Heads Up — Internal control considerations related to adoption of the new revenue recognition standard
by Jennifer Burns, Amy Steele, and Amy Groves, Deloitte & Touche LLP
Introduction
As companies work to adopt the FASB’s revenue standard (ASU 2014-091), it is critical that internal control considerations be front and center. SEC filing data show that revenue recognition is one of the most common accounting issues that trigger a material weakness.2 These data underscore the importance of focusing on the internal control impacts of adopting the new revenue standard and support comments by SEC Chief Accountant Wesley Bricker, who has said that “[i]t is hard to think of an area more important than ICFR [internal control over financial reporting].”3
This Heads Up discusses certain considerations with respect to internal control and the adoption of the new revenue standard. For a comprehensive discussion of the new standard, including an analysis of other potential implementation issues, see Deloitte’s A Roadmap to Applying the New Revenue Recognition Standard.
Preadoption Disclosure Controls
The SEC has been emphasizing the importance of transition-period disclosures (or preadoption disclosures) in accordance with SAB 74.4 These disclosures should be both qualitative and quantitative and should be included in MD&A (subject to disclosure controls and procedures) and the footnotes to the financial statements (subject to ICFR). The SEC staff has also made clear its expectation that the preadoption disclosures become more robust and quantitative as the new standard’s effective date approaches.
In light of the SEC’s guidance and recent comments from the SEC staff, such disclosures should address the impact the new revenue standard is expected to have on the financial statements and should include:
- A comparison of the company’s current accounting policies (which, to the extent available, could include tabular information or ranges comparing historical revenue patterns) with the expected accounting under the new standard.
- The transition method (full retrospective or modified retrospective) elected.
- The status of the implementation process.
- The nature of any significant implementation matters that have not yet been addressed.
A company that is able to reasonably estimate the quantitative impact of the new standard should disclose those amounts. Some disclosures may therefore include pro forma financial statements under the full retrospective method.
Internal controls over these preadoption disclosures are important to management’s ability to address the risks that the disclosures are inaccurate or incomplete. Management should first identify whether appropriate internal controls exist for the disclosures and then specify the information and analysis used to support them. Then, management needs to test the design and operating effectiveness of the relevant controls given that they should be included within the scope of management’s report on ICFR in the year before the adoption of the new revenue standard, as applicable.
When assessing whether appropriate internal controls exist with respect to the preadoption disclosures, management may consider whether procedures are in place regarding:
- Competence — The preadoption disclosures are prepared by competent individuals with knowledge of the new revenue standard and potential impacts on the company.
- Compliance — The disclosures meet the SEC’s requirements and guidelines.5
- Data quality — The quantitative disclosures (if known and estimated) are calculated on the basis of reliable inputs that are subject to appropriate internal control.
- Review — The disclosures are reviewed by appropriate levels of management.
- Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately reviews the internal controls in accordance with company protocols. In addition, the audit committee is involved in the oversight of the disclosures’ preparation.
Internal Control Considerations Related to the Adoption of the New Standard
Internal Controls Over the Adoption
There are often unique circumstances and considerations associated with the adoption of a new accounting standard that can pose a higher risk of material misstatement to the financial statements. Thus, companies should consider the circumstances that may only be present during the adoption period and evaluate whether there are any unique risks that require “one-time” internal controls that may operate exclusively during the adoption period. Management should also consider the internal controls, documentation, and evidence it needs to support:
- Entity-level controls such as the control environment and general “tone at the top.”
- Identification of material revenue streams and different contract types within those revenue streams.
- Accounting conclusions reached (such as by preparing accounting white papers or internal memos memorializing management’s considerations and conclusions), including the impact to other account balances such as costs of sales or services, contract assets and liabilities, and income tax accounts.
- Information used to support accounting conclusions, new estimates, adjustments to the financial statements, and disclosure requirements.
- Identification and implementation of changes to information technology systems, including the logic of reports.
- The transition approach selected.
- The accounting logic used and journal entries (including the transition adjustments) that record the adoption’s impact.
- Any practical expedients applied and related disclosures.
- Changes to the monthly, quarterly, or annual close process and related reporting requirements (e.g., internal reporting, disclosure controls and procedures).
See Appendix A of this Heads Up for considerations related to additional risks and internal controls.
Five-Step Model, Related Risks, Internal Controls, and Documentation
The new revenue standard requires companies to apply a five-step model for recognizing revenue. As a result of the five steps, it is possible that new financial reporting risks will emerge, including new or modified fraud risks, and that new processes and internal controls will be required. Companies will therefore need to consider these new risks and how to change or modify internal controls to address the new risks.
