Dr. Saeed J. Roohani Bryant College Research monograph funded by: Pric - PDF document

Dr. Saeed J. Roohani Bryant College Research monograph funded by: PricewaterhouseCoopers LLP Trust and Data Assurances The Role of Technology SolutionsMarch 2003 rust and Data Assurances in Capital Markets: The Role of Technology SolutionsResearch monograph funded by: PricewaterhouseCoopers LLPEdited by: Dr. Saeed J. Roohani (Bryant College) SmithÞeld, RI 02917 or e-mail: sroohani@bryant.eduMarch 2003Opinions, views, and conclusions expressed in this monograph are those of the editor and contributors. They may differfrom views of PricewaterhouseCoopers LLP and Bryant College. Foreword. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1XML, XBRL, and The Future of Business and Business Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3A commentary by Ron Weber (The University ofQueensland)The Supply and Demand for Continuous Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . 7James Hunton (Bentley College),Arnie Wright (Boston College) and Sally Wright (University ofMassachusetts Ð Boston)Assurance Reporting for XBRL: XARL (eXtensible Assurance Reporting Language) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17J.E.Boritz and W.G.No (both at University ofWaterloo)Demand for Data Assurances in Electronic Commerce: An Experimental Examination of a Web-Based Data Exchange Using XML. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Andreas I.Nicolaou,Alan T.Lord and MS.Li Liu (all at Bowling Green State University)Transaction Agents in eCommerce, A Generalized Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Rob Nehmer (Berry College)The Implications of Economic Theories and Data Level Assurance Services: Research Opportunities. . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Eric E.Cohen (PricewaterhouseCoopers),Barbara Lamberton (University ofHartford),and Saeed Roohani (Bryant College) ewordFOREWORD1The accounting profession is facing many challenges andopportunities in the 21st century.For more than 100 years ofserving the capital markets,trust and knowledge have beenthe guiding principles ofthe profession.While informationtechnology (IT) has introduced enormous complexity to thebusiness environment and signiÞcantly increased the speedofbusiness processes,it has also increased expectationsamong investors and creditors for more timely businessreports to help with decision making.The existing Þnancialreporting system needs to catch up and live up to new expectations.Overall,reporting that provides real-time reporting ofbusiness information may have a signiÞcant value to business information customers but it can be a burden to traditional accounting systems.For example,revenue recognition in an e-commerce transaction relies heavily oninformation technology because the ownership ofgoods and services are transferred,recorded,and reported in afraction ofa second.As a result,matching revenues withrelated expenses for a period,which is essential for properrecording and reporting oftransactions,presents challengesto the accounting system.The 21st century will be Þlled with surprises and innovations in measuring,recording,and reporting ofbusiness activities,that respond to the needs ofa variety ofbusiness information customers.Information communi-cation technologies such as eXtensible Business ReportingLanguage (XBRL) can play a major role in delivery oftimelybusiness information and respond to the needs ofvariousentities or professionals who produce and use business information.In time,there will be a grater demand forassurance services on such business information.Whenbusiness reporting and assurances on business informationapproach real-time on the Internet,there will be a need foradded security,privacy,and authentication schemes oftheinformation communication technology to establish trust inglobal business information markets.The speed ofInternet and emerging information technologies most likely will not impact elements oftheaccounting equation:assets = liabilities + ownersÕequity(revenues Ð expenses).More frequent reporting ofthese elements,however,will be dependent on the informationcommunication technology innovations.Reporting thatapproaches real time reporting may also break the existingperiodicity barrier in the accounting world,potentially making quarterly and annual reporting less desirable fortimely decision-making purposes.It took the accountingprofession and the Security and Exchange Commission(SEC) a few years to Þnally supplement the annual Þnancialstatements report with more frequent reports called quarterly reports because the literature suggested that quarterly Þnancial statements have information content thatis useful for capital markets efÞciency.When businessreporting that approaches real-time reporting becomes areality,investors,creditors,and regulators will expect theaccounting profession to extend its current services toinclude more frequent assurances on vital business information in the capital markets.Overall,the accounting profession has a long and successful history ofproviding accounting and auditingservices that have contributed to the enormous size andintensity ofthe todayÕs capital markets.In the 21st century,advances in information technology will cause public expectation for more frequent (continuous) business reporting,and when the demand is there,the accountingprofession will be expected to provide more frequent (continuous) assurance services on such reports.Also,various levels ofassurances as well as assurances on certainaccounts or data level will be demanded in the future.Articles in this monograph feature the new opportunitiesin business information reporting and assurances,and therole ofthe information communication technology solutionssuch as XBRL.Each paper was peer reviewed by two externalreviewers.I would like to thank authors and all anonymousreviewers.My special thanks and appreciation to Pricewater-houseCoopers LLP,for making this monograph possible bytheir Þnancial support.Finally,I am indebted to Eric E.Cohen and Mike Willis,who introduced me to XBRL,for their support and dedication to the profession andaccounting education.Saeed J.RoohaniBryant College XML, XBRL, and the Future of Business and Business ReportingRon WeberThe University ofQueenslandXML,XBRL,ANDTHEFUTUREOFBUSINESSANDBUSINESSREPORTING3©2003The eXtensible Markup Language (XML) is a languagethat deÞnes a set ofcodes or tags that can be attached to textto deÞne the meaning ofthe text.XBRL is a variant ofXML speciÞcally,designed to provide the semantics oftextassociated with business reporting.Both are designed to help achieve the goal ofinteroperability.In other words,oneorganization should be able to exchange data and use theinformation system services provided by another organiza-tion independent ofthe technology platforms that both use.Potentially,XML and XBRL will have a major impact on the way businesses operate and the way reporting isundertaken in future.I am delighted,therefore,to see thepublication ofthis monograph in which some colleaguesaddress the impact ofXML and XBRL on business.Whilethey address the potential generalimpact ofXML and XBRLon business,the monograph has a particular focus on theconsequences ofXML and XBRL for business reporting.Given the prominence ofbusiness reporting within manynational economies and the global economy overall,thismonograph is timely and important.It lays a valuable foun-dation for us to better understand the ways in which busi-ness reporting is likely to evolve and the issues we need toaddress ifthe adoption ofthese technologies is to be cost-effective.In this briefintroduction to this monograph,I hope to whet the readersÕappetite for the feast that follows.SpeciÞcally,I wish to offer some briefreßections on how I believe XML and XBRL might impact four major stake-holders (Figure 1):businesses,investors,regulators,andresearchers.The remaining papers in this book tease outthese reßections in more detail.FIGURE1:XML,XBRL,ANDMAJORSTAKEHOLDERSPotential Impact of XML and XBRL onBusinessesMuch ofthe excitement surrounding XML originatesfrom the idea that businesses will be able to capture the beneÞts that arise from specialization in the provision ofinformation systems services.To take a simple example,assume that we need a computer-based,shop-ßoor controlsystem ifour business is to compete effectively in the marketplace.At present,the most-likely solution we wouldadopt is to either develop our own system or purchase (andperhaps adapt) packaged software such as an enterpriseresource planning (ERP) system.In an XML environment,however,the notion is that we would capture data about our shop ßoor and transmit it in XML format to a serviceprovider to obtain the processing and reporting function-ality we require.In short,we would outsource many oftheinformation systems functions that previously we wouldhave performed in house.As the argument goes,the serviceproviders would reap the gains from economies ofspecial-ization,scale,and scope.Businesses would capture some ofthese beneÞts through competition among the serviceproviders.My own view is that XML is taking us down a familiartrack Ð namely,the outsourcing track.Given the increasingcomplexity ofthe information systems and reporting activi-ties that businesses now must undertake,it is easy to see thatXML offers some attractive possibilities for many managers.We know from sometimes-bitter experience,however,that outsourcing ofinformation systems activities is fraughtwith problems.Ifa business decides to use XML essentiallyto outsource its information systems processing and report-ing activities,it ought to carefully consider the followingsorts ofquestions:1.How integral are the processing and reporting capabilities to the core competencies ofthe business? Will use ofXML to outsource these activities to a service provider fundamentally undermine these corecompetencies ofthe business over time?2.What will happen ifthe particular service market on which the business relies ends up as an oligopoly or monopoly? Will a Òhold-upÓsituation arise in which the service provider can extract ÒrentsÓfrom the business? 3.Can the business place reliance on the service providerÕs system ofinternal control? What implica-tions will reliance on the service provider have on the conduct ofthe businessÕs audit?4.As more businesses place reliance on the service provider,will the service provider increasingly become a target for attack by malicious parties? For instance,will hackers attempt to perpetrate denialof-service attacks with a view to blackmail the service provider or impact the share price ofthe service provider or the businesses that rely on the service provider?Besides the outsourcing possibilities that XML offers,some businesses may be attracted to it because ofthe ßexibilityit provides.For example,mergers and acquisitionsshould be easier to effect ifthe businesses involved operatein an XML environment.Some problems that arose previ-ously during attempts to integrate disparate informationtechnology platforms should be mitigated.Similarly,internalreorganizations are likely to be easier to effect because theyare less constrained by incompatible information technologyplatforms.On the other hand,businesses that operate in an XML environment become more amenable to takeover.They have fewer barriers in place to prevent a takeover.Relative to XML,my view (at least for the moment) isthat the effects ofXBRL on business will be somewhat moremuted.Recall,XBRL is intended to provide a standardizedlanguage to facilitate business reporting.For large businessesthat cross business-reporting jurisdictions,advantages oughtto accrue because disparate business reporting proceduresare easier to integrate.The existence ofXBRL is also clearlymotivating regulators in different business-reporting jurisdictions to seek standardization ofthe ways in whichthey ask businesses to report.For smaller businesses thatoperate within a single business-reporting jurisdiction,how-ever,the advantages ofusing XBRL at this time are not clear.In the short run,all businesses are likely to incur highercosts as they add XBRL capabilities to their existing infor-mation systems to enable them to comply with regulationsthat require them to report in XBRL format.In this regard,a number ofsoftware vendors are now seeking to reduce theadaptation costs that their customers will incur by makingtheir packages XBRL-compliant.This move is occurringamong vendors ofsoftware meant to support large-sizedbusinesses as well as among vendors ofsoftware meant tosupport small- to medium-sized businesses.The existence ofXBRL is also likely to motivate regulators and investors to place increased pressure on businesses to provide continuous reporting oftheir Þnancial position.At least in the short run,responding to this pressure is likely to resultin businesses incurring higher costs.In the longer run,perhaps XBRL will reduce the costs of(a) compliance with reporting regulations and (b) data-quality assurance services (e.g.,audits).As reporting anddata-quality assurance processes become standardized,economies ofscale and scope will accrue.In the longer run,also,perhaps XBRL will enable businesses to communicatemore effectively with Þnancial markets,thereby reducingtheir cost ofcapital.Both XML and XBRL facilitate the operations ofbusinessintermediaries.For example,consider a business that operates a Web site that enables hotels to sell rooms that otherwise would be unoccupied.As a particular date getscloser and a room remains unoccupied,a hotel offersincreasing discounts on the room.Customers using the Web site can take advantage ofthe discount offered.The Web site provider charges a small fee on each transaction.The Web site provider has to capture information continuously from many hotels on the availability and price ofhotel rooms.It must interact with many disparateinformation technology platforms.At the same time,it mustcontinuously provide information on purchases ofrooms by customers using the Web site and reports that enabletransaction settlement between the Web site provider andthe hotels to be affected.The hotels might also demandreports that enable them to evaluate the value oftheir business relationship with the Web site provider.To theextent exchanges ofinformation can occur within an XMLand XBRL environment,costs are minimized.Initially,it was predicted that the Web and the Internet would lead todisintermediation Ð that is,customers and suppliers wouldinteract directly with each other rather than via an interme-diary.There is already evidence to show,however,that intermediaries still have a place within a Web and Internetenvironment (e.g.,the existence and success ofWeb-basedauction providers).XML and XBRL may facilitate thereemergence ofintermediaries as important actors withinsome types ofmarkets.The more general problem facing businesses is the kindofbusiness model they should choose as the basis for theiroperations in an XML and XBRL environment.For example,are we likely to see a growth in direct-to-consumere-business models because XML and XBRL facilitate interoperability between information technology platformsofa business and its consumers? Alternatively,are we likelyto see e-business models that rely on intermediation begin to dominate because intermediaries can focus more onbringing sellers and buyers together and less on the ,XBRL,ANDTHEFUTUREOFBUSINESSANDBUSINESSREPORTING5difÞculties associated with lack ofinteroperability acrossinformation technology platforms? For the moment,thetypes ofbusiness models that are likely to emerge as mostcost-effective are somewhat unclear.For managers,however,continually discerning which business models are likely to bemost appropriate for their businesses and positioning theirbusinesses to be able to implement these business models areimperatives.Otherwise,the proÞtability oftheir businessesmight be undermined severely and quickly.Their businessesmight also become the focus ofa hostile takeover bid.Potential Impact of XML and XBRL onInvestorsI suspect that investors will view XML and XBRL like anyother innovation.To the extent XML and XBRL are expectedto be value-increasinginnovations in a business,investorswill mark the businessÕs share price upwards.For instance,investors will have a positive view ofXML and XBRL iftheyperceive that use ofthese markup languages will enable thebusiness to operate more efÞciently or better leverage its corecapabilities.To the extent XML and XBRL are expected to be value-decreasinginnovations in a business,however,investors will mark the businessÕs share price downwards.For instance,investors will have a negative view ofXML and XBRL ifthey perceive that use ofthese markup languages will lead to a loss ofcore competencies by a business over time.Because XML and XBRL are important innovations,investors need to understand the nature and possible implications ofthese markup languages for the businesses in which they invest.On the one hand,XML and XBRL maycreate markets and opportunities that previously did notexist.On the other hand,XML and XBRL create more complex and dynamic business environments,which areoften the downfall ofuninformed or unwary investors.Likemanagers,investors must be able to predict the impact thatXML and XBRL will have on business models.Moreover,investors need to evaluate carefully how well businesses have assimilated the business models that are best suited toan XML and XBRL environment into their own operations.Otherwise,they may make poor investment decisions.Potentially XML and XBRL will lay the foundation forconßicts between investors and businesses.Increasingly,investors (especially institutional investors) are demandinggreater amounts oftimely,high-quality information frombusinesses.Given the technology that is now available,some investors argue that businesses should report continuously on their operations.XML and XBRL facilitatesuch reporting.By enabling capture,integration,processing,and reporting ofdisparate information in common formats.Nonetheless,many businesses are reluctant to report on acontinuous basis.Managers argue that they must be able tocontrol the nature and timing ofreporting,at least to someextent.Otherwise,competitors may acquire important infor-mation that will disadvantage their businesses.Investors alsomay make inappropriate decisions because they lack fullknowledge ofthe context in which the businesses are operating.On the basis ofprior research,we also know that man-agers seek to manage the ßow ofinformation about theirÞrms for their own,as well as their ÞrmsÕadvantage.As XMLand XBRL reduce barriers to continuous reporting by busi-nesses,therefore,presumably some type ofequilibrium willemerge.The demands ofinvestors will be balanced againstthe demands ofbusinesses.Ofcour,regulators will alsohave their say on what constitutes an appropriate equilibriumreporting position.Potential Impact of XML and XBRL onRegulatorsIn many countries,regulators concerned with businessreporting have already shown a keen interest in XBRL.Many are participating in the development ofXBRL and the dissemination ofknowledge about XBRL.For regulators,XBRL offers at least two major beneÞts.First,it reduces the costs associated with their obtaining andassimilating information from businesses.Regulators are notforced to reenter information or expend resources on dealingwith the problems that arise as a result ofincompatibilitiesbetween their own information technology platforms andthose ofthe businesses that fall within their jurisdiction.Second,the existence ofXBRL allows them to argue morestrongly for the standardization and harmonization ofinter-national business reporting standards.Use ofXBRL miti-gates some ofthe costs that businesses would otherwiseincur in complying with such standards.Thus,any argu-ments made by businesses against proposed standards onthe basis ofthe costs ofcompliance are undermined.Relative to XBRL,my perceptions are that regulators areless interested in XML,except to the extent that XBRL is avariant ofXML and thus must conform to XML standards.This situation might change,however,ifgreater use ofXMLleads to the emergence ofservice providers that specialize inproviding systems that will allow businesses to comply moreeasily with local and international reporting standards.Suchservice providers have an incentive to see regulators extendand enforce business reporting standards.Regulators alsomight prefer dealing with a smaller group ofstakeholders whose interests are more aligned with their own.Moreover,regulators can also argue that businesses can reduce the costsofcomplying with business reporting standards simply byusing the service provider to prepare their reports.Regulators are likely to be interested in the potentialimprovements in data quality and assurance services thatarise in an environment where XML and XBRL are used.Presumably,over the long run,only the most cost-effectiveservice providers will survive in the marketplace.To theextent businesses use these service providers for their information processing and business reporting,higher-quality data and reports should result.XML also facilitatesthe emergence ofspecialist service providers in the areas ofassurance and audit.Businesses can transmit their data tothese service providers to have its quality assessed.XBRL,in turn,allows business reports to be tagged to indicate whatelements have been subjected to assurance services (e.g.,byan auditor).Links might also be established to Þles contain-ing the evidence associated with particular assurance tags.Potential Impact of XML and XBRL onResearchersMuch accounting and Þnance research now relies on theexistence oflarge databases ofÞnancial information.Thedevelopment and maintenance ofthese databases is oftencostly because ofincompatibilities between data formats andinformation technology platforms.As a result,data is oftenincomplete,inaccurate,and out ofdate.Some data also cannot be accessed and processed in cost-effective ways(e.g.,free-form text in annual reports).XBRL ought to enable the construction ofmore-extensive,higher-quality,less-costly databases ofÞnancialinformation.For instance,as indicated above,data-qualityassurance activities should be easier to undertake,and disparate data and text should be easier to integrate.In addition,the existence ofXML might lead to the emergenceofservice providers that mine and undertake experimentsusing this information at the behest ofcustomers who areresearchers.As specialists,these service providers might beless prone to errors in the conduct ofexperiments and better able to exercise control over the quality ofdata used in experiments.Overall,XBRL and XML should facilitate the conduct ofresearch,which hopefully will lead in duecourse to more efÞcient operations in Þnancial markets.A Few ConclusionsIn my briefcomments above,I hope that I have givensome sense ofthe potential impact that XML and XBRL will have on the way businesses might operate and report,and the ways that trust and assurance services might evolve.The papers that follow delve more deeply into the issues Ihave raised.They also canvas other issues that I have notaddressed.All highlight the rich array ofopportunities thatnow confront us as practitioners and researchers.All alsohighlight some pitfalls we should seek to avoid.I commendthe papers to you for your careful reading.AcknowledgementsI am indebted to Peter Green and Saeed Roohani forhelpful discussions on the topics canvased in this paper and comments on an earlier version ofthis paper. SUPPLYANDDEMANDFORCONTINUOUSREPORTING7©2003The Supply and Demand For Continuous ReportingJames HuntonArnie WrightSally WrightBentley CollegeBoston CollegeUniversity ofMassachusetts - BostonAbstractWith todayÕs dynamic business environment there areincreasing calls for more frequent Þnancial reporting to ensure investors,bankers,and other users have access to timely information to make informed decisions.Further,recentadvances in information and communication technology (ICT)infrastructures such as enterprise-wide systems,wide-area,high-bandwidth networks and XBRL (eX tensible B usinessR eporting L anguage) make it feasible to do so.Nonetheless,we have yet to see a groundswell ofÞrms voluntarily providingmore frequent monthly,daily,or continuous Þnancial disclo-sures,raising the obvious question ofÒwhy?Ó.In this paper,wereview factors affecting the supply and demand for continuousreporting (CR) and identify issues that promote or inhibit the implementation ofCR.Accordingly,we consider the information economics perspective,the effect ofCR on companiesÕabilities to manage earnings,potential costs ofdisclosing Þrm proprietary information,the likely effects ofCR on capital market behavior,litigation exposure,and relatedconsiderations associated with continuous assurance.I. IntroductionThe objectives ofthis article are to examine supply anddemand factors associated with continuous reporting (CR)and to identify issues that might promote or inhibit theimplementation ofCR.With respect to the time it takes to process and report economic events,deÞnitions ofCRrange from nanoseconds to months.Regardless ofwhere CR eventually falls along this spectrum,one outcome seems inevitable.Ifthe accounting profession does not takeproactive steps aimed at increasing the timeliness ofbusinessreporting,decision makers will search elsewhere for relevantinformation.Recent advances in information and communi-cation technology (ICT) infrastructures provide the meansto meet the ever-increasing demand for more rapid process-ing and reporting ofeconomic events,thereby diminishingor at least constraining the value ofthe profession to information consumers.Technology is no longer the binding constraint ofCRimplementation,as recent advances in information and communication technology (ICT) infrastructures providethe means to meet the ever-increasing demand for morerapid processing and reporting ofeconomic events.Forexample,continuous delivery ofcustomized and standard-ized external reporting is now possible through enterprise-wide systems,wide-area,high-bandwidth networks,andXML (eX tensible M ark-up L anguage).In particular,XMLand its accounting offspring XBRL (eX tensible B usinessR eporting L anguage) facilitate drill down,multiple rendi-tion,and data exchange reporting.Unlike Hypertext Mark-up Language (HTML),which merely deÞnes datapresentation,XBRL offers a richer form ofcommunicationby ascribing semantic meaning to data via tags and over-arching taxonomies (Hoffman and Strand 2001).Dend pressures and technological developments haveled the FASB (2000) and the SEC (2000a) to recognize theneed for and inevitability ofCR.IfCR is technologically feasible,why are most Þrms still publishing quarterly Þnan-cial statements rather than disseminating more frequent com-pilations? The following sections explore factors that provideincentives to either provide or not provide more continuousreporting,such as consideration ofan information economicsperspective,ßexibility to manage earnings,and potentialcosts ofdisclosing Þrm proprietary information.II. Information For EconomicsInformation economics provides a normative frameworkfor considering the value ofalternative information systems(Demski 1980;Demski and Feltham 1976;Feltham 1972).CR involves a fundamental change in the current informa-tion system,as it demands quicker processing ofeconomicevents and timelier reporting ofbusiness results.Informa-tion economics indicates that the evaluation ofalternativeinformation systems entails an economic,cost-beneÞt,trade-offdecision.Information holds the intrinsic potential valueofallowing individuals to revise their beliefs about the likeli-hood ofevents and states ofnature,and then to take appro-priate actions that will maximize expected utilities (payoffs).The overriding issue is whether the incremental beneÞts ofaproposed information system exceed the incremental costs. Incremental BeneÞts of CROne ofthe speciÞc information attributes consideredunder the information economics framework is timeliness,which in the context ofCR involves the reporting interval(the frequency ofreporting periods) and publication delay(the time to compile and distribute the information at theend ofa reporting period).Ifthe interval ofÞnancial report-ing is relatively long,there are likely to be events occurringduring the period ofwhich investors are not aware.Theextent to which this happens depends on the rate ofchangein the environment,which is very fast-paced in todayÕs highly dynamic marketplace.Thus,without current information,investors are unable to revise their beliefstates and take appropriate actions on a timely basis.As a result,long reporting periods and lengthy publica-tion delays can lead to signiÞcant changes in stock prices and portfolio mixes once information is released.Further,high uncertainty between reporting periods can result in signiÞcant information risk,for which investors are likely to compensate by demanding higher,stock-price premiumsand cost ofcapital for the Þrm (Botosan 1997).Finally,lengthy delays between reporting periods increase the riskthat individuals will seek insider information,as pressure forinsiders to Òwhisper in the earsÓofselect parties (i.e.,insidertipping) increases with longer reporting periods (SEC 2000).These factors reßect the primary reasons why the Þnancial reporting interval was shortened from an annualto a quarterly basis in the Þrst place.The same argumentsand expectations logically follow to even shorter reportingintervals,thereby suggesting that CR is likely to lead to betterinvestor decisions,less market price volatility,and a lowercost ofcapital.Financial reports are also relied on for internal decision-making.Hence,longer reporting intervals,for the reasonscited above,can sub-optimize managersÕdecisions ifthey do not fully incorporate contemporaneous changes in economic conditions on a timely basis.The timeliness ofinternal processing and reporting has accelerated consider-ably in recent years,particularly due to the advent ofcomplex enterprise-wide information systems such asE nterprise R esource P lanning (ERP) systems.Nevertheless,it is important to keep in mind that the development ofan Information and Communication Technology (ICT)infrastructure capable ofsupporting CR can beneÞt bothexternal and internal information consumers.It is difÞcult to place a precise number on the expectedbeneÞts ofimplementing CR,as there are many potentialrecipients and myriad ways to estimate beneÞts.Evidence ofthis value is provided by Rezaee and Hoffman (2001),whoÞnd that more than 80 percent ofthe public companies theysampled already voluntarily provide some type ofÞnancialdisclosure on the Internet,indicating that Þrms perceiveÔvalueÕin providing more timely information to externalstakeholders.Thus,there are indications that the potentialbeneÞt ofoffering CR to internal and external informationconsumers is in the positive category.We next consider thecost side ofthe equation.Incremental Costs of CRAs stated earlier,for an alternative information system to be adopted,incremental beneÞts must exceed incrementalcosts.Once a Þrm fully implements an integrated enterprise-wide information system,it is already capable ofcapturingand processing Þnancial and non-Þnancial information inÔnearÕreal-time;therefore,such Þrms need only to develop a method ofrapid reporting to the public.Converly,ifaÞrm operates a patchwork ofdisparate applications that do not (easily) communicate with each other (often referred to as legacy systems),there can be considerable time lags,timebetween information capturing,processing,and disseminating(internally and externally).Hence,thncremental cost ofdeveloping an ICT infrastructure capable ofhandling CRcan range from minimal to extensive.Once the infrastructure is in place and operating efÞ-ciently,costs associated with publishing (or pushing) Þrminformation on the Internet are fairly negligible,particularlywith the advent ofXBRL and ÔpushÕtechnology.In fact,thewhole reporting process can be reliably automated,therebyrequiring little human intervention.Costs associated withallowing stakeholders to interrogate or ÔpullÕinformationfrom the company database (with appropriate permissionsand restrictions) can be higher,yet not prohibitive.Hence,ifa ÞrmÕs ICT infrastructure is already in place,the incre-mental cost ofCR remains quite low.On the other hand,CR costs can be very high for Þrms with fragile and under-developed infrastructures.As depicted in Figure 1,the break-even point for Þrms withhigh-complexity ICT infrastructures is at a higher reportingfrequency than Þrms that currently have low-complexityinfrastructures.Over time,however,increasing demand for CR coupled with low-cost,powerful ICT may thrustreporting frequencies for all Þrms ever closer to real-time.Economic feasibility reßects one reason why CR is not moreprevalent in the marketplace.The next section discussesanother possible reason Ð the impact ofCR on earningsmanagement attempts. SUPPLYANDDEMANDFORCONTINUOUSREPORTING9FIGURE1Incremental BeneÞts and Costs ofContinuous Reporting For Firmswith Initial Low-Complexity or High-Complexity Information andCommunication Technology (ICT) InfrastructuresNotice that the break-even point with respect to reporting frequencyfor Þrms with initial low-complexity ICT infrastructures is less thanÞrms with initial high-complexity infrastructures.Ofcourse,over along time horizon,the break-even point will eventually move to higher reporting frequencies for initial low-complexity Þrms as theyabsorb the cost ofhigher complexity infrastructures.III. Quality EarningsQuality ofearnings is central to both the reliability and relevance ofexternal Þnancial reporting.Research evidence on stock-market reaction to earnings announce-ments indicates that investors consider earnings to be moreinformative and value-relevant than cash ßows,and theyprefer a smooth-time series ofincreasing income (Healy andWahlen 1999).Accordingly,some Þrms manage earnings tocorrespond with investorsÕpreferences (Burgstahler andDichov 1997;Degeorge,Patel,and Zeckhauser 1999).Additionally,since the capital markets reward companiesthat meet or beat analystsÕexpectations,some Þrms routinelymanage earnings to match such expectations (Brown 2002;Nelson,Elliott,and Tarpley 2002).The SEC,charged withoverseeing the reliability ofÞnancial reporting,recognizesthe pressures placed on public companies to satisfy investorsÕand analystsÕexpectations and frequently warns Þrms not to succumb (SEC 2000b).The issue ofearnings management is at the heart oftheconcept known as Ôquality ofearnings.