’s expectations concerning their client’s use of IFR.

Audit report pronouncements should also be revised to require modification of thestandard audit report wording when the auditor’s clients engage in IFR practices.

There are also significant implications for financial reporting standard settersarising from this study. The results of the study strongly support the development of“best practice” guidelines for IFR preparers, similar to those incorporated into IASC’srecommended code of conduct (Lymer et al., 1999), and the recently issued IFAC staffpaper, Financial Reporting on the Internet (IFAC, 2002).

Some argue that a slow adaptation to the IFR environment by regulators andauditors may significantly dampen the uptake of Internet financial reports by usersand may even place auditors at a competitive disadvantage relative to non-auditors inoffering new assurance services on the increasing quantity of non-financial andqualitative information appearing on corporate Websites (Xiao et al., 2002).

In the near future, we believe that new audit-related IFR issues will arise. In themedium term, it is likely that many firms will supplement or even substitute the typesof financial information currently presented on their Websites with information taggedaccording to the various eXtensible Business Reporting Language (XBRL)[16]taxonomies. The widespread adoption of XBRL will present auditors with newchallenges, such as the need to address the controls and procedures used in the XBRLtagging process (CICA, 2002), the need to assess the appropriateness of taxonomiesused, and consideration of the need to provide assurance on data at a disaggregatedlevel (Lymer and Debreceny, 2003)[17]. In the longer term, user demand is likely todictate the disclosure of more timely information, perhaps moving towards continuousreal-time disclosure and the disclosure of more disaggregated and diverse information(Elliot, 1994). Both of these demands suggest that traditional GAAP-based hard-copyfinancial statements will become less significant to users (Trites, 1999; FASB, 2000).

The implications for auditors of continuous reporting are many. In such anenvironment, the auditor will need to place more emphasis on preventative controlsand real-time detective controls. Audit technology employed will need to also becomemore continuous, perhaps involving embedded audit modules which constantlymonitor and report exceptions in real-time. As the reporting cycle becomes shorter, the

MAJ19,3

434

relevance of the traditional audit report is also brought into question. Should the auditreport be “short interval” (i.e. issued daily or weekly, etc.); “evergreen” (i.e. alwaysavailable and dated); or a “report on demand” (i.e. dated as at the time of the userrequest) (CICA, 1998)? The technical proficiency of the auditor will clearly be critical tothe conduct of such an audit. Questions concerning the skills and competence of theauditor can also be raised in relation to the expansion of the auditor’s subject matterbrought about by the expected user demand for more diverse and disaggregatedinformation.

Notes

1. Such studies have examined Internet financial reporting practices in New Zealand (Fisheret al., 2000; McDonald and Lont, 2001), UK (Craven and Marston, 1999), USA (Ashbaughet al., 1999), Austria and Germany (Pirchegger and Wagenhofer, 1999), USA and Canada(Trites, 1999), USA, UK and Germany (Deller et al., 1999), Sweden (Hedlin, 1999), Spain(Gowthorpe and Amat, 1999), in addition to an international comparison (Lymer et al., 1999).

2. New Zealand’s auditing standards are based on International Standards of Auditing (ISAs)issued by the International Federation of Accountants (IFAC).

3. The 1999 report commissioned by the IASC, Business Reporting on the Internet, notes that inFrance, the Commission des Operations de Bourse (COB) has regulated corporate Webdisclosure in a similar fashion to the long-standing regulation of the French national Minitelsystem (Lymer et al., 1999). The report also notes that the Toronto Stock Exchange inCanada has published guidelines for corporate reporting on the Web (Lymer et al., 1999,pp. 57-8).

4. HTML has been described as the lingua franca of the Web (Lymer et al., 1999, p. 26). Itessentially permits the “tagging” of the content of a page in order to describe how it shouldappear through the recipient’s Web browser software, e.g. Should text be indented? Should itbe in large font and bolded?, etc. HTML supports the hyperlinking of text and/or otherobjects within a page or between pages in order to facilitate on-screen navigation. Links arealso possible to non-HTML resources, such as downloadable programs, email addresses, etc.,even if they are located on other servers accessible through the Internet.

