Written by Daniel Roberts Posted on September 24, 2008
Daniel Roberts is the former Chairman, XBRL-US Steering Committee, and member of the AICPA and XBRL International working groups on assurance over XBRL. He is the former National Director of Assurance Innovation for a Global Six accounting firm. Mr. Roberts can be reached by email.
This is the first installment of his two-part article on XBRL and the assurance function; the second half will be published next week.
About two years ago, the CFO of a large firm told me that his company would not participate in the SEC’s XBRL Voluntary Filing Program (VFP) until he had assurance regarding the XBRL that his firm would provide to the SEC. He knew that the SEC did not require assurance, and that the XBRL would be “furnished not filed.” Nonetheless, he would not publicly participate until he knew that his financial reports in XBRL would not contain any errors.
He did this by having his staff perform their own assurance engagement based on the guidance provided by the PCAOB in 2005. When I asked him why, he said “It’s not the SEC that requires the assurance; I require the assurance”.
Earlier this year, the SEC released a Proposed Rule recommending a timetable for the adoption of XBRL for reporting by SEC registrants. Notably missing from the recommendations is the requirement for reports provided in this new format to be audited or reviewed as is required for current SEC filings.
Participants in the SEC's existing VFP are not required to have any assurance provided over their VFP filings. At the Interactive Data Roundtable on March 19, 2007, Chairman Cox said that to require assurance over these filings would be "crib death" for the voluntary program, and potentially for the XBRL initiative (see page 59 of the transcript).
Still smarting from their terrible underestimate of the costs that Sarbanes-Oxley (SOX) would impose on businesses, the SEC has taken every opportunity to emphasize the low cost of XBRL implementation. The shock of SOX assurance costs, and the fact that such costs for XBRL are such an unknown, have probably been the major reasons for the SEC to avoid the subject of assurance over XBRL.
At the same time, primarily from a lack of a deep understanding of XBRL by their professional standards groups and what I’ll call “standards overload,” the accounting industry also has not developed guidance on how to provide assurance over XBRL.
This lack of clarity has resulted in a lack of guidance for industry as a whole, and it is leading some people to state that assurance over XBRL filings will not be required, that auditing firms will not want to provide that assurance, or that filing companies will be unwilling to request or pay for such assurance.
For regulators and investors, the XBRL "version" of the financial statements will most likely become the primary version, or at least the version that investors will rely on. As a result, a failure to provide an audit opinion on the version of the financial statements that are used as primary statements by the investor community would certainly undermine the very assumption that there is a need for an audit in the first place.
Auditors by nature are a conservative, cautious bunch. Not only are they trained to be, but their standards specifically state that they are required to be. When companies fail, shareholders, clients, and creditors frequently go looking for the deepest pockets…and that includes the auditors. All firms carry significant reserves for potential legal costs, knowing that any claim, even if not supported by a court, can still result in millions of dollars in costs to the firm.
And -- of course -- there is the still-fresh memory of the collapse of Andersen, one of their peers. All the major firms are now homes to large numbers of former Andersen partners and staff; to these individuals, caution and risk are both real, and have had a painful impact on them.
The best way to minimize the risk of a lawsuit is to ensure that the auditor has traced all financial statement figures all the way back to source transactions. Needless to say this is not possible, and therefore the concept of "materiality" comes into play. All "material" financial statement figures will be confirmed to a level of granularity where the auditor can have some confidence that the figures are accurate.
When considering the work to be performed by the auditor, there is a natural desire, from the perspective of minimizing their risk, to expand the scope of audit work to cover as much potential risk as possible.
XBRL as a New Risk
New technology brings new risks. If there is anything that is certain, it is that the introduction of XBRL, a new reporting technology that today is rather poorly understood by either the auditor or the filer, will be viewed as an area of significant potential additional risk. Auditing standards professionals in the accounting and auditing firms will understand the risk (or at least understand the uncertainty associated with new technologies applied to financial reporting.)
When XBRL becomes mandatory, the auditor that says "Okay, we'll only audit the HTML version of the financial statements" will be taking on a huge level of risk. As a result, we should expect the professional standards and risk management functions within the auditing firms will insist on auditing the XBRL as well, or they will refuse to provide an opinion on the rest of the financial statements in any other format.
It’s a smarter position. Picture a future courtroom. On the stand is the audit partner who signed off on the opinion. "Can you please tell the court why you chose not to audit the information that your own literature has been saying for years will be the information that will actually be used by the investor to make investment decisions?" I doubt that is a question that any audit partner will want to have to answer.
It stands to reason we should expect auditors will take the most cautious approach when presented with the question of whether to audit the XBRL or not to audit the XBRL.