23 November 2010

Security theater

I had the pleasure of visiting the United States last month, and traveling from New York City to Boston, by train. It was a slow train, but even the fast train wasn't much faster, but that's not the point of this article.

The point is that security in the United States is being used as an excuse by small people to demonstrate their power over other peoples' lives. "I have the POWER over your live now! So now YOU are the little person." It would be funny if it wasn't so sad.

In fact, it is just down right stupid. Moronic. Inept. And a massive waste of money.

So, let me describe the scenario:

1. I purchased my ticket online (key point).
2. At the station, I used the scanner on the machine to read my printed confirmation and print my ticket.
3. The man behind the ticket window was very helpful in pointing me to the right platform.
4. I waited for the train, with my backpack containing a change of clothes.
5. Train arrives, I and others board, find seats.
6. Train leaves, conductor comes along, takes ticket, punched hole in it, returns ticket, continues.

Boston is a nice town, and it was great to visit visit with old and new friends, and unfortunately pass a cold bug along. (Sorry about that).

Two days later it was time to return.

So I took the Boston subway to the Amtrak station, arriving just in time to be told that I the train was closed - and then watched it pull away. Fair enough. If I had been there2, or even 1 minute earlier, I would have simply walked onto the train. Oh well. So I asked the conductor, what are my options? Oh, no problem, he said, just go to the ticket counter and they'll issue you with a ticket on the next train.

7. I go to the ticketing hall - that's all I can call it, a hall, with 8 - 10 granite protected windows (bullet proof glass also I suppose).
8. Only two windows are open, at opposite ends of the room, but there is still the rope-corridor that you are suppose to follow endlessly, even though you are the only one int he queue.
9. Arrive at window (I'll not say which one), and explain, I just missed my train, is it possible to get on the next train to NYC?
10. Certainly - transaction under way, then "I need to see some ID?"
11. Oops. That's when I remember that I've left my passport with the people we are staying with in NYC, and all I have is an expired drivers license. No harm, I hand it over.
12. He studies it., then declares: "This is not valid, give me another ID." Note the politeness along the way...
13. Umm, I don't have any, I forgot my passport in NYC.
14. "Then I cannot sell you a ticket. Amtrak is now under the same rules as Airplanes and the TSA won't let us sell you a ticket with out a valid ID". (But your machine already did, over the Internet, without any ID, and you let me travel to Boston without any ID - I think this, but do not say it.)
15. Umm, how can I get back to NYC?
16. "You can't by train without an ID".
17. Umm, so what are my options?
18. "You can go across the street to the bus station."

Well, I'm not getting anywhere with Mr Charming, so I leave.... ...and

19. Return to the ticket hall, but go directly to window number (other).
20. I just missed my train, is it possible to get on the next train to NYC?
21. Certainly, that will be $6.
22. I hand over the same credit card used to purchase the ticket (over the Internet).
23. Card is swiped, ticket printed, card and ticket passed under the Al-Qaeda Proof Glass barrier.
24. Thank you, and I leave.
25. Time for a quick spot of lunch, then get on the train, walking past the conductor who glances to see that I'm actually carrying a ticket to NYC (or at lease on this train).
26. Find seat, conductor passes through (after we've left the station, takes ticket, clips hole in ticket, returns ticket, moves on.

So Congratulation Amtrak.

You let someone onto one of your tains who might have been carrying a bomb in his backpack (but most definitely was not!). You actually let the train travel long enough for that person to detonate that bomb (which wasn't there, not even a practice bomb). You let travel all the way to my destination without ID, based on a ticket I bought online.

But coming back, when I missed my train. Oh no. You wanted me to travel by bus to NYC with all the Al-Qaeda operatives who, without ID, are transporting their bombs to NYC by bus.

US Security is Theater. That's all it is. If I was a terrorist (which I am NOT - please, I'm not. PLEASE - stop, I'm not an enemy combatant, please do not take me to North Carolina and and put me in solitary confinement until I admit anything you tell me to) I can think of probably hundreds of ways to cause problems, and the TSA would simply be the joke that would facilitate my accomplishing my (if I had one) evil plot. (Which I don't, so please don't put on a "No Fly List").

I believe in the Constitution, and believe that these morons in Washington, from both parties, have spent years undermining it. I'm also a veteran, and spent four years in the Pentagon. That doesn't make my a Timothy McVeigh either.

But I've reached the point where I'm afraid to be in the United States, because honestly, I have no idea what I might do that will have me declared an enemy combatant, stripped on my rights, thrown into a cage, and deprived of liberty until I will admit to anything, so they can prove how effective the system is at rooting out terrorism.

