When SOX was first invented, we all struggled to figure out what companies were supposed to be doing, and what auditors were expecting to see. All this happened while the auditors were trying to follow new audit rules just as their new regulator (the PCAOB) came into existence. We were all stumbling around together.

AS2 came out with principles-based guidance—and was the shortest auditing standard in history. It threw everything into the auditors’ scope regardless of materiality, and created a lot of work for dubious value. And a lot of expense.

Along came AS5 to replace that standard, with an attempt to focus auditors on items that could reasonably give rise to a material misstatement. Use professional judgment was the message. That helped settle things down for a while … until the PCAOB started failing audit firms in the inspection process, citing deficiencies in its reviews of internal control over financial reporting.

The audit firms pushed back, and the PCAOB pushed harder. All the pushback was occurring behind the curtain. Companies were often left in the dark about priorities and expectations. And disagreements over what should be in scope of the audit have persisted.

Interpretations in flux

Over a decade after SOX’s passage, a mismatch in expectations continues. The interpretation of the rules keeps evolving. The new directives aren’t always official but are instead happening piecemeal, audit firm by audit firm, and sometimes even engagement team by engagement team. Companies have often been caught unawares of new changes, not realizing that the bar had been raised.

Most of this direction has stemmed from inspection findings. Audit firms are in the unenviable position of delivering the news to their clients about what the PCAOB inspectors find, and companies understandably cry foul that it’s not helpful to have them change their ways “after the fact.” When it comes to audits, no one likes surprises.

The upsides of SOX

Years of SOX compliance have resulted in positive progress. The way companies design controls is far different today than the early days—and how they evidence the execution of controls has matured as well. We see that companies have integrated SOX into their operations—it is not some “thing” off to the side, separate and apart from ongoing operations. And real, tangible benefits are being derived from it. Financial statements are more reliable. There are more checks and balances in place. We see a better defined “tone at the top”—there’s clear integrity and transparency in how SOX-compliant companies do business.

We’ve also seen companies becoming more mature in their operations and documentation of accounting entries. In the past, we were more likely to see journal entries with no supporting documentation. Or we’d find that reconciliations were performed but nobody reviewed them. Now, the level of documentation produced and retained is more robust, and there is more scrutiny of the underlying data itself.

What do they want?

Still, it’s not always clear whether companies are living up to their auditors’ (and their auditors’) expectations. In 2013, some light shone through when the PCAOB released an audit alert following three years’ worth of serious deficiencies in internal-control audits. The general public finally got to hear what the inspectors were seeing beyond their vague inspection reports. The PCAOB expected to see more proof that the auditors were doing what they are supposed to be doing while reviewing internal controls, and those demands have trickled down to the auditors’ clients.

Here’s one example of how it plays out now: When auditors want to look over management review controls (controls that help management identify errors), they need to understand them and then test to see if they are operating at a precise enough level to detect a material misstatement. The potential snafu here is that management documented their review in accordance with their own needs, not the auditors’. The auditor will want sufficient evidence to prove what management looked at, what was investigated and how it was resolved.

Management does not need a stack of paperwork to perform a meaningful budget-to-actual analysis and be comfortable that there are no material misstatements. But auditors want to know for sure that the analysis was done and thoroughly reviewed or else they are hard-pressed to place reliance on that control. Ten years ago, a simple signature on a page was often sufficient evidence. Not so today.

At times it seems audit requests are coming from a “one size fits all” approach rather than a tailored approach based on specific facts and circumstances. Companies end up feeling a need to pile on the documentation to make future audits easier but on areas that have little connection to the possibility of a material misstatement.

What’s next

How the PCAOB goes about its inspections could change. In May, the PCAOB revealed that it may go about the selection of audits to review differently, shifting from a risk-based focus to taking some audits at random (as it is now, the PCAOB tends to review the riskiest/most complex clients in a company’s portfolio).

That change may not address the issue of mismatched expectations but it will certainly get the conversation going, which isn’t a bad thing. As usual, the devil is still in the details. What matters to the regulator—and the firms it audits—will continue to evolve as precedents get set and the bar gets raised. Some areas, such as cybersecurity risks, could attract more focus.

Here’s the bottom line: The evolution could all be for the better, as long as we can use judgment about what adds value and what is merely checking off boxes.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. She was recently asked by ComplianceWeek for her take on the “new normal for internal controls.” Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

A flurry of effective dates, interpretive guidance and new rules—companies are processing a lot of information coming their way from the Financial Accounting Standards Board and the Securities and Exchange Commission. Some of the changes have been in the works for ages (we’re talking about you, revenue recognition), and now there are overlapping implementation periods and many, many questions on the part of finance teams that need to put all these rules into place. Is your head spinning yet?

