The JOBS Act granted some relief from the burdens of SOX for emerging growth companies, and while any relief was most welcome, the changes brought on some confusion. And it hasn’t abated even three years later. There’s so much for newly public companies to do as they gear up for their intro on the markets and so much they have to do afterward to be in compliance with the new overseer in their life (the SEC). Working in the middle of an active IPO market, we often get questions about what a newly public company actually needs to take care of to be in compliance with SOX under the JOBS Act.

I’ll get to that in just a moment. First, here’s a quick refresher. The JOBS Act granted emerging growth companies (i.e., practically any Silicon Valley company that’s on the go-public track) a temporary exemption (generally five years, depending on certain factors) from SOX 404(b)—the requirement for external audit attestation on internal controls over financial reporting. There is no exemption from SOX 404(a)—management’s report on internal controls over financial reporting. For any new public company, regardless of size, management is responsible for designing effective internal controls over financial reporting, for testing the effectiveness of those controls, and for reporting its assessment of them beginning with the company’s second 10-K.

There’s a good intent behind all this: Whether you are exempt from audit attestation or not, you still need to report accurate financials. Internal controls over financial reporting should prevent material misstatements in your financials. A restatement of financials would be disruptive to your business, demoralizing to your team and very expensive. Where compliance becomes a hairy endeavor is in the details. It’s not something you want to put off until the 11th hour before that second 10-K is due. And you don’t want to be blasé about the whole matter just because the auditors won’t be looking at this area until the five-year mark goes by.

After working with companies for years on their internal controls, we have some practical advice that’s useful for both newly public and soon-to-be public companies:

Expect a culture shift. The typical entrepreneurial mindset that pits “nimble, innovative and responsive” as the polar opposite of “discipline and documentation” should change. The attitude that helped create your success needs to evolve to a more disciplined state for this next phase of your organizational development. This, more than anything, can be the biggest challenge of SOX compliance. Approach it as a “check the box, bureaucratic nightmare” and that is what you likely will end up with when you’re done. View and treat SOX as a value-add contribution to the success of your business and you may be surprised by the value you get.

Map out your SOX timeline before you go public. The second 10-K sounds so far away, but it will sneak up on you. Ideally, you’ll need to have your first round of testing finished in the first or second quarter of the year prior to your second 10-K—that gives you time to remediate and retest before the end of the year. Work backwards from there, keeping in mind other business priorities, such as new system implementations, audit timelines, vacation schedules and other deadlines. Your SOX timeline needs to build in the design, testing and reporting aspects—and you need to manage all that while the business evolves and your first rounds of SEC reporting deadlines create their own challenges.

Design your controls. Take advantage of the processes you already have in place, and identify your existing controls (you might be surprised at how much you already have in place). You’ll need to map to the COSO framework, identify where you already have strong controls and where you need to shore up others. You can develop a “gap list” of controls that need to be implemented and prioritize them so you can work on them over time. Your IT controls and entity level controls need to be addressed as well. The twist for SOX compliance is that not only do you have to have controls, you have to be able to demonstrate that you perform the controls. Reviewing the payroll register isn’t sufficient; documenting your review becomes just as important.

Time to start testing—assume the best but plan for the worst. First-time SOX testing typically has a high failure rate, unfortunately. Most everyone is learning the ropes and still operating under the entrepreneurial mentality of “Let’s get things done fast, and don’t worry about the paperwork.” People may be performing the controls that you have designed but failing to document what they did. For that payroll register review, if the sign-off is missing, it’s hard to demonstrate the review actually happened. On the other hand, some controls may be new, and they may not get done reliably at first; it may take a while for new habits to take hold. “Trust, but verify,” and “test early” will be your mantras, so you can find out who may need more training and which controls are not workable in your environment and need to be redesigned. Remediate and retest. As often as needed.

For more hints on making the transition to a compliant, well-oiled organization, check out our intelligence report on Ensuring a smooth ride as a newly public company.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

We often hear more about fraud at large companies because of the hefty price tags involved and the large number of investors who may be affected. But the sad fact is that when small businesses experience a fraudulent event, they may be hit much harder and have more difficulty absorbing the losses. Innocent employees may lose their jobs, personal investments may be lost, and creditors may be wary of helping out the victimized business in the future. And smaller companies are more likely to experience a fraud than large ones.

In the past two years, nearly 30 percent of reported organizational fraud cases occurred at companies with fewer than 100 employees, and 24 percent of cases occurred at companies with between 100 and 999 employees, according to the Association of Fraud Examiners (ACFE) 2014 Report to the Nations.

And from a loss-to-revenue standpoint, the impact hurts more. Organizations with fewer than 100 employees had a median loss of $154,000, while those with 100-999 employees had a median loss of $130,000. The victim organizations with over 10,000 employees made up just 20 percent of the reported cases, experiencing a median loss of $160,000. (Keep in mind that while all those median losses are at the six-figure level, one-fifth of all reported cases involved losses of over $1 million.)

The problem for many of these companies is they didn’t realize that fraud could be instigated by their most trusted employees.

