Internal Control Considerations Related to Adoption of the New Revenue Recognition Standard (May 9, 2017)

Internal Control Considerations Related to Adoption of the New Revenue Recognition Standard

by Jennifer Burns, Amy Steele, and Amy Groves, Deloitte & Touche LLP

Introduction

As companies work to adopt the FASB’s revenue standard (ASU 2014-091), it is critical that internal control considerations be front and center. SEC filing data show that revenue recognition is one of the most common accounting issues that trigger a material weakness.2 These data underscore the importance of focusing on the internal control impacts of adopting the new revenue standard and support comments by SEC Chief Accountant Wesley Bricker, who has said that “[i]t is hard to think of an area more important than ICFR [internal control over financial reporting].”3

This Heads Up discusses certain considerations with respect to internal control and the adoption of the new revenue standard. For a comprehensive discussion of the new standard, including an analysis of other potential implementation issues, see Deloitte’s A Roadmap to Applying the New Revenue Recognition Standard.

Preadoption Disclosure Controls

The SEC has been emphasizing the importance of transition-period disclosures (or preadoption disclosures) in accordance with SAB 74.4 These disclosures should be both qualitative and quantitative and should be included in MD&A (subject to disclosure controls and procedures) and the footnotes to the financial statements (subject to ICFR). The SEC staff has also made clear its expectation that the preadoption disclosures become more robust and quantitative as the new standard’s effective date approaches.

In light of the SEC’s guidance and recent comments from the SEC staff, such disclosures should address the impact the new revenue standard is expected to have on the financial statements and should include:

A comparison of the company’s current accounting policies (which, to the extent available, could include tabular information or ranges comparing historical revenue patterns) with the expected accounting under the new standard.
The transition method (full retrospective or modified retrospective) elected.
The status of the implementation process.
The nature of any significant implementation matters that have not yet been addressed.

A company that is able to reasonably estimate the quantitative impact of the new standard should disclose those amounts. Some disclosures may therefore include pro forma financial statements under the full retrospective method.

Internal controls over these preadoption disclosures are important to management’s ability to address the risks that the disclosures are inaccurate or incomplete. Management should first identify whether appropriate internal controls exist for the disclosures and then specify the information and analysis used to support them. Then, management needs to test the design and operating effectiveness of the relevant controls given that they should be included within the scope of management’s report on ICFR in the year before the adoption of the new revenue standard, as applicable.

When assessing whether appropriate internal controls exist with respect to the preadoption disclosures, management may consider whether procedures are in place regarding:

Competence — The preadoption disclosures are prepared by competent individuals with knowledge of the new revenue standard and potential impacts on the company.
Compliance — The disclosures meet the SEC’s requirements and guidelines.5
Data quality — The quantitative disclosures (if known and estimated) are calculated on the basis of reliable inputs that are subject to appropriate internal control.
Review — The disclosures are reviewed by appropriate levels of management.
Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately reviews the internal controls in accordance with company protocols. In addition, the audit committee is involved in the oversight of the disclosures’ preparation.

Internal Control Considerations Related to the Adoption of the New Standard

Internal Controls Over the Adoption

There are often unique circumstances and considerations associated with the adoption of a new accounting standard that can pose a higher risk of material misstatement to the financial statements. Thus, companies should consider the circumstances that may only be present during the adoption period and evaluate whether there are any unique risks that require “one-time” internal controls that may operate exclusively during the adoption period. Management should also consider the internal controls, documentation, and evidence it needs to support:

Entity-level controls such as the control environment and general “tone at the top.”
Identification of material revenue streams and different contract types within those revenue streams.
Accounting conclusions reached (such as by preparing accounting white papers or internal memos memorializing management’s considerations and conclusions), including the impact to other account balances such as costs of sales or services, contract assets and liabilities, and income tax accounts.
Information used to support accounting conclusions, new estimates, adjustments to the financial statements, and disclosure requirements.
Identification and implementation of changes to information technology systems, including the logic of reports.
The transition approach selected.
The accounting logic used and journal entries (including the transition adjustments) that record the adoption’s impact.
Any practical expedients applied and related disclosures.
Changes to the monthly, quarterly, or annual close process and related reporting requirements (e.g., internal reporting, disclosure controls and procedures).

See Appendix A of this Heads Up for considerations related to additional risks and internal controls.

