Companies that led the way to data-interactive financial reporting are now facing their first exposure to full liability for the content of their filings—and exposed they are, with no audit to backstop litigation or regulatory action.

The largest public calendar-year companies that submitted their third-quarter financial statements through the still-evolving XBRL system are at risk. That's because the Securities and Exchange Commission no longer considers these companies to be simply “furnishing” their financial statements, says Paul Penler, executive director at Ernst & Young. Now they are “filing” them through XBRL. It's a legal distinction that provides cover during a transition period, as companies get used to the new system.  “There is no change to the rules they have to follow, but it means that an XBRL exhibit has the same liability as the HTML financials,” he says.

The SEC required the largest domestic public companies—those with a public float of $5 billion or greater—to begin submitting financial statements through XBRL in 2009. XBRL, or eXtensible Business Reporting Language, is a format that allows financial statement information to be downloaded directly into spreadsheets and analyzed in a variety of ways using off-the-shelf software. The second wave of companies— those between $5 billion and $75 million in market capitalization—were required to submit financial statements in XBRL in 2010. The smallest companies faced the XBRL requirement for the first time in 2011.

The phase-in process suspends the usual liability associated with filing financial statements for two years to give companies ample time to learn the system before facing regulatory scrutiny or litigation, says Penler. That means the largest companies, numbering about 500, are entering full liability with their third-quarter filings, he says, while the second tier, about 1,150 companies, will become exposed to liability and regulatory scrutiny next summer.

Although companies can be held liable for the accuracy and completeness of the XBRL submission, the SEC does not require companies to have their XBRL rendering audited and hasn't given any signal that it plans to require an audit. “Litigation relief is now gone for the first wave of filers, yet there remains, after two years to get ready for this, no auditing standard for XBRL,” said Daniel Roberts, CEO of XBRL service provider raas-XBRL and a past committee chair at XBRL U.S., a consortium that helped develop the technology. “This means that both filers and external auditors have no standard to fall back on to demonstrate that reliance can be placed on the XBRL versions of the financial statements,” he says.

United Technologies, one of the earliest adopters of XBRL going back to the SEC's voluntary pilot phase, has been working with XBRL for about six years, says John Stantial, assistant controller. Early on, even though an audit is not required, the company sought an audit just to get a sense of what it would be like, he says. “They did a very lengthy, time-consuming tick-and-tie,” he says, leading him to conclude auditors were not prepared to audit XBRL instance documents, or financial statements prepared in the XBRL format.

“Litigation relief is now gone for the first wave of filers, yet there remains, after two years to get ready for this, no auditing standard for XBRL.”

—Daniel Roberts,

Chief Executive Officer,


More recently, United Technologies hired its audit firm again to double check the XBRL submission and found it “a bit more beneficial,” he says. “They pointed out some changes that could be made to refine the filing relative to best practices, but I don't think it made it that much more robust.”

Guidance, but No Standards

As Roberts laments, it's true auditors have no standards to follow when auditing XBRL instance documents. Auditors have, however, been following guidance issued by the American Institute of Certified Public Accountants in 2009. Statement of Position 09-1 explains how to perform “agreed-upon procedures” engagements to check the completeness, accuracy, and consistency of data tagged in XBRL. An AUP engagement is more limited than an audit and is meant to be used by management internally, not by investors or anyone outside the company.

An AUP engagement tends to focus on three things, says Penler. Auditors check to assure companies have selected the right tags from the GAAP Taxonomy to describe each piece of data in their financial statements. They check to assure the XBRL rendering is complete, and they check for proper structure. Many companies have struggled with positive and negative values and with decimal placement, for example, so auditors are helping resolve some of those issues, he says. Companies are also taking more care internally to perform self reviews and to bulk up their controls around XBRL to improve quality and to attempt to limit liability, he says.


In December 2010, the AICPA published some observations and recommendations based on the first XBRL filings. The excerpt below covers some of the AICPA's observations:

A number of observations were made

regarding the existence of significant variances

in permitted practices. Many companies

were not aware that there were alternative or

optional approaches permitted for different

tagging scenarios. While these practices did

not represent known issues with the SEC

requirements, companies may consider a

common approach to take in order to help

facilitate additional consistency between each

submission and between XBRL Exhibits in

general. To help drive consistency, companies

may find it helpful to record their approach

for addressing various practices in the future.