A common thread
Smaller companies may underestimate their risk, thinking “it can’t happen to me.” And yet small organizations are disproportionately harmed by fraud losses, often due to employee misconduct, a lack of internal controls and a lack of segregation of duties.

And what kind of fraud is most prevalent? The fraud schemes most common in small businesses include corruption (33%), billing fraud (29%) and check tampering (22%). Embezzlement happens, particularly in organizations with inadequate controls or segregation of duties.

Awareness can reduce the risk
There are inexpensive and tangible actions that even the smallest of companies can take to reduce the risk of fraud:

  • Implement a code of conduct, and have employees acknowledge their compliance annually.
  • Perform supervisory or management reviews, particularly of complex, unusual or non-standard transactions.
  • Segregate duties that involve payments (e.g., adding vendors and employees to systems vs. paying them).
  • Separate cash handling, including bank deposits from bank reconciliation activities.
  • Hold employees accountable for the completeness and accuracy of financial statements (e.g., certification).
  • Provide a whistleblower hotline, keeping these points in mind:
    • While 68% of companies with over 100 employees have fraud hotlines, they are found only in 18% of companies with fewer than 100 employees, yet these simple tools reportedly reduced the median duration of fraud from 24 months to 12 months!
    • Posters improve hotline awareness within a company, and when the hotline can be accessed through the company extranet, customers and vendors have a vehicle to report potential fraud if necessary.
    • Educate employees on how best to raise flags and report suspicious activities.

The fact is that resource-strapped companies can prioritize activities that are proven to effectively reduce the risk and duration of frauds. For example, consider the feasibility of the following:

  • Fraud risk assessment: Identify your company’s fraud risks and brainstorm how a fraud might occur within company boundaries. If an insider wanted to do something inappropriate, would anyone take notice? Does the company have adequate controls to mitigate these potential risks? A formal fraud risk assessment tailored specifically to your company might be just what the doctor ordered and may help your organization avoid becoming the next victim.
  • Fraud training: Do employees know the warning signs of fraud? Teaching them the basics about fraud risks, red flags and the procedures for reporting suspicious activities may empower your team members to speak up or raise a concern.
  • Regular and surprise audits: Consider asking an internal auditor to conduct an occasional deeper dive audit in areas of potential risk. Should this include financial, cash handling processes, inventory or related party transactions?

It has been reported that companies lose 5% of their revenues to fraud. You don’t want your company to be the next one victimized or to be known for ineffective controls and management.

Alisanne Gilmore-Allen is a recent addition to the RoseRyan dream team. She is a Certified Fraud Examiner as well as a Certified Internal Auditor, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.

While large valuation acquisitions of entire companies (for example, Facebook acquiring WhatsApp for $19 billion) grab the headlines, the majority of the acquisitions are for just a division or segment of a business, and they have much smaller price tags and light media coverage.

Some of those deals are notable. Earlier this year, Nokia, which was once the dominant mobile handset maker in the world, sold its handset division to Microsoft for $7.5 billion. But most of them fall under the radar, justifiably. Each month in Silicon Valley, hundreds of high tech and biotech companies are making business and market decisions about when to sell off or close operations of a segment of their business. Reporting on these divested businesses is a time-consuming task that results in information that is often of little value to investors and can actually be confusing.

In response, the Financial Accounting Standards Board (FASB) recently updated guidance to strike a balance between the materiality of a discontinued operation and the details that companies need to provide about it. This revised standard (Accounting Standards Update No. 2014-08, Reporting Discontinued Operations and Disclosures of Disposals of Components of an Entity) is expected to result in fewer disposals being presented as discontinued operations. To qualify as a discontinued operation, a component or group of components must represent a “strategic shift” that has (or will have) a major effect on an entity’s operations and financial results. These can include the following:

  1. A major line of business
  2. A major geographical area
  3. A major equity method investment
  4. Other major parts of the entity

The guidance is to be applied prospectively to all new disposals of components and new classifications as held for sale beginning in 2015 for most entities, with early adoption allowed in 2014.

In the regular course of business, companies frequently evaluate how all their brands and segments align with their strategic plan. They may find some acquisitions that did not pan out, or segments or product lines that are being deemphasized or no longer fit with the strategy of the company. Closing or selling off such a division lets the company mitigate losses or accumulate additional capital that can be invested in its core businesses.

The same logic happens at your favorite neighborhood restaurant. Customers’ food preferences shift over time and items disappear off the menu when seasonal specials or improved offerings are available. Why keep an item on the menu that hardly anyone buys? Restaurant owners know they have to constantly improve operational efficiency and decrease their food costs associated with waste.

When companies in any industry give a contemplative eye to their own menu choices, so to speak, they may see how a paring down could lead to improved operations, lowered expenses, and greater efficiencies. The FASB’s new guidance uses the same definition for a component of an entity as before. That is, a component comprises operations and cash flows that can be clearly distinguished—operationally and for financial reporting purposes—from the rest of the entity. However, the new guidance requires that, in order to be reported as a discontinued operation, a disposal of a component represent a strategic shift that has or will have a major effect on an entity’s operations and financial results. This is a key distinction.