Five-Step Model, Related Risks, Internal Controls, and Documentation

The new revenue standard requires companies to apply a five-step model for recognizing revenue. As a result of the five steps, it is possible that new financial reporting risks will emerge, including new or modified fraud risks, and that new processes and internal controls will be required. Companies will therefore need to consider these new risks and how to change or modify internal controls to address the new risks.

For example, in applying the five-step model, management will need to make significant judgments and estimates (e.g., the determination of variable consideration and whether to constrain variable consideration). It is critical for management to (1) evaluate the risks of material misstatement associated with these judgments and estimates, (2) design and implement controls to address those risks, and (3) maintain documentation that supports the assumptions and judgments that underpin its estimates. Mr. Bricker recently pointed out that management should consider whether controls, including those related to tone at the top of the organization, “support the formation and enforcement of sound judgments [required under the new standard] or whether changes are necessary.”6 Appendix A of this Heads Up outlines the five-step revenue recognition model and contains sample risks and controls for consideration.

Significant Changes in Information and Related Data-Quality Needs

Companies will need to gather and track new information to comply with the five-step model and related disclosure requirements. Management should consider whether appropriate controls are in place to support (1) the necessary information technology (IT) changes (including change management controls and, once the IT changes have been implemented, the testing of their design and operating effectiveness) and (2) the accuracy of the information used by the entity to recognize revenue and provide the required disclosures. The table below illustrates some potential challenges and examples of practices.

Potential Challenge	Example of Internal Control Practice
Information requirements have not been updated to support the reporting (e.g., interim and annual requirements, including disclosures) required under the new revenue standard. Control expectations have not been considered for new information required under the standard. Internal controls over source data, report logic, or parameters have not been reconsidered.	Management establishes data governance, policies, and standards for identifying and resolving data gaps and implements processes to verify the quality of information needed for implementation of the new standard. The revenue recognition implementation team meets periodically with the ICFR/SOX7 team (and control owners as appropriate) to share relevant information about the adoption of the new standard so that the ICFR/SOX team can prepare and plan accordingly. Management takes steps to update and review the appropriate flowcharts, data flow diagrams, process narratives, procedure manuals, and control procedures to reflect the new processes as a result of the new standard and to support management’s ICFR assessment.

Potential Challenge

Example of Internal Control Practice

Information requirements have not been updated to support the reporting (e.g., interim and annual requirements, including disclosures) required under the new revenue standard.
Control expectations have not been considered for new information required under the standard.
Internal controls over source data, report logic, or parameters have not been reconsidered.

Management establishes data governance, policies, and standards for identifying and resolving data gaps and implements processes to verify the quality of information needed for implementation of the new standard.
The revenue recognition implementation team meets periodically with the ICFR/SOX7 team (and control owners as appropriate) to share relevant information about the adoption of the new standard so that the ICFR/SOX team can prepare and plan accordingly.
Management takes steps to update and review the appropriate flowcharts, data flow diagrams, process narratives, procedure manuals, and control procedures to reflect the new processes as a result of the new standard and to support management’s ICFR assessment.

Applying the COSO Principles

The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control — Integrated Framework (the “2013 COSO Framework”) provides a framework for designing and evaluating internal controls through the use of 17 principles and related guidance. As companies implement the new revenue standard, particularly those that apply the 2013 COSO Framework in management’s assessment of ICFR, they should consider the COSO principles in evaluating and designing controls (including those related to recognizing revenue and data quality, as discussed above). In addition, as new controls are designed and implemented, control owners should consider the evidence and documentation that will be available to support management’s assessment of ICFR. See Appendix B of this Heads Up for further discussion.

Evaluating Material Changes in Internal Control

SEC registrants are required to disclose any material changes8 (including improvements) in their ICFR in each quarterly and annual report in accordance with Regulation S-K, Item 308(c). SEC guidance explains that materiality would be determined on the basis of the impact on ICFR and the materiality standard articulated in TSC Industries Inc. v. Northway Inc.9 (i.e., that “an omitted fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote”).

As discussed previously, the adoption of the new revenue standard will probably require management to implement new controls or modify existing ones to address new or modified risks of material misstatement. Such changes in internal control, if material, as a result of the adoption of a new accounting standard, will trigger disclosure requirements. In addition, management should consider whether there are appropriate controls with respect to identifying and disclosing material changes in ICFR.