ÕThat is,earnings aredeemed to be ofhigh quality ifthey faithfully represent theunderlying economic activity for the reporting period.Tothe extent that Þrms manage reported earnings away fromfair and truthful representation ofeconomic reality,qualityofearnings is compromised.To assess the potential impactofcontinuous reporting and related assurance on quality ofearnings,we need to understand how and why Þrms manageearnings.Earnings management refers to the selection ofaccounting estimates,accruals,disclosures,and choices thatbias reporting and,thus,do not accurately reßect underlyingeconomic activity (Healy and Wahlen 1999).Because suchissues involve human judgment,opportunities to manageearnings arise.For instance,estimates include the selectionofasset lives and salvage values,obligations for pension andpost-retirement beneÞts,and determination ofbad-debtlosses.Accruals can facilitate earnings management throughthe choice ofinventory levels and timing ofinventory ship-ments.Disclosures include judgments such as recognition ofpotential liabilities and R&D expenditures.Examples ofaccounting choices include the selection ofinventory (LIFO,FIFO,weighted average) and depreciation (straight-line oraccelerated) methods.Discretionary accounting judgmentscan,thus,be used to align reported earnings with investorand analyst expectations,thereby misrepresenting the trueunderlying economic picture.Earnings management may not,however,go unnoticedor unpunished,as some evidence shows that the marketreacts negatively when earnings management is detected or alleged.For instance,Þrms that were criticized in theÞnancial press for misleading Þnancial reporting practicessuffered an average drop in stock price of8 percent on publi-cation date (Foster 1979).Dechow et al.(1996) reported thatÞrms targeted by the SEC for allegedly managing earningsexperienced an average stock price decline of9 percent whenthe probe was announced.Despite the threat ofsanctions,why does the practice ofearnings management continue to persist?Research in the area ofcompensation contracts suggeststhat some managers liberally apply discretionary accountingjudgments to increase earnings-based bonus awards (Guidry et al.1999).Further incentives to manage earningsare rooted in valuation-based awards;that is,to the extentthat bonuses are tied to stock price valuations,managers are more likely to manage earnings when they anticipatereporting an earnings loss,earnings decline,or expectationsdisappointment (Burgstahler and Dichev 1997;Degeorge et al.1999).This is particularly important to upper-levelmanagers because positive investor reaction to reportedearnings is often associated with higher CEO cash compen-sation and a lower probability ofCEO dismissal (Murphyand Zimmerman 1993;Coughlin and Schmidt 1985).Thus,as long as managementsÕcompensation contractsare tied to improvements in reported earnings and stockprice valuations,earnings management attempts and Low-complexityenefit ofComplexity ICTReal-Time (Relative compression of continuous reporting time) = Breakeven Points practices are likely to continue.Since extant earnings management strategies have evolved within the context oftraditional periodic Þnancial reporting,how might CRchange the nature and extent ofsuch practices?Continuous Reporting and EarningsManagementInvestors and analysts are placing less emphasis on traditional Þnancial statements because such reports are not issued in a timely enough fashion to impact currentdecisions and do not include many non-Þnancial value drivers;hence,there is growing evidence ofa marketdemand for more continuous reporting coupled with moremeaningful disclosure ofnon-Þnancial information (Elliottand Pallais 1997).Regarding reporting frequencies,opposingtension may come from management ifthey deem that time-lier reporting will hinder their ability to manage earnings.Limited empirical evidence suggests that earnings management practices,which were initially considered to be a year-end phenomenon,exist on an interim basis.Forinstance,there is some indication that managers use workingcapital accruals at interim reporting periods to smooth earnings and exceed analystsÕforecasts (Defond and Park2002).Further,auditors claim to have been enlisted by clients throughout the year to help structure transactions to ensure Generally Accepted Accounting Principles (GAAP) compliance yet achieves desired earnings targets,thus suggesting that earnings management attempts occurfrequently (Nelson,Elliott,and Tarpley 2002).Hence,whilethere is some evidence ofcontinual earnings managementthroughout the year,at least on an interim reporting basis,questions remain with respect to how readily managementwill embrace continuous Þnancial reporting,even thoughrecent technological advances are quickly rendering tradi-tional reporting periods and formats obsolete.Resistance in this regard centers on the extent to which managementperceives CR will signiÞcantly reduce their ability to engagein discretionary earnings management activities.Ifmanagers fear that CR will severely restrict earningsmanagement opportunities by making it too difÞcult toswitch accounting estimates,accruals,disclosures,and choices from transaction-to-transaction without immediatedetection,their desire to voluntarily offer more frequentreporting might be dampened.As illustrated in Figure 2,there exists a theoretical inßection point somewhere alongthe time continuum where managementÕs desire to imple-ment continuous reporting drops precipitously.The upwardinßection point on the cost curve occurs where the perceivedincremental costs associated with the loss ofmanagersÕself-interests begin to overwhelm the incremental beneÞts provided to external users.A related CR factor potentiallyimpacting quality ofearnings is continuous assurances fromindependent parties.FIGURE2Incremental Cost ofContinuous Reporting Associated WithRestrictions on ManagementÕs Ability to Manage Earnings Continuous Assurance and EarningsManagementBoth the SEC and Public Oversight Board (POB) havevoiced concerns that assurers might knowingly enable their clients to manage earnings (SEC 2000c;POB 2000).As mentioned above,clients often ask auditors to help structure accounting transactions such that GAAP compliance and earning targets are simultaneously achieved(Nelson,Elliott,and Tarpley 2002).The issue here is notwhether continuous assurance will eventually accompanycontinuous reporting;rather,we are interested in the extentto which continuous assurance might impact the quality ofearnings.To answer this question,we should Þrst articulatethe notion ofcontinuous assurance.Propelled by continuing changes in technology,the auditing function is likely to change from the traditionalannual Þnancial statement opinion to an ongoing integratedset ofassurance services.Some assurances will be mandatedby statute,and others will be made available on a demandbasis (Vasarhelyi 2002).For instance,continuous assurancemight someday be provided on 1) the authenticity,integrity,and non-repudiation ofelectronic commerce transactions,2) internal controls over electronic commerce systems,3) Web site security,4) speciÞc Þnancial information,5) marketing intelligence,and 6) internet privacy,as well as GAAP-based Þnancial statements.Hence,the emergingcontinuous assurance model will encompass a much broader Witenefit of SUPPLYANDDEMANDFORCONTINUOUSREPORTING11set ofÞnancial and non-Þnancial information than currentlyoffered by the traditional audit.Importantly,continuousassurance will likely take a forward-looking,rather than historical,perspective.Toward this end,assurance providersare expected to continuously monitor clientsÕsystems andreport material exceptions as they arise (Kogan,Sudit,andVasarhelyi 1999).To the extent that real-time exception reporting offeredby continuous assurance includes changes in accountingestimates,accruals,disclosures,and choices,managementmight be reluctant to voluntarily adopt the continuous assurance model since earnings management attempts ofamaterial nature would be quickly identiÞed and immediatelyreported.One could argue that audit clients might seek theadvice oftheir auditors with respect to structuring account-ing transactions when attempting to manage earnings,whichwould lessen the likelihood that the auditors would reportsuch changes.Such economic pressure for auditors to ÔcooperateÕwith clients in this regard only works ifthe clientpays the auditor.However,ifthe continuous assurance model evolves such that external information consumers(e.g.,investors,creditors and governments) pay for speciÞcassurances,the picture changes dramatically.For example,investors might demand to know when material changes indiscretionary accounting judgments arise and be willing topay the auditors to promptly report such changes.Under thisscenario,the auditorsÕallegiance switches from the client tothe investor;therefore,the likelihood that auditors willreport earnings management attempts increases.All things considered,it would seem that managerswould not readily embrace continuous assurance on a volun-tary basis,as real-time oversight might hamper their abilityto manage earnings.Accordingly,the Financial AccountingStandards Board (FASB) and SEC need to consider the public interest aspect ofcontinuous assurance and decidethe nature and extent ofregulation in this regard.In a relatedline ofreasoning,another motivation for regulators,stan-dard setters,and investors to advocate CR to the public is toreduce,and hopefully eradicate,information asymmetry inthe marketplace,as next discussed.IV. Information AsymmetryBy providing decision-relevant information to all stake-holders simultaneously,violations ofinsider trading rulescan be averted,investor conÞdence in the capital marketsstrengthened,and informational opportunism by companymanagement minimized.The SEC took a major step forward in this regard when it issued Regulation FD (FullDisclosure),which is aimed at eliminating the selective disclosure ofmaterial non-public information to a discreteset ofindividuals,such as security brokers,institutionalinvestors,and Þnancial analysts (SEC 2000b).The SECÕs primary motivation for issuing Regulation FDwas that selective disclosure practices and insider trader tactics closely resembled one another.Yet,prior toRegulation FD,the former had been condoned while the latter was punishable under the anti-fraud provisions ofthefederal securities law.Thus,the SEC was concerned that toomany corporate managers were treading in murky watersbetween selective disclosure and insider ÒtippingÓ.Anothermajor concern ofthe SEC was that selective disclosureappeared to be eroding investor conÞdence in the integrityofthe capital markets.Such erosion can occur when,forinstance,investors observe a large swing in the price ofasecurity only to learn after the swing the reason(s) for theprice change.In this scenario,disadvantaged investors might question the extent to which they are equal players in the marketplace.A third worry ofthe SEC was that corporate management used selective disclosure as a meansofdispensing rewards and punishments to key marketplaceparticipants,such as Þnancial analysts and institutionalinvestors.For example,management would ÔwhisperÕinto the ears ofanalysts and investors who treated them favor-ably,while lowering the Ôcone ofsilenceÕaround those whoexpressed less optimistic views ofthe issuer.Additionally,selective disclosure could be used to enhance the value oftheÞrm by strategically timing the release ofgood and bad newsin ways that maximize the long-term beneÞts ofsubsequentreleases (Tan,Libby,and Hunton,2002).Regulation FD is a landmark development with respect to information asymmetry,as it attempts to level the playingÞeld for all capital market participants by taking informa-tional advantages away from closely knit groups and sharing material,decision-relevant information with thepublic (McCarthy 2001).The SEC notes that the environ-ment is ripe for the enactment ofRegulation FD,as recenttechnological advancements make possible the immediatedissemination and ubiquitous availability ofcorporate information directly to the marketplace without having torely on information intermediaries.The SEC insists thattechnological limitations ofthe past are no longer acceptableexcuses for tolerating the threats represented by selective disclosure;hence,Regulation FD effectively issues a Ôceaseand desistÕorder to such practices (SEC 2000b). V. How Much Disclosure Is Too Much?Continuous reporting can be a blessing as well as a curse.The blessing is that real-time disclosure ofinformation canbe made available to the entire marketplace at once,therebydecreasing the potential for information asymmetry andincreasing the decision usefulness ofsuch information.Thecurse,however,is that the same technological improvementsthat give rise to timelier and more equitable disclosures canalso be used to offer richer disclosures.As such,stakeholderscan demand that companies open their databases to makeavailable an expanded set ofÞnancial and non-Þnancialinformation.A major concern in this regard is the extent towhich a company that discloses Ôtoo muchÕin the market-place might impair its competitive advantage.This concernis supported by Bamber and Cheon (1998),as they report anegative relationship between proprietary information costsand discretionary earnings forecast disclosures.Preliminary research related to the advantages ofincreased disclosure suggests that greater disclosure is betterthan less in only some circumstances.SpeciÞcally,Botosan(1997) indicates that richer disclosure is signiÞcantly relatedto lower cost ofcapital for Þrms with relatively light analystfollowing.However,there was no signiÞcant relationshipbetween disclosure level and cost ofcapital for Þrms withrelatively heavy analyst following.The reason for these Þnd-ings is that the information content ofdisclosures is greaterfor Þrms with light analyst following because less is knownin the marketplace about such Þrms,as they are dependenton intermediaries for information dissemination.It appearsas though small and thinly traded Þrms are currently disadvantaged with respect to cost ofcapital;accordingly,continuous reporting that disseminates corporate informa-tion to all stakeholders at once holds potential beneÞts inthis regard.While ICT places powerful information query,retrieval,and analysis tools in the hands ofthe masses,questionsremain regarding how much information management can realistically be expected to be revealed to the publicwithout harming the ÞrmÕs competitive position.Eventhough information consumers might strongly insist thatcorporations open their entire databases to the public,atsome point management acting as good faith agents have to draw a line in the sand and say Ôenough is enough.ÕIt isunlikely that the SEC or FASB will or should address suchissues,as they are concerned with capital market integrityand truthful Þnancial reporting.Instead,the laws ofsupplyand demand will most likely seek equilibrium betweentransparency and privacy ofcorporate information.VI. Should Continuous Reporting BeMandated?Statement ofFinancial Accounting Concepts #2(Qualitative Characteristics ofAccounting Information)issued by the FASB articulates two primary informationquality attributes (reliability and relevance) and two second-ary attributes (comparability and consistency).For the mostpart,the focal interest ofthe SEC,FASB and InternationalAccounting Standards Board (IASB) over the past years hasbeen on the primary attribute ofreliability (composed ofveriÞability,representational faithfulness,and neutrality),as well as the secondary attributes.The other primary,information-quality attribute ofrelevance,which includespredictive value and timeliness,often takes a backseat withrespect to regulations and standards.Any move by thesebodies to mandate continuous Þnancial reporting wouldrequire a fundamental shift in focus from reliability to relevance (i.e.,timeliness),which,in our view,is unlikely to happen soon.Thus,it seems that the odds are low that regulatory orstandard-setting bodies will mandate CR in the foreseeablefuture.As with disclosure richness (discussed above),theextent to which continuous reporting evolves,in the nearterm at least,will likely be left to the laws ofsupply anddemand.Perhaps it should be this way.That is,ifthe capitalmarket places a premium on more frequent disclosure ofinformation,Þrms that respond accordingly will reap Þnancial beneÞts such as lower cost ofcapital and highershare price values.Firms that refuse to address marketplacedemands for more timely information will suffer the economic consequences.Over time,Þrms will eventually Þndtheir break-even point with respect to the incremental cost ofproviding more frequent information (i.e.,technology,opportunism,and competitiveness) and resulting beneÞts.Another issue to consider with respect to CR is the extent to which more frequent reporting will lead investors to overreact to each new piece ofinformation as it is releasedon a more disaggregated basis.VII. Investor Reactions To ContinuousFinancial ReportingAs discussed earlier,economic theory suggests that morefrequent disclosure ofÞnancial information to the public willresult in less stock price volatility.However,an alternativepsychological viewpoint indicates that stock price volatilitymight actually increase with more frequent disclosure undercertain conditions. SUPPLYANDDEMANDFORCONTINUOUSREPORTING13Prior research suggests that the frequency with whichinformation is released to investors can alter decision-making processes and judgments (Shiller 1981;Carter and Manaster 1990;and Mitchell and Mulherin 1994).Inparticular,research Þndings suggest a positive relationshipbetween the frequency ofinformation dissemination andstock price volatility.The reasoning behind this phenome-non is rooted in the anchoring and adjustment phenome-non,as described by Hogarth and Einhorn (1992).Two aspects ofanchoring and adjustment deal with how new evidence is presented (presentation mode) andassimilated into an existing judgment or belief(processingmode).One way to process new information is to update a beliefstate as each piece ofnew evidence is presented,referred to as a step-by-step (SbS) processing mode.Anotherapproach is to update a beliefstate only after all evidence hasbeen presented,referred to as an end-of-sequence (EoS) processing mode.Holding information constant,continuousreporting disaggregates a set ofinformation and presentseach informational item in a SbS presentation mode,whereasperiodic reporting presents the same information in an EoS mode.Hogarth and Einhorn (1992) suggest that thepresentation mode will evoke a comparable (EoS) processingmode,which indicates that continuous reporting (SbS presentation mode) is likely to evoke a SbS processing mode with respect to stock price valuations.Many researchers have noted a recency effect associatedwith either SbS or EoS processing modes meaning greaterdecision weight is ascribed to later,as compared to earlier,information in a sequence ofreleases (e.g.,GrifÞn andTversky 1992;Maines 1995;Tuttle et al.1997).Furthermore,several studies indicate that the longitudinal impact oftherecency effect on beliefadjustments is greater with SbS,ascompared to EoS,processing because more anchoring andadjusting takes place (Trotman and Wright 1996;Kennedy1993,Ashton and Ashton 1988)1.This suggests that after a series ofpositive news releases pertaining to a given company,stock price valuations will be higher (lower) ifinformation is presented in a continuous (periodic) formatsince SbS presentation will evoke a SbS processing.Conversely,after a series ofnegative news releases,valuationswill be lower (higher) with continuous,as compared to periodic,reporting.2Accordingly,one can argue that as themarket ebbs and ßows with sequential series ofgood andbad news information releases,stock price valuations will be higher after sequences ofgood news and lower aftersequences ofbad news with continuous reporting,as com-pared to periodic reporting.Hence,contrary to conventionaleconomic theory,stock prices could become more volatilewith continuous Þnancial reporting.One more aspect ofCR on human judgment deals withthe concept ofinformation overload.That is,individualstend to resort to heuristics,or simplifying rules-of-thumb,in light oftoo much information.For decision makers withconsiderable experience,the use ofheuristics can lead to amore efÞcient decision-making process while maintaining ahigh level ofdecision quality,as experts have learned how toprocess orthogonal,redundant,and irrelevant informationcues.However,decision makers with less expertise mightalso resort to heuristics due to information overload,butsince their decision-making schema is less developed,theymight unknowingly ignore important orthogonal decisioncues inappropriately attending to redundant and irrelevantinformation.The discussion ofthe behavioral effects ofCR does notmean that more frequent reporting and richer disclosingshould not take place.Rather,we bring up these issues sothat researchers,preparers and regulators can consider waysto minimize unintended yet deleterious inßuences ofCR onhuman judgment.Finally,we brießy address potential legalramiÞcations associated with CR.VIII. Continuous Reporting and LitigationRiskTraditional quarterly and yearly accounting reports stressreliability,thereby theoretically reducing litigation risk.However,the tradeoffofmyopically focusing on reliability is the severe restriction ofÞnancial statement relevance.Alternatively,continuous reporting that dramaticallyimproves relevance without appropriate consideration forreliability may generate less precise accounting informationthat is inappropriately relied on by Þnancial report users,thus increasing the potential for litigation.Hence,the FASBmust carefully consider and balance reliability versus rele-vance issues in the context ofcontinuous reporting.Further,as discussed earlier,ifCR results in less severe volatility insecurity prices,litigation may be reduced since suits are mostfrequently precipitated by a signiÞcant drop in share prices.Another legal ramiÞcation ofcontinuous reportinginvolves a potential paradigm switch from tort to contractlaw.Electronic reporting via Internet Web sites allows Þrmsto identify who accessed what information at what time.1Hogarth and Einhorn (1992) also noted a primacy effect (i.e.,greater decision weight ascribed to earlier information) associated with complex tasks and long series ofinformational cues,although this Þnding has not been universally supported in subsequent studies.2Trotman and Wright (2000) review prior recency studies and note that other than response and presentation mode the magnitude oforder effects also seems to depend on the type oftask and the motivation and experience ofthe individual. Since users would actively seek information,rather than pas-sively receive information,a contract is formed between thecompany and user.Through evolving electronic commercelaw,contracting procedures such as non-repudiation andauthentication can verify the existence ofsuch a contract.Litigation under contract law,as opposed to tort law,is likelyto result in lower litigation costs and increased inducementfor all parties to behave in a proper manner (Elliott 2001).IX. SummaryThis article provides a review ofthe foundations for the supply and demand for continuous reporting (CR).Information economics suggests that a cost-beneÞt perspec-tive is appropriate when evaluating and comparing the valueofalternative information systems,such as CR versus thecurrent quarterly reporting model.On the beneÞt side ofthe equation,CR provides decision makers with timelierinformation,which allows for more rapid revisions ofbeliefstates.As a result,more frequent dissemination ofdecision-relevant information can decrease stock price volatility,information risk,transaction premiums,cost ofcapital,and pressures for providing insider information.The costs ofCR largely entail the development and implementation ofadvanced information and communication technology(ICT) infrastructures that allow for real-time processing ofeconomic events.Once the ICT infrastructure is in place and operating efÞciently,incremental costs associated withpublishing Þrm information on the Internet are fairly negligible,particularly with the advent ofthe high-band-width networks,enterprise-wide information systems,XBRLand push/pull technologies.While implementation ofCR appears feasible from economic and technological standpoints,another importantconsideration is organizational feasibility that is,the extentto which management is ready to accept this change.Onereason managers might resist adopting CR is that theiropportunities to manage earnings could be diminished.There is widespread evidence that some managers attempt to Òmanage earningsÓto meet market expectations with the underlying motive ofmaximizing incentives set forth in principle-agent compensation contracts.Therefore,ifmanagers believe that CR will severely restrict their ability to manage earnings toward this end,they will likely resist its implementation.Indeed,future research in this area iswarranted.CR follows in the spirit ofthe SECÕs (2000b) recent enactment ofRegulation FD (Full Disclosure),which has the objective ofminimizing information asymmetry amongmarket participants and increasing the transparency ofeconomic transactions.However,there are signiÞcant concerns by management regarding how much disclosureand access to company databases are reasonable withoutharming the ÞrmÕs competitive position.Thus,a key issue is the extent to which CR should remain voluntary or bemandated.In this regard,regulatory bodies and academicresearchers need to evaluate whether the demand premiumplaced on CR is sufÞcient to induce Þrms to voluntarilyadopt more frequent reporting,particularly ifCR leads to Ôopen accessÕto sensitive company information for thesake ofimproved transparency.While information economics suggests that CR has thepotential to reduce market price volatility,psychological theory would predict an opposite effect.This expectation is based principally on a framework known as anchoringand adjustment (i.e.,individuals update prior beliefs as newevidence is received).CR disaggregates information,therebyresulting in Step by Step (SbS) presentation and processingmodes,whereas traditional periodic reporting aggregates the same information into a set,which results in End ofSequence (EoS) presentation and processing modes.Whileresearchers have reported a recency effect with either SbS or EoS modalities (i.e.,greater decision weight is ascribed to later,as compared to earlier,information),this effect ismore pronounced in the SbS condition since beliefs are re-evaluated more frequently.This is especially ofconcernwhen evidence is mixed (positive and negative),with thesame information resulting in different conclusions based on the order received.Further,there is the potential forincreased information processing overload associated withCR.Hence,psychology-based research is needed to evaluatethe extent ofthese behavioral concerns.The demand for more frequent reporting ofbusinessinformation is already intense.Ifthe accounting professionas a whole continues to lag behind such demand by notproactively engaging the SEC and business Þrms to bring CR to the forefront,the entire spectrum ofinformation consumers from lenders to investors is likely to seek relevant,decision-making information from alternate sources.As aresult,the current and future value ofthe profession will beconstrained and possibly diminished.We neither suggestthat we have addressed all ofthe challenges associated withCR in this paper nor believe that the obstacles are easilyovercome.However,ifpracticing accountants and academicresearchers wish to go down the CR path together,it is substantially more likely that we can address the difÞcultissues before us and lift the profession to a new level ofvalue-added service opportunities. SUPPLYANDDEMANDFORCONTINUOUSREPORTING15ReferencesAshton,A.H.and R.H.Ashton.1988.Sequential beliefrevi-sion in auditing.TheAccounting Review(October) 4:623-41.Bamber,L and Y.S.Cheon.1998.Discretionary managementearnings forecast disclosures:Antecedents and outcomesassociated with forecast venue and forecast speciÞcity choices.Journal ofAccounting Research36 (2):167-190.Botosan,C.A.1997.Disclosure level and the cost ofequitycapital.The Accounting Review72 (3):323-349.Brown,L.D.2002.Managerial behavior and the bias in analystsÕearnings forecasts.Journal ofAccounting Research(Forthcoming).Burgstahler,D.and I.Dichev.1997.Earnings management toavoid earnings decreases and losses.Journal ofAccountingand Economics24 (1):99-126.Carter,R.and S.Manaster.1990.Initial public offerings andunderwriter reputation.The Journal ofFinance(September)45 (4):1045-67.Coughlin,A.T.and R.M.Schmidt.1985.Executive compensation,management turnover,and Þrm performance.Journal ofAccounting and Economics7:43-66.Dechow,P.,R.G.Sloan,and A.P.Sweeney.1996.Causes andconsequences ofearnings manipulation:An analysis ofÞrms subject to enforcement actions by the SEC.Contemporary Accounting Research13 (1):1-36.Defond,M.L.and C.W.Park.2002.The use ofabnormalaccruals in managing earnings to meet market expectations.The Accounting Review(Forthcoming).Degeorge,F.,J.Patel,and R.Zeckhauser.1999.Earningsmanagement to exceed thresholds.Journal ofBusiness72:1-33.Demski,J.1980.Information Analysis.Reading,MA:Addison-Wesley.Demski,J.and G.Feltham.1976.Cost Determination:AConceptual Approach.Ames,Iowa:Iowa State UniversityPress.Elliott,R.2002.Twenty-Þrst century assurance.Auditing:AJournal ofPractice & Theory(Forthcoming).Elliott,R.K.and D.M.Pallais.1997.Know your market.Journal ofAccountancy184 (1):30-34.FASB.2000.Electronic Distribution ofBusiness ReportingInformation.Steering Committee Report Series.BusinessReporting Research Project.Feltham,G.1972.Information Evaluation.Studies inAccounting Research #5.Sarasota,Fl.:American AccountingAssociation.Foster,G.1979.Briloffand the capital market.Journal ofAccounting Research17 (Spring):262-274.GrifÞn,D.,and A.Tversky.1992.ÒThe Weighting ofEvidenceand the Determinants ofConÞdence.