XR:h F neoFacleo i BLTe r trfi naRprn oi n i tg

TECHNOLOGY

XBRL
The theme of this article is straightforward, but its application in practice is a bit more complicated: Enterprise Risk Management (ERM) is becoming increasingly valued as a core business process within organizations, yet research directed to CEOs, CFOs, and boards of directors indicates that effective adoption is slow and arduous. XBRL (eXtensible Business Reporting Language), as you know from this column, is an open standard focused primarily on external financial reporting that is increasingly being turned inward to improve organizational effectiveness in risk management, internal controls, operational reporting, sustainability reporting, business intelligence, and more. Lets start at the beginning. What is ERM? The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as: A process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
64 S T R AT E G I C F I N A N C E

By Jeffrey C. Thomson, CMA, and Uma Iyer

XBRL and ERM: Increasing Organizational Effectiveness

ERM generally encompasses a strategic and systematic approach to managing risks across the organization that includes a process for identifying and managing risks, the people involved in the process, and supporting technology for monitoring and managing risks. And what about ERMs value for our profession? For some insights there, we turn to Robert Kaplan, one of the luminaries in our profession and a member of IMA: Quantifying financial, operating, technological, and strategic risk is far from trivial, and much needs to be learned to make ERM more effective. Also, risk management requires effective systems for internal control and governance. Management accountants can play a leadership role in the design and effective implementation of these risk management systems. This area would be my highest priority for where increases in knowledge and professional expertise could add substantial value to an organization. Strategic Finance, March 2008. IMA is a founding member of COSO, a committee of five accounting associations and a thought leader in delivering guidance, thought leadership, and research in the areas of internal controls, risk management, and fraud prevention. COSOs 2010 Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSOs ERM Framework says: The state of ERM appears to be relatively immature. Only 28 percent of respondents describe their current state of ERM implementation as systematic, robust and repeatable with regular reporting to the board. Almost 60 percent of respondents say their risk tracking is mostly informal and ad hoc or only tracked within individual silos or categories as opposed to enterprise-wide. And a COSO-sponsored study by Protiviti, Board Risk Oversight: Where Boards of Directors Currently Stand in Executing Their Risk Oversight Responsibilities (December 2010), states: We found there are mixed signals about the effectiveness of board risk oversight across organizationsA strong majority indicate that their boards are not formally executing mature and robust risk oversight processes. If ERM is viewed as important especially in the wake of financial frauds and the recent global financial crises

May 2011

then what is the problem? Put simply, recognizing ERM as a critical business process with longer-term, sometimes intangible benefits isnt the same as integrating it as a critical business process. Is this a systematic and comprehensive process by which enterprise risk is identified? How do we determine that risks arent buried in silos? How do we determine that management and boards have frequent discussions on the top risks facing the enterpriseand whether they are being mitigated or managed to an acceptable level relative to objectives? How do we determine that risks identified in one part of the organization are rationalized with risks identified in another part of the organization (in some cases, the individual risks may not be material or probable, but, when interacted together, they may become material and/or probable)? Part of the integration challengeand hence overall effectiveness of ERMcan be solved with enabling technology, such as the open standard XBRL. As indicated earlier, XBRL has been focused primarily on external financial reporting, but users are increasingly looking for opportunities to leverage XBRL for other purposes. Investor demand for more transparency into corporate financials and the desire to accelerate the financial information supply chain are driving the need for faster, high-integrity reporting of financial results to multiple stakeholders. XBRL allows for increased transparency of financial information and easier access to financial and business data to meet such demands. The extensibility and flexibility that XBRL offers provides the potential for it to be adapted to a wide variety of applications and requirements, including ERM. The key issue that organizations face with ERM is the need to source and

manage data from multiple disparate systems and to manage multiple compliance management frameworks. Financial data generally resides in ERP or other accounting systems, while risk and control frameworks are either stored in spreadsheets or disparate point solutions. This leads to a manual process for compilation of data from financial and compliance management systems. So how does XBRL help with this issue? An XBRL-based solution makes it possible to extract and manipulate data from multiple sources and combine or consolidate such data to create data views and reports that can be repurposed for a variety of uses and/or users. In the context of ERM, XBRL can be deployed to support each of the key phases of the ERM processfrom risk identification to risk reporting and management. One of the key challenges of ERM is inconsistent understanding and interpretation of risks across the organization. At the risk identification and assessment phases, XBRL can facilitate the development of an inventory of risks relevant to an organization. These risks, along with relevant controls, can be structured into an XBRL-based risk and controls taxonomy comprising processes, subprocesses, control objectives, risks, and controls defined and structured in a standard taxonomy format. This provides a standard definition and approach for classifying risks and controls and facilitates consistent interpretation through the organization. With the ability to run an XBRL report or create an instance document at any time, XBRL also facilitates monitoring and management of risks, controls, and control activities, allowing organizations to proactively monitor and address compliance issues. Understanding which con-

