
What you really don’t want in the midst of Sarbanes-Oxley compliance is any kind of sudden surprise. Getting caught off-guard in the middle of a compliance effort can slow things down considerably and create rifts within the company. The audit committee chair suddenly finding out about a material weakness in internal controls that should have been brought to their attention weeks ago could derail the Sarbanes-Oxley timeline. A CFO being apprised of a broken chain of command that could have been addressed from day one understandably won’t be happy.

Such scenarios can largely be avoided by building an effective communication plan into the SOX compliance program from the outset, so that management and stakeholders are kept up to speed on progress and findings. Setting up communication pathways at regular intervals between peers, SOX project sponsors, senior management, and the board (the audit committee in particular) is essential. You can identify problems early and take action on them, thereby avoiding any nasty surprises. This streamlines your program and creates a better outcome.

Let’s Talk About This

Communication is an inherent part of Sarbanes-Oxley Act compliance. In particular, the section informally referred to as SOX 404, internal controls over financial reporting, lets investors and regulators know whether management and the auditors stand by the company’s internal controls and, in effect, the company’s accounting policies and practices. If the statement made is a positive one, it requires documentation to back it up with evidence to show that a thorough evaluation occurred. If there’s a weakness to report, that could call into question the adequacy of the financial information being shared.

But in between the start of a Sarbanes-Oxley program and the final signoff by the CEO and CFO are many opportunities for a communication breakdown, from the SOX project manager not having access to the audit committee to stakeholders outside the finance team not knowing they have any responsibility for SOX compliance. For a successful SOX program, be sure you have a well-crafted communication plan that covers these key areas:

Educate the SOX stakeholders.

Outside of finance, Sarbanes-Oxley is often a mystery at companies where it hasn’t yet become a way of life. Companies looking at their internal controls as they near an IPO, and newly public companies gearing up for SOX for the first time, should meet early with the stakeholders who need to understand their connections to and deliverables for this compliance effort, including those outside of the finance function such as HR and sales. Sarbanes-Oxley experts brought on board can help keep these stakeholders aware of their responsibilities, what needs to happen next, and what is missing in the process, at the right level, without overburdening everyone with more details than they need to know.

Make sure you have smooth communication pathways.

Those leading the SOX work—whether they are outside consultants or internal leaders—need to keep an open flow of communication from the beginning of the process to the end. If something looks amiss or a problem arises, it needs to be addressed swiftly. Identify the control owners and decide how often certain key players need to be updated about how testing is going. Schedule updates at frequent intervals and stay organized with the facts, so everyone knows what’s happening, from the testers and executives to the audit committee and external auditor.

Foster two-way communication.

Management needs to be forthcoming, providing the up-to-date information necessary for testing, while those leading the SOX program need to be up-front too: bringing to light information management needs to know, providing progress updates, and dealing with any problems that pop up.

Flag issues early.

It’s better to have the tough conversations early on and address the issues than to deliver bad news when up against a deadline or when a problem has worsened. This is one of those times when the SOX manager needs to have access to senior management, to make noise when necessary and create solutions to fix a problem. By being solutions-focused, the SOX team will be known for providing answers rather than just surfacing complaints. Complaints don’t result in improvements. Those on the team who are more accustomed to SOX compliance shouldn’t be fearful of communicating any issues but instead should be naturally forthcoming, and alert those who need to be in the know.

Communication’s Role in Compliance

A breakdown in controls can mess with a company’s ability to provide trustworthy, reliable financial statements. Sarbanes-Oxley compliance helps public companies pinpoint such issues, and companies gearing up for an IPO wisely look for any gaps in their controls, too.

All too often, though, these compliance efforts can be slowed or put into jeopardy if communication flows are spotty or weak. That’s why it is best to have a solid communication plan built into the entire program. It should not be an afterthought, but a careful process designed from the start. This foundational layer involves early collaboration with stakeholders, the right set of reviews, regular updates and checkpoints, and careful consideration of information for the audit committee and the board. A lapse in any key communication pathway can bring about a nasty surprise, and set up the project for failure.

