There’s a tension for finance organizations that go public. Throughout the year, they are faced with new rules from accounting standard-setters, new guidance from accounting firms and new direction by regulators that could affect them directly.

Last year was no different as the Financial Accounting Standards Board issued 17 Accounting Standards Updates (ASUs), up from 12 in 2013, including a real biggie (the new revenue recognition standard), and the regulators continued to be active and forceful. On top of this, privately held companies are getting more rules sent their way, and an increasing number are considering whether they too should get involved in the public markets.

No matter where your organization lies in its cycle—whether you’re in a startup or a fully fledged publicly traded company past the early, shaky days of trading—you have many issues to face in the coming year as your team puts together its financial reports and communicates with investors. Here are recent changes you should keep in mind, depending on your situation:

Taking on the new revenue recognition rule: By now companies should be past the evaluation stage and their plan to implement should be nearing completion. They should start tracking their transactions to see how they’ll play out under the new guidance.

Until formal adoption in 2017, companies must disclose the anticipated effect the new standard will have on their financials, so knowing the magnitude of the change is a critical initial step. It could lead to adjustments in processes and affect how contracts are drafted. Moreover, companies need to have this type of data around now to decide whether to adopt the standard retrospectively (which will include 2015 financials) or prospectively (beginning January 2017).

The entire endeavor will go beyond the finance department. As we saw with the implementation of the previous revenue recognition standard, possibly business practices and certainly revenue accounting processes and systems will need to adapt to record revenue transactions correctly.

Simplifying matters for private companies: The good news for private companies is FASB’s Private Company Council (PCC), now a year into its Decision-Making Framework for determining the situations when private companies can use an accounting alternative, issued four PCC-consensus ASUs in 2014. With the goal of simplifying accounting and reporting for private companies, these new ASUs should reduce private companies’ cost of compliance.

      • 2014-02: allows private companies to evaluate goodwill impairment when a triggering event occurs rather than annually.
      • 2014-03: provides a simpler method of accounting for derivatives.
      • 2014-07: provides a simpler alternative than the variable interest entity (VIE) model for accounting for leases under common control.
      • 2014-18: hot off the FASB presses in time for Christmas, this ASU simplifies private company accounting for intangible assets acquired through a business combination.

Preparing for public-company life: Depending on your viewpoint, there has been a positive effect of the reduced reporting and SOX compliance provisions from the JOBS Act in the increased number of IPOs in 2014 (a 44% increase over the number of 2013 filings). And IPO and follow-on public market financing activity don’t seem to be tailing off so far as we start 2015, particularly in the Bay Area.

But before private companies rush to Wall Street, they need to remember that despite a one-year exemption from the requirement to have their auditors sign off on SOX, management must still include their own assertion regarding internal controls in SEC reports beginning with the second 10-K and will want to have effective internal controls way before then. The auditors will still want to get comfortable in knowing management is doing what they say they’re doing. (For more about braving the new world as a post-IPO business, see our recent intelligence report, Ensuring a smooth ride as a newly public company.)

Getting ready for the audit: Finally, the auditors also received their own flurry of new rules and warnings from the Public Company Accounting Oversight Board in 2014. Companies will end up feeling the effect as those changes trickle down, leading auditors to deepen their focus as they review certain accounting methods. The PCAOB has stated the new audit requirements and alerts were issued in response to insufficient audit procedures in areas that have a higher risk for misstatements and the incidence of deficiencies.

There is a new audit requirement surrounding transactions and financial relationships with related parties, including executive officers, as well as requirements that strengthen the auditing of significant unusual transactions.

Two new practice alerts were issued in the fourth quarter of 2014. One dealt with auditing revenue, specifically testing recognition and timing, evaluating the presentation (gross vs. net), internal controls, and the risk of fraud. Additionally, the alert addresses the application of audit sampling and analytic testing procedures.

