Appendix E — Internal Control Over Financial Reporting | DART

...

Appendix E — Internal Control Over Financial Reporting

E.1 Preadoption Disclosure Controls

SEC registrants should be aware that the SEC has been emphasizing the importance of transition-period disclosures (or preadoption disclosures) in accordance with SAB 74.1 These disclosures should be both qualitative and quantitative and should be included in MD&A (subject to disclosure controls and procedures) and the footnotes to the financial statements (subject to ICFR). The SEC staff has also made clear its expectation that the preadoption disclosures should become more robust and quantitative as ASU 2016-02’s effective date approaches.

In light of the SEC’s guidance and recent comments from the SEC staff, such disclosures should address the impact ASU 2016-02 and other related ASUs (collectively referred to as “ASC 842” herein) are expected to have on the financial statements and should include:

A comparison of the company’s current accounting policies with the expected accounting under ASC 842.
The status of the implementation process.
The nature of any significant implementation matters that have not yet been addressed.

A company that is able to reasonably estimate the quantitative impact of ASC 842 should also disclose those amounts.

Internal controls over these preadoption disclosures are important to management’s ability to address the risks that the disclosures are inaccurate or incomplete. Management should first identify whether appropriate internal controls exist for the disclosures (e.g., controls over infrequent processes) and then specify the information and analysis used to support those controls. In some cases, management may need to revise existing controls or implement new controls. Next, management needs to evaluate the design and test the operating effectiveness of the relevant controls given that they should be included within the scope of management’s report on ICFR in the year before the adoption of ASC 842, as applicable.

When assessing whether appropriate internal controls exist with respect to the preadoption disclosures, management may consider whether procedures are in place to evaluate:

Competence — The preadoption disclosures are prepared by competent individuals with knowledge of ASC 842 and potential impacts on the company.
Compliance — The disclosures meet the SEC’s requirements and guidelines.
Data quality — The quantitative disclosures (if known and estimated) are calculated on the basis of reliable inputs that are subject to appropriate internal control.
Review — The disclosures are reviewed by appropriate levels of management.
Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately reviews the internal controls in accordance with company protocols.

E.2 Internal Control Considerations Related to the Adoption of ASC 842

E.2.1 Internal Controls Over Adoption

There are often unique circumstances and considerations associated with the adoption of a new accounting standard that can pose a greater risk of material misstatement to the financial statements. Thus, companies should consider the circumstances that may only be present during the adoption period and evaluate whether there are any unique risks for which an entity needs to design controls over infrequent processes that may operate exclusively during the adoption period. Management should also consider the internal controls, documentation, and evidence it needs to support:

Entity-level controls such as the control environment and general “tone at the top.”
Identification of a complete population of lease agreements or contracts in accordance with company policies.
Accounting conclusions reached (e.g., preparing accounting white papers or internal memos memorializing management’s considerations and conclusions).
Information used to support accounting conclusions, new estimates, adjustments to the financial statements, and disclosure requirements.
Identification and implementation of changes to relevant IT systems.
The modified retrospective transition approach.
The accounting logic used and journal entries (including the transition adjustments) that record the adoption’s impact.
Any practical expedients applied and related disclosures.
Changes to the monthly, quarterly, or annual close process and related reporting requirements (e.g., internal reporting, disclosure controls and procedures).

E.2.2 Lease-Related Risks, Internal Controls, and Documentation

It is possible that, as a result of ASC 842, new financial reporting risks will emerge, including new or modified fraud risks, and that new processes and internal controls will be required. Companies will therefore need to consider these new risks and how to change or modify internal controls to address the new risks.

Management will need to make significant assumptions and judgments because of the requirements under ASC 842. For example, since almost all leases will be recognized in the statement of financial position, management will need to use significant judgment in evaluating matters such as whether an arrangement is or contains a lease and in assessing a lease’s term, which would affect whether the lease qualifies for the short-term exemption. It is critical for management to (1) evaluate the risks of material misstatement associated with these significant judgments, (2) design and implement controls to address those risks, and (3) maintain documentation that supports the assumptions and judgments that underpin its estimates.

See Section E.4 for a table summarizing sample risks and controls that may help entities consider how ASC 842 will affect them.

E.2.3 Significant Changes in Information and Related Data-Quality Needs

Companies will need to gather and track new information to comply with ASC 842, including the related disclosure requirements. Management should consider whether appropriate controls are in place to support (1) any necessary IT changes (including change management controls and, once the IT changes have been implemented, the evaluation of their design and testing of their operating effectiveness) and (2) the completeness and accuracy of the information used by the entity in recognizing lease assets and liabilities and the related income and expense and providing the required disclosures. The table below illustrates some potential challenges and examples of practices related to internal control.