For example, management may consider whether there are controls related to the following:

Compliance — Processes are in place to identify and evaluate material changes in internal control. Further, protocols exist for developing appropriate disclosures and reporting such information to appropriate levels of management (e.g., those signing the quarterly and annual certifications required under SEC Regulation S-K, Item 601(b)(31)10).
Review — The disclosures are reviewed by appropriate levels of management (including, as warranted, those signing the quarterly and annual certifications).
Monitoring — The company’s monitoring function (e.g., internal audit, disclosure committee, or audit committee) appropriately considers the state of the entity’s ICFR to identify changes and monitors controls in accordance with company protocols. In addition, the audit committee is involved in the oversight of the disclosures’ preparation.

In developing the required disclosures, companies should clearly state whether a material change has occurred and, if so, describe the nature of the change. The SEC staff has commented when a registrant has not explicitly asserted whether there has been a change in ICFR in the most recent fiscal quarter that could have a material effect on its ICFR. The staff has further stressed that registrants should avoid “boilerplate” disclosure in which they state that there have been no material changes affecting ICFR in a period, particularly when there have been identifiable events such as changes in accounting policies.

Illustrative Disclosures — Material Change in Internal Control

Example — Several Quarters Before Adoption

During the quarter ended June 30, 20XX, we implemented new controls as part of our efforts to adopt the new revenue recognition standard. Those efforts resulted in changes to our accounting processes and procedures. In particular, we implemented new controls related to:

Monitoring the adoption process.
Implementing a new IT system to record revenue.
Recording adjustments to the 2016 and 2017 financial statements for the full retrospective transition method.
Gathering the information and evaluating the analyses used in the development of disclosures required before the standard’s effective date.

We evaluated the design of these new controls before adoption during the quarter ended June 30, 20XX. As we continue the implementation process, we expect that there will be additional changes in ICFR. However, there were no other changes in ICFR during the quarter ended June 30, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.

Example — Shortly Before Adoption

During the quarter ended December 31, 20XX, we implemented a plan that called for modifications and additions to ICFR related to the accounting for revenue as a result of the new revenue recognition standard. The modified and new controls have been designed to address risks associated with recognizing revenue under the new standard. We have therefore augmented ICFR as follows:

Enhanced the risk assessment process to take into account risks associated with the new revenue standard.
Added controls that address risks associated with the five-step model for recording revenue, including the revision of our contract review controls.

There were no other changes in ICFR during the quarter ended December 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.

Example — Upon Adoption

We implemented the new revenue recognition standard as of January 1, 20XX. As a result, we made the following significant modifications to ICFR, including changes to accounting policies and procedures, operational processes, and documentation practices:

Updated our policies and procedures related to recognizing revenue and added documentation processes related to meeting the new criteria for recognizing revenue.
Modified our contract review controls to take into account the new criteria for recognizing revenue, specifically the identification of implied promises and the evaluation of whether performance obligations are distinct in the context of the contract.
Added controls for reviewing constrained variable consideration and reevaluating our significant contract judgments and estimates on a quarterly basis.
Added controls to address related required disclosures regarding revenue, including the disclosure of performance obligations and our significant judgments and estimates for determining the transaction price and when to recognize revenue.

Other than the items described above, there were no changes in ICFR during the quarter ended March 31, 20XX, that materially affected ICFR or are reasonably likely to materially affect it.

Appendix A — Examples of Risks and Internal Control Considerations for the Adoption of the Revenue Standard and the Five-Step Model for Recognizing Revenue

