Appendix E — Internal Control Over Financial Reporting
E.1 Preadoption Disclosure Controls
SEC registrants should be aware that the SEC has been emphasizing the importance
of transition-period disclosures (or preadoption disclosures) in accordance with
SAB 74.[1] These disclosures should be both qualitative and quantitative and should
be included in MD&A (subject to disclosure controls and procedures) and the
footnotes to the financial statements (subject to ICFR). The SEC staff has also
made clear its expectation that the preadoption disclosures should become more
robust and quantitative as ASU 2016-02’s effective date approaches.
In light of the SEC’s guidance and recent comments from the SEC staff, such disclosures should address the impact ASU 2016-02 and other related ASUs (collectively referred to as “ASC 842” herein) are expected to have on the financial statements and should include:
- A comparison of the company’s current accounting policies with the expected accounting under ASC 842.
- The status of the implementation process.
- The nature of any significant implementation matters that have not yet been addressed.
A company that is able to reasonably estimate the quantitative impact of ASC 842 should also disclose those amounts.
Internal controls over these preadoption disclosures are important to
management’s ability to address the risks that the disclosures are inaccurate or
incomplete. Management should first identify whether appropriate internal
controls exist for the disclosures (e.g., controls over infrequent processes)
and then specify the information and analysis used to support those controls. In
some cases, management may need to revise existing controls or implement new
controls. Next, management needs to evaluate the design and test the operating
effectiveness of the relevant controls given that they should be included within
the scope of management’s report on ICFR in the year before the adoption of ASC
842, as applicable.
When assessing whether appropriate internal controls exist with respect to the preadoption disclosures, management may consider whether procedures are in place to evaluate:
- Competence — The preadoption disclosures are prepared by competent individuals with knowledge of ASC 842 and potential impacts on the company.
- Compliance — The disclosures meet the SEC’s requirements and guidelines.
- Data quality — The quantitative disclosures (if known and estimated) are calculated on the basis of reliable inputs that are subject to appropriate internal control.
- Review — The disclosures are reviewed by appropriate levels of management.
- Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately reviews the internal controls in accordance with company protocols.
E.2 Internal Control Considerations Related to the Adoption of ASC 842
E.2.1 Internal Controls Over Adoption
There are often unique circumstances and considerations associated with the
adoption of a new accounting standard that can pose a greater risk of
material misstatement to the financial statements. Thus, companies should
consider the circumstances that may only be present during the adoption
period and evaluate whether there are any unique risks for which an entity
needs to design controls over infrequent processes that may operate
exclusively during the adoption period. Management should also consider the
internal controls, documentation, and evidence it needs to support:
- Entity-level controls such as the control environment and general “tone at the top.”
- Identification of a complete population of lease agreements or contracts in accordance with company policies.
- Accounting conclusions reached (e.g., preparing accounting white papers or internal memos memorializing management’s considerations and conclusions).
- Information used to support accounting conclusions, new estimates, adjustments to the financial statements, and disclosure requirements.
- Identification and implementation of changes to relevant IT systems.
- The modified retrospective transition approach.
- The accounting logic used and journal entries (including the transition adjustments) that record the adoption’s impact.
- Any practical expedients applied and related disclosures.
- Changes to the monthly, quarterly, or annual close process and related reporting requirements (e.g., internal reporting, disclosure controls and procedures).
E.2.2 Lease-Related Risks, Internal Controls, and Documentation
It is possible that, as a result of ASC 842, new financial reporting risks will emerge, including new or modified fraud risks, and that new processes and internal controls will be required. Companies will therefore need to consider these new risks and how to change or modify internal controls to address the new risks.
Management will need to make significant assumptions and judgments because of
the requirements under ASC 842. For example, since almost all leases will be
recognized in the statement of financial position, management will need to
use significant judgment in evaluating matters such as whether an
arrangement is or contains a lease and in assessing a lease’s term, which
would affect whether the lease qualifies for the short-term exemption. It is
critical for management to (1) evaluate the risks of material misstatement
associated with these significant judgments, (2) design and implement
controls to address those risks, and (3) maintain documentation that
supports the assumptions and judgments that underpin its estimates.
See Section E.4 for a table summarizing sample risks and controls that may help entities consider how ASC 842 will affect them.