Potential Challenge	Example of Internal Control Practice
Information requirements have not been updated to support the reporting (e.g., interim and annual requirements, including those related to disclosures) required under ASC 842.	Management establishes data governance, policies, and standards for identifying and resolving data gaps and implements processes to verify the quality of information needed for implementation of ASC 842.
Control expectations have not been considered for new information required under ASC 842.	The lease implementation team meets periodically with the ICFR or SOX team (and control owners as appropriate) to share relevant information about the adoption of ASC 842 so that the ICFR or SOX team can prepare and plan accordingly.
Legacy internal controls over source data, report logic, or parameters have not been reconsidered.	Management takes steps to update and review the appropriate flowcharts, data flow diagrams, process narratives, procedure manuals, and control procedures to reflect the new processes as a result of ASC 842 and to support management’s ICFR assessment.

E.3 Evaluating Material Changes in Internal Control2

SEC registrants are required to disclose any material changes3 (including improvements) in their ICFR in each quarterly and annual report in accordance with SEC Regulation S-K, Item 308(c). SEC guidance explains that materiality is determined on the basis of the impact on ICFR and the materiality standard articulated in TSC Industries Inc. v. Northway Inc.4 (i.e., that “an omitted fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote”).

As discussed previously, when a company adopts ASC 842, management will probably need to implement new controls or modify existing ones to address new or modified risks of material misstatement. Disclosure requirements will also be triggered by the adoption of a new accounting standard if such changes in internal control are material. In addition, management should consider whether there are appropriate controls for identifying and disclosing material changes in ICFR.

For example, management may consider whether there are controls related to the following:

Compliance — Processes are in place to identify and evaluate material changes in internal control. Further, protocols exist for developing appropriate disclosures and reporting such information to appropriate levels of management (e.g., those signing the quarterly and annual certifications required under SEC Regulation S-K, Item 601(b)(31)).
Review — The disclosures are reviewed by appropriate levels of management (including, as warranted, those signing the quarterly and annual certifications).
Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately considers the state of the entity’s ICFR to identify changes and monitor controls in accordance with company protocols.

In developing the required disclosures, companies should clearly state whether a material change has occurred and, if so, describe the nature of the change. The SEC staff has commented when a registrant has not explicitly asserted whether there has been a change in ICFR in the most recent fiscal quarter that could have a material effect on its ICFR. The staff has further stressed that registrants should avoid “boilerplate” disclosure in which they state that there have been no material changes affecting ICFR in a period, particularly when there have been identifiable events such as changes in accounting policies. For examples of appropriate disclosures to provide in such circumstances, see Section E.6.

E.4 Examples of Risks and Internal Control Considerations Related to the Adoption and Ongoing Accounting

The table5 below lists risks and internal control considerations related to the adoption of ASC 842 and the ongoing accounting under ASC 842 (the risks and considerations apply to both lessees and lessors, unless otherwise specified).


