Regulators are not requiring companies to follow the new COSO framework even though the 1992 version is being retired later this year. While we encourage companies to adopt the new internal control framework and most of them have begun the process, the lack of an explicit mandate still has some dragging their feet.

For now, the Securities and Exchange Commission staff have said they are keeping a close watch on which framework companies will be following. During this upcoming transitional year of reporting, they won’t be questioning companies that haven’t migrated to the new framework even after the old one is superseded as of December 15, 2014. As it is, the Committee of Sponsoring Organizations of the Treadway Commission has given organizations a fair amount of time to make the move before the preceding 20-year-old guidance is no longer available.

Still, some companies delayed starting their transition until after their 2013 10-K and 2014 first quarter 10-Q were filed. By the time fiscal year-end 2014 filings are submitted, not all public companies will have been able to say they follow the more modern framework, as COSO had hoped they would.

If you fall into that camp, it might be too late to make the transition for fiscal year 2014. Making the move is different for each company. If you’ve followed best practices for internal controls, you may only need to map your existing internal controls to the new framework. In that situation, your internal controls have been effective for the year and can be relied upon, and your transition is done. However, if you don’t fall into this category, there will be more time involved (how much time and resources will be required depends on the current state of your internal controls). At this point, it also means that the new controls put in place for the new framework have not been effective for the first eight months of the year, and therefore, reliance on these controls will be in question.

We’re not trying to make you feel bad. Procrastination—for whatever reason—happens. What really matters is what you do now. While the ideal path would have been to make your COSO transition sooner rather than later, if you haven’t started at all, this could also be the time to begin the evaluation of the new COSO framework for fiscal year 2015.

Where to begin
If you have read the new framework, you will have noticed that it has 17 new principles for internal control, and within each of those principles, there are specific points of focus. The points of focus do help with identifying controls within your organization. Most of these internal controls will exist in your entity level controls. Entity level controls address those controls that apply across the organization, and most of the new principles are aimed at those internal controls that reside at the organizational level.

If you haven’t reviewed the 17 new principles and their corresponding points of focus, you should really start to familiarize yourself with them. Whether a control only needs to be documented, is an improvement to an existing control, or is newly added under the new framework, it must be in place and in working order before you can rely on it.

Based on those companies that have already mapped their entity level controls to the new framework, here’s what will likely happen. We have seen our clients experience a combination of three possible outcomes:

  1. They need to take credit for what they already do, as their latest evaluation shows the control is already in place but not currently identified as an internal control. This involves formalizing the control and documenting it.
  2. They work on improving a control that already exists in order to make sure it covers the points of focus within the framework.
  3. They add a new control. This is the one that requires more time. You will need to get agreement from the organization that the control needs to be added, confirm that the control is documented accurately and will be performed, and then be able to test early enough to allow time to remediate the control in case something goes wrong.

If your company has been following best practices with identifying internal controls within its entity level controls, then you will likely see the transition to the new framework follows items 1 and 2 above. This will take time for documentation, but the controls are already being performed and additional training will not be needed.

However, if you haven’t been following best practices for internal controls as closely as you could have been, then you might find yourself working with all three points above. Item 3 does entail additional time and training that could go beyond the finance department. The sooner you start this process, the sooner you will position yourself to be prepared to make the switch.

With all of this said, if you are choosing to not migrate to the new COSO framework now, you will at the very least have to document your reasoning as to why you think your internal controls are sufficient as is. In addition, you will have to make sure your external auditors are in agreement with your rationale. In my opinion, it would be prudent to keep in mind that at some point, the new COSO framework will be required. Nobody wants to be caught without the time, resources, or remediation runway when that requirement is made.

Tracy Thames has been a member of the RoseRyan dream team since 2008. She excels at SOX, internal audit, accounting management and project management.

It’s time to test your current events knowledge: Which major retailer acknowledged having to spend $88 million related to a mega data breach in its most recent 10-Q, with more costs expected?

Target immediately comes to mind, right? The prevalence of the retailer’s troubles speaks to the far-reaching effect a cybersecurity attack can have on a company. That $88 million is just a drop in the bucket of expenses and problems Target continues to face following the exposure of its customer payment data over six months ago. The initial tally does not include the company’s anticipated claims for incremental fraud losses nor does it include litigation costs for the more than 100 legal actions filed in various jurisdictions to date or the reputational hit and the faltering loyalty by customers now worried about sharing their credit card information with their local store.

Every day there seems to be a new headline reporting another Internet security breach or data protection lapse – be it hacked credit card data, the Heartbleed Bug or well-crafted phishing scams luring victims to give up sensitive information. If there is an upside, it’s that such news may prompt other companies to do a full sweep of their internal processes and systems to minimize the probability of something like this happening to them.

But will they do a good job? Those companies that make such an effort extend beyond the confines of their IT department are more likely to succeed in shrinking their risk. CFOs in particular should take responsibility for toughening up the organization’s cyber defenses if they haven’t already.

