67AUGUST 2013 / THE CPA JOURNAL

By Josef Rashty

In 2009, the SEC mandated the use ofExtensible Business ReportingLanguage (XBRL) to improve and

enhance the functionality of its electronicData Gathering, Analysis, and Retrieval(Edgar) database. XBRL is based onExtensible Markup Language (XML), awidely accepted technological standardthat defines a set of rules for encoding doc-uments in a format that both humans andmachines can read.

XBRL, used to present and define infor-mation in a company’s SEC filings, pro-vides an identifying tag for each individ-ual item in the financial statements.Taxonomy tags include individual items inthe financial statements and in the note dis-closures. Furthermore, a company can cre-ate and define new tags that are unique toits own circumstances and business oper-ations (extensions).

SEC regulations do not include any typeof audit or assurance requirement forclient-prepared XBRL files. Moreover, CPAfirms cannot perform meaningful analyticalprocedures on XBRL-tagged data sufficientto achieve the level of assurance needed toform the basis for a review engagement. Aregistrant may, however, engage a publicaccounting firm to perform an agreed-uponprocedures engagement to help managementevaluate the completeness, accuracy, andconsistency of its XBRL submission.

The ensuing discussion provides a briefoverview of the XBRL tagging process andimplementation; it also considers risks,internal controls, compliance considera-tions, and some best practices for XBRLsubmissions by publicly held companies.

The XBRL Tagging ProcessXBRL tagging allows computer pro-

grams to read financial information in orderto help investors and analysts access the

financial information in a standardized andconsistent manner. The SEC requires thatregistrants tag their financial statements—and the notes to their financial statements—with elements from a taxonomy or withtags that the company has created (due tospecial characteristics and requirementsof its business [extension]) that define thecorresponding reporting concepts.

The SEC’s requirements for the con-version to XBRL by companies reportingunder U.S. GAAP were phased in overtime. The largest companies began pro-viding XBRL information in 2009; by June2011, all registrants were subject to XBRLreporting. After an initial public offeringor spin-off, newly formed public compa-nies are required to begin complying withthe XBRL requirements in their firstquarterly filing on Form 10-Q (http://www.sec .gov/spot l ight /xbr l /xbr lsummaryinfophase3-051011.shtml).

Companies have gradually moved fromwhat is referred to as “block tagging” to“detail tagging.” In block tagging, a tag isapplied to each individual number in theprimary financial statements and to eachnote, taken as a whole (i.e., a block of text).In the more complex “detail tagging,” tagsmust be applied to each individual numberthat appears in the notes. Many companiesobserved an increase in the number of tagsused, from 200 to more than 1,000, whenthey moved from block tagging to detailtagging. Some complex sets of financialstatements require more than 10,000 indi-vidual tags in a detail-tagged submission.

The Financial Accounting Foundation(FAF) and FASB have assumed responsi-bilities for the U.S. GAAP financial report-ing taxonomy, originally developed byXBRL US Inc. under a contract with theSEC. A key objective for moving the tax-onomy development and maintenance

T E C H N O L O G Ye l e c t r o n i c r e p o r t i n g

An Overview of XBRL Compliance Understanding the Risks and Liabilities

68 AUGUST 2013 / THE CPA JOURNAL

CHECKLIST FOR XBRL-RELATED CONTROLS

Tag Selection Controls

Rule 405(c)(1)(iii) of Regulation S-T states, “Each data element contained in the Interactive Data [XBRL] File is matched with an appropriate tag from the most

recent version of the standard list of tags specified by the EDGAR Filer Manual.” The following is a controls checklist for XBRL tagging process:

n Assign a team for preparation, review, and approval of XBRL submissions.

n Obtain an in-depth understanding of a company’s financial statements and business environment.

n Develop a thorough understanding of sections 6.6.23 through 6.6.29 of the Edgar Filer Manual.

n Provide due diligence and an approval process for a selection of new elements due to any changes in the financial statements and related

notes or due to the implementation of a new taxonomy.

n Perform benchmarking with the XBRL filings of other public companies.

n Develop a robust review process by establishing documentation controls and procedures and utilizing tools such as XBRL validation, SEC

validation, or XBRL US consistency check.

Submission Controls

The late submission of XBRL files may create complications.

The following is a controls checklist that companies should follow for their XBRL submission:

n Prepare a filing calendar for quarterly and annual filings, and allow time for emergencies.

n Plan to have the HTML and XBRL files ready for submission at least two days prior to the statutory deadline in each reporting period.

n Engage IT personnel for timely posting of the XBRL files on the company’s website.

n Review the third-party vendor process for XBRL preparation and filing.