trol activities are used to address risks and control objectives also assists organizations in evaluating the effectiveness of controls and identifying and leveraging leading practices for control activities across various business units. The XBRL Global Ledger (GL) is a standard that allows for the extraction or representation of financial as well as nonfinancial data found in enterprise source systems. The combination of the existing XBRL GL Taxonomy and a potential XBRL risk and controls taxonomy would allow for the integration of financial statement, global ledger, and compliance reporting to enable drilldown on financial statement items for specific risk or controls activities. The ability to drill into Internal Control details tied to Financial Statement accounts using XBRL, without the need for manual data compilation, is potentially a significant benefit of using an XBRL-based solution for ERM. XBRL is already being used in parts of the world for Basel II reporting of risks for credit institutions and investment firms. Financial regulators are also looking at XBRL for solvency reporting. A report published by Gartner in July 2010, Hype Cycle for Governance, Risk and Compliance Technologies, 2010, identifies financial reporting with XBRL as one of the emerging technologies and gives it a high benefit rating as a governance, risk, and compliance solution. To effectively use XBRL for ERM, there needs to be a shift in focus from using XBRL purely for external reporting to deploying XBRL capabilities for internal reporting and decision making. But XBRL technology alone isnt a silver bullet. Developing a sustainable long-term solution for ERM requires a focus on establishing a defined and concrete ERM
c ont inue d on p age 69
May 2011

S T R AT E G I C F I N A N C E

65

XBRL
c ont inue d from p age 65

process and leveraging XBRL-based solutions to support the process. SF Jeffrey C. Thomson, CMA, is the IMA President and CEO. You can contact Jeff at jthomson@imanet.org. Uma Iyer is a Senior Manager at Deloitte & Touche, LLP and a member of IMAs XBRL Standing Advisory Committee. You can contact Uma at uiyer@deloitte.com.

About DeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a U.K. private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

May 2011

S T R AT E G I C F I N A N C E

69

TECHNOLOGY

XBRL
By Kristine Brands, CMA, CPA

Peer Review: An Internal Control for the XBRL SEC Tagging Mandate
In 2009, the U.S. Securities & Exchange Commission (SEC) issued a mandate requiring that U.S. public companies submit their 10-K, 10-Q, and 8-K filings using eXtensible Business Reporting Language (XBRL). The final of the three phases of this mandate became effective for smaller filers with year-ends after June 15, 2011approximately 5,000 companies. Now all U.S. public companies are required to use the U.S. Generally Accepted Accounting Principles (GAAP) Financial Reporting Taxonomy (UGT) to meet this requirement. Compliance requires tagging these financial filings with XBRL tags for each account (element) on a companys financial statements. The requirement also applies to footnote disclosures. The mandate has provided more transparency in corporate reporting but at a cost to the companies trying to map their accounts to XBRL while trying to achieve full financial disclosure. Some of the problems the SEC identified were the creation of extension elements when existing elements existed, using the wrong element, and the need to add an extension element because an element necessary for disclosure didnt exist. For exam56 S T R AT E G I C F I N A N C E

ple, in 2009, United Airlines needed to disclose high fuel costs, but the UGT didnt have a term for it. To satisfy the disclosure, the company needed to add an extension for fuel costs. In response to the weaknesses of the 2009 UGT, the Financial Accounting Foundation (FAF), parent of the Financial Accounting Standards Board (FASB), released the 2011 UGT in February 2011. It includes more than 4,000 changes to address accounting standards changes and 1,900 new elements, which increases the number of elements to more than 15,000. While the improvements to the UGT will help U.S. filers improve the quality of their filings, the scope of this requirement continues to challenge those working to accurately map their accounts to XBRL. Some filers,

such as Microsoft, have adopted XBRL peer review to help them make informed tagging choices. Lets take a look at how Microsoft uses the peer review process and Rivet Pivot software to do this.