A team with deep experience with the ins and outs of Sarbanes-Oxley compliance can ensure this entire process goes seamlessly. Make the most of your Sarbanes-Oxley partners’ acumen so that the risks to the business are clearly understood. They bring a fresh perspective, with insights pulled from other companies in your industry, as well as specialized expertise. They know who needs to know what, when. It’s all part of a well-designed communication plan.

RoseRyan Director Christopher Ludwig heads our Corporate Governance practice, which includes our Sarbanes-Oxley Compliance and Internal Audit solutions designed for fast-moving companies. He previously was director of Sarbanes-Oxley compliance and internal audit at SOAProjects, and he has held compliance-focused and finance roles at KPMG, CafePress.com, The Federal Reserve Bank of San Francisco, and IBM.

Regulators are not requiring companies to follow the new COSO framework even though the 1992 version is being retired later this year. While we encourage companies to adopt the new internal control framework and most of them have begun the process, the lack of an explicit mandate still has some dragging their feet.

For now, the Securities and Exchange Commission staff have said they are keeping a close watch on which framework companies will be following. During this upcoming transitional year of reporting, they won’t be questioning companies that haven’t migrated to the new framework even after the old one is superseded as of December 15, 2014. As it is, the Committee of Sponsoring Organizations of the Treadway Commission has given organizations a fair amount of time to make the move before the preceding 20-year-old guidance is no longer available.

Still, some companies delayed starting their transition until after their 2013 10K and 2014 first quarter 10Q were filed. By the time fiscal year-end 2014 filings are submitted, not all public companies will have been able to say they follow the more modern framework, as COSO had hoped they would.

If you fall into that camp, it might be too late to make the transition for fiscal year 2014. Making the move is different for each company. If you’ve followed best practices for internal controls, you may only need to map your existing internal controls to the new framework. In that situation, your internal controls have been effective for the year and can be relied upon, and your transition is done. However, if you don’t fall into this category, more time will be involved (how much time and how many resources are required depends on the current state of your internal controls). At this point, it also means that the new controls put in place for the new framework have not been effective for the first eight months of the year, and therefore reliance on these controls will be in question.

We’re not trying to make you feel bad. Procrastination—for whatever reason—happens. What really matters is what you do now. While the ideal path would have been to make your COSO transition sooner rather than later, this could also be the time if you haven’t started at all to begin the evaluation of the new COSO framework for fiscal year 2015.

Where to begin

If you have read the new framework, you will have noticed that it has 17 new principles for internal control, and within each of those principles there are specific points of focus. The points of focus do help with identifying controls within your organization. Most of these internal controls will exist in your entity level controls. Entity level controls are those controls that apply across the organization, and most of the new principles are aimed at internal controls that reside at the organizational level.

If you haven’t reviewed the 17 new principles and their corresponding points of focus, you should start familiarizing yourself with them now. Whether a control identified in that review only needs to be documented, is an improvement to an existing control, or is an entirely new control, it must be in place and in working order before you can rely on it. Otherwise, it cannot be relied upon.

Based on those companies that have already mapped their entity level controls to the new framework, here’s what will likely happen. We have seen our clients experience a combination of three possible outcomes:

  1. They need to take credit for what they already do, as their latest evaluation shows the control is already in place but not currently identified as an internal control. This involves formalizing the control and documenting it.
  2. They work on improving a control that already exists in order to make sure it covers the points of focus within the framework.
  3. They add a new control. This is the one that requires more time. You will need to get agreement from the organization that the control needs to be added, confirm that the control is documented accurately and will be performed, and then be able to test early enough to allow time to remediate the control in case something goes wrong.

If your company has been following best practices in identifying internal controls within its entity level controls, then you will likely see that the transition to the new framework follows items 1 and 2 above. This will take time for documentation, but the controls are already being performed and additional training will not be needed.

However, if you haven’t been following best practices for internal controls as closely as you could have been, then you might find yourself working with all three points above. Item 3 does entail additional time and training that could go beyond the finance department. The sooner you start this process, the sooner you will position yourself to be prepared to make the switch.

