Financial Reporting On the Internet


IFAC
August 2002

Financial Reporting On the Internet

Paper Issued by the Staff of the International Federation of Accountants

IFAC STAFF PAPER
AUGUST 2002

This paper results from research undertaken by IFAC Technical Staff in the course of work on other projects. It has not been approved or endorsed by any IFAC Technical Committee. It is reproduced here in the interests of sharing research with those who might be studying the same topic. Readers are encouraged to consider the thoughts in this paper. Any comments should be sent to:

Jim Sylph
Technical Director, IAASB
International Federation of Accountants
535 Fifth Avenue, 26th Floor
New York, New York

These comments will be forwarded to any of IFAC's technical committees who may initiate research in this area at a future date.

New York
August 2002

Financial Reporting On the Internet
Responsibilities of Directors and Management

Introduction

Scope

1. Many enterprises are using the Internet to communicate with customers, stakeholders and others in a variety of ways, from on-line ordering of goods and services, to the provision of information for investors, creditors, analysts and other interested users. This IFAC staff paper deals with the use of the Internet to provide financial information about an enterprise through that enterprise's corporate web site. It describes control considerations when an enterprise uses the Internet for communicating with investors, creditors, analysts and other interested users, and how management might implement such controls.

Status

2. In November 1999, the International Accounting Standards Committee (IASC) Staff issued a Discussion Paper, Business Reporting on the Internet, which discussed various aspects of reporting financial information on the Internet. This document builds on the November 1999 Discussion Paper and has been prepared by the staff of the International Federation of Accountants (IFAC), with the co-operation of the staff of the IASC, in consultation with interested parties. It has not been approved or otherwise reviewed by IFAC or any of its committees and, therefore, does not necessarily represent the views of IFAC or any of its committees. Consequently, this document does not have the status of a document issued by one of IFAC's committees.

3. This staff paper is issued to stimulate discussion regarding issues faced by enterprises that, in addition to communicating financial information through the traditional paper medium, also choose to communicate financial information on their corporate web site. In the future, as the web supersedes and complements paper, there is a need to establish a reliable model to identify the source of information and ensure its integrity. The underlying principles of such a model need to be defined together with recommended protocols designed to ensure global compatibility. This staff paper does not address this topic; rather it is intended to provide guidance for enterprises that choose to supplement their paper reporting with reporting on their corporate web site.

4. Readers are encouraged to provide comment on these issues. IFAC staff will review the responses received to determine whether any of the issues raised should be referred to any of the IFAC committees for consideration.

Responsibilities of Directors and Management

5. Reporting financial information is a highly developed area and has achieved some level of consistency in the information provided and how it is reported. There is an established body of guidance and standards in most countries in the world, which (by and large) addresses an environment in which the financial information is printed on paper. In this traditional environment, the parties involved know and understand their roles and responsibilities. Those who have responsibilities in the traditional environment have similar responsibilities when the information is also communicated by the Internet, and ultimately the interest is the same: to ensure high-quality, transparent financial reporting, on the Internet or otherwise.

6. Corporate governance is the supervision, control and direction of an enterprise's business and affairs by its board of directors¹ and, by delegation, its senior management. It includes the means by which governance responsibilities are fulfilled and accountability is achieved, the processes used to ensure that an enterprise will operate in a safe and sound manner and comply with applicable laws and regulations, and the processes used to gather, evaluate and communicate financial and other information and to monitor and assess an enterprise's performance.

7. Many countries have developed principles of corporate governance as a point of reference for the establishment of good corporate behavior. There is no single model of good corporate governance. Board structures and practices vary from country to country. A common principle, however, is that the entity should have in place a governance structure which enables the board to exercise objective judgment on corporate affairs, including financial reporting, independent in particular from management.

¹ This guidance uses the term "board of directors" to mean that body within an enterprise that is elected by the shareholders having a responsibility to oversee the conduct of the business and to monitor management and to endeavor to ensure that all major issues affecting the business and affairs of the enterprise are given proper consideration.