Controls for Transition to a New Taxonomy

A new taxonomy has a new structure, and companies might need to significantly restructure their tags for reporting purposes. For example,

a company might have to change its approach toward member tags (dimensions) by using line-item tags instead of dimensions, or vice versa,

or the company might use a combination of line-item and dimension, rather than a line-item, tags.

The following is a controls checklist for transition to a new taxonomy:

n Ensure that the new accounting standards updates, reflected in the new-released taxonomy, are properly updated in the XBRL files.

n Ensure that deprecated tags are removed and replaced with new tags in the XBRL files. XBRL concepts become deprecated, for a variety of rea-

sons, with each version of the t axonomy; nevertheless, they remain in the taxonomy to satisfy the legacy and conversion requirements.

n Ensure all new tags and changes to the taxonomy have been incorporated in the XBRL files. FASB adds new tags to improve the taxonomy based

on public comments, leading reporting practices, and other input from constituents. Companies should review the deprecated tags and replace

them with the new tags.

Companies preparing a transition plan and review process should keep in mind a few tips:

n Review and fully understand the new adopted accounting standards.

n Read the new updated taxonomy and fully understand the revisions required by new accounting standards.

n Review FASB’s and XBRL US’s list of significant changes related to XBRL, especially those that claim to have resulted from “Best Practices, Public

Comments, and Internal Analyses” (http://xbrl.us/research/Pages/BestPractices.aspx).

n Determine the role that the third-party providers will play in the transition.

n Review the existing tag extensions for possible replacement with new tags.

n Identify when member tags (dimensions) are needed and use them properly. Dimensions represent complete financial reporting concepts

when combined with line-item tags; however, understanding when the use of dimensions is appropriate can be challenging.

responsibilities to the FAF and FASB was toachieve a greater level of integration withFASB’s standards-setting responsibilities.

XBRL ImplementationA company may prepare its XBRL files

internally, engage a third-party serviceprovider to prepare them, or use a combi-nation of both approaches. The followingare three different approaches for XBRLimplementation: n Built-in approach—integrates the XBRLpreparation process into a company’sexisting financial system.n Bolt-on approach—entails the acquisitionof additional software, implemented on topof a company’s existing financial system.n Full-service approach—allows compa-nies to outsource XBRL tagging andreporting to a third party (e.g., a filingagent, financial printer, or consulting firm).

A company that prepares its XBRL filesinternally benefits from having full controlover the process, which includes buildinga thorough knowledge of tagging, tax-onomies, and the tools and software used.But companies following this approachmight incur significant expenses in orderto train personnel.

A company that outsources the prepa-ration of XBRL files, on the other hand,benefits from its third-party serviceprovider’s expertise; however, a third-party service provider might have a lim-ited understanding of the company’s busi-ness, which could lead to multiple itera-tions in the tagging process and additionalreview time. Even if companies elect tooutsource the preparation and submis-sion of their XBRL files, they still needto provide basic XBRL training to per-sonnel and acquire appropriate softwaretools in order to review the third-partyprovider’s work.

The next generation of XBRL is InlineXBRL (iXBRL), which defines howXBRL metadata (e.g., type of data or thereporting period) can be embedded withinHTML or XHTML documents, mergingthe files to create a single document forrendering purposes. Adoption of iXBRLwill bring the XBRL function within thescope of internal controls over financialreporting because XBRL is part of acompany’s financial presentation(http://mike2.openmethodology.org/wiki/Inline_XBRL_-_An_Introduction).

There are no current plans to mandatethe use of iXBRL, even though its adop-tion would significantly improve compli-ance. The SEC has not yet determinedthe conditions under which iXBRL maybe accepted or how the processing can beintegrated into the Edgar validation andinteractive data viewer processes (http://www.sec.gov/spotlight/xbrl/staffinterps.shtml, Question B.4).

2013 U.S. GAAP XBRL TaxonomyThe SEC approved the 2013 U.S.

GAAP financial reporting taxonomy inMay 2013. Because the SEC supports onlytwo versions of the U.S. GAAP taxono-my at a time (currently 2012 and 2013),the 2011 U.S. GAAP taxonomy will nolonger be supported. The SEC encouragescompanies to always use the latest version.(For more information, see the followingresources:http://www.sec.gov/spotlight/xbrl/staff-interps.shtml, Question D.8;http://www.sec.gov/info/edgar/edgartaxonomies.shtml; http://www.sec.gov/spotlight/xbrl/staff-interps.shtml.)