With all of this said, if you are choosing to not migrate to the new COSO framework now, you will at the very least have to document your reasoning as to why you think your internal controls are sufficient as is. In addition, you will have to make sure your external auditors are in agreement with your rationale. In my opinion, it would be prudent to keep in mind that at some point, the new COSO framework will be required. Nobody wants to be caught without the time, resources, or remediation runway when that requirement is made.

Tracy Thames has been a member of the RoseRyan dream team since 2008. She excels at SOX, internal audit, accounting management and project management.

NASDAQ recently filed a proposed rule change with the SEC that’s seemingly aimed at SOX compliance. If implemented, each NASDAQ-listed company will be required to establish and maintain an internal audit function “to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control.” Companies listed as of June 30, 2013, will be required to establish an internal audit function by December 31, 2013; companies listed after June 30, 2013, will be required to establish that function prior to listing. In NASDAQ’s view, the proposed rule change will place no unnecessary or inappropriate burden on competition.

To me, this proposed rule change signals that the NASDAQ is weighing in on the JOBS Act provision that exempts certain companies from SOX 404(b), an auditor attestation regarding internal controls that was intended to foster growth by lowering administrative burdens on emerging growth companies (those with revenues less than $1 billion) entering the public market. These companies were granted as many as five years’ relief from a number of rules, including independent auditor attestation on the design and effectiveness of internal controls over financial reporting.

The more than 30 comments posted by the recent close of the SEC comment period were primarily from CFOs of small NASDAQ-listed companies, who said the proposed rule was costly for their enterprises and duplicative of existing SOX requirements. Some comments reflected concern that the rule reduced audit committees’ flexibility to direct the focus of the internal audit function.

Here’s my take: the proposed rule change was not intended to force companies to go beyond what is currently considered best practice—and what most companies do in support of SOX 404(b). (In general, companies that comply with 404(b) have a much more robust set of internal controls and are more diligent in consistently adhering to them—and therefore have greater financial statement integrity—than companies complying only with 404(a).) Although the proposed rule specifically excludes companies’ external audit firms from providing internal audit services, it does allow outsourcing to a third party.

The NASDAQ’s attempt to close the SOX loophole should not significantly affect RoseRyan’s SOX clients. These companies typically engage us to help them ensure that their internal controls are appropriately designed, to independently test the controls’ effectiveness and to periodically meet with their audit committees. I don’t see the proposed rule greatly changing that scope of work. However, the rule will add to the workload of many newly public companies currently exempt from 404(b). I view that change as a step in the right direction for investor protection and for leveling the playing field for companies traded on the NASDAQ, regardless of when they went public.

In my pre–Sarbanes-Oxley days, I worked with companies where it was tough to get audit committee members to attend meetings, and many of those meetings were check-the-box exercises without real value. The Sarbanes-Oxley Act changed the landscape significantly. Among other things, SOX clearly laid the responsibility for overseeing external audits on the shoulders of the audit committee—and now we are seeing increased focus on how the audit committee manages the external auditor.

Two documents recently issued by the SOX-created Public Company Accounting Oversight Board, which oversees the audits of public companies, focus on one aspect of that management: communication. The first, AS 16, Communications with Audit Committees, is aimed at increasing the relevance and quality of communication between audit committees and external audit firms. The second, Release No. 2012-003, Information for Audit Committees about the PCAOB Inspection Process, provides guidance on conversations that audit committees may wish to have with their external auditors.

A little background may be helpful. Each year, the PCAOB conducts inspections of audit firms. These inspections ascertain how the firms under review conducted their audits—in essence, whether their audit opinions were sufficiently supported by the facts. They also determine how committed the firms are to quality control—basically, whether they meet professional standards.

Release No. 2012-003 suggests some questions for an audit committee to ask its external auditor, including the following:

  • Has my audit been selected for a PCAOB review?
  • Have other companies similar to my business been selected for review?
  • What issues did these reviews raise?
  • What were the review findings?
  • If deficiencies were uncovered, how is the audit firm remediating them, and how will those efforts affect our company?

