However, while the introduction of additional judgments and estimates may provide greater opportunity for fraud, the additional disclosures required by the standard theoretically would make it more difficult for the fraudsters to cover their tracks when justifying certain financial reporting practices.

A Look at the New Standard

In May of 2014, the Financial Accounting Standards Board and the International Accounting Standards Board concluded a joint project which resulted in an update to the standard that deals with when and how revenue is recognized. Public companies were required to implement the new revenue recognition standard into their annual reporting beginning December 15, 2017. Non-public companies, including non-profit organizations, have an extra year to do the same.

The new standard includes a core principle, which states that an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.

The new revenue recognition standard can be summarized in the following five steps.

The standard also calls for increased disclosures, affording companies the opportunity to provide financial statements users with comprehensive information about the nature, amount, timing, and uncertainty of revenue and cash flows arising from contracts with customers. Additionally, the new standard requires a company to provide quantitative and qualitative information about assets recognized from the costs to obtain or fulfill a contract with a customer.

Detecting Fraud Risk

A study by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) of 347 financial statement fraud cases found that improper revenue recognition schemes accounted for 61 percent of fraudulent financial reporting occurrences investigated by the SEC. Common instances of revenue recognition schemes include:

• Improper cut-offs: Holding the books open beyond the end of an accounting period to record end-of-period sales or “stealing sales” from later periods;
• Bill and hold arrangements: Certain sales agreements that allow goods to be sold but not shipped to a customer and are “held” in a company or a third party’s warehouse;
• Sham related-party transactions: Recording intercompany transactions as external sales, and sales of assets from one related party to another;
• Fictitious sales: Shipment of product to a non-existent customer, sales recorded based solely on purchase orders, sales recorded for canceled, or duplicate orders;
• Round tripping: Sale of product with an agreement to repurchase, recording transactions that occur between two companies for which there is no economic benefit to either company;
• Channel stuffing: Offering distributors or other third parties short-term discounts incentivizing them to overbuy, inducing customers to order more goods than they normally would through offers of discounts and other incentives;
• Side agreements: Agreements created outside of the normal and proper recording channels); and
• Early delivery of product/recognizing revenue prior to “earning” or “realizing” the value: Engaging in soft sales, recognizing full amount of revenue on contracts where services are due, recognizing full amount of revenue on fees collected up front instead of deferring or amortizing.

While companies have been anticipating and preparing for the new revenue recognition standard, fraud risks may not become evident until companies review the details of how the guidance will apply to their transactions.

Steps to Address Fraud Risks

There are some actions companies should consider as a proactive approach to managing fraud risks. One consideration is to form an internal triad defense team consisting of legal/compliance, finance, and internal audit who can collaborate and coordinate efforts to address fraud prevention and detection. Further, companies may want to consider a governance structure with roles and responsibilities clearly defined as to who will be responsible for overseeing the initial implementation and ongoing financial reporting requirements.

It is also important that relevant personnel be educated on the new revenue recognition standard, associated fraud risks, and the control framework for assessing and mitigating these risks. In the event a historical issue is uncovered during the standard’s implementation phase, personnel need to know how to escalate the issue within the company. This could result in an investigation, remediation, or restatement.

A company’s risk assessment, including its fraud risk assessment, also may need to be revisited. This would include conducting a brainstorming session to outline changes to existing and new risks. Those risks should be linked to existing mitigating controls, and any gaps in controls should be addressed.

Further, internal audit programs and other methods of ongoing monitoring may need to be revisited and updated to address the risk of fraud. Companies need to be in a position to perform ongoing monitoring through periodic testing. This can be aided through the use of data analytics.

Should outliers in the data be identified, then transaction testing may be appropriate to determine the reason for these outliers. Based on the results of the transaction testing, the company may identify weaknesses or gaps in controls and decide to take steps to implement remedial controls to mitigate these risks.

For a fraud detection and prevention program to be effective incentives and disciplinary activities should be clearly defined in policy language. In the case of a compliance breach, disciplinary procedures should be applied promptly, consistently and be commensurate with the violation. A company also may want to consider a reward system based on ethics and compliance rather than strictly on financial performance and consider whether the personnel who set and oversee policy and its application should be paid based on company performance.

Also, a mechanism for employees or third parties to report suspected or actual misconduct or violations of a company’s policies on a confidential basis and without fear of retaliation should be in place. Most frauds are identified through hotlines or tips. In the instance a fraud occurs, a company should have policies and procedures in place to perform timely and effective investigations. An investigations manual detailing how investigations are to be conducted, documented, reported, and remediated can be beneficial in supporting consistency in this process.

Questions for Management to Consider

The legal/compliance, finance, and internal audit functions often are able to support fraud prevention and management efforts, and this cross-functional view can help companies make decisions about whether they have the infrastructure in place to effectively manage fraud risks.

Some questions for management to consider include:

• Are there existing personnel with the requisite skillsets and bandwidth to identify potential fraud risks and proactively monitor and advance data analytics?
• Does the company have the necessary technological capabilities to identify potential control exceptions or data outliers?
• If exceptions or outliers are identified, is there a protocol in place for these to be escalated and addressed?
• What types of reporting requirements will result from such findings? Who are the stakeholders who should be involved? How will any issues be remediated?

It’s natural for many companies to feel they have an existing control infrastructure that will allow them to manage these risks proactively, but as often is the case, revenue recognition can be fertile area for fraud based on the incentive, opportunity, and rationale that may be present when applying the standard.

Article originally published in the Deloitte portal of the Wall Street Journal’s website.

— Produced by Anthony Campanelli, partner, and Nicholas Florio, principal, both with Deloitte Risk and Financial Advisory, Deloitte & Touche LLP.

*Earnings before interest, taxes, depreciation, and amortization