As part of their XBRL compliance pro-grams, companies must review the contentsof the new taxonomy using FASB’s onlinetaxonomy viewer or similar tools. FASB hasrecently released a series of proposed newguidance for XBRL implementation. Theobjective of the U.S. GAAP taxonomy imple-mentation and reference guides is to provideadditional and supplemental guidance for thecreation of XBRL documents. The proposedguidelines deal with subsequent events, seg-ment reporting, other comprehensive income,and the insurance industry (http://www.fasb.org/jsp/FASB/Page/SectionPage&cid=1176160665046).

XBRL Compliance Risks The following sections discuss XBRL

compliance risks that companies should beaware of.

Inaccurate XBRL submissions. The pri-mary risk associated with XBRL is pro-viding data that are inconsistent with thecorresponding Edgar HTML files. Typicalrisks include incorrect tagging, inconsis-tencies in amounts, and missing data. Asecondary risk is that the XBRL files mightfail to comply with the complex rules con-tained in the Edgar Filer Manual.

The SEC granted companies a two-year modified liability period, under which

a company would not be liable for inac-curacies in its XBRL submissions as longas it made a good faith effort to complywith the regulations and promptly correct-ed the failure after becoming aware of it.For the largest companies that began pro-viding XBRL information in June 2009,the modified liability period ended withtheir 10-Q filing for the quarter endedSeptember 30, 2011. Most other compa-nies’ modified liability periods ended eitherfor the quarters ended September 30, 2012,or September 30, 2013, depending uponwhen they first started providing theirXBRL information. The modified liabili-ty period will expire for all registrants afterOctober 31, 2014.

XBRL US, the organization that devel-oped the architecture and concepts for theU.S. GAAP reporting taxonomy, publisheda white paper in 2010, Avoiding CommonErrors in XBRL Creation (http://xbrl.us/research/documents/avoidingerrorswhitepaper.pdf), based on over 1,400XBRL submissions by public companies;the white paper identified the following com-mon errors in XBRL submissions:n Use of negative values that shouldhave been positiven Report of erroneous values in lieu ofrequired valuesn Report of values that should have beenzero or undisclosedn Report of values that should have beenzero or undisclosed if another value isnot reportedn Unreported values that should have beenreportedn Use of deprecated and superseded ele-ments (concepts that have been removedfrom the taxonomy)n Use of positive values that should havebeen negativen Use of duplicated values that do notmatch.

In addition to the above errors, the fol-lowing common mistakes have also beennoted in companies’ XBRL submissions:n Submission of XBRL files preparedbased on a preliminary rather than finalHTML draftn Use of an extension when an appropri-ate element exists in the standard taxonomyn Presentation of elements in the XBRLand HTML submissions inconsistently.n Use of elements in XBRL submissionsfrom period to period inconsistently.

69AUGUST 2013 / THE CPA JOURNAL

n Improper use of calculation linkbase,resulting in calculation inconsistencies.n Use of different numeric values inXBRL versus HTML submissions.n Inclusion of improper trailing zeros tothe numbers in XBRL files.

Timely submissions. A company thatfails to submit its XBRL file on the filingdue date will temporarily lose its status asa timely filer; consequently, it will nolonger be eligible to use short Forms S-3,F-3, or S-8. The SEC rules also clarify that,under Rule 144, such a company will bedeemed to have inadequate informationavailable to the public until it submits therequired XBRL files.

But the SEC does allow for two 30-day grace periods (Regulation S-T, under17 CFR section 232.405[a]) for initial

tagged and detail-tagged submissions.Companies that take advantage of thesetwo grace periods should submit theirXBRL files on an amended form (e.g.,Form 10-Q/A or Form 10-K/A). Similarly,if a company misses the filing deadline andsubmits a late filing, the submission shouldbe made on a Form 10-Q/A or Form 10-K/A, as applicable.

The SEC’s Rule 12b-25, as amended,specifically does not apply to the submis-sion or posting of a company’s XBRL files.Rule 12b-25 gives a registrant 15 additionalcalendar days to file a late Form 10-Kand five additional calendar days to file alate Form 10-Q.

Other risks. A company is also requiredto post its XBRL file on its corporate web-site for a period of at least 12 months, nolater than the end of the calendar day thatthe information is filed or required to be

filed with the SEC (whichever is earlier).Alternatively, a company’s website maylink directly to its XBRL file, which mayreside on a third-party non-SEC websitefor no charge. Unlike with HTML sub-missions, however, companies cannot sat-isfy this requirement by simply providinga hyperlink to the SEC’s website.