Be skeptical if your external auditor suggests that an issue identified was a documentation problem or a matter of professional judgment. You may find it difficult to imagine that your auditor did not gather sufficient evidence to form an opinion when your management team feels like it’s being audited to death—but perhaps this is an opportunity for some candid discussion. A benefit of talking with your auditor about the PCAOB inspection results is to gain more insight about issues the PCAOB is seeing across the profession, and to learn how you might be impacted by those issues and ways to get a leg up on proactively addressing them.

Audit committees are becoming more proactive in managing relationships with external auditors and in evaluating auditor performance—think quality of services and adequacy of resources. Ensuring the audit firm’s independence, objectivity and professional skepticism hinges on good communication.

The passage of the Sarbanes-Oxley Act 10 years ago dramatically improved corporate governance in U.S. companies, restoring investor confidence in U.S. capital markets in the wake of headline-making accounting blowups (Enron, WorldCom, et al). SOX instituted rules on the composition of audit committees, established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of audit firms and spelled out civil and criminal penalties for CEOs and CFOs. But when SOX is mentioned, most people immediately think of Section 404 (internal controls over financial reporting), which continues to take heavy criticism—not always deservedly.

Initially, implementation of SOX 404 was difficult, cumbersome and expensive. Companies had to formalize their system of internal controls over financial reporting and invest resources in designing, documenting and testing the effectiveness of controls, even in areas that would not reasonably give rise to a misstatement of financial results. Over time, though, the rules were revised and both managers and auditors learned how to apply judgment to principles-based regulations and develop supportable positions. Companies incorporated internal controls into their normal workflow and created cost-effective programs to improve the integrity of their financial reporting. A November 2009 study published by Audit Analytics found that the rate of financial restatements was 46 percent higher for companies that did not comply with all of the SOX internal control provisions than for companies that did.

Some companies comply with the letter of the law, but do not embrace the spirit of SOX 404, viewing it as a check-the-box exercise. They use lower standards of evidence (for example, inquiry only rather than re-performance), and their SOX testing is neither meaningful nor insightful. That means their results are not informative. This approach would not pass muster under an independent audit, and since all but the smallest public companies (those with less than a $75 million public float) have been subject to audit attestation, most public companies have ended up with meaningful SOX results.

Now, recent developments are sending conflicting messages about the direction of SOX rules.

The JOBS Act granted a five-year exemption from SOX audit attestation for newly public companies with less than $1 billion in revenue—a huge swing in the direction of more leniency.

In the other direction, PCAOB reviews of Big Four audit firms have led auditors to ask for more robust documentation of internal controls and more thorough testing of the data used to support the effectiveness of controls. And COSO, which publishes the most widely used framework for designing and assessing internal controls, has issued an exposure draft of an updated internal control framework intended to address changing technology and globalization, as well as to provide greater clarity on designing and maintaining an effective system of internal controls. Given that the draft runs to more than 500 pages, reviewing, revising and implementing the guidance from the new framework is no small undertaking.

So where are we headed? My fear is that we are taking a big step backward. By exempting some companies from SOX audit attestation, we turn a blind eye to ineffective internal controls and erode investor confidence in financial statements. At the same time, the updated COSO framework and requirements for more robust SOX documentation seem to be pushing nonexempt companies back to the difficult, cumbersome and expensive path, without any increase in financial statement integrity. Neither of these directions is in the best interest of companies or investors.

Entrepreneurs are constantly setting up companies as new business opportunities arise. It’s called innovation, and that’s what Silicon Valley is all about. VCs put their money into these companies to help them grow with the expectation that they will make a great return on investment themselves—and they perform significant due diligence and risk assessment before investing.

So it always surprises me when many of these innovative companies that have been assessed for investment risk by their backers act cavalier when it comes to managing the financial risks within their fledgling businesses. Even more surprising is that many of the venture funds that have invested their money never question the company’s approach to financial risk management.

Many companies, particularly start-ups, sell on terms without checking out their customers for credit risk or taking steps to reduce risk. They are so intent on making the sale to show they have a real business (maybe even desperate) that the quality of the sale doesn’t matter. Many have been burnt when they don’t get paid, and others have gone out of business.