5. PDFs are created with Adobe’s Acrobat software. This application converts scannedversions of hardcopy documents or electronic versions of certain non-PDF documents toPDF. The resulting PDF documents preserve the look and content of the original documentsmaking them useful for the purposes of document exchange. Once created, they can beconveniently distributed through email, Web pages, and other media. PDF files created withAcrobat version 5 now incorporate many of the hypertext linking abilities of HTMLdocuments, and are now even searchable using certain popular Internet search engines, suchas Google (http://www.google.com).

6. The Australian Accounting Research Foundation and the UK’s Auditing Practices Boardhave issued guidance notes concerning auditor issues associated with IFR, and these arediscussed in a subsequent section of this paper.

7. Such interpretations are not unreasonable given recent moves by various governments tointroduce legislation designed to reduce the uncertainty regarding the legal effect ofelectronic information, and to allow certain paper-based legal requirements, such as arequirement for writing, a signature, or the retention of documents, to be met by usingelectronic technology. Examples include the UK’s Companies Act 1985 (ElectronicCommunications) Order 2000, and New Zealand’s Electronic Communications Bill whichwas tabled in October 2000.


Internet

435

8. In some jurisdictions, however, auditors have statutory responsibilities to consider andreport on the consistency of specific “other information” with the financial statements withwhich they are issued. For instance, in the UK, auditors of limited companies have astatutory responsibility under the S235(3) of the Companies Act 1985 to state in the auditreport when they believe that there are inconsistencies between information given in thedirectors’ report and the corresponding annual accounts.

9. Similar responsibilities exist for auditors in other jurisdictions, such as New Zealand(EXFWDRTG: Explanatory Foreword to Reporting Engagement Standards and Guidelines)and Australia (AUS 106 Explanatory Framework for Standards on Audit and Audit RelatedServices) (Australian Accounting Research Foundation, 2001).

10. However, placing audited financial statements on the auditor’s Website may convey greaterresponsibility for the financial report than is normally associated with the audit process.

11. ChangeDetect Pro (www.changedetect.com) and WatchThatPage (www.watchthatpage.com) are two such services, which allow the monitoring of specified pages for any changes orchanges to specified keywords.

12. This asymmetric key system is commonly referred to as public key cryptography. Interestedreaders may wish to refer to Kogan et al. (1999) or American Bar Association Section ofScience and Technology Information Security Committee (2002) for further informationconcerning the use of public key systems in the commercial environment.

13. According to Bulletin 2001/1, the ICSA guidance document was prepared in response to arequest by the Department of Trade and Industry. The Bulletin includes a relevant extractfrom the guidance document in its appendices. The extract identifies three key recommendedbest practices for companies in relation to IFR: companies should employ techniques, such aswatermarks, to clearly identify “statutory” information, and to indicate when displayedinformation forms part of the audited financial statements; companies should liaise closelywith and obtain clearance from their auditors prior to displaying audited information and theaudit report on their Websites; and companies should establish routine systems of checkingthat statutory or audited information displayed on their Websites has not been tamperedwith, and that the home pages of the statutory sections of their Websites contain a messageindicating the time and date when the contents of those sections were last verified.

14. As discussed later in the paper, this particular audit report was an extremely poor qualityscanned image of the original audit report. Further, it was buried in the middle of thefinancial statements and incorrectly indexed.

15. IFAC’s ISA-700 The Auditor’s Report on Financial Statements contains a similarrequirement in paragraph 26 (IFAC, 2003b).

16. XBRL is a Web-based business reporting specification based on the Extensible MarkupLanguage (XML). It permits the tagging of financial information in order to facilitate itsefficient (including automated) location, retrieval, collation, and analysis. See XBRLInternational’s Website (www.xbrl.org) for further information.

17. The Canadian Institute of Chartered Accountants has recently issued a white paper, whichprovides a preliminary analysis of the audit and control implications of XBRL (CICA, 2002).Lymer and Debreceny (2003) also provide a discussion of the audit issues associated withXBRL reporting.

References

American Bar Association Section of Science and Technology Information Security Committee(2002), “Digital signature guidelines tutorial”, available at: www.abanet.org/scitech/ec/isc/dsg-tutorial.html (accessed 4 February).

MAJ19,3

436

American Institute of Certified Public Accountants (AICPA) (1997), Other Information inDocuments Containing Audited Financial Statements, Interpretation No. 4 of Statement ofAuditing Standards (SAS) No. 8, AICPA, New York, NY, March.

