Category: Audit

Boardroom Implications for the New Revenue Recognition Standard

It’s all a matter of time—at least when it comes to recognizing revenue at public companies. The Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) in 2014 developed an accounting rule that is set to change how companies approach revenue recognition. The rules, available here, go into effect for public companies with fiscal years beginning after December 15, 2017, and will have major consequences for financial reporting in many industries.

To address the executive-compensation implications of the revenue recognition standard, NACD, executive compensation advisory firm Farient Advisors, and law firm Katten Muchin Rosenman cohosted a meeting of the Compensation Committee Chair Advisory Council on April 4, 2017. During that meeting and its related teleconference, Fortune 500 companies’ compensation committee chairs came together to discuss leading practices and key considerations related to the impact of the new revenue recognition standard. Jose R. Rodriguez, partner in charge and executive director of KPMG’s Audit Committee Institute, joined council delegates for the discussion. The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized below) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names is available here.

About the New Standard

A 2014 press release from FASB explained the rationale behind the new standard, noting that revenue is an important metric that investors use when trying to understand how a company has performed and its potential for future performance. Previous accounting standards from the International Financial Reporting Standards (IFRS) and U.S. Generally Accepted Accounting Principles (GAAP), however, were somewhat at odds, according to the press release. Those inconsistencies between IFRS and GAAP meant that different industries that had very similar types of transactions were accounting for revenue in sometimes very different ways. The revenue recognition standard aims to bring more consistency to accounting done for similar types of transactions.

A key part of the new standard is that revenue can only be recognized—among other requirements—once customers actually benefit from the services or goods that the company has already provided them, as noted in the Journal of Accountancy. The Journal continues that if a company provides a customer with goods or services over time, such as a yearlong service contract, the company can recognize revenue as the customer receives benefits in the contract period. For more information on the standard, see this four-page overview and in-depth guide from KPMG.

Key Questions Directors Should Ask
While the level of disruption that the revenue recognition standard will cause varies by industry and company, four questions important for all boards emerged from the Advisory Council meeting:

  1. How will the new revenue recognition standard affect our company specifically?
  2. Does the board understand the key milestones for the revenue recognition standard and how the company is progressing in light of those milestones?
  3. How will compensation plans be affected?
  4. How will our disclosures need to change?

How will the new revenue recognition standard affect our company specifically?

Impact of the new standard will vary widely for a few reasons. First, sales and service contracts can differ significantly depending on industry—consumer products, health care, manufacturing, IT, and so on. Additionally, the types of sales contracts—and, therefore, the way revenue is recognized—can differ even within a single company, depending on the types of products and services sold. The company’s suppliers and vendors are a third factor influencing change: “Even if the standard doesn’t affect our core business, we could be working with partners and vendors that are affected,” said one director. “One of my companies has hundreds of millions of dollars in service contracts,” another delegate commented. “Our whole income statement is going to change.”

“Every company’s finance department has been looking at this,” Rodriguez said. “Ask your CFO to brief the board about the major income-statement changes that will occur for the company. What will be affected across all revenue lines? How are key reporting processes changing to accommodate the new standard?”

Does the board understand the key milestones for the revenue recognition standard and how the company is progressing in light of those milestones?

Rodriguez said that a pitfall for many companies is not investing enough time upfront in ensuring compliance with the new standard. “Some companies are finding that this is a bigger lift than they thought [to adopt the standard], so they are having to scramble to coordinate.”

Rodriguez shared several steps that companies can take to prepare:

  • Forming cross-functional task forces that integrate finance, accounting, IT, legal, and HR to ensure activities are coordinated.
  • Designating a revenue group to analyze contracts in different regions and locations to ensure all jurisdictions are covered.
  • Devoting sufficient time and resources to make required changes and upgrades to IT and reporting systems, especially in companies that have multiple legacy systems in place.
  • Developing a communication plan to explain to affected employees (especially on sales teams) how the changes will impact their work. “This is actually a huge change-management process,” one council delegate said. “You have to re-train sales people about how they design contracts and agreements.”

How will compensation plans be affected?

Council delegates agreed that compensation committees need to have a clear understanding of how the new standard will affect the key metrics that drive compensation for all levels of employees, from rank-and-file to the C-suite. (For more information on incentives and risk taking, please see NACD’s brief, Incentives and Risk Taking.) Changes to the way revenue is reported could have a major impact on the numbers used in annual bonus plans, as well as on long-term incentive plans that are already in place. “With multi-year incentive plans that are in mid-cycle, the effects could be quite complex,” said Dayna L. Harris, partner at Farient Advisors. “For compensation committees, it will be important to ensure incentives are paid out in a way that’s appropriate to what was originally intended to keep consistent with the compensation philosophy the board has devised.”

Compensation committees can ask the following questions:

  • Is the company adopting the new standard prospectively or retrospectively, and how will that change our revenue numbers?
  • Which compensation plans will be affected beyond the CEO and named executive officers (e.g., sales staff at multiple levels)?
  • What do we anticipate will be the impact on the peer groups we use to benchmark executive compensation?