Regulators are demanding it: Three years after requiring companies to disclose cybersecurity risks and incidents that are specific to them – and to stay away from generic language – the Securities and Exchange Commission continues to focus attention on the topic. In fact, the SEC hosted a roundtable earlier this year to discuss the challenges of cybersecurity on market participants and public companies, and how they’re getting handled. Just a couple of months later, the SEC’s Office of the Investor Advocate announced that it would study how the SEC and other market participants are actually protecting investors from cybersecurity threats, which further puts pressure on the Commission to keep tabs on the risks.

On top of all this regulatory introspection is a call on auditors to pay more attention to how companies deal with the problem and what they say about it. The Center for Audit Quality recently issued an alert outlining independent auditors’ responsibilities related to cybersecurity risks. Such an alert may cause auditors to up their scrutiny of their clients’ forthrightness about their risks and what they disclose about them.

Data breaches at larger companies make the headlines, but smaller companies are not immune from this threat. In fact, smaller companies may be easier targets because they have fewer resources to deploy in preventing a breach. Think what a treasure trove a hacker could find on your servers — employee information, customer information, engineering design information, your financial information, etc.

What CFOs can do
CFOs can play a critical role in all of this, as the keeper and protector of their business’ sensitive information and internal controls. While your IT gurus, data protection officers and security and privacy experts are addressing “defense in depth” strategies to thwart would-be hackers, here’s what you should be doing.

  • Identify the crown jewels: No matter how good your firewall is, let’s assume that everything can be hacked. Hackers are looking for valuable information that isn’t adequately protected, so the first thing to think about is “what are your crown jewels?” This can include information such as engineering and design data, financial information, employee and HR information, and customer or client information. You want to make sure the full scope of your company’s sensitive data has extra security layers around it. And you’ll need to get input from all areas of your company for identifying your most sensitive information.
  • Control who has access to that valuable and vulnerable info: Now that you have identified what the critical data is, make sure you know where it resides. It is important to limit access to only the specific individuals who need it to perform their job duties. Do you have proper controls in place to ensure proper authorization is obtained before access is granted? Do you monitor access on an ongoing basis to make sure no unauthorized individuals have access to this data? Is your data backed up so that you are not vulnerable to ransom demands for stolen data? Depending on the size and complexity of your business, you may need to confer with your CIO on what measures are currently in place or you may need to bring in outside expertise.
  • Review third parties critically: You can’t outsource your responsibilities. When you use third parties to host, store or process your data, you need transparency in how they are protecting your data and complying with privacy laws. Don’t assume any third party has it all under control. Obtain and critically review SSAE16 reports (depending on the nature of the work being outsourced, you will want to review a SOC 1 report for internal controls over financial reporting or a SOC 2 report for data protection, security and privacy). You may want to reconsider using a company that refuses to share this information or that has questionable results.
  • Encrypt like crazy: Is all of your sensitive data encrypted? Not only is it important to encrypt data during transit, but it is also important to encrypt critical data at rest, meaning information sitting on computer drives, laptops, flash drives and the like. Encryption won’t protect your data from being intercepted, but it can protect the contents from getting read.
  • Engage everyone in the effort: Do you have formal, companywide policies around data protection and security? Are they effectively communicated to employees (i.e., not just shared with new staff but distributed periodically)? Employees can unknowingly violate a carefully created data security effort by simply sending an unencrypted email that includes sensitive information. Ongoing training and education are key ways of ensuring that the procedures you have created to safeguard your data are correctly implemented.

If you consistently review and update your policies and systems, train your employees on those policies, and allocate sufficient resources to cybersecurity, you will have taken significant steps to reduce your risk. This should be an ongoing process, not a one-time reaction to a headline about a data breach. In this fast-moving era of hacks and viruses, a protective effort that occurs outside of IT needs to be a matter of course.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. Melette Evans, a RoseRyan senior IT guru, contributed to this blog post.

Get ready for scrutiny. One of the many challenges presented by the new revenue recognition rules is the need for companies to come up with an estimate of revenue for variable consideration instead of waiting until amounts are certain as they do under current GAAP. Determination of these estimates involves significant judgment.

If public companies recognize an estimated amount of revenue that subsequently turns out to be unjustifiably overstated, they won’t be dealing just with the problem of non-GAAP compliance. They will also face a decrease in credibility among financial analysts, possible restatement of their financials and the threat of shareholder lawsuits alleging fraud. To avoid such troubles, companies need to make their estimates as bullet-proof as possible and establish sound practices for documenting their basis for those estimates.

How to pull that off? Even though the new rules don’t go into effect until 2017, companies need to begin rethinking their revenue recognition process now to minimize their risk of off-track estimates. Yes, there’s a fair amount of work involved up-front, but there’s a payoff (hang on, we’ll explain).