Peer Review
Companies are beginning to perform a review of their industry peers to compare tagging choices in their XBRL filings. This simply means comparing a companys financial statement tagging elements to those selected by the companys industry peers as well as all filers. Microsoft has taken the lead in peer review and uses a report designed by Rivet Software, Rivet Pivot, to automate this process. Because SEC financial filings are public records, all that a company needs to do is choose the peer company filings and dates and download them from the SEC website. According to Paige Hamack, Microsofts SEC Reporting Group accounting manager: An integral part of our XBRL reporting process at Microsoft is a quarterly analysis of the XBRL tags used by an alternating group of peer companies. This peer review helps us ensure that our XBRL reporting is complete and accurate and meets one of the most important
IMAGE COURTESY: ICLIPART.COM/MICR OSOFT

July 2011

RIVET PIVOT PEER REVIEW TAGGING EXAMPLE, COURTESY OF RIVET SOFTWARE

objectives of XBRL, which is comparability of similar information across companies. To perform this review, we use a custom report created by Rivet. Each quarter they perform the XBRL peer review to review the tags used by their peers but not used by them and vice versa, and to review reporting disclosures they make annually but that their peer group makes quarterly and vice versa. The key differences of the peer review are summarized and presented to senior management for review. Benefits of peer review analysis include having meaningful conversations with their peers about XBRL tag usage, explaining and defining XBRL judgment areas to senior management for review, and improving the quality of tagging, which will reduce questions from XBRL data users. While many companies have chosen to outsource their XBRL tagging

to third-party providers, that doesnt excuse a company from accurately tagging the data. Peer review is an important internal control to review the accuracy of XBRL tagging. Although theres a two-year limited liability for XBRL filings after a company complies with the SEC mandate, its always in a companys best interests to create high-quality filings to reduce the number of questions asked by stakeholders: analysts, the SEC, investors, and the Internal Revenue Service (IRS). Ted Stavropoulos, director of business development at Rivet Software, believes that the early benefits of XBRL SEC filings are enabling the SEC to analyze the filings by using decision rules to analyze the data to generate reports that identify outlier information. In the past, there was too much data to allow comprehensive analysis of inbound reporting by the SEC. Now that barrier has been

removed, and the SEC can use a riskbased approach to analyze the XBRL data to quickly identify companies that report outlier data. Think about the SEC using this data as the basis for additional questions in comment letters. Peer review provides you with valuable insight into your filings because you can compare your data to your peer groups data. Regardless of whether you use a software tool like Rivet Pivot or download your companys peer group from the SEC to an Excel spreadsheet and perform your own review, peer review will help your company improve the quality of SEC XBRL filings. SF Kristine Brands, CMA, CPA, is an assistant professor at Regis University in Colorado Springs, Colo., and is a member of IMAs Pikes Peak Chapter. You can reach her at kmbrands@yahoo.com.
July 2011

S T R AT E G I C F I N A N C E

57

TECHNOLOGY

XBRL
By Kristine Brands, CMA, CPA

A Tale of Two XBRL Taxonomies

The power of eXtensible Business Reporting Language (XBRL) is the transparency that it provides financial reporting. It allows financial statement users to analyze and compare their financial statements with those of other companies using XBRL-formatted statements. A key factor for achieving financial reporting transparency is the existence of a comprehensive and robust XBRL taxonomy because the taxonomy serves as a dictionary to define the accounting terms and standards that are used to tag the information in the financial statements. As a result, financial information can be searched electronically, allowing users to prepare, analyze, and process the data for their reporting needs. More robust taxonomies will improve the comparability of the XBRL filings. The U.S. Securities & Exchange Commission (SEC) recognized the importance of XBRL financial reporting when it issued a rule in 2009 mandating XBRL filings for companies listed on U.S. stock exchanges. Compliance with the rule was phased in over a three-year period. The final phase of the rule became effective June 15, 2011, requiring small-cap and Foreign Private Issuers (FPIs) to sub56 S T R AT E G I C F I N A N C E

mit XBRL filings for their financial reports to comply with the mandate. Because of the widespread global adoption of International Financial Reporting Standards (IFRS), many FPIs use IFRS for financial reporting. But because of issues with the IFRS XBRL (xIFRs) taxonomy, FPIs have been unable to comply.

didnt address common IFRS financial reporting practice concepts such as sales and aggregated sales and marketing expense. These concerns led the SEC to issue a No Action letter in early April 2011 stating that the Commission hasnt specified an accepted IFRS XBRL taxonomy. Since there is no SEC-approved XBRL IFRS taxonomy, FPIs cant meet the filing requirement until the SEC approves one. The No Action designation also means that FPIs wont be sanctioned for not filing XBRL financial statements.

