Financial Reporting, and Auditing
By Ryan Youngwon Shin, CISA, CPA
future widespread delivery of financial reporting will be in digital
form; however, the question of which information exchange language
will become the de-facto standard remains unanswered. Currently,
most digital representations of financial information are coded
in Hypertext Markup Language (HTML), which controls the way that
information is displayed, in terms of appearance, size, shape,
and color. HTML, however, does not recognize content, so its use
generally is limited and is not effective for extracting data.
The HTML format also does not allow for searching, analysis, or
manipulation of information without re-entering data to a spreadsheet
or downloading some other software application that has analysis
and manipulation capabilities.
Business Reporting Language (XBRL) was developed by a consortium
of leading financial organizations, accounting firms, financial
services providers, and technology companies. It is designed to
make financial reports easier to post on the Internet and easier
to understand once they are posted 1. According to the American
Institute of Certified Public Accountants, a total of 66% of public
companies surveyed by the Association for Management and Investment
Research have a website, and 76% of those companies provide financial
information on their website. The same study also found that,
even when other sources exist, analysts preferred using websites
to obtain information because it is easier. Another study indicated
that approximately 80% of major U.S. companies make some type
of financial disclosure online 2. Investors need accurate and reliable
financial information that can be delivered promptly in order
to help them make informed financial decisions. XBRL meets these
needs and is particularly important in improving the usefulness
of financial information delivered via the Internet. It also makes
full use of the efficiencies of the Internet the primary source
of financial information for today’s users.
purpose of this article is to present an overview of XBRL as well
as the technical aspects relevant to financial reporting and auditing.
Technical Developments and Issues
early 1993, the Securities Exchange Commission (SEC) began to
mandate electronic filings through its Electronic Data Gathering,
Analysis, and Retrieval system (EDGAR). This system was intended
to benefit electronic filers, enhance the speed and efficiency
of SEC processing, and make corporate and financial information
available to investors, the financial community, and others in
a matter of minutes. Electronic dissemination generates the participation
of more informed investors as well as more informed securities
markets3. Currently, the EDGAR system accepts both ASCII and HTML
documents as official filings. Although EDGAR delivers the advantages
of speed and efficiency characteristic of a centralized database,
it still forces users to download reports from the SEC website
or manually to search for and prepare data for use in other purposes.
use of XBRL-coded financial statements, bank loan documentation,
and tax filings delivered via the Internet to regulatory authorities,
analysts, and investors is gaining credibility. Efficiency and
effectiveness are increased because data in XBRL format can be
retrieved more easily and can be analyzed with greater accuracy.
Moreover, XBRL provides relevant and reliable exchanges of information
by allowing for technological independence and less human involvement.
According to Cohen and Hannon’s 2000 article:
XBRL specifications and taxonomies are created by the XBRL community.
The creators are referred to as a community because XBRL is not
developed or owned by a single entity; rather, it is an open-source
software developed by representatives of over one hundred seventy
different worldwide organizations and companies.
XBRL specification is software code that describes financial
information presented and represented by XBRL. The specification
facilitates software developers and coders in creating exchangeable
digital documents. It also allows financial users to compare business
reporting information from different entities, even if the information
was originally in otherwise incompatible formats. The use of the
specifications is not limited to financial statements: It may
be used for digital reporting and presentation of general ledger
details through drill-down, regulatory filings, and non-financial
information as well5.
taxonomies are standard descriptions for presenting business
information and accounting reports. With XBRL, financial information
preparers link data elements stored in accounting databases, and
use XBRL to code them in a standard manner based on the taxonomy.
For example, a digital annual report would include management’s
discussion and analysis, financial statements, footnote disclosure,
and the auditor’s opinion, all coded in XBRL.
an example, the taxonomy for the changes in treasury stock information
under US GAAP—Commercial and Industrial (US-GAAP-CI)6is
<element id="us-gaap-ci_ChangesTreasuryStock" name="ChangesTreasuryStock"
instance documents are used to represent financial data
with tags from one or several taxonomies. For example, an instance
document could include a company’s annual report, the earnings
release, and general ledger details.
