XBRL Kansas Elsas

On Positioning
XBRL Assurance Business Rules
in a Computational Infrastructure
for Modern Auditing
Philip Elsas
ComputationalAuditing.com
Lawrence, Kansas April 24-25, 2009
2009 Annual University of Kansas
International Conference on XBRL
A Practical View of XBRL in the 21st
Century

Introduction
• Since 2003: Company - Canada, Netherlands
• 1988-2003: Deloitte.
with intermezzo at Bakkenist Management Consultants, sold to Deloitte.
• 1990- 1996: PhD Computational Auditing
- Principal, Chief Architect & inventor of Smart Audit Support
- Smart Audit Support is since 1994 key in Deloitte’s worldwide
audit practice. Currently integrated in “The Deloitte Audit”
- System blueprint in Chapter 5 of …
- PhD in Mathematics & Computing Science on Financial Auditing
- Parallel to Smart Audit project, in part-time at Vrije Universiteit
- Directly after appearance awarded with the biennial
Alfred Coini Prize for the best publication in Auditing
Offering software and consultancy services to
audit practices and audit software firms
1
The Dutch Tax Office used Computational Auditing in 2001-2003 as Frame of
Reference to compare Big 4 firm’s planning and decision-support models and
systems to investigate how to improve audit productivity (57 page report);
considers Smart Audit Support “leader of the pack”.

Agenda
On Positioning XBRL Assurance Business Rules
in a Computational Infrastructure for Modern Auditing
• How XBRL Works, by Charles Hoffman
• Charles’ Smart XBRL App & Deloitte’s Smart Audit Support
• Killer App for XBRL Assurance:
Early Warning System for Systemic Risk
2
• XBRL Assurance, Business Rules and XBRL Formula
• Looking into Builder-Based XBRL Assurance App’s
Killer App (Wikipedia): any computer program that is so necessary or desirable
that it proves the core value of some larger technology, such as computer
hardware like a gaming console, operating system or other software.
A killer app can substantially increase sales of the platform that it runs on.

How XBRL Works
by Charles Hoffman, CPA
Source at http://www.youtube.com/watch?v=nATJBPOiTxM
3

Unstructured Text
Inventory
Inventory consists of produce purchased for resale and supplies and are stated at the
lower of cost or market using the first-in, first-out (FIFO) method. Inventory as of
December 31, 2006 and 2005 amounted to $45,594 and $34,456, respectively.
Source: Charles Hoffman
4

Structured Text
<InventoryInformation>
Inventory
Inventory consists of produce purchased for resale and supplies and are stated at the lower
of cost or market using the first-in, first-out (FIFO) method. Inventory as of December 31,
2006 and 2005 amounted to $45,594 and $34,456, respectively.
</InventoryInformation>
5

Structured for Presentation
<html>
<p><bold>Inventory</bold></p>
<p>Inventory consists of produce purchased for resale and supplies and are stated at the
December 31, 2006 and 2005 amounted to <bold>$45,594</bold> and
<bold>$34,456 </bold>, respectively.</p>
</html>
Inventory
6

Structured for Meaning
<Inventory>
<ConsistsOf>produce purchased for resale and supplies</ConsistsOf>
<StatedAt>lower of cost or market</StatedAt>
<ValuationMethod>FIFO</ValuationMethod>
<Value2006>$45,594</Value2006>
<Value2005>$34,456</Value2005>
</Inventory>
Inventory
7

Structured for Meaning, Global
Standard
<InventoryComponents contextRef=“D-2006”>produce purchased for resale and
supplies</InventoryComponents>
<InventoryCostBasis contextRef=“D-2006”>lower of cost or market</InventoryCostBasis>
<ValuationMethod contextRef=“D-2006”>FIFO</ValuationMethod>
<Value2006 contextRef=“D-2006” unitRef=“USD” decimals=“0”>45594</Value2006>
<Value2005 contextRef=“D-2006” unitRef=“USD” decimals=“0”>$34,456</Value2005>
Inventory
8

9
This isn’t your Daddy’s Financial
Reporting Application!
Current approach, type this into Word:
Inventory
Smart XBRL Application:
Or:
Put a grid (neutral format table) here
Inventory