For example, in applying the five-step model, management will need to make significant judgments and estimates (e.g., the determination of variable consideration and whether to constrain variable consideration). It is critical for management to (1) evaluate the risks of material misstatement associated with these judgments and estimates, (2) design and implement controls to address those risks, and (3) maintain documentation that supports the assumptions and judgments that underpin its estimates. Mr. Bricker recently pointed out that management should consider whether controls, including those related to tone at the top of the organization, “support the formation and enforcement of sound judgments [required under the new standard] or whether changes are necessary.”6 Appendix A of this Heads Up outlines the five-step revenue recognition model and contains sample risks and controls for consideration.
Significant Changes in Information and Related Data-Quality Needs
Companies will need to gather and track new information to comply with the five-step model and related disclosure requirements. Management should consider whether appropriate controls are in place to support (1) the necessary information technology (IT) changes (including change management controls and, once the IT changes have been implemented, the testing of their design and operating effectiveness) and (2) the accuracy of the information used by the entity to recognize revenue and provide the required disclosures. The table below illustrates some potential challenges and examples of practices.
Potential Challenge | Example of Internal Control Practice |
---|---|
|
|
Applying the COSO Principles
The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control — Integrated Framework (the “2013 COSO Framework”) provides a framework for designing and evaluating internal controls through the use of 17 principles and related guidance. As companies implement the new revenue standard, particularly those that apply the 2013 COSO Framework in management’s assessment of ICFR, they should consider the COSO principles in evaluating and designing controls (including those related to recognizing revenue and data quality, as discussed above). In addition, as new controls are designed and implemented, control owners should consider the evidence and documentation that will be available to support management’s assessment of ICFR. See Appendix B of this Heads Up for further discussion.
Evaluating Material Changes in Internal Control
SEC registrants are required to disclose any material changes8 (including improvements) in their ICFR in each quarterly and annual report in accordance with Regulation S-K, Item 308(c). SEC guidance explains that materiality would be determined on the basis of the impact on ICFR and the materiality standard articulated in TSC Industries Inc. v. Northway Inc.9 (i.e., that “an omitted fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote”).
As discussed previously, the adoption of the new revenue standard will probably require management to implement new controls or modify existing ones to address new or modified risks of material misstatement. Such changes in internal control, if material, as a result of the adoption of a new accounting standard, will trigger disclosure requirements. In addition, management should consider whether there are appropriate controls with respect to identifying and disclosing material changes in ICFR.
For example, management may consider whether there are controls related to the following:
- Compliance — Processes are in place to identify and evaluate material changes in internal control. Further, protocols exist for developing appropriate disclosures and reporting such information to appropriate levels of management (e.g., those signing the quarterly and annual certifications required under SEC Regulation S-K, Item 601(b)(31)10).
- Review — The disclosures are reviewed by appropriate levels of management (including, as warranted, those signing the quarterly and annual certifications).
- Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately considers the state of the entity’s ICFR to identify changes and monitors controls in accordance with company protocols. In addition, the audit committee is involved in the oversight of the disclosures’ preparation.
In developing the required disclosures, companies should clearly state whether a material change has occurred and, if so, describe the nature of the change. The SEC staff has commented when a registrant has not explicitly asserted whether there has been a change in ICFR in the most recent fiscal quarter that could have a material effect on its ICFR. The staff has further stressed that registrants should avoid “boilerplate” disclosure in which they state that there have been no material changes affecting ICFR in a period, particularly when there have been identifiable events such as changes in accounting policies.