Make sure a customer’s credit is good

All of this is avoidable with a few basic steps—and the most basic of all is to check the creditworthiness of a new customer. It takes a minimal amount of time to do, yet in many cases it’s seen as an unnecessary hassle. (This is rarely a problem in public companies, as a basic SOX control on revenue recognition is a requirement to assess collectability. That is one area where SOX has added a lot of value.)

If it is not possible to establish a customer’s creditworthiness, get them to prepay, use a credit card or provide some sort of guaranteed financial instrument. I have rarely seen a sale cancelled because appropriate terms cannot be agreed upon, yet I have seen companies suffer a lot of pain when they realize, too late, that they have made a poor sale. It’s not only the loss of the receivable that hurts. The cost in time, effort and third-party services to chase the money can be exorbitant, too.

Make sure that credit stays good—and take basic precautions

In addition, companies need to reassess credit terms on a regular basis. Often I see companies check out credit risk and give terms for an initial sale, but they never reassess the customer’s credit risk thereafter, not even when the customer deviates from the agreed terms on that sale or a subsequent sale. Sooner or later that approach comes back to haunt them.

The same is true of credit concentration. Having most of your eggs in one basket is not a good idea, yet many companies do it. Whenever possible, take basic precautions to limit credit concentration, such as selling through multiple channels, or enforcing and continually reassessing credit limits on larger accounts.

Companies that sell overseas also take on significant currency exposure when they sell on inappropriate terms or when the currency risk is not hedged properly. Given the constant headlines about the euro crisis and the considerable downside risk with little upside potential, why do so few companies spend any time considering and minimizing their risk? Beats me.

What I do know is that a small amount of time invested in managing credit and currency risk can save a lot of headaches down the road. It could mean the difference between being in business and becoming extinct.

Enterprise risk management (ERM) tends to be thought of as something only big companies need (or can afford). But it’s not just a megacorp thing—it can protect assets; rescue your company from unforeseen catastrophes, like a supplier going out of business or an epic PR crisis; guard against weak links in your supply chain; and more. Done right, an ERM program can also make decision making smarter, more strategic and more sharply focused on key success factors.

And it doesn’t have to be a major undertaking. Our new report, ERM: Not Just for the Big Guys, shows how midsize businesses can benefit from ERM and how to implement a program cost effectively with a plan that’s right-sized for your company.

How can you get the right fit? The report covers this checklist:

  • Give the CFO the lead
  • Get support from the top
  • Take a step-by-step approach
  • Provide the right tools and frameworks
  • Integrate ERM into decision making
  • Identify key performance indicators

The thought of yet another program when you’re already running lean may make you want to run the other way. You’re not alone: in a recent CFO magazine survey, participants said a commitment of time and resources was the single biggest impediment to implementing ERM.

Think about what you could gain—and what you might lose if unseen risks arise and you don’t have a plan. ERM: Not Just for the Big Guys shows how you can get started sensibly, one step at a time.

Other RoseRyan intelligence reports are available on topics such as M&A due diligence, acing your IPO filing, debt financing and revenue recognition.

The JOBS Act (Jumpstart Our Business Startups Act) purports to foster the growth of small businesses, allowing them easier access to funding by lowering bureaucratic hurdles and thus enabling the growth of their business and their ability to hire more people.

In reality, the bill—passed overwhelmingly by the House last week and now awaiting President Obama’s signature—allows small companies to avoid scrutiny of their financial statements for the first five years because compliance is too costly. What is “small”? Companies with revenues of less than $1 billion. Yep—that’s most of Silicon Valley.

These small companies need access to funding. VC funding (with astute financial inquiries) isn’t readily available, so they go to the public market where we, the investors, have only the financial statements, press releases, website content and other information the company produces. We have to trust that it is accurate, but the JOBS Act says the internal controls and third-party independent oversight mandated by SOX legislation are “too costly.” Too costly for whom?

A well-designed SOX program is not too expensive—it’s too expensive not to have those controls. Any idea how expensive a restatement is? (Think audit fees, legal fees, the army of accountants crunching through your books, regulatory inquiries, shareholder litigation, the list goes on.) Nearly one-third of companies that have had IPOs since 2004 have had to issue financial restatements—that’s a staggeringly high number.

