06 November 2009

So, What about Assurance (or "Lord make me virtuous, but not yet")?

Originally posted: 2 November 2009

Probably the best place to start is by paraphrasing St Augustine: "Lord make me virtuous, but not yet". St Augustine was born in North Africa and lived for a time in Carthage. While his mother was a Catholic, his father was pagan, and he followed in his father's footsteps for much of his earlier life. Eventually he converted to Catholicism, and became one of the great leaders of the church.

XBRL is a business reporting language, and the first and primary application has always been the provision of financial statements by companies to users of financial and business information, be they investors, regulators, banks, etc. The provision of assurance over the financial statements, via the audit and audit report, represents the lifeblood of the accounting profession. Isn't it amazing then that the accounting industry did not raise howls of protest at the SEC's specific statement that XBRL versions of financial statements do not require assurance?

There seem to be two potential reasons for this:

1. The SEC has stopped believing in assurance, or
2. The accounting industry simply does not know how to provide assurance over XBRL.

The first is, well, silly.

XII Assurance Working Group

The Assurance Working Group is included in the list of working groups on the XII website, complete with its charter and purpose. Let's listen in for a moment (or you can read it yourself: scroll down to the Assurance WG). I especially like the deliverables, and the dates of the meetings for which the deliverables will (future tense) be prepared. Frankly, you have to wonder why they even bother any longer...

The objective of the Assurance Working Group (AWG) is to support the IAASB in the development of relevant standards and guidance for the audit profession surrounding the use of XBRL for company reporting.  In working with the IAASB, the working group will support the standards development process through the collaborative development of the deliverables outlined below for use by the IAASB, the audit profession and other relevant capital market participants.  The AWG works in close collaboration with the International Auditing and Assurance Standards Board (IAASB) of IFAC.

The AWG will provide the following deliverables:

- A discussion paper for use by the IAASB at their meeting in Lima early March 2005 and/or by the Steering Committee of the IAASB at their meeting in Rome mid June 2005.
- A white paper reflecting risks and opportunities related to XBRL as well as giving advice on how to move forward on this issue.
- Recommendations for the IAASB, which will make it possible for them to issue auditing standards.
- Proactively inform the IAASB of relevant technical matters.
- Respond to technical matters referred to it by the IAASB.
- Recommendations for educational materials and delivery resources to enhance the awareness among the audit profession and the stakeholders regarding the assurance issues associated with the use of XBRL.

The good news: Now, in 2009, 4 years later, the IAASB says they will look at XBRL. Progress!

The second is a little more problematic. After all, the accounting industry has been the primary champion for XBRL for a decade. You would think that with a 10 year head start, they would by now know how to do what is, after all, their core competency. And you would think that XBRL International would have paid more attention to the issue. Frankly, XBRL International and the accounting industry have failed to cater for what is arguably one of the most important aspects of XBRL - assurance over the information provided in the XBRL format.

Of course this will now generate a number of e-mails (hopefully headed off by this comment) reminding people that the AICPA and the CAQ (Center for Audit Quality - of the AICPA) both recently published guidance on how accountants and auditors can provide assurance over XBRL. But in both cases, the assurance provided is based on Agreed Upon Procedures, and therefore is for internal use only - not much good for an investor. Why don't we move to AUPs for all assurance/audit? It would certainly save businesses globally a huge amount of money, and in most cases could actually be performed by internal resources. But my guess is that this would not satisfy regulators or investors.

Mind you, supporting #1 and #2 above, here is an extract from page 3 of the CAQ's submission to the SEC's proposed rule mandating XBRL:

"We fundamentally believe that independent assurance on XBRL documents would add value by increasing reliability and enhancing public confidence in financial reporting, as it does today. However, we also acknowledge that some, including the Commission and the SEC's Advisory Committee on Improvements to Financial Reporting (CIFiR), are concerned that the cost and time incurred to obtain such assurance might outweigh the benefits to preparers and users."

It almost makes you wonder if the same couldn't be said about the audit in general. Adds value, but concerned that the cost and time might outweigh the benefits.

But, let's return to the SEC for a moment. The SEC specifically exempted XBRL from assurance, and provided a two-year window of litigation relief. And this is for information that the SEC says will benefit investors. So is there another explanation? Maybe the SEC is losing faith in the accounting industry's ability to define or deliver assurance, at least over the future of information for investors?

But there is a kicker - the SEC did also say that litigation relief is only provided if companies can demonstrate a "good faith effort" to ensure their XBRL is error-free. So what is a "good faith effort"? Cleverly, this allows both the AICPA and the accounting firms the time to test their own XBRL assurance processes in private. It was interesting to sit in on one of the post first-wave webcasts, and to hear David Blaszkowsky of the SEC's OID say that he was pleased that companies in the first wave had demonstrated a "good faith effort". I can only surmise that companies are requesting and receiving assurance in the form of the Agreed Upon Procedures framework provided by the AICPA. But alas, as the AUP is for internal use only, we cannot know that.

Unfortunately this leaves the second tier and smaller accounting firms with no opportunity to test-drive assurance over XBRL, and gives the markets no assurance that the XBRL is actually being audited, while at the same time allowing the accounting firms to generate some of the XBRL-based fees they have been so desperate to find.

This certainly will give the big accounting firms a benefit. Imagine being a large SEC registrant currently audited by a "second tier" firm (firms like Grant Thornton, Crowe Chizek, Eisner, Moss Adams, McGladrey, BDO, Baker Tilly (Virchow Krause), etc) and having to provide XBRL to the SEC, and to demonstrate a "good faith effort". Your current second-tier firm has no experience providing assurance over XBRL, but the big-4 who are selling auditing services to you do have that experience. It is the classic FUD marketing play - Fear, Uncertainty and Doubt. "Certainly your current accountants should be able to provide assurance - that so important "good faith effort", but we're not sure what actual experience they have doing that. I sure hope they don't use you as the test case. Of course, we've been doing this for a year now, and have smooth and streamlined processes to ensure the costs are managed and minimized. Would you like to see a proposal?"

Finally, the true costs of XBRL implementation remain hidden.



From: Dennis Santiago

So ultimately you're observing that the process as it is evolving creates a de facto four LLP oligarchy that places the other 2,000+ PCAOB registered public company accounting firms at a structural disadvantage vis-a-vis one of the lucrative sources of income in the auditing industry.

Sounds like someone needs to wake up at the SEC and the PCAOB. It's clearly not in the public interest to have yet another regulatory process captured by the industry being regulated, and certainly not by 4 out of 2,000+ of that business. I guess I'm still idealistic enough to believe that the outcome of major public benefit initiatives should be commoditized across the entire serving industry and not hyperconcentrated into a source for supernormal returns for a chosen few. It's important to remind the people who swore profusely that they were doing XBRL for altruistic reasons that the world hasn't forgotten those words and will hold them to that promise.

I really believe in computer architecture constructs like XBRL as helpful content capture and organizing mechanisms that can assist in improving transparency. But if all that's done here is to morph a minor variation of XML technology into a barrier to entry, that undermines all the good it can bring. It will doom the process to a decade of scandal as 2,000 disenfranchised registered audit firms make their voices heard.

Solution? The SEC should mandate that XBRL assurance is not required, taking the franchise profits off the table, until at least 25% of PCAOB registered firms have achieved "good faith" capability.

Thanks for your continued efforts to keep the XBRL process on good foundations Dan.


From: Andrew Chilcott


The question of assurance goes further than the SEC filings. If the filer was to decide to publish the XBRL instance document on their investor relations web site and allow an RSS Feed, how would the recipient of that instance document be able to trust the contents?

XBRL sits on top of XML and can leverage other XML technologies like XML Signatures. In my opinion the instance document should be digitally signed by both the Company and the Auditor. We then get to the question of do we trust the certificate? Who is the Certification Authority? Shouldn't AICPA issue a root certificate that can be used to certify any particular firm of auditors that are its members; and the SEC a root certificate that can be used to authenticate the companies that are obliged to report to it?

Pretty basic stuff
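
The dual-signature check proposed in the comment above, as an added example that is not part of the original post or comments. It uses detached `openssl` signatures over the file bytes in place of XML Signature, and two throwaway roots; the names `filer-root`, `auditor-root`, `acme-corp`, `audit-llp` and the sample instance are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept an instance only when the filer's and the auditor's
# signatures both verify, each under the root expected for that role.
set -eu
WORK=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/ca.cnf"

# make_root NAME: self-signed root standing in for a role's trust anchor.
make_root() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf ROOT NAME: key pair and certificate for NAME, issued by ROOT.
issue_leaf() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -out "$WORK/$2.pem" 2>/dev/null
}

# sign_doc SIGNER DOC: detached SHA-256 signature written to DOC.SIGNER.sig.
sign_doc() { openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.$1.sig" "$2"; }

# verify_role ROOT SIGNER DOC: the signer's certificate must chain to the root
# expected for that role, and the signature must cover the current file bytes.
verify_role() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$2.pem" -noout -pubkey > "$WORK/$2.pub"
  openssl dgst -sha256 -verify "$WORK/$2.pub" -signature "$3.$2.sig" "$3" >/dev/null 2>&1
}

# accept_instance DOC: trusted only if both role checks pass.
accept_instance() {
  verify_role filer-root acme-corp "$1" && verify_role auditor-root audit-llp "$1"
}

# Constructed setup: two independent hierarchies, one signer under each.
make_root filer-root;   issue_leaf filer-root acme-corp
make_root auditor-root; issue_leaf auditor-root audit-llp
DOC="$WORK/instance.xml"
printf '<xbrl><Revenue contextRef="FY2009">1000</Revenue></xbrl>\n' > "$DOC"
sign_doc acme-corp "$DOC"; sign_doc audit-llp "$DOC"
```

Because each role is pinned to its own root, a signature that verifies cryptographically is still rejected when the signer's certificate comes from the other hierarchy, and any change to the published file invalidates both signatures.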

From: Jerry Trites


The Assurance Working Group did issue its White paper in November 2006. It can be read at http://www.xbrl.org/Announcements/Interactive-Data-Assurance-2006-11-10.pdf.
Members of the group did a presentation at the Istanbul conference that year and also made representations to the IAASB at about the same time.

From: Dennis Santiago

It should be noted that AICPA is an industry association, it's an NGO. They have no authority to regulate or certify. The root certificate for public company audit firms you speak of should properly come from the PCAOB.