The second alert reminds auditors about PCAOB standards related to auditing “going concern” with regard to the application of updated accounting and reporting guidance. The PCAOB’s agenda for 2015 includes a project to consider updating the auditing standard.

Companies will still need to be ready for the increased scrutiny by the auditors of their 2014 results as a result of the alert issued late in 2013 that seemed to sneak up on them as they went through audits last year. Be ready for testing of review controls, controls over system-generated data and reports, and management’s evaluation of identified control deficiencies.

We all recognize that the pace of change keeps accelerating and isn’t likely to slow down in 2015. Staying on top of what’s new and what applies to our specific situation requires quite a bit of focus. It is part of what makes your finance and accounting folks such valuable members of the team.

Julie Gilson is a senior consultant with RoseRyan and a CPA (inactive) with over 15 years working in finance and accounting with fast-moving public and private technology companies.

It’s that time of year again. Remember last year, after the auditors came and went, when you promised yourself next year would go a lot smoother? Well, here we are, with an opportunity to set up all of your department’s information as organized and as clean as possible so that you can keep any bumps between your team and the audit team to a minimum. To help with this process, I have put together a list, primarily for accounting managers, to prepare for the year-end audit.

Be sure you are on the same page as the auditors: Every quarter, you have provided documentation per the audit request list (also known as PBC, or Prepared by Client). Check with the auditors that they will be using the data that you’re taking the time to put together for them. Oftentimes, those of us who are tasked with working with auditors find out only after we have provided a schedule with multiple tabs of information that they will not be using those tabs. They may instead rely on other data points they have collected over the year or they are just not fully aware of the additional information. Communication here will prevent everyone from wasting time.

Take a look back at the past year: In the preparation of year-end, review the information that was provided to the audit team on a quarterly basis as well as any comments the auditors or your internal SOX team made afterward. Keep in mind quarterly reviews do not necessarily find all issues or errors. They are more likely to crop up during the year-end, when the audit team really digs into the details.

Check your work: When creating the year-end schedules, look at the logic of the worksheet, the formulas used in each calculation, and verify the totals match the financials. Hint: if using Excel, select the “formulas” tab and select the “show formulas” option. This will change the worksheet from showing the resulting number to the formula used in each cell. Look for any changes made since the last quarter’s review in methodology, calculations, method of gathering the data (because of a different report or an updated system), or presentation on the schedule. Then, if you are the person creating the audit schedules, have someone else take a look who is familiar with the process. That person will probably find little things that you didn’t see simply because you are too familiar with the information.

Address any mistake in the schedule ahead of time: If a discrepancy is found during the internal review process, create a new year-to-date schedule by quarter with the changes identified, documented, and quantified. Discuss your findings with management so they can determine if the changes are material and how best to communicate them with the audit team.

Be organized: Make an audit binder or a folder on your secured internal site with the schedules and any information that would help someone else prepare them. Keep track of when you submit your schedules to the audit team and what version you give them. If there are any questions, you will both need to be looking at the same schedule.

Don’t forget about the effect on the first-quarter review: Lastly, when creating your first-quarter review schedules, verify they contain any updates from the year-end review – both yours and the audit team’s. In other words, don’t automatically pull the previous first quarter schedules to use.

These tips will hopefully make your audit process much smoother than last year. For more information about this topic, check out our intelligence report Audit time? Don’t sweat it.

Monica Zorn is a member of the RoseRyan dream team. She specializes in controllership issues, reconciliations and audit prep, and SOX.

Accounting for revenue is no piece of cake, and it’s especially true for a lot of Silicon Valley firms. If your rev rec won’t stand up in an audit, you’ve got your work cut out for you.

RoseRyan guru Miranda Chook has seen her share of rev rec fiascos. “Firms with complicated multiple-element agreements can really get tripped up,” she says. “They don’t have or haven’t consistently applied the proper accounting treatment for their various revenue streams. After awhile, they’re really in the weeds. They’ve closed a lot of deals, but they’ve documented them in incorrect ways. Now the audit needs to happen. Panic!

