XBRL – The Audit Consequences of XML in Financial Reporting
What are the risks associated with XML Audit?
Irrespective of whether the company outsources the conversion or not, the firm whose financial statements are being converted into XBRL is still responsible for the accuracy of the output data. Moreover, introducing a third party for the work increases the risk of problems ranging from mistakes and omissions to operational errors such as a missed filing deadline, a breach of data security, or sending the wrong file. Many firms lack formal reconciliation and approval processes for XBRL vendors since they have a payroll vendor for filing tax reports and making payments on their behalf.
Existing Audit Practices
There is a growing concern among firms that XBRL is not being properly reviewed by external financial auditors. In 2005, the Public Company Accounting Oversight Board offered guidance on external auditor engagements regarding XBRL, which depends on the auditor agreeing paper-only versions of the XBRL-related documents to the details in the official filing. The PCAOB rules enable an auditor to perform an attestation under AT Section 101, which will include:
- The XBRL data agrees with the official EDGAR filings
- All XBRL related documents conform with applicable XBRL taxonomies and specifications and SEC requirements for format as well as content
For larger firms, reviews of XBRL are done under the framework offered by the AICPA for Agreed Upon Procedures (AUP), known as AT Section 201. AUP engagements are specific to the two parties involved: the audit firm and the firm being audited. Such reports are considered an extension of the financial statement audit.
Alternative Approaches and the Way Ahead
It would be far more effective and affordable to have third-party vendors reviewed under an attestation that follows the AT Section 101 framework. One major benefit of using such a framework is that the report can potentially be used by numerous firms. Moreover, the Trust Services framework falls within AT Section 101, so a third-party provider can obtain a SysTrust® examination for the services it offers.
If history is any guide, the combination of a compliance need for XBRL and the intention to meet it at an affordable cost will lead to more outsourcing. With this comes a higher risk of a provider's processes and technologies reflecting a firm's financial position inaccurately. As with any other type of outsourcing, companies that intend to outsource the function need to review the provider's processes and controls, as well as the audits and certifications it has undergone to validate those controls.