The new five step process
The new rules direct companies to apply a five step process for analyzing contracts with customers and deciding when and how they should recognize revenue. Step 3 is “Determine transaction price,” which requires, for variable consideration, companies to estimate a transaction price as either the expected value of possible outcomes (a probability-weighted estimate) or as the “most likely amount” (from a range of possible outcomes). Here’s where the challenge comes in: However a company proceeds, the rules specify that the estimate must be an amount for which it is “probable that a significant reversal in the amount of cumulative revenue recognized will not occur when the uncertainty … is subsequently resolved.”

As an example, consider the difficulty of achieving that goal in a distributor model. Many technology businesses use distributors to sell and support their products across a broad customer base. To avoid overpaying for tech products amid short life cycles and constantly decreasing prices, distributors usually insist on having price protection in their agreements. That way, they can claim a price protection rebate from the manufacturer if they have to resell a product at a price below the initial, agreed-upon margin.

Under current GAAP, a company waits to recognize revenue until the price is “fixed and determinable.” A manufacturer recognizes revenue only when its distributor has sold the product to an end customer and requested its price protection, if needed, because that’s when the price is fixed and determinable. However, under the new rules, the manufacturer will often have to record a minimum amount of revenue at the time of shipment to the distributor, meaning it will have to estimate the impact of price protection it will have to grant.

Another example is found in licensing arrangements. Many such agreements include milestone payments that are contingent either upon performance of the licensor (a performance obligation under the new rules) or upon performance of the customer, such as when a drug-development customer achieves success in a critical trial (variable consideration that the licensor might receive after performance of its obligation for delivering the license but is only receivable if the customer achieves its goal). Under current GAAP, a company excludes contingent payments from the revenue allocated under a multiple-element arrangement and recognizes such contingent payments when the contingency is resolved. But with the new rules, when a milestone is considered probable, such payments become part of the transaction price and are allocated to performance obligations. This estimation and inclusion of contingent payments when they are considered probable — and not waiting until milestones are actually achieved — could result in earlier recognition of revenue if performance obligations have already been satisfied.

How to make good estimates
We’ve told you the “why,” now here’s the “how.” The following are principles for making estimates that will be defensible and limit the risk of a restatement.

Make estimating a team sport: Although it must lead the effort, finance should harness the expertise of other relevant functions within the company to make the best estimate. This means turning to sales and marketing personnel for their knowledge of customers, pricing and timing of sales milestones. The engineering team should weigh in on the readiness of a new product or confirm whether technical problems are causing returns or rework. The operations team will need to provide input on the probability of achieving performance milestones. Some companies will need to supplement this team of internal advisors with customer staff who are in direct touch with end customers (for example, this could be distributor personnel who manage the channel).

Use the best tools for the best results: Any company affected by the new rules will need robust systems to obtain up-to-the-minute volume and pricing information to prepare its estimates for financial close.

In the distributor example, large global distributors already have excellent systems that provide bookings, billings and backlog by customer and by part, in real time. Companies using smaller and regional distributors with less sophisticated systems may need to work with them to enhance information flow to the level they need. Online software tools from third parties that are specifically built to manage the manufacturer-distributor relationship can be very helpful as well.

In other industries, tools may not be in place to make estimates at all, or they may be focused on a specific step such as allocation of revenue to multiple elements in a software licensing arrangement at the start of the contract. For these circumstances, companies will need to develop tools to monitor contingent elements and determine their probability each reporting period.

Document and disclose: Companies should systematically document how they came up with each estimate — the process used, the historical information input, the personnel involved by function, the assumptions made and the risks mitigated. They should apply a consistent approach over time. If circumstances require a change in approach, then document the change and why it was required. All this information should be archived in such a way that it can be brought out any time to compare to actual figures and explain and justify differences to auditors, financial analysts and potentially the Securities and Exchange Commission.

The new rules require companies to disclose in notes to financial statements “sufficient information to enable users of financial statements to understand the nature, amount, timing and uncertainty of revenue,” along with existing requirements to provide disclosures about significant accounting policies and critical accounting estimates. Given the increase in estimates and judgments, companies should use these disclosures to provide information on the assumptions and risks inherent in their estimates. Taken together, the documentation and disclosures should reflect how the company made a competent good-faith effort to develop its estimate.

Watch what’s on the horizon: As part of their estimation process, companies need to identify current factors that differ from prior periods that may drive estimates away from prior trend lines. Broader economic and industry trends can overwhelm their prior revenue trajectory. The financial crisis of 2008 and the tech downturn of 2000 are examples of extreme events that had a tremendous impact on the revenue estimates of companies that had nothing to do with the downturns themselves. A rising tide can lift all boats, and a swift ebb tide can strand them all on the sand.