“What companies need is an auditor-approved treatment that covers all revenue types. Then they need to go back and apply industry-specific GAAP literature to deals. Once the accounts are clean, they need a template going forward so they don’t get in the weeds again.”

If rev rec is the bane of your existence (or just a nagging worry), rest easy—it’s one of the things we live for. Find out how we helped one high tech firm rectify its revenue accounting and come through an audit with clean books and a user-friendly rev rec template.

We’ve seen audit delays wreak havoc on implementation of business plans and make financing a costly affair. Why? Companies failed to undertake a pre-audit review to pinpoint problems and make recommendations for solving them, as well as improve efficiency and implement best practices. Once they initiated audits, they failed to collaborate with their auditor to make the process efficient and keep its costs in check.

It doesn’t have to be that way. Our new report, Audit Time? Don’t Sweat It by RoseRyan guru Julie Gilson, will help you speed up your audit summit and plant a clean flag. Its audit preparedness tips will help you work with your in-house audit team and audit firm to address technical accounting issues and missing or messy documentation that could waylay your audit.

Tip #1: Find out how knowledgeable you are about your company’s accounting. Our report asks three questions that will help you figure out whether you need to start talking with your audit firm to vet issues that could cause audit adjustments.

A pre-audit review, followed by audit prep, is key to a timely and cost-effective audit. Check out our report and breathe easy knowing that your audit is no obstacle to your business plans.

The holidays are fast approaching, and with them, all the stress of the season. Santa is making his list and checking it twice, and we accountants can follow his lead to keep a little sanity in our 2012 closeout activities.

Here’s my recommended year-end to-do list:

Account reconciliations—Yes, ideally these were performed on a monthly basis, but if other priorities shunted them aside, now is the time to get them done. And it’s a good idea to review all your current reconciliations to see if any items need resolving before you ring in the new year.

Impairment analysis—Have you attempted to identify indicators that might affect your asset valuation? Have you documented your findings in an accounting memo for your records? No? Get on it!

Inventory of non-routine business transactions with accounting or disclosure implications—If you haven’t already, prepare an accounting memo summarizing each of these transactions, and for each, outline the accounting policy and its basis in GAAP. It’s best to prepare these memos close to the time of the transaction, while the information is readily available and the details are fresh in your mind, but if other demands took precedence, catch up—before you close your books and invite your auditors in.

Revenue recognition—Have you been keeping good documentation for large or unusual transactions? If not, now’s the time to tackle this task. Review your revenue transactions and make sure you have a well-written accounting memo documenting the basis in GAAP for your revenue recognition conclusions. Also, make sure you have copies of the relevant contract or other pertinent information. Is VSOE important to your revenue recognition policy? If so, ensure that you have maintained it by updating or testing it.

SOX annual controls—By definition, these controls are performed once a year. Take a look through your SOX documentation and make sure you have a complete list of everything you need to do. It’s easy for something to fall through the cracks. Speaking of which, do you have SOC 1 reports from all your in-scope third-party providers? Have you reviewed and evaluated them for any adverse impact on your internal controls?

Stock-based compensation accounting—Let’s be blunt: this task is a hotbed of opportunity for things to go awry. If you haven’t been through your equity records with a fine-tooth comb in a while, examine them now. Problems we commonly find range from data entry errors to missing or incomplete paperwork, surprise (at least to the accounting department) option modifications, and unsupported Black-Scholes assumptions. Check out our guide, Stock Options: Do You Have a Problem?to avoid these and related pitfalls.

This list should help you stay on track for a smooth year-end close. Happy holidays!


As inhabitants of Silicon Valley, we’re sure to have been shaken by an earthquake or two. For me, it’s always a reminder of how important it is to have a disaster plan and earthquake preparedness kit ready…for the big one! In the corporate world, there’s also a need to prepare for the inevitable—and that includes the SEC comment letter.