What this means is the new guidance provides a lighter financial-reporting burden when small divestitures occur. This is a rare “phew” moment for finance teams after seeing new accounting guidance. Another significant improvement in the new guidance is the timing of disclosure—just because a company has continuing involvement with a disposed component doesn’t mean it has to put off reporting it as a discontinued operation. This change could result in easier negotiations for the company that is in the process of divesting a piece of its business but has a need to assist in the transition (for example, if the acquiring company still needs a manufacturing facility for a period of time).

Of course, companies should be mindful that new disclosures are required for disposals that don’t meet the new definition of a discontinued operation if they are material. And companies still have to give thoughtful consideration to what the FASB means by “strategic shift.” Does the company’s board view the disposal as indicative of an overhaul? Would giving it the heave-ho signify a big change in the direction for the company and be something investors would really want to know about? Would the marketplace care? Those are some key questions to ask. While the answers are going to vary from company to company, how any one company interprets the guidance should be consistent and well documented.

With the new guidance, companies can properly manage their business by shedding previously acquired companies and fine-tuning their operations without the clutter of reporting these activities if they are not material to their operations.

Steve Jackson, a member of the RoseRyan dream team, has expertise in the areas of revenue recognition, SOX, systems implementation, budgeting, financial analysis, and process improvements, among others. He has worked at public accounting firms and corporate finance departments for over 30 years.

Talk about hype. There’s so much hoopla surrounding the decisions and details that go into the initial public offering and day of the offering itself. Just consider how much we all heard about Chinese e-commerce company Alibaba before its $25 billion IPO. But what about the day after, when the bankers and advisors have gone back to their offices and those hotly debated predictions about the first day of trading no longer matter?

That’s when the real work truly begins. The company has to keep that momentum of the IPO going and keep moving forward, moving on from the dotting of the I’s and crossing the T’s of the S-1 to carefully crafting the first rounds of quarterly and annual filings, proxy statements, the earnings releases, not to mention those first discussions with investors and analysts. These firsts will drive home the fact that the discussions have shifted, the tone has changed, and the scrutiny is heightened for the new public company.

In a new RoseRyan intelligence report, Ensuring a smooth ride as a newly public company, technical accounting guru Kelley Wall outlines six key finance areas these post-IPO businesses need to conquer. These are the spots that can get overlooked in the rush to go public, without as much thought put into actually being a public company. Here are those actions these businesses should be taking during this transitional time:

  • Gathering the right resources: The financial-reporting workload has multiplied and so have the coordination efforts that make it all possible. “Even companies that had a rock-star finance team as a privately-held company need to scale up for public life so they don’t go flying over the handlebars,” Wall writes.
  • Having disclosure committee members who understand their contribution to the process: Unfortunately, we have seen firsthand committee members who are unsure of their roles and have a focus that is too narrow. The effective ones know to ask about information they may not be seeing in regulatory filings. They don’t just take a check-the-box approach to their reviews of SEC filings.
  • Ridding the SEC filings of red flags: Internal reviewers may miss questionable spots that would catch the attention of the SEC staff, which often looks not just at 10-Qs and 10-Ks but what is getting said on the company website, in analyst presentations, earnings releases, and, in particular, non-GAAP figures.
  • Ensuring the tight financial-reporting schedule has minimum risks: A big change for public companies is the turnaround times for reporting, and in the move toward efficiency, problematic areas can creep up. With more eyes watching what the company is doing, cutting out key processes and oversight may create a big risk for a restatement.
  • Meeting investor and analyst expectations: This is often new territory for many newly public CFOs. Executives who are speaking to the public will need to be ever more careful and thoughtful in what they say, and care should also be taken to limit surprises to the Street.
  • Making sure the finance team has an eye on outside happenings: There’s always a mix of proposed rules and regs that could affect companies greatly if they go into effect. They can have accounting implications and could lead to restatements if companies are not prepared.

New public companies face a whole new world that is watching their every move. To minimize any missteps, you have to know what they are. Download Ensuring a smooth ride as a newly public company to learn more.

After more than a decade in the making, the FASB and the IASB finally issued new revenue recognition rules. Now if the boards needed that kind of a runway, how hard will it be for companies to implement? This is what management should be asking themselves.

But I get a sense that some are just in shock and aren’t asking the questions that need to get asked — maybe because they thought the guidance would never be issued or maybe because it’s just one more thing on the corporate plate right now. I get it. When anyone is in a state of shock, they tend to adopt a couple of go-to coping techniques — denial and procrastination. It’s been just over three months since the rules were issued, and I have been witness to those coping techniques as companies battle implementation shock. What’s developed is an accumulation of misconceptions, which we dispel below.

6 common misconceptions about the new rules

#1 The new rules don’t impact my business.
The new rules will apply to all entities that enter into contracts with customers, including long-term contracts and licenses. You cannot determine the impact until you truly evaluate each of your revenue models under the new guidance. Companies should also look ahead to how their business is growing and changing, and consider the new rules in connection with possible changes in their sales models between now and the adoption date. And, at the end of the day, even if your conclusion is “no impact,” you’ll also need to document your evaluation, vet it with your auditors, and update your financial statement disclosures and policy documentation so that they coincide with the new guidance.

