
XBRL SWEDEN

Sweden

XBRL Authenticity of Electronic Records

DISCUSSION PAPER: Suggested Recommendation 2004-06-14

EDITORS
Fredrik Hertz, Ernst & Young, fredrik.hertz@se.ey.com
Lucas Cardholm, Ernst & Young, lucas.cardholm@se.ey.com

CONTRIBUTORS
Michael Asplund, Deloitte & Touche, michael.asplund@deloitte.se
Per Thorling, PricewaterhouseCoopers, per.thorling@se.pwc.com
Mats Andersson, Ernst & Young, mats.andersson@se.ey.com
Helena Örtholm, Ernst & Young, helena.ortholm@se.ey.com
Magnus Torén, Ernst & Young, magnus.toren@se.ey.com

STATUS OF THIS DOCUMENT This document is a DISCUSSION PAPER for a SUGGESTED RECOMMENDATION. Readers are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.



1 PRINCIPLES & SCOPE FOR THE RECOMMENDATION
2 ELECTRONIC RECORDS
3 AUTHENTICITY OF ELECTRONIC RECORDS
   3.1 THE SIGNATURE POLICY
   3.2 PERSONAL LIABILITY (ELECTRONIC RECORD SIGNED BY NATURAL PERSON)
   3.3 HIGH LIABILITY (ELECTRONIC RECORD SIGNED BY LEGAL PERSON)
   3.4 LOW LIABILITY (ELECTRONIC RECORD SIGNED BY LEGAL PERSON)
   3.5 NO LIABILITY (AUTHENTICATED ELECTRONIC RECORD)
4 PURPOSE OF SIGNATURE
   4.1 IDENTIFICATION
   4.2 AUTHENTICITY
   4.3 LEGAL EFFECT
   4.4 DECLARATION OF COMMITMENT
   4.5 WARNING
5 CONFORMANCE REQUIREMENTS
   5.1 GENERAL REQUIREMENTS
   5.2 REQUIREMENTS FOR THE SIGNATURELIABILITY ELEMENT
   5.3 REQUIREMENTS FOR THE COMMITMENTTYPEINDICATION ELEMENT
   5.4 REQUIREMENTS FOR THE WARNING FUNCTION
   5.5 ELECTRONIC SIGNATURE FORM
6 APPENDIX A: MATRIX – AUTHENTICATED ELECTRONIC RECORDS
7 APPENDIX B: SPECIFICATION OF ELECTRONIC RECORDS
   7.1 SWEDEN
8 APPENDIX C: REGIONAL AND NATIONAL GENERAL ASPECTS
   8.1 LEGAL EFFECT OF ELECTRONIC SIGNATURES IN THE EUROPEAN UNION
   8.2 SECURE STORAGE OF ELECTRONIC RECORDS
9 REFERENCES AND RECOMMENDED READING
   9.1 REFERENCES
   9.2 RECOMMENDED READING

1 Principles & Scope for the Recommendation

The present document has been written by the non-profit organisation XBRL Sweden [4], taking into consideration legal requirements on security and best practices within information security. The document is primarily aimed at the Swedish jurisdiction but is applicable to a European audience. XBRL is an XML-based, royalty-free and open standard being developed by XBRL International Inc., which is a not-for-profit consortium of around 200 companies and agencies [5].

This document builds on the standards for Electronic Signatures defined in:

• ETSI TS 101 903: "XML Advanced Electronic Signatures (XAdES)" [1]
• IETF W3C: "XML-Signature Syntax and Processing" [2]

The present document, being built on the framework defined in [1], makes use of the terms defined there. Some of the definitions in [1] are repeated in the document for the sake of completeness.

The present document:

• Specifies requirements and recommendations for a Signature Policy¹ and a format for electronic signatures that, by using this recommendation, can be used for giving electronic financial documents (electronic records) in XBRL legal validity.
• Defines a set of conformance requirements to claim endorsement to the present document.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in the present document are to be interpreted as described in IETF RFC 2119 [3].

¹ As defined in [1]

2 Electronic Records

“Electronic Record” means a record created, generated, sent, communicated, received, or stored by electronic means. This document presents a recommendation on how to achieve authenticity of electronic records that are further defined in chapter 7.

3 Authenticity of Electronic Records

The authenticity of an electronic record may be secured through different means and with different levels of assurance, from the highest level, where a natural person takes liability for the contents and origin of a record by signing the contents, to the lowest level, where a record is technically protected against alterations during communications but has no intended legal effect.

This area often causes confusion due to the many different definitions of the two terms “electronic signatures” and “digital signatures”. Varying definitions can be found in both legislation and technical standards, and in some circles (notably in the media) the terms are used synonymously.

Generally an “electronic signature” is the electronic means that confirms the originator of an electronic record. The term is generally used with a meaning including all legally recognizable signatures under the currently prevalent, broad definitions of signature. Electronic signatures thus include digital signatures as defined by this recommendation.

A “digital signature” is a digital guarantee that the data has not been altered, as if it were carried in an electronically sealed envelope, and where the “signature” is an encrypted digest (one-way hash function) of the text message, executable or other file. The recipient decrypts the digest that was sent and also recomputes the digest from the received file. If the digests match, the file is proved intact and tamper free, as sent by the sender.

The signature secures any information introduced by the signature function, but only what is "seen" (that which is represented to the user via visual, auditory or other media) should be signed. If signing is intended to convey the judgment or consent of a user (an automated mechanism or person), then it is normally necessary to secure as exactly as practical the information that was presented to that user. Note that this can be accomplished by literally signing what was presented, such as the screen images shown to a user. However, this may result in data which is difficult for subsequent software to manipulate. Instead, one can sign the data along with whatever filters, style sheets, client profile or other information that affects its presentation.

Just as a user should only sign what he or she “sees”, persons and automated mechanisms that trust the validity of a signed record on the basis of a valid signature should operate over the data that was transformed (including canonicalization) and signed, not the original pre-transformed data. For instance, if an XML document includes an embedded style sheet, it is the transformed document that should be represented to the user and signed. To meet this recommendation where a document references an external style sheet, the content of that external resource should also be signed via a Signature Reference², otherwise the content of that external resource might change, which alters the resulting document without invalidating the signature.
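Added example (not part of the original paper): a Python check for the recommendation above that an external style sheet be covered by a Signature Reference. It recomputes the digest of the style sheet as the relying party retrieved it and compares it with the signed DigestValue. The sample document, the file name report.xsl and all function names are constructed for illustration, and verification of ds:SignatureValue over ds:SignedInfo is assumed to happen separately.

```python
import base64
import hashlib
import re
from xml.dom import minidom

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Digest algorithm URIs accepted by this check.
DIGESTS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    SHA256: hashlib.sha256,
}


def stylesheet_hrefs(doc):
    """hrefs of the xml-stylesheet processing instructions of the document."""
    hrefs = []
    for node in doc.childNodes:
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "xml-stylesheet"):
            match = re.search(r'href\s*=\s*["\']([^"\']+)["\']', node.data)
            if match:
                hrefs.append(match.group(1))
    return hrefs


def signed_references(doc):
    """Map each Reference URI under ds:SignedInfo to (algorithm, digest)."""
    refs = {}
    for info in doc.getElementsByTagNameNS(DS_NS, "SignedInfo"):
        for ref in info.getElementsByTagNameNS(DS_NS, "Reference"):
            method = ref.getElementsByTagNameNS(DS_NS, "DigestMethod")[0]
            value = ref.getElementsByTagNameNS(DS_NS, "DigestValue")[0]
            digest = "".join(value.firstChild.data.split())
            refs[ref.getAttribute("URI")] = (method.getAttribute("Algorithm"), digest)
    return refs


def check_presentation_coverage(xml_text, resources):
    """Return (href, problem) pairs; an empty list means every external
    style sheet is signed and matches its signed digest.

    resources maps href -> bytes as retrieved by the relying party. No
    ds:Transforms are assumed on these references, so the raw octets are
    digested.
    """
    doc = minidom.parseString(xml_text)
    refs = signed_references(doc)
    findings = []
    for href in stylesheet_hrefs(doc):
        if href not in refs:
            findings.append((href, "not covered by a ds:Reference"))
            continue
        algorithm, expected = refs[href]
        if algorithm not in DIGESTS:
            findings.append((href, "unsupported digest algorithm"))
        elif href not in resources:
            findings.append((href, "resource not available"))
        else:
            actual = DIGESTS[algorithm](resources[href]).digest()
            if base64.b64encode(actual).decode() != expected:
                findings.append((href, "digest mismatch"))
    return findings


def build_sample(stylesheet, sign_stylesheet):
    """Constructed sample: a minimal record that references report.xsl.
    The digest of the URI="" reference is a placeholder and is not checked."""
    digest = base64.b64encode(hashlib.sha256(stylesheet).digest()).decode()
    reference = (
        '<ds:Reference URI="report.xsl">'
        f'<ds:DigestMethod Algorithm="{SHA256}"/>'
        f"<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>"
    ) if sign_stylesheet else ""
    return (
        '<?xml-stylesheet type="text/xsl" href="report.xsl"?>'
        f'<report xmlns:ds="{DS_NS}"><fact>1000</fact>'
        "<ds:Signature><ds:SignedInfo>"
        f'<ds:Reference URI=""><ds:DigestMethod Algorithm="{SHA256}"/>'
        "<ds:DigestValue>AA==</ds:DigestValue></ds:Reference>"
        f"{reference}</ds:SignedInfo>"
        "<ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature></report>"
    )


if __name__ == "__main__":
    sheet = b"<xsl:stylesheet/>"
    print(check_presentation_coverage(build_sample(sheet, False), {"report.xsl": sheet}))
```
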

3.1 The Signature Policy

The Signature Policy³ is a set of rules for the creation and validation of an electronic signature, under which the signature can be determined to be valid. A given legal or contractual context MAY recognize a particular signature policy as meeting its requirements.

The signature policy MUST be available in human readable form so that it can be assessed to meet the requirements of the legal and contractual context in which it is being applied. To facilitate the automatic processing of an electronic signature, the parts of the signature policy which specify the electronic rules for the creation and validation of the electronic signature MUST be in a computer processable form.

If no signature policy is identified, the signature SHOULD be assumed to have been generated or verified without any policy constraints, and hence SHOULD NOT be given any legal or contractual effect through the context of a signature policy.

² As defined in [2]
³ As defined in [1]

3.2 Personal Liability (Electronic Record signed by Natural Person)

A “Personal Liability” signature, with the property that the identity of the signer is as claimed, is intended to be used in order to obtain a legally binding electronic signature for a natural person, including non-repudiation with regard to being the originator of an electronic record and its contents, without prior contractual relationship with a relying party.

In order for the natural person to take legal responsibility for electronic records secured through the use of such a signature, the security requirements stated in this document SHOULD be fulfilled, together with legal, good practice and other security measures not stated in this document.

3.3 High Liability (Electronic Record signed by Legal Person)

A “High Liability” signature, with the property that the identity of the signer is as claimed, is intended to be used in order to obtain a legally binding electronic signature for a legal person, including non-repudiation with regard to being the originator of an electronic record and its contents, with or without prior contractual relationship with a relying party.

In order for the legal person to take legal responsibility for electronic records secured through the use of such a signature, the security requirements stated in this document SHOULD be fulfilled, together with legal, contractual, good practice and other security measures not stated in this document.

3.4 Low Liability (Electronic Record signed by Legal Person)

A “Low Liability” signature, with the property that tampering with both the data and the checksum of the record, so as to introduce changes while seemingly preserving integrity, is still detected, is intended to be used in order to obtain an electronic record that is not denied legal effect, with or without prior contractual relationship with a relying party.


The “Low Liability” signatures are not intended to be legally binding electronic signatures per se, but could be, if supported by contractual means.

In order for the legal person to take legal responsibility for electronic records secured through the use of such a signature, the security requirements stated in this document SHOULD be fulfilled, together with legal, contractual, good practice and other security measures not stated in this document.

3.5 No Liability (Authenticated Electronic Record)

A “No Liability” signature, with the property of showing that data has not been changed, destroyed, or lost in an unauthorised or accidental manner, is intended to be used in order to authenticate an electronic record, but not to give any legal effect, with or without prior contractual relationship with a relying party.

When issuing electronic records authenticated by Non-Liability signatures, the organisation SHOULD disclaim all express or implied conditions, representations and warranties, including any implied warranty of merchantability, satisfactory quality, fitness for a particular purpose or non-infringement, except to the extent that such disclaimers are held to be legally invalid. The organisation SHOULD further, to the maximum extent permissible by applicable law, accept no liability for any direct, punitive, special, incidental and consequential damages arising out of or relating to the use of Non-Liability signatures (including loss of business, revenue, profits, use, data or other economic advantage) however it arises, whether for breach or in tort.

4 Purpose of Signature

When examining the purpose of handwritten signatures on business records there are several reasons for their use. These have been examined by legal experts several times before, in many countries⁴. To summarise, the typical purposes of a signature may be to:

1. identify the signer
2. assure authenticity of the record
3. give legal effect
4. give a declaration of commitment of the signer
5. act as a warning

These five functions are not easily separated, and may be presented in different ways. In this recommendation we use the structure above, as it is a familiar model that has been deployed for several years, and explain how these SHOULD be handled when deployed in XBRL.

⁴ See [6], [7], [8] and [9] for sample references. Many others exist.

4.1 Identification

When a signature is uniquely bound to a signer, the signer may be identified through the verification of the signature applied to a record. Whether a signature is uniquely linked to a signer or not depends on how the certificate or other means of identification is issued and handled. This function is thus reliant upon factors outside the electronic record.

                                           External Dependencies
Case                                       Expected Identification
Liability Level set to Personal Liability  MUST be uniquely linked
Liability Level set to High Liability      MUST be uniquely linked
Liability Level set to Low Liability       SHOULD be uniquely linked
Liability Level set to No Liability        MAY be uniquely linked

4.2 Authenticity

The function of assuring the authenticity of a record is divided into two main aspects. The first, record authentication, is to assure that the contents have not been changed since the signature was applied to them. The second, signer authentication, is to achieve non-repudiation for the signer with regard to being the originator of an electronic record. The level of authenticity of an electronic record is decided by such factors as the technical implementation of the signature and how the certificate or other means of identification is managed.

                                           External Dependencies: Expected Authenticity
Case                                       Record               Signer
Liability Level set to Personal Liability  Yes                  Yes
Liability Level set to High Liability      Yes                  Yes
Liability Level set to Low Liability       Yes                  By contract
Liability Level set to No Liability        Data integrity only  No

4.3 Legal effect

For an electronic signature to have legal effect it must meet three requirements. Firstly, the signature MUST be applied by a legal or natural person with a legal capacity. Secondly, it MUST meet the formal requirements on presenting evidence in the jurisdiction where it is to have legal effect. Thirdly, it MUST meet the material requirements on the value as evidence to be able to achieve the effect.

As an example, in Sweden these requirements are stipulated in the Code of Judicial Procedure (Rättegångsbalken). The principles of free acceptance of evidence (fri bevisprövning) and free value of evidence (fri bevisvärdering) apply as described in the Code:

“After evaluating everything that has occurred in accordance with the dictates of its conscience, the court shall determine what has been proved in the case. As to the effect of certain kinds of evidence, the specific provisions thereon shall govern.” (Chapter 35, Section 1)

This means, in short, that any record MAY be presented and valued as evidence in a Swedish court. The presenting party SHOULD however strive to use such solutions that meet the need of not being denied legal effect, as the court is not forced to accept all records as evidence.

                                           External Dependencies
Case                                       Expected Legal Effect
Liability Level set to Personal Liability  Yes
Liability Level set to High Liability      Yes
Liability Level set to Low Liability       Not Denied
Liability Level set to No Liability        No Liability

4.4 Declaration of Commitment

When a natural or legal person with a legal capacity applies a signature to an electronic record, the expectation that the signer takes responsibility for the record and its contents is implied. However, this expectation may not always match the commitment of the signer. An example is when a person attests a photocopy of an original paper record by signing the copy. The intention of the signer is purely to show that the copy is identical to the original, not to take responsibility for its actual contents or for the authenticity of the original record being copied.

To minimise the risk of misinterpretations with regard to the intended purpose of a signature, an electronic record being authenticated by an electronic signature SHOULD have a commitment statement applied to it as specified in chapter 5.3. The declaration of commitment MUST be applied as specified in the table below⁵.

                                           Electronic Record
Case                                       Declaration of Commitment
Liability Level set to Personal Liability  SHOULD
Liability Level set to High Liability      SHOULD
Liability Level set to Low Liability       MAY
Liability Level set to No Liability        SHOULD

⁵ The use of Declaration of Commitment is specified in chapter 5.3 in this document.

4.5 Warning

In some cases the signature acts as a warning to the signer. The idea is to have the person appreciate the importance of the record by enforcing the use of a signature to make it valid. In today’s society the relevance of giving warning to the signer is not as prevalent as it used to be. This is due to us using our signatures in our everyday lives more than ever before, thus lessening the sense of warning when signing a record.

The warning function MUST require the signer to actively confirm the Liability Level or the Declaration of Commitment when signing the record. The warning function MUST be handled by the computer application as specified in the table below.

                                           Application: Warning Presented
Case                                       No DC present  DC present
Liability Level set to Personal Liability  MUST           MUST
Liability Level set to High Liability      SHOULD         MUST
Liability Level set to Low Liability       MAY            SHOULD
Liability Level set to No Liability        SHOULD NOT     SHOULD NOT

DC = Declaration of Commitment

5 Conformance Requirements

The present document defines conformance requirements for the generation of electronic signatures in an Electronic Record as defined in chapter 7.

5.1 General requirements

A system supporting electronic signatures according to the present document MUST, at a minimum, conform to the following:

• Support generation of an XML electronic signature built on IETF RFC 3275: "XML-Signature Syntax and Processing" [2] by addition of the properties as specified in chapters 5.2 and 5.3 of this document.

Implementors MUST give special consideration to the Security Considerations part of the XML-Signature Syntax and Processing. Section 8.1, Transforms, is of particular interest.

A system supporting electronic signatures with a Liability Level of Personal or High (see chapter 3) according to the present document MUST, at a minimum, also conform to the following:

• Signatures MUST be built on “Explicit policy based Electronic Signature (XAdES-EPES)” as defined in ETSI TS 101 903 [1].

5.2 Requirements for the SignatureLiability element

The signature MUST include an element (SignatureLiability⁶) that identifies the intended liability level as described in chapter 3. The element MUST have the following properties:

• There MUST always be only one value from {Personal, High, Low, No} indicated for SignatureLiability.

The SignatureLiability element SHOULD be implemented as specified in chapter 5.4.

5.3 Requirements for the CommitmentTypeIndication element

The signature SHOULD include an element (CommitmentTypeIndication⁷) that identifies a commitment statement as described in chapter 4.4. The CommitmentTypeIndication MUST specify a commitment statement in the form of a CommitmentTypeId⁸ for each signature. The precise semantics and meaning for each specific electronic record are described in chapter 7. An electronic signature aligned with the present document MAY contain more than one CommitmentTypeIndication element.

5.4 Requirements for the Warning Function

The warning function SHOULD be handled by the computer application used for authenticating the electronic records. Formal requirements on when to use the warning function are specified in chapters 6 and 7. The following apply when the warning function is used:

• If a commitment statement as specified in chapter 5.3 is present, this MUST be shown to the signer.
• If no commitment statement is present, the Liability Level as specified in chapter 5.2 MUST be shown to the signer.
• The signer MUST actively confirm a presented warning before a signature can be created.

⁶ As defined in this chapter
⁷ As defined in [1]
⁸ As defined in [1]

5.5 Electronic Signature Form

Forms marked in the original figure: XMLDSIG, XAdES-EPES, XBRL.

<ds:Signature ID?>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod/>
    <ds:SignatureMethod/>
    (<ds:Reference URI?>
      (<ds:Transforms>)?
      <ds:DigestMethod>
      <ds:DigestValue>
    </ds:Reference>)+
  </ds:SignedInfo>
  <ds:SignatureValue>
  (<ds:KeyInfo>)?
  <ds:Object>
    <QualifyingProperties>
      <SignedProperties>
        <SignedSignatureProperties>
          (SigningTime)?
          (SigningCertificate)?
          (SignatureLiability)
          (SignaturePolicyIdentifier)
          (SignatureProductionPlace)?
          (SignerRole)?
        </SignedSignatureProperties>
        <SignedDataObjectProperties>
          (DataObjectFormat)*
          (CommitmentTypeIndication)*
          (AllDataObjectsTimeStamp)*
          (IndividualDataObjectsTimeStamp)*
        </SignedDataObjectProperties>
      </SignedProperties>
      <UnsignedProperties>
        <UnsignedSignatureProperties>
          (CounterSignature)*
        </UnsignedSignatureProperties>
      </UnsignedProperties>
    </QualifyingProperties>
  </ds:Object>
</ds:Signature>
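Added example (not part of the original paper): a Python checker that applies the requirements of chapters 5.1 to 5.4 and the warning table of chapter 4.5 to a signature laid out as in the form above. The paper does not fix a namespace for SignatureLiability, so elements are matched by local name; XAdES-EPES is taken to mean that a signed SignaturePolicyIdentifier is present, and the sample signature, its urn:example identifier and the function names are constructed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
LEVELS = ("Personal", "High", "Low", "No")
# Warning table of chapter 4.5: level -> (no DC present, DC present).
WARNING = {
    "Personal": ("MUST", "MUST"),
    "High": ("SHOULD", "MUST"),
    "Low": ("MAY", "SHOULD"),
    "No": ("SHOULD NOT", "SHOULD NOT"),
}


def named(element, name):
    """Element and descendants whose local name (namespace ignored) is name."""
    if element is None:
        return []
    return [e for e in element.iter() if e.tag.rsplit("}", 1)[-1] == name]


def check_signature(signature_xml):
    """Apply chapters 5.1-5.4 to one ds:Signature.

    Only properties under SignedProperties are considered, so a liability
    level placed in UnsignedProperties does not count.
    """
    root = ET.fromstring(signature_xml)
    signed = next(iter(named(root, "SignedProperties")), None)
    errors = []

    # 5.2: exactly one SignatureLiability, carrying one of the four values.
    values = [(e.text or "").strip() for e in named(signed, "SignatureLiability")]
    level = values[0] if len(values) == 1 and values[0] in LEVELS else None
    if level is None:
        errors.append(f"5.2: need exactly one SignatureLiability from {LEVELS}, found {values}")

    # 5.1: Personal and High MUST be XAdES-EPES (assumption: shown by a
    # signed SignaturePolicyIdentifier).
    if level in ("Personal", "High") and not named(signed, "SignaturePolicyIdentifier"):
        errors.append(f"5.1: {level} Liability requires XAdES-EPES (no SignaturePolicyIdentifier)")

    # 5.3: every CommitmentTypeIndication MUST carry a CommitmentTypeId.
    commitments = named(signed, "CommitmentTypeIndication")
    if any(not named(c, "CommitmentTypeId") for c in commitments):
        errors.append("5.3: CommitmentTypeIndication without CommitmentTypeId")

    # 4.5 and 5.4: how strongly a warning is required and what it must show.
    has_dc = bool(commitments)
    return {
        "level": level,
        "errors": errors,
        "warning": WARNING[level][1 if has_dc else 0] if level else None,
        "show": "commitment statement" if has_dc else "liability level",
    }


def sample(levels, policy=True, commitment=True, commitment_id=True, unsigned_level=None):
    """Constructed signature skeleton in the element order of chapter 5.5."""
    liability = "".join(f"<SignatureLiability>{v}</SignatureLiability>" for v in levels)
    policy_xml = "<SignaturePolicyIdentifier/>" if policy else ""
    cid = "<CommitmentTypeId><Identifier>urn:example:approval</Identifier></CommitmentTypeId>"
    dc = f"<CommitmentTypeIndication>{cid if commitment_id else ''}</CommitmentTypeIndication>"
    stray = f"<SignatureLiability>{unsigned_level}</SignatureLiability>" if unsigned_level else ""
    return (
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/><ds:SignatureValue/>'
        "<ds:Object><QualifyingProperties><SignedProperties>"
        f"<SignedSignatureProperties>{liability}{policy_xml}</SignedSignatureProperties>"
        f"<SignedDataObjectProperties>{dc if commitment else ''}</SignedDataObjectProperties>"
        f"</SignedProperties><UnsignedProperties>{stray}</UnsignedProperties>"
        "</QualifyingProperties></ds:Object></ds:Signature>"
    )


if __name__ == "__main__":
    print(check_signature(sample(["High"], policy=False, commitment=False)))
```
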

6 Appendix A: Matrix – Authenticated Electronic Records

The matrix below summarises the relationships between different sources and liability levels with their corresponding purposes as described in this recommendation.

                    Electronic Record  Application             External Dependencies
                    Declaration of     Warning⁹                Unique          Authenticity                      Legal
Level               Commitment         No DC       DC          Identification  Record               Signer       Effect
Personal Liability  SHOULD             MUST        MUST        MUST            Yes                  Yes          Yes
High Liability      SHOULD             SHOULD      MUST        MUST            Yes                  Yes          Yes
Low Liability       MAY                MAY         SHOULD      SHOULD          Yes                  By contract  Not Denied
No Liability        SHOULD             SHOULD NOT  SHOULD NOT  MAY             Data integrity only  No           No Liability

⁹ “No DC” denotes No Declaration of Commitment present in signature, while “DC” denotes Declaration of Commitment present in signature.


7 Appendix B: Specification of Electronic Records

THIS CHAPTER IS INTENDED AS AN EXAMPLE OF HOW THE SUGGESTED RECOMMENDATION COULD BE USED TO HANDLE SEVERAL JURISDICTIONS. THE TEXT CONTAINED HEREIN IS ONLY VALID FOR SWEDEN, UNLESS OTHERWISE STATED.

This appendix specifies requirements and recommendations for different electronic records as stipulated by the different national jurisdictions of XBRL.

7.1 Sweden

The regulations regarding financial data are handled by the Swedish Accounting Act (Bokföringslagen 1999:1078) and the Swedish Companies Act (Aktiebolagslagen). According to the Accounting Act, Accounting Records (räkenskapsinformation) are widely described as any information (documents, legal agreements etc.) needed in order to illustrate the financial state of the operation. Specific regulations regarding the Annual Report are also handled by the Annual Accounts Act (Årsredovisningslagen).

7.1.1 Swedish Annual Report

The Annual Report¹⁰ (Årsredovisningen) must be in Swedish. It must be available in human readable form. The Annual Report consists of balance sheet, profit and loss account, notes, administration report and cash flow statement (for certain companies), which are all described in the Annual Accounts Act (ÅRL); further guidelines are also given in notes from the Swedish Accounting Standards Board (BFN). For other accounting information, language is not stipulated.

7.1.2 Requirements for the Swedish XBRL Annual Report

The following is REQUIRED for the Swedish XBRL annual report:

1. Contains the information specified by XBRL Sweden taxonomy [11]
2. Personally signed by all members of the board
3. Personally signed by the managing director or equivalent
4. Signed auditor’s endorsement of the report¹¹
5. Signed Proof of Adoption Resolution from shareholder general meeting¹²
6. Archived by the company

The table below shows what type of signatures that SHOULD be applied to the Annual Report.

What to be signed                                           Level     Commitment  Warning  Signer
Entire Annual Report                                        Personal  *           X        All members of the board
Entire Annual Report                                        Personal  *           X        Managing director
Auditors endorsement within Annual Report                   Personal  X           X        Appointed auditor
Entire Annual Report                                        No        X                    Appointed auditor
Auditors endorsement within Annual Report                   High      X           X        Appointed auditing firm
Entire Annual Report                                        No        X                    Appointed auditing firm
Proof of Adoption Resolution attached to the Annual Report  Personal  X           X        Member of the Board
Entire Annual Report                                        No        X                    Member of the Board

* According to good practice, no explicit declaration of commitment is stated, and a written declaration of commitment is not required by the Swedish Annual Accounts Act (Årsredovisningslagen). Therefore the CommitmentTypeIndication has been excluded. When there is no declaration of commitment applied but a warning is required, the warning function MUST present the Liability Level of the signature.

¹⁰ As defined in the Swedish Annual Accounts Act (Årsredovisningslagen)
¹¹ Must include a reference to the official Audit Report according to the Swedish Companies Act (Aktiebolagslagen 1998:760). Please note that the auditor’s signature may be of Personal Liability (for a natural person, i.e. the appointed auditor) or of High Liability (for a legal person, i.e. the appointed auditing firm).
¹² Requirement by the Swedish Patent and Registration Office (PRV, Patent & Registreringsverket) with regard to the traditional paper based copy sent to PRV for official filing. Regarding electronic records, only original content can be considered, thus the Proof of Adoption Resolution is set directly to the XBRL annual account.

7.1.3 Swedish Audit Report

The Audit Report¹³ (Revisionsberättelsen) must state the corporate identity number, the corporate name and the financial period to which the audit applies. The audit report states, among other things, the auditor’s opinion regarding the adoption of the balance sheet as well as the profit and loss statement. Furthermore, there shall be a statement from the auditor regarding the discharge from liability of the members of the board and the executive director.

7.1.4 Requirements for the Swedish XBRL Audit Report

The following is REQUIRED for the Swedish XBRL audit report:

1. Contains the information specified by XBRL Sweden taxonomy
2. Signed by the appointed auditor¹⁴
3. Archived by the audited company

The table below shows what type of signatures that MUST be applied to the Audit Report.

What to be signed    Level     Commitment  Warning  Signer
Entire Audit report  Personal  X           X        Appointed auditor
Entire Audit report  High      X           X        Appointed auditing firm

¹³ As defined in the Swedish Companies Act (Aktiebolagslagen 27-32 §§)
¹⁴ Please note that the auditor’s signature may be of Personal Liability (for a natural person, i.e. the appointed auditor) or of High Liability (for a legal person, i.e. the appointed auditing firm).

DISCUSSION PAPER: Suggested Recommendation 2004-06-14

17 (26)

XBRL Authenticity of Electronic Records )


XBRL SWEDEN

8

Sweden

Appendix C: Regional and national General Aspects THIS CHAPTER IS INTENDED AS AN EXAMPLE OF HOW THE SUGGESTED RECOMMENDATION COULD BE USED TO HANDLE SEVERAL JURISDICTIONS. THE TEXT CONTAINED HERE IN IS ONLY VALID FOR SWEDEN, UNLESS OTHERWISE STATED.

8.1 Legal effect of Electronic signatures in the European Union

When it comes to the legal effect of electronic signatures, Directive 1999/93/EC [10] states that the Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:

• in electronic form, or
• not based upon a qualified certificate, or
• not based upon a qualified certificate issued by an accredited certification-service-provider, or
• not created by a secure signature-creation device.

For the purpose of the Directive an advanced electronic signature means an electronic signature which meets the following requirements:

1. it is uniquely linked to the signatory;
2. it is capable of identifying the signatory;
3. it is created using means that the signatory can maintain under his sole control; and
4. it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Member States shall also ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:

1. satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and
2. are admissible as evidence in legal proceedings.

Any laws, regulations and administrative provisions necessary to comply with this directive should have been brought into force before 19 July 2001. The Directive is therefore applicable in all the Member States today.

8.1.1 Legal effect of Electronic signatures in Sweden

In accordance with [10] Sweden has enacted “Lag (2000:832) om kvalificerade elektroniska signaturer”. When it comes to signatures, the Act uses the following definitions:

“Advanced electronic signature: an electronic signature that
a) is linked exclusively to one signatory,
b) makes it possible to identify the signatory,
c) is created using means that only the signatory controls, and
d) is linked to other electronic data in such a way that any distortion of that data can be detected.
Qualified electronic signature: an advanced electronic signature that is based on a qualified certificate and that is created by a secure signature-creation device”.

When it comes to the validity of an electronic signature the Act states that “if a law or other statute requires a handwritten signature or its equivalent, and if it is permitted to satisfy that requirement by electronic means, a qualified electronic signature shall be deemed to satisfy the requirement.”

8.2 Secure storage of electronic records

International efforts have been made in order to harmonize regulations and good practice regarding secure handling of financial data and electronic records, both as legislative initiatives and as market self-regulatory programs, of which some are mentioned below.

There are several international initiatives on defining good practice with regards to corporate governance and financial reporting. In the U.S. the “Generally Accepted Accounting Principles” (U.S. GAAP) is the ruling code of practice for financial reporting, especially with regards to listed companies, while many other countries follow their editions of GAAP or other standards, i.e. “International Financial Reporting Standards” (IFRS, formerly known as “International Accounting Standards” – IAS). The global auditing firms also have their internal codes of conduct to see that the different national audit requirements can be met through their professional auditing services.

8.2.1 Swedish legal restraints

Electronic storage of financial data is regulated in the Swedish Accounting Act (Bokföringslagen 1999:1078). According to the Accounting Act, Accounting Records (räkenskapsinformation) are widely described as any information (documents, legal agreements etc.) needed in order to illustrate the financial state of the operation. The objective of this chapter is to give a basic understanding about the legal constraints on accounting methods in Sweden.

Location of Accounting Function

According to the Swedish Accounting Act the principal rule is that documents, microprints and machine-readable media used to store accounting information SHALL be kept in Sweden. Also, where electronic data processing is used, equipment and systems needed to print out the accounting information in readable form, or as microprints, SHALL be located within Sweden during the whole preservation time.

Despite this, companies MAY store machine-readable media and also keep equipment and systems available in another country within the European Union if the following conditions are met:

1. The place, and every change of place, must be notified to the Tax authorities (Skatteverket) or the Financial Supervisory Board (Finansinspektionen).
2. The company, on request from the Tax authorities or the Customs Department (Tullverket), allows immediate electronic availability to the accounting information for control purposes during the preservation time; and
3. The company by immediate print out can present the information in Sweden in normal readable form or as microprints.

These conditions are also valid for other countries with which Sweden has an agreement about administrative legal cooperation as defined in certain directives. The specified countries are Iceland, Poland and Norway.

If the above conditions are not met and if there are special reasons, the Tax authorities, or the Financial Supervisory Board, MAY, despite the principal rule, allow that a company keeps machine-readable media as well as equipment and systems abroad. The permission MAY be combined with conditions and MAY be limited by time.

It is allowed to temporarily store a document containing a voucher abroad if there are certain reasons and it is compatible with good accounting practice. When accounting for the period (normally one month) is finished and reconciled the document must be returned.

There is one restriction in the Law about Personal particulars, i.e. it is only permitted to move information about persons to countries that have agreed to the Council of Europe’s convention about protection for persons when EDP-treatment of personal data prevails.

Keeping of Records

The following specific books and records are REQUIRED by statutes to be maintained in respect of any local company (accounting information):

• all supporting vouchers to the accounting records;
• daily journals and books of original entry;
• general ledger;
• sub ledgers where applicable;
• supporting schedules to summary entries;
• description of the accounting system;

• systems documentation, including chart of accounts, description of transaction trail and of accounting procedures used;
• treatment history, i.e. documentation needed to afterwards get information about accounting procedures used for single postings;
• master file data (customer details, exchange rates, etc.) if part of the transaction trail;
• annual statutory financial statements including accounting and valuation principles and notes;
• specifications to balance sheet lines in the annual statutory financial statements;
• interim report, which SHALL for certain companies be filed with a Government Agency (Patent- och Registreringsverket);
• list of physical inventory;
• pledged assets and contingent liabilities;
• essential contracts and correspondence;
• minutes from board meetings and shareholder meetings; and
• all other information needed to illustrate the company’s economic situation.

Documents, microprints and machine-readable media used to store accounting information SHALL, according to the principal rule, be kept in Sweden. However, it is allowed to temporarily store a document containing a voucher abroad if there are certain reasons and it is compatible with good accounting practice. One reason is if the document is needed for accounting abroad. Another reason is if the original document is needed abroad as evidence, e.g. to reclaim repayment of taxes. In the latter case a copy of the document must be kept in Sweden.

Originals of accounting documents must be kept. Accounting information SHALL be stored in:

a) normal readable form (document),
b) microprint which can be read with the help of an enlarger, or
c) other form which can be read, monitored or by other means conceived only by technical facilities (machine-readable media) and which by immediate print out can be presented in the form described in points a) and b).

Documents, microprints and machine-readable media with accounting information received by the company from an external party SHALL be saved in the state they had when they arrived at the company. Likewise, when the corresponding material is produced by the company, it SHALL be saved in the state it had when the accounting information was collected/produced.

Documents, microprints and machine-readable media used to maintain accounting information electronically SHALL be durable and easily within reach. They SHALL be preserved ten years after expiration of the calendar year when the accounting year expired. They SHALL be kept in Sweden, in order and in a way that ensures safety and is also well arranged (note exceptions according to 1.1). Machine equipment and systems needed to present the accounting information in normal readable form (document) or in microprint form SHALL be available in Sweden during the preservation time.

A company MAY destroy a machine-readable medium used to save accounting information if the accounting information, in a way that ensures safety, is transferred to document, microprint or other machine-readable media. If the accounting information consists of information which the company has received from an external party, the machine-readable medium is only allowed to be destroyed from the fourth year after the expiration of the calendar year when the accounting year expired.

Format of Records

Transactions must be booked so they can be presented in posting and systematic order and in a way that the completeness of transactions can be checked. Filing SHOULD be in proper order, allowing material to be easily located. For every business transaction there SHALL be a voucher.

According to the Accounting Act all vouchers must have the following information:

• date when created;
• date of business transaction;
• description of business transaction;
• amount;
• opposite party;
• and, where applicable, upon which documents the business transaction is based and where the originals of these documents are located.

Vouchers must be marked in a permanent form with a voucher number or other identification and with such other necessary information in order that the relationship between the voucher and the entry in the accounting records can be determined without difficulty.

According to generally accepted accounting principles the books of original entry must have the following information:

• accounting date;
• voucher number;
• coding; and
• amount per code.

The business transactions SHALL be presented in one reporting currency, Swedish crowns. For limited companies, among others, the reporting currency can instead be Euro. It is only allowed to change reporting currency at the start of an accounting year.

9 References and Recommended Reading

9.1 References

[1] ETSI TS 101 903: "XML Advanced Electronic Signatures (XAdES)"
[2] IETF RFC 3275: "XML-Signature Syntax and Processing"
[3] IETF RFC 2119: "Key words for use in RFCs to Indicate Requirement Levels"
[4] www.XBRL.se
[5] www.XBRL.org
[6] www.abanet.org
[7] IRI 1987:7
[8] SOU 1992:110
[9] UNCITRAL Model Law on Electronic Commerce (1996) with additional article 5 bis as adopted in 1998 and Guide to Enactment
[10] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
[11] XBRL Sweden taxonomy

9.2 Recommended Reading

• DS 1998:14
• ITU-T Recommendation X.509: "Information technology - Open Systems Interconnection - The Directory: Authentication framework"
• SOU 1996:40
• SOU 2002:78
• www.terms.ks.se
• www.w3c.org