Technically speaking, Section 408 of the Sarbanes-Oxley Act of 2002 requires the Securities and Exchange Commission to review the filings of public registrants at least once every three years. And that review may be sooner if the company has reported a material misstatement, experienced significant volatility in its stock price or been affected by something the SEC deems relevant. Based on its review, the SEC issues a comment letter to start the dialogue with the company. It usually requests supplemental information so that SEC staff can better understand the company’s accounting and disclosures. Depending on the company, its activities and transactions, and the transparency of its disclosures, these letters can include a handful or dozens of comments.

Practically speaking, comment letters are known to hit the CFO’s fax machine just after close of market on an otherwise quiet Friday afternoon. In most cases, the SEC will ask the company to respond to its inquiry within 10 business days.

Instantly unsettled, corporate executives respond frantically (and sometimes in a panic), racking their brains about who they should call and assessing whether voicemails will be returned before the weekend. Then their minds wander to the level of risk inherent in the accounting and disclosures contained in their filings. And finally, they’re left asking, “What now?”

It doesn’t have to be this way. Creating an SEC preparedness plan can save time and money and is scientifically proven to lower stress levels.

Creating your emergency plan

It’s a given that responding to SEC inquiries requires time, resources and efficient project management capabilities.

First, create a SEC review preparedness folder on your company’s intranet—it should include copies of the following documentation:

  • All technical accounting memos, whether written by the company or your auditors
  • Correspondence with your auditors and legal counsel regarding key accounting and disclosure decisions
  • Any materiality assessments that were performed for evaluation of errors, disclosures and the like
  • Documentation regarding key transactions, including impairments, business acquisitions and restructuring activities
  • Restatement documentation (if applicable)

Having reviewed and assisted in the response to hundreds of SEC comments, I’m still amazed by how much time can be spent tracking down the information needed to respond.

Second, create a tactical plan that identifies who should be engaged in the response and how efforts will be coordinated. Comment responses should be both thoughtful and careful—you can’t do that if you’re in panic mode.

Consider the following steps:

  1. Coordinate a call with key accounting members, legal counsel, outside legal advisors and your auditors.
  2. Create a “response team,” which may include both accounting and legal personnel, capable of drafting responses.
  3. Develop a timeline, including when information will be gathered and when responses are due, allowing enough time for review.
  4. Determine who should be engaged in the review. Legal counsel and the auditors are a given, but what about your disclosure committee and board of directors?
  5. Assign a project coordinator to consolidate comments and keep everyone up-to-date and on schedule.

With key information at your fingertips and a tactical plan in hand, you won’t be shaken when the big one arrives.



Is your internal audit plan working at cross purposes with your company strategy? Missed communication opportunities may make it appear that way. I was drawn to that observation in Aligning Internal Audit: Are You on the Right Floor? a new PwC white paper that suggests that the role of internal auditors is changing as stakeholders increasingly appreciate their risk management contributions.

Internal auditors add value to their companies by identifying risks as business strategies evolve. That value is diminished if they’re unaware of key decisions taken on the top floor. The objective of a program audit will change if, for example, the company is divesting itself of the program. Bottom line? Seeking strategy intel is vital to earning respect for internal auditors.

Communication style is the other key to helping execs view internal auditors as team players. When reporting results, consider the audience. That means headlining findings for top brass. All the gnarly details should be readily available for anyone who wants to wade through them, but spend your face time (or devote your report cover memo to) identifying the items of concern and your recommendations for dealing with them.

Internal auditors typically have access to all areas of their company. That perspective means that occasionally you’ll have good news to share—for example, efficiencies that can be implemented. The tone with which you communicate this information is just as important as the tone you take in delivering news about potential risks. Buy-in for your suggestions has a lot to do with the way they’re delivered.

Like tone, timing is crucial to maintaining trust with the rest of the company. If you want your audience to become defensive and view you as an adversary, just try springing all your concerns at the end of an audit. As a general rule, keeping business owners and execs informed as you find issues makes for a relationship of respect. No one wants to be blindsided by a problem with no corrective plan in sight.

