Professional Documents
Culture Documents
Why Do Countries Adopt International Financial Reporting Standards?
Why Do Countries Adopt International Financial Reporting Standards?
Why Do Countries Adopt International Financial Reporting Standards?
A27
[MBA International]
International Financial Reporting Standards
Many of the standards forming part of IFRS are known by the older name of
International Accounting Standards (IAS). IAS were issued between 1973 and 2001
by the Board of the International Accounting Standards Committee (IASC). On 1 April
2001, the new IASB took over from the IASC the responsibility for setting International
Accounting Standards. During its first meeting the new Board adopted existing IAS and
SICs. The IASB has continued to develop standards calling the new standards IFRS.
Role of Framework
Deloitte states:
A financial statement should reflect true and fair view of the business affairs of the
organization. As these statements are used by various constituents of the society /
regulators, they need to reflect true view of the financial position of the organization.
Underlying assumptions
• 1. Accrual basis: the effect of transactions and other events are recognized when
they occur, not as cash is gained or paid.
• 2. Going concern: an entity will continue for the foreseeable future.
• 3. Stable measuring unit assumption: financial capital maintenance in nominal
monetary units or traditional Historical cost accounting; i.e., accountants consider
changes in the purchasing power of the functional currency up to but excluding
26% per annum for three years in a row (which would be 100% cumulative
inflation over three years or hyperinflation as defined in IFRS) as immaterial or
not sufficiently important for them to choose financial capital maintenance in
units of constant purchasing power during low inflation and deflation as
authorized in IFRS in the Framework, Par 104 (a).
• Understandability
• Reliability
• Comparability
• Relevance
• True and Fair View/Fair Presentation
Revenues and expenses are measured in nominal monetary units under the Historical
Cost Accountimg model and in units of constant purchasing power (inflation-adjusted)
under the Units of Constant Purchasing Power model.
Under the Units of Constant Purchasing Power model, all constant real value non-
monetary items are inflation-adjusted during low inflation and deflation; i.e. all items in
the Statement of Comprehensive Income, all items in shareholders´ equity, Accounts
Receivables, Accounts Payables, all non-monetary payables, all non-monetary
receivables, provisions, etc.
Requirements of IFRS
Main article: Requirements of IFRS
Comparative information is required for the prior reporting period (IAS 1.36). An entity
preparing IFRS accounts for the first time must apply IFRS in full for the current and
comparative period although there are transitional exemptions (IFRS1.7).
IFRS are used in many parts of the world, including the European Union, Hong Kong,
Australia, Malaysia, Pakistan, GCC countries, Russia, South Africa, Singapore and
Turkey. As of 27 August 2008, more than 113 countries around the world, including all
of Europe, currently require or permit IFRS reporting. Approximately 85 of those
countries require IFRS reporting for all domestic, listed companies. In addition, the US is
also gearing towards IFRS. The SEC in the US is slowly but progressively shifting from
requiring only US GAAP to accepting IFRS and will most likely accept IFRS standards
in the longterm. [8]
For a current overview see IAS PLUS's list of all countries that have adopted IFRS.
Australia
The Australian Accounting Standards Board (AASB) has issued 'Australian equivalents
to IFRS' (A-IFRS), numbering IFRS standards as AASB 1–8 and IAS standards as AASB
101–141. Australian equivalents to SIC and IFRIC Interpretations have also been issued,
along with a number of 'domestic' standards and interpretations. These pronouncements
replaced previous Australian generally accepted accounting principles with effect from
annual reporting periods beginning on or after 1 January 2005 (i.e. 30 June 2006 was the
first report prepared under IFRS-equivalent standards for June year ends). To this end,
Australia, along with Europe and a few other countries, was one of the initial adopters of
IFRS for domestic purposes (in the developed world). It must be acknowledged,
however, that IFRS and primarily IAS have been part and parcel of accounting standard
package in the developing world for many years since the relevant accounting bodies
were more open to adoption of international standards for many reasons including that of
capability.
The AASB has made certain amendments to the IASB pronouncements in making A-
IFRS, however these generally have the effect of eliminating an option under IFRS,
introducing additional disclosures or implementing requirements for not-for-profit
entities, rather than departing from IFRS for Australian entities. Accordingly, for-profit
entities that prepare financial statements in accordance with A-IFRS are able to make an
unreserved statement of compliance with IFRS.