ÓGuidry,F.,A.Leone,and S.Rock.1999.Earnings-basedbonus plans and earnings management by business unitmanagers.Journal ofAccounting and Economics(January) 26:113-142.Healy,P.and J.M.Wahlen.1999.A review ofthe earningsmanagement literature and its implications for standard setting.Accounting Horizons13 (4):365-383.Hoffman,C.and C.Strand.2001.XBRL Essentials.AmericanAccounting Association:Sarasota,FloridaHogarth,R.M.and H.J.Einhorn.1992.Order effects in beliefupdating:The belief-adjustment model.Cognitive Psychology24:1-55.Kennedy,J.1993.Debiasing audit judgment with accounta-bility:A framework and experimental results.Journal ofAccounting Research:231-245.Kogan,A.,E.F.Sudit,and M.A.Vasarhelyi.1999.Continuousonline auditing:A program ofresearch.Journal ofInformation Systems(Fall):87-103.Maines,L.A.1995.Judgment and decision-making researchin Þnancial accounting:Areview and analysis,Part II,Chapter 4.ÓJudgment and Decision-Making Research inAccounting and Auditing,by Ashton and A.Ashton (eds.),Cambridge University Press.McCarthy,E.2001.After Regulation FD:Talking to YourConstituents.Journal ofAccountancy191 (2):28-30.Mitchell,M.L.and J.H.Mulherin.1994.The impact ofpublic information on the stock market.The Journal ofFinanceXLIX (3):923-950.Murphy,K.and J.Zimmerman.1993.Financial performancesurrounding CEO turnover.Journal ofAccounting andEconomics16:273-316.Nelson,M.W.,J.A.Elliott,and R.L.Tarpley.2002.Evidencefrom auditors about managersÕand auditors earnings-man-agement decisions.The Accounting Review(Forthcoming).Public Oversight Board.2000.Panel on Audit Effectiveness:Report and Recommendations.AICPA:New York,NY.Rezaee,Z.and C.Hoffman.2001.XBRL:Standardized elec-tronic Þnancial reporting.Internal Auditor(August):46-51.Securities and Exchange Commission (SEC).2000a.ReleaseNo.34-42728.Interpretation:Use ofElectronic Media. ____________________________________.2000b.Final Rule:Selective Disclosure and Insider Trading.Release Numbers 33-7881 & 34-43154.____________________________________.2000c.Final Rule:Revision ofthe CommissionÕs AuditorIndependence Requirements.Washington D.C.Shiller,R.J.1981.Do stock prices move too much to be justiÞed by subsequent changes in dividends? The AmericanReview(June):421-36.Tan,H.T.,R.Libby and J.Hunton.2002.AnalystsÕreactionsto earnings preannouncement strategies.Journal ofAccounting Research(Forthcoming).Trotman.K.and A.Wright.2000.Order effects and recency:Where do we go from here? Accounting & Finance(July):169-182._____________________.1996.Recency effects:Task complexity,decision mode,and task-speciÞc experience.Behavioral Research in Accounting:175-193.Tuttle,B.,M.Coller,and F.G.Burton.1997.An examinationofmarket efÞciency:Information order effects in a laboratory market.Accounting,Organizations and Society22 (1):89-103.Vasarhelyi,M.A.2002.Concepts in Continuous Assurance.Researching Accounting as an Information Systems Discipline,V.Arnold and S.Sutton (Eds),forthcoming monograph bythe Information Systems Section ofthe AmericanAccounting Association. SSURANCEREPORTINGFORXBRL:XARL17©2003Assurance Reporting for XBRL: XARL (eXtensible Assurance Reporting Language)J.E.Boritz and W.G.NoBoth at University ofWaterlooAbstractAccounting was developed in response to the demands ofbusiness and other organizations and users for relevant andreliable Þnancial information for decision making.Currently,many companies are providing users with Þnancial informa-tion via the Internet on the World Wide Web (WWW or theWeb).However,such information must often be reentered by users seeking to analyze it because as yet there are no common,generally accepted formats for exchanging businessinformation on the Web.XBRL (eXtensible Business ReportingLanguage) is currently being developed to overcome this limitation and provide Þnancial information users with a standardized method to prepare,publish,and exchange Þnancial information.Although there are several beneÞts ofusing XBRL to createdocuments,one limitation is that it does not take into accountthe quality ofthe information particularly whether XBRL-coded information is reliable.The reliability ofÞnancial information depends on the reliability ofthe processes used tocreate an XBRL document;the nature,extent and timing ofassurance procedures performed on that information;and the security measures taken to protect the integrity ofthe information as it travels over the Web.Information on the Web,including XBRL documents,can be created and easily revisedand is vulnerable to interception and tampering.Therefore,users who depend on Þnancial information for critical deci-sions should be concerned about its reliability and would bewise to obtain assurance about the reliability and authenticityofthe information before using it for important decisions.This paper describes XARL (eXtensible AssuranceReporting Language),an Extensible Markup Language(XML)-based extension ofXBRL designed to enable assuranceproviders to report on the reliability ofinformation distributedover the Internet.A related paper,Boritz et al.(2002),addressesthe infrastructure requirements to enable XARL to be implemented.First,this paper brießy traces the development ofXBRL from its origins in Standard Generalized MarkupLanguage (SGML) to its reÞnement through XML,and summarizes the beneÞts ofXBRL.Next,it describes XARL,a means by which assurance providers can add credibility to XBRL documents.XARL,when supported by an effectiveinfrastructure,can help users and companies place warrantedreliance on Þnancial information on the Internet.I. IntroductionSince Pacioli deÞned the double-entry bookkeeping system in his 1494 book,Summa de Arithmetica,Geometria,Proportioni et Proportionalita,there have been many newdevelopments in accounting and these continue,contribut-ing to economic prosperity.Today,accounting information is being provided on the Internet,especially the World WideWeb (WWW or the Web),to enable the timely and efÞcientexchange ofinformation among preparers and variousstakeholders.However,despite the increased access to information that the Web offers,such information often cannot be easily incorporated into spreadsheets and otheranalysis software,requiring tedious,costly,and error-pronecutting and pasting or transcription.Also,there is little toassure users that the accounting information being providedon the Internet is reliable and authentic.Some attempts are being made to overcome these limita-tions.One such initiative is XBRL (eXtensible BusinessReporting Language).XBRL is a freely available,open speciÞcation based on XML that provides a method bywhich Þnancial professionals can prepare,extract,exchange,and analyze Þnancial statements and the information theycontain,simplifying some ofthe previously tortuous phasesofÞnancial statement analysis.In this paper,we brießy tracethe development ofXBRL from its conceptual origins inSGML and XML.Second,we will explain the importance ofXBRL and its limitations in connection with informationreliability.A more extensive discussion ofXBRL can befound in Hoffman and Strand (2001).Then we address themain topic ofthis paper,a set ofproposed extensions toXBRL that we have termed eXtensible Assurance ReportingLanguage (XARL) designed to address the issue ofinforma-tion reliability on the Internet.We discuss the infrastructurerequirements to facilitate the implementation and effectiveuse ofXARL in a separate paper (please refer to Boritz et al.,2002).From SGML to HTML, and to XML: ANew Paradigm for Internet DocumentsThe astonishing growth ofthe Web has been fueled bythe ability that it gives information providers to easily andcheaply distribute electronic documents to audiences on the Internet.The tremendous popularity ofthe Internet in largemeasure is due to the Web and HyperText Markup Language(HTML).Most documents on the Web are stored and transmitted in HTML,a simple language that was developedto provide hypertext and multimedia functions for the Inter-net.HTML is based on Standard Generalized MarkupLanguage (SGML),a standard for deÞning and formattingdocuments.SGML was established in 1986 as an international stan-dard by the International Organization for Standardization(ISO) for deÞning and using document structure and con-tent.1SGML was intended to be a language that wouldaccount for every possible data format and presentation.Thus,it enables users to create tags,to deÞne document formats,and to exchange data among various applications.Since SGML is system and platform independent and cansave a documentÕs structure,it can be used in various ways,such as for searching and exchanging data.However,SGMLis very complex and contains many optional features that arenot needed by many Internet applications.Furthermore,it is costly to develop software that supports SGML.As a result,there are few SGML applications for the Internet.The complexity ofSGML led to the development ofHTML (HyperText Markup Language).HTML,the basiclanguage for creating a Web page,is easy to learn and use.Most ofthe language consists ofcodes or tags inserted into a document to specify how information should be displayedin a browser window for example,&#xp000;o start a paragraphoftext an&#x/p00;d o end a paragraph.The simplicity and convenience ofHTML have aided the explosion ofinterest in the Internet.Nevertheless,HTML has some fundamentallimitations.It merely facilitates presentation oftext and multimedia.It does not allow intelligent search,dataexchange,and non-HTML forms such as database andspreadsheet forms.As e-commerce grows,it becomesincreasingly important to exchange data,use more meaningful search,manipulate data,and generate multipleviews ofdata.As a result,HTMLÕs limitations are becomingincreasingly noticeable.XML was established by the W3C (World Wide WebConsortium) in 1996 to overcome those limitations.2XMLstands for eXtensible Markup Language.It is extensiblebecause the language can be extended by anyone who wantsto create additional tags for new and unforeseen purposes.It is a markup language because XML is a method ofpre-senting information that has accepted rules and formats to give deÞnition to text and symbols.XML was created byadapting the key functions ofSGML while excluding the lessessential ones.Whereas HTML tags generally indicate onlyhow the content should appear in a browser window,XML tags indicate what the content is.Whereas HTML was designed to display data and to focus on how data looks,XML was designed to describe data and to focus on what thedata represents.Content therefore becomes more readilyaccessible through XML.XBRL: A New Way to Prepare, Publish,and Exchange Financial Information XML is a general-purpose language offering many possi-bilities.However,a generic Web browser cannot understandXML tags unless those tags are deÞned for it,as will be illus-trated later.XML is particularly valuable when the tags areagreed to by a community ofusers who can then exchangetagged information easily.XBRL,formerly code-namedXFRML (eXtensible Financial Reporting Markup Language)is the Þnancial professionÕs adaptation ofXML for Þnancialreporting.A joint industry and government consortiumestablished in the fall of1999,including the AmericanInstitute ofCertiÞed Public Accountants (AICPA),six information technology companies,and the Þve largestaccounting and professional services Þrms,developed thisXML-based speciÞcation for the preparation and exchangeofÞnancial reports and data.XBRL does not establish newaccounting standards but is intended to enhance the value or usability ofexisting standards.Also,it does not requireproviding additional Þnancial information to outside users.XBRL.org does,however,have a process for approving taxonomies (dictionaries ofdeÞned tags) to be used withXBRL.XBRL provides several beneÞts to Þnancial professionalsand the business community.First,data in XBRL is codedwith tags that describe content and structure.Therefore,XBRL provides more efÞcient,accurate,and relevant searchmechanisms for users ofÞnancial information.Second,since XBRL documents are prepared by using an agreed-upon taxonomy,3data can be exchanged and processed without modiÞcation.Third,XBRL is technology-platformindependent.This further enhances the interchangeability ofdata.Fourth,XBRL information is coded once and isready for extraction electronically into a variety ofreportsfor a variety ofinformation users.This facilitates paperlessÞnancial reporting and cuts down on data manipulation.As a result,the cost ofproducing Þnancial and regulatoryinformation can be substantially reduced.Fifth,XBRL Þlescan be parsed,edited,and manipulated.Thus,XBRL docu-ments can be transformed to a variety offormats such as aWeb page and a data Þle for spreadsheet and database soft-ware.Consequently,data in XBRL may be displayed in a Web SSURANCEREPORTINGFORXBRL:XARL19browser,sent to a database,sent to printer,and used to createother XBRL documents.In addition,the same document can be used by many different applications.Sixth,XBRLimproves the analysis ofmultiple company Þnancial infor-mation;users can obtain and analyze several companiesÕÞnancial data simultaneously.Although XBRL does not byitselfguarantee that more companiesÕdata will be released to the public electronically over the Internet,it does offer the ability for interested parties to easily access the data thatexist.Finally,as mentioned previously,XBRL is an openspeciÞcation developed by XBRL.org,a not-for-proÞt consortium.4II. XARL: A Challenge For The AuditProfessionAlthough XBRL offers several key beneÞts,it is importantto note that XBRL does not address the reliability oftheinformation it is used to describe.For example,an incorrector unauthorized taxonomy may be used.Consider the following scenario.In 2001,XBRL.org announces an ofÞcialtaxonomy,called CI_V1.Assume that several companies create XBRL documents based on the CI_V1 taxonomy.In 2002,in response to changes in accounting principles,XBRL.org creates a CI_V2 taxonomy to incorporate theaccounting principle changes.In this situation,the oldCI_V1 taxonomy may still be appropriate to create the XBRL document for the pre-2002 Þnancial statements.However,it could be misapplied to post-2001 documents.Misapplication ofXBRL tags representing taxonomy elements is another potential problem.One entity may apply the tag for cash to its cash and cash equivalents,whileanother may apply the tag for cash only to cash.These typesofinconsistencies may lead to errors in the interpretation ofvarious ratio calculations and other inter-company comparisons.Also,XBRL does not restrict anyone from producing and disseminating Þnancial information electronically,evenifthat information lacks integrity.Because information onthe Internet,especially the Web,can be easily created andrevised without proper authorization,the reliability andauthenticity ofinformation should be carefully consideredby entities and individuals using XBRL to produce and consume information over the Internet.XARL (eXtensible Assurance Reporting Language) is an application ofXML that is designed to extend XBRL tocontribute to the reliability ofthe information provided byusing XBRL.XARL is an XML-based speciÞcation that relieson accepted assurance processes and security techniquessuch as the Public Key Infrastructure (PKI),as well as XML security features still being developed,to enhance thereliability ofinformation disseminated over the Internet.When combined with XBRL and an information integrityinfrastructure,XARL provides a method for preparing andproviding assurance about the reliability ofÞnancial infor-mation transmitted over the Internet.An XARL-based document includes speciÞc tags that explain assurance type,assurance date,auditorÕs digital signature,system reliability,and so forth.Therefore,users can easily identify the type ofassurance,the period oftime covered by the assurance,theassurerÕs name,and the source ofthe assurance standardsapplied (e.g.,U.S.Generally Accepted Auditing Standards(GAAS)).This paper describes XARL.However,the infrastructurerequired for the effective implementation ofXARL isdescribed in a separate paper by Boritz et al.(2002).Asdescribed here,XARL does not attempt to establish newassurance standards but rather to enhance the value ofXBRL by deÞning a digital language to provide and communicate assurance based on existing standards.5It is noteworthy that the U.S.Generally AcceptedAccounting Principles (GAAP) version ofXBRL includessome tags designed to code the content ofthe accountantÕsreport on the Þnancial statements;however,these tags arenot protected in any way.Thus,anyone could add or modify(erroneously or intentionally) the tags,conveying assuranceeven ifno independent veriÞcation was performed.Also,thetags that are provided are designed to address the Þnancialstatements as a whole and are not developed to communicateassurance about individual Þnancial statements or individualÞnancial statement items.Also,there are no tags to commu-nicate assurance about the systems and controls underlyingthe Þnancial statements or other matters relevant to assessingthe reliability ofthe information provided through XBRL.In contrast,documents coded with XARL would provideauthentic evidence that the information in XBRL documentswas audited or otherwise assured by a public accountant.This would reduce uncertainty about possible risks and provide users with credible information.Table 1,shown inthe XARL taxonomy section,summarizes the extensions that XARL makes to XBRL.How XARL WorksSuppose a public company,Toronto Inc.,wishes to provide Þnancial statements to creditors,investors,and ana-lysts,and engages an assurance services company,WaterlooAssurance Co.to provide assurance on that information.(Please refer to Figure 1.) d c Waterloo Assurance Co. User Internet XARLDocument pplicationsuch asEDP t Systemand Systrust XARL TaxonomyOther Taxonomies Application(XARLthicationSystem) AssuranceServiceCompanyDatabase BRL TaxonomyOther TaxonomiesApplicationsuch asAccounting SystemToronto Inc.DatabaseOther FormatsApplication DataPDFHTML·¹¸¶ º tyle SheetXBRL Document· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · ·· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · ·· · · · · · · · · ·· · · · ·· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · º¹¸·± XB Document± User's Request± XBRL Document± User Information± XARL Document Encrypted with Digital SignatuUsing User's Public Key d Pa SSURANCEREPORTINGFORXBRL:XARL21taxonomy pertain to Þnancial statements and Þnancialstatement items;however,the taxonomy itselfis designed toaccommodate a broad range ofelements,including Þnancialreporting systems and controls and other systems (e.g.,an entityÕs e-commerce system).These elements can be extended as professional standards expand to deÞne relevant assurance attributes to be translated into XARL tags forexample,the Trust Services criteria underlying a SysTrust or WebTrust seal.11FIGURE2:OVERVIEWOFXARL TAXONOMYTables 1 and 2 summarize the extensions that XARLmakes to the assurance tags provided in XBRL.TABLE1:XARL EXTENSIONSTOXBRLExtensionXBRLXARLAssurance ElementsPart ofXBRL taxonomyStand-alone taxonomyInformationOnly provides information Provides comprehensiveabout accountantÕs reportinformation about assurance Assurance RangeAssurance for whole Not only assurance for wholeÞnancial statementsÞnancial statements but also for individual Þnancial statement,individual Þnancialitems,system and control,where standards permitSeparationAssurance information is Assurance information can beincluded as a part ofXBRL provided to users as a separatedocuments document or along with XBRL documentsElementsSee Table 2,left columnSee Table 2,right columnTABLE2:COMPARISONOFASSURANCEELEMENTSBETWEENXBRL ANDXARLFigure 3 illustrates the XML-coded XARL taxonomy previously presented in Figure 2. resAssurerure FIGURE3:EXAMPLEOFAXARL TAXONOMYSince XARL taxonomy Þles are XML Þles,they can beviewed using a text editor as shown in Figure 3.It is also possible for users to view taxonomy information with a taxonomy viewer application to obtain a better and fasterunderstanding ofthe structure ofthis information.12The XARL taxonomy is eXtensible.Therefore,iftheXARL taxonomy described in this paper does not containtags that meet usersÕneeds,then users can create their owntags.For example,Elliott (2002) suggests a variety offutureassurance tags such as:Òproduct ofan information systemwith SysTrust assurance,ÓÒproduct ofan information systemunder statistical quality control with parametersÉ,ÓÒreliablesubject toÉ,ÓÒreliable to within + or Ð percent at nn conÞ-dence,ÓÒunassured,ÓÒnot reliable,Óetc.Example XARL DocumentFigure 4 is an illustration ofan XARL document.13XARL tags are added to the XBRL document to provideassurance information about the Þnancial information suchas assurance type,assurance period,accountant information,and so on.FIGURE4:XARL EXAMPLE(XARL-EXAMPLE.XML)The document in Figure 4 contains two examples ofXARL adapted to an XBRL balance sheet document developed by using the taxonomy for Business Reporting ofCommercial and Industrial Companies,US GAAP,dated2000-07-31.14XARL tags are embedded in this document to provide assurance information about the accountant,assurance type,assurance period,overall auditorÕs opinion,and so on.15Figure 5 shows the use ofXARL tags for theoverall balance sheet.FIGURE5:XARL TAGEXAMPLE1:BALANCESHEETFigure 6 illustrates the use ofXARL tags for a single balance sheet item,ÒCash and cash equivalents.Ó SSURANCEREPORTINGFORXBRL:XARL23FIGURE6:XARL TAGEXAMPLE2:SINGLEBALANCESHEETITEMDisplaying XARL Assurance InformationXBRL documents are not designed for direct viewing by people.In many instances,the documents would byprocessed by software for a variety ofpurposes,includingconversion to HTML format to enable Web browsers to display them.While HTML uses predeÞned tags,whosemeaning is well understood for example,&#xp000;eans a paragraph and abl&#xt000;e means a table,and a browser knows how to display them,this is not the case with XMLdocuments such as XBRL and XARL.In order to displaydocuments tagged with XBRL and XARL codes,it is neces-sary to have a mechanism for this purpose.This is done bymeans ofa style sheet,prepared with a style-sheet language.Two ofthe most popular style-sheet languages areCascading Style Sheets (CSS)16and eXtensible StylesheetLanguage Transformations (XSLT).17CSS and XSLT overlapto some extent.XSLT is more complicated and harder tolearn and use than CSS,and CSS is more broadly supportedthan XSLT.Thus,most Web browsers support CSS,but onlya few accept XSLT.However,XSLT is more powerful thanCSS,and CSS only provides for formatting ofcontents.It does not allow users to change or reorder contents.In contrast,XSLT enables formatting and transforming XMLdocuments into other documents such as HTML,database,and spreadsheets,and Þltering and sorting XML data.XSLTcan be used to deÞne how an XML document should be displayed by transforming the XML document into HTML.XSLT performs this by transforming each XML element intoan HTML element.In addition,XSLT can add new elementsinto the output Þle,or remove elements.It can also rearrangeand sort the elements.Figure 7 shows a XSLT document thatis applied to the XARL example.FIGURE7:XSL EXAMPLE(XARL-EXAMPLE.XSL)After an XARL document and an XSLT style sheet forthat document are prepared,the XARL document can beshown in the Web browser window by including an instruc-tion in the XML document specifying the style sheet to be used (l-stylesheet type=Ótext/xslÓhref=ÓXARL-example.xsl&#x?xm0;Ó?).18Figure 8 shows the XARL example inInternet Explorer.19FIGURE8:XARL-EXAMPLE.XMLININTERNETEXPLORERIn this illustrative example,the icon,ÒAuditedÓ,indicatesthat the balance sheet was audited by a public accountant.Therefore,users may obtain conÞdence about the overallreliability ofthe balance sheet information.This examplealso illustrates the possibility ofproviding assurance for asingle balance sheet item,ÒCash and cash equivalents.ÓAccordingly,the item,ÒCash and cash equivalents,Ócan beutilized with conÞdence by users for its analysis in the reliability ofthat information since the icon,ÒAuditedÓ, indicates that the item was audited.(In practice,both iconswould not appear.)When users need assurance information details such asaccountant information and the auditorÕs report,they canclick on the icon and obtain such details by applying theirprivate key to decrypt the assurance information provided.Figures 9 and 10 show an example ofthe decrypted assur-ance information on the overall balance sheet provided bythe assurer using XARL.FIGURE9:DECRYPTEDASSURANCEINFORMATIONONTHEOVERALLBALANCESHEETFIGURE10:DECRYPTEDASSURANCEINFORMATIONONTHEOVERALLBALANCESHEETSecurity Issues in XARLXARL is an application ofXML that is designed toextend XBRL to help assure the reliability ofÞnancial infor-mation disseminated over the Internet.However,there arecritical security issues related to XARL.Like XBRL,XARL is primarily an Internet-based communication method.The Internet is insecure.Without a security infrastructure to support it,XARL is vulnerable to being intercepted,spoofed and altered.Traditional access control techniquessuch as passwords are not sufÞcient to authenticate informa-tion on the Internet.They can protect Þles or data fromunauthorized access but cannot guarantee the integrity andauthenticity ofthe information.Some attempts are beingmade to overcome such security issues.In this paper,we onlydiscuss the encryption ofall or part ofa XML document(XML Encryption) and the use ofdigital signatures appliedto XML (XML Signature) because they form the minimumrequirements for controlling the security ofXBRL/XARL-coded documents.A related paper by Boritz et al.(2002) discusses the infrastructure requirements to enable the dissemination ofreliable Þnancial information over theInternet using XBRL and XARL.XML Encryption Encryption is the transformation ofdata into a form only readable by someone with a decryption key.The goal ofencryption is to ensure conÞdentiality by keeping the SSURANCEREPORTINGFORXBRL:XARL25infortion hidden from anyone for whom it is not intended.Proper encryption is crucial for XML data security,particu-larly for sensitive data that is passed across unprotected networks such as the Internet.Private key encryption (also termed symmetrical orsecret key encryption) is based on the sender and the receiver ofa message knowing and using the same secret key(e.g.,a password).In other words,the sender uses the secretkey to encrypt the message or data,and then the receiveruses the same secret key to decrypt the message or data.However,the problem with this secret key cryptography isthat the sender and receiver must share a secret key withoutanyone else Þnding out.Ifthey are located in different places,they have to trust a communication channel such as thepostal system,the telephone system,or the Internet whencommunicating the secret key.Public key cryptography was developed to overcome thelimitations ofsecret key cryptography.Under public keycryptography,each person has a mathematically-generatedpair ofkeys called the public key and the private key.Thepublic key ofeach person is published while the private key is kept secret.No other key can decipher a messageencrypted by one ofthese keys except the other key in thepair.A message sender encrypts the message or data byusing his or her private key and the intended receiverÕs public key,while the receiver decrypts the message or databy using his or her private key and the senderÕs public key.The sender and receiver do not have to share or transmit any secret key information.It is not necessary to trust a communication channel to be secure.XML Encryption20uses both asymmetric and symmetricencryption.First,a public key generated by some algorithmis sent to a potential information recipient who wants tosend a secret key to the potential information sender.Withthe senderÕs public key,the receiver encrypts his or her private key (this could be randomly generated for one-timeuse) and sends the encrypted key to the sender.The senderthen decrypts the key with his or her private key.Once thesender has obtained a secret key from the recipient throughasymmetric encryption,the secret key is used for encryptingor decrypting data at both ends.This process can speed upthe creation and exchange ofencrypted information and cansimplify key administration.Figure 11 illustrates the use ofXML Encryption tags for an XARL document.21XML Encryption could be used to encrypt the entire XML document,one element,elementcontent,attribute,or attribute value.In the example,XMLencryption tags are used to encrypt XARL assurance tags for the entire set ofassurance information related to oneÞnancial statement.The ÒEncryptedDataÓelement containsthe XML namespace used for encryption.The completeÒCipherDataÓelement appears within an ÒEncryptedDataÓelement.The actual encrypted data appears as contents ofthe ÒCipherValueÓtag.Please note that this example is amock-up only.These features have not yet been fully developed by W3C.It is important to note that this method by itselfwill notguarantee the authenticity ofthe message,since it providesno control over the identity ofthe key pair generator.Toauthenticate the sender and receiver,it is necessary to use the Public Key Infrastructure (PKI) whereby a CertiÞcateAuthority (CA) authenticates their identity and controls thecreation ofprivate/public key pairs.For example,the certiÞ-cate authority may issue the public key and the software that generates the private key to an individual or an entitywhose identity has been authenticated.The authenticity ofthe individual depends on the sufÞciency ofthe authentication procedures applied by the CA and the CAÕskey management security and general trustworthiness.FIGURE11:XML ENCRYPTIONEXAMPLEXML Signature Authentication is a process by which the receiver ofdigital information can be conÞdent ofthe identity ofthesender.However,it is also necessary to establish the integrityofthe information being sent.This involves the use ofdigitalsignatures.Digital signatures play a role for digital docu-ments similar to that played by handwritten signatures forpaper documents,although digital signatures can be morepowerful than handwritten signatures.Since the digital sig-nature is an enforceable data element,the digital signatureauthenticates the integrity ofthat document as well as theidentity ofthe sender who attached his or her signature tothe document. A digital signature works as follows.An algorithm is used to calculate a message digest22value,which is a uniquenumber that can only be calculated from the contents ofthemessage.The digest value is analogous to the ÒÞngerprintÓofthe data contents being sent,a means to assure the integrity ofthe contents.The digest value is then encryptedwith the senderÕs private key and sent with the message sothat the recipient can decrypt it using the senderÕs public key,recalculate the message digest,and compare it with themessage digest received with the message to establish theintegrity ofthe message.A change in even a single characterin the message will alter the message digest,alerting therecipient that the message has been tampered with.Themessage itselfneed not be encrypted unless there is a needfor conÞdentiality.As discussed in the previous section,the digital signatureby itselfdoes not guarantee the authenticity ofthe sender,since a fraudster could intercept the original message,poseas the sender,and replace the original message with anotherdigitally signed message.To counter this possibility,theauthenticity ofthe sender must be guaranteed through theuse ofthe Public Key Infrastructure (PKI) whereby a CAauthenticates the identity ofthe sender and controls the creation ofprivate/public key pairs.23XML Signature24deÞnes the syntax required to sign all or part ofa XML instance including speciÞc elements in adocument,to add more than one signature to a single docu-ment and to deal with the transformation ofsigned data.XML signatures consist oftwo parts.One part is a method ofsigning a document such that the signatures are veriÞed,which provides sufÞcient integrity,authentication,and non-repudiation.25The other part is a method ofverifying that asignature was actually generated by whomever it represents.Although XML has extensive capabilities and extremeßexibility,it does not satisfy the needs ofdigital signatures.For example,digital signatures misplaced in XML docu-ments can be interpreted in completely different ways.To address these issues,W3C introduced Canonical XML(XML-C14N).Canonical XML is a form ofXML documentthat accounts for permissible changes,and refers to an XMLdocument that is in canonical form.Therefore,iftwo docu-ments have the same canonical form,the two documents arelogically equivalent within the given application context.The information in a signed XML instance contains thefollowing elements:canonicalization method,signaturemethod,digest method,reference information,optional signature properties,and optional manifest.