Internal control considerations related to adoption of the new revenue recognition standard
This Heads Up discusses considerations related to a company's internal control over financial reporting in connection with its adoption of the FASB's new standard on revenue recognition.
As companies work to adopt the FASB’s revenue standard (ASU 2014-09), it is critical that internal control considerations be front and center. SEC filing data show that revenue recognition is one of the most common accounting issues that trigger a material weakness. These data underscore the importance of focusing on the internal control impacts of adopting the new revenue standard and support comments by SEC Chief Accountant Wesley Bricker, who has said that “[i]t is hard to think of an area more important than ICFR [internal control over financial reporting].”
This Heads Up discusses certain considerations with respect to internal control and the adoption of the new revenue standard. For a comprehensive discussion of the new standard, including an analysis of other potential implementation issues, see Deloitte’s A Roadmap to Applying the New Revenue Recognition Standard.
Preadoption Disclosure Controls
The SEC has been emphasizing the importance of transition-period disclosures (or preadoption disclosures) in accordance with SAB 74. These disclosures should be both qualitative and quantitative and should be included in MD&A (subject to disclosure controls and procedures) and the footnotes to the financial statements (subject to ICFR). The SEC staff has also made clear its expectation that the preadoption disclosures become more robust and quantitative as the new standard’s effective date approaches.
In light of the SEC’s guidance and recent comments from the SEC staff, such disclosures should address the impact the new revenue standard is expected to have on the financial statements and should include:
• A comparison of the company’s current accounting policies (which, to the extent available, could include tabular information or ranges comparing historical revenue patterns) with the expected accounting under the new standard.
• The transition method (full retrospective or modified retrospective) elected.
• The status of the implementation process.
• The nature of any significant implementation matters that have not yet been addressed.
A company that is able to reasonably estimate the quantitative impact of the new standard should disclose those amounts. Some disclosures may therefore include pro forma financial statements under the full retrospective method.
Internal controls over these preadoption disclosures are important to management’s ability to address the risks that the disclosures are inaccurate or incomplete. Management should first identify whether appropriate internal controls exist for the disclosures and then specify the information and analysis used to support them. Then, management needs to test the design and operating effectiveness of the relevant controls given that they should be included within the scope of management’s report on ICFR in the year before the adoption of the new revenue standard, as applicable.
When assessing whether appropriate internal controls exist with respect to the preadoption disclosures, management may consider whether procedures are in place regarding:
• Competence — The preadoption disclosures are prepared by competent individuals with knowledge of the new revenue standard and potential impacts on the company.
• Compliance — The disclosures meet the SEC’s requirements and guidelines.
• Data quality — The quantitative disclosures (if known and estimated) are calculated on the basis of reliable inputs that are subject to appropriate internal control.
• Review — The disclosures are reviewed by appropriate levels of management.
• Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately reviews the internal controls in accordance with company protocols. In addition, the audit committee is involved in the oversight of the disclosures’ preparation.
Internal Control Considerations Related to the Adoption of the New Standard
Internal Controls Over the Adoption
There are often unique circumstances and considerations associated with the adoption of a new accounting standard that can pose a higher risk of material misstatement to the financial statements. Thus, companies should consider the circumstances that may only be present during the adoption period and evaluate whether there are any unique risks that require “one-time” internal controls that may operate exclusively during the adoption period. Management should also consider the internal controls, documentation, and evidence it needs to support:
• Entity-level controls such as the control environment and general “tone at the top.”
• Identification of material revenue streams and different contract types within those revenue streams.
• Accounting conclusions reached (such as by preparing accounting white papers or internal memos memorializing management’s considerations and conclusions), including the impact to other account balances such as costs of sales or services, contract assets and liabilities, and income tax accounts.
• Information used to support accounting conclusions, new estimates, adjustments to the financial statements, and disclosure requirements.
• Identification and implementation of changes to information technology systems, including the logic of reports.
• The transition approach selected.
• The accounting logic used and journal entries (including the transition adjustments) that record the adoption’s impact.
• Any practical expedients applied and related disclosures.
• Changes to the monthly, quarterly, or annual close process and related reporting requirements (e.g., internal reporting, disclosure controls and procedures).
