Good summary of firms’ view on XBRL auditing

So, I was contemplating a piece on the Assurance aspects of the SEC’s interactive data proposals, now that there are a number of statements on the subject from the audit firms. But it turns out that Jim Hamilton has written a great analysis of the comment letters from the audit firms’ positions on audit and XBRL. So I don’t have to. Recommended reading. Some background from my perspective, here.

Review the Future

It’s been a while – the XBRL world is hectic at present, to say the least. This post first appeared a week ago on the Hitachi Blog, run by Bob Schneider and Wilson So (a must read if you are not already subscribed). I’m concerned about the assurance framework for XBRL at the moment, and that’s what this post is all about. You can read more about the topic in a downloadable whitepaper, titled Assurance Considerations for Interactive Data.

Fresh back from the latest international XBRL conference in Vancouver, I think the writing is on the wall. The SEC’s Voluntary Filing Program (VFP), the sandbox that lets registrants furnish their quarterly and annual financial statements in XBRL format in a low risk, low pressure environment to the EDGAR system, is going to close down. Why? Because it is going to be replaced, with mandatory XBRL filings for large corporations toward the end of 2008 or early 2009. All other registrants will follow before long.  The immediate message that all SEC registrants should take away is that now is the right time to participate in the VFP: while it’s still available, still low risk, still low pressure.

Mandatory XBRL filings will undoubtedly involve (no doubt with a short transition) explicit or implied assertions about the accuracy and utility of the financial information contained in them. 

That’s why it is important that financial executives, regulators, and auditors alike work together to determine how XBRL documents can be independently reviewed.

The SEC’s efforts are creating a domino effect, with securities regulators around the world either monitoring what is happening or implementing their own programs. Increasingly, policymakers are seeing this development as a question of national competitiveness. For an admirable analysis of this phenomenon, read the keynote speech made to the conference by Peter Wallison, who serves on the Pozen Committee of the SEC.

Japan’s Financial Services Agency is moving to mandatory XBRL-based disclosures, including the equivalent of earnings releases (made through the Tokyo Stock Exchange) for all listed companies as early as April 2008. One-quarter of Japanese companies are participating in a pilot program – that’s fully 1,000 listed companies.

Contrast this with the few dozen companies, or less than 1% of EDGAR filers, that have participated in the SEC’s VFP program so far. Perhaps the VFP will become substantially more popular at the point that it is crystal clear mandatory filing is on the way, but at present it looks as though the US market is letting slip a great opportunity to get comfortable with this technology. Let me repeat: It’s not too late! Sign up now.

It won’t be very long before it is those documents – the bar-coded financial disclosures – that will be the primary materials consumed by financial market systems to help analysts and investors make decisions about the best way to invest. This is vastly more sophisticated than today’s processes that rely on slow and inaccurate re-keying of a subset of the financial information published by companies.

Is the American market ready? Well, the framework is not far away. Thanks to a Herculean effort by XBRL-US, the new US GAAP taxonomies have just been completed in draft. Public review of these taxonomies is well under way. The software situation is beginning to shake out. The education process for CFOs and IROs has a long way to go, but it is accelerating quickly.

However, there is one area that still really seems to need a kick along: audit and assurance.

While there are a number of committees working on this issue within the audit profession, and the regulators are examining the issues actively, this is an area that needs rapid attention from preparers as well as the broader audit profession. Not just in the US (in fact, all the action is currently stateside) but internationally as well.

First, there needs to be acceptance of something fundamental: XBRL disclosure will require (a small amount of) additional review, above and beyond today’s audit. Suggesting that this step is unnecessary would be a serious disservice to the investing public as well as the professional financial markets. Publishing information in XBRL is more complicated than transforming an existing report into PDF or HTML. It isn’t like today’s EDGARising of existing reports into a specific layout. It involves management making decisions about which "tags" they need to use for which concepts. It is like having a supermarket of goods without bar codes that need to be labelled correctly.

You need to put the bar code for Heinz tomato soup on the Heinz tomato soup can, not the (similar-looking) Heinz potato soup can. Just as in the grocery store, once you’ve selected your bar codes the first time around, the process becomes much easier next time. And, as you’ve guessed, if you can get the manufacturer (in this case, the consolidation or ERP system) to put the bar codes on at source, everything becomes easier again. Whichever way the bar codes are applied, the information that has been marked up this way gains hugely important utility and gives rise to a wide range of efficiencies. Investors are going to rely on these tagging decisions, so they need to be reviewed by someone independent.

To be clear, this isn’t a huge area. There have been a few suggestions from frankly rather badly informed pundits that XBRL assurance will amount to another Sarbanes-Oxley. That is probably a bit mischievous.

What’s really involved? Auditors (and investors) are concerned with identifying areas of risk that might introduce material misstatements into financial statements as a whole. XBRL introduces a small number of new types of risk. First, there is a pretty wide range of basically technical issues that need to be tested. Examples include determining whether the correct date and the correct currency have been associated with concepts being disclosed. Most of these tests can be automated, in part or in full.

While management no doubt can run through these kinds of tests, it would be best if an independent expert also conducted these reviews.

More substantively, there are a number of areas that require professional judgement from an independent expert. These relate to decisions about the manner in which financial statements are marked up, or tagged. Since XBRL encourages companies to create extension taxonomies (i.e., customized definitions about financial concepts being disclosed by particular companies), this is not quite the same as choosing between bar codes of tomato and potato soup. But the analogy is not a bad one. Specific areas that require professional judgment include:

  • Determining whether a company has chosen the correct tag to mark up a specific disclosure.
  • Determining whether a company has correctly decided to extend a taxonomy with a custom definition.
  • Deciding whether a company has associated the right values with its chosen tags.

(As mentioned in the introduction, a lot more detail, some examples, and some tentative recommendations can be found in the white paper I’ve prepared on this topic.)

So what needs to be done? The business community needs to accept that a small incremental piece of audit work is part of interactive data. It is likely to involve some small additional costs at the outset which should be more than offset by a range of savings in the short term.

The "assurance supply chain" community (i.e., the audit profession, its regulators, and its clients) need to identify the tests that should be applied to draft XBRL versions of financial statements. Work needs to be done with securities regulators as well as software vendors to make sure that anything that can be fully automated is automated. And the audit profession and its regulators need to agree on an audit or assurance standard that will govern this kind of work. Most important, auditors then need to be educated in the new procedures. If this education process is not in full swing by the summer of 2008, the "assurance supply chain" might have failed the investors and analysts that it serves.