| Daniel
Roberts is the former Chairman, XBRL-US Steering Committee, and member
of the AICPA and XBRL International working groups on assurance over
XBRL, and former National Director of Assurance Innovation for a
Global-6 Accounting Firm.
Background
About
two years ago, the CFO of a large firm told me that his company would
not participate in the SEC’s XBRL Voluntary Filing Program (VFP) until
he had assurance regarding the XBRL that his firm would provide to the
SEC. He knew that the SEC did not require assurance, and that the XBRL
would be “furnished not filed.” Nonetheless, he would not publicy
participate until he knew that his financial reports in XBRL would not
contain any errors.
He did this by having his staff perform their
own assurance engagement based on the guidance provided by the PCOAB in
2005. When I asked him why, he said “It’s not the SEC that requires the
assurance; I require the assurance”.
Earlier this year, the SEC
released a Proposed Rule recommending a timetable for the adoption of
XBRL for reporting by SEC registrants. Notably missing from the
recommendations is the requirement for reports provided in this new
format to be audited or reviewed as is required for current SEC
filings.
Participants in the SEC's existing VFP are not required
to have any assurance provided over their VFP filings. At the
Interactive Data Roundtable on March 19, 2007, Chairman Cox said that
to require assurance over these filings would be "crib death" for the
voluntary program, and potentially for their XBRL initiative (see page
59 of the transcript).
Still smarting from their terrible
underestimate of the costs that Sarbanes-Oxley (SOX) would impose on
businesses, the SEC has taken every opportunity to emphasize the low
cost of XBRL implementation. The shock of SOX assurance costs, and the
fact that such costs for XBRL are such an unknown, have probably been
the major reasons for the SEC to avoid the subject of assurance over
XBRL.
At the same time, primarily from a lack of a deep
understanding of XBRL by their professional standards groups and what
I’ll call “standards overload,” the accounting industry also has not
developed guidance on how to provide assurance over XBRL.
This
lack of clarity has resulted in a lack of guidance for industry as a
whole, and it is leading some people to state that assurance over XBRL
filings will not be required, that auditing firms will not want to
provide that assurance, or that filing companies will be unwilling to
request or pay for such assurance.
For regulators and investors,
the XBRL "version" of the financial statements will most likely become
the primary version, or at least the version that investors will rely
on. As a result, a failure to provide an audit opinion on the version
of the financial statements that are used as primary statements by the
investor community would certainly undermine the very assumption that
there is a need for an audit in the first place.
Auditor Conservatism
Auditors
by nature are a conservative, cautious bunch. Not only are they
trained to be, but their standards specifically state that they are
required to be. When companies fail, shareholders, clients, and
creditors frequently go looking for the deepest pockets…and that
includes the auditors. All firms carry significant reserves for
potential legal costs, knowing that any claim, even if not supported by
a court, can still result in millions of dollars in costs to the firm.
And
-- of course -- there is the still-fresh memory of the collapse of
Andersen, one of their peers. All the major firms are now homes to
large numbers of former Andersen partners and staff; to these
individuals, caution and risk are both real, and have had a painful
impact on them.
The best way to minimize the risk of a lawsuit is to
ensure that the auditor has traced all financial statement figures all
the way back to source transactions. Needless to say this is not
possible, and therefore the concept of "materiality" comes into play.
All "material" financial statement figures will be confirmed to a level
of granularity where the auditor can have some confidence that the
figures are accurate.
When considering the work to be performed
by the auditor, there is a natural desire, from the perspective of
minimizing their risk, to expand the scope of audit work to cover as
much potential risk as possible.
XBRL as a New Risk
New
technology brings new risks. If there is anything that is certain, it
is that the introduction of XBRL, a new reporting technology that today
is fairly poorly understood by either the auditor or the filer, will be
viewed as an area of significant potential additional risk. Auditing
standards professionals in the accounting and auditing firms will
understand the risk (or at least understand the uncertainty associated
with new technologies applied to financial reporting.)
When
XBRL becomes mandatory, the auditor that says "okay, we'll only audit
the HTML version of the financial statements" will be taking on a huge
level of risk. As a result, we should expect the professional
practices and risk management functions within the auditing firms will
insist on auditing the XBRL as well, or they will refuse to provide an
opinion on the rest of the financial statements in any other format.
Consider
the alternative, and picture a future courtroom. On the stand is the
audit partner who signed off on the opinion. "Can you please tell the
court why you chose not to audit the information that your own
literature has been saying for years will be the information that will
actually be used by the investor to make investment decisions?" I
doubt that is a question that any audit partner will want to have to
answer.
It stands to reason we should expect auditors will take
the most cautious approach when presented with the question of whether
to audit the XBRL or not to audit the XBRL.
Role of the Audit
What
is the role and purpose of the audit? Simply put, to provide an
independent opinion on the financial statements as provided by a
company. Note that this includes both publicly-held and privately-held
companies, as audits are performed on the financial statements of
privately-held companies to be provided to their financial institutions.