Technology companies need to focus in particular on the impact of newly introduced and end-of-life products. A strong new product ramp can drive volumes above the trend line and improve pricing. But it can also accelerate the decline of an older product. For both large external events and tech product changes, companies should be especially careful to state their assumptions about the events and the impact on their estimates, both in their documentation and financial statement disclosures.

The plus side of this additional work
Making good estimates to meet the new rev rec rules will require companies to apply more time and thought to their revenue recognition efforts. But there’s good news in here as well: Finance teams can use this challenge as an opportunity to better understand their business, customers and products, and communicate that understanding to investors. That’s the type of scrutiny we can all root for.

Ray Solari is a member of the RoseRyan dream team. He has served as the CFO/VP finance for private companies and managed SEC reporting for public companies. He began his career at Deloitte.

Economists like to debate about the level of economic growth that is driven by innovation. Some think that the days of rapid growth in the U.S. economy are over and any new inventions won’t make up for the slowdown in growth. Others think that innovation and new ideas are still taking off and will fuel lots of economic growth. I’m not an economist, but the one thing I know for certain is that Northern California has a group of CEOs who aren’t waiting around to find out. They are leading their companies in developing new technologies and new and better ways of operating their businesses, all while building high performance teams.

I met them firsthand during the recent 28th EY Entrepreneur of the Year™ Awards gala for Northern California at the Fairmont Hotel in San Jose. The theme for this event, for which RoseRyan proudly served as a sponsor, was “honoring the best of the best,” and it was successful at that. There were 27 finalists out of an original group of over 110 CEOs. Of the finalists, the regional award winners were chosen from nine categories ranging from software and technology to life sciences and digital advertising. There was a very good mix of entrepreneurs from all different kinds of backgrounds and experiences.

This was one of 25 programs in U.S. cities and in 61 countries around the world; the overall national winner will be announced later this year. There were over 14,000 individuals involved in this global endeavor. Some were from established companies, some from startups, and others from large companies. For our area, here are the winners announced at the gala (for quick videos about each company, go to EY’s website):

  • Technology: David Gorodyansky, CEO, AnchorFree
  • Services: Fedele Bauccio, co-founder and CEO, Bon Appétit Management Co.
  • Emerging: Marcin Kleczynski, CEO, Malwarebytes
  • Life Sciences: David Hung, founder, president and CEO, Medivation
  • Software: Vladimir Shmunis, CEO and founder, RingCentral
  • Digital Advertising: George John, CEO and co-founder, and Richard Frankel, president and co-founder, Rocket Fuel
  • Large Companies: Amir Dan Rubin, president and CEO, Stanford Hospital & Clinics
  • Internet: Pete Flint, CEO and founder, Trulia
  • Real Estate and Finance: Doug Brien, co-founder, and Colin Wiel, co-founder, Waypoint Homes

A theme that I heard repeatedly during this year’s program and in the past is that innovation doesn’t just involve the CEO or founder, but rather it is a bottom-up process involving many people at all levels of the organization. Those honored at the EY event recognized that truth; the first people many of them thanked in their acceptance speeches were their employees. Those who will go far know they need to develop a team of key people who believe in what they are trying to accomplish. “The best advice I ever got from anybody is … get the wrong people off the bus as quickly as possible and get the right people on the bus,” said Kleczynski in a video about Malwarebytes, an anti-malware software provider. “They will get you going; they will get you where you need to go.”

With the help of the right people, entrepreneurs look for ways to disrupt and change industries, and that is what drives them. AnchorFree, for instance, aims to give everyone across the globe freedom when using the Internet and privacy protection when doing so. In his video, Gorodyansky said the company faced “headwinds” in its goals “but also knew in our hearts that we’re doing the right thing.”

Certainly, younger companies have more freedom to get changes made quickly. This is particularly true of the private companies involved in this program (over 80 percent of all award winners are privately held). Studies have shown that what really make the finalists different are their independence, freedom and flexibility. The overarching value they all share is outstanding leadership plus a willingness to try new things. Once a quarter, Trulia lets its engineers pursue any idea they have in mind, without the red tape that oftentimes ties down more established companies from realizing innovation. “It’s an incredible way for us to create an environment where creativity, where ownership is part of the culture,” according to Flint of the real-estate listing site. “So, new employees can come in, they can build a product they’re passionate about, solve the problem they want to solve, and release it to the public soon after.”

Indeed, their nimbleness and openness to ideas are continuing to make entrepreneurs the job engine of our economy, and all indications are that this will continue for the foreseeable future.

We can all learn from their stories, particularly in my industry. The world of finance and accounting consulting has been constantly changing over the past 10 to 20 years. Innovation in the way companies approach the market, deal with clients and look for talent is critical to success. Evolution in our business is oftentimes driven by regulatory changes and new ways of interpreting rules and principles. A firm that doesn’t embrace change and work with it will be left behind. The firms with strong visionary leadership are the ones that are leading the industry and staying ahead of the curve.