8. In its Principles of Corporate Governance, the Organisation for Economic Cooperation and Development states that a corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company. The Internet can assist management to meet this objective. However, as with communication in other media, it is important to establish proper governance and control procedures to ensure that only authorized information is disseminated and that the information that is available on the enterprise's corporate web site has not been altered without authorization.

An Internet Reporting Policy

9. As with financial reporting in the traditional paper environment, there are many decisions that need to be taken to ensure that there are effective controls and procedures for the provision of financial information on the enterprise's corporate web site. The directors and senior management need to ensure that any financial information provided has the same integrity as that published in paper form.

10. Management has a responsibility to determine how the enterprise's corporate web site will be used to provide financial information, what information is to be provided, the format of such information and when it will be provided. These decisions should be formulated into an approved policy that is published on the enterprise's corporate web site so that users are aware of the enterprise's approach to the provision of financial information on the enterprise's corporate web site. Management may wish to take legal advice when considering and formulating this policy.

11. A published policy to which the enterprise is committed to adhere enables a consistent approach to the provision of financial information on the enterprise's corporate web site, improves efficiency, increases the information's utility to investors and stakeholders and decreases the opportunity for accidental breaches of companies and securities legislation.

POLICY - MATTERS OF PRINCIPLE

12. The enterprise's policy on the provision of financial information on the enterprise's corporate web site would normally include consideration of the following matters:

(i) The type of information to be provided
Currently, some enterprises provide only annual and interim financial statements on the Internet, while some enterprises view their corporate web sites as an integral part of their communications strategy and provide not only annual and interim financial statements, but also analysts' briefings, experts' reports on aspects of their operations and press statements from senior management, and provide for webcasts and other interactive facilities. Management has a responsibility to determine what information is provided on the enterprise's corporate web site, weighing the need for transparent reporting, full disclosure and equal access to information against the cost of maintaining the information in a secure manner.

(ii) The involvement of the auditor
Management should discuss and agree with the auditor the extent to which audited information will be included on the enterprise's corporate web site.

(iii) In what format information will be provided
Management needs to determine the format in which data will be provided, assessing the trade-off between the utility of the information provided and the security and integrity of that data. The Internet provides several different ways for an enterprise to provide data, each having varying levels of security. These issues are discussed further below.

(iv) When information will be provided
Management needs to determine when information will be posted to the enterprise's corporate web site, and whether notification should be given (for example, by an automatic message to registered users).

(v) The approvals necessary before information is provided
Management needs to develop approval processes governing the release of financial information on the corporate web site.

POLICY - PRACTICAL ISSUES

13. The policy should ensure that the enterprise's corporate web site distinguishes clearly between information that has been audited and information that has not been audited. The appropriate mode of differentiation will be dependent on the electronic format selected, and the nature and extent of other information presented on the web site.

14. The policy should consider how the enterprise distinguishes information subject to securities and market regulation, such as statutory information, filings with companies and securities regulators, press releases, etc. If the enterprise is listed in more than one jurisdiction, the policy should consider each set of securities regulations to which it is subject.

15. The policy should address how information intended to supplement financial information, such as press and analysts' briefings, is distinguished from other information and items of a promotional or marketing nature, which may not be as robust. Certain non-financial information, such as press releases, speeches by officers of the enterprise, media briefings, etc., may assist investors and others to understand the background to financial information released by the enterprise.

16. The policy should address the maintenance of any hyperlinks to third party Internet sites, for example, financial analysts following the enterprise or its sector. Given the subjectivity of choosing one third party over another, the policy should state that such links will be maintained and not changed frequently. For example, if management has historically linked its corporate web site to that of a particular analyst, that link ought to be maintained even if the analyst's opinion of the enterprise becomes neutral or negative.

