Approximately 9,000 U.S. companies have submitted more than 50,000 filings in Extensible Business Reporting Language (XBRL) since the beginning of a three-year rollout that was completed in June 2012. All U.S. publicly listed companies now must make XBRL filings at the same time as traditional filings to the U.S. Securities and Exchange Commission (SEC). Although the SEC expects these filings to be consistent, that is not always the case for many companies. This is hardly surprising given the steep learning curve for filers, the size and complexity of the "digital dictionary" they have to work with, and the fact that the full rollout of XBRL only recently has been completed.
XBRL filing is management's responsibility and not the responsibility of the company's filing agent or external consultant; the SEC views the XBRL filing as subject to disclosure controls and procedures. Yet often companies rely on these third parties not only to prepare the filings but also to check and review them, thereby abdicating their responsibility, but not their accountability. Mistakes made in the XBRL formatting process can result in noncompliance (i.e., XBRL submission rejected from the EDGAR database of U.S. company reports), or more commonly, can result in inaccurate information in the XBRL document and data that is inconsistent with the company's traditional HTML filing.
Developing an XBRL-formatted financial statement requires knowledge of the financial statements, accounting, and XBRL. This is where the internal auditor can provide vital assistance in determining whether the company has a sound financial reporting process and established controls in place over the XBRL financial reporting process. Specifically, auditors can help assess whether the company is following steps needed to ensure the accuracy of its XBRL filings, including having an independent internal review process in place, adequately trained personnel to review the XBRL data, and appropriate tools to facilitate the review process.
Before beginning their work, internal auditors need to understand the SEC's requirements for XBRL filings. The SEC will accept only valid XBRL filings that comply with the XBRL global specification, a technical specification that is maintained by XBRL International, a consortium of companies, governments, and individuals dedicated to XBRL adoption. Also, the XBRL documents submitted to the SEC must comply with the EDGAR Filing Manual (EFM), which lists rules to which companies need to conform. The intent of the EFM is to constrain the XBRL document so that the information can be analyzed consistently by users of the data. The EFM applies to all filings made in XBRL, be it a 10-K, 10-Q, risk return prospectus for a mutual fund, or reporting payments for resource extraction.
Lastly, the filing should be consistent with the HTML filing, which is the traditional public company submission to the EDGAR system that continues to be required along with the XBRL filing. This is where it is imperative that the company has adequate controls over the translation process. Without these procedures in place to implement the principles and criteria, many problems can occur as part of the tagging process (see "Common XBRL Filing Problems" above). These include:
Positive values are entered as negative amounts and vice versa.
Values are entered inappropriately into XBRL tables.
Values that should match in the financial statement and notes are not the same.
Inappropriate tags are used to tag financial line items.
Items are entered with an incorrect scale (e.g., the company's public float of US $500 million is entered as US $5,000 or alternatively, assets of US $5 million are entered as US $5 billion).
Companies create new tag extensions for tags that already exist in the list of tags (U.S. Generally Accepted Accounting Principles (GAAP) taxonomy) published by the Financial Accounting Standards Board or the SEC-published concepts covering document entity information and country and state listings.
Companies neglect to report calculation relationships representing totals among financial line items reported.
Required disclosures are absent from the XBRL filing.
Values in the XBRL filing are not updated from filing to filing. This is particularly prevalent when reporting the financial year-end.
Values are transposed from the original HTML filing.
When reviewing the organization's financial reporting processes and controls, internal auditors should ensure that XBRL reporting is included within the scope of the review. XBRL typically has been
viewed as the realm of the IT auditor. Although XBRL preparation and consumption relies heavily on IT processes, there are some manual review steps that must be performed. In addition to having a good understanding of financial reporting disclosure controls and procedures, members of the audit team should understand how XBRL works, so they can identify control deficiencies in the organization's XBRL preparation process quickly and effectively. To prepare for this work, auditors can consult two publications from the American Institute of Certified Public Accountants' (AICPA's) XBRL Assurance Task Force: Performing Agreed-upon Procedures Engagements That Address the Completeness, Accuracy, or Consistency of XBRL-tagged Data (SOP 09-1) and the recently released Principles and Criteria for XBRL-formatted Information, which details the procedures and broad categories of review that should be covered as part of preparing an XBRL filing. Taking the following steps will give internal auditors the information they need to evaluate the risks posed by the XBRL process within their organization and advise the company about the steps needed to mitigate those risks.