Stan Fels is a director at RoseRyan, who joined the finance and accounting firm in 2006. In addition to helping the finance dream team keep their skills sharp and stay true to RoseRyan’s proven processes, he matches gurus to clients in the high tech and life sciences sectors. 

It is easy to see why, after Sarbanes-Oxley became law in the early 2000s and internal-control testers and reviewers became sought-after professionals, the demand for their talents sometimes went to their heads. From being the mostly ignored internal audit department to becoming the highly noticed glamour boys and girls of their own movie called Corporate America, their first instinct was, “The power is with us and let us start policing.” I admit that happened to me, but only for a minute.

Two things happened to make me quickly snap out of it. First was a reflective process where I decided that I did not want to make a career out of solely pointing out errors that other people made — that would be too much negativity day in and day out. Then, during a chance encounter after hours with a corporate controller, she blurted out, “You know the best thing about having you on our team is that I feel more secure when I go home every night, that things are working optimally and the world will not fall apart tomorrow morning.” Voilà! The statement was made by her, but the big impact was on me. In her mind, I was collaborating with her and giving her peace of mind, but in my mind, I had seen myself as the cop. I preferred her outlook and embraced it.

From that moment on, finding SOX errors became secondary to my working as a thoughtful partner who uncovers positive opportunities in the organizations I work with. Consider these real-life examples from my experiences:

  • SOX became a revenue generator when testers helped a disc drive maker realize that it had been needlessly throwing away material that was actually quite valuable. The finding began with a control test that read, “Excess inventory is classified as scrap and authorized.” Looking for authorization controls, the SOX testers wondered why the excess material from the precious metal (the inventory) used to make the disc drives was not worth anything. It was just thrown away. A group of employees, who had previously been ignored on this issue, revealed that the metal could be recycled at a fraction of the cost of discarding it, to actually make new disc drives and add new revenue to the bottom line. An outside perspective, through a SOX exercise, brought this opportunity to the forefront.
  • A company that took a conservative approach to its SOX control for the cycle counts of inventory had a monthly reconciliation process. The cautious way of doing things had an upside when management looked at the results of the reconciliation and decided to streamline the entire inventory management and supply chain process, which saved millions in costs and contributed to the closing process getting cut down by a week.
  • A retail giant was planning to implement a new system in the supply chain area and wanted to consider SOX upfront to ensure that prior to going live, the new system would pass all the relevant IT general computer controls (including user and developer access, termination, passwords and change management). This was a first for the retailer, which didn’t usually take SOX into account in the early stages of a new system. The proactive effort saved it time and money. The SOX readiness testing led to the operations side working more closely with the IT side, granting early buy-in, creating better communication between the two groups, and leading to an overall more efficient supply chain process. The net impact was a savings of $3 million, and the project went live and operational three months ahead of schedule.
  • The reach of SOX sometimes spills over to IT security and PCI compliance (the data security standard used by the payment card industry). This was evident in a retailer that was planning to break away from its publicly listed parent and go public on its own. As the team I was working with was putting the SOX controls in the various areas, we realized that although it did not have a direct impact on the company’s SOX compliance, the IT security systems did not rein in customers’ credit card information as much as they should. While this security gap sounds like a huge hole in today’s privacy-conscious environment, this finding was made back in 2007. Even then the very prudent upper management team, including the CEO and CFO, saw the need to plug the gap; they had the foresight to put in place strong IT security measures and encryption technology and prevent their customers’ credit card information from getting plastered on Times Square. If only all the retailers had followed suit! This company was not just ahead of the game in IT security; it also met PCI compliance, thanks to the initial recommendations that turned up during the SOX work.

The above is only a short list of the process improvements I have seen firsthand during my time working heavily in SOX. The point is that, if the only cap I had worn while going about my SOX testing was that of a policeman, I would never have seen past the brim to play a part in those process improvements. These are examples of positive changes from SOX that revealed new revenue opportunities or saved money. And, on a personal level, they have reinforced my profile as a “trusted partner” even in the eyes of the people being subject to SOX controls. This, as any SOX tester will testify these days, is the ultimate goal. Any feeling of being a SOX cop is long gone. All it took was a slight change in mindset and approach.

Vivek Kumar is a member of the RoseRyan dream team. He has been working in SOX since the time it became law and from both sides, in-house and as an external consultant. When not doing SOX, Vivek keeps himself busy playing tennis and making feature films, the first of which hits theaters this summer.

Having been involved in accounting for over 30 years, I have seen quite a few changes in accounting requirements, all enthusiastically introduced to “help the reader understand the financial status of a company better.”

I have to say that I believe the opposite is happening. Reading (interpreting) accounts is getting harder to do, as more and more intricate rules are introduced. In just the last 20 years, we have seen significant changes, including the introduction of stock compensation standards, revised fair value accounting, rewrites of revenue recognition rules, to name just a few. The changes have become intricate and mind-numbing.

