Lou Rohman, Vice President, XBRL Services, Merrill Corporation | October 09, 2017
No Assurance Requirement
There is no audit requirement for XBRL tagged financial statements filed with the SEC. However, the tagged data is being used for making financial decisions. Is it a problem to have no independent assurance on company-provided financial information that’s being used for analysis and investment purposes?
Since 2009 the SEC has required periodic financial reports to be submitted in both the traditional HTML (paper-based) format which is audited, and in a tagged (XBRL) format, which is not audited. Both formats are supposed to provide the same information. However, often there are errors in the XBRL filing which causes the tagged format to provide information that is inconsistent with the paper-based format. When this happens, there is no independent assurance to inform data consumers of these errors.
This was not an issue during the first years of SEC XBRL filings, roughly 2009-2012, because XBRL data wasn’t used significantly. But now consumers have figured out how to efficiently use the XBRL data, which raises concerns on whether the XBRL tagging should have some level of independent assurance.
For background information on the use of XBRL data, see three relevant articles: Willis Interview, Q&A with an expert from Bloomberg, Q&A with SEC Enforcement.
Pros and Cons of Auditing the XBRL
Should the XBRL be audited? One significant consequence of an audit is that it would motivate those companies that are currently submitting poorly-tagged XBRL to start paying attention, and do it the right way. Unfortunately, poor quality XBRL is submitted too often today, whereby the XBRL computer-readable financials don’t provide the same information as the HTML human-readable financials. Some companies are unaware they are doing XBRL improperly. For others, the “care-factor” is just too low; minimal effort is given since they see no tangible negative consequences to submitting low quality XBRL data. But an audit would likely change this. If the company wanted a "clean" auditor's report on the XBRL tagging, it would be motivated to transform the quality of the XBRL filing.
A second benefit of an audit is that the improved quality of XBRL would decrease the pain and effort of consumers of the XBRL to “fix” the data prior to using it. Much effort is put forth by consumers to correct the tagged data submitted by registrants. Better data would also increase the ability of less-sophisticated consumers to use the as-submitted data and rely on the output of their analysis.
And lastly, the audit would prevent the inevitable situation whereby an unknowing registrant that submitted sub-par XBRL to the SEC, must pay a large legal settlement to an investor that relied on the incorrect XBRL data to make an investment – an investment that was based on bad XBRL information provided by the registrant. (Beware: The legal liability is the same for the XBRL tagged financials as it is for the traditional paper-based financials.) An audit requirement would reduce the likelihood of this happening.
Of course, there is a clear downside to auditing XBRL. It requires effort and adds a regulatory requirement during a time when new filing requirements are being heavily scrutinized. Also, there's the need to develop clear guidance on what is expected from auditors and what is communicated in an XBRL assurance report. As a former auditor and now a preparer and reviewer of XBRL, I see the difficulties of creating practical and effective assurance procedures and reporting. It requires involvement from many parties, including the CPA firms, the AICPA, PCAOB, SEC, registrants, and others (including the XBRL US Data Quality Committee).
And there’s also the argument that registrants should be tagging XBRL correctly - without the need for an audit requirement to motivate them.
Possible XBRL Audit Requirement in the European Union
XBRL auditing may be coming to the European Union. In 2020 an XBRL tagging mandate starts for annual reports of most listed companies in the EU. The European Commission will decide soon on whether an audit is required for the tagging of those financials. It seems logical that an XBRL audit will be required, not only because the EU mandate requires the submission of the annual financials to be in a single Inline XBRL format (with no separate .pdf or HTML document), but also because much of the consumption of the financials will be XBRL-based.
We’ll have to wait for the EU answer, but if the answer is “yes”, that could start a movement toward considering an assurance requirement in a wider range of jurisdictions, and possibly heighten the conversation regarding SEC filings.
Growing Reliance on SEC Tagged Data
I’ve been told that the adage “trust, but verify” is an oxymoron. You can either trust or verify, but not both. For XBRL, the future will determine if tagging is trusted or verified. There are many factors to consider, but with the growing reliance and usage of SEC tagged financials, some level of independent assurance on XBRL data is a topic that surely will get more attention.