The AASB continues to mirror changes made by the IASB as local pronouncements. In
addition, over recent years, the AASB has issued so-called 'Amending Standards' to
reverse some of the initial changes made to the IFRS text for local terminology
differences, to reinstate options and eliminate some Australian-specific disclosure. There
are some calls for Australia to simply adopt IFRS without 'Australianising' them and this
has resulted in the AASB itself looking at alternative ways of adopting IFRS in Australia
Canada
The use of IFRS will be required for Canadian publicly accountable profit-oriented
enterprises for financial periods beginning on or after 1 January 2011. This includes
public companies and other “profit-oriented enterprises that are responsible to large or
diverse groups of shareholders.”[9]
European Union
All listed EU companies have been required to use IFRS since 2005.
In order to be approved for use in the EU, standards must be endorsed by the Accounting
Regulatory Committee (ARC), which includes representatives of member state
governments and is advised by a group of accounting experts known as the European
Financial Reporting Advisory Group. As a result IFRS as applied in the EU may differ
from that used elsewhere.
Parts of the standard IAS 39: Financial Instruments: Recognition and Measurement were
not originally approved by the ARC. IAS 39 was subsequently amended, removing the
option to record financial liabilities at fair value, and the ARC approved the amended
version. The IASB is working with the EU to find an acceptable way to remove a
remaining anomaly in respect of hedge accounting. The World Bank Centre for Financial
Reporting Reform is working with countries in the ECA region to facilitate the adoption
of IFRS and IFRS for SMEs.
Hong Kong
Starting in 2005, Hong Kong Financial Reporting Standards (HKFRS) are identical to
International Financial Reporting Standards. While Hong Kong had adopted many of the
earlier IAS as Hong Kong standards, some had not been adopted, including IAS 38 and
IAS 39. And all of the December 2003 improvements and new and revised IFRS issued
in 2004 and 2005 will take effect in Hong Kong beginning in 2010.
Implementing Hong Kong Financial Reporting Standards: The challenge for 2005
(August 2005) sets out a summary of each standard and interpretation, the key changes it
makes to accounting in Hong Kong, the most significant implications of its adoption, and
related anticipated future developments. There is one Hong Kong standard and several
Hong Kong interpretations that do not have counterparts in IFRS. Also there are several
minor wording differences between HKFRS and IFRS.[10]
India
The Institute of Chartered Accountants of India (ICAI) has announced that IFRS will be
mandatory in India for financial statements for the periods beginning on or after 1 April
2011. This will be done by revising existing accounting standards to make them
compatible with IFRS.
Reserve Bank of India has stated that financial statements of banks need to be IFRS-
compliant for periods beginning on or after 1 April 2011...
The ICAI has also stated that IFRS will be applied to companies above Rs.1000 crore
from April 2011. Phase wise applicability details for different companies in India:
a. Companies whose shares or other securities are listed on a stock exchange outside
India
b. Companies, whether listed or not, having net worth of more than INR1,000 crore
• If the financial year of a company commences at a date other than 1 April, then it
shall prepare its opening balance sheet at the commencement of immediately
following financial year.
On January 22, 2010 the Ministry of Corporate Affairs issued the road map for transition
to IFRS. It is clear that India has deferred transition to IFRS by a year. In the first phase,
companies included in Nifty 50 or BSE Sensex, and companies whose securities are
listed on stock exchanges outside India and all other companies having net worth of Rs
1,000 crore will prepare and present financial statements using Indian Accounting
Standards converged with IFRS. According to the press note issued by the government,
those companies will convert their first balance sheet as at April 1, 2011, applying
accounting standards convergent with IFRS if the accounting year ends on March 31.
This implies that the transition date will be April 1, 2011. According to the earlier plan,
the transition date was fixed at April 1, 2010.
The press note does not clarify whether the full set of financial statements for the year
2011-12 will be prepared by applying accounting standards convergent with IFRS. The
deferment of the transition may make companies happy, but it will undermine India’s
position. Presumably, lack of preparedness of Indian companies has led to the decision to
defer the adoption of IFRS for a year. This is unfortunate that India, which boasts for its
IT and accounting skills, could not prepare itself for the transition to IFRS over last four
years. But that might be the ground reality. Transition in phases Companies, whether
listed or not, having net worth of more than Rs 500 crore will convert their opening
balance sheet as at April 1, 2013. Listed companies having net worth of Rs 500 crore or
less will convert their opening balance sheet as at April 1, 2014. Un-listed companies
having net worth of Rs 500 crore or less will continue to apply existing accounting
standards, which might be modified from time to time. Transition to IFRS in phases is a
smart move. The transition cost for smaller companies will be much lower because large
companies will bear the initial cost of learning and smaller companies will not be
required to reinvent the wheel. However, this will happen only if a significant number of
large companies engage Indian accounting firms to provide them support in their
transition to IFRS. If, most large companies, which will comply with Indian accounting
standards convergent with IFRS in the first phase, choose one of the international firms,
Indian accounting firms and smaller companies will not benefit from the learning in the
first phase of the transition to IFRS. It is likely that international firms will protect their
learning to retain their competitive advantage. Therefore, it is for the benefit of the
country that each company makes judicious choice of the accounting firm as its partner
without limiting its choice to international accounting firms. Public sector companies
should take the lead and the Institute of Chartered Accountants of India (ICAI) should
develop a clear strategy to diffuse the learning. Size of companies The government has
decided to measure the size of companies in terms of net worth. This is not the ideal unit
to measure the size of a company. Net worth in the balance sheet is determined by
accounting principles and methods. Therefore, it does not include the value of intangible
assets. Moreover, as most assets and liabilities are measured at historical cost, the net
worth does not reflect the current value of those assets and liabilities. Market
capitalisation is a better measure of the size of a company. But it is difficult to estimate
market capitalisation or fundamental value of unlisted companies. This might be the
reason that the government has decided to use ‘net worth’ to measure size of companies.
