Controls and Non-GAAP Measures
As part of its current focus on non-GAAP measures, the SEC has questioned whether companies and audit committees have implemented appropriate controls regarding the disclosure of such measures.1 This Heads Up discusses the types of controls that could be established and provides high-level examples of control issues and related responses for consideration in connection with non-GAAP measures. In addition, the Heads Up outlines a sample approach for consideration.
A new Deloitte Roadmap publication on non-GAAP financial measures is currently in development and is expected to be issued in the summer of 2016.
Disclosure Controls and Procedures Versus Internal Control Over Financial Reporting
Before diving into a detailed discussion about types and examples of controls, we should set the stage by clarifying whether controls over non-GAAP measures are related to disclosure controls and procedures (DCPs), to internal control over financial reporting (ICFR), or to both.
ICFR, which is defined in both SEC and PCAOB rules (see Appendix B), focuses on controls related to the “reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.” DCPs, on the other hand, is more broadly defined and pertains to all information required to be disclosed by the company (see Appendix B).
Because the starting point for a non-GAAP measure is a GAAP measure, ICFR would be relevant to consider up to the point at which the GAAP measure that forms the basis of the non-GAAP measure has been determined. However, regarding controls over the adjustments to the GAAP measure and the related calculation of the non-GAAP measure — including the oversight and monitoring of the non-GAAP measure — we believe that it is appropriate to consider such controls within the realm of DCPs.
For a discussion of controls over non-GAAP measures in which the Committee of Sponsoring Organizations (COSO) Internal Control — Integrated Framework is considered, see Appendix A.
Non-GAAP Measures, Earnings Releases, and DCPs
The SEC’s final rule on certifications states that Section 302 of the Sarbanes-Oxley Act of 2002 requires management to certify on a quarterly basis that DCPs are effective “to ensure that information required to be disclosed by the issuer in the reports filed or submitted by it under the Exchange Act [footnote omitted] is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms.” Earnings releases containing non-GAAP measures are often furnished on Form 8-K, which does not require certifications of the effectiveness of DCPs. However, the final rule also indicates that “[d]isclosure controls and procedures . . . are required to be designed, maintained and evaluated to ensure full and timely disclosure in current reports.”
Therefore, registrants that use non-GAAP measures in earnings releases furnished on Form 8-K — or those that use them in Forms 10-Q and 10-K (outside the financial statements), which would be explicitly covered by Section 302 certifications — should consider the appropriateness of their DCPs in the context of their non-GAAP information. Registrants should, at a minimum, consider designing DCPs to ensure that procedures are in place regarding:
- Compliance — Non-GAAP measures are presented in compliance with SEC rules, regulations, and guidance.
- Consistency of preparation — Non-GAAP measures are presented consistently each period, and potential non-GAAP adjustments are evaluated on an appropriate, consistent basis each period.
- Data quality — Non-GAAP measures are calculated on the basis of reliable inputs that are subject to appropriate controls.
- Accuracy of calculation — Non-GAAP measures are calculated with arithmetic accuracy, and the non-GAAP measures in the disclosure agree with the measures calculated.
- Transparency of disclosure — Descriptions of the non-GAAP measures, adjustments, and any other required disclosures are clear and not confusing.
- Review — Non-GAAP disclosures are reviewed by appropriate levels of management to confirm the appropriateness and completeness of the non-GAAP measures and related disclosures.
- Monitoring — The registrant’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately reviews the DCPs related to non-GAAP disclosures. The audit committee is involved in the oversight of the preparation and use of non-GAAP measures.
A critical aspect of such DCPs is the involvement of the appropriate levels of management and those charged with governance. Depending on the registrant, this may include reviewing the selection and determination of non-GAAP measures with a disclosure committee, the audit committee, or both. Establishing a written policy that (1) clearly describes the nature of allowable adjustments to GAAP measures, (2) defines the non-GAAP measure(s) to be used under the policy, and (3) explains how potential changes in the inputs, calculation, or adjustments will be evaluated and approved may help management identify its DCPs. For example, a policy might describe qualitatively the types of adjustments that are nonrecurring and abnormal and thus within the defined policy. It may also outline specific quantitative thresholds for which income or expense items might be evaluated in the determination of whether they should be included in non-GAAP adjustments. This could help ensure that appropriate non-GAAP measures are used as well as eliminate the need for numerous immaterial adjustments in the reconciliation that may confuse investors.
Disclosure Committee Considerations
Some companies may find it helpful to use a disclosure committee to assist the CEO, CFO, and audit committee in preparing and overseeing disclosures, including those related to non-GAAP measures. Disclosure committees are typically management committees, although some companies prefer that the disclosure committee function as a subcommittee of the board and audit committee.
Disclosure committees can set parameters for and determine the appropriateness of disclosures related to non-GAAP measures. In particular, the disclosure committee could review draft earnings releases to provide input and oversight by using the seven considerations outlined above. As part of its review, the disclosure committee can provide effective governance and play an integral role in the accuracy, completeness, timeliness, and fairness of a company’s disclosures.
Sample Approach — Controls Associated With the Disclosure of Non-GAAP Measures
A global manufacturing company uses certain non-GAAP measures in its quarterly earnings releases that are furnished to the SEC on Form 8-K. The manager of external reporting (1) prepares the non-GAAP measures that the entity plans to include in the quarterly earnings release and (2) provides to the controller for review the computed non-GAAP measures and related support (e.g., reconciliation between the most directly comparable GAAP financial measure and the non-GAAP measure) for the calculations.
