NASDAQ recently filed a proposed rule change with the SEC that’s seemingly aimed at SOX compliance. If implemented, each NASDAQ-listed company will be required to establish and maintain an internal audit function “to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control.” Companies listed as of June 30, 2013, will be required to establish an internal audit function by December 31, 2013; companies listed after June 30, 2013, will be required to establish that function prior to listing. In NASDAQ’s view, the proposed rule change will place no unnecessary or inappropriate burden on competition.

To me, this proposed rule change signals that the NASDAQ is weighing in on the JOBS Act provision that exempts certain companies from SOX 404(b), an auditor attestation regarding internal controls that was intended to foster growth by lowering administrative burdens on emerging growth companies (those with revenues less than $1 billion) entering the public market. These companies were granted as many as five years’ relief from a number of rules, including independent auditor attestation on the design and effectiveness of internal controls over financial reporting.

The more than 30 comments posted by the recent close of the SEC comment period were primarily from CFOs of small NASDAQ-listed companies, who said the proposed rule was costly for their enterprises and duplicative of existing SOX requirements. Some comments reflected concern that the rule reduced audit committees’ flexibility to direct the focus of the internal audit function.

Here’s my take: the proposed rule change was not intended to force companies to go beyond what is currently considered best practice—and what most companies do in support of SOX 404(b). (In general, companies that comply with 404(b) have a much more robust set of internal controls and are more diligent in consistently adhering to them—and therefore have greater financial statement integrity—than companies complying only with 404(a).) Although the proposed rule specifically excludes companies’ external audit firms from providing internal audit services, it does allow outsourcing to a third party.

The NASDAQ’s attempt to close the SOX loophole should not significantly affect RoseRyan’s SOX clients. These companies typically engage us to help them ensure that their internal controls are appropriately designed, to independently test the controls’ effectiveness and to periodically meet with their audit committees. I don’t see the proposed rule greatly changing that scope of work. However, the rule will add to the workload of many newly public companies currently exempt from 404(b). I view that change as a step in the right direction for investor protection and for leveling the playing field for companies traded on the NASDAQ, regardless of when they went public.

In my pre–Sarbanes-Oxley days, I worked with companies where it was tough to get audit committee members to attend meetings, and many of those meetings were check-the-box exercises without real value. The Sarbanes-Oxley Act changed the landscape significantly. Among other things, SOX clearly laid the responsibility for overseeing external audits on the shoulders of the audit committee—and now we are seeing increased focus on how the audit committee manages the external auditor.

Two documents recently issued by the SOX-created Public Company Accounting Oversight Board, which oversees the audits of public companies, focus on one aspect of that management: communication. The first, AS 16, Communications with Audit Committees, is aimed at increasing the relevance and quality of communication between audit committees and external audit firms. The second, Release No. 2012-003, Information for Audit Committees about the PCAOB Inspection Process, provides guidance on conversations that audit committees may wish to have with their external auditors.

A little background may be helpful. Each year, the PCAOB conducts inspections of audit firms. These inspections ascertain how the firms under review conducted their audits—in essence, whether their audit opinions were sufficiently supported by the facts. They also determine how committed the firms are to quality control—basically, whether they meet professional standards.

Release No. 2012-003 suggests some questions for an audit committee to ask its external auditor, including the following:

  • Has my audit been selected for a PCAOB review?
  • Have other companies similar to my business been selected for review?
  • What issues did these reviews raise?
  • What were the review findings?
  • If deficiencies were uncovered, how is the audit firm remediating them, and how will those efforts affect our company?

Be skeptical if your external auditor suggests that an issue identified was a documentation problem or a matter of professional judgment. You may find it difficult to imagine that your auditor did not gather sufficient evidence to form an opinion when your management team feels like it’s being audited to death—but perhaps this is an opportunity for some candid discussion. A benefit of talking with your auditor about the PCAOB inspection results is to gain more insight about issues the PCAOB is seeing across the profession, and to learn how you might be impacted by those issues and ways to get a leg up on proactively addressing them.

Audit committees are becoming more proactive in managing relationships with external auditors and in evaluating auditor performance—think quality of services and adequacy of resources. Ensuring the audit firm’s independence, objectivity and professional skepticism hinges on good communication.

As a former audit partner of a Global Six accounting firm, I’ve done my fair share of presenting at audit committee meetings. I’ve noticed that when it’s time for the auditors to present, there will always be the occasional board member who turns to his or her laptop for a bit of day trading or to check email (no, this didn’t hurt my feelings at all).

