Companies that led the way to data-interactive financial reporting are now facing their first exposure to full liability for the content of their filings—and exposed they are, with no audit to backstop litigation or regulatory action.
The largest public calendar-year companies that submitted their third-quarter financial statements through the still-evolving XBRL system are at risk. That's because the Securities and Exchange Commission no longer considers these companies to be simply “furnishing” their financial statements, says Paul Penler, executive director at Ernst & Young. Now they are “filing” them through XBRL. It's a legal distinction that provides cover during a transition period, as companies get used to the new system. “There is no change to the rules they have to follow, but it means that an XBRL exhibit has the same liability as the HTML financials,” he says.
The SEC required the largest domestic public companies—those with a public float of $5 billion or greater—to begin submitting financial statements through XBRL in 2009. XBRL, or eXtensible Business Reporting Language, is a format that allows financial statement information to be downloaded directly into spreadsheets and analyzed in a variety of ways using off-the-shelf software. The second wave of companies— those between $5 billion and $75 million in market capitalization—were required to submit financial statements in XBRL in 2010. The smallest companies faced the XBRL requirement for the first time in 2011.
The phase-in process suspends the usual liability associated with filing financial statements for two years to give companies ample time to learn the system before facing regulatory scrutiny or litigation, says Penler. That means the largest companies, numbering about 500, are entering full liability with their third-quarter filings, he says, while the second tier, about 1,150 companies, will become exposed to liability and regulatory scrutiny next summer.
Although companies can be held liable for the accuracy and completeness of the XBRL submission, the SEC does not require companies to have their XBRL rendering audited and hasn't given any signal that it plans to require an audit. “Litigation relief is now gone for the first wave of filers, yet there remains, after two years to get ready for this, no auditing standard for XBRL,” said Daniel Roberts, CEO of XBRL service provider raas-XBRL and a past committee chair at XBRL U.S., a consortium that helped develop the technology. “This means that both filers and external auditors have no standard to fall back on to demonstrate that reliance can be placed on the XBRL versions of the financial statements,” he says.
United Technologies, one of the earliest adopters of XBRL going back to the SEC's voluntary pilot phase, has been working with XBRL for about six years, says John Stantial, assistant controller. Early on, even though an audit is not required, the company sought an audit just to get a sense of what it would be like, he says. “They did a very lengthy, time-consuming tick-and-tie,” he says, leading him to conclude auditors were not prepared to audit XBRL instance documents, or financial statements prepared in the XBRL format.
“Litigation relief is now gone for the first wave of filers, yet there remains, after two years to get ready for this, no auditing standard for XBRL.”
Chief Executive Officer,
More recently, United Technologies hired its audit firm again to double check the XBRL submission and found it “a bit more beneficial,” he says. “They pointed out some changes that could be made to refine the filing relative to best practices, but I don't think it made it that much more robust.”
Guidance, but No Standards
As Roberts laments, it's true auditors have no standards to follow when auditing XBRL instance documents. Auditors have, however, been following guidance issued by the American Institute of Certified Public Accountants in 2009. Statement of Position 09-1 explains how to perform “agreed-upon procedures” engagements to check the completeness, accuracy, and consistency of data tagged in XBRL. An AUP engagement is more limited than an audit and is meant to be used by management internally, not by investors or anyone outside the company.
An AUP engagement tends to focus on three things, says Penler. Auditors check to assure companies have selected the right tags from the GAAP Taxonomy to describe each piece of data in their financial statements. They check to assure the XBRL rendering is complete, and they check for proper structure. Many companies have struggled with positive and negative values and with decimal placement, for example, so auditors are helping resolve some of those issues, he says. Companies are also taking more care internally to perform self reviews and to bulk up their controls around XBRL to improve quality and to attempt to limit liability, he says.
In December 2010, the AICPA published some observations and recommendations based on the first XBRL filings. The excerpt below covers some of the AICPA's observations:
A number of observations were made
regarding the existence of significant variances
in permitted practices. Many companies
were not aware that there were alternative or
optional approaches permitted for different
tagging scenarios. While these practices did
not represent known issues with the SEC
requirements, companies may consider a
common approach to take in order to help
facilitate additional consistency between each
submission and between XBRL Exhibits in
general. To help drive consistency, companies
may find it helpful to record their approach
for addressing various practices in the future.