Core Considerations		Examples of Risks	Examples of Control Considerations11
Adoption period		All material revenue streams and contract types are not identified. Accounting conclusions are not accurate or complete. The recording of the adoption of the revenue standard is not accurate or complete. IT logic for reports and journal entries is not accurate.	Internal controls related to: Identifying and evaluating all material contract types. Identifying the complete population of contracts to evaluate. Evaluating whether the data used to record adjustments to the financial statements is accurate and complete. Documenting and reviewing accounting conclusions and revised accounting policies. Reviewing the application of the transition method elected. Identifying, developing, and implementing new system requirements, including logic of reports.
Five-Step Model	1. Identify the contract with the customer	Revenue is/is not recognized when a contract (as defined by the new revenue standard) does not exist/does exist. Side agreements exist that are not known to accounting personnel.	Internal controls related to: Identifying contracts that meet the criteria defined in the new standard. Reassessing arrangements that do not initially meet the criteria of a contract in accordance with the new standard given that significant changes may occur in the underlying facts and circumstances. Assessing management’s commitment and ability to perform under the contract. Ensuring payment terms are properly considered. Assessing the collectibility criterion. Evaluating whether combined contracts meet the various criteria specified in the new standard. Evaluating contract modifications.
	2. Identify the performance obligations	Performance obligations are not properly identified.	Internal controls related to: Identifying implied promises. Evaluating whether customer options are material rights. Evaluating whether a warranty is a performance obligation. Evaluating whether the good(s) or service(s) is/are capable of being distinct within the context of the contract or if two or more goods or services should be combined. Evaluating whether a series of goods or services should be treated as a single performance obligation.
	3. Determine the transaction price	Management’s estimates are inaccurate as a result of an inappropriate method or inappropriate significant assumptions.	Internal controls related to: Estimating the amount to which the entity expects to be entitled including variable consideration and constraining variable consideration. Reevaluating the accuracy of judgments and assumptions used in estimates for variable consideration. Determining the fair value of noncash consideration. Determining significant financing components. Determining noncash consideration. Determining consideration payable to a customer.
	4. Allocate the transaction price	Management’s estimates are inaccurate as a result of an inappropriate method or inappropriate significant assumptions.	Internal controls related to: Selecting an approach for determining the stand-alone selling price that maximizes the use of observable data. Estimating the stand-alone selling price. Determining the appropriate transaction price allocation including variable consideration and discounts. Reevaluating the accuracy of judgments and assumptions used in estimates for the determination of the stand-alone selling price.
	5. Recognize revenue when (or as) performance obligations are satisfied	Revenue is recognized before the performance obligation is satisfied.	Internal controls related to: Determining whether performance obligations are satisfied at a point in time or over time. Identifying when control transfers to the customer for a performance obligation satisfied at a point in time. Measuring progress toward complete satisfaction of a performance obligation that is satisfied over time (i.e., the input and output methods).
Licensing		Licensing revenue is improperly recognized.	Internal controls related to: Determining whether the license is distinct. Identifying the nature of the license (functional vs. symbolic). Determining whether obligations to provide updates to or maintenance of licensed intellectual property are distinct. Accounting for sales- or usage-based royalties.
Contract costs		Costs incurred with obtaining or fulfilling a contract are inappropriately capitalized.	Internal controls related to: Evaluating whether the cost of obtaining or fulfilling a contract may be capitalized on the basis of the criteria of the new standard. Amortizing capitalized contract costs.
Presentation and disclosure		Contract assets and liabilities are not presented appropriately. Footnote disclosures are not accurate, complete, or understandable.	Internal controls related to: Evaluating whether to present contract assets and liabilities as current or noncurrent. Determining the level of aggregation or disaggregation of the disclosures. Reviewing the accuracy and completeness of contract disclosures. Reviewing the disclosures of significant judgments and estimates.

Appendix B — Applying the COSO Principles to the Adoption of the New Revenue Standard

The 2013 COSO Framework contains 17 principles that explain the concepts associated with the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring activities). The components are related to all aspects of an organization’s objectives, which typically fall into three categories — operations, reporting, and compliance. These objectives, as well as the components, are also related to an entity’s structure. COSO depicts this relationship among objectives, components, and an entity’s structure in the form of a cube as follows:

In assessing the design of effective internal control with respect to the new revenue standard, a company may consider its objectives in terms of internal and external reporting, and on the basis of those objectives, take into account the five components of internal control and the 17 principles within the components. The chart below summarizes the 17 principles and provides examples of their application in a company’s implementation and adoption of the new standard.