Illustrative Disclosures — Material Change in Internal Control |
---|
Example — Several Quarters Before Adoption During the quarter ended June 30, 20XX, we implemented new controls as part of our efforts to adopt the new revenue recognition standard. Those efforts resulted in changes to our accounting processes and procedures. In particular, we implemented new controls related to:
We evaluated the design of these new controls before adoption during the quarter ended June 30, 20XX. As we continue the implementation process, we expect that there will be additional changes in ICFR. However, there were no other changes in ICFR during the quarter ended June 30, 20XX, that materially affected ICFR or are reasonably likely to materially affect it. Example — Shortly Before Adoption During the quarter ended December 31, 20XX, we implemented a plan that called for modifications and additions to ICFR related to the accounting for revenue as a result of the new revenue recognition standard. The modified and new controls have been designed to address risks associated with recognizing revenue under the new standard. We have therefore augmented ICFR as follows:
There were no other changes in ICFR during the quarter ended December 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it. Example — Upon Adoption We implemented the new revenue recognition standard as of January 1, 20XX. As a result, we made the following significant modifications to ICFR, including changes to accounting policies and procedures, operational processes, and documentation practices:
Other than the items described above, there were no changes in ICFR during the quarter ended March 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it. |
Appendix A — Examples of Risks and Internal Control Considerations for the Adoption of the Revenue Standard and the Five-Step Model for Recognizing Revenue
Core Considerations | Examples of Risks | Examples of Control Considerations11 | |
---|---|---|---|
Adoption period |
|
Internal controls related to:
|
|
Five-Step Model |
1. Identify the contract with the customer |
|
Internal controls related to:
|
2. Identify the performance obligations |
|
Internal controls related to:
|
|
3. Determine the transaction price |
|
Internal controls related to:
|
|
4. Allocate the transaction price |
|
Internal controls related to:
|
|
5. Recognize revenue when (or as) performance obligations are satisfied |
|
Internal controls related to:
|
|
Licensing |
|
Internal controls related to:
|
|
Contract costs |
|
Internal controls related to:
|
|
Presentation and disclosure |
|
Internal controls related to:
|
Appendix B — Applying the COSO Principles to the Adoption of the New Revenue Standard
The 2013 COSO Framework contains 17 principles that explain the concepts associated with the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring activities). The components are related to all aspects of an organization’s objectives, which typically fall into three categories — operations, reporting, and compliance. These objectives, as well as the components, are also related to an entity’s structure. COSO depicts this relationship among objectives, components, and an entity’s structure in the form of a cube as follows:
In assessing the design of effective internal control with respect to the new revenue standard, a company may consider its objectives in terms of internal and external reporting, and on the basis of those objectives, take into account the five components of internal control and the 17 principles within the components. The chart below summarizes the 17 principles and provides examples of their application in a company’s implementation and adoption of the new standard.
COSO Principles Summarized12 | Examples of the COSO Principles’ Application in the Adoption of the New Revenue Standard | |
---|---|---|
Control environment |
1. Demonstrates commitment to integrity and ethical values. 2. Board of directors exercises oversight responsibilities. 3. Establishes structure, authority, and responsibility. 4. Demonstrates a commitment to competence. 5. Enforces accountability. |
Principle 1
Principle 2
Principle 3
Principle 4
Principle 5
|
Risk assessment |
6. Specifies suitable objectives. 7. Identifies and analyzes risk. 8. Assesses fraud risk. 9. Identifies and analyzes significant change. |
Principle 6
Principle 7
Principle 8
Principle 9
|
Control activities |
10. Selects and develops control activities. 11. Selects and develops general controls over technology. 12. Deploys through policies and procedures. |
Principle 10
Principle 11
Principle 12
|
Information and communication |
13. Uses relevant, quality information. 14. Communicates internally. 15. Communicates externally. |
Principle 13
Principle 14
Principle 15
|
Monitoring activities |
16. Conducts ongoing or separate evaluations. 17. Evaluates and communicates deficiencies. |
Principle 16
Principle 17
|
____________________
1 FASB Accounting Standards Update No. 2014-09, Revenue From Contracts With Customers, as amended.
2 Based on data from Audit Analytics for fiscal years ending 2010 through 2017 as reported in auditor ICFR attestation reports.
3 Speech by Mr. Bricker at the March 21, 2017, Annual Life Sciences Accounting & Reporting Congress. Also, a keynote address by Mr. Bricker at the December 5, 2016, AICPA Conference on Current SEC and PCAOB Developments.
4 SEC Staff Accounting Bulletin 74, codified as SAB Topic 11.M, “Disclosure of the Impact That Recently Issued Accounting Standards Will Have on the Financial Statements of the Registrant When Adopted in a Future Period.” See Deloitte’s September 22, 2016, Financial Reporting Alert and Deloitte’s A Roadmap to Applying the New Revenue Recognition Standard for further discussion and related examples of SAB 74 disclosures.
5 See the appendix in Deloitte’s September 22, 2016, Financial Reporting Alert and Deloitte’s A Roadmap to Applying the New Revenue Recognition Standard for a discussion and examples of SAB 74 disclosures.
6 Speech by Mr. Bricker at the March 21, 2017, Annual Life Sciences Accounting & Reporting Congress.
7 Sarbanes-Oxley Act of 2002.
8 SEC Final Rule No. 33-8238, Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, states that management “must evaluate, with the participation of the issuer’s principal executive and principal financial officers, or persons performing similar functions, any change in the issuer’s internal control over financial reporting, that occurred during each of the issuer’s fiscal quarters, or fiscal year in the case of a foreign private issuer, that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.”
9 426 U.S. 438 (1976). See also Basic Inc. v. Levinson, 485 U.S. 224 (1988).
10 SEC Regulation S-K, Item 601(b)(31), “Exhibits.”
11 One or more controls may address one or more risks. The number of controls a company may have will vary depending on how the controls are designed to address the company’s risks.
12 Adapted from the 2013 COSO Framework.