#2 The implementation date is far away, so I can afford to wait.
While the standard is effective Q1 2017 for calendar-based public companies, the guidance does not allow for prospective adoption. You have some choices in terms of adoption methodology, but no matter what you decide you’ll still be looking back to 2016 and possibly 2015 if you choose full retrospective adoption…and 2015 is just around the corner. As a result, you will need to assess current contracts and those that commenced several years before the effective date. Then, when you begin to consider systems, processes, financial planning, investor communications, that date will no longer look so far off — especially when you know implementation duties will be in addition to your day job.

#3 Implementation of the new rules is just an accounting exercise.
So many people believe that it’s something that their accounting department will handle. Quite the contrary! Consider the following: debt covenants (treasury), sales incentives (HR), customer contracts (legal), investor communication (IR), systems (IT), and internal controls (internal audit). Companies big and small will need to think operationally where these rules are concerned. A successful implementation should be a collaborative effort across the organization.

#4 The standard only impacts the timing of revenue.
The fact is the new standard is comprehensive and changes the way we look at contracts with customers, the concept of delivery as well as many other aspects of the revenue process. For example, some of the collaboration revenue of life science companies may be excluded from the revenue guidance if the other party to the deal is not considered a “customer.” The new guidance also considers whether there is a financing component when an arrangement extends beyond one year. And any company opting for the modified retrospective adoption approach may have to record a cumulative effect of a change in accounting principle, which means it goes into the “black hole” of retained earnings, skipping the P&L, never to be seen again.

#5 My financial systems are savvy and can handle the rule changes.
With the complexity of contracts, there is no simple “flip-the-switch” scenario that can be employed. All types of revenue models will need to be evaluated. The new standard utilizes estimates and judgments, which can pose challenges in terms of automation. Companies may also want to look at additional reporting functionality to support their estimation process. And with all of this, internal control processes both in and around their system capabilities will need to be reviewed and updated.

#6 These changes always get delayed.
While some of us remember fondly the days when the internal controls part of SOX kept getting delayed, keep in mind that SOX was a U.S. compliance initiative. The new revenue rules, on the other hand, were developed in collaboration with the IASB in an effort to move closer to a single set of global accounting standards. The boards took great pains in developing the new standard and laying down the transition date so that reporting of revenue would be consistently applied on a global basis. So while companies may continue to lobby for postponement, this could result in nothing more than wishful thinking. Investors are going to want their companies to plan ahead — the “wait and see” approach will put delayers at high risk for financial misstatements and delayed filings.

In the face of a sweeping standard that could have extensive implications, it’s easy to understand why anyone would deploy coping strategies and try to look the other way. But as you can see from this list, there’s a lot to be done and only a certain amount of time to get it done right. The best approach is to tackle one step at a time. Start with assessing the impacts to your business — financial, operational and external. Then develop a plan. Knowing what needs to happen and how you can get there is certain to take you away from the depths of denial to a clear path to compliance.

Kelley Wall leads RoseRyan’s Technical Accounting Group, which provides technical accounting and SEC expertise to public and private companies on complex accounting matters and implementation of new accounting pronouncements.

So you just walked through the doors as the new CFO. You’ve already met the key players, you understand your role, and you have a pretty good understanding of the company. Only when you become part of the company can you get a real picture of what goes on in the finance organization.

While you have many responsibilities in front of you — which can include IT, facilities and possibly HR — your primary focus should be on the finance team and getting to know its inner workings. This is the team that is vital to the greater organization, and you need to understand its ins and outs.

Here’s how to get a grip on your new finance organization without wasting another minute. Ask this question: How long does the finance organization take to close the books? The answer reveals a lot.

Seems like a simple question, right? But there will be no simple answer, despite what the first person you come across tries to tell you. Most likely, after some digging, you will discover some issues related to the close process. A slow-to-close team will reflect poorly on your leadership if you don’t find a way to speed things up, but it’s also a key way for you to see where the skills deficiencies lie within your new team. They could be with just one person or a few, or there could be something that needs to be fixed — or significantly updated — within the systems and processes the organization has been using. The real answer to the question — based not only on what people tell you but what you can see for yourself — will go a long way toward letting you know exactly how strong a team you have, their ability to get things done and their level of commitment toward getting things done right.

Ask for details
Let’s say you have a five-day close, but your team is working 18-hour work days to get it done. That’s a clear warning sign something is amiss. Or you have a 20-day close, and you wonder what the heck everyone is doing all day. Under either scenario, you may discover inefficiencies related to process flow, duplication of effort or lack of skills. Just one person who doesn’t have the requisite training to execute a task can make the entire team suffer from this inefficiency, either because of the effects of dependency or because of errors that need to be fixed.

Your discovery of deficiencies should also have you looking down the path of technology. Are the current systems effective for the task? Do they help or hinder the team in getting the job done? Your team may be suffering with a system that is older than they are. Or your team may have the latest and greatest but still not know how to use it effectively one year after the go-live date.