See Appendix A of this Heads Up for considerations related to additional risks and internal controls.
Five-Step Model, Related Risks, Internal Controls, and Documentation
The new revenue standard requires companies to apply a five-step model for recognizing revenue. As a result of the five steps, it is possible that new financial reporting risks will emerge, including new or modified fraud risks, and that new processes and internal controls will be required. Companies will therefore need to consider these new risks and how to change or modify internal controls to address the new risks.
For example, in applying the five-step model, management will need to make significant judgments and estimates (e.g., the determination of variable consideration and whether to constrain variable consideration). It is critical for management to (1) evaluate the risks of material misstatement associated with these judgments and estimates, (2) design and implement controls to address those risks, and (3) maintain documentation that supports the assumptions and judgments that underpin its estimates. Mr. Bricker recently pointed out that management should consider whether controls, including those related to tone at the top of the organization, “support the formation and enforcement of sound judgments [required under the new standard] or whether changes are necessary.” Appendix A of this Heads Up outlines the five-step revenue recognition model and contains sample risks and controls for consideration.
Significant Changes in Information and Related Data-Quality Needs
Companies will need to gather and track new information to comply with the five-step model and related disclosure requirements. Management should consider whether appropriate controls are in place to support (1) the necessary information technology (IT) changes (including change management controls and, once the IT changes have been implemented, the testing of their design and operating effectiveness) and (2) the accuracy of the information used by the entity to recognize revenue and provide the required disclosures. The table below illustrates some potential challenges and examples of practices. (See table in PDF.)
Applying the COSO Principles
The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control — Integrated Framework (the “2013 COSO Framework”) provides a framework for designing and evaluating internal controls through the use of 17 principles and related guidance. As companies implement the new revenue standard, particularly those that apply the 2013 COSO Framework in management’s assessment of ICFR, they should consider the COSO principles in evaluating and designing controls (including those related to recognizing revenue and data quality, as discussed above). In addition, as new controls are designed and implemented, control owners should consider the evidence and documentation that will be available to support management’s assessment of ICFR. See Appendix B of this Heads Up for further discussion.
Evaluating Material Changes in Internal Control
SEC registrants are required to disclose any material changes (including improvements) in their ICFR in each quarterly and annual report in accordance with Regulation S-K, Item 308(c). SEC guidance explains that materiality would be determined on the basis of the impact on ICFR and the materiality standard articulated in TSC Industries Inc. v. Northway Inc. (i.e., that “an omitted fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote”).
As discussed previously, the adoption of the new revenue standard will probably require management to implement new controls or modify existing ones to address new or modified risks of material misstatement. Such changes in internal control, if material, as a result of the adoption of a new accounting standard, will trigger disclosure requirements. In addition, management should consider whether there are appropriate controls with respect to identifying and disclosing material changes in ICFR.
For example, management may consider whether there are controls related to the following:
• Compliance — Processes are in place to identify and evaluate material changes in internal control. Further, protocols exist for developing appropriate disclosures and reporting such information to appropriate levels of management (e.g., those signing the quarterly and annual certifications required under SEC Regulation S-K, Item 601(b)(31)).
• Review — The disclosures are reviewed by appropriate levels of management (including, as warranted, those signing the quarterly and annual certifications).
• Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately considers the state of the entity’s ICFR to identify changes and monitors controls in accordance with company protocols. In addition, the audit committee is involved in the oversight of the disclosures’ preparation.
In developing the required disclosures, companies should clearly state whether a material change has occurred and, if so, describe the nature of the change. The SEC staff has commented when a registrant has not explicitly asserted whether there has been a change in ICFR in the most recent fiscal quarter that could have a material effect on its ICFR. The staff has further stressed that registrants should avoid “boilerplate” disclosure in which they state that there have been no material changes affecting ICFR in a period, particularly when there have been identifiable events such as changes in accounting policies. (See illustration in PDF.)
View the rest of the Heads Up.
Subscribe and Archives
Heads Up newsletters, published as warranted, analyze important accounting developments, such as new FASB and IASB pronouncements or exposure drafts. Concise examples and answers to frequently asked questions assist readers in understanding and implementing the critical guidance.