XBRL, Financial Reporting, and Auditing

By Ryan Youngwon Shin

The future delivery of financial reports will be digital; the question of which information exchange language will become the de facto standard remains unanswered. Currently, most digital representations of financial information are coded in hypertext markup language (HTML), which controls the way information is displayed but does not recognize content, limiting its usefulness. The HTML format does not easily allow for the searching, analysis, or manipulation of information.

Extensible business reporting language (XBRL) was developed by a consortium of leading financial organizations, accounting firms, financial services providers, and technology companies. It is designed to make financial reports easier to post on the Internet. Investors need accurate and reliable financial information that can be delivered promptly in order to help them make informed financial decisions, and company websites are crucial sources of this information. XBRL meets these needs and improves the usefulness of financial information on the Internet.

Technical Developments and Issues

In early 1993, the SEC began to mandate electronic filings through its Electronic Data Gathering, Analysis, and Retrieval system (EDGAR). This system was intended to enhance the speed and efficiency of SEC processing and make financial information available to investors, the financial community, and others more quickly. Currently, EDGAR accepts both the American Standard Code for Information Interchange (ASCII) and HTML documents as official filings. Although EDGAR delivers the advantages of speed and efficiency characteristic of a centralized database, it still forces users to download reports from the SEC website or manually search for and prepare data for other uses.

The use of XBRL-coded financial statements, bank loan documentation, and tax filings delivered via the Internet to regulatory authorities, analysts, and investors is gaining credibility. Efficiency and effectiveness are increased because XBRL data can be exchanged with more technological independence and less human involvement.

XML format. XBRL uses extensible markup language (XML) data tags in describing financial information. A simple example of converting a text to the XML format can be seen in the following:

Original Data XML Data
John Smith <name>John Smith
</name> <address>
1 Pace Plaza <street>1 Pace Plaza
</street>
New York, <city>New York
NY 10038 </city>
<state>New York
</state>
<country>United
States of America
</country>
<postcode>10038
</postcode>
</address>
(212) 346-1200 <telephone>
2123461200
</telephone>

XBRL has various and complex components and documents. The XBRL specifications and taxonomies are created by the XBRL community, over 170 different worldwide organizations and companies that have contributed to its development.

An XBRL specification is software code that describes and defines the financial information for XBRL software developers. Information in otherwise incompatible formats can be compared across different entities using the XBRL specification. The use of the specification is not limited to financial statements; it may also be used for digital reporting and presentation of general ledger details through drill-down, regulatory filings, and nonfinancial information.

XBRL taxonomies are standard descriptions for presenting business information and accounting reports. With XBRL, financial information preparers link data elements stored in accounting databases, and use XBRL to code them in a standard manner based on the taxonomy. As an example, the taxonomy for the changes in Treasury stock information under U.S. GAAP, Commercial and Industrial (US-GAAP-CI) is presented below:

XBRL instance documents are used to represent financial data with tags from one or several taxonomies. For example, an instance document could include a company’s annual report, the earnings release, and general ledger details.

Instance documents make digital financial information for external or internal reporting and regulatory filing user-friendly because XBRL allows data to be read directly by computer programs, manipulated by end users, and outputted in various forms. Instance documents may also include stylesheets, which allow presentation-quality documents to be printed from a web browser or .pdf file.

David Von Kannon and Yufei Wang discussed the design of X4GFR, a component of the XBRL framework, at XML Europe in 2000. In their paper they presented the following example of the instance document for an XBRL report, which shows the text of the concentrations note at calendar year-end 1998 for Sample Company:

<item entity="Sample Company"
period="19981231" xmlns="http://www.x4gfr.org/core/
00-03-31" xmlns:aicpa="http://www.x4gfr.org/
aicpa/us/gaap/ci/03-03-31" schemaLocation="http://www.x4gfr.
org/aicpa/us/gaap/ci/03-03-31.xsd" type="aicpa:NotesToFinancialStatements.

Concentrations" /> Concentration of credit risk with regard to short-term investments is not considered to be significant due to the Company's cash management policies. These policies restrict investments to low risk, highly liquid securities (that is, commercial paper, money market instruments, etc.), outline issuer credit requirements, and limit the amount that may be invested in any one issuer. </item>

Users of financial reports will not see the embedded tags when they retrieve financial information, but the tags make it clear that the information is the footnote disclosure for concentrations of credit risk for the financial statement of Sample Company at December 31, 1998. This attribute also contributes to more effective searches on the Internet, as the user can specify a tag as a search criterion.