Why do small companies get it wrong?

For starters, finance isn’t viewed as a strategic business function—it’s viewed as overhead. That means it’s often not properly funded, so there’s not enough horsepower to make sure the books are accurate, not enough access to expertise to understand complex accounting regulations and not enough rigor in the close process. Bottom line: the financial statements are not accurate. They do not serve as a basis for understanding the financial position of the business—either for making investment decisions or making management decisions about running the business.

JOBS Act advocates say that most companies will be fine without the discipline of solid internal controls. Really? Did you see the latest from Groupon? First it stumbled with its IPO, and now it has stumbled with its first 10-K. See any patterns? In this last trip-up, the company identified a material weakness in internal controls related to the financial close process and cited three contributing factors: 1) an inadequate close process, resulting in a number of manual post-close adjustments; 2) account reconciliations not performed and/or reviewed; and 3) inadequate policies for timely, adequate review of estimates and assumptions. These are pretty basic controls that every company should perform as part of its normal close process—nothing fancy or tricky here—yet Groupon doesn’t seem embarrassed about missing these controls. (And it certainly isn’t embarrassed to be taking investor money.) While Groupon wouldn’t benefit from the JOBS Act because it has revenues of $1.6 billion, it’s a great example of what often happens with young, newly public companies and the challenges they face in providing accurate financial information to the investor community.

In the wake of the massive frauds perpetrated by Enron, WorldCom, Adelphia, and others, we got SOX. In the wake of the massive frauds perpetrated by Wall Street—which drove us into the deepest recession since the Great Depression—we got Dodd-Frank. Who are we kidding with the JOBS Act? Get ready: we’ve paved the way for a lot more fraud and financial misstatements.

In a March 2 CNBC interview, Marc Andreessen was asked what one thing Washington could do to increase job creation and innovation in Silicon Valley. He replied by saying “attack regulation” and went on to specifically mention Sarbanes-Oxley. In his view, Sarbanes-Oxley was put in place to prevent the next Enron or WorldCom but, in reality, it has just about killed the tech IPO. Founders want to keep their companies private for as long as possible, or forever.

I can certainly understand and applaud founders’ desire to keep their companies private—but I think that has more to do with keeping control over the operations and direction of the company, focusing on long-term strategic goals and not being distracted by short-term returns to investors. Focusing on the business rather than the return to investors seems like a healthy approach to running a company.

When asked what specifically is the problem with Sarbanes-Oxley, Andreessen stated that it introduces an entirely new category of regulations, controls and responsibilities for companies’ finance staff, legal staff, board and audit committees—which translates into an enormous amount of time, energy and attention on the part of management when they are trying to focus on building their business. He went on to say that he is not in favor of another Enron or WorldCom, but the companies he works with are not out to defraud anybody. The big frauds haven’t come out of Silicon Valley.

I suspect Marc Andreessen knows more about the companies he invests in than the average investor knows about the companies in their portfolios. And that, I think, is the point of Sarbanes-Oxley: providing accurate and timely financial information to investors and to management. The Enrons and WorldComs may not have come out of Silicon Valley, but I believe we were the poster children for the stock option backdating scandals a few years back. While I agree that the vast majority of companies are not out to defraud anyone, it’s a slippery slope. In my experience, small private companies are not staffed appropriately to deal with the accounting implications of unusual transactions, and not adequately staffed to make sure mistakes are detected and corrected before publishing financial statements. Without proper objective oversight, the pressure to achieve certain operating results—or to be viewed as someone who believes in and supports the business—can cause a well-intentioned person to go astray. While founders are busy building their business, they won’t fund finance appropriately if they do not value it as a strategic part of the business. That’s fine if it’s just the founders’ money at risk, but when you are raising money in the public market you’ve taken on additional obligations and responsibilities. Those additional categories of regulations, controls and responsibilities that Sarbanes-Oxley brings to the table become essential.