¥The canonicalization method (Canonical XML) simpliÞes and structures an XML document prior to signature.This method provides a means to ensure that the proper form ofthe data content is signed.Therefore,the recalculation ofthe message digest can be expected to verify whether the data contents have been modiÞed.¥The signature method identiÞes the algorithm used to sign the message digest.This method validates the person or process that signs the data contents,thus ensuring authentication and non-repudiation.¥The digest method identiÞes the algorithm used to create the message digest signed by the signature method.This method ensures that data contents can be reprocessed with the same algorithm to enable the comparison with the message digest value received with the message.¥The reference information provides information about the data contents that were signed.¥The optional signature properties are the context added to a signature such as a timestamp or serial number.¥Finally,the optional manifest is a way ofgrouping multiple references and creating a single digest value for signatures by one or more users.Thus,it will provide a mechanism to allow a signer to approve a number ofindividually signed transactions in one group,rather than individually approving and signing each transaction.Figure 12 shows the use ofXML Signature tags for anXARL document.The ÒSignatureÓelement contains the XMLnamespace used for the signature.The ÒCanonicalization-MethodÓ,ÒSignatureMethodÓ,and ÒReferenceÓelementsappear within the ÒSignedInfoÓelement.The ÒCanonic-alizationMethodÓelement indicates the algorithm used tocanonize the ÒSignedInfoÓelement.The ÒSignatureMethodÓelement speciÞes the algorithm used to produce the signa-ture value.Each referenced resource is speciÞed through aÒReferenceÓelement,and its digest is placed in a ÒDigest-ValueÓelement.The resources can be identiÞed through aUniform Resource IdentiÞer (URI).The ÒReferenceÓelementcontains the ÒDigestMethodÓelement that identiÞes the algorithm used to calculate the digest.The signature value ofthe digest ofthe ÒSignedInfoÓelements appears in aÒSignature-ValueÓelement.Ifkey information is included,it appears in a ÒKeyInfoÓelement.Please note that this example is a mock-up only.These features have not yet been fully developed by W3C. SSURANCEREPORTINGFORXBRL:XARL27FIGURE12:XML SIGNATUREEXAMPLEBeneÞts of Adopting XARLXBRL is developed to provide a more efÞcient and effective means ofpreparing and exchanging Þnancial information.However,Þnancial information in XBRL documents can be easily created and manipulated withoutauthorization.Also,business and Þnancial information inXBRL can be used and interpreted without the organizationÕsconsent or knowledge.As a result,threats to the reliabilityand quality ofinformation can undermine the success ofXBRL.Adding XARL to XBRL can provide several beneÞts.For companies that prepare Þnancial statements,XARL canreduce their costs ofsignaling the reliability oftheir infor-mation.For Þnancial information users,XARL can reducetheir uncertainty over perceived authenticity and integrityrisks and provide them with trustworthy information.Foraudit professionals,XARL provides an opportunity.Assurance services can be performed for XBRL-coded Þnancial statements as a whole,for selected items in theÞnancial statements,and for information systems and controls underlying those Þnancial items.Assurance typeand assurance duration can vary as well.XARL tags can help users and companies better under-stand the assurance properties ofinformation disseminatedover the Internet.Indeed,once the infrastructure for suchassurance is in place,it is possible to envisage the provisionofassurance on demand,tailored to user needs,possiblyeven paid for by the user automatically upon clicking theassurance icon.III. Issues For Future ConsiderationXARL is being developed to ensure the reliability oftheXBRL-coded information.XBRL documents enhanced withXARL tags will be less susceptible to tampering and will bemore credible,enabling users to place warranted reliance onÞnancial information disseminated over the Internet.Although this paper describes XARL and illustrates how itcan be implemented,it is only a beginning,since there are anumber ofadditional issues to be addressed:¥Part ofthe XARL infrastructure described in this paper involves public accountants creating the XARL Þles based on XBRL data received from client sys-tems.Since the Þnancial statements are the clientÕs,dual signatures may be required for the documents transmitted to users containing the XBRL and XARL information.Although this sounds complicated,once the infrastructure is in place,it may involve nothing more than a signal from a secure device such as a smart card or electronic token.Already,many organi-zations are issuing security tokens to their executives to provide security over remote access to organiza-tional systems and knowledge bases.Managing such ÒkeysÓwill be an important control process in both client entities and assurance-providing organizations.¥The Internet is global;however,the infrastructure required for XARL such as digital signatures,CertiÞcate Authorities,and other aspects ofPKI may not evolve at the same pace throughout the world.Thus,it may be necessary to create a profession-wide,or major,Þrm-sponsored,international infrastructure for managing assurance certiÞcates.¥Once the XARL infrastructure is in place,it could be used to provide continuous,real-time assurance upon demand.This could require the development ofnew assurance standards to address issues such as materiality,subsequent events,etc.In addition,new evidence-gathering techniques may be required.These will beneÞt from the susceptibility ofinformation on the Web to being audited by intelligent automated tools.¥Under the traditional model,the entity pays for the assurance.The current paper continues relying onthis model.However,once the infrastructure for XARL is created,it is possible to introduce an alterna-tive model for some or all assurance services,whereby users pay directly for the assurance provided.The economics ofsuch a model need to be explored in future research.¥Given the limited understanding that exists about traditional assurance,it will be important to educate Þnancial statement preparers,assurance providers and users about the potential beneÞts and limitations ofthis new system for providing assurance on infor-mation disseminated over the Internet. AcknowledgementsThe authors gratefully acknowledge the Þnancial support provided by the University ofWaterloo Centre forInformation Systems Assurance,sponsored by the CanadianInstitute ofChartered Accountants and the InformationSystems Audit and Control Association.The authors aregrateful to Eric E.Cohen ofPricewaterhouseCoopers for his many helpful comments on earlier drafts ofthis chapter.ReferencesewsFlash!1999.AICPA,Information TechnologyCompanies,and Five Largest Accounting and Professional ServiceFirms Join Forces in Developing XMLad Financial ReportingLangge.ugust 30).Online.ttp://www.aicpa.org/news/p083099a.ht&#xh000;mBoritz,J.Efrim and Won G.No.Business Reporting with XML:XBRL (eXtensible Business Reporting LanggEncyclopedia ofthe Internet,edited by Hossein BidgolJohWiley,forthcoming.Boritz,J.Efrim,R.de Haas,and W.G.No.2002.InfrastructureRequirements for Communicating Assurance on the Internet.Manuscript,School ofAccountancy,University ofWaterloo(August).BoJohn.1997.XML,Javanhe Future ofthe Web.Webreview.(December).Online.http://Webreview.com/1997/12_19/developerhtmBosaJohn and Tim Bray.1999.Feature Article:XML and theSecond Generation Web.ScientiÞc American,(May 1).Online.ttom/1999/0599issue/0599bok.htm&#xh000;lEllio,Robert K.2002.Twenty-First Century Assurance.Auditing:A Journal ofPractice & Theory,21,No.1,(March):139-146.Elliotte,R.Harold.1999.XML Bible.Hungry Minds,Incorporated.Greenstein,Marilyn and MloVarhelyi.ElectronicCommerce:Security,Risk Management,and Control,McGraw HillIrwin.Hoffman,Charles and Carolyn Strand.2001.XBRL Essentials,New York:AICPA.Hoffman,Charles,Christopher Kurt and Richard J.Koreto.1999.The XML Files.AIommerce.Online.ttp://www.aicpa.org/pubs/jofa/may1999/hoffman.ht&#xh000;mLindstrom,Pete.2001.Special Report:The LanggfXMLSecurity.Neoragizine.com.Online.ttp://www.network-magazine.com/article/NM&#xh000;G20010518S0010Mactaggart,Murdoch.2001.Enabling XML security:An intro-duction to XML encryption and XML signature.IBM.Online.ttp://www.106.ibm.com/developerworks/xml/library/sxmlsec.html/index.htmDN Library.2001.XML Tutorl.DOnline.ttp://microsoft.com/library/default.asp?url=/library/enus/xmlsdk30/htm/xmtutxmltutors&#xh000;pMSDN online Web Worhop.XML (eXtensible MarkupLanggMSDN Online.ttp://microsoft.com/xml/general/index.ht&#xh000;mSchmidt,Walter C.and Eric E.Cohen.1999.A better langgorutilizing the Web.The CPA Journal.Online.ttp://www.nysscpa.org/cpajournal/f201199m.htmHalfhill,To.1999.XML:the next big thing.IBM ResearchMagazine.(Nov.1).Online.ttp://www.research.ibm.com/resources/magazine/1999/number_1/xml199.htmome Page.Overview / Facts Sheet.Online.ttp://www.xbrl.org/Faq.ht&#xh000;m_____.XBRL FAQ.Online.ttp://www.xbrl.org/Overview.ht&#xh000;m_____.2000.Financial Reporting for Commercial and IndustrlCompanies,.(July).Online.ttp://www.xbrl.org/us/gaap/ci/2000-07-31/us-gaap-ci-2000-07-31.ht&#xh000;m_____.2000.eXtensible Business Reporting LanggSpeciÞcation.(July).Online.ttp://www.xbrl.org/TR/2000-07-31/XBRL-2000-07-31.ht&#xh000;mXBRL Resource Center.XBRL Educational Resource Section.Online.ttp://Web.bryant.edu/~xbrl/index.htmWaon,Liv A.,BrMcGuire and Eric E.Cohen.2000.Looking at Business Reports Through XBRL-Tinted Glasses.Strategic Finance.(September).Online.ttp://www.mamag.com/strategicÞnance/2000/09g.ht&#xh000;mW3C.1999.XML in 10 points.Online.ttp://www.w3.org/XML/1999/XMLoints.htm2001.XML Signature WG.Online.ttp://www.w3.org/Signatur&#xh000;e/_____.2001.XML Encryption WG.Online.ttp://www.w3.org/Encryptio&#xh000;n/2001/Zarowin,Stanley,and Wayne E.Harding.2000.Finally,BusinessTalks the Same Langge.JournafAccountancy.(August):24-30. Appendix 1ASSURANCEREPORTINGFORXBRL:XARL29 resssurerure e fore forrocurese forernernssuressurerssurerssure arnin TaxTaxrovTaxTax TypProceduresernnAssertion] or[Subject Matter]TypTo Pro Presentation ofInformatioinreemirementontrolsProceresreeProceres A Justifiedfrom nformationernAppnformationAssurerJustifiededuresAudanation fornformation Dual Date ofConclusionAt DateFrom DateTo Data Endnotes 1ISO (International Organization for Standardization),founded in 1974,is a worldwide federation ofnational standards bodies from some 100 countries,one from each country.Among the standards it fosters is Open Systems Interconnection (OSI),a universal reference model for communication protocols.Many countries have national standards organizations such as the American National Standards Institute (ANSI) that participate in and contribute to ISO standards.2The W3C (World Wide Web Consortium) is an industry consortium led by not-for-proÞt entities.The Consortium seeks to enhance interoperability among Web technologies by developing speciÞcations,guide-lines,software,and tools to lead the Web to its full potential.3A taxonomy is a dictionary ofthe Þnancial terms used in preparing Þnancial statements or other business reports and the corresponding XBRL tags.Since the same tags are used by all ÒpublishersÓofXBRL docu-ments who rely on the same taxonomy,all users ofthose documents will recognize the tagged data the same way.For example,the tag roup type= Òci:balanceSheet.assets&#xg000;Ó indicates that the data after the tag relates to assets on the balance sheet.4Additional information about the relationship between HTML,XML,and XBRL,and examples oftheir application to Þnancial information are contained in our paper on ÒBusiness Reporting with XMLÓin the Encyclopedia ofthe Internetedited by Hossein Bidgoli,John Wiley,forthcoming.5Current auditing and review standards already contem-plate the possibility that the auditor might provide assurance about Þnancial information and non-Þnancial information.For example,refer to AICPA Professional Standardssection 623.6There are several XBRL document validation programs.One is available from XBRL Solutions Inc.(http://www.xbrlsolutions.com)7Due to the advances ofinformation technology,more organizations depend on it to run their businesses,pro-duce products and services,and communicate with customers and business partners.It is very important that their systems be secure and reliable and produce accurate information.In response to this business need,the AICPA and the Canadian Institute ofChartered Accountants (CICA) have introduced system assurance services such as SysTrust and WebTrust,which enable public accountants to provide assurance that a system is reliable.8This step is not mandatory;however,the advantages ofdoing so are that a log can be created ofall parties relying on the Þnancial statements for purposes ofprivity or for notiÞcation in case ofrestatements.Some parties may be reluctant to supply such information.9Currently,W3C is working on XML Encryption and XML Signature speciÞcations.These will provide a practical way ofimplementing the ideas expressed in this paper.10This illustration raises several issues that are beyond the scope ofthis paper,such as the risk offree-riding,etc.Whether there would be an economic demand for the approach described herein is an open issue for future research.However,one beneÞt ofusing a public key cryptography approach is that only users who are allowed to access the XARL document directly by the assurance provider would have privity (i.e.,able to sue for negligence).We assume that at a low enough cost,users would be motivated to purchase the assurance from the assurance provider and that the assurance provider would be economically motivated to provide such assurance through the combination offees paid by the reporting entity and user fees.11Trust Services Principles and Criteria Version 1.0is published by the American Institute ofCertiÞed Public Accountants and the Canadian Institute ofChartered Accountants.12A taxonomy viewer application is available from XBRL Solutions Inc.(http://www.xbrlsolutions.com).Please note,that this viewer is designed for XBRL and requires certain minor modiÞcations in the XARL taxonomy to enable the viewer to recognize it.To properly view the taxonomy provided in this paper,this version ofthe viewer requires the global replacement ofÒXARLÓwith ÒXBRLÓ.13This and other examples ofthe XBRL and XARL documents used as illustrations in this paper can be downloaded from the following Web site:http://arts.uwaterloo.ca/~jeboritz/XARL.14Please note that all XBRL examples used in this article are based on version 1 ofXBRL.The XBRL speciÞca-tion version 2.0 was publicly announced on Dec.14,2001.This speciÞcation is to be used to create XBRL taxonomies.However,at the time this article was prepared,no XBRL taxonomy based on version 2.0 was available.Version 2.0 is signiÞcantly different from version 1,but the key concepts described in this article are still applicable.15In the example,assurance information is embedded in the XBRL document by using XARL tags.However,assurance information can be provided as a separate document. SSURANCEREPORTINGFORXBRL:XARL3116Cascading Style Sheets,level 1 (CSS1) is a W3C Recommendation.It describes the CSS language as well as a basic formatting model.Cascading Style Sheets,level 2 (CSS2),which is also a W3C Recommendation,builds on CSS1.It includes media-speciÞc style sheets (e.g.printers and aural devices),and element positioning and tables.17eXtensible Stylesheet Language Transformations (XSLT) has evolved from the early eXtensible Stylesheet Language (XSL) standard.XSL consists ofa language for transforming XML documents and a language for formatting XML documents.The XSL formatting language,often called eXtensible Stylesheet Language Formatting Objects (XSL-FO),provides means to display data in some format and/or media.XSL trans-formations language,known as XSLT,provides means to parse an XML document into a tree ofnodes,and then convert the source tree into a result tree.XSLT was proposed and later accepted as a separate standard for XML data transformation only.XSL is now generally referred to as XSL Formatting Objects (XSL-FO),to distinguish it from XSLT.18The stylesheet is embedded into the XARL document to make the example simple.Like XBRL and XML,a XARL document with stylesheets can be transformed into other formats such as HTML,text,spreadsheet,and database.19Microsoft Internet Explorer 6.0 is recommended for viewing this example.Internet Explorer 5.0 and 5.5 include the Microsoft XML Parser (MSXML),which includes an implementation ofeXtensible Stylesheet Language (XSL) that is based on a working draft ofthe XSLT speciÞcation.The XSLT speciÞcation was Þnalized on November 19,1999.The MSXML parser installed in Internet Explorer 5.0 and 5.5 does not support the most current XSLT speciÞcation.Thus,a reader ofthis article who uses Internet Explorer 5.0 or 5.5 must install MSXML version 3.0 or higher from MSDN.microsoft.com/xml.Unfortunately,Netscape 6.2 does not support the XSLT speciÞcation.Therefore,the example will not work in Netscape.20XML Encryption deÞnes a format,data model,and encryption syntax for encrypting content,along with the information an intended recipient would be required to decrypt to access data or Þles.Thus,XML Encryption provides an encrypted key mechanism and a method for providing a Uniform Resource IdentiÞer (URI) for a known key.It also supports XML Signature,and interoperates with XML Schemas,as well as supports the requirements ofthe Organization for the Advancement ofStructured Information Standards (OASIS) XML-Based Security Services Technical Committee (SSTC).OASIS is a not-for-proÞt,global consortium that drives the development,convergence,and adoption ofe-business standards.For further information,visit the XML Encryption Web site http://www.w3.org/Encryption/2001/.21Please note that the example is based on the second W3C Candidate Recommendation from the XML Encryption Working Group.The Þnal W3C Recommendation may differ from this recommenda-tion,but the key concepts described in this article are still applicable.22In public key cryptography,the entire message is typically not transformed with the private key,mainly due to performance considerations.As an alternative,a small unique part ofthe document,called a ÒhashÓor ÒdigestÓ,is transformed instead ofthe whole document.Since the digest is very sensitive to changes in the original document,recipients can easily determine whether the data was changed by comparing the digest that was sent to them with the digest they calculated from the data they received.In addition,recipients can verify the source ofthe message by transforming the hash with their private key.23For additional information please refer to Chapter 10 ofElectronic Commerce:Security,Risk Management,and Controlby Marilyn Greenstein and Miklos Vasarhelyi,McGraw Hill Irwin,2002.24XML Signature is being developed by a joint Working Group ofthe W3C and the Internet Engineering Task Force (IETF).IETF is an open international community ofnetwork designers,operators,vendors,and researchers concerned with the evolution ofthe Internet architecture and the smooth operation ofthe Internet.Their mission is Òto develop an XML-compliant syntax used for representing the signature ofWeb resources and portions ofprotocol messages (anything reference-able by a URL) and procedures for computing and verifying such signatures.ÓIt is open to any interested individual.For further information,visit the XML Signature Web site (http://www.w3.org/Signature/).25Non-repudiation means that the signer ofa document cannot later disown the digital signature by claiming it was forged. ©2003Demand for Data Assurances in Electronic Commerce: An Experimental Examination of a eb-based Data Exchange Using XMLAndreas I.NicolaouAlan T.LordLi LiuAll at Bowling Green State UniversityAbstractThe emergence ofelectronic commerce exchanges in the organizational supply chain has created a demand forincreased accountability and control among transacting parties.The provision ofassurance services has the potential to satisfy this demand,as a compensatory service for exchangepartners who would otherwise not have the capability to exer-cise control over a speciÞc exchange they are involved with.In business-to-business electronic commerce (B2B EC)exchanges,there is a demand for assurance services to ensuredata integrity in many situations and types ofevents.Trusorthiness must be communicated to users when anexchange occurs;a possible way to accomplish this is throughthe use ofcontrol templates,which can validate the content ofdocuments involved in the exchange.In consequence,this typeofvalidation must be provided through assurances at the datalevel and must be based on the ÞrmÕs data model and its struc-tural constraints.The present study examines the impact ofdata-level assurances in minimizing the extent ofrelationalrisk in an inter-organizational exchange.A simulated ECexchange using eXtensible Markup Language (XML) was custom-developed for this experiment to examine the extent to which data assurances that are provided in a data exchangeinßuence the level ofassessed risk in an inter-organizationalexchange.The results ofthe study indicate that the provision ofdata-level assurances have a signiÞcant effect on the reductionofrelational risk.Furthermore,perceived risk within a speciÞcdecision context was found to interact with the availability ofdata-level assurances when subjects evaluated the overall riskofengaging in transactions with the B2B EC exchange.Theseresults present implications for the demand and supply ofdata-level assurances in information systems used in B2B ECenvironments.The study makes important contributions toboth researchers and professionals that are evaluating the effect ofdata-level assurances on the overall risk associatedwith EC exchanges.I. IntroductionThe emergence ofelectronic commerce exchanges in the organizational supply chain has created a demand forincreased accountability and control among transacting parties.The provision ofassurance services has the potentialto satisfy this demand as a compensatory service forexchange partners who would otherwise not have the capability to exercise control over a speciÞc exchange they are involved with.A diverse set ofstakeholders in contemporary organizations desire increased and more valid information about the potential consequences oftheiractions before they enter into risky behaviors.The AmericanInstitute ofCertiÞed Public Accountants (AICPA) has shownan early interest in the assurance market.According to theAICPA,assurance services are Òindependent,professionalservices that improve the quality ofinformation or its context ofuse for decision makersÓ(Elliott 1998).Thus,assurance services can be described as activities conductedby trusted professionals to certify and/or validate businesstransactions in an organizationÕs supply chain,as in transac-tions between trading partners and/or between businessesand consumers.Such services could be used to satisfy assurance needsabout the authenticity oftrading partners,the availabilityand performance ofservices as promised,and compliancewith regulatory and/or operating procedures,as well as theadequacy ofinternal control mechanisms (security andintegrity oftransactions).Some ofthese assurance goals can be satisÞed through extant assurance services whereorganizational policies and procedures for Web-based transactions are reviewed and a seal ofapproval is providedto signify satisfactory performance.The legitimacy that is attributed to an organizationthrough such third-party assurances,as in the AICPAÕsWebTrust and SysTrust services,can enhance the level oftrust that might be perceived for that organizationÕs infor-mation systems and processes.However,these assuranceservices are periodic in nature and do not consider thedynamic status ofdata that is exchanged between tradingpartners on a day-to-day basis,nor do they ensure that theintegrity ofthe exchanged data elements is continuouslymaintained during processing and storage procedures.In anopen,Web-based electronic exchange between two tradingpartners,i.e.,in business-to-business electronic commerce(B2B EC),data integrity must be ensured in all situations EMANDFORDATAASSURANCESINELECTRONICCOMMERCE33and for all types ofevents.The trustworthiness ofexchangeddata,therefore,cannot be adequately assessed by judging the overall reliability ofthe information system on a periodicreview basis,as is being done in a SysTrust engagement.Trustworthiness must be communicated to users in everyinstance an exchange occurs.A possible way to accomplishthis is through the use ofcontrol templates,which can validate the content ofdocuments involved in the exchange.As a result,this type ofvalidation must be provided throughassurances at the data level and must be based on the ÞrmÕsdata model and its structural constraints.Relational risk in an inter-organizational exchange hasbeen conceptualized in prior research as an outcome ofatrusting relationship (Mayer,Davis,and Schoorman 1995;Sitkin and Pablo 1992).Relational risk is deÞned in thisresearch as the overall level ofrisk that is assessed in aninter-organizational exchange.In B2B EC exchanges,a certain degree ofrisk exists that is relative to the transactingparties involved in the exchange.This overall assessed levelofrisk is what is referred to in this work as relational risk.The purpose ofthe present study is to examine the extent to which data-level assurances in B2B EC can contribute tominimize relational risk in an inter-organizational exchange.A simulated EC data exchange using XML was custom-developed for this study and employed in a controlled,experimental setting to examine the extent to which theavailability ofdata assurances in the exchange inßuence thelevel ofoverall assessed risk.Our results from a controlledexperimental setting indicate that the provision ofdata-levelassurances have a signiÞcant effect on the reduction ofrelational risk.Furthermore,the degree ofimportance andcriticality attributed to the decision context was found tointeract with the availability ofdata-level assurances inreducing relational risk.The results suggest signiÞcant impli-cations for the demand and supply ofdata-level assurancesin information systems used in B2B EC environments.Professional organizations such as the AICPA exhibit greatinterest in identifying and making available such assurancesand could therefore beneÞt from these results.Additionalcontributions ofthis research include making available asimulated exchange that can be employed in experimentalsettings,and a research instrument with measurement itemsthat can be used in future studies that examine the effect ofdata-level assurances on EC transactions.II. Conceptual Background And ReseachHypothesesThe demand for data-level assurances is conceptually justiÞed by the need to establish a sense oftrust amongtransacting parties in B2B EC.Trust among the parties,however,can be effective when the level ofdata assurancesprovided minimizes the negative effects ofperceived risk inthe decision context.As a result,the conceptual model ofthestudy draws from the body ofresearch that examines trustand risk in inter-organizational exchanges.Basic Concepts in Research ModelIn the most recent inter-organizational research,the con-cept oftrust has been critical in supplementing traditionalforms ofgovernance that are presumed to describe business-to-business relationships (Das and Teng 1998;Hewett andBearden 2001;Nooteboom,Berger,and Noorderhaven 1997;Rousseau,Sitkin,Burt,and Camerer 1998;Sako and Helper1998).Trust also has been very instrumental in explainingincidents oforganizational behavior that assume a certaindegree ofrisk,especially business exchanges where risk isrelative to the speciÞc partner with whom an organizationinteracts (Nooteboom et al.1997;Sheppard and Sherman1998).Recent work in organizational behavior and theoryhas attempted to better deÞne the concept ofinter-organizational trust and distinguish its antecedents and consequences (Mayer et al.1995).The need for trust arises only in a risky situation.As a result,a perception ofrisk is prerequisite to trust;in a business-to-business exchange,for example,a perception ofrisk might be related to the sensitivity ofthe data trans-mitted between the two partners or the criticality ofthe data exchange in terms oftimeliness and accuracy.Theseexamples illustrate the degree ofperceived risk that exists in a speciÞc situation.Perceived risk,therefore,describes the situational risk that might exist in a speciÞc decisionenvironment and is distinguished from other types ofriskdeÞned here,such as relational risk.For a party to accept thelevel ofrelational risk involved in an exchange and engage in risk-taking behavior,however,a relationship oftrustshould Þrst be established.The deÞnition oftrust in a B2Bexchange could be based on a generalized deÞnition fromthe inter-organizational exchange literature (e.g.,Mayer et al.1995).Trust in B2B exchanges,therefore,can be deÞnedas the willingness ofa party (the trustor) to be vulnerable to the actions ofanother party (the trustee) based on theexpectation that the other will perform a particular actionimportant to the trustor,irrespective ofthe ability to monitor or control the trustee.In the early information technology research (e.g.,Bakos1991;Malone et al.1987),analogous theoretical argumentswere provided to explain vertical and hierarchical forms ofcooperation among trading partners in electronic relationships as mechanisms to reduce relational risk.Information links among trading partners in a vertical mar-ket were explained in terms ofan electronic hierarchy,whereinformation systems exist at the interface ofthe value-addedchain ofa supplier and a customer.Traditional ElectronicData Interchange (EDI) systems,for example,are character-ized by these relationships.In these situations ofbilateralintegration,entrance ofnew trading partners is oftenrestricted by the proprietary nature ofthe exchange and by the high initial investment in hardware,software,andtraining required.As a result,asset speciÞcity oftheexchange is increased,thus enhancing the value ofsmallnumber exchanges (Williamson 1975) and providing a cost advantage ofinternal organization (hierarchical governance),leading to a reduction in relational risk.In open-market exchanges where horizontal forms ofcoop-eration among trading partners exist,these parties may no longer be subjected to the same type ofconstraints as in vertical markets.In addition,the role ofa Value-AddedNetwork (VAN) to both facilitate and reduce the risk ofpossible losses (threats) in the exchange no longer exists.In such an Òelectronic marketÓenvironment (Bakos 1991),inter-organizational systems are used to share informationmultilaterally between potential buyers and sellers (e.g.,sharing product catalogs,prices,et cetera),with a goal toestablish a bilateral relationship and allow a higher level ofelectronic integration among trading partners.In e-commerce exchanges,therefore,a certain degree ofriskexists that is relative to the transacting parties involved in the exchange.This overall level ofrisk may be due to the perceived riskiness in transaction processing.Perceived riskin the decision environment,therefore,will inßuence theextent to which a relationship oftrust should exist in theabsence ofdirect control over the behavior ofthe otherparty.Thus,organizational trust in EC exchanges serves asan uncertainty absorption mechanism,since the willingnessofan organization to place trust in a partner acts as a bufferto absorb uncertainty in the relationship without exercisingcontrol over the exchange.Trustworthiness in a dataexchange must therefore be established in relation to a ÞrmÕs electronic transactions that occur on a real-time basisand must be communicated to users in every instance anexchange occurs.Trustworthiness in data exchange or data-level assurance can therefore be provided through the designofa generalized schema that is available to all parties in theexchange and ensures that both the format and content ofexchanged data conform to a ÞrmÕs data model and businessconstraints.Figure 1 presents the basic research model forthe study.FIGURE1Research Model for the StudyThe concepts and relationships identiÞed in Figure 1 areused to motivate the research hypotheses for the study.Open (Web-based) Data Exchange in B2BEC and Overall Risk Taking BehaviorTrust and data-level assurances in speciÞc B2Bexchanges.In past inter-organizational research,a trusteeÕsperceived trustworthiness (as judged by the trustor) hasbeen operationalized in terms ofthe trusteeÕs perceivedintegrity and perceived benevolence (Mayer et al.1995;Nooteboom et al.1997).Integrity refers to Òthe trustorÕs perception that the trustee adheres to a set ofprinciples thatthe trustor Þnds acceptableÓ(Mayer et al.1995,p.719),while benevolence is deÞned as the Òextent to which a trusteeis believed to want to do good for the trustor,aside from anegocentric proÞt motiveÓ(p.718).In B2B EC,Òperceivedintegrity in the data exchangeÓcould be deÞned as whetherthe data involved in the exchange adheres to a set ofprinci-ples or qualities that the trustor Þnds acceptable.Such qualities for example,could consist ofthose informationqualities oftimeliness,completeness,accuracy,comprehen-siveness,veriÞability,reliability,and validity ofexistence(Nicolaou,Masoner,and Welker 1995).