Use your early days in the new job to interview the team members individually, to get to know them and the details behind how the books get closed. As you listen to others walking you through the process, you will likely hear inconsistencies and questions about who is responsible for what. Ask about when things have gone right and when they haven’t, and how issues get resolved. Who is monitoring these issues for resolution? Are the issues being resolved based on how critical they are to the organization? Someone needs to be accountable, and if it’s not you, then who should it be?

Beyond helming the finances, your role as CFO includes the staff’s morale and motivation. It’s not always top of mind, but when it’s done well, you will see the effects. If you can get the month-end close process down to a well-oiled, repeatable process, then you have created an environment where the day to day becomes smooth sailing and the adventure of growing the business can then be enjoyed by all finance employees as they become true business partners within the company.

Salena Oppus has been a member of the RoseRyan dream team for over 15 years. Her specialties are system planning and implementation, cost accounting and forecasting. 

Regulators are not requiring companies to follow the new COSO framework even though the 1992 version is being retired later this year. While we encourage companies to adopt the new internal control framework and most of them have begun the process, the lack of an explicit mandate still has some dragging their feet.

For now, the Securities and Exchange Commission staff have said they are keeping a close watch on which framework companies will be following. During this upcoming transitional year of reporting, they won’t be questioning companies that haven’t migrated to the new framework even after the old one is superseded as of December 15, 2014. As it is, the Committee of Sponsoring Organizations of the Treadway Commission has given organizations a fair amount of time to make the move before the preceding 20-year-old guidance is no longer available.

Still, some companies delayed starting their transition until after their 2013 10-K and 2014 first quarter 10-Q were filed. By the time fiscal year-end 2014 filings are submitted, not all public companies will have been able to say they follow the more modern framework, as COSO had hoped they would.

If you fall into that camp, it might be too late to make the transition for fiscal year 2014. Making the move is different for each company. If you’ve followed best practices for internal controls, you may only need to map your existing internal controls to the new framework. In that situation, your internal controls have been effective for the year and can be relied upon, and your transition is done. However, if you don’t fall into this category, there will be more time involved (how much time and what resources will be required depends on the current state of your internal controls). At this point, it also means that the new controls put in place for the new framework have not been effective for the first eight months of the year, and therefore, reliance on these controls will be in question.

We’re not trying to make you feel bad. Procrastination—for whatever reason—happens. What really matters is what you do now. While the ideal path would have been to make your COSO transition sooner rather than later, this could also be the time if you haven’t started at all to begin the evaluation of the new COSO framework for fiscal year 2015.

Where to begin
If you have read the new framework, you will have noticed that it has 17 new principles for internal control, and within each of those principles, there are specific points of focus. The points of focus do help with identifying controls within your organization. Most of these internal controls will exist in your entity level controls. Entity level controls address those controls that apply across the organization, and most of the new principles are aimed at those internal controls that reside at the organizational level.

If you haven’t reviewed the 17 new principles and their corresponding points of focus, you should really start to familiarize yourself with them. Whether a control only needs to be documented, an existing control needs improvement, or a new control needs to be added, any control you add or modify under the new framework must be in place and working before you can rely on it.

Based on the companies that have already mapped their entity level controls to the new framework, here’s what will likely happen. We have seen our clients experience a combination of three possible outcomes:

  1. They need to take credit for what they already do, as their latest evaluation shows the control is already in place but not currently identified as an internal control. This involves formalizing the control and documenting it.
  2. They work on improving a control that already exists in order to make sure it covers the points of focus within the framework.
  3. They add a new control. This is the one that requires more time. You will need to get agreement from the organization that the control needs to be added, confirm that the control is documented accurately and will be performed, and then be able to test early enough to allow time to remediate the control in case something goes wrong.

If your company has been following best practices in identifying internal controls within its entity level controls, then you will likely see the transition to the new framework follow items 1 and 2 above. This will take time for documentation, but the controls are already being performed and additional training will not be needed.

However, if you haven’t been following best practices for internal controls as closely as you could have been, then you might find yourself working with all three points above. Item 3 does entail additional time and training that could go beyond the finance department. The sooner you start this process, the sooner you will position yourself to be prepared to make the switch.

With all of this said, if you are choosing to not migrate to the new COSO framework now, you will at the very least have to document your reasoning as to why you think your internal controls are sufficient as is. In addition, you will have to make sure your external auditors are in agreement with your rationale. In my opinion, it would be prudent to keep in mind that at some point, the new COSO framework will be required. Nobody wants to be caught without the time, resources, or remediation runway when that requirement is made.

Tracy Thames has been a member of the RoseRyan dream team since 2008. She excels at SOX, internal audit, accounting management and project management.

It’s time to test your current events knowledge: Which major retailer acknowledged having to spend $88 million related to a mega data breach in its most recent 10-Q, with more costs expected?

Target immediately comes to mind, right? The persistence of the retailer’s troubles speaks to the far-reaching effect a cybersecurity attack can have on a company. That $88 million is just a drop in the bucket of expenses and problems Target continues to face following the exposure of its customer payment data over six months ago. The initial tally does not include the company’s anticipated claims for incremental fraud losses, nor does it include litigation costs for the more than 100 legal actions filed in various jurisdictions to date, or the reputational hit and the faltering loyalty of customers now worried about sharing their credit card information with their local store.