More important, I’ve been able to observe what characterizes an effective audit committee. This has been on the minds of Public Company Accounting Oversight Board members lately, too. Last month, the PCAOB unanimously adopted AS 16, Communications with Audit Committees. Though the intent is to enhance the relevance and timeliness of communications between the auditor and the audit committee, the standard has little to do with influencing the audit committee’s dynamic with management.

So, here is a compendium of my direct observations on what separates a truly effective audit committee from the rest.

Risk-focused meetings. Meeting agendas should evolve with the growth stages of the company and respond to changes in the economic and competitive environment.

Challenge historical policies and practices. The key operating and financial reporting risks will never be uncovered unless the committee challenges the past.

Transparent and honest communications. It’s crucial that audit committee members talk candidly about what’s going well and what isn’t.

A dynamic chair. It’s paramount that the committee is led by a strong communicator who facilitates discussion, keeps it on track with the agenda and acts as an objective voice during heated exchanges.

Global representation. Committee members who represent the company’s foreign operations add insight into cultural, legal and tax-structure differences.

“Pre-meeting” with the finance team. The most effective audit committee I observed flew in the day before the meeting to have dinner with key finance team members. This informal setting facilitated communication and gave the committee a chance to formulate more questions. It also gave the finance team a heads-up about late developments that weren’t on the agenda.

Quarterly lunch with the independent auditor. Yes, I understand that the audit partner “takes you out” and then bills the company, but he or she can provide valuable insights, such as feedback on the performance of the management team and an honest take on accounting and internal control risk areas. The committee chair isn’t likely to get this kind of information from the formal slide presentation.

For more suggestions, check out Ernst & Young’s excellent article, “Audit Committees: Going Beyond the Ordinary.” It’s a great piece from the June 2012 issue of E&Y’s BoardMatters Quarterly newsletter.

The SEC XBRL mandate provides for a period of limited liability of either two years following a filer’s initial XBRL filing date or October 31, 2014, whichever comes first. During this time, XBRL exhibits are deemed as “furnished” instead of “filed.” Under this modified-liability safe harbor provision, the company is protected as long as its compliance efforts are in good faith and any known errors are corrected promptly after discovery. However, when the limited liability window closes, XBRL exhibits will have the same liability provisions as regular filings under the antifraud provisions of the Securities Law. In the event of a misstatement or omission of a material fact in the XBRL files, the company along with its officers and directors can be held legally liable and be subjected to civil and criminal liability.

What should you consider before your limited liability expires? At a minimum, if your XBRL exhibits fall outside of the financial reporting process, you should have disclosure controls and procedures (DC&P) in place on your XBRL creation process (see “Do Auditors Care About XBRL?”). However, as XBRL technology becomes integrated into the close process, the preparation of financial statements may become interdependent with the interactive data tagging process. When this happens, the company and its auditors should evaluate the XBRL controls under SOX 404.

Are there broader risks your CFO and audit committee need to consider? Absolutely! The Committee of Sponsoring Organizations of the Treadway Commission (COSO) expands on internal control, and provides a comprehensive framework on the broader subject of enterprise risk management. In order to design an effective framework to meet the strategic, operations, reporting and compliance needs of XBRL, consider applying the following essential components.

Control environment: When appropriate, involve your CFO and audit committee with every aspect of your XBRL strategy, including process and controls, risk and opportunities. Be proactive and ask your audit committee for an AICPA agreed-upon procedures (AUP) engagement to review XBRL files for accuracy and data quality. (See my earlier post on the importance of an AUP.)

Objective setting: Since XBRL technology is here to stay, how can you best leverage the power of XBRL to drive effectiveness and efficiency beyond external transparency? The logical next step is to explore opportunities that go beyond SEC compliance, such as the existing XBRL Global Ledger Taxonomy and the evolving Risk and Controls Taxonomy, to enhance internal transparency, operational performance and risk management objectives.

Risk assessment and response: Which filings are subject to XBRL tagging? The answer is: it depends. While the requirements for Form 10-K, 10-Q and 8-K are clear, the XBRL rules for registration statements can be tricky, especially with respect to the S-1 resale registration statement and the shelf registration statement on Form S-3. A best practice is to develop a documentation guide based on authoritative standards, such as SEC rules, the EDGAR Filer Manual, SEC FAQs, SEC CD&Is, XBRL US GAAP Taxonomy Preparers Guide and resolutions from the XBRL US Best Practices/Data Quality Working Group, to ensure compliance.

In the absence of formal SEC guidance, it is important to establish a policy to assess material XBRL errors and a process to determine whether an amendment filing is required (for details, see this post).