Finance professionals not only need to make sense of the rules, but they also want to know what their auditors think of them and how their peers are going to approach them. For the accounting change biggies—like the new leasing standard—some companies will need to revisit their internal processes and they’ll have some tough choices to make on how they’ll proceed (Should any contracts be changed? How much do investors need to know now about the potential effect on the company’s balance sheets?). The impacts will vary by company and can vary widely. Some companies are getting surprised by how much.

We’ve noted before that FASB has been in the process of clearing to-do items off its own agenda and dumping them onto finance teams’ plates, making this the time to get a handle on it all. That’s why we have developed a 90-minute webinar for senior finance executives called “Demystifying the latest accounting rulings—what finance leaders need to know” so they can get a grip on what’s happening and how to deal with it. This online event will break down the newly effective standards and proposals from FASB plus updates from the SEC and the Public Company Accounting Oversight Board. Senior consultant Diana Gilbert, who leads our Technical Accounting Group, will guide you through it on Thursday, June 2, 10:00-11:30am PT. Read more about this webinar and register here:

Get ahead of these changes. With looming, varied effective dates, you’ll need to prioritize and understand the impacts, all while keeping watch for more updates coming down the pike.

There’s a tension for finance organizations that go public. Throughout the year, they are faced with new rules from accounting standard-setters, new guidance from accounting firms and new direction by regulators that could affect them directly.

Last year was no different as the Financial Accounting Standards Board issued 17 Accounting Standards Updates (ASUs), up from 12 in 2013, including a real biggie (the new revenue recognition standard), and the regulators continued to be active and forceful. On top of this, privately held companies are getting more rules sent their way, and an increasing number are considering whether they too should get involved in the public markets.

No matter where your organization lies in its cycle—whether you’re in a startup or a fully fledged publicly traded company past the early, shaky days of trading—you have many issues to face in the coming year as your team puts together its financial reports and communicates with investors. Here are recent changes you should keep in mind, depending on your situation:

Taking on the new revenue recognition rule: By now companies should be past the evaluation stage and their plan to implement should be nearing completion. They should start tracking their transactions to see how they’ll play out under the new guidance.

Until formal adoption in 2017, companies must disclose the anticipated effect the new standard will have on their financials, so knowing the magnitude of the change is a critical initial step. It could lead to adjustments in processes and affect how contracts are drafted. Moreover, companies need to have this type of data around now to decide whether to adopt the standard retrospectively (which will include 2015 financials) or prospectively (beginning January 2017).

The entire endeavor will go beyond the finance department. As we saw with the implementation of the previous revenue recognition standard, possibly business practices and certainly revenue accounting processes and systems will need to adapt to record revenue transactions correctly.

Simplifying matters for private companies: The good news for private companies is FASB’s Private Company Council (PCC), now a year into its Decision-Making Framework for determining the situations when private companies can use an accounting alternative, issued four PCC-consensus ASUs in 2014. With the goal of simplifying accounting and reporting for private companies, these new ASUs should reduce private companies’ cost of compliance.

      • 2014-02: allows private companies to evaluate goodwill impairment when a triggering event occurs rather than annually.
      • 2014-03: provides a simpler method of accounting for derivatives.
      • 2014-07: provides a simpler alternative than the variable interest entity (VIE) model for accounting for leases under common control.
      • 2014-18: hot off the FASB presses in time for Christmas, this ASU simplifies private company accounting for intangible assets acquired through a business combination.

Preparing for public-company life: Depending on your viewpoint, there has been a positive effect of the reduced reporting and SOX compliance provisions from the JOBS Act in the increased number of IPOs in 2014 (a 44% increase over the number of 2013 filings). And IPO and follow-on public market financing activity don’t seem to be tailing off so far as we start 2015, particularly in the Bay Area.

But before private companies rush to Wall Street, they need to remember that despite a one-year exemption from the requirement to have their auditors sign off on SOX, management must still include their own assertion regarding internal controls in SEC reports beginning with the second 10-K and will want to have effective internal controls way before then. The auditors will still want to get comfortable in knowing management is doing what they say they’re doing. (For more about braving the new world as a post-IPO business, see our recent intelligence report, Ensuring a smooth ride as a newly public company.)