There’s little sign of it stopping; although recently the FASB announced it will be focusing on reducing complexity and promoting simplification in its accounting standards, the Board has taken no meaningful action to date to do so. Board members have stated they want to simplify how inventory is measured and eliminate the need to disclose extraordinary items from income statements, but these pale into insignificance when compared to the revamped revenue recognition rules and the new operating lease accounting rules likely to be introduced too.

The bottom line is that unless you have a sophisticated understanding of accounting, you probably are unable to fully understand the accounts and what they mean to the health of the business. I don’t believe I am the only one who thinks the rules are going too far, and I understand sophisticated accounts! Every time I listen to a public company announce its quarterly financial results, I hear the CEO or CFO announce their earnings, and then they follow it with a pro-forma result, usually described as an “adjusted EBITDA,” which is to them a more meaningful result to disclose to their investors. Absolutely every company will back out stock compensation costs and other non-cash charges to get to a baseline cash-based result. Observers who trend these revised numbers on a quarterly basis can probably get a more meaningful trend of financial performance of the company and can make more meaningful decisions affecting their investment than if they tried to follow along with the pure GAAP figure.

I’m not saying cash-based accounting is the way to go. That is accounting at its simplest but that, too, doesn’t give a true picture of a company’s financial health. The reality is a simplified disclosure process is desperately needed. Maybe if this was introduced, companies would stop releasing pro-forma results, and I wouldn’t keep being asked to interpret accounting results into meaningful information. Seeing the proposed new rules on the horizon, it looks like it’s going to get worse before it gets better, which is unfortunate.

Until we see more progress, I expect to hear more and more complaints that financial statements are becoming more difficult to interpret. That to me is doing the U.S. accounting profession a major disservice.

Stephen Ambler is a director at RoseRyan, where he manages the development of the firm’s “dream team” of consultants. His interim CFO stints at RoseRyan have included a social media company and the management of the financial integration process at a company acquired by Oracle. He previously held the CFO position for 13 years at Nasdaq-listed companies. 

In a new small company, all the focus — and funds — tend to be on the development side, where the company’s product or service gets fine-tuned for the marketplace. The finance organization as a support function is often low on the priority list. But as the company grows — and tracking and managing the finances gets more complex — almost all spending will continue to be concentrated on other areas, leaving the finance department to fight over the bread crumbs.

Being a team player means making do with what you have, not complaining, and doing what it takes to meet your objectives. But sometimes, being a good soldier is detrimental to the overall good of the company. Consider just a few examples why finance should demand its fair share:

  • Systems that don’t keep pace with your business put your company at risk: When the business grows in complexity, so should the methods and technology for tracking its performance. Workflow that is highly dependent on top-side adjustments to close the books and spreadsheet tracking of critical information (revenue recognition, stock awards, etc.) are prone to error.
  • Rules and regulations are constantly changing — which means the company has to keep up: Staying current can take considerable time and effort, and not knowing what you don’t know can be harmful. Misapplying accounting rules to significant transactions can result in significant errors to your financial statements.
  • Understaffed and underperforming accounting teams can result in delays to the close process: The slowdown not only hurts morale and the department’s ability to keep moving forward — it can have a direct effect on the company if management is running the business with inaccurate or insufficient data to make decisions.

In addition to jeopardizing your own reputation, the inability to produce timely and accurate financial statements can result in a decrease in the company’s valuation, its ability to attract financing at favorable rates (or at all) and win (or keep) strategic partners and clients. The problems could also derail a business combination or IPO.

It doesn’t have to be that way. Finance organizations are beginning to be looked at as more than just a cost center and are on their way toward becoming key players in the overall business strategy. To get to that point, they need to improve how they anticipate and support the needs of other departments and get recognized for such work.

Here are a few questions to consider as you evaluate how others perceive your finance organization:

  • Do your cross-functional peers know what the finance organization does to add value to the business? How is finance communicating its value-add?
  • Does finance take time to understand what the business is doing, and provide information to support the tasks that are underway? Is it proactive in this, or does it wait for others to make requests?
  • Does the organization meet regularly with other departments to find out, from their perspective, what they need from the organization and how the team is doing in filling those needs?
  • Is finance able to support the organization with reliable information on a timely basis?
  • Does finance have a handle on the company’s current needs and realistic growth plans?
  • Does the organization know what best practices are for your industry? Is it in line with your competition?

When finance teams make progress in these areas, their stature will be elevated and they will be seen as key contributors to the business, not a cost drain. This in turn makes getting finance’s piece of the pie much easier. And much more deserved.

For more information about building a foundation of financial integrity, read why timely, accurate financials are valuable for your company.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.