The controller recomputes each non-GAAP measure and agrees the underlying GAAP measure to the general ledger. The controller then reviews each reconciliation of the GAAP measure to the non-GAAP measure, which includes agreeing the adjustments to the trial balance or other support and considering whether the reconciliation clearly labels and describes the nature of each adjustment. The controller also considers whether each adjustment is appropriate under company policy and is consistent with adjustments made in prior periods, and the controller excludes immaterial adjustments that are not the focus of management. Further, the controller reviews a list of prohibited presentations of non-GAAP financial measures to ensure that the measures are consistent with SEC guidance. The list of prohibited presentations includes the following, which can be evaluated before the draft earnings release is prepared:
- The inclusion of material misstatements or omissions that would make the presentation of the non-GAAP financial measure misleading.
- The presentation of per-share measures of liquidity.
- The exclusion of charges or liabilities that require, or will require, cash settlement, or would have required cash settlement in the absence of an ability to settle in another matter, from non-GAAP liquidity measures.
- Adjustments to a non-GAAP performance measure to eliminate or smooth items identified as nonrecurring, infrequent, or unusual when the nature of the charge or gain is such that it is reasonably likely to recur within two years or there was a similar charge or gain within the prior two years.
The controller considers whether the non-GAAP measures contain misleading adjustments, including those that:
- Exclude normal, recurring cash operating expenses necessary for business operation.
- Adjust an item in the current reporting period but do not adjust for a similar item in the prior period.
- Exclude certain nonrecurring charges but do not exclude nonrecurring gains.
- Are based on individually tailored accounting principles, including certain adjusted revenue measures.
The controller considers the income tax effects of the adjustments made to the GAAP measure (mindful that adjusting revenue or income before tax could affect the tax expense or benefits assumed in the calculation of the tax provision and that if the measure is a performance measure, a current and deferred income tax expense commensurate with the non-GAAP measure of profitability should be calculated and included in the disclosure). In addition, the controller verifies that adjustments for income taxes are presented separately and there is disclosure of how the adjustment for income taxes was determined. Finally, the controller reviews the non-GAAP measures used by the entity’s peers and considers whether the entity’s non-GAAP measures are comparable to them. The controller will follow up, if necessary, with the manager of external reporting regarding these review steps and, when any outstanding issues are resolved, will submit the reviewed non-GAAP measures to the director of investor relations. The director of investor relations drafts the earnings release and includes the non-GAAP measures reviewed by the controller.
The draft earnings release is then subject to review by the disclosure committee, which consists of the chief financial officer, the general counsel, the income tax director, and the director of internal audit. The disclosure committee reviews the non-GAAP measures disclosed in the draft earnings release for compliance with Regulation G and other SEC guidance and ensures the following:
- The non-GAAP measure is neither misleading nor prohibited.
- The non-GAAP measure is presented with and reconciled to the most directly comparable GAAP measure and with no greater prominence than the GAAP measure.
- The non-GAAP measure is appropriately defined and described and is clearly labeled as non-GAAP.
- The non-GAAP measure is balanced (i.e., it adjusts not only for nonrecurring expenses but also for nonrecurring gains).
- There is transparent and company-specific disclosure of the substantive reason(s) why management believes that the measure is useful for investors and, if material, the purpose for which management uses the measure.
- The non-GAAP measure is not presented on the face of the GAAP financial statements or in the accompanying notes or on the face of any pro forma financial statements required to be disclosed by Regulation S-X, Article 11.2
- The titles or descriptions of non-GAAP financial measures are not the same as, or confusingly similar to, titles or descriptions used for GAAP financial measures.
- The measure is consistently prepared from period to period in accordance with the defined policy and is comparable to that of the company’s peers.
If there are any inconsistencies between the above compliance issues and the non-GAAP measures and their disclosure in the draft earnings release, the disclosure committee will follow up with the director of investor relations, the controller, or both and request that conforming changes be made to the draft earnings release. Once any outstanding matters have been resolved, the disclosure committee approves the draft earnings release and forwards it to the audit committee for its review.
The audit committee exercises its oversight with respect to external financial reporting in performing its review of the earnings release, including confirming that the non-GAAP measures are appropriately disclosed in accordance with policy and are consistent with SEC rules, regulations, and guidance.
Appendix A — Controls From a COSO Perspective
In 2013, COSO updated its Internal Control — Integrated Framework, which provides a framework for designing and evaluating internal control. The publication contains 17 principles that explain the concepts associated with the five components of the COSO framework (control environment, risk assessment, control activities, information and communication, and monitoring). The five components are related to all aspects of an organization’s objectives, which typically fall into three categories — operations, reporting, and compliance. These objectives, as well as the components, are also related to an entity’s structure. COSO depicts this relationship between objectives, components, and an entity’s structure in the form of a cube as follows:
We believe that in the consideration of non-GAAP measures and how they may be viewed through the COSO lens, both the reporting objective (related to external financial reporting) and the compliance objective (related to compliance with laws and regulations) come into play.
Therefore, in its assessment of the design of effective internal control over non-GAAP measures, a company may consider its objectives in terms of reporting and compliance and, on the basis of those objectives, take into account the five components of internal control and the 17 principles within the components. The considerations listed above for DCPs (1 through 7) could be expanded to cover all five COSO components and all 17 principles (see the table below, which is adapted from COSO’s 2013 Internal Control — Integrated Framework):
COSO Internal Control-Integrated Framework Components and Principles
1. The organization demonstrates a commitment to integrity and ethical values.
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
10. The oganization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
16. The organization selects, develops, and performs ongoing and/ or separate evaluations to ascertain whether the components of internal control are present and functioning.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Appendix B — Definitions of ICFR and DCPs
SEC and PCAOB rules define ICFR as “a process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.”
SEC rules define DCPs as “controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act (15 U.S.C. 78a et seq.) is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer’s management, including its principal executive officer or officers and principal financial officer or officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.”