Posts

, , , ,

4 things no one’s telling you about SOX compliance

The JOBS Act granted some relief from the burdens of SOX for emerging growth companies, and while any relief was most welcome, the changes brought on some confusion. And it hasn’t abated even three years later. There’s so much for newly public companies to do as they gear up for their intro on the markets and so much they have to do afterward to be in compliance with the new overseer in their life (the SEC). Working in the middle of an active IPO market, we often get questions about what a newly public company actually needs to take care of to be in compliance with SOX under the JOBS Act.

I’ll get to that in just a moment. First, here’s a quick refresher. The JOBS Act granted a temporary exemption (generally five years, depending on certain factors) from SOX 404(b)—the requirement for external audit attestation on internal controls over financial reporting for so-called emerging growth companies (i.e., practically any Silicon Valley company that’s on the go-public track). There is no exemption from SOX 404(a)—management’s report on internal controls over financial reporting. For any new public company, regardless of size, management is responsible for designing effective internal controls over financial reporting, for testing the effectiveness of those controls, and reporting their take on them beginning with the company’s second 10-K.

There’s a good intent behind all this: Whether you are exempt from audit attestation or not, you still need to report accurate financials. Internal controls over financial reporting should prevent material misstatements in your financials. A restatement of financials would be disruptive to your business, demoralizing to your team and very expensive. Where compliance become a hairy endeavor is in the details. It’s not something you want to put off until the 11th hour before that second 10-K is due. And you don’t want to be blasé about the whole matter just because the auditors won’t be looking at this area until the five-year mark goes by.

After working with companies for years on their internal controls, we have some practical advice that’s useful for both newly public and soon-to-be public companies:

Expect a culture shift. The typical entrepreneurial mindset that pits “nimble, innovative and responsive” as the polar opposite of “discipline and documentation” should change. The attitude that helped create your success needs to evolve to a more disciplined state for this next phase of your organizational development. This, more than anything, can be the biggest challenge of SOX compliance. Approach it as a “check the box, bureaucratic nightmare” and that is what you likely will end up with when you’re done. View and treat SOX as a value-add contribution to the success of your business and you may be surprised by the value you get.

Map out your SOX timeline before you go public. The second 10-K sounds so far away, but it will sneak up on you. You’ll need to ideally have your first round of testing finished in the first or second quarter of the year prior to your second 10-K—that gives you time to remediate and retest before the end of the year. Work backwards from there, keeping in mind other business priorities, such as new system implementations, audit timelines, vacation schedules and other deadlines. Your SOX timeline needs to build in the design, testing and reporting aspects—and you need to manage all that while the business evolves and your first rounds of SEC reporting deadlines create their own challenges.

Design your controls. Take advantage of the processes you already have in place, and identify your existing controls (you might be surprised at how much you already have in place). You’ll need to map to the COSO framework, identify where you already have strong controls and where you need to shore up others. You can develop a “gap list” of controls that need to be implemented and prioritize them so you can work on them over time. Your IT controls and entity level controls need to be addressed as well. The twist for SOX compliance is that not only do you have to have controls, you have to be able to demonstrate that you perform the controls. Reviewing the payroll register isn’t sufficient; documenting your review becomes just as important.

Time to start testing—assume the best but plan for the worst. First-time SOX testing typically has a high failure rate, unfortunately. Most everyone is learning the ropes and still operating under the entrepreneurial mentality of “Let’s get things done fast, and don’t worry about the paperwork.” People may be performing the controls that you have designed but failing to document what they did. For that payroll register review, if the sign-off is missing, it’s hard to demonstrate the review actually happened. On the other hand, some controls may be new, and they may not get done reliably at first; it may take a while for new habits to take hold. “Trust, but verify,” and “test early” will be your mantras, so you can find out who may need more training and which controls are not workable in your environment and need to be redesigned. Remediate and retest. As often as needed.

For more hints on making the transition to a compliant, well-oiled organization, check out our intelligence report on Ensuring a smooth ride as a newly public company.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

/by
, , , , ,

Revenue recognition: Are you in denial?

After more than a decade in the making, the FASB and the IASB finally issued new revenue recognition rules. Now if the boards needed that kind of a runway, how hard will it be for companies to implement? This is what management should be asking themselves.

