Controls and Non-GAAP Measures
As part of its current focus on non-GAAP measures, the SEC has questioned whether
companies and audit committees have implemented appropriate controls regarding the
disclosure of such measures.1 This Heads Up discusses the types of controls that could be
established and provides high-level examples of control issues and related responses for
consideration in connection with non-GAAP measures. In addition, the Heads Up outlines a
sample approach for consideration.
Editor’s Note
A new Deloitte Roadmap publication on non-GAAP financial measures is currently in
development and is expected to be issued in the summer of 2016.
Disclosure Controls and Procedures Versus Internal Control Over Financial Reporting
Before diving into a detailed discussion about types and examples of controls, we should set
the stage by clarifying whether controls over non-GAAP measures are related to disclosure
controls and procedures (DCPs), to internal control over financial reporting (ICFR), or to both.
ICFR, which is defined in both SEC and PCAOB rules (see Appendix B), focuses on controls
related to the “reliability of financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting principles.” DCPs, on the
other hand, is more broadly defined and pertains to all information required to be disclosed
by the company (see Appendix B).
Because the starting point for a non-GAAP measure is a GAAP measure, ICFR would be
relevant to consider up to the point at which the GAAP measure that forms the basis of the
non-GAAP measure has been determined. However, regarding controls over the adjustments
to the GAAP measure and the related calculation of the non-GAAP measure — including the
oversight and monitoring of the non-GAAP measure — we believe that it is appropriate to
consider such controls within the realm of DCPs.
For a discussion of controls over non-GAAP measures in which the Committee of Sponsoring
Organizations (COSO) Internal Control — Integrated Framework is considered, see Appendix A.
Non-GAAP Measures, Earnings Releases, and DCPs
The SEC’s final rule on certifications states that Section 302 of the Sarbanes-Oxley Act of 2002
requires management to certify on a quarterly basis that DCPs are effective “to ensure that
information required to be disclosed by the issuer in the reports filed or submitted by it under
the Exchange Act [footnote omitted] is recorded, processed, summarized and reported, within
the time periods specified in the Commission’s rules and forms.” Earnings releases containing
non-GAAP measures are often furnished on Form 8-K, which does not require certifications
of the effectiveness of DCPs. However, the final rule also indicates that “[d]isclosure controls
and procedures . . . are required to be designed, maintained and evaluated to ensure full and
timely disclosure in current reports.”
Therefore, registrants that use non-GAAP measures in earnings releases furnished on Form
8-K — or those that use them in Forms 10-Q and 10-K (outside the financial statements),
which would be explicitly covered by Section 302 certifications — should consider the
appropriateness of their DCPs in the context of their non-GAAP information. Registrants
should, at a minimum, consider designing DCPs to ensure that procedures are in place
regarding:
- Compliance — Non-GAAP measures are presented in compliance with SEC rules, regulations, and guidance.
- Consistency of preparation — Non-GAAP measures are presented consistently each period, and potential non-GAAP adjustments are evaluated on an appropriate, consistent basis each period.
- Data quality — Non-GAAP measures are calculated on the basis of reliable inputs that are subject to appropriate controls.
- Accuracy of calculation — Non-GAAP measures are calculated with arithmetic accuracy, and the non-GAAP measures in the disclosure agree with the measures calculated.
- Transparency of disclosure — Descriptions of the non-GAAP measures, adjustments, and any other required disclosures are clear and not confusing.
- Review — Non-GAAP disclosures are reviewed by appropriate levels of management to confirm the appropriateness and completeness of the non-GAAP measures and related disclosures.
- Monitoring — The registrant’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately reviews the DCPs related to non-GAAP disclosures. The audit committee is involved in the oversight of the preparation and use of non-GAAP measures.
A critical aspect of such DCPs is the involvement of the appropriate levels of management and those charged with governance. Depending on the registrant, this may include reviewing the selection and determination of non-GAAP measures with a disclosure committee, the audit committee, or both. Establishing a written policy that (1) clearly describes the nature of allowable adjustments to GAAP measures, (2) defines the non-GAAP measure(s) to be used under the policy, and (3) explains how potential changes in the inputs, calculation, or adjustments will be evaluated and approved may help management identify its DCPs. For example, a policy might describe qualitatively the types of adjustments that are nonrecurring and abnormal and thus within the defined policy. It may also outline specific quantitative thresholds for which income or expense items might be evaluated in the determination of whether they should be included in non-GAAP adjustments. This could help ensure that appropriate non-GAAP measures are used as well as eliminate the need for numerous immaterial adjustments in the reconciliation that may confuse investors.