E.2.3 Significant Changes in Information and Related Data-Quality Needs
Companies will need to gather and track new information to comply with ASC 842,
including the related disclosure requirements. Management should consider
whether appropriate controls are in place to support (1) any necessary IT
changes (including change management controls and, once the IT changes have
been implemented, the evaluation of their design and testing of their
operating effectiveness) and (2) the completeness and accuracy of the
information used by the entity in recognizing lease assets and liabilities
and the related income and expense and providing the required disclosures.
The table below illustrates some potential challenges and examples of
practices related to internal control.
Potential Challenge | Example of Internal Control Practice |
---|---|
Information requirements have not been updated to support the reporting (e.g., interim and annual requirements, including those related to disclosures) required under ASC 842. | Management establishes data governance, policies, and standards for identifying and resolving data gaps and implements processes to verify the quality of information needed for implementation of ASC 842. |
Control expectations have not been considered for new information required under ASC 842. | The lease implementation team meets periodically with the ICFR or SOX team (and control owners as appropriate) to share relevant information about the adoption of ASC 842 so that the ICFR or SOX team can prepare and plan accordingly. |
Legacy internal controls over source data, report logic, or parameters have not been reconsidered. | Management takes steps to update and review the appropriate flowcharts, data flow diagrams, process narratives, procedure manuals, and control procedures to reflect the new processes as a result of ASC 842 and to support management’s ICFR assessment. |
E.3 Evaluating Material Changes in Internal Control[2]
SEC registrants are required to disclose any material changes[3] (including improvements) in their ICFR in each quarterly and annual report
in accordance with SEC Regulation S-K, Item 308(c). SEC guidance explains that
materiality is determined on the basis of the impact on ICFR and the materiality
standard articulated in TSC Industries Inc. v. Northway Inc.[4] (i.e., that “an omitted fact is material if there is a substantial
likelihood that a reasonable shareholder would consider it important in deciding
how to vote”).
As discussed previously, when a company adopts ASC 842, management will probably need to implement new controls or modify existing ones to address new or modified risks of material misstatement. Disclosure requirements will also be triggered by the adoption of a new accounting standard if such changes in internal control are material. In addition, management should consider whether there are appropriate controls for identifying and disclosing material changes in ICFR.
For example, management may consider whether there are controls related to the following:
- Compliance — Processes are in place to identify and evaluate material changes in internal control. Further, protocols exist for developing appropriate disclosures and reporting such information to appropriate levels of management (e.g., those signing the quarterly and annual certifications required under SEC Regulation S-K, Item 601(b)(31)).
- Review — The disclosures are reviewed by appropriate levels of management (including, as warranted, those signing the quarterly and annual certifications).
- Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately considers the state of the entity’s ICFR to identify changes and monitor controls in accordance with company protocols.
In developing the required disclosures, companies should clearly state whether a
material change has occurred and, if so, describe the nature of the change. The
SEC staff has commented when a registrant has not explicitly asserted whether
there has been a change in ICFR in the most recent fiscal quarter that could
have a material effect on its ICFR. The staff has further stressed that
registrants should avoid “boilerplate” disclosure in which they state that there
have been no material changes affecting ICFR in a period, particularly when
there have been identifiable events such as changes in accounting policies. For
examples of appropriate disclosures to provide in such circumstances, see
Section E.6.
E.4 Examples of Risks and Internal Control Considerations Related to the Adoption and Ongoing Accounting
The table[5] below lists risks and internal control considerations related to the
adoption of ASC 842 and the ongoing accounting under ASC 842 (the risks and
considerations apply to both lessees and lessors, unless otherwise
specified).
 | | |
---|---|---|
Adoption period | | Internal controls related to: |
Capturing leases | | Internal controls related to: |
Calculating leases | | Internal controls related to: |
Accounting for leases | | Internal controls related to: |
Presentation and disclosure for leases | | Internal controls related to: |
E.5 Applying the COSO Principles to Adoption
The 2013 COSO framework contains 17 principles that explain the concepts
associated with the five components of internal control (i.e., control
environment, risk assessment, control activities, information and communication,
and monitoring activities). The components are related to all aspects of an
organization’s objectives, which typically fall into three categories —
operations, reporting, and compliance. These objectives, as well as the
components, are also related to an entity’s structure. COSO uses the following
cube to depict the relationship between objectives, components, and an entity’s
structure:
In assessing the design of effective internal control with respect to ASC 842, a company may consider its objectives in terms of internal and external reporting and, on the basis of those objectives, may take into account the five components of internal control and the 17 principles within the components. The chart below summarizes the 17 principles and provides examples of how a company would apply them when implementing and adopting ASC 842.