Every day there seems to be a new headline reporting another Internet security breach or data protection lapse – be it hacked credit card data, the Heartbleed Bug or well-crafted phishing scams luring victims to give up sensitive information. If there is an upside, it’s that such news may prompt other companies to do a full sweep of their internal processes and systems to minimize the probability of something like this happening to them.

But will they do a good job? Companies whose efforts go beyond the confines of their IT department are more likely to succeed in shrinking their risk. CFOs in particular should take responsibility for toughening up the organization’s cyber defenses if they haven’t already.

Regulators are demanding it: Three years after requiring companies to disclose cybersecurity risks and incidents that are specific to them – and to stay away from generic language – the Securities and Exchange Commission continues to focus attention on the topic. In fact, the SEC hosted a roundtable earlier this year to discuss the challenges cybersecurity poses to market participants and public companies, and how they’re being handled. Just a couple of months later, the SEC’s Office of the Investor Advocate announced that it would study how the SEC and other market participants are actually protecting investors from cybersecurity threats, which further puts pressure on the Commission to keep tabs on the risks.

On top of all this regulatory introspection is a call on auditors to pay more attention to how companies deal with the problem and what they say about it. The Center for Audit Quality recently issued an alert outlining independent auditors’ responsibilities related to cybersecurity risks. Such an alert may cause auditors to up their scrutiny of their clients’ forthrightness about their risks and what they disclose about them.

Data breaches at larger companies make the headlines, but smaller companies are not immune from this threat. In fact, smaller companies may be easier targets because they have fewer resources to deploy in preventing a breach. Think what a treasure trove a hacker could find on your servers — employee information, customer information, engineering design information, your financial information, etc.

What CFOs can do
CFOs can play a critical role in all of this, as the keeper and protector of their business’ sensitive information and internal controls. While your IT gurus, data protection officers and security and privacy experts are addressing “defense in depth” strategies to thwart would-be hackers, here’s what you should be doing.

  • Identify the crown jewels: No matter how good your firewall is, let’s assume that everything can be hacked. Hackers are looking for valuable information that isn’t adequately protected, so the first thing to think about is “what are your crown jewels?” This can include information such as engineering and design data, financial information, employee and HR information, and customer or client information. You want to make sure the full scope of your company’s sensitive data has extra security layers around it. And you’ll need to get input from all areas of your company for identifying your most sensitive information.
  • Control who has access to that valuable and vulnerable info: Now that you have identified what the critical data is, make sure you know where it resides. It is important to limit access to only the specific individuals who need it to perform their job duties. Do you have proper controls in place to ensure proper authorization is obtained before access is granted? Do you monitor access on an ongoing basis to make sure no unauthorized individuals have access to this data? Is your data backed up so that you are not vulnerable to ransom demands for stolen data? Depending on the size and complexity of your business, you may need to confer with your CIO on what measures are currently in place or you may need to bring in outside expertise.
  • Review third parties critically: You can’t outsource your responsibilities. When you use third parties to host, store or process your data, you need transparency in how they are protecting your data and complying with privacy laws. Don’t assume any third party has it all under control. Obtain and critically review SSAE16 reports (depending on the nature of the work being outsourced, you will want to review a SOC 1 report for internal controls over financial reporting or a SOC 2 report for data protection, security and privacy). You may want to reconsider using a company that refuses to share this information or that has questionable results.
  • Encrypt like crazy: Is all of your sensitive data encrypted? Not only is it important to encrypt data during transit, but it is also important to encrypt critical data at rest, meaning that information sitting on computer drives, laptops, flash drives and the like. Encryption won’t protect your data from being intercepted, but it can protect the contents from getting read.
  • Engage everyone in the effort: Do you have formal, companywide policies around data protection and security? Are they effectively communicated to employees (i.e., not just shared with new staff but distributed periodically)? Employees can unknowingly violate a carefully created data security effort by simply sending an unencrypted email that includes sensitive information. Ongoing training and education are key ways of ensuring that the procedures you have created to safeguard your data are correctly implemented.

If you consistently review and update your policies and systems, train your employees on those policies, and allocate sufficient resources to cybersecurity, you will have taken significant steps to reduce your risk. This should be an ongoing process, not a one-time reaction to a headline about a data breach. In this fast-moving era of hacks and viruses, a protective effort that occurs outside of IT needs to be a matter of course.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. Melette Evans, a RoseRyan senior IT guru, contributed to this blog post.

Get ready for scrutiny. One of the many challenges presented by the new revenue recognition rules is the need for companies to come up with an estimate of revenue for variable consideration instead of waiting until amounts are certain as they do under current GAAP. Determination of these estimates involves significant judgment.

If public companies recognize an estimated amount of revenue that subsequently turns out to be unjustifiably overstated, they won’t be dealing just with the problem of non-GAAP compliance. They will also face a decrease in credibility among financial analysts, possible restatement of their financials and the threat of shareholder lawsuits alleging fraud. To avoid such troubles, companies need to make their estimates as bullet-proof as possible and establish sound practices for documenting their basis for those estimates.