But I get a sense that some are just in shock and aren’t asking the questions that need to get asked — maybe because they thought the guidance would never be issued or maybe because it’s just one more thing on the corporate plate right now. I get it. When anyone is in a state of shock, they tend to adopt a couple of go-to coping techniques — denial and procrastination. It’s been just over three months since the rules have been issued, and I have been witness to those coping techniques as companies battle implementation shock. What’s developed is a culmination of misconceptions, which we dispel below.

6 common misconceptions about the new rules

#1 The new rules don’t impact my business.
The new rules will apply to all entities that enter into contracts with customers, including long-term contracts and licenses. You cannot determine the impact until you truly evaluate each of your revenue models under the new guidance. Companies should also look ahead to how their business is growing and changing, and consider the new rules in connection with possible changes in their sales models between now and the adoption date. And, at the end of the day, even if your conclusion is “no impact,” you’ll also need to document your evaluation, vet it with your auditors, and update your financial statement disclosures and policy documentation so that they coincide with the new guidance.

#2 The implementation date is far away, so I can afford to wait.
While the standard is effective Q1 2017 for calendar-based public companies, the guidance does not allow for prospective adoption. You have some choices in terms of adoption methodology, but no matter what you decide you’ll still be looking back to 2016 and possibly 2015 if you choose full retrospective adoption…and 2015 is just around the corner. As a result, you will need to assess current contracts and those that commenced several years before the effective date. Then, when you begin to consider systems, processes, financial planning, investor communications, that date will no longer look so far off — especially when you know implementation duties will be in addition to your day job.

#3 Implementation of the new rules is just an accounting exercise.
So many people believe that it’s something that their accounting department will handle. Quite the contrary! Consider the following: debt covenants (treasury), sales incentives (HR), customer contracts (legal), investor communication (IR), systems (IT), and internal controls (internal audit). Companies big and small will need to think operationally where these rules are concerned. A successful implementation should be a collaborative effort across the organization.

#4 The standard only impacts the timing of revenue.
The fact is the new standard is comprehensive and changes the way we look at contracts with customers, the concept of delivery as well as many other aspects of the revenue process. For example, some of the collaboration revenue of life science companies may be excluded from the revenue guidance if the other party to the deal is not considered a “customer.” The new guidance also considers whether there is a financing component when an arrangement extends beyond one year. And any company opting for the modified retrospective adoption approach may have to record a cumulative effect of a change in accounting principle, which means it goes into the “black hole” of retained earnings, skipping the P&L, never to be seen again.

#5 My financial systems are savvy and can handle the rule changes.
With the complexity of contracts, there is no simple “flip-the-switch” scenario that can be employed. All types of revenue models will need to be evaluated. The new standard utilizes estimates and judgments, which can pose challenges in terms of automation. Companies may also want to look at additional reporting functionality to support their estimation process. And with all of this, internal control processes both in and around their system capabilities will need to be reviewed and updated.

#6 These changes always get delayed.
While some of us remember fondly the days when the internal controls part of SOX kept getting delayed, keep in mind that SOX was a U.S.compliance initiative. The new revenue rules, on the other hand, were developed in collaboration with the IASB in an effort to move closer to a single set of global accounting standards. The boards took great pains in developing the new standard and laying down the transition date so that reporting of revenue would be consistently applied on a global basis. So while companies may continue to lobby for postponement, this could result in nothing more than wishful thinking. Investors are going to want their companies to plan ahead — the “wait and see” approach will put delayers at high risk for financial misstatements and delayed filings.

In the face of a sweeping standard that could have extensive implications, it’s easy to understand why anyone would deploy coping strategies and try to look the other way. But as you can see from this list, there’s a lot to be done and only a certain amount of time to get it done right. The best approach is to tackle one step at a time. Start with assessing the impacts to your business — financial, operational and external. Then develop a plan. Knowing what needs to happen and how you can get there is certain to to take you away from the depths of denial to a clear path to compliance.

Kelley Wall leads RoseRyan’s Technical Accounting Group, which provides technical accounting and SEC expertise to public and private companies on complex accounting matters and implementation of new accounting pronouncements.

/by
,

Non-GAAP measures: Do they provide helpful insights or hide the “bad stuff”?

