XBRL: What’s In It for Internal Auditors?

Written by Gianluca Garbellotto     Posted on March 30, 2009

Gianluca Garbellotto is current Chair of the XBRL Global Ledger Working Group and is a past member of the XBRL International Standards Board. He  is deeply involved both in XBRL standards development and in their practical implementation, with a specific focus on internal reporting requirements. His current professional engagements include some of the major global XBRL projects. His GLG Repository site features his newly inaugurated blog.

Earlier this month, the Institute of Internal Auditors (IIA) Research Foundation published my white paper XBRL: What's In It for Internal Auditors, which I had the privilege to write with the invaluable review and advice of a number of individuals quoted in the paper.

This paper was initially conceived to address the results of an XBRL awareness survey among chief internal audit executives worldwide conducted by The IIA at the end of 2008. The survey showed only a partial awareness of XBRL by internal audit professionals. In addition, auditors were minimally involved in the actual process of generating XBRL filings even in those companies that are already using XBRL, either in voluntary or mandatory projects.

One of the objectives of the white paper is to fill this awareness gap by providing a comprehensive overview of what XBRL is, how it is being used in various programs across the world, and how it will have to be used to meet the SEC’s interactive data mandate, which starts in the second half of this year.

However, this is only one part of the story. Obviously, internal auditors need to be able to contribute to, and provide professional assurance on, the process of generating XBRL filings as they do with any other corporate reporting process. Still, XBRL's value proposition in internal auditing processes goes far beyond being an additional format to which to convert financial reports. The white paper highlights the uses of XBRL that go beyond regulatory compliance, demonstrating how it enables the enhancement of critical processes in the internal space:  data integration, reporting assembly, application of validation rules, controls, and visualization templates in a consistent way across the whole corporate information system.

Simply put, internal auditors should consider XBRL -- and I am not referring here just to the US GAAP XBRL taxonomy used to report to the SEC, but to the standard as a whole in its various flavors as described in the paper -- as a key tool to perform their functions more efficiently, rather than simply an additional reporting burden that requires their professional attention. XBRL enables moving from widespread manual, error-prone processes to automated and standardized ones in key data-related activities. It is something that businesses can leverage internally as a key technology and not just see as an additional compliance burden.

This concept is relevant not only for internal auditing, but for internal corporate processes in general. It can help executives making crucial decisions today on how to comply with the SEC’s interactive data mandate over the course of the next several years.

The white paper also examines different approaches to XBRL adoption, where XBRL can be either bolt-on at the highest financial report generation level, built-in deeper into the reporting layer of the corporate information system, or deeply embedded at ledgers level.

If a company sees XBRL as just another format in which financial statements have to be submitted for compliance, its management is likely to consider only the easiest options to create its filings: either create them under the existing process and convert to the new format at the end, or outsource as much of the process as possible. These choices not only represent a missed opportunity on the "internal" benefits that XBRL enables, but will actually be put to test by evolving reporting requirements. Additional reporting concerns like IFRS convergence and the “Year 2" requirements already set in the SEC mandate, which extend the depth at which information will have to be tagged in notes and schedules, are reason enough to consider all of the options available and their implications very carefully.

In short, even if you are not an internal auditor,  I think it may be worthwhile for you to get the white paper from The IIA website.