ÒPerceived benevo-lence in the data exchange,Óon the other hand,could bedeÞned as the trustorÕs assessed intention ofthe trustee tosuccessfully complete the data exchange.Benevolence can beestablished after gaining some experience with the speciÞcexchange (e.g.,Nooteboom et al.1997) and is based on aconsistent sense ofassurance that is communicated to oneparty (the trustor) by the trusteeÕs information system inprocessing exchanged data in an accurate and completemanner.As a result ofthe above conjectures,the followingseries ofresearch hypotheses (in alternative form) can beadvanced:In B2B EC,the provision ofenhanced data-level assurance will be: Trustworthiness in Datavel erceivontext ver - EMANDFORDATAASSURANCESINELECTRONICCOMMERCE35H1a:negatively associated with the probability ofhaving lost transactions in the speciÞc exchange;H1b:negatively associated with the probability oftransmitting invalid data in the exchange;H1c:positively associated with the probability ofsuccessfully completing the speciÞc transaction.Perceived risk in a B2B decision context and overallrisk-taking behavior.A recent inter-disciplinary review oftrust has shown that risk is considered an essential conditionin psychological,sociological,and economic conceptualiza-tions oftrust (Rousseau et al.1998).Risk,as deÞned by thecombinatory effect ofthe perceived probability ofloss (lossexposure) and the extent ofloss (threat),when and ifitoccurs,creates an opportunity for trust,which leads to risk-taking.As a result,a perception ofrisk is prerequisite totrust;as stated earlier,in B2B EC,a perception ofrisk mightbe related to the sensitivity ofthe data transmitted betweenthe two partners or the criticality ofthe data exchange interms oftimeliness and accuracy.Relational risk as an outcome ofa trusting relationship,however,implies that one takes action with an expectation ofa positive or a negative outcome and is distinguished fromsituational factors that necessitate trust (as in the perceptionofrisk that a particular information exchange with a giventrading partner will be unreliable or untimely).In traditionalelectronic data interchange (EDI),trading partners ensuretrustworthiness in data transmission,accuracy,reliability,timeliness,and completeness through the use ofa value-added network provider (VAN).The VAN serves as an inter-mediary that provides an effective substitute for the lack ofassurance that each trading partner would perform asexpected.In open,Web-based exchanges,however,althoughdisintermediation carries many apparent efÞciency beneÞts,it also poses certain risks that trading partners have toassess.Assurance on Web site availability and good house-keeping practices (as that provided by a WebTrust seal),or even assurance on information system integrity and ade-quacy ofcontrols built into an internal system (as providedby SysTrust),do not necessarily mean that adequate assur-ance is also available for data exchanged over a ÞrmÕs supplychain.Additional data-level assurances may also be indemand to ensure that both the format and content ofdataexchanged through agreed-upon schemas conform to aÞrmÕs data model and constraints.Trust and risk-takingbehavior can be valid concepts only when partners canchoose among different courses ofaction.Trust would therefore be expected to be more signiÞcant in open-market,electronic exchanges.As a result,the following series ofresearch hypotheses are advanced (in alternative form):H2a:The level oftrust associated with a data exchange in B2B EC will be negatively related to the overall assessed risk (or relational risk) in the exchange.H2b:The level ofperceived risk within a speciÞc decision context will be directly related to the overall assessed risk in the exchange.H2c:An increase in the level ofperceived risk within a speciÞc decision context will have a signiÞcantly greater effect on the overall assessed risk when a lower level oftrust is attributed to the data exchange than when a higher level oftrust is evident.Because relational risk is presumed to be a function oftrust in the exchange,the extent to which situational riskattributes a sense ofcriticality or sensitivity in a speciÞcdecision context can enhance or reduce the importance thatis placed on the provision oftrustworthy data exchanges andthus affect demand for data-level assurances.As a result,thefollowing research hypothesis is advanced:H3:A higher level ofperceived risk in a decision context,combined with a lower level oftrust in the data exchange,will positively inßuence the demand for data-level assurance in a speciÞc B2B EC exchange.III. Research MethodDevelopment of Simulated InformationProcessing Schema in B2B ECFor the purposes ofthis experiment,an informationexchange schema was developed to test the validity oftheconceptual arguments presented in the research hypotheses.This effort corresponds to a generative-constructive researchmethod that usually precedes the logico-empiricist methodofhypothesis testing.This method promotes validity in theconceptual domain since it allows for the detailed differenti-ation offeatures ofthe focal problem,while it contributes tothe generalizability,precision ofmeasurement,and realismofthe projectÕs methodological domain (Brinberg andMcGrath 1985).The information exchange schema developed in thisresearch assists in implementing an open architecture for theinterchange ofbusiness processing models and transactiondata in a B2B EC environment.XML provides a frameworkfor describing the syntax for creating and exchanging datastructures,and it also allows for simplicity (separation ofmodel schema for a speciÞc business process from its data-driven instances or transaction requests),extensibility,inter-operability,and openness (W3C 1999;2000).The informa-tion-processing schema represents a generic document-type deÞnition (DTD) for the purchasing business process,alongwith detailed tag speciÞcations and sample instance docu-ments with transaction data.A model company was createdand a relational database (on an Structured Query Language(SQL) database server) was developed that maintained sample data.Instance documents,which are exchangedbetween two simulated trading partners,are parsed and validated against the developed XML schema,and thentranslated into SQL statements in order to enter the modelcompanyÕs database and process the relevant requests.Figure2-a presents the generalized model that was adopted for thedesign ofthe XML-based information exchange schema.FIGURE2-ADiagrammatic Representation ofGeneralized Model for XML-basedElectronic CommerceThe generalized model shown in Figure 2-a was subse-quently employed to develop two different types ofXML-based business data exchanges.The Þrst data exchange provided real-time validation ofboth the format and contentoftransaction data,and also provided an online real-timesearch function to the user.This is referred to as the ÒAssuredBusiness Data ExchangeÓ(ABDE),and its basic design isdepicted in Figure 2-b.FIGURE2-BDiagram ofAssured Business Data Exchange (ABDE)The second data exchange provided a basic validation ofthe format oftransmitted data,without providing validationofdata content.This is referred to as the ÒNon-AssuredBusiness Data ExchangeÓ(NABDE),and its design is depicted in Figure 2-c.FIGURE2-CDiagram ofNon-Assured Business Data Exchange (NABDE)Instrument DevelopmentThe experimentÕs instrument package that was providedto the subjects consisted ofseveral parts.The cover page was a letter mandated by our institution where the studentssigned to indicate their informed consent about their partici-pation in the experiment.A one-page description about thebasic technology supporting a web-based exchange ofdatausing XML provided all subjects with a minimal commonbasic knowledge about a generalized model ofWeb-based e-commerce (EC) exchange.This basic description was followed by a two-page description ofthe two types ofbusi-ness exchanges that were developed for this experiment.Thisdescription explained features common to both exchangesand further noted that ÒABDEÓprovided real-time validationofthe content oftransaction data and an online search function,while ÒNABDEÓdid not provide these features.After reading about both types ofbusiness exchanges,thesubjects were provided detailed instructions on how to entertwo transactions using each ofthem.These instructionsmade the subjects familiar with how the business exchangesworked and highlighted the unique validation features ofABDE as compared to NABDE.The subjects were then askedto respond to a series of19 statements related to their ÒtrustÓofthe two data exchanges.For both exchanges,the subjectsresponded by circling a number between 1 and 7 with theend points labeled as strongly agree (disagree) and the middle point identiÞed as Òneither agree nor disagree.ÓSix ofthese statements were from the ÒSystem Trust ScaleÓpreviously used and tested by McAllister (1995),one ofthestatements asked about overall trust,and the remaining 11 Generalized Model for XML-based E-Commer reed roc Model ContentdityData InputInput ControlSubmit data Assured Business Data Exchange (ABDE) Parse XML file Input ControlSubmit dataUsingstack Generate XML fileFeedback XMLto CustomerConcurrency control using token passing mechanismCompletionStack-basedparsing tree Parse XML file ed Business Data Exchange (NABDE) EMANDFORDATAASSURANCESINELECTRONICCOMMERCE37items,which we identify as Òdata assurance items,Óweredeveloped in this research (see table 1).These trust questionswere used as manipulation checks to verify that the instru-ment and the features presented about the two exchanges ledsubjects to ÒtrustÓABDE more than NABDE.As anticipated,our tests indicated that for all items the subjects recorded ahigher trust in ABDE than NABDE.The mean differencescores,with standard deviations,are presented in Table 2.In all cases,differences between the scores for the two dataexchanges were signiÞcant at pTABLE 1MANIPULATION CHECK ITEMS FOR TRUST AND DATA ASSURANCEPanel A:Trust Scale Adapted from McAllister (1995) Q1.Ifpeople knew in detail the design and functionality ofthis system,they would be more concerned and monitor its performance more closely.(This item was reverse scored)Q5.Most people,even those who would just use this system for a single time,would trust the system.Q6.Other people who must use this system would consider it to be trustworthy.Q9.The provider ofthis system approaches his/her job with professionalism and dedication.Q15.Given my experience with this system,I see no reason to doubt the effectiveness ofthe system to carry out my transactions.Q17.I can rely on this system not to make my job more difÞcult by careless work.Panel B:Items Developed in this ResearchO v e r a l l T r u s t: Q2.All in all,I trust this system.D a t a A s s u r a n c e I t e m s: Q3.I am conÞdent that the data I transmit through the system will be valid and accepted by the vendor.Q4.The data I enter on the form is the same data received by the vendor.Q7.The system ensures the accuracy ofthe transmitted data.Q8.The transaction data transmitted is actually processed by the vendor.Q10.The data I enter on the system can be relied upon.Q11.I get the information I need in time.Q12.The system requires sufÞcient data to carry out transactions.Q13.I am conÞdent that the data I transmit through the system will be processed and my order executed.Q14.I am conÞdent that the data I transmit through the system will reach its destination.Q16.The system provides up-to-date information with regard to past transactions.Q18.The system protects the data from unauthorized tampering during transmission.Q19.The data I enter on the system is valid.Notes:1.The question numbering corresponds to the actual sequence in which each question was asked on the measurement instrument.1.The responses for all 19 times were measured on a Òstrongly agreeÓto Òstrongly disagreeÓseven-point response scale and were obtained individually for both ÒABDEÓand ÒNABDEÓ.TABLE 2DATA ANALYSIS FOR MANIPULATION CHECK ITEMSN=66anel A:McAllister (1995) Trust Scale ABDEABDENABDENABDEDifferenceDifferencePairedMeanStd.Dev.MeanStd.Dev.MeansStd.Dev.t-test*Q14.1361.5282.151 1.167 1.985 1.714 Q55.6061.10783.197 1.747 2.409 1.840 Q65.5911.0222.742 1.305 2.848 1.6756 Q95.6971.0953.000 1.436 2.697 1.905 Q155.7271.0012.333 1.207 3.394 1.568 Q175.7581.0822.348 1.387 3.409 1.953 Six-Item Ave.5.4200.780 2.629 0.984 2.790 1.248 18.17 Panel B:Items developed in this research ABDEABDENABDENABDEDifferenceDifferencePairedMeanStd.Dev.MeanStd.Dev.MeansStd.Dev.t-test* O v e r a l l T r u s t: Q25.6971.1892.3641.2363.3331.63016.62 D a t a A s s u r a n c e I t e m s: Q36.030 0.822 2.3641.185 3.667 1.482 20.11 Q4 5.894 0.947 4.121 1.844 1.773 1.821 7.91 Q7 5.864 1.051 2.561 1.4263.303 1.789 15.00 Q8 5.561 1.010 3.440 1.490 2.121 1.844 9.35 Q10 5.773 0.856 3.061 1.435 2.712 1.547 14.24 Q11 6.000 1.023 3.364 2.043 2.636 2.050 10.45 Q12 5.970 1.109 4.379 1.920 1.591 1.856 6.96 Q13 6.000 0.804 2.712 1.476 3.288 1.699 15.73 Q14 5.924 0.791 4.106 1.764 1.818 1.762 8.38 Q16 6.136 0.9102.788 1.819 3.348 2.094 12.99 Q18 4.561 1.383 3.636 1.388 0.924 1.667 4.50 Q19 5.758 1.178 3.470 2.025 2.288 2.066 9.00 * All t-statistics for mean difference scores were signiÞcant at pFollowing these common parts ofthe package,each subject received one offour different one-page case descrip-tions that were used to deÞne the independent variables andto separate the subjects into the four treatment groups.Thecase scenario instructed the study participants to portray theowner ofa store that sold a variety ofgift items.The storeÕssuccess was very dependent upon sales around gift-givingholidays,and the Christmas season and ValentineÕs Day were identiÞed as two important times ofthe year.It wasexplained that the supplier ofthe storeÕs products recentlyhad developed the Web-based ordering exchange that hadbeen described earlier in the experiment (and that the stu-dents had practiced).In the scenario,it was early Decemberand this was the Þrst time the store owner had used this newexchange to order products.The experimental design was a 2 X 2 arrangement withparticipants assigned randomly to one offour treatmentgroups established by varying the type ofexchange that wasavailable for the subjects to use (ABDE or NABDE) and therisk associated with the product order (very low risk or veryhigh risk).The ValentineÕs Day order represented an orderthat was stated to be very low risk because the store ownernormally placed the order in early January and therefore sufÞcient time was available to place the order again iftherewere any problems.Because there was very little time tospare ifthe order was not placed correctly the Þrst time,theChristmas season order was stated to be ofvery high riskbecause the products were needed so quickly.The subjects in each treatment group were instructed to enter two trans-actions that they were to consider as being representative ofthe entire order for their particular seasonÕs products.Therepresentative products to be ordered were substantially thesame so that this issue would not impact the results oftheexperiment. To determine the effectiveness ofour cases in establishingthe risk difference between the high-risk condition (Christ-mas order) and the low-risk condition (ValentineÕs Dayorder),we asked the subjects to respond to two questionsfrom two different perspectives.The Þrst two manipulationquestions asked the subjects to rate the (a) importance and(b) criticality ofthe accurate completion oftheir order fortheir storeÕs success.The second two manipulation checksasked the subjects to rate the (a) importance and (b) critical-ity ofthe timely fulÞllment oftheir order by their supplierfor their storeÕs success.Table 3 shows that the subjects in thehigh-risk groups differed from the low-risk groups in theirevaluation ofthe risk associated with the two questions andtwo perspectives.The differences related to their evaluationofthe accurate completion ofthe order were both signiÞcantat pand the differences related to their evaluation ofthe timely fulÞllment ofthe order were both signiÞcant at pThe details ofthe statistical results,including themeans and standard deviations are in Table 3.TABLE 3ANOVA RESULTS FOR MANIPULATION CHECKS ON PERCEIVED (SITUATIONAL) RISKPanel A:How would you rate the completion ofthis order for your storeÕs success?A1.Seven-point scale with endpoints Ònot importantÓ(1) and ÒimportantÓ(7)SourceDegrees ofFreedomSum ofSquaresF-StatisticR-squareModel1 2.97 3.38 (p = 0.07) 5% Error 64 56.30 A2.Seven-point scale with endpoints Ònot criticalÓ(1) and ÒcriticalÓ(7)SourceDegrees ofFreedomSum ofSquares F-Statistic R-square Model 1 10.24 7.16 (p = 0.009) 10.1% Error 64 91.52 Panel B:How would you rate the timely fulÞllment ofthis order by your supplier for your storeÕs success?B1.Seven-point scale with endpoints Ònot importantÓ(1) and ÒimportantÓ(7)SourceDegrees ofFreedomSum ofSquares F-Statistic R-square Model 1 6.68 5.29 (p = 0.025) 7.6% Error 64 80.85 B2.Seven-point scale with endpoints Ònot criticalÓ(1) and ÒcriticalÓ(7)SourceDegrees ofFreedomSum ofSquares F-Statistic R-square Model 1 6.06 4.75 (p = 0.033) 6.9% Error 64 81.70 Panel C:Item means (standard deviations) by risk levelLevel ofRisk N A1 A2 B1 B2 High (Christmas)336.58 (0.83)6.45 (0.90) 6.61 (0.61) 6.36 (0.65) Low (ValentineÕs Day)33 6.15 (1.03) 5.67 (1.43) 5.97 (1.47) 5.76 (1.46) The last section ofthe experiment package was a series ofquestions that we used as the dependent variable measure-ment items.All ofthe measurement items were designed toelicit a probability or likelihood response from the subjects.Subject Acquisition and AdministrationProceduresThe subjects for this research were students at theauthorsÕuniversity.Although these students were not actuallystore owners as described in the case,we think the nature ofthe task is such that experience as a store owner was not anecessity to our design.Rather,we designed the research to utilize student participants who would have a more com-prehensive knowledge ofelectronic commerce systems thanthe average student.The subjects were undergraduate andgraduate students that were in either a course studying electronic commerce or one studying accounting informa-tion systems,which included electronic commerce topics.The experiment was administered during a normal classperiod,and the classes each met in one ofthe computer lab classrooms on campus.All subjects volunteered to participate in the experiment,and some ofthe students inthe classes chose to work on other class assignments instead ofparticipating in the research project.All participating students read and signed the informed consent statementbefore participating,and no students who began the experi-ment subsequently withdrew from the subject pool norasked that their data not be utilized.No incentives were provided to the subjects to gain their voluntary participationin the project.After the collection ofall materials,theresearcher who administered the experiment debriefed the participants.Ample opportunity was provided to askquestions,and we provided contact information in case there were subsequent questions.IV. ResultsAll subjects in the experiment had knowledge and practice with both the exchange that provided real-time validation ofthe transaction data (ABDE) and the exchangethat did not provide the real-time validation (NABDE).However,as discussed above,the subjects randomly wereassigned treatment groups that allowed them to use only one ofthe two exchanges.To test the Þrst three researchhypotheses (H1a,H1b,and H1c),three dependent variablequestions were designed to determine ifresponses providedby the subjects that utilized ABDE differed from responsesprovided by subjects that were assigned to NABDE.For eachofthe three questions,the subjects recorded a percentageprobability on an 11-point scale that had end-points of0%and 100% and where each point was a 10% point increment.The results ofthe statistical analysis,as well as the meansand standard deviations for each item and experimentalcondition,are presented in Table 4. EMANDFORDATAASSURANCESINELECTRONICCOMMERCE39TABLE 4MEANS AND ANOVA RESULTSPROBABILITY ESTIMATE DEPENDENT VARIABLE MEASUREMENTSPANEL AH1a:Considering the case and the system assigned to you,how would you rate the probability ofhaving lost transactionswhen using this system?SourceDegrees ofFreedomSum ofSquaresF-statisticR-square Model 1 260.02 68.90 (p )51.84% Error 64 241.52 H1b:Considering the case and the system assigned to you,how would you rate the probability oftransmitting invalid datawhen carrying out your transactions using this system?SourceDegrees ofFreedomSum ofSquaresF-statisticR-square Model 1 432.74 116.93 (p )64.63% Error 64 236.85 H1c:Considering the case and the system assigned to you,how would you rate the probability ofyour transactions being successfully completedusing this system? (The subjectsÕresponses for this item were reverse scored.)SourceDegrees ofFreedomSum ofSquares F-statistic R-square Model 1 331.88 92.59 (p )59.13% Error 64 229.39 PANEL BItem means (standard deviations) for each dependent variable by type ofdata exchange (A or B)System IdentiÞer N H1a H1b H1c ABDE 33 2.73 (1.48) 2.67 (1.41) 2.40 (1.34) NABDE 33 6.70 (2.31) 7.79 (2.33) 6.88 (2.32) Note:The responses for each ofthese items were measured on an 11-point scale,indicating a range ofpercentages from 0% to 100%,using a 10-percentage-point increment.The question designed to test research hypothesis H1a asked the subjects to consider the case and exchangeassigned to them and rate the probability ofhaving losttransactions when using the exchange.As predicted by thehypothesis,the subjects using ABDE had a signiÞcantlylower (p= .0001) mean probability of27.3% as compared to the subjects using NABDE who recorded a higher probability of67%.The second question,designed to test H1b,asked subjectsto consider the case and exchange assigned to them and to rate the probability oftransmitting invalid data when carrying out their transactions on their assigned exchange.The subjects also responded as predicted for this question.The ABDE subjects had a signiÞcantly lower (p= .0001)mean probability of26.7% as compared to the subjects using NABDE who recorded a higher probability of77.9%.The last ofthese questions,designed to test H1c,was a reverse scored item that required the subjects to rate theprobability oftheir transactions being successfully completedusing their assigned exchange.This question was reversescored so that our analysis would present a higher level ofsuccess as being on the lower end ofthe scale,which is consistent with the analysis ofresponses on the other items.As shown in table 4,the results for this test also supportedthe hypothesis.The mean (reverse scored) value for ABDE subjects was 2.40 as compared to a signiÞcantly greater (p= .0001) value of6.88 for the subjects in NABDE.Research hypothesis H2 predicted an interaction effectbetween the level oftrustworthiness provided by the dataexchange used by a subject and degree ofperceived risk inthe decision context in affecting the extent ofoverall risk inthe information exchange.Table 5 presents the measurementitem designed to test the hypothesis,along with item meanand standard deviation values by experimental condition.TABLE 5ITEM DESCRIPTION AND RESULTS ON OVERALL (RELATIONAL) RISK HYPOTHESIS PANEL A Ð Item Description for Dependent Variable Used in the AnalysisH2.Considering the case and the system assigned to you,how would you rate the overall risk ofengaging in transactions with this system?(Responses were measured on a 7-point scale,with Òextremely lowÓ(1) and Òextremely highÓ(7) endpoints.) PANEL B Ð Means,Standard Deviations and ANOVA Results Cell Means and Standard Deviations Level ofRiskType ofSystemNMeans (Std.Deviations) High (Christmas) ABDE 17 2.53 (1.42) High (Christmas) NABDE 16 5.88 (0.89) Low (ValentineÕs Day) ABDE 16 2.13 (1.03) Low (ValentineÕs Day) NABDE 17 4.65 (1.54) Analysis ofVarianceSourceDegrees ofFreedomSum ofSquares F-Statistic R-square Model 3 153.41 32.48 (p)61.11% Error 62 97.62 Independent Variables:Degrees ofFreedomMSEF-statistic RISK 1 8.73 5.54 (p = .0217) SYSTEM 1 139.64 88.69 (p )RISK * SYSTEM 1 5.05 3.21 (p= .0782) The question designed to investigate H2 required thesubjects to rate the overall risk ofengaging in transactionswith this system.Their responses were measured on a 7-point scale with extremely low (1) and extremely high (7) asendpoints.As shown in Table 5,our analysis ofthe subjectsÕevaluation ofthe overall risk ofengaging in transactionsindicated that the type ofexchange they were assigned tohad a very signiÞcant effect upon their responses (F = 88.69,p= .0001),thus providing strong support for H2a.Further-more,as predicted by H2b,there was a clearly signiÞcanteffect related to the risk treatment (high or low) to which the subjects were assigned (F = 5.54,p= .0217).The moredominant effect related to the exchange assignment can beidentiÞed by the subjectsÕmuch higher probability estimatesofoverall risk when the subjects were assigned the NABDEthat did not have real time validation.Although the effectwas less signiÞcant,when the type ofexchange was held Interaction EffectOverall Risk HypothesisOverall Risk12 76 LowNAB constant,the subjects in the high-risk conditions indicated amarkedly higher probability estimate about the overall risk.The interaction ofthese two treatment effects was marginallysigniÞcant (F = 3.21,p= .078),thus providing some supportfor research hypothesis H2c.The last two dependent variable questions were designedto address our hypothesis H3,which investigated the maineffects for the two exchanges and the main effects for ourrisk treatment on the demand for incremental data assurancein the information exchange.These two questions were analyzed with a multivariate analysis ofvariance approachusing repeated measures.Item descriptions and empiricalresults are shown in Table 6.TABLE 6ITEM DESCRIPTIONS AND MULTIVARIATE RESULTS ON THE EFFECT OFSYSTEM AND PERCEIVED (SITUATIONAL) RISK ON DEMAND FOR ASSURANCE (HYPOTHESIS H3)PANEL AÐItem Descriptions for Dependent Variables Used in the Analysis1.Considering the case and the system assigned to you,ifyou had the opportunity to pay a fee to use the alternative system available by this product vendor,what is the likelihood that you would pay this incremental fee?(Responses were measured on a 7-point scale,with Òextremely likelyÓ(1) and Òextremely unlikelyÓ(7) endpoints.2.Considering the events described in the case,ifyou had the opportunity to pay a fee to use an entirely different system(other than the two provided by this product vendor) that would provide additionalconÞdence in your data exchange,what is the likelihood that you would pay this incremental fee?(Responses were measured on a 7-point scale,with Òextremely likelyÓ(1) and Òextremely unlikelyÓ(7) endpoints.PANEL BÐMultivariate Analysis for Repeated Measures on the Two DependentItems Within SubjectsMANOVA Exact F statistic for the Hypothesis of:F-statistic-No Overall Risk Effect:1.09 p = 0.3432 -No Overall System Effect:172.04 p PANEL CÐMeans,Standard Deviations and ANOVA Results 1:Likelihood to Incur Incremental Fee to Use Alternative System.Cell Means and Standard Deviations Level ofRiskType ofSystemNMeans (Std.Deviations) High (Christmas) ABDE 17 1.65 (0.70) High (Christmas) NABDE 16 6.19 (0.66) Low (ValentineÕs Day) ABDE 16 2.00 (1.21) Low (ValentineÕs Day) NABDE 17 6.06 (1.09) Analysis ofVarianceSourceDegrees ofFreedomSum ofSquaresF-StatisticR-square Model 2 306.48 174.09 (p )84.68% Error 63 55.45 Independent Variables:Degrees ofFreedomMSEF-statistic RISK 1 0.97 1.10 (p= .30) SYSTEM 1 305.52 347.09 (p)2:Likelihood to Incur Incremental Fee to Use Different System with Increased Data Assurance.Cell Means and Standard Deviations Level ofRisk Type ofSystem N Means (Std.Deviations) High (Christmas) ABDE 17 4.35 (1.50) High (Christmas) NABDE 16 6.06 (0.93) Low (ValentineÕs Day) ABDE 16 4.19 (1.38) Low (ValentineÕs Day) NABDE 17 5.59 (1.33) Analysis ofVarianceSourceDegrees ofFreedomSum ofSquaresF-StatisticR-square Model2 40.64 12.05 (p)27.67% Error 63 106.23 Independent Variables:Degrees ofFreedomMSEF-statistic RISK 1 1.230.73 (p= .40) SYSTEM 1 39.41 23.37 (p)The Þrst question asked the subjects ifthey had theopportunity to pay a fee to use the alternative system avail-able by this product vendor,what is the likelihood that theywould pay this incremental fee.The second question asked ifthey had the opportunity to pay a fee to use an entirely different system (other than the two provided by the productvendor in the experiment) that would provide additionalconÞdence in their data exchange,what is the likelihood thatthey would pay this incremental fee.The responses for bothitems were recorded on a 7-point scale with the endpointsextremely likely (1) and extremely unlikely (7).A Multiple Analysis ofVariance (MANOVA) evaluationwas run to determine the multivariate overall effects for therisk treatment and the type ofexchange (system) treatmenton both dependent variables.Our results indicated that thenull hypothesis ofno overall risk effect could not be rejected(p= .3432),while the null hypothesis ofno overall systemeffect could be rejected at pAfter determining fromthe MANOVA results that the model did indicate statisticallysigniÞcant results for at least one main effect,we proceededto conduct an Analysis OfVariance (ANOVA) analysis ofthesystem and risk for each question individually.Hypothesis H3 predicted that the demand for data-levelassurance in a speciÞc B2B EC exchange will be positivelyinßuenced when a high level ofperceived risk in the decisioncontext is combined with a lower level oftrust in the dataexchange.The measurement ofthis effect was carried out by assuming that subjects in the NABDE treatment groupswould be more likely to pay an incremental fee to use theABDE than the subjects in the ABDE group would be willing to pay extra to use NABDE.Our results supportedthis hypothesis (F = 347.09,p)However,our resultsdid not support the theory that situational risk also wouldinßuence the subjectsÕjudgments (F = 1.10,p= .30).Although the means from the subjects in the ABDE groupswere noticeably less than the means from the NABDE sub-jects,there was no signiÞcant difference between the two risklevels within either exchange (see panel C oftable 6).Additional exploration ofthe subjectsÕwillingness to paymore for a better system was conducted by our examinationofH3 with the second dependent variable question.Theresults were similar to those found with the Þrst question.The subjects who were assigned the exchange without thereal-time validation were more willing to incur an incremen-tal fee to use a different system with increased data assurancethan the subjects who were assigned the exchange with thereal-time validation (F = 23.37,p)while the effect ofrisk ofthe particular transaction did not signiÞcantlyaffect the subjectsÕjudgments (F = 0.73,p= .40),as shown in panel C ofTable 6. EMANDFORDATAASSURANCESINELECTRONICCOMMERCE41V. Summary And ConclusionsOur study provides the Þrst step into a long researchagenda dealing with demand for data-level assurances inbusiness reporting.The present study provides some evidence that supports the incremental value ofdata-levelassurances.While system professionals and professionalorganizations in accounting have emphasized the provisionofassurance services that focus on network security andWeb site availability,there has not been any systematicexamination ofdata-level assurances that are carried out on a real-time basis.This study has presented insights fromthe literature on information systems effectiveness and trustin inter-organizational relationships to develop its majorresearch