Some companies, which are large in terms of fundamental value or which intend to
attract foreign capital, might prefer to use Indian accounting standards convergent with
IFRS earlier than required under the road map presented by the government. The
government should provide that choice. Conclusion The government will come up with a
separate road map for banking and insurance companies by February 28, 2010. Let us
hope that transition in case of those companies will not be deferred further.
Taiwan
(2) Phase II companies: unlisted public companies, credit cooperatives and credit card
companies:
(3) Pre-disclosure about the IFRS adoption plan, and the impact of adoption
2009~2011
2013
2014
Expected Benefits
(2) Better comparability between the financial statements of local and foreign companies;
(3) No need for restatement of financial statements when local companies wish to issue
overseas securities, resulting in reduction in the cost of raising capital overseas;
(4) For local companies with investments overseas, use of a single set of accounting
standards will reduce the cost of account conversions and improve management
efficiency.
Japan
The Accounting Standards Board of Japan has agreed to resolve all inconsistencies
between the current JP-GAAP and IFRS wholly by 2011.[11]
Pakistan
All listed companies must follow all issued IAS/IFRS except the following:
IAS 39 and IAS 40: Implementation of these standards has been held in abeyance by
State Bank of Pakistan for Banks and DFIs
IFRS-1: Effective for the annual periods beginning on or after January 1, 2004. This
IFRS is being considered for adoption for all companies other than banks and DFIs.
IFRS-9: Under consideration of the relevant Committee of the Institute (ICAP). This
IFRS will be effective for the annual periods beginning on or after 1 January 2013.
Russia
The government of Russia has been implementing a program to harmonize its national
accounting standards with IFRS since 1998. Since then twenty new accounting standards
were issued by the Ministry of Finance of the Russian Federation aiming to align
accounting practices with IFRS. Despite these efforts essential differences between
national accounting standards and IFRS remain. Since 2004 all commercial banks have
been obliged to prepare financial statements in accordance with both national accounting
standards and IFRS. Full transition to IFRS is delayed and is expected to take place from
2011.
Singapore
South Africa
All companies listed on the Johannesburg Stock Exchange have been required to comply
with the requirements of International Financial Reporting Standards since 1 January
2005.
The IFRS for SMEs may be applied by 'limited interest companies', as defined in the
South African Corporate Laws Amendment Act of 2006 (that is, they are not 'widely
held'), if they do not have public accountability (that is, not listed and not a financial
institution). Alternatively, the company may choose to apply full South African
Statements of GAAP or IFRS.
South African Statements of GAAP are entirely consistent with IFRS, although there may
be a delay between issuance of an IFRS and the equivalent SA Statement of GAAP (can
affect voluntary early adoption).
Turkey
Turkish Accounting Standards Board translated IFRS into Turkish in 2006. Since 2006
Turkish companies listed in Istanbul Stock Exchange are required to prepare IFRS
reports.
We investigate why there is
heterogeneity in countries’ decisions to adopt IFRS; in other words, why some countries
adopt
IFRS while others do not. Understanding countries’ adoption decisions can provide
insights into
the benefits and costs of IFRS adoption.
We focus our analysis on a sample of 102 non-EU countries and examine IFRS adoption
over the period 2002 through 2007.2 We exclude the EU member states from our tests
because
their decision to adopt IFRS was closely tied to the establishment of the IASB itself (EC,
2000).
Moreover, the EU member states committed jointly to adopting IFRS (EC, 2002) making
an
analysis of their individual adoption decisions infeasible.
