Archive for January, 2011

XBLR – The Audit Implications of XML for Financial Reporting

Posted by Ryan Buckner
January 17th, 2011

This article is also posted on the re: The Auditors blog and can be found here.

What is XBLR?

For those who haven’t heard of it, XBRL (eXtensible Business Reporting Language) is an open standard for exchanging business information between systems.  It is based on the open XML standards, which involves the tagging of data elements.  Converting financial statement data into intelligent and interactive fields allows for applications and systems to more quickly analyze that data.

Today, all US-based publically traded companies are required by SEC mandate to provide XBRL versions of their financial statements, during a three-year phase-in period.  The largest companies were required to do this starting in June 2009.  The remaining companies are required to file interactive data on a phased-in schedule lasting through mid-2011.  Other regulators, such as the Federal Deposit Insurance Corp. and the U.S. Office of the Controller, have been requiring XBRL for the filing of call reports for some time.

The technical process of converting financial data into XBRL relies on a taxonomy of accounting terms and the matching of Generally Accepted Accounting Principles (GAAP) “element” to an XBRL “tag”.  The current US GAAP taxonomy has approximately 15,000 distinct elements.  Early adopters of XBRL had could map and tag the data in-house or outsource the effort.  While some of the larger companies performed the work internally, a recent survey by the AICPA and XBRL.org indicates that outsourcing has been a popular choice for cost purposes.

What are the Risks?

Regardless of whether the company chooses to outsource the conversion or not, the company whose financial statements are being converted to XBRL is still responsible for the accuracy of the output data.  In addition, the introduction of a third party performing this work introduces the risks from errors and omissions to operational errors such as missing a filing deadline, sending the wrong file, and data security breaches.

Many companies do not have the formal reconciliation and approval processes in place with XBRL vendors as they normally have for a payroll vendor, for example, who files tax reports and makes payments on behalf of the company.

One speaker at the Financial Executives International (FEI) Current Financial Reporting Issues Conference this past November, the Chief Accounting Officer at a Fortune 500 pharmaceutical company, described an incident where their vendor had sent the wrong file to the SEC.  This necessitated a subsequent filing to correct the erroneous data.  In this case, the company caught the erroneous filing, not the vendor.

Current Audit Practices

Today, there is a concern that XBRL is not being thoroughly reviewed by external financial auditors.  The Public Company Accounting Oversight Board issued guidance in 2005 on external auditor engagements regarding XBRL, which relies on the auditor agreeing on a paper-only versions of the XBRL-related documents to the information in the official filing.

The PCAOB rules allow an auditor to perform an examination under attestation (AT) Section 101 that would include:

  • XBRL data agrees with the official EDGAR filings, and
  • XBRL-Related Documents are in conformity with the applicable XBRL taxonomies and specifications, as well as with the SEC requirements for format and content.

For larger companies, reviews of XBRL have been performed under the framework provided in the AICPA for Agreed Upon Procedures (AUP) otherwise known as AT section 201.  AUP engagements are specific between one company which engages the audit firm, and another company to be audited, in this case the vendor and would generally be specific to the company’s specific data, and the two or more companies specifically agree to have the audit firm perform certain procedures.  AUP reports are not shared reports and can only be used by companies specific to that agreement.  These reports are mainly seen as an extension of the financial statement audit.

Alternative Approaches and the Path Forward

It would seem that the more appropriate and cost effective path would be to have these third-party vendors be examined or reviewed under an attestation following the AT section 101 framework.  One benefit of using this framework is that the report could potentially be made available for use by multiple companies.  In addition, the Trust Services frameworks fall within AT Section 101 such that a third-party provider could obtain a SysTrust® examination for their services.

If history remains consistent, the combination of a compliance requirement for XBLR and the desire to do so at the lowest cost will result increased outsourcing.  With this comes increased risk of a provider’s technologies and processes inaccurately reflecting the financial position of the company.  Like any outsourcing, companies looking to outsource this function should inquire the provider’s processes and controls as well as the types of audits and certifications it has undergone to validate those controls.

SocialTwist Tell-a-Friend

Tags: ,
Posted in Assurance / Service Audits, SAS 70, SysTrust | No Comments »

SAS 70 Solutions, Inc. is now BrightLine CPAs & Associates, Inc.

Posted by Douglas Barbin
January 3rd, 2011

TAMPA, FLORIDA – January 3, 2011 – SAS 70 Solutions, Inc., one of the world’s largest providers of SAS 70 audit services, announced today that it has changed its name to BrightLine CPAs & Associates, Inc. (“BrightLine”).  This new name reflects the company’s broader suite of attestation and compliance services, which now include SAS 70 and SSAE 16 assessments, PCI DSS validations, and ISO 27001 compliance services.

The name is derived from an important industry term.  A “bright line” requirement is a component of an objective standard that is designed to produce predictable and consistent results.  Unlike the term “fine line” which implies ambiguity and the likelihood of varying interpretations, a bright line provides clear and absolute guidelines.  In other words, a “bright line” is the threshold of compliance with an objective standard.

Chris Schellman, founder and president of SAS 70 Solutions, Inc. comments: “The SAS 70 Solutions brand has provided us with a strong foundation for our future.  Our new name – BrightLine – better represents the integrated service lines we have developed over the years and will serve as a recognizable, global brand in the certified public accounting and compliance industries for years to come.  It is hard to imagine a more fitting name for our organization which specializes in assessing clients’ compliance with the world’s most well-known audit and compliance standards.”

Founded in 2002, SAS 70 Solutions, Inc. was the first CPA firm established specifically to provide audit services in accordance with Statement on Auditing Standards No. 70 (SAS 70).  Over the years, its service lines have expanded to include other complementary audits and assessment services.  As BrightLine, the company will continue to provide SAS 70 and SSAE 16 assessments, PCI DSS validation, ISO 27001 and 27002 assessments, and AT Section 101 attestation services, including WebTrust and SysTrust examinations.

BrightLine is a licensed Certified Public Accounting firm and is registered with the Public Company Accounting Oversight Board.  BrightLine is also one of the only CPA firms in the United States that is accredited as a Qualified Security Assessor (QSA) company by the PCI Security Standards Council.

For further information regarding the new BrightLine brand, please visit the company’s website at http://www.BrightLine.com/new-name

MEDIA CONTACT

Doug Barbin
Barbin@BrightLine.com
Tel.  1.866.254.0000 ext. 139
e-Fax  1.888.533.7108

SocialTwist Tell-a-Friend

Posted in BrightLine, News | No Comments »