Internal Control Considerations Related to the Adoption of the New Standard
Internal Controls Over the Adoption
There are often unique circumstances and considerations associated with the adoption of a new accounting standard that can pose a higher risk of material misstatement to the financial statements. Thus, companies should consider the circumstances that may only be present during the adoption period and evaluate whether there are any unique risks that require “one-time” internal controls that may operate exclusively during the adoption period. Management should also consider the internal controls, documentation, and evidence it needs to support:
• Entity-level controls such as the control environment and general “tone at the top.”
• Identification of material revenue streams and different contract types within those revenue streams.
• Accounting conclusions reached (such as by preparing accounting white papers or internal memos memorializing management’s considerations and conclusions), including the impact to other account balances such as costs of sales or services, contract assets and liabilities, and income tax accounts.
• Information used to support accounting conclusions, new estimates, adjustments to the financial statements, and disclosure requirements.
• Identification and implementation of changes to information technology systems, including the logic of reports.
• The transition approach selected.
• The accounting logic used and journal entries (including the transition adjustments) that record the adoption’s impact.
• Any practical expedients applied and related disclosures.
• Changes to the monthly, quarterly, or annual close process and related reporting requirements (e.g., internal reporting, disclosure controls and procedures).
See Appendix A of this Heads Up for considerations related to additional risks and internal controls.
Five-Step Model, Related Risks, Internal Controls, and Documentation
The new revenue standard requires companies to apply a five-step model for recognizing revenue. As a result of the five steps, it is possible that new financial reporting risks will emerge, including new or modified fraud risks, and that new processes and internal controls will be required. Companies will therefore need to consider these new risks and how to change or modify internal controls to address the new risks.
For example, in applying the five-step model, management will need to make significant judgments and estimates (e.g., the determination of variable consideration and whether to constrain variable consideration). It is critical for management to (1) evaluate the risks of material misstatement associated with these judgments and estimates, (2) design and implement controls to address those risks, and (3) maintain documentation that supports the assumptions and judgments that underpin its estimates. Mr. Bricker recently pointed out that management should consider whether controls, including those related to tone at the top of the organization, “support the formation and enforcement of sound judgments [required under the new standard] or whether changes are necessary.” Appendix A of this Heads Up outlines the five-step revenue recognition model and contains sample risks and controls for consideration.
Significant Changes in Information and Related Data-Quality Needs
Companies will need to gather and track new information to comply with the five-step model and related disclosure requirements. Management should consider whether appropriate controls are in place to support (1) the necessary information technology (IT) changes (including change management controls and, once the IT changes have been implemented, the testing of their design and operating effectiveness) and (2) the accuracy of the information used by the entity to recognize revenue and provide the required disclosures. The table below illustrates some potential challenges and examples of practices. (See table in PDF.)
Applying the COSO Principles
The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control — Integrated Framework (the “2013 COSO Framework”) provides a framework for designing and evaluating internal controls through the use of 17 principles and related guidance. As companies implement the new revenue standard, particularly those that apply the 2013 COSO Framework in management’s assessment of ICFR, they should consider the COSO principles in evaluating and designing controls (including those related to recognizing revenue and data quality, as discussed above). In addition, as new controls are designed and implemented, control owners should consider the evidence and documentation that will be available to support management’s assessment of ICFR. See Appendix B of this Heads Up for further discussion.
The central theme in Power's 1997 book on the audit society is the proliferation of audit activity within the United Kingdom (UK) and North America. The most important joint development with the audit explosion is the rise of internal control systems. Auditing has shifted from auditing outcomes to auditing systems, and internal controls have become the subject of public policy debates on the regulation of corporate governance and the regulation of auditing. Power states that there is much confusion in practice about what (effective) internal controls actually are. This paper makes a similar argument with respect to internal control research. Internal controls are studied in various areas of accounting research, covering very different concepts, and studying controls at different organizational levels. As a result, the cross-fertilization between the various types of internal control research is limited. Also, most internal control research in accounting is not conducted within the context of wider corporate governance issues. Hence, many claims about the value of internal control systems for corporate governance still need to be studied.