Areas observed include:
Use of Definitions for Tags
While a significant number of filers frequently
included a 1-2 sentence definition for
extension tags, many other filers either didn't
include a definition, or just repeated the label.
Additionally, some filers included definitions
for member tags, whereas many others
did not provide definitions for axis and
domain-tag extensions. Many tags are simple
and the standard label provides adequate
information; however, when it may not be
obvious why an extension was created, a best
practice may be to provide a definition to
clearly explain the purpose of the element.
Companies have created and organized their
data in various ways, sometimes based on the
restrictions of linkbases for duplicate facts in
a single presentation group. Some filings had
in excess of 100 presentation groups, which
made it challenging to manually navigate the
instance documents using viewers. The EFM
and SEC FAQs provide guidance related to
the establishment of presentation groups
(or extended link roles) and how to organize
information in them. For example, the SEC FAQs
recommend that all tables relating to a specific
note be grouped in a single presentation group.
Denoting Information Labeled Unaudited in
the Financial Statements in the XBRL Exhibit
The traditional financial statements (HTML
version) present information that has been
labeled unaudited in the financial statements
by indicating the term “unaudited” at the top
of a column (e.g., on the balance sheet), at the
top of a financial statement, or in a footnote.
While there is no requirement to inform the
user of XBRL files of this information, some
companies optionally tagged information
as “unaudited” in their XBRL Exhibits using
different approaches (e.g., XBRL footnote link
or presentation section name) to communicate
Determining if Optional
Information Should be Tagged
Some companies have detail tagged
additional information (e.g., string, dates) to
provide more context to required amounts
so users do not have to review additional text
block information to understand the tags. For
example, a litigation disclosure settlement
amount by itself tells the reader nothing;
however, tagging additional information about
the litigation (e.g., identification of plaintiff)
could help the end user better understand
the amount that was tagged. Additionally,
since narrative disclosures are not required
to be separately tagged in addition to the
text block tag in which it is contained, some
relevant information may be lost. Filers also
may consider tagging non-required superscript
narrative text to the footnote disclosures
when that information provides more context
Source: AICPA Guidance on XBRL.
The AICPA recently developed and proposed additional guidance to establish principles and criteria for how to evaluate information expressed in XBRL, and the AICPA is working on an update to the 2009 guidance, says Ami Beers, a manager at AICPA involved in business reporting, assurance, and XBRL. “We've seen many companies engaging their auditors to perform these agreed-upon procedure engagements,” she says, but the profession has no indication from regulators that an audit will ever be required.
United Technology's Stantial isn't terribly worried about that at the moment. “Quite honestly, we haven't done anything different than our established process all along,” he says. “We have a fairly robust process to begin with.” The company's C-suite officers are not uncomfortable certifying the XBRL filing, he says. He doesn't expect the SEC to come down hard on companies for mistakes at this stage while the technology is still gaining traction, and he's not even terribly worried about the plaintiff's bar. Mistakes tend to focus on technical issues, not the underlying data, he says, so it would be hard for investors to claim they were being misled.
Given the expiring liability protection, an increasing number of companies are taking a more cautious approach and hiring auditors for AUP engagements, says Mike Willis, a partner with PwC and an XBRL advisor to Financial Executives International. The audit is required in some countries, such as India, the Netherlands, and China, he says, suggesting the SEC is likely to eventually require it.
According to Willis, the AICPA's efforts are a sound basis for eventually developing an auditing standard. “It's definitely moving in that direction,” he says. Willis also sees evidence that the SEC is beefing up its resources to expand its capability to review and analyze XBRL submissions.
Sean Denham, a partner at Grant Thornton, says XBRL is getting much more attention in the C-suite at companies where liability protection has or will soon expire. “For the first few years, the CEOs, CFOs, and COOs were really leaving it to the devices of IT,” he says. “Now that limited liability is going away, they're taking more interest in it.”
While companies have turned to outside service providers for assistance, says Phyllis Deiso, national SEC practice leader for McGladrey & Pullen, they should be careful not to rely too heavily on them for liability protection. “The SEC has made it clear that management cannot delegate responsibility to its service provider,” she says.