There is also a risk when companies uti-lize outside service providers to processtheir XBRL submissions. They mustremain cognizant of the risk associated withthe qualifications of the third-partyproviders for safeguarding the company’sconfidential information.

As discussed previously, XBRL tools andtechnology can be integrated into the busi-ness information processing of registrants.If this integration occurs, the financial report-

ing and XBRL tagging processes canbecome interdependent. This scenario wouldmake XBRL internal controls an essentialcomponent of a company’s internal controlsover financial reporting.

Protection from LiabilitiesXBRL files are subject to the federal secu-

rities laws in a modified manner under thenew SEC Rule 406T. If a company sub-mits an XBRL file within 24 months of thetime it is first required to submit XBRLfiles—but no later than October 31,2014—the filer may have limited protec-tion from liability for failure to complywith the tagging requirements. The follow-ing two conditions must exist for companiesto meet this statutory requirement: 1) the fail-ure occurred despite the filer’s good faitheffort, and 2) the filer corrected the errorpromptly after becoming aware of it.

For most companies, the process of XBRLfiling currently falls under the definition of“disclosure controls and procedures.” TheSEC rules specifically exclude the XBRL sub-missions from the officer certification require-ments of Rules 13a-14 and 15d-14 of theSecurities Exchange Act of 1934. Theobjective is to avoid unnecessary costsincurred. Nevertheless, management of pub-licly held companies remains responsible forthe completeness, accuracy, and consistencyof its XBRL submissions to the SEC.Furthermore, the exclusion of the XBRL filesfrom the officer certification requirements doesnot mean that a company can exclude con-trols and procedures related to XBRL sub-missions from its evaluation and disclosure ofits controls and procedures. A company thatsubmits an XBRL file with its Form 10-Kor Form 10-Q still must consider controls andprocedures related to interactive data incomplying with Rules 13a-15 and 15d-15,as well as with Item 307 of Regulation S-K.The SEC rules also state that the SEC willmonitor XBRL submissions and, if necessary,make appropriate adjustments in the futureregarding officer certifications. (http://thecaq.org/members/alerts/CAQAlert2009_55_06012009.pdf)

The Role of Auditors A company’s independent auditor is not

required to have any involvement with theinteractive data file included in the XBRLexhibit to the filing. Furthermore, the SECregulations do not require any type ofaudit or assurance requirement under sec-tion 404(b) of the Sarbanes-Oxley Act of2002 (SOX) for XBRL submissions.Therefore, the auditor of a public companyis not required to apply the AICPA auditingstandards to the company’s XBRL submis-sions; however, a company is not prohibitedfrom voluntarily obtaining some form ofauditor assurance on its XBRL submission(http://thecaq.org/members/alerts/CAQAlert2009_55_06012009.pdf).

Agreed-upon procedures. A companymay engage a public accounting firm toperform an agreed-upon proceduresengagement to help management evaluatethe completeness, accuracy, and consis-tency of its XBRL submission. In such anagreed-upon procedures engagement, themanagement or audit committee engagesan accounting firm to perform certainprocedures. The accounting firm’s report

AUGUST 2013 / THE CPA JOURNAL70

For most companies, the process of XBRL filing

currently falls under the definition of “disclosure

controls and procedures.”

identifies the procedures performed andtheir results. Agreed-upon proceduresreports do not express an opinion; theystate that the accounting firm makes norepresentations regarding the sufficiency ofthe procedures. The use of these reports isrestricted to the client and specific partiesnamed in the report.

To provide guidance, the AICPA issuedStatement of Position (SOP) 09-1,Performing Agreed-Upon ProceduresEngagements That Address theCompleteness, Accuracy, or Consistency ofXBRL-Tagged Data. This guidance is appli-cable when a company engages a publicaccounting firm to perform certain procedureson the accuracy and validity of its XBRL tag-ging, preparation, and submission. TheAICPA’s Assurance Services ExecutiveCommittee (ASEC), which developed theoriginal guidance, is in the process of updat-ing SOP 09-1 to include illustrations thatreflect the SEC’s newly adopted criteriaregarding XBRL.

Review procedures. Public accountingfirms’ review engagements, based upon theAICPA’s Statement on Standards forAccounting and Review Services (SSARS)19, Compilation and Review Engagements,generally consist of independent accoun-tants’ inquiries and analytical proceduresto provide a moderate level of assurance(i.e., negative assurance) in a specificengagement; however, the feasibility ofsuch a review engagement for an XBRLtagging process is rather problematic,because an independent accountant can-not perform any meaningful analytical pro-cedures on XBRL submissions (http://the-caq.org/members/alerts/CAQAlert2009_55_06012009.pdf).

