XBRL is currently being adopted for a number of reporting channels around the world, including for public company reporting to the US Securities and Exchange Commission (SEC). The first phases of the SEC adoption have been successful, with a high level of compliance and good quality XBRL-tagged data for the most part. That said, there is still widespread misunderstanding related to the steps necessary to produce high-quality XBRL-tagged data and whether these files can be relied upon for decision-making purposes.
Many people still feel that tagging of information in XBRL is similar to turning a Word document into a PDF file and that XBRL-tagged data is inherently as accurate as the underlying information from which it was created. This is an inappropriate analogy, because the process of XBRL tagging involves judgment, just as financial statement preparation involves judgment, and there is potential for intentional or unintentional errors that could result in inaccurate, incomplete and/or misleading information. This is a problem, because it is the XBRL-tagged data that will ultimately be consumed and used for decision-making purposes, so the completeness, accuracy or consistency of the tagged data is of paramount importance.
Using submissions to the SEC under the SEC mandatory filing program as an example, another potential misunderstanding is that the XBRL-tagged data is covered by the audit of the underlying financial statements. This is not the case; absent a separate engagement of a third party looking at the completeness, accuracy or consistency of the XBRL-tagged data itself, there is no auditor involvement in the XBRL exhibits at this time. What this means is that the XBRL-tagged data – the data that will be consumed by analysts, investors, regulators and other stakeholders of company filings – may not be the same as the underlying audited financial statements.
The Importance of High-Quality XBRL-Tagged Data
The preceding paragraphs are not intended to imply that the tagged data produced to date is unreliable. As stated up front, with few significant exceptions the XBRL exhibits submitted to the SEC through the first phases of the mandatory filing program have been of high quality, and quality has been observed to increase significantly as companies familiarize themselves with the process. (For more information on common issues, see Staff Observations from Review of Interactive Data Financial Statements and AICPA XBRL Update: Observations and Recommendations for XBRL Implementations for SEC Reporting in the U.S. All companies, auditors and other parties involved with XBRL exhibits submitted to the SEC should familiarize themselves with these documents.) It is still important to note, however, that companies are ultimately responsible for the quality of the XBRL exhibits they submit. The significance of this responsibility will increase over time for two reasons:
1) The limited liability period for XBRL exhibits expires for all companies two years after the date they are first required to submit XBRL exhibits under the mandatory SEC filing program.
2) As more and more company data is available to the marketplace in XBRL format, more investors and other stakeholders will begin to consume and rely upon that XBRL-tagged data.
Some have argued that investors today rely on data that is parsed and normalized by data aggregators and therefore potentially much farther afield than the XBRL-tagged data, which is at least intended to mirror the underlying audited financial statements, even if there is no separate auditor involvement in its completeness, accuracy or consistency, and therefore that there is no need or market demand for any additional assurance or related services on the XBRL-tagged data. In my opinion, this argument does not necessarily hold water. First, I believe that if most stakeholders understood this dynamic, they would desire some level of third-party involvement. Second, in the case of XBRL exhibits submitted to the SEC, the company (as stated earlier) is responsible for the quality of the tagged data. Given that the XBRL exhibits are accessible via the SEC EDGAR system and are intended to serve as an electronic version of the underlying audited financial statements, it is logical that users of the XBRL-tagged data will expect the same level of quality as in the underlying audited financial statements.
What Companies Can Do To Help Promote the Reliability of Their XBRL-Tagged Data
Companies have several choices for tagging their financial statements in XBRL format.
Many of the largest public companies in the first phases of the SEC adoption have opted to outsource the tagging to a third party, typically an EDGAR filing agent. This approach has both pluses and minuses. On the plus side, given that these organizations have a high level of experience in tagging financial statements for companies across a number of industries, they may have an advantage in terms of timeliness or consistency of tagging the face of the financial statements and block tagging of notes (although it is not likely that this advantage will translate to detail tagging of footnotes). On the minus side, outsourcing of tagging can be costly. Also, staff of third-party service organizations cannot possibly be as familiar with the financial statements of a company as the company’s staff or auditor, who could be engaged in an advisory role to help tag financials in XBRL. In some cases, companies that are outsourcing may be reviewing Microsoft Excel-based mapping files and renderings of the XBRL files rather than looking at their actual XBRL files before submission to the SEC. As a result, those XBRL files may include errors of which management is unaware. The implication is that companies that are outsourcing should familiarize themselves with common errors using the documents referenced in the preceding section (SEC Staff Observations and AICPA XBRL Update) and should be reviewing the actual XBRL files themselves.
Some companies have instead taken a more hands-on approach and opted to bring tagging in-house. Others may eventually wish to do so even if they have engaged a third party to help with the preliminary tagging process, which is much more time-consuming than maintenance once preliminary tagging has been done.
Companies may also wish to have a third-party service performed on the completeness, accuracy or consistency of their XBRL data after it has been tagged and before it has been submitted to the SEC. (For more information on options, see CAQ Alert: Potential Audit Firm Service Implications Raised by the SEC Final Rule on XBRL.) Informal surveys indicate that about 50% of companies are either requesting or planning to request agreed-upon procedures engagements under the April 2009 AICPA Statement of Position 09-1: Performing Agreed-Upon Procedures Engagements That Address the Completeness, Accuracy, or Consistency of XBRL-Tagged Data. (An update of this SOP is planned, but the current version is still applicable until the update is released.) An agreed-upon procedures engagement does not entail judgment or positive assurance. Rather, a practitioner is engaged to perform procedures agreed upon by specified parties (typically management or the audit committee) and the practitioner, who assists those parties in evaluating subject matter or an assertion, and to report findings. Positive assurance (where the practitioner is exercising judgment and expressing an opinion on the completeness, accuracy or consistency of XBRL-tagged data) on XBRL exhibits is neither required nor precluded by the SEC Rules, but there is currently no updated guidance for practitioners to follow in performing such engagements. This should change if market demand evolves toward a desire for positive assurance on the quality of XBRL-tagged data.
A related question that is commonly raised is whether or not SAS 70 (now replaced by SSAE 16/SOC 1) applies in the case of companies that outsource their tagging. The answer is currently no, because most companies tagging under the SEC Rules are doing so after the paper-based financial statements have already been prepared, and therefore tagging has no impact on the company’s Internal Control over Financial Reporting (ICFR). Over time, as companies start utilizing XBRL-tagged data to prepare their financial statements, the XBRL tagging would be covered under the scope of ICFR.
I am often asked what I think companies should do. The answer, of course, is that a company needs to make its own determination, based on an assessment of the importance of quality XBRL-tagged data and what can be done to promote it as covered in this piece. From a personal perspective (and I come from a public company background, not an audit background), if I worked for a company required to submit XBRL exhibits to the SEC, I would encourage my company to train in-house staff to become familiar with the applicable taxonomies, to establish and maintain the tagging process, and to engage an auditor to perform an AUP engagement on our XBRL-tagged data before submitting it to the SEC. As a representative of the AICPA, I advocate on behalf of both our members in public practice and our members in industry. This piece is intended to help both of these constituencies, as well as the public that they serve, to understand how they can positively support the adoption of XBRL so that it is a net benefit to preparers and consumers alike.
For more information on this topic, please visit the following website: http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/AssuranceSvcs/Pages/XBRLAssuranceTaskForce.aspx
Existing guidance includes PCAOB Staff Q&As (2005) and AICPA AT101 Interpretation “Attest Engagements on Financial Information Included in XBRL Instance Documents” (2003), both of which predate the SEC Final Rules.
by Amy Pawlicki