XBRL is gaining momentum as reporting agencies require their constituents to report using the standard. But how about using it within an organization? I used to work in the internal audit department of a major software company and I’ve been thinking about how XBRL can help in that realm.
A good internal audit department audits based on risk. A risky area, say derivatives trading, deserves a lot more attention from internal audit as opposed to a non-risky area, like marketing. However, internal audit needs information in order to assess risk. If they can’t assess risk, they end up auditing areas that don’t really matter and miss out on the areas that do.
In a large organization, internal audit will be choosing from a diverse set of risks such as:
- risk of financial statement misrepresentation
- lawsuits deriving from illegal hiring practices
- bribery charges stemming from a foreign operation
- purchasing managers colluding with suppliers
- inventory shrinkage
- rogue traders
- a lack of a disaster recovery plan for critical IT systems
The list could go on and on since each part of the organization has its own set of risks.
So the question is how to determine where to allocate audit resources in order to mitigate these risks. Getting a global vision of the activities that require internal audit’s attention is a transparency problem. This is one of the very things XBRL is excellent at resolving. By creating a taxonomy of relevant data points, then collecting that data and tagging it with the proper elements, one can create a data warehouse of risk-related information that can then be used by internal audit to make effective decisions.
One such project has been initiated by OCEG (http://www.oceg.org/Details/GRC-XML). OCEG is a nonprofit organization dedicated to providing standards and metrics for governance, risk management, and compliance (GRC). The organization announced in September 2008 that they would be developing a taxonomy dedicated to GRC. While I’m unsure of the status of the taxonomy at this time, the other tools to make this a reality are available now.
I imagine the workflow of an XBRL-savvy internal audit department would be something like this:
- Create XBRL-enabled interview templates for the initial data gathering stage. These would be questions designed for managers representing each core function of the organization.
- Conduct phone interviews and fill in the templates with the appropriate responses.
- Create instance documents from the templates (an instance document consists of the business facts being reported, and a collection of the taxonomies which define metadata about these facts, such as what the facts mean and how they relate to one another).
- Load the instance documents into a data warehouse.
- Analyze the results.
- Select the area considered to be the most deserving of internal audit’s attention.
- Perform the audit using the normal procedures, but any data produced from the audit would be captured using XBRL.
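The middle of this workflow (templates to instance document to analysis) can be shown in a few lines of Python. This is an added example, not code from the original post or from any Rivet product; the `risk` taxonomy namespace, the concept names `InherentRiskScore` and `ControlWeaknessScore`, the `audit-risk.xsd` schema reference, the identifier scheme and the scores are all hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {  # "risk" is a hypothetical extension taxonomy, not a published one
    "xbrli": "http://www.xbrl.org/2003/instance",
    "link": "http://www.xbrl.org/2003/linkbase",
    "xlink": "http://www.w3.org/1999/xlink",
    "risk": "http://example.com/taxonomy/audit-risk",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed interview answers: business function -> scores on a 1-5 scale.
INTERVIEWS = {
    "DerivativesTrading": {"InherentRiskScore": 5, "ControlWeaknessScore": 4},
    "Purchasing": {"InherentRiskScore": 3, "ControlWeaknessScore": 4},
    "Marketing": {"InherentRiskScore": 1, "ControlWeaknessScore": 2},
}

def q(prefix, name):
    return f"{{{NS[prefix]}}}{name}"  # ElementTree's {uri}local form

def build_instance(interviews, instant="2009-12-31"):
    """Filled-in templates -> one instance document (as an XML string)."""
    root = ET.Element(q("xbrli", "xbrl"))
    ET.SubElement(root, q("link", "schemaRef"), {
        q("xlink", "type"): "simple", q("xlink", "href"): "audit-risk.xsd"})
    unit = ET.SubElement(root, q("xbrli", "unit"), id="pure")
    ET.SubElement(unit, q("xbrli", "measure")).text = "xbrli:pure"
    for function, answers in interviews.items():
        ctx = ET.SubElement(root, q("xbrli", "context"), id=f"ctx_{function}")
        entity = ET.SubElement(ctx, q("xbrli", "entity"))
        ET.SubElement(entity, q("xbrli", "identifier"),
                      scheme="http://example.com/functions").text = function
        period = ET.SubElement(ctx, q("xbrli", "period"))
        ET.SubElement(period, q("xbrli", "instant")).text = instant
        for concept, score in answers.items():
            ET.SubElement(root, q("risk", concept), contextRef=ctx.get("id"),
                          unitRef="pure", decimals="0").text = str(score)
    return ET.tostring(root, encoding="unicode")

def rank_functions(instance_xml):
    """Load the facts, resolve each contextRef, rank functions by total score."""
    root = ET.fromstring(instance_xml)
    contexts = {c.get("id"): c.find("xbrli:entity/xbrli:identifier", NS).text
                for c in root.findall("xbrli:context", NS)}
    totals = {}
    for fact in (el for el in root if el.tag.startswith(q("risk", ""))):
        function = contexts[fact.get("contextRef")]  # KeyError: undeclared context
        totals[function] = totals.get(function, 0) + int(fact.text)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

Each fact carries only a value and a `contextRef`; which business function it describes comes from the context, so a fact whose context is missing is rejected rather than silently counted.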
Of course, there are many details to be hammered out but this gives a general road map of how it could be done and yes, it can be done today.
To give you an example of the tools that are available for using XBRL for whatever purpose you think is appropriate, I was interested in gathering economic data to get a feel for the economy. I wanted to see if the United States was pulling out of the current recession so I gathered leading indicator data from several sources (the Bureau of Labor Statistics, the Census Bureau, the Federal Reserve, etc.). Of course, this data is not in XBRL format (maybe someday!) so I created elements for this data by extending the US-GAAP 2009 taxonomy using Rivet’s Crossfire Preparer. I then, in Crossfire Preparer, created a template (a template basically looks like an Excel spreadsheet but contains all the metadata needed to describe each fact) and imported the data from Excel. At that point, I created an instance document. The instance document was loaded into Rivet’s Crossfire Analyst (our data warehouse) and from there I could easily analyze the data however I wanted and even combine it with data from SEC filers. It was probably eight hours of work, including the data gathering piece which includes data going back to 1995.
I know these things can be done without XBRL, but the beauty of XBRL is the standard taxonomy that enables data to be defined and shared across departments, organizations, and system platforms. In the internal audit scenario, once a well-defined taxonomy, which includes all the necessary concepts and relationships, is developed, the data and the metadata can be shipped all across the organization and each consumer of the information needs only an XBRL viewer to digest the information (however, tools like Crossfire Analyst make it much easier to analyze the data). XBRL is taking hold in a business-to-government setting. It’s time it took hold in an intra-business setting too.