documents make digital financial information for external or internal
reporting and regulatory filing user-friendly because XBRL facilitates
data to be read directly by computer programs, manipulated by
end-users, and generates output in various forms. Instance documents
may also include style sheets, which allow presentation quality
documents to be printed from a Web browser or an Adobe Acrobat
David Von Kannon and Yufei Wang discussed the design of X4GFR,
a component of the XBRL framework, at XML Europe in 2000. In their
paper they present the following example of the instance document
for an XBRL report, which shows the text of the Concentrations
note at calendar year end 1998 for Sample Company8.
entity="Sample Company" period="19981231"
/> Concentration of credit risk with regard to short term investments
is not considered to be significant due to the Company's cash
management policies. These policies restrict investments to low
risk, highly liquid securities (that is, commercial paper, money
market instruments, etc.), outline issuer credit requirements,
and limit the amount that may be invested in any one issuer. </item>
of financial reports will not see the tags when they retrieve
financial information because they are embedded inside the program
along with other formatting tags. Thus, the disclosure in the
above example will always be recognized as the footnote disclosure
for concentrations of credit risk for the financial statement
of Sample Company at December 31, 1998. This attribute also contributes
to more effective searches on the Internet, as the user can specify
a specific tag as a search criterion. Such a search cannot be
performed on HTML documents.
entity may have a financial data item that does not already exist
in the US-GAAP-CI taxonomy. In that case they can create a XBRL
tag unique to their specific taxonomy. Once financial data is
correctly tagged, users can utilize XML-enabled software and browsers
for analysis, reporting, and other functions. As XBRL-formatted
data, information can be accessed and queried based on individual
user preferences in an efficient manner9.
Audit and Control Issues
financial information technology experts strongly believe that
XBRL will succeed. Alan Anderson, the AICPA’s Senior Vice
President, envisions the business-reporting model of the future
as online, real-time disclosure. Today’s legacy audit opinion
is backward-looking because it applies to the company’s
financial condition and activity at a previous point in time or
period-end, usually at least sixty days ago. However, users of
financial information are unlikely to have information and assurance
on activity that just happened, happened yesterday, or last week,
which, if known, might improve capital allocation decisions10. Rather
than having to rely on stale financial information from dated
hard copy documents or websites, stakeholders today want data
in real time. Financial information available on the Internet
and coded in XBRL allows users to find easily and on demand the
underlying accounting data of their specific interests.
When financial information is streamed in real time, the risk
of error in the financial statements could become higher, depending
on the controls in place regarding changes in that data. SAS 94
states, “when evidence of an entity’s initiation,
recording, or processing of financial data exists only in electronic
form, the auditor’s ability to obtain the desired assurance
only from substantive tests would significantly diminish."11
When financial statements are prepared using XBRL, the auditor
should consider gathering evidential matter and performing control
tests on the correct application of specifications, taxonomy,
and instance documents used in the coding.
Planning the Audit when XBRL is used for Financial Reporting
to SAS 94, “In circumstances where a significant amount
of information supporting one or more financial statement assertions
is electronically initiated, recorded, processed, or reported,
the auditor may determine that it is not possible to design effective
substantive tests … significant audit evidence may be available
only in electronic form. In such cases, its competence and sufficiency
as evidential matter usually depend on the effectiveness of controls
over its accuracy and completeness.” 12
fully implemented, the risks of XBRL center on the accurate and
complete mapping of the financial information and accounting data
to the tags. An adequately designed and effective internal control
structure for XBRL will ensure that the data retrieved represents
valid and accurate transactions, has integrity, and is recognized
in the proper accounting period. Another audit concern with respect
to the use of XBRL is whether all relevant data in the source
records has been tagged, i.e., whether the report is complete.
This would involve reviewing the tagging system in software systems
in order to ensure that information such as new data elements
or new accounts are included in the tagging process.13
Operational Environment and XBRL
auditor needs to design procedures that determine whether the
specifications, taxonomy, and instance documents are appropriate
for financial statements. Engagement audit staff should have the
technical expertise to apply these procedures as well as be knowledgeable
of relevant industry standards and any specific generally accepted
accounting principles applicable to the entity. The audit procedures
should address the specifications, taxonomy, and instance documents
in this context. Such an examination would involve considering
XBRL details in order to ensure that they are up to date and properly
designed internal controls over XBRL that have been placed in
operation and are operating effectively are important in ensuring
the integrity and consistency of a particular taxonomy being applied
in an entity. General control audit procedures relevant to XBRL
include network operations, application development and maintenance,
and access controls. Application controls relevant to XBRL address
input, error correction, and output. For example, when a taxonomy
is assigned, modified, or added, the auditor should validate or
check an instance document against the taxonomy so to ensure the
tags used are all from the taxonomy.