 | | |
---|---|---|
Control environment | 1. Demonstrates commitment to integrity and ethical values. 2. Board of directors exercises oversight responsibilities. 3. Establishes structure, authority, and responsibility. 4. Demonstrates commitment to competency. 5. Enforces accountability. | Principle 1, Principle 2, Principle 3, Principle 4, Principle 5 |
Risk assessment | 6. Specifies suitable objectives. 7. Identifies and analyzes risk. 8. Assesses fraud risk. 9. Identifies and analyzes significant change. | Principle 6, Principle 7, Principle 8, Principle 9 |
Control activities | 10. Selects and develops control activities. 11. Selects and develops general controls over technology. 12. Deploys through policies and procedures. | Principle 10, Principle 11, Principle 12 |
Information and communication | 13. Uses relevant, quality information. 14. Communicates internally. 15. Communicates externally. | Principle 13, Principle 14, Principle 15 |
Monitoring activities | 16. Conducts ongoing and/or separate evaluations. 17. Evaluates and communicates deficiencies. | Principle 16, Principle 17 |
E.6 Illustrative Disclosures — Material Change in Internal Control[7]
Example E-1
Several Quarters Before Adoption
During the quarter ended June 30, 20XX, we implemented new controls as part of our efforts to adopt ASU 2016-02. Those efforts resulted in changes to our accounting processes and procedures. In particular, we implemented new controls related to:
- Monitoring the adoption process.
- Implementing a new IT system to capture, calculate, and account for leases.
- Gathering the information and evaluating the analyses used in the development of disclosures required before ASU 2016-02’s effective date.
We evaluated the design of these new controls during the quarter ended June 30, 20XX. As we continue the implementation process, we expect that there will be additional changes in ICFR. However, there were no other changes in ICFR during the quarter ended June 30, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.
Example E-2
Shortly Before Adoption
During the quarter ended December 31, 20XX, we implemented a plan that called for modifications to ICFR related to the accounting for leases as a result of ASU 2016-02. The modified controls have been designed to address risks associated with accounting for lease assets and liabilities and the related income and expense under ASC 842. We have therefore augmented ICFR as follows:
- Enhanced the risk assessment process to take into account risks associated with ASC 842.
- Modified existing controls that address risks associated with accounting for lease assets and liabilities and the related income and expense, including the revision of our contract review controls.
There were no other changes in ICFR during the quarter ended December 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.
Example E-3
Upon Adoption
We implemented ASU 2016-02 as of January 1, 20XX. As a result, we made the following significant modifications to ICFR, including changes to accounting policies and procedures, operational processes, and documentation practices:
- Updated our policies and procedures related to accounting for lease assets and liabilities and related income and expense.
- Modified our contract review controls to consider the new criteria for determining whether a contract is or contains a lease, specifically to clarify the definition of a lease and align with the concept of control.
- Added controls for reevaluating our significant assumptions and judgments on a quarterly basis.
- Added controls to address related required disclosures regarding leases, including our significant assumptions and judgments used in applying ASC 842.
Other than the items described above, there were no changes in ICFR during the quarter ended March 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.
Footnotes
[1] SEC SAB 74 was codified as SEC SAB Topic 11.M. See Deloitte’s September 22, 2016, Financial Reporting Alert for further discussion.
[2] This section is specific to SEC registrants.
[3] SEC Final Rule No. 33-8238 states that “management . . . must evaluate, with the participation of the issuer’s principal executive and principal financial officers, or persons performing similar functions, any change in the issuer’s internal control over financial reporting, that occurred during each of the issuer’s fiscal quarters, or fiscal year in the case of a foreign private issuer, that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.”
[4] 426 U.S. 438 (1976). See also Basic Inc. v. Levinson, 485 U.S. 224 (1988).
[5] This table does not take into account all possible lease-related risks and an entity should also consider risks in other accounting areas (e.g., income taxes, possible debt covenant violations).
[6] Reassessment of lease contracts is not applicable if an entity (lessee or lessor) elects the transition relief package and discloses such election.
[7] This section is specific to SEC registrants.