hypotheses.The Þrst research hypothesis predicted that the provisionofdata-level assurance in an information exchange wouldresult in a number ofpositive outcomes,such as minimizingthe probability oflost transactions or the probability oftransmitting invalid data,and maximizing the probability ofsuccessfully completing the transaction.Our resultsdemonstrated that the use ofa data exchange that actuallyprovides data-level assurances can result in all ofthese outcomes,at least to the extent that these were perceived as desirable outcomes by our student subjects.The second hypothesis predicted that overall risk in arelational exchange is a function oftrust in the exchange aswell as the degree ofperceived risk for the speciÞc decisioncontext.Our results clearly supported these premises.Inaddition,we also predicted that overall risk would be greaterwhen a lower-level trust in the exchange and a higher level ofperceived risk in the decision context were combined.This interaction effect was marginally supported by the data,suggesting that the increase in the overall risk ofan informa-tion exchange is greater than the simple increase in the levelofsituational risk in the decision context,as the level ofdataassurance provided in the exchange is reduced.Given a levelofperceived risk in the decision environment,therefore,aninformation exchange can be assessed as less or more risky,ifdata-level assurance is or is not provided.This conclusioncan justify the supply ofdata-level assurances in selected situations only,where perceived risk in the decision contextis expected to be ofvery high importance.However,giventhe marginal signiÞcance ofour results,future research isneeded to further examine this conjecture.The third research hypothesis has shown that lower levels ofdata-level assurances in an exchange would leadusers to be willing to incur additional expenditures in orderto acquire increased assurance,while users would also incre-mentally value additional levels ofdata assurance.In general,the results on this hypothesis also provide some support for the importance ofdata-level assurances in inter-organizational information exchanges.The study has therefore contributed some useful resultswith regard to the provision ofdata-level assurances.Like all studies,however,the results presented here have to beinterpreted within the context that the study was carried out and cannot be overgeneralized.The data exchange devel-oped in the study to carry out the necessary transactions was a simulated Web-based system using XML,where inreal-world exchanges,more advanced systems with greatervariations in data assurance would be available for use.The risk manipulations introduced into the experimentseemed to work reasonably well,even though most subjectsperceived high levels ofrisk in their decision contexts,irrespective ofthe intentions ofthe experimenters.The AICPA and other third parties and professionalorganizations could be involved in future efforts to providedata-level assurances on business data that are exchanged as part ofeXtensible Business Reporting Language (XBRL-based) reports,especially as GL-XBRL becomes more widespread and transaction-type data is more frequentlyexchanged.Real-world decision makers would most likelyhave access to data that carry different levels ofassurance.In such cases,real-world decision makers would be morerepresentative subjects,since they would not only have priorexperience with similar decision situations but also would be able to more readily identify subtle differences in dataassurances provided by various third parties.This issue,however,is left for future research.AcknowledgementsThe authors valuable comments received on earlier versions ofthis paper from the editor,anonymous reviewers,and the conference participants at the ÒBusiness Reportingand Data Assurance Conference,ÓBryant College,RhodeIsland,18-19 April 2002. ReferencesBakos,J.Y.1991.Information links and electronic market-places:The role ofinter-organizational information systemsin vertical markets.Journal ofManagement InformationSystems8 (Fall):31-52.Brinberg,D.and E.J.McGrath.1985.Validity and theResearch Process.Beverly Hills,CA:Sage Publications.Elliot,R.K.1998.Assurance services and the audit heritage.The CPA Magazine68:40-47.Das,T.K.and B.Teng.1998.Between trust and control:Developing conÞdence in partner cooperation in alliances.Academy ofManagement Review23 (3):491-512.Hewett,K.and W.O.Bearden.2001.Dependence,trust,andrelational behavior on the part offoreign subsidiary market-ing operations:Implications for managing global marketingoperations.Journal ofMarketing65 (October):51-66.Malone,T.W.,J.Yates,and R.I.Benjamin.1987.Electronicmarkets and electronic hierarchies.Communications oftheACM30 (June):484-497.Mayer,R.C.,J.H.Davis and F.D.Schoorman.1995.An inte-grative model oforganizational trust.Academy ofManagement Review20 (3):709-734.McAllister,D.1995.Affect- and cognition-based trust asfoundations for interpersonal cooperation in organizations.Academy ofManagement Journal38:24-59.Nicolaou,A.I.,M.Masoner,and R.Welker.1995.Intent to enhance information systems as a function ofsystem success.Journal ofInformation Systems9 (Fall):93-108.Nooteboom,B.,H.Berger,and N.G.Noorderhaven.1997.Effects oftrust and governance on relational risk.AcademyofManagement Journal40 (2):308-338.Rousseau,D.M.,S.B.Sitkin,R.S.Burt and C.C.Camerer.1998.Not so different after all:A cross-discipline view oftrust.Academy ofManagement Review23 (3):393-404.Sako,M.and S.Helper.1998.Determinants oftrust in supplier relations:Evidence from the automotive industry in Japan and the United States.Journal ofEconomic Behavior& Organization34:387-417.Shepard,B.H.and D.M.Sherman.1998.The grammars oftrust:A model and general implications.Academy ofManagement Review23 (3):422-437.Sitkin,S.B.and A.L.Pablo.1992.Reconceptualizing thedeterminants ofrisk behavior.Academy ofManagementReview17:9-38.W3C.1999.XSL Transformations (XSLT) Version 1.0.Available online:www.w3.org/TR/xslt.W3C.2000.XML Schema Part 0:Primer.Available online:www.w3.org/TR/xmlschema-0/.Williamson,O.E.1975.Markets and Hierarchies:Analysis andAntitrust Implications.New York:Free Press. ANSACTIONAGENTSINE-COMMERCE,AGENERALIZEDFRAMEWORK43©2003Transaction Agents in E-commerce, A Generalized FrameworkRob NehmerBerry CollegeAbstractThis research develops a framework for deploying softwareagents in e-commerce applications.A transaction agent is aspecialized software component that cooperatively interactswith the data-capture facilities ofa transaction-processing system at the point or band ofcapture,such as the Webserver and browser.The generalized framework providesmeans for checking transaction validity and accuracy withinthe Internet model ofdata communications as well as XBRLtaxonomies or other data format checks.It also provides thefunctionality to cooperate with management authorizationsoftware to terminate or correct classes oftransactions.I. IntroductionThis research details a model ofsoftware transactionagents in e-commerce settings.It is shown to Þt into the program ofresearch in continuous auditing (CA) detailed by Kogan et al(1999).The research is ofinterest to peopleconsidering the implications ofXBRL,continuous auditing,and software agents systems in business and speciÞcallyaccounting environments.It provides a description oftheuse ofsoftware agents as internal controls rather than as datacollection tools having consequences for internal control systems.The model is derived by considering softwareagents generally and then introducing a transaction settingin which the agents will operate.The transaction setting isthen further restricted to e-commerce (Þnancial) settings.This further restriction is informed by using the CommitteeOfSponsoring Organization (COSO) and Control Object-ives for Information and related Technology (COBIT) auditmodels.The intent ofthis is to make the model relevant incontinuous audit environments.We then look at the imple-mentation ofthe model in eXtensible Markup Language(XML) and eXtensible Business Reporting Language (XBRL) application environments.The XBRL applicationenvironment considered includes the XBRL General Ledgerextensions.The model provides a framework to use whenconsidering how and where agent technologies might best be deployed in such application environments for purposesofinternal control and continuous auditing.At the end ofthe paper,we consider transaction agent use in non-XMLapplication environments for these same purposes.A discus-sion ofthe focus ofthis research in a continuous auditingprogram ofresearch precedes the discussion ofsoftwareagents and the derivation ofthe framework.Kogan et al(1999) detail a program ofresearch in continuous auditing,referred to in that paper as continuousonline auditing.Their program consists ofthree majorissues:architectural issues relating to CA,factors affectingCA,and the effects/consequences ofCA.They divide theÞrst issue into four subcomponents:system architecture,audit parameters,information processing,and security.Factors affecting CA include functional areas,industry,and internal vs.external audit.Effects/consequences ofCA is broken down to Þve subcomponents:agency costs,qualityofaudit,behavioral effects,auditorÕs independence,andinternal auditing.This paper falls into the architecturalissues category using their classiÞcation scheme.Further,it addresses elements ofthree ofthe subcomponents ofthismajor issue:system architecture,information processing,and security.It is foremost a system architecture speciÞca-tion in that it relates formal systems speciÞcations,and agentcommunities in XBRL implementation environments toaudit objectives as evidenced in internal control systems.Assuch,it also contains aspects ofsecurity,again as evidencedby the implemented systems ofinternal controls.Finally,it includes the data capture component ofinformation processing by its exploration ofthe effects ofXML andXBRL representations on CA.Generalized Software AgentsSoftware agents have been used in a variety ofsettingsover the past decade.Agent implementations have appearedin product design,planning and scheduling,and real-timecontrol settings.There are also many conceptual schemasdescribing agent architectures (Fingar 1998,Farhoodi andFingar 1997,Greenstein and Feinman 2000).Before we discuss transaction agents in more detail,we will compareand contrast software agents to two other software designconcepts:third-generation programming languages (C,Pascal) and object-oriented languages (C++,Java).We will call program components written in third-generationlanguages modules,and program components written inobject-oriented languages objects (see Table 1).Modules and objects are differentiated along three characteristics:class,polymorphism,and inheritance (encapsulation). Modules typically specify data structures and processes(functions) independently ofother modules.There is little tono sharing ofdata or process deÞnitions in third-generationprogramming.By contrast,object-oriented programmingdeÞnes a class ofobjects all ofwhich share common dataand processes (methods).Additionally,processes can operatedifferently on different classes by the characteristic ofpoly-morphism.For example,the close operation would behavedifferently on different classes ofaccounts by zeroing outexpenses but not liabilities.Finally,the classes can bedesigned in a hierarchical structure where appropriate andinherit properties from classes higher up in the hierarchy.For instance,the bike class attributes ofwheels,frame,pedals,and seat would be inherited by both the mountainbike class and the road-bike class.Table 1 Ð A Comparison ofModules,Objects,and AgentsM o d u l e s O b j e c ts A g e n ts Class No Yes Yes Polymorphism No YesYes Inheritance No Yes Yes AutonomyNo Some Yes Flexibility No No Yes Thread ofControl No No Yes There are three distinctions contrasting agents andobjects:autonomy,ßexibility,and threads ofcontrol.Whileagents are often built with object-oriented technologies,they possess properties that are not inherent in the objectmodel.An object-oriented design requires that objectsrespond to invoked methods on demand.That is,ifoneobject calls a method that is implemented in another object,the second object is constrained to comply with the request.This entails a loss ofautonomy on the part ofthe calledobject.By contrast,agents do not communicate with otheragents;they must negotiate with those agents.Another wayto understand this idea is to realize that object-oriented systems are built to satisfy common goals,whereas agents aredesigned without foreknowledge ofwhat other agents theymay come into contact with.Ifone agent requests an actionfrom another agent,it may not be in the second agentÕs bestinterest to comply,given its goals.Therefore,agents are moreautonomous than objects.An autonomous agent is one thatÒlivesÓin its environment without human intervention.Theidea is similar to a terminate-and-stay resident program.Once an autonomous agent is invoked,it remains ready toperform its tasks as needed.Autonomy also implies an envi-ronment in which the agent operates.The agent is designedto accept inputs from its environment and to react to thoseinputs.The UNIX operating system supports this concept byallowing processes to be run as daemons.A familiar daemonis a Web server listening to a port,usually port 80,for arequest from a client.The Web server program remains running in the background until it receives its next requestfrom a browser for a page or another service.The second distinction between agents and objects is thatofintelligence.The daemonized Web server is autonomousbut not intelligent.Agent intelligence is characterized bythree criteria.Reaction to stimuli in its environment is theÞrst criteria ofagent intelligence.The Web server can becharacterized as reacting to stimuli:a request for a web page from its environment.The second criterion ofagentintelligence is proactivity.Intelligent agents are able to satisfy,whether in whole or in part,deÞned goals in their environ-ments.While a Web server would not typically be consideredproactive,search bots are proactive in that they go out intothe Internet to collect information about the content ofWebpages and Web sites.The Þnal criterion ofagent intelligenceis social ability.Intelligent agents interact with other agentsto form agent communities or agent ecologies.Search botsthat share information with other search bots evidence socialability.We will come back to this idea later in the paper.The last distinction between agents and objects involvesthreads ofcontrol.A thread ofcontrol in a software systemdetermines the order ofprocessing that occurs as the systemexecutes.While there are multi-threaded,object-orientedsystems,each object in such a system does not usually haveits own thread ofcontrol.By contrast,each agent generallyhas its own thread ofcontrol.This distinction is really a matter ofsystem implementation and will not be furtherconsidered here.In this paper,we consider agents generally to have twocharacteristics:autonomy and intelligence.Agent technolo-gies are a natural Þt in the Internet1environment,althoughnot all ofthese are intelligent.The use ofWeb browsers andWeb-search engines ofvarious complexities is well known.Itis perhaps less well known and understood that the Internetis fundamentally a distributed,data-sharing community.Moving the packets through the Internet requires a complex process ofcommunication ofmachine names and addresses at several levels.In addition,communicationand coordination among and between layers ofthe protocolstacks is extensive.Even ifwe agree that this activity does notconstitute an agent community,we cannot deny that it is aninteresting and rich environment where agent activities canoccur.This is exactly the environment in which we deÞnetransactions and transaction agents.1 Although we use the term Internet throughout the paper,the results apply equally well to VPN environments and mixed Internet VPN environments. ANSACTIONAGENTSINE-COMMERCE,AGENERALIZEDFRAMEWORK45II. Transaction AgentsTransaction agents are designed to work in environmentscharacterized by exchanges between two or more systems.Furthermore,they are designed to support those exchangesor transactions in some fashion.We need to clarify the twinconcepts ofsystem and exchange to make this a workingdeÞnition.By system,we mean just information and otherresources surrounded by a known boundary.Two servers on the Internet can be considered as independent systems.By exchange,we mean communication between the two systems.A one-way exchange would be characterized by onesystem producing an output that can be transmitted to theother system and accepted as an input on that system.Mostexchanges will be two-way or interactive.The concept ofan environment populated by transacting systems naturallylends itselfto a community ofsoftware agents with individ-ual agents on both systems involved in the exchange.While it is certainly possible to build an agent model on only onesystem,we will not consider that as a transaction agentmodel.Transaction agents,then,are able to communicateabout the exchanges that occur between systems in theirenvironment.For instance,they might keep details ofexchanges and communicate summary results to the othersystem,thus reducing the risk oflost transaction data.The concept oftransaction used in this paper needs to be distinguished from that used in Transaction Cost Theory.Transaction Cost Theory takes a macroeconomic view ofcapital resource allocations in an economy.It is concernedwith the transaction costs incurred by the knowledge specialization inherent among suppliers ofcapital and theÞnancial managers and operational managers ofthat capitalemployed in speciÞc organizations.In contrast,the perspec-tive employed here is microeconomic in nature.The transac-tions are the day-to-day,operational transactions ofbuyingand selling that typically occur between two Þrms.However,the management control implications ofthe framework presented here are related to Transaction Cost Theory.SeeRoland SpeklŽÕs ÒTowards a Transaction Cost Theory ofManagement ControlÓfor an interesting analysis ofthisproblem.The idea oftransaction agents is extended to e-commercecontexts in a natural way.That is to say that it is a commer-cial exchange involving buying and selling or providingÞnancial data.E-commerce transactions are characterized by the following components.First,there is a communicationchannel between the trading partners.Next,for each partner,there is a translation interface that transforms the internalrepresentation ofcommercial data into a common externalrepresentation used in the exchange.This is where XML and XBRL,including eXtensible Business ReportingLanguage General Ledger (XBRL GL),come into the model.Finally,there are the back-ofÞce processing and database components.Agent activities can occur at the channel level by tracking transmissions and communicatingsummary statistics to the trading partner.This same type ofcommunication can also be collected by agents operating atthe translation,processing,or database component level.Consider the example ofWeb-based transaction agents.Using a simple XBRL example,a customer visits EDGAR,chooses a company and downloads a balance sheet instancedocument.The transaction is purchasing the document for the current fee ofx dollar.Agents might be used in thisscenario to automate the process for a list ofrequested companies created during the day and downloaded at non-peak hours for processing the next day.Transaction agentscould be used to invoke a validation procedure on theretrieved Þles,thus helping to ensure proper transmission.III. Points And Bands Of Control In The ModelIn this paper,we are considering an e-commerce transac-tion model that includes a communications channel,a translation interface,processing,and database componentsfor each partner (see Figure 1).In this model,a point ofcontrol refers to a single control activity and a band ofcon-trol refers to multiple activities that could span componentsofthe e-commerce context.Ifwe extend this idea to agents,then an agent that performed a single control task would beexercising control at that point in the system.An agent orgroup ofagents that performed multiple activities would beexercising control at that control band ofthe system.Ifthegroup ofagents were a community that communicated andinteracted with one another,then we say that the communityis exercising a system ofcontrols at that control band.Thisßexible deÞnition allows us to design arbitrary agents oragent communities to effect controls and systems ofcontrol.FIGURE1:THEGENERALIZEDE-COMMERCETRANSACTIONMODEL DBTrading Partner BDBProcessorTranslationInterfaceTrading Partner A CommunicationChannelTranslationInterface Transaction Agents: Deriving theGeneralized FrameworkNow,consider two models ofinternal control and howthey relate to transaction agents in e-commerce setting.TheÞrst control model is from the Committee ofSponsoringOrganizations,the COSO model.It consists ofÞve compo-nents:the control environment,risk assessment,controlactivities,monitoring,and information and communication.Although arguments could plausibly be made to include all Þve ofthese areas in a transaction agent model,it is notclear that the control environment needs to be included intechnologies that are in the main application or applicationsystem speciÞc.Therefore,we will drop the control environ-ment from further consideration in this paper.Clearly,riskassessment is a relevant and major factor in choosing whatcontrol activities might be implemented by transactionagents or agent communities.Either the control activitieswill be directly implemented by the agents,or they will bedeÞned through agent interactions.The monitoring functionis also clearly relevant to agent implementations.Finally,information and communication will occur not only withinthe agent community but also between that community andmanagement as well.The other control model is Control Objectives forInformation and related Technology (COBIT).It consists offour objectives:planning and organizing,acquisition and implementation,delivery and support,and monitoring.Acquisition and implementation ofinformation technologieswill only be considered from the purchasing perspective in this paper.In addition,delivery and support ofthe infor-mation technologies is not relevant to transaction agents ofthe type we are considering.Monitoring has already beenseen as relevant per the COSO model.Planning and organiz-ing exchange systems is a relevant area for transaction agentsbecause ofthe monitoring data they may provide which isuseful for planning and systems-design purposes.Additionally,some agent societies are capable ofself-organization during operation.We say that these societiesevolve over time.In this paper,we conÞne our scope to therisk reducing functions ofimplemented transaction agents.We consider the control componentsÕrisk assessment,con-trol activities,monitoring,information and communication,planning and organizing,and acquisition and implementa-tion to be legitimate control contexts for transaction agentdesigns in e-commerce settings.The combination ofthe e-commerce transaction model with these six control com-ponents provides a generalized framework oftransactionagents in e-commerce (see Figure 2).Details ofhow agentsmight be used in these areas are described next.FIGURE2:A GENERALIZEDFRAMEWORKOFTRANSACTIONAGENTACTIVITIESWITHINTHEE-COMMERCETRANSACTIONMODELSystem-wide (example):Information and communicationRisk assessment (a)ßows (d)Control (agent) activities (b)Planning and organizing activities:Monitoring (c)(agent community self-organization)When we are considering internal controls and agents,the match ofagent communities to systems ofinternal control is especially relevant.This is particularly true in the case ofrisk assessment.While we might think about a point ofrisk from the perspective ofinternal control,the idea does not translate well from the perspective ofasoftware agentÕs activity.This is because the agentÕs activities,reading a memory location for instance,are not in one-to-one correspondence with the system ofinternal control.That is,the design problem is not trivial.In the case ofriskassessment,agent activities include data collection,trendingthe data over time,and communication ofthe trends.Theaggregation ofthese activities deÞnes the risk-assessmentprocess.An example ofagent-based,risk-assessment activi-ties is using agents to help determine whether validation ofindividual,line-item amounts in a purchase order is superiorto only validating the total dollar amount ofthe purchaseorder.This situation illustrates how risk assessment is closelytied to costs,in this case the cost ofprocessing more detailsfor validity.This example is indicated by (a) in Figure 2.Theexample ofrisk assessment is continued in some ofthe othercontrol objectives discussed next.Consider control activities that are part ofrisk assessment.Keeping track oftechnology,legal,or economic changes in thebusinesses environment is an essential activity that is well suited to implementation by software agents.Bands ofcontrolcan be applications,such as sales or inventory,or model components:the channel,translation interface,processing,or database.Agent activities at the application level includevalidation and evidencing authorization.At the componentlevel,possible activities include searching event logs forunusual items and testing connectivity with businespartners (see (b) in Figure 2).Tranction agents are naturally suited to serve as monitors ofother software applications.In addition to simple monitoring activities,such as tracking inventory DBTrading Partner BDB(c)Processor(a)TranslationInterfaceTrading Partner A CommunicationChannelTranslationInterface (d) Acquisition:PurchaseAgents (e) b) ANSACTIONAGENTSINE-COMMERCE,AGENERALIZEDFRAMEWORK47levels (see (c) in Figure 2),agents can be designed to monitorother agents.There has been a lot oftheoretical work doneon building stable agent communities.HollandÕs Hidden Order is a very assessable Þrst pass at some ofthis work.Monitoring,measuring,and communication through infor-mation exchange between agents are very important in thesecontexts.An example ofthe type ofmonitoring activity that an agent community could be designed to accomplish is watching for changes in an underlying population datadistribution,such as a change in mean,variance,or form.This type ofwork will therefore be very important in building agent communities as systems ofinternal control.The use ofagents in the communication ofcontrol ininternal control settings can be viewed as a set ofcommuni-cation strategies.These strategies consist ofcommunicationprotocols among agents ofthe same type and among agentsofdifferent types.Other strategies include communicationprotocols within agent communities (see (d) in Figure 2),protocols for communication with management,and communication with the agentÕs environment.These proto-cols will lend themselves to method sharing and inheritancein object-oriented design environments.The cost structureand beneÞts ofdifferent protocol strategies can also be studied and the results used to make decisions about implementation.The next control objective includes planning andorganizing systems,controls,and systems ofcontrol.Again,by its nature this is a systemic objective.Bands ofcontrol will be evidenced by any agent community that can exhibitself-organization.Self-organization is the capacity for complex systems to evolve into new structures with newprocesses (activities) as conditions change.This is the verynature ofplanning.In this context,it is interesting to notethat a point ofcontrol becomes a band ofcontrol iftheagents that constitute the point are capable ofevolving.As was noted previously,the last control objective is arather restricted area for software agents considering whatCOBIT means by acquisition and implementation.Ifwe consider acquisition as an application,however,we do have a well-known agent implementation ofthe application in theform ofthe purchasing agents that crawl the Web looking for the best prices and return them to its invoker (see (e) inFigure 2).The example can be extended into the context ofinternal control by conceiving ofa quality control feedbackloop,implemented by transaction agents,which monitorsand reports actual product quality versus product qualityreported by the vendor.This example is very similar opera-tionally to the risk assessment scenario reported above.Transaction Agents at the ApplicationLevelXML-based agents will have to work with XML and inXML-processing environments.They are unlikely to be written in XML,however.XML is inherently at the transla-tion interface component level ofour e-commerce model.The question is how transaction agents can interact withXML in e-commerce applications.There are two basic typesofXML processing technologies.The Þrst is the DocumentObject Model or DOM.The DOM is a tree representation ofan XML document that is stored in memory.The DOM is usually created by the XML parser at run time.This givestwo ways for agents to access the DOM data.The Þrst is bydirectly accessing the DOM in memory.The second isthrough Application Program Interface (API) calls to theXML parser.The second type ofXML processing is by using the Simple API for XML (SAX),an open-source APIstandard that works with XML parsers.So again,we haveavailable API calls to use when building agents with SAXtechnology.It would also be possible to build an agent toperform the XML parsing and pass the relevant results toother agents,but it is unlikely that this will prove to be neces-sary in real-world situations.The concept ofXML parsingwill be discussed further in the section on validation below.XBRL-based agents will mainly follow the lines ofXMLagents as sketched above but with a few differences.Whendesigning XBRL-based agents,the variety ofschemas,Document Type DeÞnitions,etc.,likely to be encounteredwill be considerably fewer than with general XML.This will simplify the task ofcreating these agents.In addition,ifwe use object-oriented agent designs,XBRL-based agents may be able to inherit some features ofXML-based agents,particularly methods and object classes.XBRL Agent ActivitiesThis section discusses transaction agent activities inXBRL environments (see Figure 3 for the location ofXBRLin the generalized framework).The following discussionapplies equally well to XML and XBRL environments.First,we discuss how the term ÒvalidationÓis currently used in the XML literature.Next,we look at how agents can be used to extend this deÞnition ofvalidation into senses more common in internal control models.Finally,we willlook at some non-validation opportunities for transactionagents in XBRL environments. FIGURE3:LOCUSOFXBRL INTHEGENERALIZEDFRAMEWORKÒTraditionalÓXBRL validation refers to either validationin compliance to a Document Type DeÞnition (DTD) orschema,called parsing,or validation against business rulestriggered by the documentÕs content,sometimes referred to as application validation.Additionally,the software engineering literature discusses validation in the sense ofvalidating program or object code.Transaction agents canextend traditional validation activities in several ways.First,agents can be used to implement constraint conditions inlegacy information systems.2XML documents do not provide methods for handling constraint conditions.In thisapplication oftransaction agents,constraints are handled byagents.The idea is that the constraint is a business rule dictated by the legacy information system,such as a limit onthe number ofitems a purchase order can contain.Agentscan be created to break up a large purchase order into anumber ofsmaller orders that satisfy the legacy systemÕs constraints.Several standards for specifying business rules are underdevelopment.One is IBMÕs Business Rules Markup Language(BRML).These standards provide metadata ofbusiness rulesand/or constraints that can be shared among agents for validation purposes.Transaction agents can also be createdto access the validation data from both XML and business-rule sources to integrate those two validation steps.Anotherstandard for metadata is the Resource DescriptionFramework or RDF.RDFs are represented in XML documents.They provide for specifying resources,resourceproperties,and statements about the domain speciÞed by theresources and properties descriptions.RDF can be used todeÞne relationships among objects in its domain.Trans-action agents can be used to validate that these relationshipsexist.For example,an RDF could deÞne an invoice as beingpayable ifa valid purchase order,receiving report,andinvoice exist.Agents can be designed to check the validity ofthis relationship and then pass the invoice on for payment.