17. Management should consider carefully before establishing a hyperlink to a third party site that contains analyses based on financial information provided to the public by the enterprise but which it has not prepared itself. In particular, management should consider what warnings or disclaimers are necessary to warn users that they are leaving the enterprise's web site. For example, procedures might be implemented to generate a warning to users to the effect that "by following these hyperlinks you are leaving the enterprise's corporate web site. The enterprise neither endorses nor adopts the information in the linked site. The link is provided for general reference purposes only," or similar words. It may be appropriate to seek legal advice before establishing such links.

18. The policy should address whether third party analyses and other information should be included directly in the enterprise's web site. Including such information directly in the enterprise's web site runs the risk of confusing investors and other users about the enterprise's involvement in its preparation and the degree of credibility and reliability users should attach to it. Where the enterprise does include third-party analyses and information directly in its Web site, it should clearly identify the information that the enterprise did not create and state the source of the information. However, such disclaimers might not prevent the courts and/or securities regulators from considering the information as being adopted or endorsed by the enterprise.

19. The policy should address the frequency of changes to financial information provided on the enterprise's corporate web site. In addition, there should be included in a prominent location on the web site a statement to the effect that the directors and management have exercised their best endeavours to ensure that the data provided is accurate and is maintained in a secure environment, and that any breaches of this security are investigated and remedial action taken as quickly as possible.

POLICY - CONTROL ISSUES

20. When considering its policy, management should address the following controls:

(i) Authority of information
The enterprise should ensure that it has controls over the approval of financial information provided on its corporate web site and that such controls are effective. For example, the enterprise may choose to make real time information, such as day's sales, available on its corporate web site. Controls need to be in place to ensure that such information is appropriate before it is provided on the enterprise's corporate web site.

(ii) Security of information
In establishing control procedures over financial information provided on its corporate web site, the security framework implemented to manage the security of information included in the enterprise's corporate web site should be considered. The purpose of this framework would be to ensure that the risk of unauthorised alteration of data on the enterprise's corporate web site is reduced to an acceptably low level. A security framework may include an information security policy, information security risk assessment, the technology architecture acquired and maintained to support business applications, and the installation, security and control of system software including change and maintenance controls. The security infrastructure is particularly important when external parties are able to access the enterprise's system via the Internet (for example, when financial information is available for analysis using XBRL (eXtensible Business Reporting Language) or other reporting languages).

(iii) Enterprise contact
The enterprise's web site ought to indicate clearly from where users can obtain further information in electronic or written form. This should include contacts, telephone and fax details and other information such as postal addresses.

Other Considerations

MANAGEMENT'S RESPONSIBILITIES FOR CONTENT

21. Management should implement controls and procedures to ensure that financial information included in an enterprise's web site is and remains accessible. The following matters should be considered:

(i) Stability
Controls and procedures are necessary to ensure that all pages containing financial information can be identified and that users are able to bookmark and return to data on repeated occasions. Management should consider these needs in relation to its policy on retention of data.

(ii) Changes in the information
Management should establish controls and procedures to ensure that financial information provided on the enterprise's corporate web site is the same as that approved for release and that no alterations are made subsequent to its being made available.

(iii) Retention of financial information
Management should establish retention policies for classes of financial information on its web site and design controls to ensure that information that is stale is removed. Some financial information is of continuing use to investors, analysts and other users. Management should consider the extent to which it wishes to retain prior periods' financial information on the enterprise's web site for such purposes. In particular, management should ensure that prior period financial information is dated clearly so that users are aware that more current financial information is available.

(iv) Changes in accounting policies
When a change in accounting policy is made (either as a result of a new accounting standard or as a result of a voluntary change), comparative information in financial statements may be required to be restated. Management should consider the disclosures necessary to inform users of financial information on the enterprise's corporate web site of the extent to which financial information issued in periods prior to the accounting change has been restated to reflect the change. Restated information should be subject to the same review and approval procedures and controls as other financial information included in the enterprise's web site.

TIMELINESS

22. Management should establish procedures to ensure that information releases are dated so that investors and others know how recent the information is and can assess its relative importance.