How to pull that off? Even though the new rules don’t go into effect until 2017, companies need to begin rethinking their revenue recognition process now to minimize their risk of off-track estimates. Yes, there’s a fair amount of work involved up-front, but there’s a payoff (hang on, we’ll explain).

The new five-step process
The new rules direct companies to apply a five-step process for analyzing contracts with customers and deciding when and how they should recognize revenue. Step 3 is “Determine transaction price,” which, for variable consideration, requires companies to estimate a transaction price as either the expected value of possible outcomes (a probability-weighted estimate) or as the “most likely amount” (from a range of possible outcomes). Here’s where the challenge comes in: However a company proceeds, the rules specify that the estimate must be an amount for which it is “probable that a significant reversal in the amount of cumulative revenue recognized will not occur when the uncertainty … is subsequently resolved.”

As an example, consider the difficulty of achieving that goal in a distributor model. Many technology businesses use distributors to sell and support their products across a broad customer base. To avoid overpaying for tech products amid short life cycles and constantly decreasing prices, distributors usually insist on having price protection in their agreements. That way, they can claim a price protection rebate from the manufacturer if they have to resell a product at a price below the initial, agreed-upon margin.

Under current GAAP, a company waits to recognize revenue until the price is “fixed and determinable.” A manufacturer recognizes revenue only when its distributor has sold the product to an end customer and requested its price protection, if needed, because that’s when the price is fixed and determinable. However, under the new rules, the manufacturer will often have to record a minimum amount of revenue at the time of shipment to the distributor, meaning it will have to estimate the impact of price protection it will have to grant.

Another example is found in licensing arrangements. Many such agreements include milestone payments that are contingent either upon performance of the licensor (a performance obligation under the new rules) or upon performance of the customer, such as when a drug-development customer achieves success in a critical trial (variable consideration that the licensor might receive after performance of its obligation for delivering the license but is only receivable if the customer achieves its goal). Under current GAAP, a company excludes contingent payments from the revenue allocated under a multiple-element arrangement and recognizes such contingent payments when the contingency is resolved. But with the new rules, when a milestone is considered probable, such payments become part of the transaction price and are allocated to performance obligations. This estimation and inclusion of contingent payments when they are considered probable — and not waiting until milestones are actually achieved — could result in earlier recognition of revenue if performance obligations have already been satisfied.

How to make good estimates
We’ve told you the “why,” now here’s the “how.” The following are principles for making estimates that will be defensible and limit the risk of a restatement.

Make estimating a team sport: Although it must lead the effort, finance should harness the expertise of other relevant functions within the company to make the best estimate. This means turning to sales and marketing personnel for their knowledge of customers, pricing and timing of sales milestones. The engineering team should weigh in on the readiness of a new product or confirm whether technical problems are causing returns or rework. The operations team will need to provide input on the probability of achieving performance milestones. Some companies will need to supplement this team of internal advisors with customer staff who are in direct touch with end customers (for example, this could be distributor personnel who manage the channel).

Use the best tools for the best results: Any company affected by the new rules will need robust systems to obtain up-to-the-minute volume and pricing information to prepare its estimates for financial close.

In the distributor example, large global distributors already have excellent systems that provide bookings, billings and backlog by customer and by part, in real time. Companies using smaller and regional distributors with less sophisticated systems may need to work with them to enhance information flow to the level they need. Online software tools from third parties that are specifically built to manage the manufacturer-distributor relationship can be very helpful as well.

In other industries, tools may not be in place to make estimates at all, or they may be focused on a specific step such as allocation of revenue to multiple elements in a software licensing arrangement at the start of the contract. For these circumstances, companies will need to develop tools to monitor contingent elements and determine their probability each reporting period.

Document and disclose: Companies should systematically document how they came up with each estimate — the process used, the historical information input, the personnel involved by function, the assumptions made and the risks mitigated. They should apply a consistent approach over time. If circumstances require a change in approach, then document the change and why it was required. All this information should be archived in such a way that it can be brought out any time to compare to actual figures and explain and justify differences to auditors, financial analysts and potentially the Securities and Exchange Commission.

The new rules require companies to disclose in notes to financial statements “sufficient information to enable users of financial statements to understand the nature, amount, timing and uncertainty of revenue,” along with existing requirements to provide disclosures about significant accounting policies and critical accounting estimates. Given the increase in estimates and judgments, companies should use these disclosures to provide information on the assumptions and risks inherent in their estimates. Taken together, the documentation and disclosures should reflect how the company made a competent good-faith effort to develop its estimate.

Watch what’s on the horizon: As part of their estimation process, companies need to identify current factors that differ from prior periods that may drive estimates away from prior trend lines. Broader economic and industry trends can overwhelm their prior revenue trajectory. The financial crisis of 2008 and the tech downturn of 2000 are examples of extreme events that had a tremendous impact on the revenue estimates of companies that had nothing to do with the downturns themselves. A rising tide can lift all boats, and a swift ebb tide can strand them all on the sand.