Ashbaugh, H., Johnstone, K. and Warfield, T. (1999), “Corporate reporting on the Internet”,Accounting Horizons, September, pp. 241-57.

Auditing Practices Board (2001), Bulletin 2001/1: The Electronic Publication of Auditors’Reports, Auditing Practices Board, London, January.

Australian Accounting Research Foundation (1996), AUS 212 Other Information in DocumentsContaining Audited Financial Reports, Australian Accounting Research Foundation,Melbourne.

Australian Accounting Research Foundation (1999), AGS 1050: Audit Issues Relating to theElectronic Presentation of Financial Reports, Australian Accounting Research Foundation,Melbourne.

Australian Accounting Research Foundation (2001), AUS 106 Explanatory Framework forStandards on Audit and Audit Related Services, Australian Accounting ResearchFoundation, Melbourne.

Bagshaw, K. (2000), “Financial information on the Internet”, Accountants’ Digest, No. 429, July.

Canadian Institute of Chartered Accountants (CICA) (1998), Continuous Auditing, CICA, Toronto.

Canadian Institute of Chartered Accountants (CICA) (2002), Audit and Control Implications ofXBRL, White Paper, CICA, Information Technology Advisory Committee, Toronto.

Craven, B. and Marston, C. (1999), “Financial reporting on the Internet by leading UKcompanies”, The European Accounting Review, Vol. 8 No. 2, pp. 321-33.

Debreceny, R. and Gray, G. (1996), “The impact of the Internet on traditional assurance servicesand opportunities for new assurance services: challenges and research opportunities”,available at: www.summa.org.uk/corp/papers/debreceny/audit_Web.htm (accessed4 February).

Debreceny, R. and Gray, G. (1999), “Financial reporting on the Internet and the external audit”,The European Accounting Review, Vol. 8 No. 2, pp. 335-50.

Deller, D., Stubenrath, M. and Weber, C. (1999), “A survey on the use of the Internet for investorrelations in the USA, the UK and Germany”, The European Accounting Review, Vol. 8No. 2, pp. 351-64.

Elliot, R. (1992), “The third wave breaks on the shore of accounting”, Accounting Horizons, June,pp. 61-85.

Elliot, R. (1994), “Confronting the future: choices for the attest function”, Accounting Horizons,Vol. 8 No. 3, pp. 106-24.

Ettredge, M., Richardson, V. and Scholz, S. (2000), “Going concern auditor reports at corporateWeb sites”, Research in Accounting Regulation, Vol. 14, pp. 3-22.

Financial Accounting Standards Board (FASB) (2000), Business Reporting Research Project:Electronic Distribution of Business Reporting Information, FASB, Norwalk, CT.

Fisher, R., Laswad, F. and Oyelere, P. (2000), “Financial reporting on the Internet”, CharteredAccountants’ Journal, April, pp. 68-72.

Gowthorpe, C. and Amat, O. (1999), “External reporting of accounting and financial informationvia the Internet in Spain”, The European Accounting Review, Vol. 8 No. 2, pp. 365-71.

Green, G. and Spaul, B. (1997), “Digital accountability”, Accountancy, international edition, May,pp. 49-50.


Internet

437

Hedlin, P. (1999), “The Internet as a vehicle for investor relations: the Swedish case”, TheEuropean Accounting Review, Vol. 8 No. 2, pp. 373-81.

Hodge, F. (2001), “Hyperlinking unaudited financial information to audited financial statements”,The Accounting Review, Vol. 74 No. 4, pp. 675-91.

Hussey, R., Gulliford, J. and Lymer, A. (1998), Corporate Communication: Financial Reporting onthe Internet, Deloitte & Touche, London.

Institute of Chartered Accountants of England and Wales (ICAEW) (1998), The 21st CenturyAnnual Report, Institute of Chartered Accountants of England and Wales, London,November.

Institute of Chartered Accountants of New Zealand (1998a), AS-518: Other Information in aDocument Containing an Audited Financial Report, Institute of Chartered Accountants ofNew Zealand, Wellington, June.

Institute of Chartered Accountants of New Zealand (1998b), AS-702: The Audit Report on anAttest Audit, Institute of Chartered Accountants of New Zealand, Wellington, November.

Institute of Chartered Accountants of New Zealand (2003), ED/AGS-1003: Audit Issues Relatingto the Electronic Presentation of Financial Reports, Institute of Chartered Accountants ofNew Zealand, Wellington, June.