It is a Joke. And a very bad one.

(Truth is, I'm actually afraid to publish this. "But is you done nothing wrong, what are you afraid of?" I'm afraid of retribution for even questioning their authority. That's what I'm afraid of.)

22 November 2010

The Crunch Is Coming!

Last week I was talking to the CFO of a small public company - I'll call him "Bob" (not his real name, but you probably guessed that). He said they use specialist software to produce their SEC filings, which they file themselves. He likes the software and process, and he likes the price. But recently he's had a call from the account manager, who was thrilled to tell him that they were ready to meet all his XBRL filing needs - at almost 8 to 10 times their current costs. Bob almost choked. He told me, "Dan, who do they think we are?"

So is XBRL really that complex? (Yes)  Do companies really need help doing this? (Yes) 

So where are the experts? I have asked that question before. Actually, I've been asking that question for years. But that's not the point I want to make today.

The SEC (in its final rule in 2009 - page 117) estimated that there are 8,700 third tier filers. That's 8,700 Bobs out there?

It is now crunch time. In 2011 the 8,700 third wave of filers (Bob-1, Bob-2 ... Bob-8699, Bob-8700) will need to produce XBRL for the SEC. These are not the giants that can throw people at this interesting problem, and maybe with appropraite investment discover ways to use XBRL to improve operational efficiency. These are companies with limited budgets, small finance departments (sometimes only two people) already struggling to ensure that they meet their SEC filing obligations.

In early 2008 I wrote an article recommending 4 steps for companies to get ready for XBRL.

In early 2009 I wrote the following:

"Like any new standard there will be difficulties with implementation, assurance, ease of use, availability of software and tools, and most important a lack of real expertise. Companies that wait for a mandate will find themselves in a SOX type situation - too many companies chasing too few resources. "Experts" will magically appear, and costs could spike, so plan early."

That remains as true today as it was three years ago. A chunch is coming. Companies will either lock-in the resources that they will need early, they will need to "grow their own" (something many simply cannot afford to do), or they will need to complete for scarce skilled resources. And yes, there will be a lot of charlatans out there.

A lot of companies are going to get burned by the price they are going to have to pay.

Limited Seating: At the XBRL table, and at the Cave de la Tour. Comment below or e-mail me to learn more (about limited XBRL seating or Cave de la Tour).

16 November 2010

XBRL IS being audited - at what cost?

Imagine being called to the stand in court and being asked "So, what 'good faith efforts' did you make to ensure that there were no errors in your filing to the SEC?" That question has been keeping CFOs, Audit Partners, and more recently Audit Committees up at night. Certainly the traditional filings in HTML format (for 10Ks and 10Qs) are subject to audit and review as required by the SEC. The XBRL versions of the same documents do not carry that requirement, so nothing "must" be done. 

The same holds true in the UK, where the is no requirement for assurance over the XBRL versions of financial statements that will be filed with the CT600 to HMRC starting April 2011. Only the Danes seem ready to require assurance, and that remains to be defined.

In 2008 I wrote "XBRL Will be Audited", and " and in November 2009, I wrote "So, What about Assurance (or, "Lord make me virtuous, but not yet").

There is of course no mandate for assurance (or audit) of XBRL filed with the SEC today. Filers have been provided with a 2-year window of litigation relief provided they are able to demonstrate a "good faith effort" to produce error-free XBRL. What happens after that 2-year window is anyone's guess. As the first-tier filers are coming up on that 2-year period, I expect they are asking themselves what a "good faith effort" is, especially if some filers are opting for some form of assurance.

XBRL has turned out to be about as expensive as the SEC estimated (for first year, block tagging). But those cost estimates did not include any costs for assurance over the XBRL. This is a cost to filers that was not estimated in the proposed and final rules (because it is not mandated). And if you ask them, the SEC will say "No, assurance is not required. We would hope that companies will take whatever steps they think are appropriate to ensure that their XBRL data is error-free, but we do not require assurance. That is a market led issue."

But make no mistake, XBRL IS being audited. We just aren't allow to call it that. Officially, "reviews" of XBRL are being performed under the guidance provided in the Agreed Upon Procedures (AUP) recommendations of the AICPA.