ÒNon-traditionalÓmeans ofvalidation are those that donot use parsing or application validation techniques.Agentscan be used in non-traditional validation to validate theDTD itself,perhaps by secure communication with a trustedthird-party site.Another way that transaction agents can be used in non-traditional validation is to exploit SAX application design patterns.There are two basic SAX design patterns:Þltered design and rule based design.In Þlteredapplication designs,the applicationÕs processes are viewed as a sequence ofÞlters applied to an XML document (seeFigure 4).A Þlter might remove tags or perform validation,for example.Because SAX is implemented sequentially,itdoes not have the capability to access different parts ofanXML document simultaneously.Agents and agent communi-ties can be designed to overcome this limitation by keepingtrack ofcontrol data across Þlters and across an XML document.This can be done by designing agent Þlters thatcan collect and pass data to the agent community that continues its processing activities continuously andautonomously (see Figure 5).FIGURE4:THESIMPLEAPI FORXML (SAX) PIPELINEPATTERN(FILTERDESIGNPATTERN)FIGURE5:AGENTEXTENSIONOFSAX PIPELINEPATTERNPossible Agent Actions:The other SAX application design pattern is known asrule-based design.Rule-based applications consist ofa seriesofrules in the form event-condition-action.The XSL pro-cessing model is rule-based where the processing ofa nodeis the event,the condition is the instance ofthe node,and the action is the corresponding template.A natural agentapplication is to associate agent activities to the execution ofparticular rules or sets ofrules.Validation rules and rulesets are one example (see Figure 6).FIGURE6:AGENTEXTENSIONOFTHESAX RULE-BASEDDESIGNPATTERNTransaction agents can also provide non-validation activ-ities in XBRL environments.For example,transaction agentscan be designed to Þnd key words in XBRL documents andtrigger appropriate actions.They can also be designed to ProcessorDBTrading Partner BDBProcessorXBRLTrading Partner A CommunicationChannel Filter 3Filter 2Filter 1 put InputFilter 1AgentFilterAgentCommunFilter 2Filter 3Output SwitchRule 1Rule 2Agent RuleRule NRule ¼Output ANSACTIONAGENTSINE-COMMERCE,AGENERALIZEDFRAMEWORK49monitor XBRL documents for trends.Finally,transactionagents can combine Þnancial data across Þrms and periodsto provide analytical data for control purposes.IV. Application Level Transaction AgentActivities: Implications For Continuousting And Continuous AssuranceAlthough we have concentrated the discussion in thispaper on agents in control systems and XBRL applications,other implementations oftransaction agents are possible.One way ofconceptualizing transaction agent systems is tofocus on the transaction-processing path itself.This is probably more familiar to a traditional auditor.Agents canbe constructed to perform some ofthe usual audit activitiessuch as collecting data into system-control,audit-reviewÞles.Here,the general ledger extensions to XBRL will beimportant in cases where agents scan transactions for GLtags to append to the review Þle.The community ofagentscan be imagined conceptually to be a distributed artiÞcialintelligence application that implements auditor activitiesand judgments into a software system.Over time,this systemwill evolve both reactively as the conditions ofthe underly-ing system change and proactively to create structures thatbetter Þt its objectives.Perhaps one ofthe biggest areas for further research in continuous auditing is the exploration and exploitation ofwork in agent communities and ecologies.Most ofthebusiness literature references to agents in accounting andbusiness focuses on implementations that feature a singleagent with simple sets ofactivities.Looking at references to software agents and e-commerce usually gives the typicalWeb bot or purchase bot example.There are references tomulti-agent systems,but few,ifany,examples ofimplementa-tions ofsuch systems.Peter Fingar is a notable exception to this rule,but histhinking about agent communities is so strategic that it losesits applicability in abstraction.He does surface,however,animportant strategic trend in agent technologies:agents thatcan help us manage complexity and business organizationsare going to become more complex in the future.Foraccountants,we can derive two lessons from this:1) we need to start to think about how software agents can help us manage complexity in our environment,and 2) we needto begin to consider agent communities rather than singleagents.This can be related to the continuous reporting andcontinuous auditing context in the following way.Slack in asystem may help it to meet its design goals,although withsome corresponding inefÞciencies.Changing environmentscan force a system to become ineffective as its goals shift dueto these changes,despite the slack.Such is the current state ofexternal auditing that usestime (the delay between period close and the issuance oftheaudited statements) as its slack variable.As our environmentchanges to demand that we meet the need for continuousreporting,as evidenced,for example,by the Securities andExchange CommissionÕs reduction ofthe reporting cycle,we must look for ways to audit the Þnancial data that do notrequire as much time.This leads naturally to continuousauditing and the automation ofthe auditors agency deepinto the operational processing ofthe Þrm.Communities ofautonomous,intelligent agents interacting at the level oftransaction processing is one technology that may well provide the beneÞts required by these new environmentalpressures and provide them in a cost-effective manner.Another important consideration is the realization that anagent community will only be implemented ifit reduces riskin a way that outperforms its cost structure.Seen in this way,transaction agents are a continuous auditing technology thatare used to reduce risk at the transaction level.Finally,wheredoes XBRL GL Þt in with this framework? XBRL provides a standardized data representation that can be exploited byagent technologies.To the extent that an agent communitycan be built to represent a regime ofinternal controls at aband ofrisk in a transaction-based system,designing itbased on XBRL will make it more portable to other transac-tion-based systems.This will lower its overall cost per systemand increase the likelihood that the development ofthe agentcommunity will have beneÞts exceeding its costs.In this way,XBRL is one technology that helps enable continuousauditing and,by extension,continuous reporting.Thinkingthrough this important area will give accountants,auditors,regulators,and others,important insights into the creationand meaning ofsystems ofinternal control.V. ConclusionThis paper derived a model ofsoftware transactionagents in e-commerce settings.The model deÞned a generaltype ofagent in Þnancial transaction settings.This paperincorporated the relevant internal control objectives fromthe COSO and COBIT frameworks into the model to situateit speciÞcally in control and audit environments.A generalimplementation ofthe model was then performed in XMLand XBRL business processing settings,with the internalcontrol implications drawn out.The paper highlighted areaswhere agent technologies may be deployed in the control andaudit ofe-commerce transaction applications,especially where those applications have an XML or XBRL component.The paper also pointed out the symmetry between systemsofinternal control and agent communities.Finally,it encour-aged further research into designing agent communities inbusiness control and audit environments.ReferencesAnderson,R.et al.2000.Professional XML.Birmingham,UK:Wrox Press.COBIT Steering Committee and IT Governance Institute.2000.COBIT.3rd edition.Rolling Meadows,IL:ISACF.COSO.1994.Internal Control - Integrated Framework.New York:AICPA.Fingar,P.1998.A CEOÕs Guide to e-commerce Using Object-Oriented Intelligent Agent Technology.ttp://home1.gte.net/pÞngar/eba.ht&#xh000;mFarhoodi,F.and P.Fingar.1997.Developing EnterpriseSystems with Intelligent Agent Technology.ttp://home1.gte.net/pÞngar/docmag_part2.ht&#xh000;mGreenstein,M.and T.M.Feinman.2000.ElectronicCommerce:Security,Risk Management and Control.Boston:McGraw-Hill.Hoffman,C.and C.Strand.2001.XBRL Essentials.New York:AICPA.Holland,J.H.1995.Hidden Order:How Adaptation BuildsComplexity.Reading,MA:Addison-Wesley.Kogan,A.,E.F.Sudit and M.A.Vasarhelyi.1999.Continuousonline auditing:A program ofresearch.Journal ofInformation Systems13 (2):87-103.McLaughlin,B.2000.Java and XML.Sebastopol,CA:OÕReilly.SpeklŽ,R.F.2002.Towards a Transaction Cost Theory ofManagement Control.Report Series:Research inManagement.Rotterdam:Erasmus Research Institute ofManagement.ttp://www.erim.eur.n&#xh000;lWeiss,G.1999.Multi-agent Systems:A Modern Approach toDistributed ArtiÞcial Intelligence.Cambridge,MA:MIT Press. IMPLICATIONSOFECONOMICTHEORIESFORDATALEVELASSURANCES51©2003The Implications of Economic Theories for Data Level Assurances:Research OpportunitiesEric E.CohenBarbara LambertonSaeed RoohaniPricewaterhouseCoopersUniversity ofHartfordBryant CollegeAbstract The objective ofthe paper is to explore the issues andopportunities associated with data level assurance services inthe new business-reporting environment.The paper presentsan overview ofthe terminology,technology,and backgroundassociated with data level assurances.The paper also comparesnew,business-information assurance to traditional Þnancialstatement assurance.Finally,the paper reviews several economic theories that have been used to explain the use and value attached to business information.In particular,the discussion includes implications for data level assurance fromthe perspective ofinformation economics,agency theory,andtransaction-cost economics.The intent is to identify researchimplications that can be pursued by those interested in thearea.I. IntroductionIn his acceptance speech as Chairman ofthe AmericanInstitute ofCertiÞed Public Accountants (AICPA),James G.Castellano urged the profession to increase the CPAÕs value to all stakeholders by combining Òthe audit ofhistoricalÞnancial statements with a broad array ofassurance servicesÓ(Castellano 2002).The drive to expand and improve assurance services has been a continuing theme in both academic and practitioner literatures for well over a decade.Declining demand for audit services in the1990s,maturity ofauditing markets,the commoditization ofthe audit,sweeping changes in technology,and recent headline-grabbing events involving Enron,Global Crossing,and other audited but unaccountable businesses have promptedthe accounting profession to critically evaluate the value andrelevance ofthe traditional annual audit.According to the AICPA Special Committee onAssurance Services (SCAS),assurance refers to a broadrange ofservices above and beyond the traditional attestfunction performed in rendering an opinion on Þnancialstatements.According to the committee,auditing is a subsetofthe attest function and attest function is a subset ofassurance services.Assurance services have been deÞned by the committee as Òindependent professional services that improve the quality ofinformation,or its context,fordecision makersÓ(AICPA 1997b).ElderCare Services,Performance View,SysTrust,and WebTrust were the Þrst fournew services developed as additional services to be providedby CPAs.Independence is the essential component ofallforms ofassurance,both the traditional and new services.The newer assurances,however,are expected to be less structured than traditional services and involve more ÒtargetedÓusers and more speciÞc information.Data levelassurances fall under this category.The objective ofthis paper is to explore the issues andopportunities associated with data level assurance services in the new business-reporting environment.The Þrst sectionofthe paper presents an overview ofthe terminology andtechnology associated with data level assurances followed by background information in the second section.The thirdsection ofthe paper discusses new business informationassurance to traditional Þnancial statement assurance.In thisnext section,the paper reviews several economic theoriesthat have been used to explain the use and value attached tobusiness information.In particular,the discussion includesimplications for data level assurance from the perspective ofinformation economics,agency theory,and transaction-costeconomics.The intent is to identify research implicationsthat can be pursued by those interested in the area.II. Data Level Assurance: Terminology and TechnologyData level information refers to less aggregated dataabout a speciÞc activity or a targeted area.Informationreported about sales separated from the income statements,or customer satisfaction information separated from otherinformation,are examples ofdata level information that mayhave value for investors and creditors.Traditional assuranceis on documents - information presented fairly,taken as awhole.Information consumers are asking for assurances thatinformation presented outside ofthe safe environment ofa traditional Þnancial statement,such as sales and earningsper share Þgures listed on a web site in near real time,is reliable for business decisions.Data level assurance is alsogaining attention because ofthe recent developments ineXtensible Markup Language (XML) and eXtensibleBusiness Reporting Language (XBRL).For example,a user may Þnd weekly sales information for a company of interest when searching the Web.In determining the useful-ness ofthis data level information,the user is faced with several questions related to its value and integrity.Is the original company the source ofthe document? What is thereporting period? Is there any third-party assurance for thissales information? Ifthere is a third-party involvement,whatis the level ofassurance?It is anticipated that as businesses engage more in e-com-merce trade,there may be increased demand for assurancestatements expressing varying levels ofcomfort related tospeciÞc pieces ofbusiness information.TodayÕs assurance is for documents and data presented with the perspective ofthe Þnancial statements taken as a whole.The potentialexists for tomorrowÕs assurance services to be for datastripped from traditional formats but presented with veriÞ-able context in real- or near-real time.Harvey Pitt,formerChairman ofthe SEC says ÒIn my view,we need to supple-ment the static periodic disclosure model - that has longserved investors well,but in todayÕs world results in the delivery ofinformation that is often stale upon arrival,andimpenetrable to many ofthose who receive it.I believe weneed to move toward a dynamic model ofcurrent disclosureofunquestionably material information,Ó(Pitt 2001).Interestingly,the federal governmentÕs increasing empha-sis on security issues may serve as a catalyst driving greateropportunities for third-party assurance services on informa-tion content and quality at the data level.In a press release,the Government Electronics and Information TechnologyAssociation (GEIA) announced that information assuranceis now affected by the Homeland Security Mission (GEIA2002).According to the release,information assurance forthe Department ofDefense (DoD),Civil Agencies,and commercial market is expected to grow from $17.6 billion in 2001 to $61.6 billion in 2006,with 90 percent ofsuchassurances coming from the commercial sector.New and emerging technologies are expected to makedata level assurance feasible.In particular,XML,a new infor-mation communication technology tool that efÞciently storesand distributes business information on the Internet,makesdata level assurance a possibility.XML works on varied computer applications,allowing for easy ßow ofbusinessinformation on the Web.Documents are highly portableacross applications and can be authenticated using digitalsignatures and secured encryption.The beneÞts associatedwith XML have been translated to business reportingthrough eXtensible Business Reporting Language (XBRL).ÒXBRL provides a common platform for critical businessreporting processes and improves the reliability and ease ofcommunicating Þnancial data among users internal andexternal to the reporting enterpriseÓ(www.XBRL.org).Thefollowing simple illustration shows how XML code addscontext information that may have meaning for the users.Example 1,shown in Panel A ofTable 1,shows that rentexpense was $82.In this case,the advantage ofXML is that it provides context or meaning to the presented facts.InXML (and XBRL),context is marked up with ÒtagsÓthat have special meaning to users.In Example #1 in Table 1,theÒtagsÓlet the user know that the number Ò82Órefers to $82 in rent expense rather than some other account and that thenumber,82,refers to currency rather than 82 miles per houror 82 items in the inventory.In Example #2 ofPanel B in Table 1,another illustrationis shown that compares ordinary information to the Òmeta-dataÓ(data describing data) made possible by ÒtagsÓin XML.Presentation ofthe ordinary information provides basicname and address facts but fails to provide any insight aboutthe particular role ofthe individual.In contrast,XML allowspresentation ofcontext information.The ÒtagsÓinform thereader that the individual listed has the Òname,ÓEric E.Cohen,and his current role is that ofÒyour speaker.ÓTable 1Panel A:Example #1 Information about rentent expen&#x r00;seurrenc쀀y USD urrenc&#x/c00;ymounꀀt82moun&#x/a00;tent expen&#x/r00;sePanel B:Example #2Information about a speaker Ordinary InformationMetadata:information about information in XMLEric E.Cohenour_speake&#xy000;r123 Best Roadam&#xn000;eEric E.Cohenam&#x/n00;eRochester,New York 14678ddresꀀs1 716 123 4567 tree&#xs000;t123 Best Roadtree&#x/s00;tti00;yRochestert&#x/ci0;ytat&#xs000;eNew Yorktat&#x/s00;ep_cod&#xzi00;e14678p_cod&#x/zi0;eddres&#x/a00;selephon&#xt000;e 1716 123 4567elephon&#x/t00;eour speake&#x/y00;rThis is an example ofstandardized format/metadata.In both ofthese previously discussed examples,the readercan easily understand the meaning oftags such as name,address,currency,and rent expense.In the realm ofbusinessreporting,on the other hand,a considerable amount ofefforthas been spent developing speciÞcations for particular tagnames.Tag names in an XML document can be associatedwith different speciÞcations using a mechanism called name-spaces that associates speciÞc tag names with the source ofsuch tags.The tag names provide important context information and the speciÞcations for each industry.Toensure that tag names within XBRL documents are used IMPLICATIONSOFECONOMICTHEORIESANDDATALEVELASSURANCESERVICES53consistently,for example,namespaces are indicated within ataxonomy Þle using the targetNamespace.The namespacesonly point to the taxonomy/schema.The namespace ismeaningless without the related taxonomy;the namespace is only a pointer between the concepts in the instance document and the deÞnition ofthat item in the schema.In XBRL terminology for example,an element name may be ÒnonCurrentAssets.propertyPlantAndEquipmentNetÓdescribing non-current assets as part ofnet property,plant,and equipment(http://www.xbrl.org/resourcecenter/speciÞcations.asp?sid=22)1.In addition,the word,instance has special meaning inthe vocabulary ofXBRL.ÒAn XBRL instance is an XML doc-ument containing XBRL elements that together constituteone or more statements.The Þnancial statements ofIBM,expressed in XBRL,would be an instanceÓ(http://www.xbrl.org/resourcecenter/speciÞcations.asp?sid=22).As shown in Table 2,data level assurance services canprovide answers to users related to authorization,authentica-tion,context,and other characteristics offacts and informa-tion.Data level assurance may also include assurances at theaccount level.The consumer ofinformation may want somelevel ofcomfort when dealing with managementÕs assertionswith regard to speciÞc accounts.Account-level assurancewould be appropriate ifthe user in dealing with manage-mentÕs assertions needs assurance whether or not items have been coded to the ÒrightÓgeneral ledger account (e.g.,vendor,bank).The international business potentially adds an additional level ofcomplexity to data level assurance thatis being addressed by the XBRL community.In cases wherethere are different account classiÞcations because ofdifferentmeanings between countries,there would be a need for atranslator tool such as XBRL Reference Tool (http://xbrl.emporia.edu/ 2002-2003 XBRL International AcademicCompetition project).In such a case,assurances on a datalevel could possibly provide the user with some level ofcom-fort about the meaning ofspeciÞc account classiÞcations.Table 2Data level assurance is to provide variable comfort (opinion statement) that¥Appropriate authorization and authentication is assured Ð authorized data fromreliable source¥Reader has necessary context for understanding data item(s) Ð is the data meaningful to the reader¥No obvious inconsistencies between tags and textual items (machine and human-readable identiÞcation) exists ¥Content oftag and tag ofcontent make sense ¥Appropriate controls between instances and referred-to schemas are in placeAnd technology that makes that assurance is portable after transformation oftheoriginal data item.(Source:Eric E.Cohen,Data Level Assurance,IMA Anuual Conference,June 25,2002)With information proliferating on the web,Jeffrey (2002)suggests that there is a need for development ofmetadata(data describing data) to solve issues ofdata quality,queryquality,answer quality,and integration ofheterogeneoussources (Jeffrey 2002).The metadata approach results inbeneÞts because it provides reference points for validationthrough schema and constraints for online help and transla-tion.Metadata as a schema is helpful since it serves asdomain taxonomy (ontology) information against whichfacts can be evaluated to assess quality (Jeffrey 2002).Thereare various groups working on making XML-based datamore reliable for decision makers to use.For example,theOASIS Security Services Technical Committee (SSTC) isworking on the XML-based Security Assertion MarkupLanguage (SAML) to develop standards for exchangingauthentication and authorization ofXML (or XBRL) infor-mation (Cover 2002).SAML is primarily for business-to-business (B2B) information exchange rather than focusingon various data-quality issues faced by anonymous datasearchers looking for Þnancial information on the Internet.SAMLÕs efforts to develop standards are expected to be relevant to users who need to be authenticated to the supplychain and/or individuals who are Þling ofÞcial documents tocertain tax or regulatory authorities.Another example is theNASDAQ project which illustrates the use ofWeb services todeliver XBRL data to a spreadsheet or any other tool to beanalyzed by investors or other users asdaq.corlwIII. BackgroundThe rapid pace ofbusiness change combined with technological capability has created interest in the relatedconcepts ofcontinuous reporting (CR) and continuousassurance (CA).In this paper continuous,in contrast to periodic,reporting refers to more frequent reporting and disclosing ofbusiness information (e.g.,real or near-realtime,daily,weekly,or monthly basis).Some researchers(Alles Kogan and Vasarhelyi,2001) have predicted thatfuture reporting will occur so frequently as to make it near continuous.The concept offrequent reporting ofoperational measures within a company,however,is not necessarily a new phenomenon.Many companies alreadyhave systems that provide near continuous informationabout key operational indicators.The concept ofCR usuallyrefers to the ongoing disclosure ofboth Þnancial and non-Þnancial information to external parties such as investors,creditors,and regulators.1 Although the name can be indicative ofthe hierarchy and the meaning,it is anything by the rule.Reading the human readable labels and deÞnitions and evaluating the underlying authoritative references can only discern the true meaning ofwhat an element is. Continuous assurance (CA) providing assurances muchmore frequently would seem to be a logical companion tocontinuous reporting.Continuous auditing,as a foundationfor continuous assurance,was the topic ofa research reportdeveloped by the Canadian Institute ofChartered Account-ants (CICA) and the AICPA (CICA and AICPA 1999).Thereport indicates that the word audit implies ÒThe highestlevel ofassurance regardless ofsubject matterÓwith continuous auditing deÞned as:ÒÉa methodology that enables independent auditors toprovide written assurance on a subject matter using a seriesofauditorsÕreports issued simultaneously with,or a shortperiod oftime after,the occurrence ofevents underlying the subject matter.Ó(p.5)Continuous auditing,as well as continuous assurance,have been discussed in a number ofrecent articles (Alles,Kogan,and Vasarhelyi 2002;Elliott 2002;Rezaee,Elam,and Sharbatoghlie 2001;Rezaee,Sharbatoghlie,Elam,andMcMickle 2002;Wright 2002).While some authors have suggested that the demand for continuous assurance is not aforegone conclusion (Alles et al.2002),others have suggestedthat assurance services will be valued by a wide variety ofdecision-makers (Elliott 2002).Much ofthe research todayon continuous auditing has focused on the beneÞts ofrealtime monitoring ofbusiness processes,not the third-party,continuous assurance (CA) services.There is some evidencethat internal auditors use CA techniques to meet their pur-poses and to provide feedback to management,one stepfrom the monitoring and control function (Vasarhelyi,Halper 1991).Finally,external auditors (depending uponintrepretation ofthe Sarbanes-Oxley Act) may use CA for a series oftriggers and alarms that identify issues that needto be dealt with immediately rather than wait until year end-or interim-scheduled work.In absence ofgovernment or political inßuence,for CA tobecome an economically viable service,however,the beneÞtsmust exceed costs and someone must be willing to pay forthe service.Yet,it is not clear that demand for either CR orCA will be high for virtually all types ofbusiness informa-tion and every type ofbusiness.Since cost-beneÞt consider-ations are also expected to drive the CR decision,companiesmay limit their continuous disclosure to several key Þnancialand non-Þnancial indicators.To the extent that CR does takethe form ofdata level or account disclosure,the assurancewill be at the data level or account level.Providing assur-ances on a data level represents a signiÞcant change from the traditional attest perspective ofrendering an opinion on Þnancial statements as a whole.In Continuous Auditing (CICA and AICPA 1999),representatives ofthe accounting professions ofCanada andthe United States seem to suggest that,in the near term,thesubject matter for continuous auditing will be focused onÒroutine,hard data that is easily interpreted or measurableÓ(p.12).The report predicts that automation may eventuallyallow continuous auditing ofitems that today require a greatdeal ofjudgement and are considered non-routine and difÞcult to audit on a continuous basis.IV. New Business Assurance ServicesLabor-intensive manual tasks,such as footing and cross-footing,are now obsolete or can be completed quickly andefÞciently through software.Audit software packages havealso been used to facilitate sample selection,recalculation,conÞrmation generation,and a host ofother audit tasks.Fortunately,technology has been a catalyst behind manypositive improvements and efÞciencies in the audit process.For example,audit software packages such as ACL,IDEA,and Þrm-developed audit tools,have allowed auditors tocomputerize many clerical tasks (Bierstaker,Burnaby,andThibodeau 2001;Glover and Romney 1998;Helms 2002;Kanter 2001;Lanza 1998).Standardization is also criticaland has been emphasized by the profession as an importantfactor in accomplishing the six pillars in the AICPA/CICAstudy (CICA and AICPA 1999) required to move forwardwith timely audit reports.The move toward increased standardization may help to maximize the productivity associated with use ofauditing software.IDEA and ACLboth become easier to use when standardized formats/metadata tags are available so the auditor can more easily getat the data.Use ofIDEA and ACL,along with standardizedformats and tags allows more tasks to be automated andmakes data more transparent to the auditor.In a digital age,paper-based documents have increasinglybeen replaced with electronic equivalents,but electronicaudit trails have not matured to match.Whereas in a paper-based environment the auditor can examine source docu-ments,journal entries,and ledgers that are available longafter the fact,electronic documents may not exist after thetransaction has been completed.Often,the traditional,paper-based Òaudit trailÓdoes not exist,making substantiveaudit techniques less relevant.To accommodate the shift from paper to electronic evi-dence,the profession saw the need to focus more attentionon the internal controls.In ÒThe Information TechnologyAge:Evidential Matter in the Electronic Environment(AICPA 1997a),the authors state:ÒThe competence ofelectronic evidence usually depends on the effectiveness IMPLICATIONSOFECONOMICTHEORIESANDDATALEVELASSURANCESERVICES55ofinternal control over its validity and completeness.ÓThepervasiveness ofelectronic evidence means that auditorsmay no longer rely heavily on substantive testing to reducedetection risk.Instead,the auditor needs to develop a betterunderstanding ofthe clientÕs business and conduct tests ofsystems controls such as passwords,Þrewalls,and other systems controls.