When I talk with finance executives about implementing XBRL, nearly everyone asks, “What will auditors be looking for? Do they care about XBRL?” The answer is no, they don’t. But they do care about your controls, and that relates directly to how you design and document your due diligence in XBRL creation process. Ultimately, as XBRL gets built into your close process, the more it may start to fall into the SOX environment.
While XBRL exhibits are not subject to SOX 404 internal controls over financial reporting, they are nevertheless subject to disclosure controls and procedures (DC&P). This means that management is responsible for the implementation of controls over the XBRL creation process as well as documentation that the DC&P are performed and reviewed. How can companies provide evidence to their auditors that management, including the CEO and CFO, have evaluated the effectiveness of the design and operation of DC&P?
To design proper DC&P controls, you first need to ask, “How do you know your XBRL files are complete, accurate, consistently mapped and comply with the mandated XBRL structure?” A best practice is to develop an XBRL technical and compliance checklist to document every aspect of your XBRL creation process, from taxonomy mapping and appropriate extensions to common error reviews, technical and SEC validations, structure compliance issues. You may also want to involve your disclosure or audit committee in the review and consideration of your DC&P process and get them on board with your XBRL strategy.
As XBRL technology becomes more embedded into your overall financial reporting process and integrated into the creation and preparation of your financial statements, XBRL controls may start to fall within the scope of SOX 404. As this happens, you should reevaluate your XBRL controls under SOX 404 framework.