Disclosure Committee Considerations
Some companies may find it helpful to use a disclosure committee to assist the CEO, CFO, and audit committee in preparing and overseeing disclosures, including those related to non-GAAP measures. Disclosure committees are typically management committees, although some companies prefer that the disclosure committee function as a subcommittee of the board and audit committee.
Disclosure committees can set parameters for and determine the appropriateness of disclosures related to non-GAAP measures. In particular, the disclosure committee could review draft earnings releases to provide input and oversight by using the seven considerations outlined above. As part of its review, the disclosure committee can provide effective governance and play an integral role in the accuracy, completeness, timeliness, and fairness of a company’s disclosures.
Sample Approach — Controls Associated With the Disclosure of Non-GAAP Measures
A global manufacturing company uses certain non-GAAP measures in its quarterly earnings releases that are furnished to the SEC on Form 8-K. The manager of external reporting (1) prepares the non-GAAP measures that the entity plans to include in the quarterly earnings release and (2) provides to the controller for review the computed non-GAAP measures and related support (e.g., reconciliation between the most directly comparable GAAP financial measure and the non-GAAP measure) for the calculations.
The controller recomputes each non-GAAP measure and agrees the underlying GAAP measure to the general ledger. The controller then reviews each reconciliation of the GAAP measure to the non-GAAP measure, which includes agreeing the adjustments to the trial balance or other support and considering whether the reconciliation clearly labels and describes the nature of each adjustment. The controller also considers whether each adjustment is appropriate under company policy and is consistent with adjustments made in prior periods, and the controller excludes immaterial adjustments that are not the focus of management. Further, the controller reviews a list of prohibited presentations of non-GAAP financial measures to ensure that the measures are consistent with SEC guidance. The list of prohibited presentations includes the following, which can be evaluated before the draft earnings release is prepared:
- The inclusion of material misstatements or omissions that would make the presentation of the non-GAAP financial measure misleading.
- The presentation of per-share measures of liquidity.
- The exclusion of charges or liabilities that require, or will require, cash settlement, or would have required cash settlement in the absence of an ability to settle in another matter, from non-GAAP liquidity measures.
- Adjustments to a non-GAAP performance measure to eliminate or smooth items identified as nonrecurring, infrequent, or unusual when the nature of the charge or gain is such that it is reasonably likely to recur within two years or there was a similar charge or gain within the prior two years.
The controller considers whether the non-GAAP measures contain misleading adjustments, including those that:
- Exclude normal, recurring cash operating expenses necessary for business operation.
- Adjust an item in the current reporting period but do not adjust for a similar item in the prior period.
- Exclude certain nonrecurring charges but do not exclude nonrecurring gains.
- Are based on individually tailored accounting principles, including certain adjusted revenue measures.
The controller considers the income tax effects of the adjustments made to the GAAP measure (mindful that adjusting revenue or income before tax could affect the tax expense or benefits assumed in the calculation of the tax provision and that if the measure is a performance measure, a current and deferred income tax expense commensurate with the non-GAAP measure of profitability should be calculated and included in the disclosure). In addition, the controller verifies that adjustments for income taxes are presented separately and there is disclosure of how the adjustment for income taxes was determined. Finally, the controller reviews the non-GAAP measures used by the entity’s peers and considers whether the entity’s non-GAAP measures are comparable to them. The controller will follow up, if necessary, with the manager of external reporting regarding these review steps and, when any outstanding issues are resolved, will submit the reviewed non-GAAP measures to the director of investor relations. The director of investor relations drafts the earnings release and includes the non-GAAP measures reviewed by the controller.
The draft earnings release is then subject to review by the disclosure committee, which consists of the chief financial officer, the general counsel, the income tax director, and the director of internal audit. The disclosure committee reviews the non-GAAP measures disclosed in the draft earnings release for compliance with Regulation G and other SEC guidance and ensures the following:
- The non-GAAP measure is neither misleading nor prohibited.
- The non-GAAP measure is presented with and reconciled to the most directly comparable GAAP measure and with no greater prominence than the GAAP measure.
- The non-GAAP measure is appropriately defined and described and is clearly labeled as non-GAAP.
- The non-GAAP measure is balanced (i.e., it adjusts not only for nonrecurring expenses but also for nonrecurring gains).
- There is transparent and company-specific disclosure of the substantive reason(s) why management believes that the measure is useful for investors and, if material, the purpose for which management uses the measure.
- The non-GAAP measure is not presented on the face of the GAAP financial statements or in the accompanying notes or on the face of any pro forma financial statements required to be disclosed by Regulation S-X, Article 11.2
- The titles or descriptions of non-GAAP financial measures are not the same as, or confusingly similar to, titles or descriptions used for GAAP financial measures.
- The measure is consistently prepared from period to period in accordance with the defined policy and is comparable to that of the company’s peers.
