- From: <eric.e.cohen@us.pwcglobal.com>
- Date: Thu, 05 Jul 2001 13:34:25 -0400
- To: mscherling@rsasecurity.com
- Cc: xml-encryption@w3.org
You asked 'who signs the whole document'? Three quick answers: the publishing company, which is making the assertions found in the file; a CPA who would sign the external data and is also choosing to provide assurance on the systems or underlying detail; a service bureau creating the file on behalf of another company. You hit on a very key issue (which bleeds over to the digital signature area) - is the CPA's signature on a document really saying that the "document is true"? That is an expectation issue, but there is a need to have multiple types of signature - a signature may mean different things, such as: - This is the exact data file I was given by the company (just as a notary does not read what is being signed, but is saying they have observed the signer do their signing, this can be third party assurance that a data file is actually that provided from an original source). Perhaps, the signature shows it is the source document used for the CPA's own work and testing. - The contents are the assertions of management, but they have used our servicesd and systems to create this file and send it on to you (as will be the case for many small companies uysing a service bureau to create a file.) - I have seen this, pass it on. Your turn. - I have found a problem with this (not every accountant's report is clean) Thought you might like to know. - Check inside for more elaboration on what I think of this file and its contents Digital signature technology and agreement by the players can help provide additional levels of guidance on what a signature really means. Right now, on paper, the accountant's signature is stating something like "the financial statements PRESENT fairly the (condition of the company) in conformity with accounting principles generally accepted in the United States of America." That is what today's assurance covers - not the truth of the underlying document, but its fair presentation, and possibly really the presentation of the paper document. When the financial statements are then put on the Web, all of a sudden other issues come into play - such as whether the CPA's signature also covers contents accessed off of hyperlinks, or whether it is just saying "Check out the original paper document. That is where it is really at." What will a digital signature mean in the future? The means to have financial information on the web offering assurance where there is no paper (original presentation) around to fall back on. The profession is (haltingly) working through those issues, and the abilities that XML Encryption and XML Digital Signature give are certainly a catalyst. With XML, the _presentation_ can be removed, leaving all of the content and context. How does the CPA profession deal with content and context without presentation? New types of assurance may offer: - This electronic document does exactly match the original paper version, with the exception of the additional detail provided at - All of the context you need to make a decision is here - The correct tags have been applied - The content has been put into the right classifications XML Digital Signatures can really help highlight what is covered under a CPA's assurance and more importantly WHAT IS NOT. There are a slew of issues involved - such as who within the organization or at the CPA firm can be authorized to be signers for different purposes (a repository of authorized organizations and signers within those organizations comes to mind, maintained by the SEC or equivalent organization.) How can you make sure that the signature of a two year old financial statement shows as valid if the signer is no longer authorized to sign, but was then? Can you recall or obsolete a file so you have the equivalent of a recall? I hit on some of these topics in a presentation (http://raw.rutgers.edu/raw/XBRLandContinuousAuditing.ppt) given at a continuous auditing symposium at Rutgers, including some animated graphics of the selective unfolding of XML files. <eccn /> On your second example, it's a bit more nebulous. Since parts of the document are public, parts are confidential and parts are sensitive, who signs the whole document? You could segment the signatories to each level of security such that each part has been signed as a whole, i.e. public component is signed by the CPA to indicate that the information is true and an executive could sign the confidential parts, etc. AS a CPA you may not want to sign an entire document that the document is true if you cannot validate parts of the document. I would not recommend it to anyone. ---------------------------------------------------------------- The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
Received on Thursday, 5 July 2001 13:35:36 UTC