International Federation of Accountants (IFAC) (n.d.), ISA-720: Other Information in DocumentsContaining Audited Financial Statements, IFAC, New York, NY.

International Federation of Accountants (IFAC) (2002), IFAC Staff Paper, Staff of the IFAC,New York, NY, August.

International Federation of Accountants (IFAC) (2003a), IFAC ISA-120: Framework ofInternational Standards on Auditing, IFAC, New York, NY, August.

International Federation of Accountants (IFAC) (2003b), ISA-700: The Auditor’s Report onFinancial Statements, IFAC, New York, NY, January.

Kogan, A., Sudit, F. and Vasarhelyi, M. (1999), Some Auditing Implications of InternetTechnology, available at www.rutgers.edu/Accounting/raw/miklos/tcon3.htm (accessed13 July).

Lont, D. (2003), “Financial reporting on the Internet”, Chartered Accountants Journal, August,pp. 64-6.

Louwers, T., Pasewark, W. and Typpo, E. (1998), “Silicon Valley meets Norwalk”, Journal ofAccountancy, August, pp. 20-4.

Lymer, A. and Debreceny, R. (2003), “The auditor and corporate reporting on the Internet:challenges and institutional responses”, International Journal of Auditing, Vol. 7,pp. 103-20.

Lymer, A., Debreceny, R., Gray, G. and Rahman, A. (1999), Business Reporting on the Internet, areport prepared for the International Accounting Standards Committee, Washington, DC,November.

McCafferty, J. (1995), “Investor relations, how much to reveal online”, CFO, December, p. 12.

McDonald, R. and Lont, D. (2001), “Financial reporting on the Web – a 2001 review”, CharteredAccountants Journal, pp. 64-8.

Pirchegger, B. and Wagenhofer, A. (1999), “Financial information on the Internet: a survey of thehomepages of Austrian companies”, The European Accounting Review, Vol. 8 No. 2,pp. 383-95.

Robb, A. (1999), “Auditors let power beat off hook despite ‘going concern’ issues”, The NationalBusiness Review, October.

MAJ19,3

438

Securities Exchange Commission (SEC) (1995), “Use of electronic media for delivery purposes”,Securities Act Interpretive Release, No. 33-7233, SEC, New York, NY, p. 6.

Securities and Exchange Commission (SEC) (2000), SEC Interpretation: Use of Electronic Mediafor Delivery Purposes, File number S7-11-00, SEC, New York, NY.

Securities and Exchange Commission (SEC) (2001), Special Study: Regulation Fair DisclosureRevisited, SEC, New York, NY, available at: www.sec.ov/news/studies/regfdstudy.htm(accessed 3 May).

Steinbart, P. (1989), “The auditor’s responsibility for the accuracy of graphs in annual reports:some evidence of the need for additional guidance”, Accounting Horizons, September,pp. 60-70.

Trites, G. (1999), The Impact of Technology on Financial and Business Reporting, CanadianInstitute of Chartered Accountants, Toronto.

Trites, G. and Sheehy, D. (1997), “Electronic disclosure making a hit on the Net“, CA Magazine,March, p. 10.

Xiao, Z., Jones, M. and Lymer, A. (2002), “Immediate trends in Internet reporting”, The EuropeanAccounting Review, Vol. 11 No. 2, pp. 245-75.

Further reading

Auditing Practices Board (1996), The Auditors’ Code, Auditing Practices Board, London.

Auditing Practices Board (1999), SAS 160: Other Information in Documents Containing AuditedFinancial Reports, Auditing Practices Board, London.

Institute of Chartered Accountants of New Zealand (1994), EXFWDRTG: Explanatory Forewordto Reporting Engagement Standards and Guidelines, Institute of Chartered Accountants ofNew Zealand, Wellington, May.

Institute of Chartered Accountants of New Zealand (1998), AS-404: Audit ConsiderationsRelating to Entities Using Service Organisations, Institute of Chartered Accountants ofNew Zealand, Wellington, June.

Public Oversight Board (2000), The Panel on Audit Effectiveness: Report and Recommendations,available at: www.pobauditpanel.org (accessed 30 September).


Internet

439

Date post:	10-Dec-2016
Category:	Documents
Upload:	fawzi
View:	216 times
Download:	0 times