Report Package Hash Generator
For the identification of a Report Package based on the requirements published by ESMA or the Dutch SBR Program, the Royal Netherlands Institute of Chartered Accountants (NBA) has developed a tool. This tool can be used by the organization responsible for drawing up the Report Package and the audit firm in charge of auditing the Report Package. If the Report Package does not change, the tool will always calculate the same hash. This hash can be used in communication to identify the Report Package and to determine that the content of the Report Package was not changed.
Introduction
In a permission letter for the client, it must be clearly stated what the audited object is, and it must be ensured that this object has not been modified. In a paper-based environment, this is achieved by authenticating each individual page of the audit object and by explicitly linking the auditor’s opinion to the audited object. The purpose of this approach is to allow the original audit object to be identified in case of doubt.
In this context, the audit object is a Report Package. Based on a prescribed structure, it consists of multiple files, including the issuer’s Inline XBRL document and the issuer’s taxonomy. Because a Report Package is digital, authenticating the audit object using traditional paper-based methods is no longer possible.
Digital files are authenticated by means of hash values. A hash is the result of a mathematical operation performed on a file, producing a unique string of characters. When the same operation is applied to the same file, the resulting hash remains identical. Any change to the file will produce a different hash. By including the hash value in the auditor’s opinion, the audit object can be authenticated, and it can be verified whether the audit object has been modified.
Special requirements
When a Report Package is filed with the Dutch Chamber of Commerce (KvK), a separate Inline XBRL document may be included in the package. This Inline XBRL document contains mandatory elements as specified in Annex II, point 3 of the RTS for the SBR domain Business Register. One of these mandatory elements is the date of adoption of the financial statements.
Since this date is only determined once the auditor has issued the audit opinion, it is essential that this separate Inline XBRL document is excluded from the hash calculation of the Report Package. To enable this exclusion, the file must be clearly identifiable.
The Reporting Manual (G3-6-3_4) therefore prescribes that this file must comply with the following naming convention: kvk-{date}-{lang}.html.
Changes up to version 1.2026.1.0
To support stand-alone XHTML documents, used by issuers that only prepare non-consolidated financial statements, the Report Package Hash Generator has been extended with functionality to create hashes for stand-alone documents.
The current version also complies with the new requirements of the Report Package 1.0 specification concerning the use of specific file extensions (*.xbr and *.xbri). In addition, support has been added for processing extremely large XHTML files.
As stated above, files following the naming convention kvk-{date}-{lang}.html are excluded from the hash calculation.
Downloads
Open source
The source code of the Reporting Package Hash Generator is published by the Royal Netherlands Institute of Chartered Accountants under the GNU General Public License (GPL).
The currently available source code, written in VB.NET, can be obtained from GitHub. A C# version of the source code will be published in the near future. We also encourage software developers the recreate the tool in other program languages.