Agenda
10

XBRL Assurance
11
IFAC and other accounting organizations are discussing the topic to decide on a common
approach and XBRL auditing standards. The auditor may give assurance to an XBRL financial
statement, an XBRL business report and XBRL real-time reporting (often referred to as
continuous reporting). The short term focus is on XBRL financial statements and regulatory
reports, while the future focus is expected to be more on real-time reporting.
The XBRL standard has the ability to define business rules. These business
rules can be found in different places (i.e. datatypes or linkbases) in the
XBRL taxonomy. Application of these business rules will contribute to the
reliability of the XBRL report. The business rules can be used by the
reporting company (preparer), the taxonomy author (i.e. regulator) or the
auditor.
Source: Marc van Hilvoorde, 2008, http://en.wikipedia.org/wiki/XBRL_assurance
XBRL assurance is the auditor’s opinion on whether a financial statement
or other business report published in XBRL, is relevant, accurate, complete,
and fairly presented. An XBRL report is an electronic file and called
instance in XBRL terminology.

How to articulate, validate and execute a
specification of an XBRL assurance process?
12
In XBRL Assurance we are particularly interested
in articulating a methodology-based audit
approach, or audit process, that guides how to
achieve assurance
Isn’t it too low?
Isn’t it too high?
For example: Charles’ Smart XBRL Application
Inventory(Inflow:Purchase) + Inventory(Begin) – Inventory(End) →
Inventory(Outflow:Resale,Suppliers) in products or money (gross profit)
1st interpretation: Bold font = Completeness Regular font = Correctness
2nd interpretation: Bold font = Correctness Regular font =
Completeness
Example audit equation

13
• declare function my:withinTolerance( $x as xdt:anyAtomicType,
$y as xdt:anyAtomicType ) as xdt:boolean* { fn:abs( $x - $y) lt 500 }
– tax:withinTolerance ($Assets,($CurrentAssets + $FixedAssets))
– sec:withinTolerance ($Equity,$EquityPrev + $Earnings)
– withinTolerance ($Assets,$Liabilities + $Equity)
• …
• if (…) then … else if (…) then … else …
Source: Charles Hoffman, 2009, http://xbrl.squarespace.com/journal/2009/1/11/things-
generally-missed-about-business-rules-validation.html
Source: XBRL Formula Requirements by Hamscher, Shuetrim and Vun Kannon, 2005,
http://www.xbrl.org/technical/requirements/Formula-Req-CR-2005-06-21.htm
In articulating an XBRL assurance process,
a central role is considered for Business Rules
using XBRL Formula
For example, fragments from corresponding XBRL Formula
• Assets = Liabilities + Equity (i.e. the balance sheet balances)
• The invoice total equals to the sum of the invoice line item amounts
• If you report Property, Plant and Equipment on your balance sheet, you
need to provide specific policies and disclosures relating to that line item
For example, Business Rules

14
Having a computer-interpretable articulation of business rules
offers main advantages:
1. automatic validation, and
2. automatic execution, like workflow software app’s for
document transformations (BPEL, XPDL, YAWL, Wf-XML)
And, as a consequence of having one standard language to
specify assurance business rules, users have extra advantages:
• A global standard way to express business rules
• A global standard way of exchanging such rules between applications
• Business rules are separate from, instead of integrated in, applications
• XBRL engines support a large user base, reducing cost per user
• You can apply your own XBRL rules on incoming XBRL information
Source: Charles Hoffman, 2009, http://xbrl.squarespace.com/journal/2009/1/11/things-
generally-missed-about-business-rules-validation.html [with point #2 extended]
Advantages

15
1. avoids handcrafting XBRL Formula expressions…
Being focused on capturing audit methodology
in Business Rules expressed in XBRL Formula,
let’s now look into an approach that:
2. …by using a tailored website builder
and generates these expressions ‘behind the screens’ for
validation and ‘executable code’-generation purposes
• applicable to XBRL reports as Cascading Style Sheets
• ‘inside scripting’ (inside the audit team):
data analysis tasks, with form-driven configuration and
methodologically embedded in an audit planning context:
“When to do which task?” and “What to do with results?”
• client-side scripting and
• server-side scripting (e.g. JSP Standard Tag Library),
• technically embedding executable scripts, via 3-way scripting:
• automatically generating XML, XBRL and XBRL Formulas
• publish/upload these smart forms as dynamic web pages
• by specifying smart, interactive document/form templates
to articulate guidance on how to achieve XBRL assurance:
“What keeps
Audit Leaders
up at night?”,
ACL, 2008