Finally, weigh your communication options. You may have noticed, as I have, that voice inflections don’t register in digital formats, so sending an email may not always be the best choice. Sometimes picking up the phone or meeting face-to-face enhances communication, and improving the lines of communication within your company is a key step in identifying the risks it faces.

The passage of the Sarbanes-Oxley Act 10 years ago dramatically improved corporate governance in U.S. companies, restoring investor confidence in U.S. capital markets in the wake of headline-making accounting blowups (Enron, WorldCom, et al). SOX instituted rules on the composition of audit committees, established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of audit firms and spelled out civil and criminal penalties for CEOs and CFOs. But when SOX is mentioned, most people immediately think of Section 404 (internal controls over financial reporting), which continues to take heavy criticism—not always deservedly.

Initially, implementation of SOX 404 was difficult, cumbersome and expensive. Companies had to formalize their system of internal controls over financial reporting and invest resources in designing, documenting and testing the effectiveness of controls, even in areas that would not reasonably give rise to a misstatement of financial results. Over time, though, the rules were revised and both managers and auditors learned how to apply judgment to principals-based regulations and develop supportable positions. Companies incorporated internal controls into their normal workflow and created cost-effective programs to improve the integrity of their financial reporting. A November 2009 study published by Audit Analytics found that the rate of financial restatements was 46 percent higher for companies that did not comply with all of the SOX internal control provisions than for companies that did.

Some companies comply with the letter of the law, but do not embrace the spirit of SOX 404, viewing it as a check-the-box exercise. They use lower standards of evidence (for example, inquiry only rather than re-performance), and their SOX testing is neither meaningful nor insightful. That means their results are not informative. This approach would not pass muster under an independent audit, and since all but the smallest public companies (those with less than a $75 million public float) have been subject to audit attestation, most public companies have ended up with meaningful SOX results.

Now, recent developments are sending conflicting messages about the direction of SOX rules.

The JOBS Act granted a five-year exemption from SOX audit attestation for newly public companies with less than $1 billion in revenue—a huge swing in the direction of more leniency.

In the other direction, PCAOB reviews of Big Four audit firms have led auditors to ask for more robust documentation of internal controls and more thorough testing of the data used to support the effectiveness of controls. And COSO, which publishes the most widely used framework for designing and assessing internal controls, has issued an exposure draft of an updated internal control framework intended to address changing technology and globalization, as well as to provide greater clarity on designing and maintaining an effective system of internal controls. Given that the draft runs to more than 500 pages, reviewing, revising and implementing the guidance from the new framework is no small undertaking.

So where are we headed? My fear is that we are taking a big step backward. By exempting some companies from SOX audit attestation, we turn a blind eye to ineffective internal controls and erode investor confidence in financial statements. At the same time, the updated COSO framework and requirements for more robust SOX documentation seem to be pushing nonexempt companies back to the difficult, cumbersome and expensive path, without any increase in financial statement integrity. Neither of these directions is in the best interest of companies or investors.

Should you ask your audit committee to evaluate your XBRL files for completeness, mapping, accuracy and structure under an agreed-upon procedures (AUP) engagement in accordance with the principles and criteria set by the AICPA? I get asked this question all the time, especially by companies whose limited liability is expiring. But everybody should consider AUP for their XBRL.

Why? In the absence of a mandatory audit assurance, an AUP engagement helps ensure that XBRL data brings meaningful value and transparency to the investment community.

Even if your audit committee has adopted a wait-and-see attitude, analysts and investors may be making investment decisions about your company that may be based on substandard and inconsistent data quality. For example, the SEC found several significant and recurring errors by large accelerated filers during the first two months of 2011. The most prevalent data-quality issues revolved around negative values, extended elements and tagging completeness.