The
audit provides comfort to the regulator and investor that the financial
statements, when taken as a whole (an important concept that we'll come
back to), provide a fair and accurate representation on the state of
the business. Various regulators require audits of companies’ financial
statements, and banking institutions require audited financial
statements from their nonpublic clients.
To the reporting
company, the audit itself is overhead of the purest type. It is a cost
of doing business that cannot be avoided, and with Sarbanes-Oxley, it
can no longer be offset by financial benefits identified by the auditor
while performing related or even unrelated engagements. This naturally
creates conflict between the company purchasing audit services (and
what they are willing to pay) and the extent of work that the auditor
feels compelled to perform in order to provide the audit opinion.
The
client wants to keep audit fees to an absolute minimum; however, they
also want to ensure that adequate work was performed to enable them to
sign their SOX declarations with confidence. Let’s go to the
courtroom. The discomfited CFO is in the witness box: "Can you please
explain to the court why you thought it would be acceptable to only
have assurance on the printable version of the accounts, but not on the
version that is actually used by investors? What were you trying to
hide?"
With this picture firmly in mind, while they will not want to
see any increases in their audit fee, it is pretty clear that CFOs will
either agree to inclusion of the XBRL in the audit scope or they will
ask for the XBRL submissions to be included in the scope of the audit.
Clients and auditors will decide that there is too much risk in
providing unaudited XBRL to the SEC, regardless of the SEC's currently
not requiring such an audit.
The SEC's Game
The
SEC does not want to state categorically that XBRL data is subject to a
requirement for assurance. They have gone so far to as to recommend
that the XBRL that is required to be provided by companies will
actually be treated as "furnished," as is currently the case with the
Voluntary Filing Program (VFP).
The SEC's Proposed Rule on
interactive data (XBRL), page 63, states "We expect that each filer
would be in the best position to determine the appropriate manner in
which to assure the accuracy of the interactive data it would be
required to submit and the viewable interactive data that would result.
We also expect that software providers and other private sector third
parties would help develop procedures and tools to help in that regard.
As an adjunct to those private sector efforts, we plan to make
available to filers, on an optional basis, the opportunity to help
assure accuracy by making a test submission with the Commission or
using software we provide to create viewable interactive data."
Basically,
the SEC is saying that it is up to the filer to determine the level of
assurance that they require, thus being able to say to the markets that
XBRL does not require assurance; therefore, the unknown expenses
associated with an audit are not the responsibility of the SEC to
estimate.
What Assurance Might Look Like
I
don’t represent any accounting or auditing firm, but I did spend four
years as an active member of the AICPA and XBRL International working
groups on assurance and XBRL. Contributing to these discussions and the
outputs of these two groups leads me to the following thoughts.
Auditors
will include the XBRL instance documents that will be provided to the
SEC as part of their audit scope. They will, for the first year or
two, struggle with the concept of materiality. What is material in the
XBRL world? The mistagging of a piece of information might be material
if it influences the analysis of reported information.
Companies
should expect the auditor to begin by including the processes that
exist to create the XBRL version of the financial statements (and
footnotes) as part of the SOX 404 internal controls review. This
should be an insignificant addition to the overall audit.
With
regard to the stability of the XBRL mapping, there is an assumption
today that -- once a company has created a template for tagging their
financial statements (having mapped all financial statement line- items
to their respective XBRL elements) -- there should be few changes to
the tagging in future periods. However, a company may choose to change
their tagging; as such, a change of tagging between periods, while it
may be perfectly accurate XBRL, may raise auditor flags, and therefore
become "material."
So, should the auditor look at every
financial statement element and confirm the choice of XBRL taxonomy
element? Well, if every line item on a financial statement was checked
to source, this would impose a significant burden on the auditor and
company. Would any change to the default XBRL element labels to
reflect the actual labels or line item titles used by the filer
constitute a material change worthy of review? Will all changes to the
presentation order or calculations be considered “material”?
There
will be many different answers, and we should expect to see auditors
determining how they will perform their sampling of which elements they
will review in detail. As a rule of thumb, companies should expect that
all company-specific extension elements will be treated as material,
and the requirement for the extension will need to be documented by the
company. Discussions within the various XBRL assurance working groups
seemed to arrive at a consensus that where a company creates an
extension element instead of using an existing taxonomy element that
represents the same accounting principle, such extension elements would
"cause a problem for the auditor" and may impact the auditor’s
willingness to provide a clean opinion.
Auditing of XBRL will
happen, and companies should take the opportunity presented by the
lead-in time before XBRL is mandatory to ensure that their assurance
provider is as ready as they will need to be.
So what should
companies do? First, they should ask their auditors early in the
process to explain exactly how they will be including XBRL in their
audit, and the expected impact that this will have on overall audit
cost and activity. Then, they should ensure that the auditor is able
to clearly provide them with a list of all information that will be
required to make the audit of the XBRL as smooth as possible. The only
caveat is that the auditor cannot participate in any of the XBRL
creation or tagging choices made by the company.
Auditing of
XBRL will happen, and companies should take the opportunity presented
by the lead-in time before XBRL is mandatory to ensure that their
assurance provider is as ready as they will need to be.
| |