Adoption period	All leases are not identified, in accordance with company policies. Accounting conclusions are inaccurate or incomplete. The recording of journal entries related to the adoption of ASC 842 is inaccurate or incomplete. IT logic for reports and journal entries is inaccurate.	Internal controls related to: Documenting and reviewing revised accounting policies. Identifying the complete population of contracts to evaluate. Identifying all lease contracts or arrangements in accordance with company policies. Documenting and reviewing accounting conclusions. Reviewing the application of the modified retrospective transition approach. Evaluating whether the information used to record ASC 842 adoption adjustments to the financial statements is accurate and complete. Identifying, developing, and implementing new system requirements, including IT logic of reports.
Capturing leases	All leases are not captured appropriately in accordance with company policies. Contracts are captured as leases when they do not meet the new requirements of a lease.	Internal controls related to: Determining whether a contract or arrangement meets the new requirements of a lease. Reassessing existing lease contracts to determine whether such arrangements meet the new requirements of a lease.6 Identifying, and allocating consideration in the contract to, the lease and nonlease components in a contract or arrangement.
Calculating leases	Lease assets/liabilities are not calculated appropriately. Lease income/expense is not calculated appropriately.	Internal controls related to: Ensuring that the lease term (including whether events have occurred that require reassessment for the lessee) is properly identified in the arrangement. Determining that the lease payments in the lease arrangement include all relevant components (i.e., fixed payments, variable payments that depend on an index or rate, residual value guarantees, and payments related to purchase or termination options). Determining appropriate lease classification. Determining the appropriate discount rate.
Accounting for leases	Lease assets/liabilities are not appropriately accounted for. Lease income/expense is not appropriately accounted for.	Internal controls related to: Initial measurement: The recording of the ROU assets and related lease obligations on the balance sheet (lessee). The recording of the lease investment and profit, when applicable, in the financial statements (lessor). Subsequent measurement: The recording of subsequent adjustments (both balance sheet and profit and loss) to the financial statements on the basis of the lease classification. Evaluating the ROU asset for impairment in accordance with ASC 360 (lessee). Evaluating the lease investment for impairment in accordance with ASC 310 or ASC 326 (lessor). Other considerations: Determining whether lease modifications or changes to lease terms have been identified, evaluated, and accounted for. Evaluating whether sale-and-leaseback transactions, related-party leases, sublease transactions, and build-to-suit arrangements have been appropriately identified, evaluated, and accounted for.
Presentation and disclosure for leases	Lease assets/liabilities are not presented appropriately. Lease income/expense is not presented appropriately. The statement of cash flows is not presented appropriately on the basis of the lease classification. Footnote disclosures are not accurate, complete, or understandable.	Internal controls related to: Evaluating presentation of lease assets/liabilities and income/expense, on the basis of the lease classification, in accordance with ASC 842. Reviewing the accuracy and completeness of lease disclosures, including related-party leases. Reviewing the disclosures for significant assumptions and judgments.

E.5 Applying the COSO Principles to Adoption

The 2013 COSO framework contains 17 principles that explain the concepts associated with the five components of internal control (i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities). The components are related to all aspects of an organization’s objectives, which typically fall into three categories — operations, reporting, and compliance. These objectives, as well as the components, are also related to an entity’s structure. COSO uses the following cube to depict the relationship between objectives, components, and an entity’s structure:

In assessing the design of effective internal control with respect to ASC 842, a company may consider its objectives in terms of internal and external reporting and, on the basis of those objectives, may take into account the five components of internal control and the 17 principles within the components. The chart below summarizes the 17 principles and provides examples of how a company would apply them when implementing and adopting ASC 842.


Control environment	1. Demonstrates commitment to integrity and ethical values. 2. Board of directors exercises oversight responsibilities. 3. Establishes structure, authority, and responsibility. 4. Demonstrates commitment to competency. 5. Enforces accountability.	Principle 1 Demonstrate appropriate tone at the top regarding the importance of the adoption and implementation of ASC 842 (e.g., through communications, dedication of resources, oversight). Incorporate the adoption of ASC 842 into expectations of standards of conduct (e.g., expectations regarding responsible conduct and developing sound judgments). Principle 2 The board of directors exercises appropriate oversight over: The adoption of ASC 842 (including appropriate disclosures and financial reporting). The assessment of risks resulting from ASC 842 and related development and implementation of internal controls to address the risks. Principle 3 Evaluate and update lines of reporting and responsibilities. Principle 4 Assess, identify, and monitor competencies required by ASC 842. Take steps to address any identified shortcomings. Adjust training, retention, and recruiting programs as necessary. Appropriately train key personnel and control performers to ensure competence in the organization. If using an outsourced service provider, determine whether (1) controls are in place to evaluate the provider’s competence and objectivity and (2) management has sufficient understanding to perform effective oversight and review of the work performed by the provider. Principle 5 Hold individuals accountable for their roles related to the adoption of ASC 842. Design accountability for individuals responsible for internal controls related to ASC 842.
Risk assessment	6. Specifies suitable objectives. 7. Identifies and analyzes risk. 8. Assesses fraud risk. 9. Identifies and analyzes significant change.	Principle 6 Identify objectives associated with the adoption of ASC 842 to enable identification of risks related to the objectives. Principle 7 Identify and document risks associated with the adoption of ASC 842 (including those associated with IT changes and the modified retrospective transition method), and reconsider the risks throughout the adoption process. Principle 8 Consider fraud risks related to the adoption of ASC 842 (e.g., considering the potential for new fraud schemes, particularly given changes in accounting, controls, and IT). Principle 9 Complete the assessment of ASC 842 and its impact on the company, including on internal control, data and system requirements, disclosures, and reporting.
Control activities	10. Selects and develops control activities. 11. Selects and develops general controls over technology. 12. Deploys through policies and procedures.	Principle 10 Evaluate the internal controls affected by the adoption of ASC 842 and identify new internal controls to address new risks associated with ASC 842. Principle 11 Consider impacts on general controls over technology and modify as appropriate. Principle 12 Revise policies and procedures to address risks and internal controls related to ASC 842 and establish responsibility and accountability for executing the policies and procedures.
Information and communication	13. Uses relevant, quality information. 14. Communicates internally. 15. Communicates externally.	Principle 13 Identify new information requirements, modify systems, update reports, and modify controls to produce relevant, quality information to support the functioning of internal controls. Principle 14 Develop communication methods to ensure that required information (including accounting and operational changes) is communicated to all personnel so that they can understand and carry out their internal-control-related responsibilities. Provide updates as necessary. Ensure that the board of directors and audit committee have information they need to perform their oversight responsibilities. Principle 15 Ensure that processes are in place for communicating relevant and timely information regarding internal controls to external parties as appropriate (including through required external disclosures regarding changes in controls and quantitative and qualitative impacts of adoption).
Monitoring activities	16. Conducts ongoing and/or separate evaluations. 17. Evaluates and communicates deficiencies.	Principle 16 Implement plans for ongoing and/or separate evaluations of internal controls related to ASC 842 (e.g., companies may consider evaluating new controls before ASC 842’s effective date or performing a test close). Principle 17 Take corrective actions, including revising the risk assessment and redesigning internal controls, when gaps or deficiencies in controls are identified during the adoption process.