Catch-22
The status of FPIs compliance with the SEC mandate is in a Catch-22. Although global adoption of IFRS for financial reporting has swept the globe, the xIFRS taxonomys development has met several challenges. The first xIFRS taxonomy was issued in late March 2011, barely a quarter before the FPIs filing requirement date. This release was two years after the first U.S. Generally Accepted Accounting Principles (GAAP) Financial Reporting Taxonomy (UGT) for the SEC mandate was released in 2009. The SEC and the Center for Audit Quality raised concerns that the SEC didnt have enough time to review and approve the xIFRS taxonomy, a step required by the mandate. They also noted that the number of concepts (the actual financial reporting elements) was inadequate and

What Are the Taxonomy Differences?

Lets examine some of the differences between the two taxonomies for insight into this problem. The UGT development effort, now headed by the Financial Accounting Foundation (FAF), issued the updated and improved 2011 UGT in February 2011. On September 1, 2011, it released the 2012 UGT for public review and comment, adding more improvements to meet filers reporting needs. The scheduled release date is early 2012. The managing body for xIFRS is the International Accounting Standards Foundation (IASF), which issued an interim xIFRS

October 2011

Figure 1

Source: http://xbr l.us/taxonomies/P ages/US-GAAP2011.aspx .

release on September 1 to address concerns raised by the SEC. The IASF is currently working on the 2012 xIFRS that will include improvements that are expected to meet SEC requirements and approvals. The exposure draft release date is scheduled for January 2012, and April 2012 is the targeted final release date. For the past three years, the UGT has been used for the mandate, and its revisions incorporate user feedback. xIFRS hasnt been road-tested. The difference in the breadth and depth of the taxonomies is an eye opener. The 2011 UGT includes about 15,000 financial reporting elements with several industry entry points, such as the Commercial and Industrial Taxonomy that applies to most companies. The 2011 xIFRS taxonomy weighs in at about 2,500 concepts. One reason for this vast difference is that xIFRS was designed to only address IFRS. The taxonomys initial scope was limited to concepts for IFRS disclosure requirements and guidance. Common financial reporting concepts

and local, jurisdictional, and industry-/ company-specific reporting requirements werent included. The limited number of concepts forces companies to add extensions to achieve disclosure requirements, which diminishes the power of XBRL-reported financial statements by compromising financial reporting comparability. The IASF responded to these issues by modifying the IFRS XBRL mission statement to include developing a taxonomy that meets financial users needs by including common financial concepts. A practical difference affecting taxonomy users is access. The UGT SEC Approved Taxonomies are readily accessible through an easy-to-use Web-based browser called Yeti (see Figure 1). The IFRS 2011 Taxonomy is accessible through a fee-based subscription to eIFRS content that includes the complete IFRS and xIFRS.

adoption thats expected in early 2012. The progress that the SEC has achieved with the XBRL reporting mandate during the past three years has dramatically improved the transparency of financial reporting. The initiative has benefitted financial statement users and regulators alike by providing access to all public filings. Yet the gap between the UGT and xIFRS taxonomies is substantial and must be closed before the U.S. adopts IFRS to prevent the loss of financial transparency ground. SF Kristine Brands, CMA, CPA, is an assistant professor at Regis University in Colorado Springs, Colo., and is a member of IMAs Pikes Peak Chapter. You can reach her at kmbrands@yahoo.com. Note: For more information on IFRS and XBRL, visit www.ifrs.org/XBRL/XBRL.htm, and on XBRL US GAAP Taxonomies Viewer US GAAP 2011 Taxonomy Yeti Viewer, visit http://xbrl.us/taxonomies/Pages/USGAAP2011.aspx.
October 2011

The Future
The global financial community is awaiting the SECs decision about U.S. IFRS

S T R AT E G I C F I N A N C E

57