The SEC XBRL mandate provides for a period of limited liability of either two years following a filer’s initial XBRL filing date or October 31, 2014, whichever comes first. During this time, XBRL exhibits are deemed “furnished” instead of “filed.” Under this modified-liability safe harbor provision, the company is protected as long as its compliance efforts are in good faith and any known errors are corrected promptly after discovery. However, when the limited liability window closes, XBRL exhibits will have the same liability provisions as regular filings under the antifraud provisions of the securities laws. In the event of a misstatement or omission of a material fact in the XBRL files, the company along with its officers and directors can be held legally liable and be subjected to civil and criminal liability.

What should you consider before your limited liability expires? At a minimum, if your XBRL exhibits fall outside of the financial reporting process, you should have disclosure control and procedures (DC&P) in place on your XBRL creation process (see “Do Auditors Care About XBRL?”). However, as XBRL technology becomes integrated into the close process, the preparation of financial statements may become interdependent with the interactive data tagging process. When this happens, the company and its auditors should evaluate the XBRL controls under SOX 404.

Are there broader risks your CFO and audit committee need to consider? Absolutely! The Committee of Sponsoring Organizations of the Treadway Commission (COSO) expands on internal control and provides a comprehensive framework on the broader subject of enterprise risk management. In order to design an effective framework to meet the strategic, operations, reporting and compliance needs of XBRL, consider applying the following essential components.

Control environment: When appropriate, involve your CFO and audit committee with every aspect of your XBRL strategy, including process and controls, risk and opportunities. Be proactive and ask your audit committee for an AICPA agreed-upon procedures (AUP) engagement to review XBRL files for accuracy and data quality. (See my earlier post on the importance of an AUP.)

Objective setting: Since XBRL technology is here to stay, how can you best leverage the power of XBRL to drive effectiveness and efficiency beyond external transparency? The logical next step is to explore opportunities that go beyond SEC compliance, such as the existing XBRL Global Ledger Taxonomy and the evolving Risk and Controls Taxonomy, to enhance internal transparency, operational performance and risk management objectives.

Risk assessment and response: Which filings are subject to XBRL tagging? The answer is: it depends. While the requirements for Form 10-K, 10-Q and 8-K are clear, the XBRL rules for registration statements can be tricky, especially with respect to the S-1 resale registration statement and the shelf registration statement on Form S-3. A best practice is to develop a documentation guide based on authoritative standards, such as SEC rules, the EDGAR Filer Manual, SEC FAQs, SEC CD&Is, the XBRL US GAAP Taxonomy Preparers Guide and resolutions from the XBRL US Best Practices/Data Quality Working Group, to ensure compliance.

In the absence of formal SEC guidance, it is important to establish a policy to assess material XBRL errors and a process to determine whether an amendment filing is required (for details, see this post).

Control activities: To address data quality and compliance issues, stay current with the latest AICPA exposure draft on XBRL quality attributes of completeness, accuracy, proper mapping and structure. For each of these attributes, assess what could go wrong and implement a safety net and control environment to mitigate risk of errors.

Monitoring: Always keep abreast of the latest developments and best practices from the SEC and XBRL US to avoid last-minute surprises. As XBRL standards evolve, monitoring is crucial to a quality filing. Likewise, when the SEC approves a new taxonomy, consider the advantages of early adoption and put a migration plan in place. Involve your internal audit function or a professional services firm to implement a continuous quality assurance program and perform corrective actions.

Information and communication: Benchmark your tag selection and extensions to your peer or industry group, thus enhancing comparability and transparency of your XBRL data. Collaborate with your industry group to collectively drive and shape the taxonomy. Communication is vital as you continue to redesign the close process and simplify SEC disclosures to streamline XBRL efficiency. (For tips, see “Less Is More: the Art of XBRL.”) Always get buy-in from internal and external stakeholders—you want to properly set expectations to avoid unwelcome surprises.

There is no one-size-fits-all approach to designing a quality XBRL filing. Regardless of limited liability protection, each company should manage XBRL risks within its risk appetite, define a comprehensive process to identify all the “what could go wrong” events, and provide an XBRL quality assurance framework.