So what is the price of sleep? Apparently sleep starts around 60 auditor hours, and grows to at least 100 - all for the first filings. Second year (detailed tagging) and the cost of a good night's sleep increases to well over 200 auditor hours. So, on top of the SEC's estimates, companies should expect an additional $15,000 - $25,000 in auditor fees (although from what I've heard, the floor really is around the $25,000 level). Second year (detailed tagging) costs will probably be closer to an additional $50,000 - $75,000 in audit fees.

Now if you are a $1million - $3million in audit fees company, then that extra is pretty cheap for a good night's sleep.

But if you are a third-tier, non-accelerated filer, than those costs are simply outrageous, and other solutions for assurance over the XBRL will need to be found - fast.

Such solutions are possible, but I have yet to see them reach the market, and I am watching for those solutions. But today, the major accounting firms have no incentive to actually create such process improvements or tools - their giant clients are willing to pay the extra, and as they have the few skilled individuals, they are able to charge a premium for those services.

But for the remainder of the market, substantive testing of every tagged element simply does not seem to make sense, or at least as much sense as substantively testing each entry in the financial statements. And we know that does not happen - that's what "materiality" and "sampling" are all about.

But better ways are possible. Cheaper, faster. Just not on the market - yet.

A work in progress

14 November 2010

CSR Reporting Risks

Much has been written about the benefits of CSR and Sustainability reporting, so it may be worth taking some time to consider the risks, and potential mitigation of those risks. CSR and Sustainability reporting has a purpose, foremost to communicate a company's achievements, challenges and plan for being a responsible business, and to achieve a level of sustainability possible to that company and its industry.

It is easy (for those involved with sustainability or CSR) to assume that the benefits of reporting outweigh the risks or costs. This is an assumption that needs to be met head-on, to ensure that in each particular situation, the appropriate benefits are being achieved, accurate and relevant information is being reported, key stakeholders are engaged, and that the primary audiences are reading and using the reports.


I’ll start with the assumption that a CSR / Sustainability report is produced, and that a project team is responsible for creation and maintenance of the report. So this is not "just a report", it is a project and a process. What could possibly go wrong? To a certain extent, the list of possible risks mirrors those of any project or set of deliverables. After all, it represents a set of approved expenditure designed to address a set of business needs and issues, and deliver a set of business benefits that should outweigh the investment.

Yet CSR / Sustainability reporting is not just another project or report. A CSR / Sustainability report combines aspects of marketing, financial and regulatory reporting, operational efficiency and effectiveness, and enunciation of the vision and mission of the enterprise. There's a lot riding on that funny little report with its photos of windmills, smiling girls and daisies.

So what are the risks? Here is a summary list, with more detail in the full White Paper.

·         Is it worth it?
·         Market expectations
·         Green-washing
·         Fraud
·         Regulatory requirements
·         Delivery of promise
·         Is it being read? Hitting the target

In discussion each of these risks, I hope you'll bear with my being boring and using a structured approach. For each risk, I'll describe the risk, discuss the likelihood, impact, how to monitor and responses. Dull yes, but systematic when dealing with discussion of risk. And far to long for a blog posting.

You can download the full White Paper here.

02 November 2010

Breaking News: Time for a change?

First, congratulations to Mark on his new role, and our wishes for all possible success. Next, congratulations to "the new boss" (Campbell Pryde) who I am confident will make the lie of the "Who" song.

This is a great change, with leadership that understands the technology at as deep a level as possible, yet with the skills to enunciate the value proposition. Add to this the possibility of changes to membership options, and I think we might see and "XBRL US Inc" that I'll be happy to go back to calling "XUS".

Unfortunately this will not solve the funding crisis, and sadly we will probably see total staffing numbers at XBRL US Inc shrink. But then, I guess that comes wtih the job...

The best news of course will be the opportunity for a "fresh start" and for XUS to get back to its roots and mission.Some of the needed changes will probably not look good, but I'm confident that new (known) leadership will deliver the change needed, and will be able to reach out to the wider XBRL community, reinvigorate the membership (and even focus on members) while also progressing the Labs and other initiatives.

In addition, it can only be good for the international adoption of XBRL, to have the largest jurisdiction, hopefully, on the way to growth and prosperity. I expect the range of changes will also improve the financial situation. It is worth noting that even though as a US Not For Profit, with requirements of transparency, the Form 990 does not have to become public for over a year after the close of the period. So if there was a hemorrhaging of money and members, we might not knowuntil probably February or March next year, and then for 2009 only.

Hopefully the years of a flawed business model will be behind XUS, and with new leadership and new direction, the future will be nothing but success after success.

Good luck, we're behind you all the way! (Yes. really!)