We use the economic theory of networks to develop our hypotheses: adopting a set of
standards like IFRS can be more appealing to a country if other countries have adopted it
as well
(in this sense, IFRS can be a product with “network effects”). In other words, countries
do not
adopt IFRS all at once, and the observed inter-temporal increase in IFRS adoption across
countries can be due to the growing value of the IFRS “network.” We focus our analysis
of
network effects at the regional and trade levels. Accordingly, we test whether the
likelihood of
1 Several of these countries have committed to adopting (“converging with”) IFRS at
some future date. For the
purpose of our analyses, we do not consider a country to have adopted IFRS until listed
companies in its jurisdiction
are in fact required to report under IFRS. For example, in 2004, Albania committed itself
to requiring IFRS effective
January 1, 2006; the adoption date was subsequently moved to January 1, 2008.
2 We begin our analysis in 2002 because this was the first full year of the IASB’s
existence. In Section 2, we discuss
some institutional reasons for excluding the international accounting standards that
preceded the IASB. We restrict
our sample to year 2007 because the macroeconomic data required for our analyses were
not available for years
beyond 2007 at the initiation of this study.
2
IFRS adoption for a given country in a given year increases with the number of IFRS
adopters in
its geographical region and with IFRS adoption among its trade partners.
Economic network theory predicts that in addition to network benefits (synchronization
value), a product with network effects can be adopted due to its direct benefits (autarky
value)
(Katz and Shapiro, 1985; Liebowitz and Margolis, 1994). In the case of the IFRS
adoption
decision by a country, we argue the direct benefits are represented by both the net
economic and
net political value of IFRS over local standards.
The net economic value of IFRS is intended to capture direct pecuniary benefits as they
are usually conceived in economic models of networks. Proponents of IFRS argue that
the
standards reduce information costs to an economy, particularly as capital flows and trade
become
more globalized: it is cheaper for capital market participants to become familiar with one
set of
global standards than with several local standards (Leuz, 2003; Barth, 2008).
Accordingly, we
test whether economies with high levels of or expected increases in foreign investment
and trade
are more likely to adopt IFRS.3 The benefits from adopting IFRS, however, are likely to
diminish
with the relative quality of local governance institutions, including the quality of local
GAAP
(high quality institutions present higher opportunity and switching costs to adopting
IFRS). Thus,
we also examine whether the likelihood of IFRS adoption decreases with the quality of
domestic
governance institutions.
The net political value of IFRS is the benefit arising from the potential political nature of
international accounting standard setting: if IFRS standard setting can be influenced by
political
lobbying, more powerful countries are more likely to be able to shape IFRS.4 The
prevailing
position of the EU in IFRS standard setting, however, can override this argument. If
countries
expect the EU to have a dominant role in IASB affairs (Brackney and Witmer, 2005),
they are
likely to have to cede some authority over standard setting to EU interests. Ceding
authority over
local standards is, in turn, likely to be less palatable to more powerful countries, which
leads to
the prediction that more powerful countries are less likely to embrace IFRS. In addition
to
standard-setting power, cultural sensitivities can also affect the net political value of
IFRS to a
country. If the IASB is perceived as a European institution, countries that are culturally
more
3 Adopting IFRS to lower information costs is conceptually distinct from adopting IFRS
due to its “network
benefits.” Please see Section 2 for details.
4 Powerful countries can influence IFRS by directly lobbying the IASB; alternately, their
influence can be more
indirect if the IASB implicitly caters to their interests when developing IFRS.
3
distant from Europe are likely to be less accepting of IFRS (Ding et al., 2005; Ciesielski,
2007;
and Norris, 2007). Thus, we also test whether cultural differences can explain cross-
sectional
variation in IFRS adoption.
In addition to the macro-level economic and political factors discussed earlier, it is likely
that a country’s decision to adopt IFRS is influenced by its internal politics: e.g., the
actions of
special-interest lobbyists and ideology-driven regulators. It is difficult to specify the
nature of
such within-country politics in a large sample of countries, let alone measure it with a
reasonable
degree of accuracy: only in more transparent societies like the United States is such an
exercise
possible. To the extent that the effects of internal politics on IFRS adoption are
systematically
associated to those of the macro-level determinants we study, the associations
documented in our
empirical tests can have alternate interpretations. However, we are not aware of any
theory that
predicts such a systematic association.
On network effects, the data reveal evidence of regional trends in IFRS adoption, i.e., a
country is more likely to implement IFRS if other countries in its geographical region are
IFRS
adopters. We also find evidence that a country is more likely to adopt IFRS if its trade
partners
are IFRS adopters. The result is significant for at least two reasons: (1) it suggests
countries
internalize the network effects of IFRS in their adoption decisions; and (2) it suggests that
as the
network benefits from IFRS get large, countries may adopt the international standards
even if the
direct benefits from such standards are inferior to those from locally developed standards.