If there are any inconsistencies between the above compliance issues and the non-GAAP measures and their disclosure in the draft earnings release, the disclosure committee will follow up with the director of investor relations, the controller, or both and request that conforming changes be made to the draft earnings release. Once any outstanding matters have been resolved, the disclosure committee approves the draft earnings release and forwards it to the audit committee for its review.
The audit committee exercises its oversight with respect to external financial reporting in performing its review of the earnings release, including confirming that the non-GAAP measures are appropriately disclosed in accordance with policy and are consistent with SEC rules, regulations, and guidance.
Appendix A — Controls From a COSO Perspective
In 2013, COSO updated its Internal Control — Integrated Framework, which provides a framework for designing and evaluating internal control. The publication contains 17 principles that explain the concepts associated with the five components of the COSO framework (control environment, risk assessment, control activities, information and communication, and monitoring). The five components are related to all aspects of an organization’s objectives, which typically fall into three categories — operations, reporting, and compliance. These objectives, as well as the components, are also related to an entity’s structure. COSO depicts this relationship between objectives, components, and an entity’s structure in the form of a cube as follows:
We believe that in the consideration of non-GAAP measures and how they may be viewed through the COSO lens, both
the reporting objective (related to external financial reporting) and the compliance objective (related to compliance with
laws and regulations) come into play.
Therefore, in its assessment of the design of effective internal control over non-GAAP measures, a company may
consider its objectives in terms of reporting and compliance and, on the basis of those objectives, take into account the
five components of internal control and the 17 principles within the components. The considerations listed above for
DCPs (1 through 7) could be expanded to cover all five COSO components and all 17 principles (see the table below,
which is adapted from COSO’s 2013 Internal Control — Integrated Framework):
COSO Internal Control-Integrated Framework Components and Principles
1. The organization
demonstrates
a commitment
to integrity and
ethical values. | 6. The organization
specifies
objectives with
sufficient clarity
to enable the
identification and
assessment of
risks relating to
objectives. | 10. The oganization
selects and
develops control
activities that
contribute to
the mitigation
of risks to the
achievement
of objectives to
acceptable levels. | 13. The organization
obtains or
generates and
uses relevant,
quality information
to support the
functioning of
internal control. | 16. The organization
selects, develops,
and performs
ongoing and/
or separate
evaluations to
ascertain whether
the components
of internal control
are present and
functioning. |
2. The board
of directors
demonstrates
independence
from management
and exercises
oversight of the
development and
performance of
internal control. | 7. The organization
identifies risks to
the achievement
of its objectives
across the entity
and analyzes risks
as a basis for
determining how
the risks should be
managed. | 11. The organization
selects and
develops general
control activities
over technology
to support the
achievement of
objectives. | 14. The organization
internally
communicates
information,
including
objectives and
responsibilities
for internal
control, necessary
to support the
functioning of
internal control. | 17. The organization
evaluates and
communicates
internal control
deficiencies in a
timely manner
to those parties
responsible
for taking
corrective action,
including senior
management
and the board
of directors, as
appropriate. |
3. Management
establishes, with
board oversight,
structures,
reporting lines,
and appropriate
authorities and
responsibilities
in the pursuit of
objectives. | 8. The organization
considers the
potential for
fraud in assessing
risks to the
achievement of
objectives. | 12. The organization
deploys control
activities through
policies that
establish what
is expected and
procedures that
put policies into
action. | 15. The organization
communicates
with external
parties regarding
matters affecting
the functioning of
internal control. | |
4. The organization
demonstrates
a commitment
to attract,
develop, and
retain competent
individuals in
alignment with
objectives. | 9. The organization
identifies and
assesses changes
that could
significantly impact
the system of
internal control. | |||
5. The organization
holds individuals
accountable
for their
internal control
responsibilities
in the pursuit of
objectives. |
Appendix B — Definitions of ICFR and DCPs
ICFR
SEC and PCAOB rules define ICFR as “a process designed by, or under the supervision of, the issuer’s principal executive
and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors,
management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting
and the preparation of financial statements for external purposes in accordance with generally accepted accounting
principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and
dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial
statements in accordance with generally accepted accounting principles, and that receipts and expenditures of
the issuer are being made only in accordance with authorizations of management and directors of the issuer;
and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or
disposition of the issuer’s assets that could have a material effect on the financial statements.”
DCPs
SEC rules define DCPs as “controls and other procedures of an issuer that are designed to ensure that information
required to be disclosed by the issuer in the reports that it files or submits under the Act (15 U.S.C. 78a et seq.) is
recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms.
Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that
information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated
and communicated to the issuer’s management, including its principal executive officer or officers and principal financial
officer or officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required
disclosure.”