Many companies, especially in tech, supplement their income statement produced under generally accepted accounting principles with a non-GAAP income statement. It’s a practice that has proliferated in recent years as companies want to focus attention on the underlying “run rate” of the business and feel pressured to copy what their competitors are doing. Critics label non-GAAP measures as companies presenting “income before the bad stuff.” It’s true that presenting financials on a non-GAAP basis often has a major impact on the bottom line presented, by doubling a profit margin or turning a loss into a profit (as shown in our chart below).

Does non-GAAP reporting mean a company is hiding poor performance? Or is it providing investors with more information for judging the health of the business?

On balance, more disclosure is usually better. When companies present non-GAAP income statements in a thoughtful way and in good faith, investors will usually prefer the additional information and use the non-GAAP income to calculate P/E valuations. Note that most investment analysts report and focus on non-GAAP results. And the Securities and Exchange Commission has accepted their use as well, as long as the information is not misleading. The regulator outlines how and when companies can share non-GAAP figures with Regulation G.

So non-GAAP income statements look like they are here to stay. Let’s look at the most common areas where companies adjust GAAP numbers to give non-GAAP measures and why such measures have become accepted by both companies and investors.

Stock compensation: These are charges based on employee stock options and purchases that rely on theoretical models of their worth. Probably the most commonly listed adjustment to GAAP numbers, this charge is a lightning rod for criticism that GAAP has become overly conceptual and less relevant. As my colleague Stephen Ambler points out in his blog post “Stock compensation rules mask true operating performance,” stock comp charges are non-cash and can vary significantly depending on stock price and model assumptions, making it near impossible to compare two similar companies. Also, if the stock price declines, the company must continue recording the charges, which were based on the grant date value, even though the options have no value to the employees or to the company from a retention point of view.

Amortization of acquired intangibles: GAAP accounting for acquisitions requires the acquiring company to value the intangible assets of the acquired entity, other than goodwill, at fair value and amortize them over their useful lives. On one hand, the acquiring company paid hard cash or used its valuable stock to acquire these assets, and just as companies depreciate the purchase price of equipment they use in production under GAAP, they also should amortize their acquired intangible assets. They are matching cost with use over time. On the other hand, the amortization is a non-cash charge that the acquired business wouldn’t have shown on its own. To assess the sum of the underlying businesses, it is useful to show amortization removed.

Restructuring: These charges include such items as severance, facility and equipment write-offs, and contract termination costs tied to the resizing or closing of some part of a business. CFOs would prefer to keep the costs of these non-recurring events separate from the ongoing business’s results. Companies do need to be careful, though, that these “non-recurring” charges don’t recur every year or two! To mitigate abuse, Reg G sets rules for what is non-recurring — basically, it is something that hasn’t happened two years before the reporting date and is unlikely to happen in the next two years.

We commonly see the non-GAAP income statement remove other measures as well, such as the amounts paid to plaintiffs and attorneys to settle legal disputes or impairments of intangible assets or goodwill. Again, the rationale is to derive an income number that represents the fundamental ongoing business apart from non-cash charges and one-time events. The value to the investor is that these items are shown separately. The investor can value the company on its ongoing business while noting the size and frequency of these non-cash and non-operating charges.

To GAAP or to non-GAAP?
While investors are open and usually welcoming to non-GAAP income statements, they also value consistency. Companies should not use “good news” non-GAAP items and ignore “bad news.” Consider a company that accrues $1 million for a legal settlement and excludes the charge as a non-GAAP measure. It has effectively created a good news item. But if the actual settlement in a subsequent period turns out to be only $800,000, the company should include the $200,000 difference as a non-GAAP item when it comes time to report it. This difference may be perceived as bad news, but this keeps reporting consistent.

In general, companies should use an approach that relies on both full disclosure and moderation. Reg. G requires full disclosure, of course, including a presentation of the most directly comparable GAAP measure with equal or greater prominence as the non-GAAP measure, as well as reconciliation between the two. As for moderation, the investment community will reward companies that practice it, as moderate, thoughtful use of a non-GAAP income statement will build credibility and respect for the company. Finance pros who do these types of evaluations all the time can help you determine when applying non-GAAP makes sense for a particular situation.

Ray Solari is a member of the RoseRyan dream team. He has served as the CFO/VP finance for private companies and managed SEC reporting for public companies. He began his career at Deloitte. 

/by