Rodriguez suggested that compensation committees schedule a briefing session with the external auditor, audit committee chair, CFO, and compensation consultant to discuss these and other questions. Members of the audit committee can also be invited to the briefing.

How will our disclosures need to change?

As noted in the Report of the NACD Blue Ribbon Commission on Board-Shareholder Communications (p. 17), “Directors have a general responsibility to oversee the company’s disclosure programs. They also need to take special care in reviewing certain specific disclosures—notably the company’s regular financial disclosures, such as the proxy statement, 10-Ks, 10-Qs, and 8-Ks, as well as any securities registration statements filed with the [U.S. Securities and Exchange Commission (SEC)].” A director observed, “In addition to the changes to reports, we need a strategy to communicate with our major investors. They will be asking questions about why compensation payouts appear to have ‘changed.’”

The SEC will task review teams with scrutinizing public companies’ financial disclosures, 10-Ks especially, to determine if the statements include information on the revenue recognition standard, Bloomberg BNA reports. Mark Kronforst, chief accountant of the SEC’s Division of Corporation Finance, told Bloomberg BNA, “I don’t think that we will be shy about issuing comments if we don’t see the disclosures.”

“Accounting changes should not interfere with a good business decision, performance outcomes on incentives, and appropriate incentive payouts,” said Harris. “With an accounting change in the middle of a performance period, compensation committees will need to provide full transparency into incentive payout decisions, especially if they appear larger than expected under the new accounting. There’s a whole list of ramifications if that transparency is lacking, from proxy advisors’ criticisms to activist investors’ reproach.”

And there’s no time like the present to understand those ramifications and ensure that management stays on top of key milestones.

Seven Ways to Stronger Oversight of Supply Chain Risk

Published by
Jim DeLoach

One important source of operational risk relates to the organizations, people, processes, and resources comprising a company’s supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) in an effort to cut costs while increasing capabilities and global reach. Because every business depends on a well-functioning, cost-effective supply chain, every board should consider its oversight of supply chain risks. The following are seven suggestions for better board-level oversight of supply chain issues.

1. Strike the right balance when selecting a supplier. Time, cost, quality, and risk are four factors a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements.

2. Make procurement decisions with an enterprisewide perspective. Striving for functional excellence is a laudable goal, but it has its limits. Companies can incur huge losses making procurement decisions in isolation, ignoring initiatives undertaken by the research and development, engineering and finance functions.

3. Ensure the supplier agreement spells everything out. When a contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property and critical assets (e.g., proprietary molds and tools the company gives to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable of the applicable court jurisdictions, particularly in countries where laws, customs, and business ethics may vary.

4. Hold suppliers to the same level of accountability. The rigor of company processes for identifying, sourcing, measuring, monitoring, and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships. With respect to legislative and regulatory developments regarding disclosure of the actions a company has voluntarily undertaken to remove labor abuses from its supply chains, companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain code of conduct—especially for vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics that details the principles and values by which the company operates, a code of conduct might address topics such as human rights, health and safety standards, environmental sustainability standards, ethical and responsible business behavior, and cybersecurity standards.

5. Conduct periodic third-party audits. A supply chain code of conduct is only as good as the vendors who sign it. That’s why a cost-effective third-party audit process is Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on: selected internal controls, such as cybersecurity; vendor performance against contract specifications; and compliance with laws and regulations. The audits may also be conducted before contract renewals.

6. Monitor supplier risk and performance over the life of the contract. The risk environment is not static over the life of the contract. All suppliers should be segmented based on factors such as risk, the level of spend, criticality, and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through contract duration. Ideally all facets of contract and supplier risk are addressed through performance reporting, including early warning alerts before it’s too late to act on a timely basis.

7. Pay attention to business continuity risk. There are many instances where a single-source supply strategy is the right business decision. In these cases, however, quality, time, and cost considerations often win out over business continuity risk considerations despite the risk of supply chain disruptions. Thus, risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though a cause may be somewhat elusive at the time of the assessment.

An assessment should also consider the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supplies for an extended period, including exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. To illustrate, directors should inquire whether management has considered the following questions:

  • What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components?
  • How long would we be able to operate?
  • What if there were significant disruptions in transportation?
  • What contingency plans do we have?
  • Have our key suppliers performed their own risk assessments with respect to key “Tier Two” or “Tier Three” suppliers? How do we know?

The board should be informed of the results of these assessments.

Focus on These Four Internal Audit Areas

Published by
Jim DeLoach

As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.

Here’s a closer look.

Culture

A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.

Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:

  • understand the overall working environment;
  • identify the unwritten norms and rules governing employee interactions and workplace practices;
  • highlight possible barriers to an effective internal environment and communication flow;
  • report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
  • make recommendations to address identified problems.

Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.

Competitiveness

Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization to continuously improve its operations.

Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.

Compliance

Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:

  1. Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
  2. The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.

Internal audit should determine whether a cost-effective monitoring process is in place that addresses the top compliance risks and can assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.

Cybersecurity

In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?

  • Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than costly, system-wide protection measures resulting in lack of attention to the most important assets, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
  • Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
  • Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.

By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.


Jim DeLoach is managing director of Protiviti.