Appendix D — Internal Control Over Financial Reporting | DART

...

Appendix D — Internal Control Over Financial Reporting

D.1 Examples of Risks and Internal Control Considerations Related to the Adoption and Ongoing Accounting Under ASC 842

The table below lists risks and internal control considerations related to the adoption of ASC 842 and the ongoing accounting under ASC 842 (the risks and considerations apply to both lessees and lessors, unless otherwise specified).


Adoption period	All leases are not identified, in accordance with company policies. Accounting conclusions are inaccurate or incomplete. The recording of journal entries related to the adoption of ASC 842 is inaccurate or incomplete. IT logic for reports and journal entries is inaccurate.	Internal controls related to: Documenting and reviewing revised accounting policies. Identifying the complete population of contracts to evaluate. Identifying all lease contracts or arrangements in accordance with company policies. Documenting and reviewing accounting conclusions. Reviewing the application of the modified retrospective transition approach. Evaluating whether the information used to record ASC 842 adoption adjustments to the financial statements is accurate and complete. Identifying, developing, and implementing new system requirements, including IT logic of reports.
Capturing leases	All leases are not captured appropriately in accordance with company policies. Contracts are captured as leases when they do not meet the new requirements of a lease.	Internal controls related to: Determining whether a contract or arrangement meets the new requirements of a lease. Reassessing existing lease contracts to determine whether such arrangements meet the new requirements of a lease. Identifying, and allocating consideration in the contract to, the lease and nonlease components in a contract or arrangement.
Calculating leases	Lease assets/liabilities are not calculated appropriately. Lease income/expense is not calculated appropriately.	Internal controls related to: Ensuring that the lease term (including whether events have occurred that require reassessment for the lessee) is properly identified in the arrangement. Determining that the lease payments in the lease arrangement include all relevant components (i.e., fixed payments, variable payments that depend on an index or rate, residual value guarantees, and payments related to purchase or termination options). Determining appropriate lease classification. Determining the appropriate discount rate.
Accounting for leases	Lease assets/liabilities are not appropriately accounted for. Lease income/expense is not appropriately accounted for.	Internal controls related to: Initial measurement: The recording of the ROU assets and related lease obligations on the balance sheet (lessee). The recording of the lease investment and profit, when applicable, in the financial statements (lessor). Subsequent measurement: The recording of subsequent adjustments (both balance sheet and profit and loss) to the financial statements on the basis of the lease classification. Evaluating the ROU asset for impairment in accordance with ASC 360 (lessee). Evaluating the lease investment for impairment in accordance with ASC 310 or ASC 326 (lessor). Other considerations: Determining whether lease modifications or changes to lease terms have been identified, evaluated, and accounted for. Evaluating whether sale-and-leaseback transactions, related-party leases, sublease transactions, and build-to-suit arrangements have been appropriately identified, evaluated, and accounted for.
Presentation and disclosure for leases	Lease assets/liabilities are not presented appropriately. Lease income/expense is not presented appropriately. The statement of cash flows is not presented appropriately on the basis of the lease classification. Footnote disclosures are not accurate, complete, or understandable.	Internal controls related to: Evaluating presentation of lease assets/liabilities and income/expense, on the basis of the lease classification, in accordance with ASC 842. Reviewing the accuracy and completeness of lease disclosures, including related-party leases. Reviewing the disclosures for significant assumptions and judgments.

D.2 Applying the COSO Principles to ASC 842

The 2013 COSO framework contains 17 principles that explain the concepts associated with the five components of internal control (i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities). The components are related to all aspects of an organization’s objectives, which typically fall into three categories — operations, reporting, and compliance. These objectives, as well as the components, are also related to an entity’s structure. COSO uses the following cube to depict the relationship between objectives, components, and an entity’s structure:

In assessing the design of effective internal control with respect to ASC 842, a company may consider its objectives in terms of internal and external reporting and, on the basis of those objectives, may take into account the five components of internal control and the 17 principles within the components. The chart below summarizes the 17 principles and provides examples of how a company would apply them in the context of applying the guidance in ASC 842.


