It’s been almost one year since Jay Clayton was appointed as the new Chairman of the U.S. Securities and Exchange Commission (SEC), the organization created to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. Of the many initiatives assigned to Clayton, his priorities include modernization and streamlining of disclosures, cybersecurity, and vigorous enforcement through its Public Company Accounting Oversight Board (PCAOB).
I thought it was a good time to discuss the PCAOB enforcement and disclosure effectiveness relative to implementations of upcoming accounting pronouncements, given the extensive disclosure requirements going into effect in the coming year.
The truth is that it can be difficult to place preventative measures in the rapidly changing atmosphere within a public company’s control and governance environment. The PCAOB has instituted stringent requirements on the control environments of public companies over the past five to 10 years at a somewhat speedy pace.
I would be remiss to believe this trend has come to an end given the consistency with which they have been previously released. Additionally, with changes in accounting pronouncements including Revenue Recognition (ASC 606) and Leases (ASC 842), we are more likely to see higher enforcement and new requirements—all while our resources and bandwidth potentially decrease.
The most recent, or potentially the most prominent, of these has been the Internal Controls over Financial Reporting (ICFR).
Based on my past experience as a practitioner and now my current position as a solutions provider, I have a unique perspective of Financial Reporting and Internal Controls that I feel compelled to share. I want to highlight some of the issues and upcoming challenges within the context of ICFR and disclosure effectiveness and how to stay ahead of them. I want to also provide some thoughts on how they can be addressed in the context of ASC 606, although they can be similarly applied to ASC 842 or any accounting pronouncement for that matter. Please take a look at the 3 Ways to Stay Ahead of ICFR Challenges below.
1. Focus your ICFR in the right areas.
Revenue Recognition is historically known to be one of the most common areas to trigger a material weakness. Therefore, I think practitioners would agree that it is difficult to think of a more important area to apply ICFR in the upcoming year. The PCAOB’s considerations for ICFR, when applied to ASC 606, may expose weaknesses in the control environment that were previously unknown given their novelty. For example, implementing new controls involving other areas of the business (e.g. contract management) makes way for a higher potential for miscommunication than before. Hence, clarity around controls is of utmost importance at this point. By the same token, you can reduce your exposure by taking preventative measures and prioritizing certain components over others, some of which the PCAOB has provided a “heads up” on.
2. Get ahead of existing PCAOB requirements.
It is critical to invite conversations with your auditors to discuss appropriate Revenue Recognition controls in this space and get their “buy-in.” These conversations should be periodic and consistent, with a focus on “moving the needle forward.” In the meantime, it is important not to be bogged down by any gaps or previous issues in other recent PCAOB considerations such as Management Review Controls (MRC) and Information Produced by Entity (IPE). Get them to be airtight in the revenue recognition area, spending additional time upfront, so you can free up valuable time later to address more critical concerns. In the case of MRC, it is important to have well-documented processes and procedures with a clear distinction between roles and responsibilities. Additionally, consider the risk of Information Technology (IT) and related IT General Controls (ITGC). There will be higher scrutiny on access as well as change management controls in ITGC within the data utilized to build calculations around ASC 606. The tighter your controls are around how this data is produced and validated, the easier your audit will be. Given the potential new sources and processes to produce this data, greater scrutiny can be expected.
3. Ensure your SAB 74 Disclosures are consistent with your ICFR.
The SEC directly reviews disclosures of public companies and issues comment letters to clarify them, while its PCAOB division directly addresses ICFR through ongoing inspections of auditors and their audits. The catch is that auditors review both ICFR and disclosure controls, creating a double-edged sword. So, a sharp audit professional can always sense gaps between disclosure controls and ICFR, especially when it comes to implementation of new pronouncements. Disclosure controls apply to some areas within the SEC filings, such as the Management Discussion and Analysis (MD&A), while ICFR applies to the financial statements and footnotes. Of course, both of these should be consistent for the purpose of SEC disclosure reviews. For example, a recent trend has been inconsistency between GAAP and non-GAAP disclosures in different sections of filings.
ASC 606 generally needs to be adopted by public companies for the annual reporting period ending in 2018. However, SAB (SEC Staff Accounting Bulletin) 74 requires transition period disclosures that will start in the first quarter of 2018 for these companies. Companies will have the whole next year to address and refine pre-adoption controls. At this point, major inconsistencies between interim disclosures and year-end annual disclosures should not be expected, as that would represent a major inconsistency in ICFR. In other words, the clock is now ticking.
As noted above, there are various ICFR considerations that need to be addressed during implementation. However, the disclosure-related ones will likely receive the most exposure and scrutiny by management and leadership, due to their external exposure. There are a few critical considerations that should rise to priority such as the competence of individuals preparing disclosures, data quality of the disclosures, especially estimates, and monitoring of these controls. The monitoring controls are of particular importance since they represent an ongoing effort by the company rather than effort to date. Additionally, these represent additional parties involved in the review process, such as Internal Audit, the Audit Committee and the disclosure committee. It is crucial that these individuals are involved in every quarter until the end of the upcoming year, if they are not already.