	COSO Principles Summarized12	Examples of the COSO Principles’ Application in the Adoption of the New Revenue Standard
Control environment	1. Demonstrates commitment to integrity and ethical values. 2. Board of directors exercises oversight responsibilities. 3. Establishes structure, authority, and responsibility. 4. Demonstrates a commitment to competence. 5. Enforces accountability.	Principle 1 Demonstrate appropriate tone at the top regarding the importance of the adoption and implementation of the new standard (e.g., through communications, dedication of resources, oversight). Incorporate the adoption of the new standard into expectations of standards of conduct (e.g., expectations regarding responsible conduct and developing sound judgments). Principle 2 The board of directors exercises appropriate oversight of: The adoption of the new standard (including appropriate disclosures and financial reporting). The assessment of risks resulting from the new revenue standard and related development and implementation of internal controls to address the risks. Principle 3 Evaluate and update lines of reporting and responsibilities. Principle 4 Assess, identify, and monitor competencies required under the new standard. Take steps to address any identified shortcomings. Adjust training, retention, and recruiting programs as necessary. Appropriately train key personnel and control performers to ensure competence in the organization. If using an outsourced service provider, determine whether controls are in place to evaluate its competence and objectivity and that management has sufficient understanding to perform effective oversight and review of the work performed by the provider. Principle 5 Hold individuals accountable for their roles related to the adoption of the new standard. Design accountability for individuals responsible for internal control related to the new standard.
Risk assessment	6. Specifies suitable objectives. 7. Identifies and analyzes risk. 8. Assesses fraud risk. 9. Identifies and analyzes significant change.	Principle 6 Identify objectives associated with the adoption of the new standard to enable identification of risks relating to the objectives. Principle 7 Identify and document risks associated with the adoption of the new standard (including those associated with IT changes and transition method selected), and reconsider the risks throughout the adoption process. Principle 8 Consider fraud risks related to the adoption of the new standard (e.g., considering the potential for new fraud schemes, particularly given changes in accounting, controls, and IT). Principle 9 Complete the assessment of the new standard and its impact on the company, including on internal control, data and system requirements, disclosures, and reporting.
Control activities	10. Selects and develops control activities. 11. Selects and develops general controls over technology. 12. Deploys through policies and procedures.	Principle 10 See Appendix A of this Heads Up for control considerations regarding the recognition of revenue. Evaluate the internal controls affected by the adoption of the new standard and identify new internal controls to address new risks associated with the standard. Principle 11 Consider impacts on general controls over technology and modify as appropriate. Principle 12 Revise policies and procedures to address risks and internal controls related to the new standard and establish responsibility and accountability for executing the policies and procedures.
Information and communication	13. Uses relevant, quality information. 14. Communicates internally. 15. Communicates externally.	Principle 13 Identify new information requirements, modify systems, update reports, and modify controls to produce relevant, quality information to support the functioning of internal controls. Principle 14 Develop communication methods to ensure that required information (including accounting and operational changes) is communicated to all personnel so they can understand and carry out their internal-control-related responsibilities. Provide updates as necessary. Ensure that board of directors and audit committee have information they need to perform their oversight responsibilities. Principle 15 Ensure that processes are in place for communicating relevant and timely information regarding internal controls to external parties as appropriate (including through required external disclosures regarding changes in controls and quantitative and qualitative impacts of adoption).
Monitoring activities	16. Conducts ongoing or separate evaluations. 17. Evaluates and communicates deficiencies.	Principle 16 Implement plans for ongoing or separate evaluations of internal controls related to the new standard (e.g., companies may consider evaluating new controls before the new standard’s effective date or performing a test close). Principle 17 Take corrective actions, including revising the risk assessment and redesigning internal controls, when gaps or deficiencies in controls are identified during the adoption process.

Footnotes

FASB Accounting Standards Update No. 2014-09, Revenue From Contracts With Customers, as amended.

Based on data from Audit Analytics for fiscal years ending 2010 through 2017 as reported in auditor ICFR attestation reports.

Speech by Mr. Bricker at the March 21, 2017, Annual Life Sciences Accounting & Reporting Congress. Also, a keynote address by Mr. Bricker at the December 5, 2016, AICPA Conference on Current SEC and PCAOB Developments.

SEC Staff Accounting Bulletin 74, codified as SAB Topic 11.M, “Disclosure of the Impact That Recently Issued Accounting Standards Will Have on the Financial Statements of the Registrant When Adopted in a Future Period.” See Deloitte’s September 22, 2016, Financial Reporting Alert and Deloitte’s A Roadmap to Applying the New Revenue Recognition Standard for further discussion and related examples of SAB 74 disclosures.

See the appendix in Deloitte’s September 22, 2016, Financial Reporting Alert and Deloitte’s A Roadmap for Applying the New Revenue Recognition Standard for a discussion and examples of SAB 74 disclosures.

Speech by Mr. Bricker at the March 21, 2017, Annual Life Sciences Accounting & Reporting Congress.

Sarbanes-Oxley Act of 2002.

SEC Final Rule No. 33-8238, Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, states that management “must evaluate, with the participation of the issuer’s principal executive and principal financial officers, or persons performing similar functions, any change in the issuer’s internal control over financial reporting, that occurred during each of the issuer’s fiscal quarters, or fiscal year in the case of a foreign private issuer, that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.”

426 U.S. 438 (1976). See also Basic Inc. v. Levinson, 485 U.S. 224 (1988).

SEC Regulation S-K, Item 601(b)(31), “Exhibits.”

One or more controls may address one or more risks. The number of controls a company may have will vary depending on how the controls are designed to address the company’s risks.

Adapted from the 2013 COSO Framework.