Internal audits. An internal auditor canhelp a company understand the risks asso-ciated with XBRL reporting by evaluatingwhether these risks have been appropriate-ly addressed and how to improve the qual-ity of XBRL internal controls and process-es. Furthermore, internal auditors can assistmanagement in implementation of the fol-lowing best practices for XBRL preparationand submission:n Internal auditors should take steps tounderstand the reporting process and howXBRL risks are currently being addressed.n Internal auditors should understand andevaluate the role of independent auditors inevaluating the XBRL submissions.

n Internal auditors can play an importantrole in design of XBRL-related controls. n Internal auditors can ensure that these con-trols are operating effectively. n Internal auditors can bring value-added ideason how to improve the XBRL processes.

Furthermore, internal auditors shouldreview the control reports from serviceprovider organizations and weigh in ontheir adequacy. The AICPA has developedguidance in the form of service organiza-tion control (SOC) reports for providing ahighly specialized examination of a serviceorganization’s internal controls. These SOCreports are internal control reports thatrelate information about the XBRL servicesprovided by a third party (see Josef Rashty,“New Guidance for Cloud-Based ServiceControl Reports,” The CPA Journal,October 2011, pp. 68–71).

XBRL Controls The Committee of Sponsoring Organiza-

tions of the Treadway Commission (COSO)defines internal control as “a process, effect-ed by an entity’s board of directors, man-agement and other personnel. This processis designed to provide reasonable assuranceregarding the achievement of objectives ineffectiveness and efficiency of operations,reliability of financial reporting, and com-pliance with applicable laws and regulations”(http://www.coso.org/resources.htm).

Control framework. The AICPA formedan XBRL Assurance Task Force, under thedirection of ASEC, that has been identify-ing issues and proposing solutions for thePCAOB’s consideration. In August 2012,the AICPA XBRL Assurance Task Forcepublished its guidance, Principles andCriteria for XBRL Formatted Information(http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/PRDOVR~PC-APCXBRL/PC-APCXBRL.jsp).

This guidance discussed the followingfour attributes applicable to the XBRL tag-ging process:n Completeness. All required informa-tion should be formatted at the requiredlevels, as defined by the entity’s report-ing environment. n Mapping. Elements selected should beconsistent with the meaning of the asso-ciated concepts in the source informa-tion, in accordance with the requirementsof the entity’s reporting environment. n Consistency. Amounts, dates, other

attributes (e.g., monetary units), and rela-tionships (order and calculations) in theinstance document and related files shouldbe consistent with the source informa-tion, in accordance with the requirementsof the entity’s reporting environment. n Structure. XBRL files should be struc-tured in accordance with the requirementsof the entity’s reporting environment.”

These four attributes provide a generalframework for preparing, processing, andsubmitting XBRL files (http://blog.aicpa.org/2012/08/new-tools-to-help-companies-and-auditors-evaluate-xbrl.html). The sidebar, Checklist forXBRL-Related Controls, provides usefuladvice for companies.

Looking to the FutureManagement is responsible for the accu-

racy and reliability of XBRL submissions.The SEC has stated that it expects regis-trants to take the initiative and developpractices to promote an accurate andconsistent tagging process. In the earlystages of XBRL submissions, most com-panies have focused on the preparation andtimely submission of XBRL files; how-ever, as levels of sophistication increase,companies will focus more on procedures,internal controls, and best practices sur-rounding XBRL submissions.

The SEC will be less lenient on XBRLsubmissions in the future because the lim-ited liability provision for the accuracy ofXBRL submissions will be completelyphased out on October 31, 2014. The SEChas indicated that it continues to identifyserious and recurring errors in XBRLexhibits and plans to issue comments soon;this might cause companies to issueamended returns. Many analysts and third-party users have not been able to fullyutilize the XBRL information as a resultof errors and inconsistencies in companies’XBRL filings. Moreover, the number oferrors in XBRL filings might increasebecause small companies have becomesubject to full XBRL tagging of their finan-cial statements. q

Josef Rashty, CPA, has worked in man-agerial positions with several publicly heldtechnology companies in the Silicon Valleyregion of California. He can be reachedat jrashty@mail.sfsu.edu.

71AUGUST 2013 / THE CPA JOURNAL

Copyright of CPA Journal is the property of New York State Society of CPAs and its contentmay not be copied or emailed to multiple sites or posted to a listserv without the copyrightholder's express written permission. However, users may print, download, or email articles forindividual use.