Control activities: To address data quality and compliance issues, stay current with the latest AICPA exposure draft on XBRL quality attributes of completeness, accuracy, proper mapping and structure. For each of these attributes, assess what could go wrong and implement a safety net and control environment to mitigate risk of errors.

Monitoring: Always keep abreast of latest developments and best practices from the SEC and XBRL US to avoid last-minute surprises. As XBRL standards evolve, monitoring is crucial to a quality filing. Likewise, when the SEC approves a new taxonomy, consider the advantages of early adoption and put a migration plan in place. Involve your internal audit function or a professional service firm to implement a continuous quality assurance program and perform corrective actions.

Information and communication: Benchmark your tag selection and extensions to your peer or industry group, thus enhancing comparability and transparency of your XBRL data. Collaborate with your industry group to collectively drive and shape the taxonomy. Communication is vital as you continue to redesign the close process and simplify SEC disclosures to streamline XBRL efficiency. (For tips, see “Less Is More: the Art of XBRL.”) Always get buy-in from internal and external stakeholders—you want to properly set expectations to avoid unwelcome surprises.

There is no one-size-fits-all approach to designing a quality XBRL filing. Regardless of limited liability protection, each company should manage XBRL risks within its risk appetite, define a comprehensive process to identify all the “what could go wrong” events, and provide an XBRL quality assurance framework.

Should you ask your audit committee to evaluate your XBRL files for completeness, mapping, accuracy and structure under an agreed-upon procedures (AUP) engagement in accordance with the principles and criteria set by the AICPA? I get asked this question all the time, especially by companies whose limited liability is expiring. But everybody should consider AUP for their XBRL.

Why? In the absence of a mandatory audit assurance, an AUP engagement helps ensure that XBRL data brings meaningful value and transparency to the investment community.

Even if your audit committee has adopted a wait-and-see attitude, analysts and investors may be making investment decisions about your company that may be based on substandard and inconsistent data quality. For example, the SEC found several significant and recurring errors by large accelerated filers during the first two months of 2011. The most prevalent data-quality issues revolved around negative values, extended elements and tagging completeness.

Says XBRL US: “In the over 14,900 XBRL submissions to date, over 145,000 data issues have been identified related to the use of the XBRL US GAAP Taxonomy. These inconsistencies include incorrect signs, missing concepts and concepts used incorrectly.”

While a formal AUP is not required, it is best to have a mock AUP environment that ensures compliance of your XBRL-formatted information. A recent trend is for companies to leverage their internal audit function or professional service firm to implement a mock AUP environment to be better prepared for the formal AUP engagement.

What exactly is AUP?
First, an AUP engagement doesn’t deliver an audit opinion. The practitioner performs agreed-upon procedures and assessments, and then reports findings, alternatives and recommendations in a letter to management and the audit committee.

An AUP ensures the completeness, accuracy, proper mapping and structure of your XBRL files. These are the four important aspects of XBRL, according to the AICPA’s latest exposure draft for the XBRL process. Here is what an AUP engagement covers.

Completeness: Do you have a procedure to ensure that all required source information is tagged in XBRL? For example, a few commonly missed tags are significant accounting policies embedded throughout footnotes, spelled-out amounts and superscript footnotes.

Mapping: Even though finding data-quality issues on proper mapping can be aided by software-assisted search and benchmarking analytical tools, at the end of the day, this core process can be subjective: choosing the narrowest tag and assessing materiality can be an art rather than a science. Likewise, the SEC considers mapping to be the most critical part of the XBRL quality control process, but there are no software tools that can detect this type of error prior to filing.

Accuracy: Even if common data-quality issues, such as negative values, are flagged by software tools, you still need to assess their validity based on financial facts and the specific circumstances for comparative quarters and year-to-date periods.

Structure: Technical validation errors of this type tend to be black-and-white and can be detected by third-party SEC and EDGAR validation tools prior to submission to the SEC.

AUP = quality assurance = market value
Whether you have a built-in or a bolt-on XBRL solution, you need quality assurance over your XBRL data. Some AUP steps can be accomplished with software tools, while other procedures require professional judgment. Automated tools can only help you so much in highlighting inconsistencies and the usual suspects. Ultimately, you need to tell your company’s story by choosing the tag that best maps to the underlying transaction and translates that fact into meaningful information.

Because investors rely on your XBRL data to make investment decisions, it is ultimately your responsibility to avoid errors before they are disseminated to the public. Aside from compliance, the real benefit of XBRL is increased transparency and comparability, which can in turn increase the value of your stock when the analyst community gains more confidence in your XBRL data.