may provide live links from financial documents back to the underlying
production databases. In this case, substantial security risks
exist if the security of the operating system, application, and
database is inadequately configured. Such miss-configurations
could allow unauthorized changes or destruction of the data that
supports the financial statements. When such links are present,
the auditor should consider the adequacy of the entity’s
security policies and procedures for configuring firewalls, hardening
operating systems, and other relevant security controls, given
the nature of the data.15
security polices and procedures should address classifying the
sensitivity or criticality of digital information, especially
if the entity is subject to the Sarbanes Oxley Act,16
Gramm Leach Bliley Act (GLB),17 or Health Insurance Portability
and Accountability Act (HIPAA).18
and regulators around the globe are calling for increased financial
transparency in order to regain market confidence and stimulate
the economy. According to John Delta, Vice President of NASDAQ,
“XBRL is a way to really improve transparency for investors
and the timely delivery of standardized [Securities and Exchange
Commission] data.” 19
of its simplicity and the improved efficiency of XBRL, the expected
growth of XBRL will impact the ways that companies exchange financial
data as well as business reporting of all kinds. The use of XBRL
for financial statements, however, will lead to new audit issues
that practitioners must take into consideration.
order to experience how XBRL formatted data could be used, go
to NASDAQ.com’s XBRL pilot, “NASDAQ-Microsoft-PwC
Demo” at http://www.nasdaq.com/xbrl.
This demonstration provides a glimpse of how information reported
by companies in the XBRL format will be more useful to investors
and other users.
Youngwon Shin, CISA, is an IT auditor at J.H. Cohn, LLP. He
has a Bachelors degree in Applied Statistics and Business Administration
from Yonsei University, Seoul, Korea, and a Masters of Science
in Accounting Information Systems from Pace University, Lubin
School of Business. His experience includes stock market-based
accounting and SEC 10-K filing research with statistical analysis.
He also has been involved in redesigning business processes, administrating
databases, and other various accounting functions.
is a member of the NYSSCPA Technology Assurance committee and
the Task Force on Alternative Delivery Methods of CPE. Ryan can
be reached at email@example.com
Approved for U.S. Implementation.” Journal of Accountancy;
October , 2000. http://www.aicpa.org/pubs/jofa/oct2000/news1.htm
Developments for XBRL: What Do They Mean for Large Firms?”
The CPA Letter, AICPA; October, 2000. http://www.aicpa.org/pubs/cpaltr/oct2000/supps/large1.htm
Filing and the EDGAR System: A Regulatory Overview,” U.S.
SEC; May, 2002.
Eric E. and Neal Hannon. “How XBRL will Change Your Practice,”
The CPA Journal; November, 2000.
6US GAAP—Commercial and Industrial (US-GAAP-CI)
8Vun Kannon, David and Yufei Wang. “Design of
the XBRL Specification.” http://www.gca.org/papers/xmleurope2000/papers/s26-01.html
Seven: XBRL Instance Documents,” Bryant College.
Business Reporting Model of the Future.” The CPA Letter,
AICPA; Novevember, 2002. http://www.aicpa.org/pubs/cpaltr/nov2002/supps/edu1.htm
Effect of Information Technology on the Auditor’s Consideration
of Internal Control in a Financial Statement Audit.” Statement
on Auditing Standards, AICPA, No. 94, paragraph 4; 2001.
12Ibid, Paragraph 65.
& Control Implications of XBRL,” CICA Information Technology
Advisory Committee: http://www.cica.ca/multimedia/Download_Library/Standards/Studies/English/CICA-XBRL-0502-e.pdf
16The Sarbanes Oxley Act of 2002: http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ204.107.pdf
17Gramm Leach Bliley Act of 1999 (GLB): http://www.ftc.gov/privacy/glbact/
18Health Insurance Portability and Accountability Act
of 1996 (HIPAA): http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf
19Colkin, Eileen. “Nasdaq Giving XBRL a Try,”
Informationweek.com; August 6, 2002. http://www.informationweek.com/story/IWK20020806S0004