Areas observed include:

Use of Definitions for Tags

While a significant number of filers frequently

included a 1-2 sentence definition for

extension tags, many other filers either didn't

include a definition, or just repeated the label.

Additionally, some filers included definitions

for member tags, whereas many others

did not provide definitions for axis and

domain-tag extensions. Many tags are simple

and the standard label provides adequate

information; however, when it may not be

obvious why an extension was created, a best

practice may be to provide a definition to

clearly explain the purpose of the element.

Presentation Groups

Companies have created and organized their

data in various ways, sometimes based on the

restrictions of linkbases for duplicate facts in

a single presentation group. Some filings had

in excess of 100 presentation groups, which

made it challenging to manually navigate the

instance documents using viewers. The EFM

and SEC FAQs provide guidance related to

the establishment of presentation groups

(or extended link roles) and how to organize

information in them. For example, the SEC FAQs

recommend that all tables relating to a specific

note be grouped in a single presentation group.

Denoting Information Labeled Unaudited in

the Financial Statements in the XBRL Exhibit

The traditional financial statements (HTML

version) present information that has been

labeled unaudited in the financial statements

by indicating the term “unaudited” at the top

of a column (e.g., on the balance sheet), at the

top of a financial statement, or in a footnote.

While there is no requirement to inform the

user of XBRL files of this information, some

companies optionally tagged information

as “unaudited” in their XBRL Exhibits using

different approaches (e.g., XBRL footnote link

or presentation section name) to communicate

this information.

Determining if Optional

Information Should be Tagged

Some companies have detail tagged

additional information (e.g., string, dates) to

provide more context to required amounts

so users do not have to review additional text

block information to understand the tags. For

example, a litigation disclosure settlement

amount by itself tells the reader nothing;

however, tagging additional information about

the litigation (e.g., identification of plaintiff)

could help the end user better understand

the amount that was tagged. Additionally,

since narrative disclosures are not required

to be separately tagged in addition to the

text block tag in which it is contained, some

relevant information may be lost. Filers also

may consider tagging non-required superscript

narrative text to the footnote disclosures

when that information provides more context

to users.

Source: AICPA Guidance on XBRL.

The AICPA recently developed and proposed additional guidance to establish principles and criteria for how to evaluate information expressed in XBRL, and the AICPA is working on an update to the 2009 guidance, says Ami Beers, a manager at AICPA involved in business reporting, assurance, and XBRL. “We've seen many companies engaging their auditors to perform these agreed-upon procedure engagements,” she says, but the profession has no indication from regulators that an audit will ever be required.

United Technology's Stantial isn't terribly worried about that at the moment. “Quite honestly, we haven't done anything different than our established process all along,” he says. “We have a fairly robust process to begin with.” The company's C-suite officers are not uncomfortable certifying the XBRL filing, he says. He doesn't expect the SEC to come down hard on companies for mistakes at this stage while the technology is still gaining traction, and he's not even terribly worried about the plaintiff's bar. Mistakes tend to focus on technical issues, not the underlying data, he says, so it would be hard for investors to claim they were being misled.

Given the expiring liability protection, an increasing number of companies are taking a more cautious approach and hiring auditors for AUP engagements, says Mike Willis, a partner with PwC and an XBRL advisor to Financial Executives International. The audit is required in some countries, such as India, the Netherlands, and China, he says, suggesting the SEC is likely to eventually require it.

According to Willis, the AICPA's efforts are a sound basis for eventually developing an auditing standard. “It's definitely moving in that direction,” he says. Willis also sees evidence that the SEC is beefing up its resources to expand its capability to review and analyze XBRL submissions.

Sean Denham, a partner at Grant Thornton, says XBRL is getting much more attention in the C-suite at companies where liability protection has or will soon expire. “For the first few years, the CEOs, CFOs, and COOs were really leaving it to the devices of IT,” he says. “Now that limited liability is going away, they're taking more interest in it.”

While companies have turned to outside service providers for assistance, says Phyllis Deiso, national SEC practice leader for McGladrey & Pullen, they should be careful not to rely too heavily on them for liability protection. “The SEC has made it clear that management cannot delegate responsibility to its service provider,” she says.