On economic determinants of IFRS adoption, we find no evidence that the level of and
expected changes in foreign investment and trade affect the likelihood of adoption. Thus,
we
cannot confirm that IFRS lowers information costs in more globalized economies. We do
find,
however, evidence that the likelihood of IFRS adoption at first increases and then
decreases in
the quality of countries’ domestic governance institutions. That quality is measured using
a
factor that extracts common variation from a set of proxies measuring the process and
output of
countries’ governance systems (including, an economic democracy index and citizen
wealth).
The result on governance quality can be interpreted as consistent with both the most
poorly
governed countries being less responsive to international standards, and all other
countries
conditioning their IFRS adoption decisions on the opportunity and switching costs of
domestic
governance standards.
4
There is also evidence that political considerations affect IFRS adoption decisions. We
find that more powerful countries are less likely to adopt IFRS, consistent with more
powerful
countries being less willing to surrender standard-setting authority to the IASB. Country-
level
power is measured as the first principal component of a set of proxies for countries’
abilities to
influence international decision making (including their size and popularity within the
United
Nations). In contrast to the results on power, we do not find evidence of countries’
cultural
closeness to the EU influencing their IFRS adoption decisions, where more Christian
countries
and countries with long-settled colonial relations with EU powers are considered
culturally
closer to the region.
Academic theories yield mixed predictions on whether the adoption of IFRS is beneficial
to a country. Some scholars have argued that international harmonization in accounting
can
improve capital-market efficiency: a common set of international accounting standards
can
reduce the information processing and auditing costs to market participants (Barth, 2007;
2008).
Other academics argue that accounting standards evolve in the context of domestic
cultural,
legal, and other institutional features (including auditing): international harmonization in
accounting, if it is not accompanied by changes to related capital market institutions, can
be
costly (Ball et al., 2000; Ball et al., 2003; Ball, 2006).5 Our analysis of the cross-
sectional
variation in country-level IFRS adoption decisions suggests there is evidence consistent
with
both sets of arguments. The evidence of a higher IFRS adoption rate among countries
with
moderate governance standards is consistent with IFRS being adopted for reasons that
can be
beneficial to a country. At the same time, the evidence that the best governed and most
powerful
non-EU countries were, as of 2007, less likely to adopt IFRS, suggests that several
countries still
perceived IFRS as being costly.
The existing empirical literature on IFRS has focused largely on the determinants and
consequences of IFRS adoption at the firm level.6 The firm-level studies are conditional
on
countries’ decisions to allow or mandate IFRS, suggesting that studies of IFRS adoption
at the
country-level can complement firm-level studies. A study by Hope et al. (2006) provides
some
preliminary evidence on country-level IFRS adoptions through 2005 in a sample of 38
countries
(including 14 EU countries). Their evidence suggests countries with weaker investor
protection
5 Leuz and Wysocki (2008) provide a comprehensive survey of the literature on
accounting harmonization.
6 Examples include Armstrong et al. (2008), Barth et al. (2008), Christensen et al.
(2008), and Daske et al. (2008).
5
and more easily accessible financial markets are more likely to adopt IFRS. We expand
the
country-level analysis to a more comprehensive sample of 102 non-EU countries, and
develop
and test a number of new factors that can affect IFRS adoption, including political power,
opportunity and switching costs, and network effects. The inclusion of network effects is
particularly useful in that it augments hypotheses on cross-sectional variation in IFRS
adoption
with an explanation for the observed inter-temporal increase in IFRS adoption across
countries.
We caution against a broad interpretation of the results in this paper in the context of any
ongoing policy debate on IFRS adoption. There are two reasons for this caveat and they
are
outlined more thoroughly in the conclusion. In brief, the caveat is associated with: (1)
concerns
over “modifications” to IFRS at the country level (countries claim to have adopted IFRS,
but in
practice adopt the standards with restrictions); and (2) the likely increasing importance of
network benefits (over direct economic and political factors) in determining IFRS
adoption as
This is a summary of the interim report, that was agreed upon at the meeting of the
Planning
and Coordination Committee of the Business Accounting Council (BAC), an advisory
body to
the Commissioner of the Financial Services Agency, on June 11, 2009.
To ensure that sufficient preparations are made, which will lead to the smooth application
of IFRS, it is critical that the future prospect is shown, while it may vary depending on
the
progress made in a number of areas, including preparations in accounting practice.