Control environment	1. Demonstrates commitment to integrity and ethical values. 2. Board of directors exercises oversight responsibilities. 3. Establishes structure, authority, and responsibility. 4. Demonstrates commitment to competency. 5. Enforces accountability.	Principle 1 Demonstrate appropriate tone at the top regarding the importance of the application of the requirements in ASC 842 (e.g., through communications, dedication of resources, oversight). Incorporate the application of the requirements in ASC 842 into expectations of standards of conduct (e.g., expectations regarding responsible conduct and developing sound judgments). Principle 2 The board of directors exercises appropriate oversight over: The application of the requirements in ASC 842 (including appropriate disclosures and financial reporting). The assessment of risks resulting from ASC 842 and related development and implementation of internal controls to address the risks. Principle 3 Evaluate and update lines of reporting and responsibilities. Principle 4 Assess, identify, and monitor competencies required by ASC 842. Take steps to address any identified shortcomings. Adjust training, retention, and recruiting programs as necessary. Appropriately train key personnel and control performers to ensure competence in the organization. If using an outsourced service provider, determine whether (1) controls are in place to evaluate the provider’s competence and objectivity and (2) management has sufficient understanding to perform effective oversight and review of the work performed by the provider. Principle 5 Hold individuals accountable for their roles related to the application of the requirements in ASC 842. Design accountability for individuals responsible for internal controls related to ASC 842.
Risk assessment	6. Specifies suitable objectives. 7. Identifies and analyzes risk. 8. Assesses fraud risk. 9. Identifies and analyzes significant change.	Principle 6 Identify objectives associated with the application of the requirements in ASC 842 to enable identification of risks related to the objectives. Principle 7 Identify and document risks associated with the application of the requirements in ASC 842 (including those associated with changes to the controls related to ASC 842 and the IT environment), and reconsider the risks throughout when applying the requirements in ASC 842. Principle 8 Consider fraud risks related to the application of the requirements in ASC 842 (e.g., considering the potential for fraud schemes associated with applying the guidance). Principle 9 Complete the assessment of ASC 842 on an ongoing basis as well as its impact on the company, including on internal control, data and system requirements, disclosures, and reporting.
Control activities	10. Selects and develops control activities. 11. Selects and develops general controls over technology. 12. Deploys through policies and procedures.	Principle 10 Evaluate the internal controls that may be affected by the application of the requirements in ASC 842 and continually evaluate the internal controls to address risks associated with ASC 842. Principle 11 Consider impacts on general controls over technology and modify as appropriate. Principle 12 Monitor and revise, as needed, policies and procedures to address risks and internal controls related to ASC 842 and establish responsibility and accountability for executing the policies and procedures.
Information and communication	13. Uses relevant, quality information. 14. Communicates internally. 15. Communicates externally.	Principle 13 Identify and maintain information requirements, modify systems, update reports, and modify controls to produce relevant, quality information to support the functioning of internal controls. Principle 14 Develop and maintain communication methods to ensure that required information (including accounting and operational changes) is communicated to all personnel so that they can understand and carry out their internal-control-related responsibilities. Provide updates as necessary. Ensure that the board of directors and audit committee have information they need to perform their oversight responsibilities. Principle 15 Ensure that processes are in place for communicating relevant and timely information regarding internal controls to external parties as appropriate (including through required external disclosures regarding changes in controls and quantitative and qualitative impacts of adoption).
Monitoring activities	16. Conducts ongoing and/or separate evaluations. 17. Evaluates and communicates deficiencies.	Principle 16 Continue monitoring plans for ongoing and/or separate evaluations of internal controls related to ASC 842 (e.g., companies should ensure that there are processes in place that allow for the monitoring of controls related to the application of the guidance in ASC 842). Principle 17 Take corrective actions, including revising the risk assessment and redesigning internal controls, when gaps or deficiencies in controls are identified as part of the control monitoring process.

Confidential and Proprietary — for Use Solely by Authorized Personnel

This publication provides comprehensive guidance; however, it does not address all possible fact patterns, and the guidance is subject to change. Consult a Deloitte & Touche LLP professional regarding your specific issues and questions.