The SEC XBRL mandate provides for a period of limited liability of either two years following a filer’s initial XBRL filing date or October 31, 2014, whichever comes first. During this time, XBRL exhibits are deemed as “furnished” instead of “filed.” Under this modified-liability safe harbor provision, the company is protected as long as its compliance efforts are in good faith and any known errors are corrected promptly after discovery. However, when the limited liability window closes, XBRL exhibits will have the same liability provisions as regular filings under the antifraud provisions of the Securities Law. In the event of a misstatement or omission of a material fact in the XBRL files, the company along with its officers and directors can be held legally liable and be subjected to civil and criminal liability.
What should you consider before your limited liability expires? At a minimum, if your XBRL exhibits fall outside of the financial reporting process, you should have disclosure control and procedures (DC&P) in place on your XBRL creation process (see “Do Auditors Care About XBRL?”). However, as XBRL technology becomes integrated into the close process, the preparation of financial statements may become interdependent with the interactive data tagging process. When this happens, the company and its auditors should evaluate the XBRL controls under SOX 404.
Are there broader risks your CFO and audit committee need to consider? Absolutely! The Committee of Sponsoring Organizations of the Treadway Commission (COSO) expands on internal control, and provides a comprehensive framework on the broader subject of enterprise risk management. In order to design an effective framework to meet the strategic, operations, reporting and compliance needs of XBRL, consider applying the following essential components.
Control environment: When appropriate, involve your CFO and audit committee with every aspect of your XBRL strategy, including process and controls, risk and opportunities. Be proactive and ask your audit committee for an AICPA agreed-upon procedures (AUP) to review XBRL files for accuracy and data quality. (See my earlier post on the importance of an AUP.)
Objective setting: Since XBRL technology is here to stay, how can you best leverage the power of XBRL to drive effectiveness and efficiency beyond external transparency? The logical next step is to explore opportunities that go beyond SEC compliance, such as the existing XBRL Global Ledger Taxonomy and the evolving Risk and Controls Taxonomy, to enhance internal transparency, operational performance and risk management objectives.
Risk assessment and response: What filing is subjected to XBRL tagging? The answer is: it depends. While the requirements for Form 10-K, 10-Q and 8-K are clear, the XBRL rules for registration statements can be tricky, especially with respect to the S-1 resale registration statement and the shelf registration statement on Form S-3. A best practice is to develop a documentation guide based on authoritative standards, such as SEC rules, the Edgar Filer Manual, SEC FAQs, SEC CD&Is, XBRL US GAAP Taxonomy Preparers Guide and resolutions from the XBRL US Best Practices/Data Quality Working Group, to ensure compliance.
In the absence of formal SEC guidance, it is important to establish a policy to assess material XBRL errors and a process to determine whether an amendment filing is required (for details, see this post.)
Control activities: To address data quality and compliance issues, stay current with the latest AICPA exposure draft on XBRL quality attributes of completeness, accuracy, proper mapping and structure. For each of these attributes, assess what could go wrong and implement a safety net and control environment to mitigate risk of errors.
Monitoring: Always keep abreast of latest developments and best practices from the SEC and XBRL US to avoid last-minute surprises. As XBRL standards evolve, monitoring is crucial to a quality filing. Likewise, when the SEC approves a new taxonomy, consider the advantages of early adoption and put a migration plan in place. Involve your internal audit function or a professional service firm to implement a continuous quality assurance program and perform corrective actions.
Information and communication: Benchmark your tag selection and extensions to your peer or industry group, thus enhancing comparability and transparency of your XBRL data. Collaborate with your industry group to collectively drive and shape the taxonomy. Communication is vital as you continue to redesign the close process and simplify SEC disclosures to streamline XBRL efficiency. (For tips, see “Less Is More: the Art of XBRL.”) Always get buy-in from internal and external stakeholders—you want to properly set expectations to avoid unwelcome surprises.
There is no one-size-fits-all approach to designing a quality XBRL filing. Regardless of limited liability protection, each company should manage XBRL risks within its risk appetite, define a comprehensive process to identify all the “what could go wrong” events, and provide an XBRL quality assurance framework.