Therefore, constituencies are strongly encouraged to make proactive efforts in the
following areas:
vi) XBRL
The number of IFRS data items in the taxonomy published by the IASCF is by far
smaller than that of Japanese GAAP taxonomy, and the IFRS taxonomies are not
compatible with the Japanese language or the Japanese electronic reporting system
(Electronic Disclosure for Investors' NETwork, or EDINET). Therefore, the
IFRS taxonomies should be further developed by global efforts so that the XBRL
reporting at EDINET under IFRS may be possible by the time the use of IFRS
becomes mandatory, if it is decided to do so.
-3-
Optional use of IFRS
i) Scope of companies
It is appropriate that IFRS are allowed as a basis for the consolidated financial
statements by listed companies whose financial or operational activities are
conducted internationally. In that case, such companies are required to be
sufficiently prepared for IFRS reporting. It is appropriate to decide whether to
enhance the scope to include large-scale listed companies well recognized in the
market, by carefully examining the developments in the setting of IFRS, etc.
ii) Parallel disclosure
For companies choosing the option to use IFRS, it is appropriate to also require
disclosure of Japanese GAAP financial information corresponding to the current
and previous year, in the first year of IFRS application. On an on-going basis,
however, considering the costs and benefits of parallel disclosure, it would be
appropriate to consider a simpler and more effective measure, including qualitative
and quantitative disclosure comparing significant differences between IFRS and
Japanese GAAP when applicable.
iv) Timing
It is appropriate that the use of IFRS is allowed from the fiscal year ending in
March 2010.
If it is decided to make the use of IFRS mandatory, a roadmap should be drawn with
detailed steps so that stakeholders can make preparations well in advance.
Loopholes
As compliance with the Payment Card Industry Data Security Standard (PCI DSS) has
become more complex, an increasing number of businesses rely on compensating
controls to satisfy requirements they'd otherwise have no way of meeting.
Designed to enable companies to comply with the spirit and intent of the requirements,
compensating controls have also become something of a hot-button issue as some
assessors question whether organizations are using them as a loophole when a control is
otherwise too costly to implement. Although, version 1.1
Compensating controls of PCI DSS, released in 2006, somewhat closed the
loophole when the council declared compensating
Compensating controls may
controls could not be used unless an organization
be considered when an entity
already failed one assessment.
cannot meet a requirement
explicitly as stated, due to
In practice, there are only two reasons for a company to
legitimate technical or
use a compensating control: a business or technical
documented business
constraint, or a physical impossibility to implement a
constraints but has
primary control. For example, a retailer with 5,000
sufficiently mitigated the risk
locations would have a physical problem deploying
associated with the
encryption on all its legacy point-of-sale systems,
requirement through
resulting in the use of a compensating control, says
implementation of other
James DeLuccia, a PCI expert and author of IT
controls.
Compliance and Controls.
Compensating controls must:
1) Meet the intent and rigor
But some companies need to do a better job
of the original stated PCI
understanding the intent of the primary
DSS requirement;
control before deploying something else and calling it a
2) Repel a compromise
compensating control. Often, they fail to provide good
attempt with similar force;
documentation described in the compensating controls
3) Be "above and beyond"
worksheet that identifies and supports how the
other PCI DSS requirements
cardholder data will be protected using a different
(not simply in compliance
method, DeLuccia said.
with other PCI DSS
requirements);
PCI compliance checklist
4) Be commensurate with the
Companies should begin by identifying the issues that
additional risk imposed by
may preclude compliance with the requirement,
not adhering to the PCI DSS
requirement.
"PCI requires seven-character passwords. Some people have mainframes that don't allow
passwords longer than six characters, so you automatically can't satisfy that without
replacing the mainframe," said Michael Gavin, a security strategist at Security Innovation
Inc. and a Qualified Security Assessor (QSA). "A compensating control is if you can
force all connections to go through an authentication phase before the password. That
meets the requirement."
The current process for an assessor to approve PCI compensating controls introduces
potential problems. Organizations may change auditors year after year, so a level of
uncertainty exists in the acceptance of these controls, DeLuccia said. Also, it is in the
auditor's interest to accept the compensating control, because he serves the client and has
an incentive to accept it. Finally, DeLuccia said compensating controls require more
mature control environments. This could mean additional processes and technologies to
fully address the risk.
"A common mistake is thinking that compensating controls are temporary -- not
necessarily. They may remain in place so long as they satisfy the risk appropriately,"
DeLuccia said.
Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI
Consulting Inc., agrees that PCI compensating controls should be chosen very carefully
and always be well documented. The company should understand the strength of the
primary control and what it's intended to do. Once implemented, an assessor has to
evaluate whether the compensating control meets the objective of the primary control and
whether other entry points are opened to the sensitive data, Nebel said.