Says XBRL US: “In the over 14,900 XBRL submissions to date, over 145,000 data issues have been identified related to the use of the XBRL US GAAP Taxonomy. These inconsistencies include incorrect signs, missing concepts and concepts used incorrectly.“

While a formal AUP is not required, it is best to have a mock AUP environment that ensures compliance of your XBRL-formatted information. A recent trend is for companies to leverage their internal audit function or professional service firm to implement a mock AUP environment to be better prepared for the formal AUP engagement.

What exactly is AUP?
First, an AUP engagement doesn’t deliver an audit opinion. The practitioner performs agreed-upon procedures and assessments, and then reports findings, alternatives and recommendations in a letter to management and the audit committee.

An AUP ensures the completeness, accuracy, proper mapping and structure of your XBRL files. These are the four important aspects of XBRL, according to the AICPA’s latest exposure draft for the XBRL process. Here is what an AUP engagement covers.

Completeness Do you have a procedure to ensure that all required source information is tagged in XBRL? For example, a few commonly missed tags are significant accounting policies embedded throughout footnotes, spelled out amounts and superscript footnotes.

Mapping Even though finding data-quality issues on proper mapping can be aided by software-assisted search and benchmarking analytical tools, at the end of the day, this core process can be subjective: choosing the narrowest tag and assessing materiality can be an art rather than a science. Likewise, the SEC considers mapping to be the most critical part of the XBRL quality control process, but there are no software tools that can detect this type of error prior to filing.

Accuracy Even if common data-quality issues, such as negative values, are flagged by software tools, you still need to assess their validity based on financial facts and the specific circumstances for comparative quarters and year-to-date periods.

Structure Technical validation errors of this type tend to be black-and-white and can be detected by third-party SEC and EDGAR validation tools prior to submission to the SEC.

AUP = quality assurance = market value
Whether you have a built-in versus a bolt-on XBRL solution, you need quality assurance over your XBRL data. Some AUP steps can be accomplished with software tools, while other procedures require professional judgment. Automated tools can only help you so much in highlighting inconsistencies and the usual suspects. Ultimately, you need to tell your company’s story by choosing the tag that best maps to the underlying transaction and translates that fact into meaningful information.

Because investors rely on your XBRL data to make investment decisions, it is ultimately your responsibility to avoid errors before they are disseminated to the public. Aside from compliance, the real benefit of XBRL is increased transparency and comparability, which can in turn increase the value of your stock when the analyst community gains more confidence in your XBRL data.

Learn more about RoseRyan’s XBRL expertise.

When I talk with finance executives about implementing XBRL, nearly everyone asks, “What will auditors be looking for? Do they care about XBRL?” The answer is no, they don’t. But they do care about your controls, and that relates directly to how you design and document your due diligence in XBRL creation process. Ultimately, as XBRL gets built into your close process, the more it may start to fall into the SOX environment.

While XBRL exhibits are not subject to SOX 404 internal controls over financial reporting, they are nevertheless subject to disclosure controls and procedures (DC&P). This means that management is responsible for the implementation of controls over the XBRL creation process as well as documentation that the DC&P are performed and reviewed. How can companies provide evidence to their auditors that management, including the CEO and CFO, have evaluated the effectiveness of the design and operation of DC&P?

To design proper DC&P controls, you first need to ask, “How do you know your XBRL files are complete, accurate, consistently mapped and comply with the mandated XBRL structure?” A best practice is to develop an XBRL technical and compliance checklist to document every aspect of your XBRL creation process, from taxonomy mapping and appropriate extensions to common error reviews, technical and SEC validations, structure compliance issues. You may also want to involve your disclosure or audit committee in the review and consideration of your DC&P process and get them on board with your XBRL strategy.

As XBRL technology becomes more embedded into your overall financial reporting process and integrated into the creation and preparation of your financial statements, XBRL controls may start to fall within the scope of SOX 404. As this happens, you should reevaluate your XBRL controls under SOX 404 framework.