Author Archive for Bill Zoellick

XBRL and The Truth

Can tags lie? Of course they can. But this is usually not a problem because
incorrect or misleading tagging typically causes trouble for the very same
people who are doing the tagging. This gives them an incentive to get the tags
right. And, if the tags aren’t right, there is an incentive to fix them.

Consider an XML-based publishing application. I want to get the tags right so
that the presentation comes out right. Or, in a syndication application, I
want my tags to be semantically, not just syntactically, correct, because I want
someone else to use and link back to my information. Even in an XML-based
commercial transaction, where there might in fact be more incentive for me to
have the tags tell lies — increasing the quantity of goods shipped, for example
— the external controls already built into the transaction (counting the
quantity of goods received, for example) create an incentive to ensure that the
tags tell the truth, reducing overall processing costs and ensuring repeat
business.

All of this changes when we use XBRL to communicate financial information to
analysts and investors. The incentives to misrepresent information or, in some
cases, to hide it altogether, are substantial. This makes XBRL different from
many other XML applications and requires a different approach to validation.
This is not just a detail. The shift from intrinsic incentives that help get the
tagging right to a need for external controls changes the way XBRL is used. It
also adds to the list of capabilities that must be in place to build an XBRL
market. 


Aligning Expectations With XBRL’s Maturity

A couple of days ago I wrote about an instance of XBRL’s leaping over the
market chasm to see use in a no-nonsense, pragmatic, "early majority"
application. This isn’t
just idle marketing chatter. The question of where XBRL stands along the
technology adoption curve is one that any organization or company thinking about
using XBRL needs to be asking. Just how mature is this technology? How big a bet
can you put on it? And if you do make a bet, what steps do you need to take to
hedge it?


XBRL and the Chasm

On Tuesday of last week XBRL-US sponsored a set of presentations in
Washington, D.C. focused on "XBRL in Government and Industry." The
conference was hosted by the Federal Deposit Insurance Corporation (FDIC), which
was appropriate since it was the FDIC that was the source of some of the most
significant XBRL activity announced at the conference. 

Here is the news: By October 1 of this year, the more than 8300 banks
submitting Call Report data to the FDIC, the Federal Reserve System, and the
Office of the Comptroller of the Currency will be required to do so using XBRL.
Because most banks submit these reports through use of software and services
supplied by a handful of vendors, this requirement will not bring about changes
in the internal operations of most banks. The initiative does, however, represent a
significant application of XBRL, and opens the door to greater reuse of data and
simplification of workflows for other regulatory reporting requirements. It is
also a good example of the kinds of broad improvement in financial information
communication and processing that XBRL enables.


XBRL and The Big Stick

On Wednesday of last week PR Newswire sponsored a set of webcast
presentations on XBRL. This was part of PR Newswire’s increasing engagement with
XBRL. The company is in the business of publishing earnings releases and would
like to see more of them arriving tagged in XBRL. To that end, PR Newswire has
entered into a number of agreements with technology firms and others engaged in
XBRL. Last week’s panel discussion showcased an agreement with Rivet Software,
in which PR Newswire offers Rivet’s Dragon Tag tool, which can be used to set up
XBRL tagging of documents from Microsoft Excel and Word. The panel included
Campbell Pryde, Executive Director at Morgan Stanley; Wayne Harding, VP Business
Development at Rivet Software; Daniel Roberts, National Director of Assurance
Innovation at Grant Thornton LLP and Vice-Chair US Adoption for XBRL-US; and Liv
Watson, Vice President of XBRL at EDGAR Online, Inc.

The presentations would be useful for anyone wanting an update on XBRL
issues. They are available in an online archive.

As anyone following my contributions on the Gilbane blogs knows, I think that
XBRL is an important early-stage standards initiative. I also find myself
wondering about the eventual pace and scope of XBRL adoption. In particular, I
have been wondering what will drive adoption. Much of the early
XBRL activity has been focused around external financial reporting–rather than
internal use of XBRL–and I have been wondering where the payoff would be for a
company. If the benefits of these early XBRL initiatives go primarily to
external users, what is the motivation for the investment?


Document Retention in Light of Today’s Supreme Court Reversal of Andersen Verdict

Today’s Supreme Court ruling reversing the decision against Arthur Andersen
is big news in the compliance world. My bet is that it will have two important
effects–both good. 

The first is that, once again, it will be OK to destroy documents in
accordance with a company’s retention policy. The second is that it is going to
become even more obvious to companies that they really do need to have a
carefully designed document retention policy, along with a way to ensure that it
is implemented and monitored.


PCAOB Clarifies SOX Compliance Rules

Yesterday the Public Company Accounting Oversight Board (PCAOB) issued its
response to concerns that Sarbanes Oxley Section 404 requirements were onerous,
unwieldy, and just too expensive. The PCAOB published a policy statement
that affirmed the goals and requirements in the regulations
implementing Section 404, which requires that public companies have effective
internal controls over financial reporting and requires that an independent
auditor provide an opinion regarding the effectiveness of these controls. No
surprise there.

What was more interesting and important was that the PCAOB did acknowledge
that many first year audit efforts were inefficient and too expensive. The
important parts of the statement called for a top-down, rather than bottom-up,
approach to internal control assessment. The PCAOB also made important
clarifications about the kinds of interactions between auditors and the
companies that they audit that are permissible and useful.