Getting ready for the audit: Finally, the auditors also received their own flurry of new rules and warnings from the Public Company Accounting Oversight Board in 2014. Companies will end up feeling the effect as those changes trickle down, leading auditors to deepen their focus as they review certain accounting methods. The PCAOB has stated the new audit requirements and alerts were issued in response to insufficient audit procedures in areas that have a higher risk for misstatements and the incidence of deficiencies.

There is a new audit requirement surrounding transactions and financial relationships with related parties, including executive officers, as well as requirements that strengthen the auditing of significant unusual transactions.

Two new practice alerts were issued in the fourth quarter of 2014. One dealt with auditing revenue, specifically testing recognition and timing, evaluating the presentation (gross vs. net), internal controls, and the risk of fraud. Additionally, the alert addresses the application of audit sampling and analytic testing procedures.

The second alert reminds auditors about PCAOB standards related to auditing “going concern” with regard to the application of updated accounting and reporting guidance. The PCAOB’s agenda for 2015 includes a project to consider updating the auditing standard.

Companies will still need to be ready for the increased scrutiny by the auditors of their 2014 results as a result of the alert issued late in 2013 that seemed to sneak up on them as they went through audits last year. Be ready for testing of review controls, controls over system-generated data and reports, and management’s evaluation of identified control deficiencies.

We all recognize that the pace of change keeps accelerating and isn’t likely to slow down in 2015. Staying on top of what’s new and what applies to our specific situation requires quite a bit of focus. It is part of what makes your finance and accounting folks such valuable members of the team.

Julie Gilson is a senior consultant with RoseRyan and a CPA (inactive) with over 15 years working in finance and accounting with fast-moving public and private technology companies.

When I cofounded RoseRyan (then known as Macias & Ryan) in September 1993, the Internet was just taking off. The word “global” had a different connotation. Cell phones (if you even had one) were the size of bricks. The “cloud” was in the sky. In many ways, it was a simpler time for accounting and finance.

In the 20 years since, we have weathered two economic downturns and countless changes in accounting rules, governance and oversight. Corporate abuses gave us Sarbanes-Oxley, AS2 and AS5, the PCAOB and the Dodd-Frank Act. Business changed, and continues to change, at exponential rates of speed. We have a truly global economy, blazing technology advancements and exciting new ways of doing business.

This all means that the staid and boring world of accounting has become anything but. We have addressed changes with far-reaching implications in the areas of stock-based compensation, accounting for derivatives, business combinations, fair value measurements, codification and accounting for leases, and we’re now facing brand-new ways to look at recognizing revenue. (FASB promises it will be final any day now.…)

CFOs and their teams have had to step up their game. In addition to understanding and implementing new and complex accounting principles, they are rightfully taking on a more strategic role as leaders in the business. No longer are CFOs expected to be just the keepers of historical financial statements and budgets; they also need to understand their business and market trends, and strategically and systematically increase the value of their company. Not easy tasks, but certainly challenging and exciting in today’s dynamic market.

While the finance needs of Bay Area companies have changed, the fundamentals of RoseRyan’s business have not. As in 1993, in 2013 we are dedicated to attracting and retaining top-notch professionals, and to providing an environment where our consultants are challenged but also able to enjoy a personal life. This allows us to provide exceptional finance and accounting solutions to our clients, giving them the right people with the right skills at the right time.

No matter what the level of their assignment, every RoseRyan consultant rolls up their sleeves to get the job done—and they look beyond the cubicle to provide best practices, advice and objective opinions derived from their years of experience. We call ourselves “gurus” because we strive to be leaders and mentors for our clients and one another.

We’ve worked with more than 700 clients at RoseRyan, and they have made for an exciting 20 years. It has been a great time to work with companies in the technology and life sciences industries, participating in the myriad of changes that have taken place and watching companies go up and down—and sideways. What’s most exciting is that we are often with clients through their corporate life cycle. For example, I started with one client as CFO when they were in an incubator. We shepherded them through two-plus years of fast growth as their outsourced accounting department. We later helped them with revenue recognition issues, stock-based compensation and audit support. Finally, as they neared their exit, we helped with financial forecasting, due diligence and integration with the eventual acquirer. We were with the company for over eight years, and it was rewarding to understand their business, walk with them through the ups and downs, and celebrate their successes.