In its decade-long life, the Sarbanes-Oxley Act has triggered many emotional arguments. One that continues to persist, even all these years later, is whether management testing can be done in-house or should be done solely by independent consultants. Like any logical argument in life, both sides to the equation have valid points, including the ones below:

The case for independent consultants

  • Consultants provide independence: This is an area companies quickly embrace whenever someone looks at their past in-house testing with skepticism. I saw it firsthand at an established retail giant, where the company’s SOX project manager took great pride in asserting, “In the last five years, we have had no significant deficiency.” The applause that followed matched the kind you hear after an Olympic Gold performance. But another fine day, that same declaration didn’t get the same reaction. This time, the PMO said it to the brand-new controller, a former Big 4 partner, who wasn’t pleased. “But that means you have not been independent enough in your evaluation,” the controller said. Ouch! Silence all around. It’s hard to debate one of the strongest arguments for taking testing to external consultants — independence.
  • They bring a wider perspective: Independent finance pros step out a lot more than entrenched employees. They see different companies, distinct SOX departments, and a variety of mindsets. All of this makes them a valuable resource for SOX best practices, not just for uncovering flaws but finding ways to improve processes and figuring out the balance between tight controls and overwrought ones. They know what works well in certain types of companies and what doesn’t. Plus, they can anticipate what the auditors will likely expect down the line and prepare the company for those expectations (life is much easier when you can be proactive with your external accounting firm rather than scrambling when the auditors find something amiss). Employees, as an intrinsic part of the organization, usually can’t bring such up-to-date and diverse experience to the table.
  • They can reduce costs: It’s generally more cost-effective to outsource SOX testing to highly skilled, knowledgeable professionals, on a project basis, than taking on full-time employees. And these professionals may also help lower the total cost of SOX as external auditors will rely on the work of objective and competent third parties. The less time auditors spend scrutinizing what a company’s internal staff has done, the less the company has to pay in auditor hours.

The case for in-house testers

  • They may be able to extract more information from their colleagues. In-house testers, by working among their business and IT partners all year long, have the opportunity to build strong relationships and rapport over time. While such rapport can fuel the argument for independence, the fact is they could make more inroads in gathering information if their colleagues tend to be more helpful to those they already know and trust.
  • They know the business inside and out and have a vested interest in its future. Testers working from the inside can at times provide meaningful suggestions for process improvements — a strong and beneficial byproduct of the testing process. With a desire to keep their jobs and see their company thrive, they have a personal interest in uncovering inefficiencies. At other times, however, these in-house testers may hold back their ideas, not wanting to rock the boat with any of their fellow employees who may be affected by their suggestions.

What about a combo approach?
A trend, which appears to be gaining traction in Silicon Valley, is a mix-and-match approach, whereby the external consultants work in tandem with a select few from the in-house team. While it might appear that this is the “best of both worlds” scenario, it doesn’t play out that way in practice. The decision-making still tends to be made in-house, with all the pros and cons the in-house model entails.

The verdict: What makes sense for your company
Management needs and wants confidence in what the testers find and report to them (and so do investors and other stakeholders). The top executives put their name on the line to whatever is or isn’t uncovered during the testing process. Only you can decide, after weighing the pros and cons and the factors that go into the work involved, which method of SOX testing makes the most sense for your business and provides you with the right level of certainty.

Vivek Kumar is a member of the RoseRyan dream team. He has been working in SOX since the time it became law and from both sides, in-house and as an external consultant. When not doing SOX, Vivek keeps himself busy playing tennis and making feature films, the first of which hits theaters this summer.

We’ve been hearing about it for years. Finally, the result of the joint project between the FASB and the IASB to update and consolidate accounting standards for revenue recognition into one global standard is just about here. They’re expected to issue it by the end of this month.

This is when the fun begins. While there is time before companies have to issue financial statements under the new standard (which we’ll see in the first interim period of 2017 for public companies with fiscal years beginning after December 15, 2016), they will need to disclose the expected impact of the new standard right away. And they will need to be tracking transactions under the new principles beginning in 2015.

The biggest change is the shift from industry-specific guidance to the application of general principles across all industries. Companies will need to re-think how revenue will be recognized for their transactions, and in some cases they will be able to record revenue earlier than they do now. Here are my thoughts on what our clients should be considering in the months ahead.

If you work at a life sciences company
The revenue standard applies to all contracts with customers, including some collaboration arrangements for life sciences companies if they are in effect transactions with a customer. Collaborations might fall outside the scope of the new revenue guidance if the collaborator or partner is not in substance a customer, such as when a biotechnology company and pharmaceutical company have an agreement to share equally in the development of a specific drug candidate as well as the risk that comes with it.

Another change that will arise with the new standard is that variable consideration (such as milestone payments) may be included in the transaction price allocated to deliverables as long as the company has relevant experience with similar performance obligations and, based on that experience, they do not expect a significant reversal in future periods. Changes to these estimates will have to be allocated to performance obligations based on that initial allocation, unless a payment relates to a specific element and is consistent with the amount expected to be entitled for performance of that obligation.