16
Why is it worthwhile to look into such a
builder approach? To gain extra advantages
Since a dedicated builder for XBRL Assurance is easy
to use, it enables autonomous use by auditors, to
prepare methodological guidance for auditors,
without content intermediaries: quality & speed
An executable specification of an audit methodology
supports driving integral planning, execution and
documentation of each audit instance
Choosing document templates as ‘embedders’ of the audit
methodology enables levels of documentation, both
prescribing (setting standards) & describing (client instance)
If it’s Not Documented,
it’s Not Audited
Evidence Acquisition
Strategy that’s
Executable

Agenda
17

ComputationalAuditing.com18
Charles’ Smart
XBRL Application:
Built in Yahoo!
SiteBuilder
Played in an
arbitrary browser

p.334 19
p.337
Audit
methodology
specification
drives integral
planning,
execution and
documentation
Illustrative
case:
Classification
of the
Client’s Use
of Computers
Proven Architecture for Interactive
Audit Documentation and Guidance
Conditional relevancy:
An outgoing arrow −labeled with choice−
specifies an activation dependency to a
question, section, table, form, task, etc.
Effective: don’t miss relevant issue
Efficient: less relevant issue is not accessible
Mitigation of litigation risk
‘Correctness by
Construction’
Deloitte’s Smart Audit Support:
Interactive Audit Documentation
published in Word and browsers
World’s strongest audit support

Smart Audit Support’s
Document Index related to
Deloitte’s International Audit Approach
(1990’s)
p.336
20
PERFORM PRE-
ENGAGEMENT
ACTIVITIES
Assess Engagement Risk
Establish Terms of Engagement
Perform Preliminary Analytical Procedures
Understand the Client's Business
Understand the Accounting Process
Determine Planning Materiality
Develop Client-Service Objectives
Understand the Control Environment
Assess Risk at the Account
and Potential-Error Level
Rely on Controls ? Control Reliance Strategy ?
Identify Controls
Identify Controls and,
if Efficient, Establish
a Rotation Plan
Test Controls
Perform Focused
Substantive Tests
Perform Basic Level
of Substantive Tests
Perform Intermediate
Level of
Substantive Tests
Evaluate Results of Tests
Perform Financial Statement Review
Perform Subsequent Events Review
Obtain Management Representations
Report on Financial Statements
and Render Management Letter
PERFORM
PRELIMINARY
PLANNING
ASSESS
RISK
DEVELOP
AUDIT
PLAN
PERFORM
AUDIT
PLAN
CONCLUDE
AND
REPORT
That Mitigate Risk
Specific Identified Risk No Specific Identified Risk
NO YES YES NO
p.62
All planning docs
are smart forms
All planning docs
are smart forms
All planning docs
are smart forms
All planning docs
are smart forms
All planning docs
are smart forms
All planning docs
are smart formsAudit pack is a
bundle of forms
Deloitte’s Audit
Methodology

Why builder-based approach?
extra benefits to gain for XBRL Assurance
21
The main challenge in specifying an executable assurance methodology:
preserve operational integrity and consistency
That’s where science steps in: mathematical proofs that show how each ‘rewriting step’
in the executable methodology specification preserves integrity and consistency
E.g. the processing structure of all
connected questions, tables, etc. is
guarded to be a Directed Acyclic Graph
a specification huge in size, complex in structure, globally distributed, regionally refined,
daily used by many, in groupware, and, as wanted and encouraged, regularly updated
• Assurance expert makes own application & uploads it (business model)
• Jumpstart: only a few hours learning curve on how to use builder tool
• Comfortable: builder prevents classes of technical errors, no debugging
• No need for cumbersome ‘knowledge elicitation’ from expert to engineer
• No need to transfer ‘knowledge engineer’ specs to XBRL Formula expert
• No need for the expert to verify the app made by XBRL Formula expert
Since a dedicated tool to build assurance guidance is easy to understand
and use, assurance experts are enabled to autonomously construct
executable guidance material, leading to extra benefits:
‘Correctness by Construction’ in Domain-Specific Language (DSL)