Still, whether a compensating control passes muster will be up to each individual assessor
and ultimately the strength of the organization's documentation.
"They certainly need to be reviewed every year. As long as you are meeting the intent
of the requirement as stated, it's normally OK," Gavin said. "The real purpose is to allow
people to be compliant without forcing them to buy new products. If you have to be
compliant, meeting the letter could cost you a fortune and the controls are an
acknowledgement that people were doing security before and maybe what they were
doing was good enough and can be augmented."
The PCI Security Standards Council is trying to address the inconsistencies among
qualified security assessors (QSAs). It's developing a training program and an assessor
evaluation program. An assessment team appointed by the council will evaluate feedback
from merchants on assessors. Negative feedback could result in probation and revocation
process for assessors.
Experts say that as the standard evolves, the use of compensating controls will become
less clouded. Although it's not an official compensating control, Nebel points out that
network segmentation is one form of a compensating control. Segmenting shouldn't be
taken lightly, he said. Sometimes company executives believe they have segmented off
the cardholder data, but the QSA discovers entry points to the main network.
"You're narrowing down the scope of the systems you're going to look at," Nebel said.
"You're isolating the cardholder data from normal network activity either through a
VLAN or a firewall."
Nebel evaluated a service provider that claimed its cardholder environment was
segmented. But after reviewing the documentation and assessing the controls in place,
Nebel found the environment could be accessed administratively from certain
workstations.
"There's a whole set of controls for remote management that requires communications
to be encrypted and two-factor authentication," Nebel said. "They thought everything was
fine, but it wasn't."
"When an in-depth code review or alternative measures may not be feasible, some
folks may try to get creative," Rothman said.
Assessor has final say
Rothman agrees that ultimately the success or failure of implementing a compensating
control will come down to the judgment and experience of the assessor. A company that
has its credit card data protected by several layers of security and can only be accessed by
an internal person with the proper administrative controls will likely meet the encryption
requirement via a compensating control, but it will all come down to the assessor's
judgment, Rothman said.
"It's up to the experience and capabilities of the assessor to really distinguish whether
a compensating control really does solve the problem," he said. "Companies will still
want to go through the process and look at it from an attack vector standpoint and ensure
that nothing was missed."
There are no generic answers -- every company has a slightly different environment
around credit card transaction systems -- so that's why compensating controls are
unacceptable for the first assessment, Rothman said. The PCI Data Security Standard lays
that out, saying that companies should be aware that a particular compensating control
will not be effective in all environments.
"I look at everything with a skeptical eye. As a QSA, I have to look for weaknesses and
make sure things are implemented and managed properly. Is this control adequate? Does
it meet the requirement?" Gavin asked. "To me, the intent is to improve everyone's
security to a certain level. If it's cheaper, that's OK."
Conclusion
We investigate why there is heterogeneity in countries’ decisions to adopt IFRS; in other
words, why some countries adopt IFRS while others do not. We focus our analysis on a
sample
of 102 non-EU countries, excluding the EU because of it closeness to the IASB. We
examine
IFRS adoption over the period 2002 (the first full year of the IASB’s existence) through
2007.
We use the economic theory of networks to develop our hypotheses since a standard like
IFRS is likely to be more appealing to a country if other countries adopt it as well. In
other
words, network theory allows us to explain the inter-temporal increase in the adoption of
IFRS
across countries. We find evidence consistent with the likelihood of IFRS adoption for a
given
28
country increasing with the number of IFRS adopters in its geographical region and with
IFRS
adoption among its trade partners. The result is significant for at least two reasons: (1) it
suggests
countries internalize the network effects of IFRS in their adoption decisions; and (2) it
suggests
that as the network benefits from IFRS get large, countries may adopt the international
standards
even if the direct economic benefits from such standards are inferior to those from locally
developed standards.
Economic network theory predicts that in addition to network benefits (synchronization
value), a product with network effects can be adopted due to its direct benefits (autarky
value)
(Katz and Shapiro, 1985; Liebowitz and Margolis, 1996). In the case of the IFRS
adoption
decision by a country, we argue the direct benefits are represented by both the net
economic and
net political value of IFRS over local standards.