When life sciences companies license their drugs to commercialization partners, they can estimate and recognize sales-based royalties when the partners’ subsequent sales occur and will not have to wait, as they do now, until each partner has reported such sales. These estimates can include only the amount that has a low probable risk of significant reversal.

Another change that will result in earlier recognition of revenue for life sciences companies is the recording of sales of new products when they ship, minus the estimates for returns. Currently, companies have to delay recognition on a sell-through basis if a pattern of return has not been established.

If you enter into license agreements
The new standard’s emphasis on when control transfers to the customer may change the timing of revenue recognition on licenses. A license is the right to use an entity’s intellectual property, such as software and technology, patents, trademarks, copyrights, music and movie rights and franchises. In some cases, a license is a promise to provide a right, which transfers at a point in time. In other cases, it is a promise to provide access to a right that transfers to the customer over time, such as if a licensor has continuing obligations under the arrangement that do not otherwise qualify as separate performance obligations, or if the licensor must actively make the IP available on a continuous basis during the license period, or if the licensee benefits from changes over time.

If you have software arrangements
For software arrangements, VSOE (vendor-specific objective evidence) guidance is no longer required, resulting in earlier recognition of revenue for licenses that lacked it for undelivered elements, including future upgrades, additional product rights or other vendor obligations. Companies still need to allocate revenue to each of the deliverables in the arrangement based upon best estimated selling prices (BESP). It simply allows for alternate methods of determining BESP beyond VSOE.

If you sell software as a service
You will need to assess software license and hosting services to determine if they represent distinct performance obligations. It is unclear what criteria will apply to determine whether a typical SaaS arrangement will qualify for service accounting treatment (over time) or if the software element should be recognized separately (at a point in time).

In addition, provisions entitling the customer to a refund if undelivered elements are not successfully provided — an issue that currently delays recognition — will be a part of the estimate of variable consideration, resulting in earlier revenue recognition in some arrangements.

If you’re a contract manufacturer
In contract manufacturing situations, the timing of revenue recognition will no longer revolve around when units are delivered but instead when a service is performed and when the control of goods is transferred to the customer over time. This change may require contract manufacturers to modify their systems and processes to recognize revenue in the new way.

If you work in the technology sector
Distributors and resellers tend to require price protection or right of return from manufacturers of technology products to protect themselves from obsolescence and price reductions. Manufacturers currently delay recognition of revenue from these transactions because of the possibility they’d have to give money back or accept product returns. Under the new standards, fees that are currently not considered fixed and determinable can be recognized to the extent the company can estimate the amount that has a low probable risk of significant reversal. This will result in earlier recognition of revenue for manufacturers.

When companies license their technology for use in tangible goods or services, they can recognize the royalties when sales or usage occurs to the extent they can estimate the amount that won’t reverse (subject to the constraint on variable consideration). Today, recognition is typically delayed until such sales are reported by the licensee.

What everyone should do in the meantime
These are just a few examples of impacts in certain industries. When the new standard is released, we encourage you to evaluate its impact on your company and business model. Don’t underestimate the subtleties the new principles guidance will change in revenue recognition. Without bright-line rules, there will be room for judgment but also room for differences in interpretation and implementation, particularly between you and your auditor. Let the fun begin!

Diana Gilbert has been a member of the RoseRyan dream team since 2008 with almost 30 years of professional experience. She excels at technical accounting, revenue recognition, SOX/internal controls, business systems and process improvements.

CFOs at high-growth companies are in a whirlwind. Everything around them is moving fast and the pressure is on to keep the positive figures moving upward and get a hold of the huge amounts of data the company is taking in every day. Unlike the CFOs of yesteryear, they’re not just stewards of their company’s finances but strategic players who have a direct say on how the company will move forward.

The smart ones, the ones who will be successful, will take a moment amid the crazy times to take a breath and figure out how they can live up to the expectations and responsibilities they have taken on. And here’s what they’ll remember: the key to their success is the people behind them. It’s easy to overlook this point when the company is barreling forward with new hires, shifts in strategies and expanding complexities. With a strong finance team that’s empowered by the trust of their superior, the CFO and the company as a whole are poised to make quick decisions that can ensure they stay on the high-growth track.

In a new intelligence report, A guide for high-growth CFOs, RoseRyan tackles this challenge head-on with an emphasis on developing a hyper-efficient finance team. This involves shaking off silos and encouraging openness and collaboration between finance employees and the rest of the company. The CFO is in a position to cross any divide and push for any changes in technologies or processes to both empower the finance crew and give them access to real-time data to make real-time decisions.

The concept of entrusting employees of various levels in a mid-sized or large organization to make decisions based on their assessments of real-time data is relatively new. In this report, RoseRyan dream team member Jason Barker explains why it’s now possible and crucial for any company that wants to maintain its high-growth status. Download A guide for high growth CFOs to learn more.