Understanding this business about "top-down" and
"bottom-up" is easier if you put it in the context of how auditing
practice has developed over time. Without that big picture perspective, Section
404 and the PCAOB statements sound like a lot of accounting jargon. But, given
the perspective, it is easier to see that we are talking about some fundamental
changes–and about expense and confusion emerging from not getting the changes
right during this past year.


The Operational Approach to Governance, Risk Management, and Compliance

Today marks the official release of the public draft of the governance, risk
management, and compliance (GRC) paper that I have worked on over the past
couple months with Ted Frank, of The
Compliance Consortium, and others. The writing of the paper was driven by
three convictions:

  • GRC stands apart: Governance, risk management, and compliance are
    all of a piece–and they are related to a coherent set of objectives and
    practices that are fundamentally different from the other things going on in
    an organization.
  • GRC needs high level attention: Governance, risk management, and
    compliance comprise a set of concerns and objectives that must be dealt with
    at the board of directors and senior management level.
  • GRC is manageable: Even though governance, risk management, and
    compliance touch thousands of processes and objectives throughout an
    organization, there really is a small, manageable set of concerns that
    should inform board and management decision-making.


XBRL and Compliance

I have just finished working on a paper with an industry group that is concerned with compliance issues. The paper takes a broad look at enterprise-wide compliance issues, as distinguished from the trap (an easy one to fall into) of dealing with compliance in a fragmented way, driven by the demands of different (and changing) regulations.

What are the requirements for an enterprise-wide, operational approach to compliance? Well, to get the full answer you will need to read the paper when it comes out in the next few weeks. But there was one requirement – a requirement that I want to talk about here – that ties into the threads and postings about XBRL here on the Gilbane website.

One of the first, big steps toward getting a broader, more useful view of “compliance” consists of applying it to internal control procedures, rather than just in reference to external requirements. “Compliance,” in this view, means doing what is right for the organization.

Take relations with donors within a non-profit organization as an example. Compliance, in this instance, means that the staff follows the organization’s procedures for contacting donors, working with donors to structure gifts for maximum tax advantage, and staying in touch with and supporting donors after the gift has been given. Compliance, in this sense, means making use of what the organization has learned over time. Compliance is the means by which the organization ensures that learning is retained and put into practice.

Stepping back from the particulars and looking at the general case, compliance is one part of the mechanism by which an organization responds to its environment — to the sources of support, to threats, and, of course, to rules put in place by governments. Compliance–the exercise of internal control systems–is how the organization regulates itself so that it survives and thrives in its environment. To use a human analogy, your body’s responding to infection is a kind of compliance response. At a higher level, using learned compliance, your responses in a business meeting–measuring your reactions, thinking before you speak–are also forms of control and compliance.

The point of taking this broader view of compliance is, of course, to help organizations deal more deliberately and productively with the process of making decisions and taking risks.

But … when you put this good thinking and theory into practice, you run into a problem. The problem is that, for each component in this overall compliance system, the key to making the system work is always in the details–BUT–at the same time, you want to somehow get these systems to connect with each other.

And, they DO connect with each other. When you connect the details of responding to infections with the details for responding to a business meeting, for example, you find that it is very difficult to put all the tact and learning about social interactions into play when you are running a raging fever.

This isn’t a far-fetched analogy. When you take a close look at the day-to-day operations at Enron, courtesy of a book such as Kurt Eichenwald’s Conspiracy of Fools, it is hard to escape the sense that the Enron tragedy grew from a combination of thousands of small infections coupled with a couple of big instances of shortsightedness and fraud. The interesting question raised by a book like Eichenwald’s is one of how the entire system managed to get out of control–and, if we can understand that–how can we prevent such interactions in the future.

So, the problem is one of finding a way to operate effectively both at the level of forest and at the level of trees. You’ve got to sweat the little things to make compliance work, but you also have to see how the little things work together in big ways.

One reason that this is so difficult is that many of the different, “tree-level” compliance efforts use different terms, because they reflect different concerns. Calibration of lab instruments is an important aspect of compliance. Protecting privacy of patient records is another aspect of compliance. Tracking costs for clinical trials is yet another. Each uses a different language, reflecting different concerns. Yet all of these activities, taken together, contribute to assessing the health of a pharmaceutical research effort.

Successful governance–overseeing these compliance efforts and understanding what they are telling us–depends on finding a way to abstract the common elements and concerns. Communication of the common concerns depends on defining a “forest level” view that imposes uniform, organization-level language and perspective on all the tree-level activities.

My sense–and I am putting this out here for discussion and argument–is that XBRL is a good candidate for doing this. Taxonomies are a large part of what XBRL is all about, and XBRL has the flexibility, viewed as a formal language, to describe taxonomies at the level of “trees” and to link those “tree-level” concepts back up to a set of concepts that are appropriate to the needs of someone who wants to see and manage the “forest.”

Taking my pharmaceutical research example, XBRL taxonomies could describe the disparate concerns of instrument calibration, patient records, and financial costs, recording and tagging the facts associated with each of these areas of activity. The recording and identification of these facts would be an integral part of each detailed control process. At the same time, XBRL could be used to capture exception conditions and other aggregations, supporting high-level management control systems.

I would be interested in reader feedback on this idea. I am pretty sure that we do need a way to move from trees to forest and back again, and it seems to me that XBRL is set up to do that job. What do others think?