Technology companies need to focus in particular on the impact of newly introduced and end-of-life products. A strong new product ramp can drive volumes above the trend line and improve pricing. But it can also accelerate the decline of an older product. For both large external events and tech product changes, companies should be especially careful to state their assumptions about the events and the impact on their estimates, both in their documentation and financial statement disclosures.

The plus side of this additional work
Making good estimates to meet the new rev rec rules will require companies to apply more time and thought to their revenue recognition efforts. But there’s good news in here as well: Finance teams can use this challenge as an opportunity to better understand their business, customers and products, and communicate that understanding to investors. That’s the type of scrutiny we can all root for.

Ray Solari is a member of the RoseRyan dream team. He has served as the CFO/VP finance for private companies and managed SEC reporting for public companies. He began his career at Deloitte.

Economists like to debate about the level of economic growth that is driven by innovation. Some think that the days of rapid growth in the U.S. economy are over and any new inventions won’t make up for the slowdown in growth. Others think that innovation and new ideas are still taking off and will fuel lots of economic growth. I’m not an economist, but the one thing I know for certain is that Northern California has a group of CEOs who aren’t waiting around to find out. They are leading their companies in developing new technologies and new and better ways of operating their businesses, all while building high performance teams.

I met them firsthand during the recent 28th EY Entrepreneur of the Year™ Awards gala for Northern California at the Fairmont Hotel in San Jose. The theme for this event, for which RoseRyan proudly served as a sponsor, was “honoring the best of the best,” and it was successful at that. There were 27 finalists out of an original group of over 110 CEOs. Of the finalists, the regional award winners were chosen from nine categories ranging from software and technology to life sciences and digital advertising. There was a very good mix of entrepreneurs from all different kinds of backgrounds and experiences.

This was one of 25 programs in U.S. cities and in 61 countries around the world; the overall national winner will be announced later this year. There were over 14,000 individuals involved in this global endeavor. Some were from established companies, some from startups, and others from large companies. For our area, here are the winners announced at the gala (for quick videos about each company, go to EY’s website):

  • Technology: David Gorodyansky, CEO, AnchorFree
  • Services: Fedele Bauccio, co-founder and CEO, Bon Appétit Management Co.
  • Emerging: Marcin Kleczynski, CEO, Malwarebytes
  • Life Sciences: David Hung, founder, president and CEO, Medivation
  • Software: Vladimir Shmunis, CEO and founder, RingCentral
  • Digital Advertising: George John, CEO and co-founder, and Richard Frankel, president and co-founder, Rocket Fuel
  • Large Companies: Amir Dan Rubin, president and CEO, Stanford Hospital & Clinics
  • Internet: Pete Flint, CEO and founder, Trulia
  • Real Estate and Finance: Doug Brien, co-founder, and Colin Wiel, co-founder, Waypoint Homes

A theme that I heard repeatedly during this year’s program and in the past is that innovation doesn’t just involve the CEO or founder, but rather it is a bottom-up process involving many people at all levels of the organization. Those honored at the EY event recognized that truth; the first people many of them thanked in their acceptance speeches were their employees. Those who will go far know they need to develop a team of key people who believe in what they are trying to accomplish. “The best advice I ever got from anybody is … get the wrong people off the bus as quickly as possible and get the right people on the bus,” said Kleczynski in a video about Malwarebytes, an anti-malware software provider. “They will get you going; they will get you where you need to go.”

With the help of the right people, entrepreneurs look for ways to disrupt and change industries, and that is what drives them. AnchorFree, for instance, aims to give everyone across the globe freedom when using the Internet and privacy protection when doing so. In his video, Gorodyansky said the company faced “headwinds” in its goals “but also knew in our hearts that we’re doing the right thing.”

Certainly, younger companies have more freedom to get changes made quickly. This is particularly true of the private companies involved in this program (over 80 percent of all award winners are privately held). Studies have shown that what really makes the finalists different is their independence, freedom and flexibility. The overarching value they all share is outstanding leadership plus a willingness to try new things. Once a quarter, Trulia lets its engineers pursue any idea they have in mind, without the red tape that oftentimes keeps more established companies from realizing innovation. “It’s an incredible way for us to create an environment where creativity, where ownership is part of the culture,” according to Flint of the real-estate listing site. “So, new employees can come in, they can build a product they’re passionate about, solve the problem they want to solve, and release it to the public soon after.”

Indeed, their nimbleness and openness to ideas are continuing to make entrepreneurs the job engine of our economy, and all indications are that this will continue for the foreseeable future.

We can all learn from their stories, particularly in my industry. The world of finance and accounting consulting has been constantly changing over the past 10 to 20 years. Innovation in the way companies approach the market, deal with clients and look for talent is critical to success. Evolution in our business is oftentimes driven by regulatory changes and new ways of interpreting rules and principles. A firm that doesn’t embrace change and work with it will be left behind. The firms with strong visionary leadership are the ones that are leading the industry and staying ahead of the curve.

Stan Fels is a director at RoseRyan, who joined the finance and accounting firm in 2006. In addition to helping the finance dream team keep their skills sharp and stay true to RoseRyan’s proven processes, he matches gurus to clients in the high tech and life sciences sectors.