If an entity has a financial data item that does not already exist in the US-GAAP-CI taxonomy, it can create an XBRL tag unique to its taxonomy. Once financial data is correctly tagged, users can utilize XML-enabled software and browsers for analysis, reporting, and other functions. XBRL-formatted data can be accessed and queried efficiently based on user preferences.

Audit and Control Issues

Many financial information technology experts strongly believe that XBRL will succeed. AICPA senior vice president Alan Anderson envisions the business-reporting model of the future as online, real-time disclosure. Today’s legacy audit opinion is backward-looking, relying on dated, hard-copy information; stakeholders today want data in real time. Financial information available on the Internet and coded in XBRL allows users to easily find the underlying accounting data that they are interested in.

When financial information is streamed in real time, the risk of error in the financial statements could become higher, depending on the controls in place. SAS 94 states, “[W]hen evidence of an entity’s initiation, recording, or processing of financial data exists only in electronic form, the auditor’s ability to obtain the desired assurance only from substantive tests would significantly diminish.” When financial statements are prepared using XBRL, the auditor should consider gathering evidential matter and performing control tests on the correct application of specifications, taxonomy, and instance documents used in the coding.

Planning the audit when XBRL is used for financial reporting. According to SAS 94, “In circumstances where a significant amount of information supporting one or more financial statement assertions is electronically initiated, recorded, processed, or reported, the auditor may determine that it is not possible to design effective substantive tests … significant audit evidence may be available only in electronic form. In such cases, its competence and sufficiency as evidential matter usually depend on the effectiveness of controls over its accuracy and completeness.”

When fully implemented, the risks of XBRL center on the accurate and complete mapping of the financial information and accounting data to the tags. An adequately designed and effective internal control structure for XBRL will ensure that the data retrieved represents valid and accurate transactions, has integrity, and is recognized in the proper accounting period. Another audit concern with respect to the use of XBRL is whether all relevant data in the source records has been tagged; that is, whether the report is complete.

The operational environment and XBRL. The auditor needs to design procedures that determine whether the specifications, taxonomy, and instance documents are appropriate for financial statements. Engagement audit staff should have the technical expertise to apply these procedures, as well as the knowledge of relevant industry standards and applicable GAAP. Such an examination would involve considering XBRL details in order to ensure that they are up to date and properly applied.

General control audit procedures relevant to XBRL include network operations, application development and maintenance, and access controls. Application controls relevant to XBRL address input, error correction, and output. For example, when a taxonomy is assigned, modified, or added, the auditor should check an instance document against the taxonomy to ensure that all tags are from the taxonomy.

Network security. XBRL may provide live links from financial documents back to the underlying production databases. In this case, substantial security risks exist if the security of the operating system, application, and database is inadequately configured. Such misconfigurations could allow unauthorized changes or destruction of data. When such links are present, the auditor should consider the adequacy of the entity’s security policies and procedures for configuring firewalls, hardening operating systems, and other relevant security controls.

The security polices and procedures should address classifying the sensitivity or criticality of digital information, especially if the entity is subject to the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act (GLB), or Health Insurance Portability and Accountability Act (HIPAA).

The Future of XBRL

Investors and regulators around the globe are calling for increased financial transparency in order to rebuild market confidence. Because of its simplicity and efficiency, the expected growth of XBRL will impact the ways that companies exchange financial data, as well as business reporting. The use of XBRL for financial statements, however, will lead to new audit issues that practitioners must take into consideration.

To experience how XBRL-formatted data could be used, go to NASDAQ.com’s XBRL pilot, “NASDAQ-Microsoft-PwC Demo” at www.nasdaq.com/xbrl. This demonstration provides a glimpse of how information reported by companies in the XBRL format will be more useful to investors and other users.

Ryan Youngwon Shin, CISA, is an IT auditor at J.H. Cohn, LLP, and a member of the NYSSCPA’s Technology Assurance Committee. He would like to thank the assistance of technical editor Amanda B. Chaloupka, PhD candidate, Rutgers University.