RoseRyan would not be where it is today without our amazing clients or our consultant gurus. I am very proud of all of them, and I am pleased that RoseRyan helps both clients and our employees thrive. They are a huge part of why I think the Bay Area is a great place to work, to learn, to live. I give heartfelt thanks to all who have made the past 20 years possible. We’re looking forward to the next two decades!

In my pre–Sarbanes-Oxley days, I worked with companies where it was tough to get audit committee members to attend meetings, and many of those meetings were check-the-box exercises without real value. The Sarbanes-Oxley Act changed the landscape significantly. Among other things, SOX clearly laid the responsibility for overseeing external audits on the shoulders of the audit committee—and now we are seeing increased focus on how the audit committee manages the external auditor.

Two documents recently issued by the SOX-created Public Company Accounting Oversight Board, which oversees the audits of public companies, focus on one aspect of that management: communication. The first, AS 16, Communications with Audit Committees, is aimed at increasing the relevance and quality of communication between audit committees and external audit firms. The second, Release No. 2012-003, Information for Audit Committees about the PCAOB Inspection Process, provides guidance on conversations that audit committees may wish to have with their external auditors.

A little background may be helpful. Each year, the PCAOB conducts inspections of audit firms. These inspections ascertain how the firms under review conducted their audits—in essence, whether their audit opinions were sufficiently supported by the facts. They also determine how committed the firms are to quality control—basically, whether they meet professional standards.

Release No. 2012-003 suggests some questions for an audit committee to ask its external auditor, including the following:

  • Has my audit been selected for a PCAOB review?
  • Have other companies similar to my business been selected for review?
  • What issues did these reviews raise?
  • What were the review findings?
  • If deficiencies were uncovered, how is the audit firm remediating them, and how will those efforts affect our company?

Be skeptical if your external auditor suggests that an issue identified was a documentation problem or a matter of professional judgment. You may find it difficult to imagine that your auditor did not gather sufficient evidence to form an opinion when your management team feels like it’s being audited to death—but perhaps this is an opportunity for some candid discussion. A benefit of talking with your auditor about the PCAOB inspection results is to gain more insight about issues the PCAOB is seeing across the profession, and to learn how you might be impacted by those issues and ways to get a leg up on proactively addressing them.

Audit committees are becoming more proactive in managing relationships with external auditors and in evaluating auditor performance—think quality of services and adequacy of resources. Ensuring the audit firm’s independence, objectivity and professional skepticism hinges on good communication.

Everyone supports a single set of global accounting standards, and there is a big spotlight on the United States and its pending decision process to adopt or incorporate IFRS into its reporting structure. However, there is a lot more to achieving global accounting standards than just adoption of standards.

The United States does not hold the key, as many indicate in their comments to an SEC staff paper (PDF) that proposes one possible method of incorporation of IFRS in the United States. (The paper was released in May; the comment period officially closed July 31.) Respondents point out that ensuring that the principles-based accounting guidance is consistently applied is up to regulatory agencies and others responsible for oversight of the financial reporting in jurisdictions around the world.

“Among other things, differences in language (and translation), culture, reporting cycles, legal and tax systems will unavoidably affect how global accounting standards are interpreted and applied to some degree,” Financial Executives International (FEI) comments point out.

PricewaterhouseCoopers responded with concerns regarding consistent application. Its comments state, “achieving the vision requires both the adoption of IFRS in all significant capital markets and enhanced cooperation and coordination among national regulators, the International Accounting Standards Board (IASB) and its interpretive body, preparers, and auditors in order to facilitate the consistent application of IFRS.”

The American Institute of Certified Public Accountants sounded a similar note in its response, encouraging the Public Company Accounting Oversight Board (PCAOB) to pursue greater harmonization of auditing standards with its international counterpart, the International Auditing and Assurance Standards Board.

Even the IASB itself acknowledges this issue. In April, the IFRS Foundation issued its Trustees’ Strategy Review report (PDF) on its ongoing strategy as a global accounting standard setter, in which they identified steps to help ensure the consistent application of IFRSs. These steps include:

  • Provide additional application guidance and examples.
  • Work with securities regulators, audit regulators and other standard setters to identify divergence in practice and consider improvement to standard or interpretative guidance.
  • Enlist IFRS Foundation to education and content services aimed at promotoing consistent application.
  • Indentify jurisdictions where IFRSs are being modified and encourage transparent reporting of divergence.
  • Seek assistance from other public authorities to assist in achieving this objective.

So while the world sits and waits for the United States to hurry up and make a decision about incorporation of IFRS, there is still a lot that could be done by other agencies to promote a single set of global accounting standards.