Insource or Outsource?
What choices do we have in implementing XBRL? Outsource the XBRL filing to a third party? Internally use purchased software? Is there another choice?
Many third parties will help companies fulfill the XBRL compliance requirement on an outsource basis. There are also SEC approved XBRL software vendors that will sell you software so you can complete the compliance process every quarter and year end yourself.
Are Outsourcing or Insourcing the best choices you have? What about other “hidden” issues like procedures, controls, audit trails, risk mitigation and the like? After all, your XBRL Instance Document is only as good as the tags associated with your unique data.
Most companies think they have two choices for complying with the SEC’s XBRL mandate. The first choice is thought to be outsource and the second choice is thought to be “insource”. In reality, a blending of these choices is more realistic. Let’s consider each and explain why they typically lean toward a blended approach.
When outsourcing, SEC filers choose a partner to do the heavy lifting of selecting and mapping XBRL tags to financial reporting facts, creating custom extensions, building the extension taxonomy and populating the instance document – in short creating the XBRL filing. In reality this process is iterative whereby the partner creates the XBRL files then returns some form of rendering (often a web based tool or an Excel workbook) for review. The SEC filer must review and comment on the tags selected and make changes where desired. There are usually three to five rounds of tag selection and approval, so the SEC filer is involved all along the way. In other words, you can outsource but you can’t abdicate your role.
When “insourcing”, companies must do most of the heavy lifting themselves. There are many factors to consider when insourcing including what software tool to use, how to overcome the steep learning curve, what tags to choose, how to validate the files produced (usually the software tool can address this) and what internal procedures will be followed for gaining approval of the tags selected. The level of effort is significantly greater using this approach and will involve expert help from external partners due to complexity of initial XBRL implementation. You can insource, but you can’t eliminate your XBRL partners.
The Blended Approach
Companies should realistically consider initial XBRL implementation as neither purely outsource nor purely insource. With experience the insource approach can be fully realized, but not for initial compliance. By thinking about implementing XBRL using a blended strategy, companies can proactively choose what portion of XBRL implementation to tackle internally and what portion to trust to their partners.
The Integrated Approach
Companies should seek to integrate XBRL into their financial reporting systems over time. By doing so they can take advantage of XBRL enabled data validation and reuse. The goal would be to tag data deep with financial systems so that the tagged data can flow through the financial reporting value chain from bottom to top. One result of a fully integrated approach is automated production of XBRL tagged SEC filings.
The XBRL Continuum
Implementation and maintenance of XBRL should be seen as a continuum of choices. The XBRL continuum could be graphically depicted in this way:
As XBRL technologies mature and companies get past the learning curve, their processes should move from outsource toward integrated over time. By thinking about XBRL implementation as a continuum of choices, companies can develop an XBRL strategy that realizes the benefits of validated and contextualized data that persists throughout the financial reporting process.
The Risk Factor
For the first two years that you submit XBRL instance documents to the SEC, the XBRL portion of your filing will be considered “furnished” rather than “filed”. As such, your interactive data (as the SEC calls it) will not be fully subjected to security laws. After the first two years, your XBRL filings will be subject to the all the security laws your paper filings are subject to. With SEC compliance risk applied to your XBRL effort shouldn’t you be paying attention to internal controls, proper use of taxonomies and data tags?
Management of risk must be a key component of your XBRL strategy. Addressing change control, audit trails, review and approval, SOX compliance, IT controls is vital to your XBRL success. XBRL will open the window to your data in a disaggregated way. As former SEC chairman Cox said “Interactive data will let the sun shine in as never before.”
Many internal control factors need to be considered. With respect to areas of control companies should consider:
- Source data accuracy
- Correct taxonomy selection
- Accurate taxonomy extensions
- Correct application of “tags”Calculations function properly
- XBRL renderings match what is communicated in HTML filings (not formating but content and context)
There also many types of controls to consider like change control, version control, review and approval, SOX compliance, IT controls and spreadsheet controls. No matter how you comply with the SEC’s XBRL mandate, make sure you think beyond compliance.
What will your XBRL implementation choices be?