Review the Process
The internal auditor needs to review the process by which XBRL filings are prepared. Principles and Criteria for XBRL-formatted Information gives preparers, reviewers, practitioners, and users of XBRL-formatted information a basis to evaluate those files. The document details four principles that can be used to evaluate the quality of XBRL-formatted information:
Completeness of XBRL files.
Mapping of source information.
Consistency of XBRL files with the source information.
Structure of XBRL files.
These principles should be applied in accordance with the requirements of the organization's reporting environment. Questions the internal auditor should pose to the external reporting staff include: Is the company's XBRL filing consistent with the data reporting in the traditional HTML filing? Does it cover all financial statement captions included in the traditional filing, not including management discussion and analysis? Will the data produced be consistent with other companies' XBRL filings within the same industry? Is the XBRL document structurally and technically sound such that it will be accepted by EDGAR and be useable by XBRL software? Will the data produced be accurate and convey what was intended by the external reporting team?
Internal auditors should assess the financial reporting staff's XBRL knowledge and experience. To assess whether the staff has the appropriate level of experience, the internal auditor should ask: Has the staff had the appropriate training? Have staff members attended sufficient training courses that focus on the U.S. GAAP Taxonomy and the underlying XBRL process, rather than how to use their organization's XBRL creation software? Do they have continuing professional education hours in XBRL creation, or have they obtained a certificate demonstrating their XBRL knowledge? The AICPA in conjunction with XBRL US, the nonprofit consortium for XBRL reporting in the United States, is developing the XBRL US GAAP Certificate program to address the varied XBRL experience across reporting organizations. The certification is expected to launch in mid-2013.
Review XBRL Tools
Due to the size and complexity of XBRL filings, the organization needs to have automated tools in place to confirm that the filing is XBRL valid, complies with the EFM, and is consistent with the U.S. GAAP Taxonomy. Internal auditors should confirm with their external reporting team that these tools are in place. Most software used for XBRL preparation incorporates XBRL specification validation and EFM validation. There are several automated steps that also should be deployed to determine whether the filing is consistent with the U.S. GAAP Taxonomy and the HTML filing. At a minimum, the filer should render the document using the SEC rendering engine, a previewer tool on the SEC's website that enables users to test how an XBRL filing will appear on the site when it is submitted through EDGAR. Once a company completes its interactive data submission via EDGAR, the results of the rendering engine will be presented with the official filing on the SEC's website.
In addition to comparing the filing for completeness, the filer should check its filings automatically against peers and previous filings. Internal auditors should confrm that the external reporting team has the appropriate tools in place to perform this assessment. XBRL US provides automated tools to facilitate this process; the organization's Consistency Checks tool has more than 13,000 rules that check for consistency in the filings and identify problems.
Review Taxonomy Updates
Internal auditors need to determine whether the organization is using an approved XBRL taxonomy, which is a list of tags that the filer must use when filing with the SEC. These tags are updated and published every year. This means that a filer needs to update the taxonomy it uses at least once every two years. While the FASB publishes new taxonomy releases every year, the SEC currently allows filers to continue using the previous taxonomy release for a specified time. Effectively, this means that two releases of the taxonomy are always available to filers. New taxonomy releases represent a control risk to the organization as new tags become available and existing tags are removed. Auditors need to ensure the company has adequate controls in place to update the filing to the new taxonomy, as well as check that elements removed from the taxonomy are replaced in the company filing and that new concepts are evaluated to determine whether extension elements should be replaced.
Increasingly Global Risks
XBRL reporting is quickly expanding globally as a standardized method for reporting to regulators and investors. In Australia for example, companies are required to report to all regulatory agencies in XBRL; this approach, called Standard Business Reporting, is designed to reduce the regulatory burden on companies of reporting multiple times to multiple agencies. In the United States, XBRL is required for filings submitted to the Federal Deposit Insurance Corp., in addition to the SEC.
As with the SEC, the transfer of company information to regulatory bodies throughout the world is expected to be complete, accurate, and reliable. Inaccurate reporting of XBRL-formatted information represents a risk to the organization that is likely to increase over time. Internal audit departments should be aware of these risks and develop audit procedures to determine whether existing controls are appropriate, clearly managed, function as designed, and are communicated throughout their organization.