Agenda
22

23Case I: Charles’ Smart XBRL App: extended for assurance
Lower of Cost or Market (LCM) is an
approach to valuing and reporting inventory.
Normally ending inventory is stated at
historical cost (what was paid to obtain it)
but there are times when the original cost of
the ending inventory is greater than the cost
of replacement thus the inventory has lost
value. If the inventory has decreased in
value below historical cost then its carrying
value is reduced and reported on the
balance sheet. The criterion for reporting
this is the lesser of the value of the original
cost or the market value. Any loss resulting
from the decline in the value of inventory is
charged to Cost of Goods Sold (COGS) if
non-material, or Loss on the reduction of
inventory to LCM if material.
http://en.wikipedia.org/wiki/Lower_of_Cost
_or_Market
Functionality looked for by DecisionSoft, 2003 Available in Deloitte’s Smart Audit Support

Standard lib
24Case I: Charles’ Smart XBRL App: getting ‘Formula in Form’
Inventory(Inflow:Purchase) + Inventory(Begin) – Inventory(End) →
Inventory(Outflow:Resale,Suppliers) in products or money (gross profit)
Example audit equation
Excel library with
XBRL functions
The ‘Formula in Form’ is
automatically generated
by an off-the-shelf
spreadsheet add-on
Sector packs of
prefab sheets

25Case II: Raj Srivastava’s Information Security Assessment
Based on:
Sun,
Srivastava
and Mock,
2006
“An Informa-
tion Systems
Security Risk
Assessment
Model under
Dempster-
Shafer
Theory”,
pp.43-48
dual-thumb sliders with range highlights

26Case II: Raj’s Information Security Assessment
This can almost be expressed, in a slightly different way, in Deloitte’s Smart Audit Support

M: Majority Owner-Manager
S: Sales department
B: Buy/Purchase department
F: Financial department
T: IT department
W: Warehouse manager
L: Labor/salary accounts
P: Planning department
C: Creditor accounts
D: Debtor accounts
A: Application
Agent Legend
C b f t
F m d
D s t
A t
L f t
P t
P t
W t
A t
A t
S
A
A
L F
L F
L F
MM D F
D
C
B F
B F
W
P
P
P
P
W
A
A
A
A
C m
D f t
S t
A t
F t
B f t B f t
P t
W t
L f
225
25 200
225
500
25
25
1,000
400
400100
20
20
20
20
500
400
Agent’s access is associated to:
1. Transactions
2. States
3. Flows
A capital letter is authorized, legitimate access
A small letter is illegitimate access, arising mainly as consequence of being authorized
Quantitatively motivated
process decomposition
27Case III: EY’s & Hans’ Smart Flowchart Pilot Study
Output in XML,
XBRL and scripts:
1. Audit equations
2. Segregation of
Duties analysis
Case by Hans Verkruijsse & EY team
Enterprise-level Process Documentation
incorporating Automatic Audit Analytics
Approach: Powerful and easy system
to support practice, founded in theory
The world’s strongest
process-oriented Auditing
Theory: classical Dutch
Auditing Theory (80+ yrs)
& its best-fitting rigorous
Process Theory:
Petri nets tailored to the
Auditing Domain
Dynamic: Transaction
Profit & Loss Item
T
Static: State Balance ItemS
Systematic framework guides
input preparation process
Input: diagram
Top-level is Supercycle. Overview connecting
traditional cycles. Clarifying. Refreshing.
Case used in Efrim Boritz’ CAATs class
Fit recognized by
Jagdish Gangolly

28Case IV: Conceptual Positioning &
Computational Infrastructure
• Executable External Controls, or audit tests, to test ‘Ist’ ICs to ‘Soll’ ICs;
external auditor, to identify and, if possible, mitigate weaknesses in
client’s Internal Controls (ICs)
• Normative Internal Controls in ‘Soll’, ‘To Be’ modality; external auditor
• Executable Internal Controls in ‘Ist’, ‘As Is’ modality; internal auditor
XBRL Assurance Business Rules as:
• Methodological context for data analysis tasks, answering: “When to do
which test ?” and “What to do with the test results ?” (ACL AuditExchange)
• Standard setters develop high-level guidance packs, and strict forms à
la tax, as basis to be refined, but not overruled, by other pack builders
• External auditors develop sector or client packs for internal auditors,
strengthening client relationship (source trade, vendor lock-in & ‘open’)
• Uploading by fee-earning experts. Downloading and applying by fee-
paying engagement teams. With a broker fee for the platform provider
• By auditors, for auditors - no content mediators, only platform provider
Audit Pack Platform, Business Model:

Source: Rick Bookstab(b)er at http://rick.bookstaber.com/2009/02/markup-languages-
and-mapping-market.html, speaker at the XBRL Risk Governance Forum, hosted by the
IBM Data Governance Council, February 2009 [emphasis added]:
“Within the work of this Forum are the seeds of reducing the risk of future market
crisis. Indeed, it could be the foundation for a quantum leap in risk management.”
29Case V: Rick Bookstaber’s proposal to set up an early
warning system to identify build-up of systemic risk + mitigation
“Having the proper tags – the proper bar code, if you will – for financial products,
ranging from bonds and equities to structured products and swaps will allow us to
understand the potential for crisis events and system risk. It will help us anticipate
the course of a systemic shock. It will identify cases where many investors might be
acting prudently, but where their aggregate positions lead to a level of risk which
they on their own cannot see. It also will give us the means to evaluate crises after
the fact.”
Why not have the external auditors do the first data aggregation ? They already visit
all the major companies, know about auditing risks and know how to aggregate
data to relevant, accurate, complete and fairly presented information on the
business level. They only have to bundle and aggregate this individual business
information to sector information. Furthermore, they are also familiar with all
confidentiality issues involved. The audit firms submit their audited sector
information to a central governmental agency, who is responsible for the new
anticipation tasks.
Comment posted by Philip Elsas on Rick’s blog

Agenda
30
Killer App (Wikipedia): any computer program that is so necessary or desirable
that it proves the core value of some larger technology, such as computer
hardware like a gaming console, operating system or other software.
A killer app can substantially increase sales of the platform that it runs on.

2. First release: matter of weeks or months, not years
2. The audit firms, as first aggregators of systemic risk indicators,
connect ‘micro to macro’ in XBRL (i.e. who is leveraged, what do they
own and what do they owe to whom?), and submit their audited
sector indicators to a government agency responsible for the new
anticipation and mitigation tasks
How far away?
31Priority for Urgency:
Early Warning System as Killer App for XBRL Assurance,
speeding up getting XBRL’s ‘Place & Future’ into ‘Here & Now’
1. For computational functionality: stop expecting more from XML,
start expecting more from the builder-based approach
1. An off-the-shelf system for bar-code tracking and tracing and
configured for XBRL tag-coded financial products
Proposed Solution
Risks to be identified: crowding in markets,
‘hot spots’ of high leverage, linkages in
event of crisis based on investor positions
Jumpstart by co-operation of top-specialists Rick Bookstaber, Raj Srivastava
and Charles Hoffman, and preferably in co-operation with a Big 4 audit firm
Small step for XBRL,
quantum leap for financial world
XBRL Assurance is closer than ever

“Limperg described the essence of the Theory of Inspired Confidence as follows:
“The normative core of the Theory of Inspired Confidence is therefore this:
the [auditor] is obliged to carry out his work in such a way that he does not
betray the expectations which he evokes in the sensible layman and;
conversely, the [auditor] may not arouse greater expectations than can be
justified by the work done.” [1932, 1933]
This takes the principles-based approach to its logical extreme. At this extreme, there are no
definite rules for what procedures an auditor must perform in a particular case, but the general
principle that guides the auditor is to perform enough work to meet the expectations the
auditor has aroused in society. Thus, the most important factor is society’s needs, and the
related factor that interacts with it is the ability of auditing methods to meet society’s needs.
However, society’s needs are not fixed and change over time. Also, auditing methods can
change and improve over time.”
32Why the audit profession welcomes increase of their
usefulness by being pivotal in ‘systemic early warning’
“The dynamic theory [of inspired confidence] that connects society’s need for reliable
financial information to the ability of auditing methods to meet this need is the
essence of the process that the PCAOB must follow.” …
“The PCAOB’s process must be directed by what is necessary to protect investors and
further the public interest.”
Source of quotes: Douglas R. Carmichael, first PCAOB Chief Auditor, 2004,
http://aaahq.org/audit/midyear/04midyear/papers/Carmichael%20Speech.doc
“The PCAOB and the Social Responsibility of the Independent Auditor”
Limperg Institute Symposium, the Netherlands, June 10, 2009, organized by
Hans Blokdijk & Ruud Veenstra, with contribution of ComputationalAuditing.com
[emphasis added]

XBRL Kansas Elsas

XBRL Kansas Elsas

Recommended

More Related Content

Similar to XBRL Kansas Elsas

Similar to XBRL Kansas Elsas(20)

Recently uploaded

Recently uploaded(20)

XBRL Kansas Elsas

Editor's Notes