E.6 Illustrative Disclosures — Material Change in Internal Control7

Example E-1

Several Quarters Before Adoption

During the quarter ended June 30, 20XX, we implemented new controls as part of our efforts to adopt ASU 2016-02. Those efforts resulted in changes to our accounting processes and procedures. In particular, we implemented new controls related to:

Monitoring the adoption process.
Implementing a new IT system to capture, calculate, and account for leases.
Gathering the information and evaluating the analyses used in the development of disclosures required before ASU 2016-02’s effective date.

We evaluated the design of these new controls during the quarter ended June 30, 20XX. As we continue the implementation process, we expect that there will be additional changes in ICFR. However, there were no other changes in ICFR during the quarter ended June 30, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.

Example E-2

Shortly Before Adoption

During the quarter ended December 31, 20XX, we implemented a plan that called for modifications to ICFR related to the accounting for leases as a result of ASU 2016-02. The modified controls have been designed to address risks associated with accounting for lease assets and liabilities and the related income and expense under ASC 842. We have therefore augmented ICFR as follows:

Enhanced the risk assessment process to take into account risks associated with ASC 842.
Modified existing controls that address risks associated with accounting for lease assets and liabilities and the related income and expense, including the revision of our contract review controls.

There were no other changes in ICFR during the quarter ended December 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.

Example E-3

Upon Adoption

We implemented ASU 2016-02 as of January 1, 20XX. As a result, we made the following significant modifications to ICFR, including changes to accounting policies and procedures, operational processes, and documentation practices:

Updated our policies and procedures related to accounting for lease assets and liabilities and related income and expense.
Modified our contract review controls to consider the new criteria for determining whether a contract is or contains a lease, specifically to clarify the definition of a lease and align with the concept of control.
Added controls for reevaluating our significant assumptions and judgments on a quarterly basis.
Added controls to address related required disclosures regarding leases, including our significant assumptions and judgments used in applying ASC 842.

Other than the items described above, there were no changes in ICFR during the quarter ended March 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.

Footnotes

SEC SAB 74 was codified as SEC SAB Topic 11.M. See Deloitte’s September 22, 2016, Financial Reporting Alert for further discussion.

This section is specific to SEC registrants.

SEC Final Rule No. 33-8238 states that ”management . . . must evaluate, with the participation of the issuer’s principal executive and principal financial officers, or persons performing similar functions, any change in the issuer’s internal control over financial reporting, that occurred during each of the issuer’s fiscal quarters, or fiscal year in the case of a foreign private issuer, that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.”

426 U.S. 438 (1976). See also Basic Inc. v. Levinson, 485 U.S. 224 (1988).

This table does not take into account all possible lease-related risks and an entity should also consider risks in other accounting areas (e.g., income taxes, possible debt covenant violations).

Reassessment of lease contracts is not applicable if an entity (lessee or lessor) elects the transition relief package and discloses such election.

This section is specific to SEC registrants.

Confidential and Proprietary — for Use Solely by Authorized Personnel

This publication provides comprehensive guidance; however, it does not address all possible fact patterns, and the guidance is subject to change. Consult a Deloitte & Touche LLP professional regarding your specific issues and questions.