23. Many jurisdictions require publicly traded enterprises to release to the market, on a timely basis, any information in their possession that could reasonably be expected to affect the pricing of their securities. This requirement extends to information that might have a negative impact on the enterprise as well as that which is expected to have a positive effect. This requirement helps to ensure that the market has access to all information and that all investors are treated equally and fairly. Management should establish controls and procedures to ensure that financial information is provided on the enterprise's corporate web site only after securities regulations have been satisfied.

CONTENT - FINANCIAL INFORMATION

24. (i) Access to the Auditor's report
Management should implement procedures to ensure access to the auditor's report. This might be accomplished in several ways, including reproducing it in full and identifying clearly the financial information provided by the enterprise on its web site subject to the audit opinion, or by providing a link to the auditor's own web site.

(ii) Annual Report
It is preferable if the entire annual report is available on the enterprise's web site. However, should an enterprise wish to post only the annual financial statements, details of how the full annual report may be obtained should be provided.

(iii) Interim Financial Report
Management should provide the interim financial reports on the enterprise's web site. Controls and procedures similar to those required for information from the annual report would be appropriate. Where the interim financial report has been audited, this fact should be disclosed.

(iv) Other Financial Information
An enterprise may also make available financial information that is more or less detailed than that contained in its annual financial statements or interim financial report. This information may be more highly aggregated, more disaggregated or presented differently from the data that is in the annual financial statements or interim financial report. This additional data ought to be reconciled to amounts reported in the financial statements.

SECURITY

25. In hard copy reporting, information remains static. In contrast, electronic reporting occurs in an environment which allows all or part of a report, once published, to be updated or replaced without it becoming apparent that a revision has occurred. This dynamic environment on a web site makes it easier for inaccurate information to be included. Inaccurate information could potentially be added by:

(i) an employee of the enterprise who is not fully aware of the consequences of amendments;
(ii) an employee of the enterprise who deliberately makes misleading and inaccurate amendments; and
(iii) a person outside the enterprise who is able to access the web site and alter the information presented.

26. In the absence of appropriate security measures, information on the enterprise's web site might be changed or manipulated without the knowledge of the enterprise. Therefore, management is responsible for implementing an appropriate security infrastructure and control procedures to ensure, as far as possible, not only that changes are properly authorized but also that all changes can be detected and monitored. Management's responsibilities are not diminished when the enterprise uses a third party to maintain its web site; that is, even though the maintenance of the web site has been put in the hands of a third party, management cannot outsource its responsibilities.

27. To protect the integrity of the information presented on the web site, management should address the following security and control issues:

(a) responsibility for public release of financial information;
(b) the security controls to prevent and detect unauthorized changes to financial information on the enterprise's web site; and
(c) the planning, construction and maintenance of the enterprise's web site.

28. Users of financial information reported electronically by an enterprise may presume that the enterprise is taking legal responsibility for the accuracy and completeness of financial information made available on its web site. For this reason, an enterprise should monitor such information to ensure that no breaches of security have occurred.

29. Languages
An enterprise may wish to provide translations of its financial information as a convenience to investors. Where it does so, the enterprise ought to state clearly whether the translations are equally authoritative or whether the financial information prepared in a particular language should be considered to be the primary financial information, with the other languages being essentially translations for convenience.

30. Usability

(i) Downloads
Management should consider procedures for the provision of key data in a format that may be downloaded for off-line analysis. This information should include, as a minimum, the statutory filings made with the securities regulator by the enterprise in its primary jurisdictions.

(ii) Change notification
Management should consider establishing procedures to inform interested users of significant changes to the web site. This could be achieved by offering an electronic mail notification service and/or by providing a date order listing of changes to the site.

Conclusion

31. Financial reporting in the traditional printed paper environment is well established and generally highly developed. Many of the issues associated with the traditional paper environment are also relevant when enterprises choose to supplement their paper reporting with reporting on their corporate web site. This paper raises issues that need to be considered to ensure that financial information on an enterprise's corporate web site has the same integrity as that published in paper form.