(Helms and Mancino 1998).The additional demands ofSarbanes-Oxley on internalcontrols,not only for accounting systems but also for Þnan-cial reporting,may lead to the need for new,more automatedprocesses for most SEC Þlers.For example,a user may accessinformation on a Web site that reports company sales Þgurein near-real time.Ifthe sales information is updated by hand or compiled manually from multiple sources within the organization,no automated process is readily available to support automated assurance.Whereas manual systemsmay be examined for traditional assurance services,theavailability ofreliable automated systems is an importantprerequisite for continuous data level assurance.If,on the other hand,the sales Þgure is automaticallysupplied from reliable systems,the continuous auditor canbegin to apply audit agents full-time computerized tools tocollect information from many internal and external sources.These data sources may include XBRL GL and other XMLderivative transactions,news sources,and representations ofevents related to loans and other covenantal relationships.The auditor can then maintain control totals that can becompared with reported totals at any point in time.Exception reports can be created and variances pursued and explained or otherwise reconciled.To facilitate data level assurance,reported totals wouldneed to be provided in a format that is machine-readable,discoverable,and consistent.The technology associated withXBRL aids this process by specifying that certain deÞninginformation must accompany business-reporting facts.Users may be interested in having their questions answeredthat related to almost any piece ofbusiness reporting information.Potential questions include the following:1.Who is the entity being reported upon?2.Do these facts represent the actual reported-upon facts,budget information,forecast information,or some other scenario?3.For what period oftime (or as ofwhat time) do the facts relate?4.What unit ofmeasure (dollars or Euros,square footage or head count) is each fact measured in?XBRL also aids the assurance process by establishingagreed-upon sets oftags,which surround business facts providing the context needed for the user to understand thepresented fact.These sets oftags are published by the XBRLInternational consortium,its jurisdictions,industry groups,companies,and individuals.As a consequence,data levelassurance may involve a series ofquestions about the tagsthemselves.Users may want to know ifthe facts are from an established organization and ifthey make sense in thecontext ofthe particular company.The paper-paradigm suggests that users need all oftheinformation in a Þnancial statement to make appropriatedecisions.Ifusers decide to extract and look at any one piece ofinformation,it becomes critically important to linkthat fact to any directly related information.For example,theinventory valuation method would need to be linked to factsabout inventory value.As we move from the paper paradigm toward Web-enabled dissemination ofdata,it becomes increasingly critical for users to know the source ofany facts and state-ments presented on a corporate web site,in a news release,on an analystÕs Web site or in a third party repository.Under-standing the source ofinformation is necessary to allow theuser to judge the quality ofa particular piece ofinformation.Fortunately,technology provides a potential solution.Emerging tools from the World Wide Web Consortium givemanagement,external auditors and analysts the capability toprovide electronic signatures that accompany the documentswherever they may be found.Electronic signatures may easeconsumer concern about whether or not the document orfact accurately portrays the representations and assertions ofmanagement.Lastly,questions may arise related to the credentials,reputation,and background oforganizations providingthird-party assurance.Users may want to know the reputa-tion ofthe assuror and whether the assurance actually relates to a particular set offacts.Given the background and reputation ofthe assuror,the user may want to know ifthe assurance can be trusted and ifit matters.Numerousefforts are under way to evaluate how the market will reactand how the accounting profession will be able to fulÞll these challenges.Current pronouncements related to supple-mentary materials,agreed-upon procedures,and electronicversions ofexisting documents fall short in meeting theneeds ofthe new assurance. V. Data Level Assurances and InformationEconomicsFor decades,researchers have tried to use one or moreeconomic theories to explain how organizations and individuals use and value business information.One ofthenormative frameworks that have been used in accountingresearch is information economics (Demski 1980;Demskiand Feltham 1976;Feltham 1972;Feltham and Xie 1994).Information economics suggests decision-makers valueinformation to the extent that it reduces uncertainty andallows them to make better decisions.Prior to selecting acourse ofaction,the decision-maker has the option to obtaininformation about alternative outcomes that may occur.The information provides the decision-maker with a ÒsignalÓabout the probabilities associated with alternative states ofnature.In terms ofinformation economics terminology,alternative outcomes are called states ofnature.For example,states ofnature can include conditions about the weather,the economy,and the performance ofa given company orsome other future uncertain outcome.Information only has potential value ifit allows the deci-sion-maker to revise his or her beliefs about the probabilitiesofthe salient state ofnature in time to select the course ofaction that maximize expected utility.Not all signals aboutstates ofnature have value.Ifthe information about a partic-ular state does not cause a change in the course ofactionselected,then that particular signal is perceived to have nouse for that particular decision-maker and decision.Forexample,a ÒsignalÓabout the weather may be very helpful for a business planning an outdoor concert or a business that provides refreshments on the beach but has no value for someone trying to decide whether to invest in a givenstock.Timely weather information would be important for a business that relies on good weather to plan its purchasesand other commitments,but the same signal provides noguidance for the decision-maker interested in selecting astock.A potentially valuable signal can also lose usefulness ifit is not timely.For example,assume a refreshment-standowner has made commitments to purchase a certain level ofperishable product and will be unable to cancel the order ortake any other corrective action ifthe weather turns stormy.In that instance,the signal about the weather is not impor-tant since it cannot cause a change in the decision-makerÕsactions.Taken together,information economics suggests that the value ofinformation is a function ofthe decision,the decision-maker,and potential signals.Timeliness is critical since information that arrives too late to make a difference is virtually worthless.Unlike classical economic theory that assumes costlessand perfect information,in the real world information is neither free nor perfect.The decision to obtain informationmeans that the decision-maker will incur costs in terms oftime,effort,and money.As a consequence,the decision-maker is expected to consider the costs associated with gathering more information.In particular,information economics suggests that the decision-maker will comparethe expected utility with and without the additional infor-mation.In terms ofCA,one prominent issue centers on thefeasibility ofproviding the services on a cost-effective basis.As previously discussed,CPAs have been successful inharnessing technology to improve the auditing process.Previous research (Kogan,Sudit,and Vasarhelyi 1999) suggests that Òmany technological hurdles in the way ofcontinuous online auditing are likely to be overcome in thenear future.ÓFor example,technologies such as XBRL makeit easier to share business reporting information amongmanagers,audit committee members,and other externalparties,such as creditors,investor,and regulators.Theadvantage ofXBRL relates to its ability to allow informationfrom various sources to be distributed over the Internet andbetween applications in a quick,cost-effective manner.To date,there have been few published research reportson applications ofCR and CA,(OÕDonnell and David 2000).Previous studies have examined continuous auditing ofdatabase applications (Groomer and Murthy 1989) and acontinuous auditing application at AT&T Bell Laboratories(Vasarhelyi and Halper 1991).More recently,accountingresearchers (Woodroofand Searcy 2001) have demonstratedthe feasibility ofcontinuously monitoring debt covenantcompliance through the use ofdigital agents and alarm triggers.Research Implication #1:Information economics suggeststhat demand for continuous reporting and data level assur-ance will not be uniformly high for all elements ofbusinessreporting for all timeframes.Demand for CR and CA isexpected to be a function ofthe needs ofthe decision maker,the types ofdecision that need to be made and the ability ofparticular signals to help speciÞc decision-makingprocesses.For example,daily reporting ofsales may be very informative while daily disclosure ofcertain committedÞxed expenses may have no information value.Frequent andreliable sales ÒsignalsÓmay help to reduce uncertainty aboutfuture proÞtability for companies with frequent and unex-plained ßuctuation in sales.In contrast,in all likelihood the potential information content associated with frequentupdates ofthe property tax bill or depreciation would tendto be low.Neither ofthese committed,Þxed costs would be IMPLICATIONSOFECONOMICTHEORIESANDDATALEVELASSURANCESERVICES57expected to change drastically over a short term.To providedata level assurance services,future research may speciÞcallyexamine which elements ofbusiness reporting are consid-ered most valuable by decision-makers in various settingsand how frequently the markets need such information to be disclosed.Researchers may also seek to apply this theoryin the context ofstatutory reporting.Studies could be conducted to examine the information content ofspeciÞcXBRL data submitted by the member Þrms to the FDIC.Information economics would suggest that some pieces ofinformation may have greater information content and valuethan others.Such research can be conducted through Þeldstudies,survey instruments,and model building.VI. Data Level Assurances and AgencyTheoryAgency theory provides a framework for exploring thenature ofcontracting and the role ofinformation in mitigat-ing the uncertainty that results when owners need to hireself-interested individuals to accomplish the work ofthe Þrm (Jensen and Meckling 1976).Since the owner cannotdirectly observe the level ofemployee effort,accounting datahas played a major role in determining compensation andrewards for managers and other employees.Agency theorydeÞnes the principal as the owner and/or stockholder withtop management being the agent.The owner delegates deci-sion-making to top management who then act as principalsin hiring lower level employees such as divisional manage-ment.The basic concept is that one party (the principal)needs to hire another party (the agent) but is unable to monitor the employeeÕs (agentÕs) performance.The inabilityto monitor performance causes problems (agency costs)since the principal and agent have different perspectives with the agent being both effort- and risk-averse.Essentially,the employee will be interested in maximizing compensationwhile minimizing personal costs such as time,knowledgeand effort.Without proper incentives,employees will act in their own best interests by making decisions that maxi-mize personal compensation,perhaps at the expense ofthecompany.To discourage shirking and other self-servingactions by the employee,the company designs incentives that carefully introduce an element ofrisk into the compen-sation plan.As a consequence,compensation plans mayinclude bonuses based on both Þnancial and non-Þnancialmeasures and include other inducements to encourage theeffort- and risk-averse agent to work hard and make deci-sions that increase the companyÕs value for the owners.Principals decide to spend money on information in an attempt to monitor the agentÕs actions in order to see howthe given employee contributed to Þrm value.Monitoringthe agentÕs effort is a key objective ofthe information systemsince the employee is considered self-interested with goalsthat may not be congruent with the owners.Agency theoristsare careful to emphasize that the principalÕs interest inaccounting measures is not for the inherent value ofthemeasures,per se,but rather for what they indicate about the effort level ofthe employee.Ifthe principal had perfectknowledge about the actions ofthe agent,then the agentwould be compensated based on effort.Previous researchers (Kogan et al.1999) have proposedagency theory as a meaningful framework for examining the beneÞts ofcontinuous auditing and have suggested thatmore frequent reporting may have a number ofbeneÞtsincluding a reduction ofagency costs.The authors also sug-gest that high frequency audits may increase the reliability ofmeasures to such an extent that ÒÉthe audits ofoutcomes ismore meaningful,and the audit ofactions is not as impor-tantÓ(p.96).According to Kogan et al (1999) Òthe demandfor continuous auditing may be higher when moral hazardor information asymmetry is strong,monitoring is cheap,risk sharing is expensive and agency costs are highÓ(p.97).In addition to providing some theoretical justiÞcation for increasing the frequency ofreporting,agency theory alsoprovides some guidance related to the subject matter.In particular,prior agency theory models (Banker,Datar,andSrikant 1989;Feltham and Xie 1994;Holmstrom 1979) sug-gest that the informativeness ofany potential measure mustbe considered in designing a system to monitor perform-ance.In the framework ofagency theory,the informativenessprinciple refers to the ability ofa measure or combination ofmeasures to provide meaningful insight about the employeeÕsactions and contribution to company value.In selectingwhich performance metrics to track in a continuous report-ing environment,prior agency theory research suggests that more information is not always better (Jacobides,andCroson 2001).According to Jacobides and Croson (2001),tracking more measures under certain conditions may leadto lower value,and Òoveremphasis on highly visible behav-iorsÓcan be counter-productive (Kerr 1975).The reductionin value is a function ofa variety offactors including noisymeasures,poor alignment ofmeasures,and the incentiveplan.For example,assume a companyÕs strategy is to increaseunit volume and the owners decide to track performance ona highly visible and easy-to-track metric,sales dollars.In a market with rising prices,sales dollar increases may mask a decrease in unit volume and a decline in proÞtability.Nevertheless,managers will have the incentive to worktoward improving sales dollars without regard to volume and costs.Given these circumstances,the owners may Þndthat data level reporting and/or assurance on sales dollarsleads to lower value for the Þrm as a whole.On the surface,it would seem that managers should onlybe held responsible for decisions over which they have somecontrol.In responsibility accounting terms,this is referred to as the controllability principle.Strict adherence to thecontrollability principle would suggest that a cost centermanager only be held responsible for costs over which he orshe has control.Agency theory,on the other hand,suggeststhat measures that are outside ofthe control ofthe managermay nevertheless be very ÒinformativeÓabout performance(Antle and Demski 1988).According to the Antle andDemski (1988),measures do not need to be controllable bythe employee to be valuable for performance evaluation.Forexample,to the extent that industry benchmark informationis available,reliable,and comparable,a company may chooseto forego in-depth internal monitoring ofemployees.Theindustry information could provide a benchmark againstwhich employeeÕs performance may be evaluated.Research Implication # 2:In addition,guiding researchabout high frequency audits per se,agency theory may alsobe helpful in understanding demand for data level assurance.Analogous to information economics,agency theory sug-gests that demand may not be equally high for all elementsofbusiness reporting.Future research may seek to evaluate the market forindustry-wide performance measures ÒcertiÞedÓby thirdparties.Research may demonstrate that the Òinformative-nessÓofbroad performance indices varies with the industry.For example,customer satisfaction among computer buyersmay be quite comparable across the various computer man-ufacturers.Similarly,a metric such as on-time performanceseems relatively comparable across the airline industry.Research questions abound about the ability oftechnolo-gies such as XBRL,to bring efÞciency in production and distribution ofbusiness information facilitating the use ofdata level reporting to monitor agents.At this stage,it isunclear ifand how the cost ofmonitoring the agent will bereduced.Besides having the potential to reduce costs associ-ated with internally developed information,efÞciencies driven by technology may also affect the internal and external assurance functions.Research may be needed toevaluate the costs and beneÞts ofthe various technologysolutions available to both internal and external auditors.Forassurance servicesÕclients,technology may make reportingand assurance on a data level less costly and more attractivefor monitoring the agents effort.Data level assurance orassurance at the account level on XML based or XBRL information may provide assurances on a targeted activity or responsibility.Answering these questions is left to futureresearch studies.Widespread concern about the inappropriate perform-ance measures and perceived lack ofrelevance ofÞnancialmeasures led a number ofbusinesses to adopt some form ofa Balanced Scorecard (Kaplan and Norton 1996 and 2000)for evaluating employees.The essence ofthe BalancedScorecard is that multiple measures,including many non-Þnancial metrics are needed to link employeeÕs actions toincreases in Þrm value.Future research may survey decision-makers on their perceptions ofthe quality ofvarious non-Þnancial measures and their willingness to pay for assuranceon certain metrics.For example,ifcustomer satisfaction datais considered a critical success factor for a given industry,there may be demand for third-party,data level assurance ofits measure.VII. Data Level Assurances andTransaction Cost TheorySimilar to agency theory,transaction cost economics(TCE) focuses on contracting,self-interest,and goal incon-gruence.Both theories provide a theoretical framework forresearchers interested in exploring the value ofmonitoringsystems as a control mechanism.While both theories examine mechanisms to reduce opportunism,the unit ofanalysis (Williamson 1975 and 1991) in TCE is the economicexchange or transaction.According to TCE,situations mayarise in which a partner to a transaction may be able to take advantage ofanother.For example,a supplier may takeadvantage ofa contractually committed buyer by providing a lower quality ofservice knowing that the buyer has limitedoptions (Noordewier,John,and Nevin 1990).With its focuson transactions and the exchange relationship,the literatureon TCE provides a rich background for accountingresearchers interested in investigating continuous reportingand data level assurance as control mechanisms in the supply chain.The theoretical underpinnings ofTCE are traceable backto Ronald CoaseÕs,ÒThe Nature ofthe FirmÓ(1937).In thisseminal work,Coase proposed that Þrms and markets arealternative ways to organize economic activity in the interestofminimizing transaction costs.According to Coase,Þrmsexist when the cost ofconducting economic activity in themarket is more costly than the cost would be in a Þrm set-ting.In economic terms,Þrms versus markets are alternativegovernance structures.In certain circumstances,supply anddemand are governed or controlled more cost effectively by the pricing mechanism in markets.In others,supply anddemand requirements are controlled with lower costs withinthe boundaries ofthe Þrm. IMPLICATIONSOFECONOMICTHEORIESANDDATALEVELASSURANCESERVICES59More than thirty years later,CoaseÕs propositions wereexpanded upon by explicitly considering how the behavioralattributes ofthe decision-maker and nature ofthe economicexchange affect transaction costs (Williamson 1975,1985,and 1991).Two attributes ofthe decision-maker thatWilliamson discusses as it relates to transactions are boundedrationality and opportunism.Bounded rationality (Simon1957) is the construct that humans attempt to make rationaldecisions but have limited information processing capabili-ties.ThTCE implication is that decision-makers cannotpossibly consider all aspects ofcomplex transactions whenmaking decisions about trading partners.Opportunism,orÒself-seeking with guileÓ(Williamson 1985,p.47) is anotherbehavioral attribute that suggests that some parties to atransaction may behave in a self-serving manner.Williamson also suggests that asset speciÞcity is animportant aspect oftransactions that,along with the behav-ioral attributes ofthe decision-maker,affect transactioncosts (Williamson 1985,p.202-207).Asset speciÞcity refersto the extent that a transaction involves speciÞc investmentsthat are highly valuable in the context ofthe trading relation-ship but have low value otherwise.SpeciÞc investments,atype ofsunk cost,create problems by making it costly fortrading partners to abandon the relationship eide and John1990).According to Williamson (1991) asset speciÞcity cantake a variety offorms including expenditures on physicalassets,dedicated equipment and specialized training.Previous empirical research has sought to examine therelationship between factors such as asset speciÞcity and various control devices (Anderson and Weitz 1992;Heideand John 1990;Stump and Heide 1996).For accountingresearchers,research dealing with monitoring (Stump &Heide,1996) and qualiÞcation ofsuppliers (Heide and John,1990) may provide a relevant perspective for examining thebeneÞts ofcontinuous reporting and data level assurance for trading partners.In a study ofchemical manufacturers,Stump and Heide (1996) found that certain contextual factors inßuence the decision to track the performance ofsuppliers.In particular,the study found that monitoring isless likely to occur when performance ofthe supplier is difÞ-cult to measure.The accounting implication ofthis Þnding is that demand for continuous reporting and data levelassurance may be highest for industries and situations thathave well-deÞned performance standards,or when the datais more transactional in nature,as opposed to needing todeal with rapidly changing market values.The study also provides some evidence ofthe relation-ship between ex ante control measures,such as evaluatingthe qualiÞcations ofthe supplier and monitoring.TCE suggests that ex ante control mechanisms may need to besupplemented with ex post devices such as monitoring(Williamson 1994).In terms ofex ante control devices,Stump and Heide differentiate between efforts to evaluatesupplier ability and motivation.Whereas evaluating abilityinvolves gathering information about supplier skills,evaluat-ing motivation involves gathering information about supplierphilosophy and benevolence.In terms ofex ante supplierevaluation,a positive relationship was only found betweenefforts to evaluate supplier ability and monitoring.A mar-ginally signiÞcant and negative relationship was foundbetween ex ante efforts to determine supplier motivationand monitoring.Although the authors suggest that measure-ment problems with the motivation variable may account for the Þndings,the results may also indicate that there is amissing variable such as trust that mitigates the need formonitoring.Although the formal transaction cost frame-work (Williamson 1993) discounts the explanatory value oftrust,others researchers have sought to add the construct oftrust to the theory (Nooteboom,Berger,and Noorderhaven1997).In terms ofthe demand for monitoring in supplychain relationships,accounting researchers (Alles et al.2002) have suggested that trust may substitute for extensivemonitoring.Research implication #3:Transaction cost economics and extensions that include trust would seem to providemeaningful frameworks for examining the demand for con-tinuous reporting and data level assurance in the supplychain.Researchers may ask how the availability ofXBRLinformation affects the relationship between parties in thesupply chain.By facilitating continuous reporting,XBRLmay allow trading partners to develop mutual trust morerapidly.On the other hand,faster,more frequent,and easy-to-use data may reduce the need for third party assurance on that reported information.Researchers may conductexperiments to investigate the relationship between demandfor continuous reporting and factors such as trust,assetspeciÞcity,uncertainty,transaction frequency,and ex antecontrol mechanisms.Previous studies ofTCE have used avariety ofmethods including mail surveys,use ofsecondarydata sources,and experimentation to study the factors thataffect the supply chain.Since continuous reporting and datalevel assurance are in the earliest stages ofdevelopment(Kogan et al.1999),it may be helpful for accountingresearchers to join forces with experts in marketing and economics and conduct basic market research to furtherexamine the determinants ofdemand for continuous reporting.Lastly,research could investigate the possible negative effects ofcontinuous assurance on the perceived independence ofthe third-party assurers.To the extent thatthe assurer obtains substantial fees and becomes intricatelyinvolved in the operations ofthe Þrm,independence may be jeopardized.VIII. LimitationsThis paper sought to explore issues associated with data level assurance as a new type ofassurance services.To that end,the paper presents an overview ofthe currentterminology and technology in this area.Since data levelreporting and assurance are evolving areas in accounting,issues discussed in this paper reßect the authorsÕcurrentthinking on the topics.In terms ofeconomic theories,this paper did not intendto serve as an exhaustive treatment ofeconomic theoryinteracting with data level assurance.In addition,althougheach theory was discussed separately to emphasize uniquecontributions,there are similarities among all three theoriesregarding the value ofinformation and data level assurance.For example,cost-beneÞt considerations are essential tounderstanding the predictions ofall three theories.IX. ConclusionsBy exploring the issues and opportunities associated with data level assurance as a new type ofbusiness assuranceservice,this paper hopes to stimulate further research in the area.The suggestion ofthis paper is that established economic theories may provide a valuable perspective forinterested academic researchers.Information economicshighlights the importance oftimeliness and also suggeststhat information is only valuable ifit reduces uncertaintyand facilitates better decision making.In addition to guidingresearch about high frequency audits (Kogan et al.1999),agency theory suggests that demand may not be uniformlyhigh for continuous reporting ofall elements ofbusinessreporting.The informativeness principle in agency theory(Holmstrom 1979) indicates that the value ofa given meas-ure depends on its ability to provide information about theemployeeÕs contribution to Þrm value.Agency theory also suggests that more information is not always better(Jacobides and Croson 2001;Kerr 1975) and performancemeasures do not necessarily need to be under the control ofthe employee to provide effective incentives (Antle andDemski 1988).This last suggestion has implications for thedemand for continuous reporting and assurance as it relatesto industry benchmark information.Accounting researchers have suggested that monitoringofinventory information may be beneÞcial for trading partners (CICA and AICPA 1999;Hunton 2002).XBRL GL as a standardized format for exchanging inventory and sales transaction representations may help meet this need.Transaction cost economics would seems to provide a mean-ingful framework for evaluating the demand for continuousreporting and assurance on inventory and other items thatare critical to supply chain management.Transaction costeconomics suggests that monitoring has value even when the buyer has pre-qualiÞed the supplierÕs abilities (Stumpand Heide,1996;Williamson 1994).It has been said that ÒContinuous assurance É is only a matter oftime,because continuous reporting is only a matter oftimeÓ(Elliot 2002,p.146).Academics can providevaluable insight to the accounting profession by researchingthe factors that affect the feasibility ofnew assurance services such as data level assurance.FIGURE1:EVOLUTIONOFNEWASSURANCESERVICESSource:Derived from www.aicpa.org/assurance/about/comstud/defncom.htm ureServices NewAssurances IMPLICATIONSOFECONOMICTHEORIESANDDATALEVELASSURANCESERVICES61ReferencesAICPA.1997a.The Information Technology Age:EvidentialMatter in the Electronic Environment.New York,New York:American Institute ofCertiÞed Public Accountants.AICPA.1997b.Special Committee on Assurance Services.Retrieved June 20,2002,from the World Wide Web:www.aicpa.org/assurance/index.htmAlles,M.G.,A.Kogan,and M.Vasarhelyi.2001.Accountingin 2015.CPA Journal,70 (11),14-20+.Alles,M.G.,A.Kogan,and M.Vasarhelyi.2002.Feasibity and economics ofcontinuous assurance.Auditing,21(1),121-138.Anderson,E.,and B.Weitz.1992.The use ofpledge to buildand sustain committment in distibution channels.Journal ofMarketing Research,29 (February),18-34.Antle,R.,and J.Demski.1988.The controllability principlein responsibility accounting.The Accounting Review,63(October),700-718.Banker,R.,D.Datar,and M.Srikant.1989.Sensitivity,Precision,and Linear Aggregation ofSignals.Journal ofAccounting Research,27(1),21-40.Bierstaker,J.L.,P.Burnaby,and J.Thibodeau.2001.TheImpact ofinformation technology on the audit process:anassessment ofthe state ofart and implications for the future.Managerial Auditing,16(3),159-164.Boeheim,M.A.,and M.A.Rieman.1999.Data extractionand analysis software:An audit examination tool for a newmillennium.The Secured Lender,55(5),46-50.Castellano,J.G.2002.LetÕs play to our strength.Journal ofAccountancy,193(2),52-55.CICA,and AICPA.1999.Research Report:ContinuousAuditing.Toronto,Ontario:The Canadian Institute ofChartered Accountants.Cover,R.2002.Security assertion Markup Language(SAML),ttp://xml.coverpages.org/ni2002-11-12-b.htm&#xh000;lDemski,J.1980.Information Analysis.Boston,MA:Addison-Wesley.Demski,J.,and G.Feltham.1976.Cost Determination:AConceptual Approach.Ames,Iowa:Iowa State UniversityPress.Elliott,R.K.2002.Twenty-Þrst century assurance.Auditing,21(1),139-146.Feltham,G.1972.Information Evaluation:Studies inAccounting Research # 5.Sarasota,FL.:American AccountingAssociation.Feltham,G.,and J.Xie.1994.Performance measure con-gruity and diversity in multi-task principal/agent relations.The Accounting Review,69 (July),429-453.GEIA.2002.Information assurance impacted by the homeland security mission.Press release (January).Arlington,VA.:GEIAGlover,S.,and M.Romney.1998.The next generation software.Internal Auditor,55(4),47-53.Groomer,S.M.,and U.S.Murthy.1989.ContinuousAuditing ofDatabase Applications:An Embedded AuditModule Approach.Journal ofInformation Systems (Spring),53-69.Heide,J.B.,and G.John.1990.Alliances in industrial purchasing:The determinants ofjoint action in buyer-sueller relationships.Journal ofMarketing Research,27(February),24-36.Helms,G.2002.Traditional and emerging methods ofelectronic assuance.CPA Journal,72(3),26-31.Helms,G.,and J.Mancino.1998.The electronic auditor.Journal ofAccountancy(April),45-48.Holmstrom,B.1979.Moral Hazard and observability.The Bell Journal ofEconomics,13,324-340.Hunton,J.2002.Blending Information and communicationtechnology with accounting research.Accounting Horizons,16(1),55-67.Jacobides,M.G.,and D.C.Croson.2001.Information policy:Shaping the value ofagency relationships.Academy ofManagement Review,26(2),202-223.Jeffrey,K.2002.Metadata:An overview and some issues ttp://www.ercim.org/publication/ws-proceedings/11th-EDRG/jefferey.pdf&#x h00;.Jensen,M.,and W.Meckling.1976.Theory ofthe Þrm:Managerial behavioral,agency costs and ownership structure.Journal ofFinancial Economics,3,305-360.Kanter,H.2001.Systems auditing in a paperless environment.Ohio CPA Journal,60(1),43-47.Kaplan,R.S.,and D.P.Norton.1996.The BalancedScorecard:Translating strategy into action.Watertown,MA:Harvard Business School Publishing.Kaplan,R.S.,and D.P.Norton.2000.The strategy-focusedorganization:How balanced scorecard companies thrive in the new business environment.Watertown,MA:HarvardBusiness School Press.Kerr,S.1975.On the folly ofrewarding A,while hoping for B.Academy ofManagement Journal,18,769-783.Kogan,A.,E.F.Sudit,and M.Vasarhelyi.1999.Continuouson-line auditing:A program ofresearch.Journal ofInformation Systems,13(Fall),87-103.Lanza,R.1998.Take my manual audit,please.Journal ofAccountancy,185(June),33-36. Noordewier,T.G.,G.John,and J.R.Nevin.1990.Performance outcomes ofpurchasing arrangements inindustrial buyer-vender relationships.Journal ofMarketing,54(October),80-93.Nooteboom,B.,H.Berger,and N.G.I.Noorderhaven.1997.Effects ofTrust and governance on relational risk.AcademyofManagement Journal,40(2),308-338.OÕDonnell,E.,J.S.David.2000.How information systemsinßuence user decisions:a research framework and literaturereview.International Journal ofAccounting InformationSystems,1,178-203.Pitt,H.2001,A major issues conference:securities regulations in the global Internet economy,ttp://www.sec.gov/news/speech/spch520.ht&#xh000;mRezaee,Z.,R.Elam,and A.Sharbatoghlie.2001.ContinuousAuditing:the audit ofthe future.Managerial Auditing,16(3),15-158.Rezaee,Z.,A.Sharbatoghlie,R.Elam,and P.McMickle.2002.Continuous Auditing:Building automated auditingcapability.Auditing,21(1),147-163.Simon,H.A.1957.Models ofMan.New York,New York:John Wiley & Sons.Stump,R.L.,and J.B.Heide.1996.Controlling supplieropportunism in industrial relationships.Journal ofMarketingResearch,33(4),431-441.Vasarhelyi,M.,and F.B.Halper.1991.The continuous auditing ofonline systems.Auditing:A Journal ofPracticeand Theory,10(1),110-125.Williamson,O.E.1975.Markets and Hierarchies:Analysisand Antitrust Implications.New York:The Fress Press.Williamson,O.E.1985.The Economic Institutions ofCapitalism:Firms,Markets,Relational Contracting.New York:The Free Press.Williamson,O.E.1991.Comparative EconomicOrganizations:An Analysis ofDiscrete StructuralAlternatives.American Science Quarterly,36(June),269-296.Williamson,O.E.1993.Calculativeness,Trust and EconomicOrganization.Journal ofLaw and Economics,36(April),453-486.Williamson,O.E.1994.Transaction cost economics andorganization theory.In N.J.Smelser and R.E.Sweddery(Eds.),The Handbook ofEconomic Sociology.Princeton,NJ:Princeton University Press.Woodroof,J.,and D.Searcy.2001.Continuous audit modeldevelopment and implementation with a debt covenant compliance domain.International Journal ofAccountingInformation Systems,2,169-191.Wright,A.2002.Forum ofcontinuous auditing and assurance.Auditing,21(1),123. Edited byDr. Saeed J. Roohani Bryant College 1150 Douglas PikeSmithÞeld, RI 02917 Tel: 401-232-6168E-mail: sroohani@bryant.eduWeb: www.bryant.edu