XBRL Queries, Inference Channels & the Inadvertent Disclosure Problem


CautionGirlAs we’ve discussed so often in related RVA_CFES Chapter posts,  prior to the passage of the US Sarbanes-Oxley Act, control assurance professionals like auditors and fraud examiners could review data principally only at discrete points in time.  With continuous SEC mandated XBRL supported reporting, we’re now operating with a reporting model in which detailed financial transaction data are more or less continuously available for query on corporate websites.  In the face of the hard fact that investors, analysts, insider-traders and fraudsters can all forcefully make the case that these systems improve the quality of their decisions, ethical or unethical, there needs to be some corporate review of the level of detail that should be made publicly available.   As the available web based data expand to include all operational information, there’s certainly a benefit to legitimate investors and analysts as they delve into the intricacies of the firm.  The technology to support this vision is upon us but, I would argue, there needs to be a critical review of the query systems that provide the interface between investors and the underlying corporate data; one such critical issue is the display of query results.  The type of powerful query systems envisioned by the SEC, have access to most, if not all, of the firm’s data.  Rather than simply responding to requests, such systems must be able to balance the requests for information with the need to protect sensitive corporate information.   For example, if the system responds to multiple queries about sales grouped by states or regions (or other types of grouping), if enough queries are asked of the system, the value of sales for a particular store or even for a particular customer can be determined.

The ability to time XBRL queries may also lead to inadvertent disclosure.  For example, if an unauthorized person knows that a corporate employee is about to be made manager of a division, then requesting wage information for  the division before and after the appointment can disclose the target’s salary.  Even responding inappropriately can provide unintended information; a response of  “that information cannot be provided” to a query asking whether a certain project is confidential  will have the unintended consequence of providing the requested information.

Fraud examiners need to be aware of the concept of inference channels when discussing problems related to inadvertent XBRL disclosure with our clients.    An inference channel is an identified set of information that would allow someone to infer a piece of knowledge.  The assumption is that a user knows the piece of knowledge once that part of the channel is traversed.  Users are assigned a set of virtual tokens that are assigned to that user as each piece of information is acquired from the system.  The tokens for the inference channel are used before the user is allowed to acquire the final piece of information in the channel.  Knowledge protection is performed by identifying the individual pieces of information that make up a channel or path to the protected or sensitive knowledge set and assigning tokens to those pieces.  The tokens essentially make up the charges to traverse the channel and protection is achieved by keeping the number of tokens below the number necessary to get to the final information the firm wishes to safeguard; i.e., if you’ve asked for this and this and then this, you can’t get access to this.

The bottom line is that, if enough uncontrolled queries are allowed, the user can eventually discover all the underlying data.  This becomes an even greater problem with the XBRL-GL model, in which even the underlying transactions are tagged in a machine readable form and are available for disclosure.  What every corporate XBRL SEC filer needs as part of its fraud risk assessment is a clear set of criteria that will provide a precise definition of the nature of the interface between its web based financial reporting system and the user.   Management has to approve whatever standards for the control of queries that its IT and assurance units (internal audit, external audit, fraud examiners, etc.) come up with. These standards have to specify precisely what level of system response to query chains is acceptable and what levels are not so that instances of inadvertent disclosure can be prevented.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the Topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early Registration)! For details see our Prior Post entitled, “Save the Date”!

Comments are closed.