The net economic value of IFRS is intended to capture direct pecuniary benefits as they
are usually conceived in economic models of networks. Accordingly, we test whether
economies
that are more reliant on foreign investment and trade are more likely to adopt IFRS and
whether
the likelihood of IFRS adoption decreases with the quality of domestic governance
institutions (a
proxy for both opportunity and switching costs). We find no evidence that the level of
and
expected changes in foreign investment and trade affect the likelihood of adoption. Thus,
we
cannot confirm that IFRS lowers information costs in more globalized economies. We do
find
some evidence that the likelihood of IFRS adoption at first increases and then decreases
in the
quality of countries’ domestic governance standards. This result can be interpreted as
consistent
with both the most poorly governed countries being less responsive to international
standards,
and all other countries conditioning their IFRS adoption decisions on the opportunity and
switching costs of domestic governance standards.
The net political value of IFRS is the benefit arising from the potential political nature of
international accounting standard setting. If countries expect the EU to have a dominant
role in
IASB affairs (Brackney and Witmer, 2005), they are likely to have to cede some
authority over
standard setting to EU interests. Ceding authority over local standards is, in turn, likely to
be less
palatable to more powerful countries, which leads to the prediction that more powerful
countries
are less likely to embrace IFRS. There is evidence in the data consistent with this
proposition. In
addition to standard-setting power, cultural sensitivities can also affect the net political
value of
IFRS to a country. If the IASB is perceived as a European institution, countries that are
culturally
29
more distant from Europe are likely to be less accepting of IFRS (Ding et al., 2005;
Ciesielski,
2007; Norris, 2007). However, we do not find evidence of cultural differences between
adopters
and non-adopters.
Our study of IFRS adoption at the country-level can complement recent firm-level studies
on IFRS. The results of these firm-level studies are mixed. Barth et al. (2008) conclude
that
“firms applying [IFRS] from 21 countries generally evidence less earnings management,
more
timely loss recognition, and more value relevance of accounting amounts than do a
matched
sample of firms applying non-US domestic standards.” Armstrong et al. (2008) in
studying the
stock market reaction in European companies to events associated with the adoption of
IFRS in
the EU also find evidence “consistent with investors expecting net information quality
benefits
from IFRS adoption.” In contrast, Daske et al. (2008) are cautious “to attribute the
capitalmarket
effects for mandatory adopters solely or even primarily to the IFRS mandate;” while
Christensen et al. (2008) find that improvements in earnings management and timely loss
recognition behavior among IFRS adopting firms are “confined to firms with incentives
to
adopt,” suggesting that “incentives dominate [IFRS] in determining accounting quality.”
Firm-level studies of IFRS adoption are conditional on countries’ decisions to allow or
mandate IFRS, suggesting that firm-level studies examine the second stage in what is at
least a
two-stage process. Further, since firm-level studies require significant amounts of cross-
company
data, they have been limited to firms in a few (mostly developed) countries where
corporate
financial reports are available in machine-readable format. By examining IFRS adoption
across
102 different (non-EU) countries, we expand our understanding of the determinants and
consequences of IFRS adoption to a more global sample. Our evidence of a higher IFRS
adoption rate among countries with moderate governance standards is consistent with
IFRS
being adopted for reasons that can be beneficial to a country. At the same time, the
evidence that
the best governed and most powerful non-EU countries were, as of 2007, less likely to
adopt
IFRS, suggests that several countries still perceived IFRS as being costly.
We caution against any broad interpretation of the results in this paper in the context of
any ongoing policy debate on IFRS adoption. There are two reasons for this caveat. First,
the
data in the paper on country-level IFRS adoption are based largely on information
provided by
Deloitte on its IASplus.com website. While even the IASB relies on these data (IASB,
2008a, b),
our correspondence with managing partners of non-Deloitte big-4 audit firms in some
countries
30
reveal potential errors in the IASplus.com dataset. The “errors” are likely due to
disagreements
among auditors on the extent to which a country has adopted IFRS: several countries
adopt
“modified” versions of IFRS, and we suspect auditors do not agree on whether the
modifications
are substantial enough to constitute something apart from IFRS.
Second, as noted earlier, our analysis covers IFRS adoption through year 2007. As more
countries adopt the international standards, the network benefits from IFRS adoption are
likely to
increase. This, in turn, can change the relative importance of direct (autarky) benefits and
costs
in determining IFRS adoption. In other words, the determinants of IFRS adoption are
likely to be
dynamic, so the magnitude of coefficients documented in this paper are likely to vary as
the set
of adopters (or non-adopters) is expanded.
The network-theoretic framework we use to explain the adoption of IFRS across
countrytime
can be applied in the study of other accounting and corporate governance phenomena.
For
example, the adoption of accounting methods, accounting standards, and corporate
governance
best practices by firms and jurisdictions are likely to depend on similar such actions by
competitors and associates. In other words, inter-temporal variation in adoption decisions
in
panel data, commonly studied in the accounting literature, can be explained by the
“network”
value of the product being adopted. The method employed in this paper can be a first step