Over several blog posts, I have explored in detail the new Financial Accounting Standards Board (FASB) Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606), which set forth a new Revenue Recognition (“new rev rec”) standard. I was guided in this exploration from an internal controls perspective by Joe Howell, Executive Vice President (EVP) at Workiva Inc. Today I want to consider what it means for the for the compliance profession, compliance programs and compliance practitioners going forward.
There are five factors that you must consider to make a determination of whether revenue can be recognized. I set out these factors again to more easily tie them into the requirements around the compliance function and compliance internal controls.
A key reason this is important in the compliance area is because the internal controls over financial reporting involved in implementing this new standard are critical to effective implementation. The Securities and Exchange Commission (SEC) has said explicitly in several public statements, and through their early comment letters on disclosures made in advance of implementation, that companies must inform the SEC about the accounting policies that they are changing, and how this new standard will affect a company’s accounting processes, and finally how those effects are going to be managed. Howell believes “The SEC is making it perfectly clear that this is a real compliance issue.”
Moreover, the SEC has indicated that these disclosures are central to the new rev rec standard. Howell said, “typically, if a company has some sort of failure in their disclosures for an accounting standard, they’re treated under section Sarbanes-Oxley (SOX) Section 302 of the SEC rules, and that has a level of significance or liability, which is much lower than the liability that a company might face under SOX Section 404, which has to do with the actual internal controls over financial reporting.” While disclosure of internal controls might not typically bring Section 404 scrutiny, under the new rev rec standard, they may now do so.
Under step 1 above, you must identify the written contract and who your counter-party is. While the answer to the inquiry of Who is the customer? may seem straight-forward in the compliance arena, it may not be so clear. A third-party sales agent contract or even a distributor agreement may have elements which might fall under the new rev rec standard and hence require a different analysis and internal controls standard. Further, as written contracts are specified in the Ten Hallmarks of an Effective Compliance Program as a key internal control, you can easily see how the lack of such a written agreement can fall into the realm of compliance. Even Foreign Corrupt Practices Act (FCPA) enforcement actions are relevant here as one of the well-known bribe-funding tactics is to provide a discount to a customer but not credit the company’s books but instead take the actual discounted amount and give to a corrupt official as a bribe. With this first step of the new rev rec standard apparently recognizing that the lack of a contract is not an impediment to eventually recognizing revenue, compliance practitioners may well need to more thoroughly review contracts with governmental entities or state-owned enterprises.
The 2nd element may well cause the compliance professional consternation. Usually, when a party performs, payment is due. However, under this element there can be partial performance, a rolling performance or something altogether different. Some third-party representatives may have contracts that read more like customer agreements contemplated under Topic 606, for example commissioned sales agents and distributors are two which come to mind. If there is now more flexibility on payment, will it allow nefarious actors to manipulate both data and financials to hide the creation of pots of money to pay bribes? Chief Compliance Officers (CCOs) and compliance practitioners need to consider these issues in the context of compliance internal controls going forward.
Step 3 speaks directly to a wide variety of corruption risk. Typically, only attorneys are concerned with such arcane topics as ‘consideration’. However now a judgment call must be made regarding the consideration that can be expected to be achieved. This would seem to provide a clear area for possible manipulation unless there are sufficient internal controls in place. While this might not seem like a compliance internal control, such detect and prevent controls could alert relevant employees, both in finance and compliance, if excessive evaluation or variance was assigned to a large contract with a state-owned enterprise or foreign government.
This is where the documentation required under a best practices compliance program is so critical. Not only is it evidence to present to a regulator of compliance but it also will form an internal database that a company (or its auditors) can measure against for reasonableness of such variations going forward. CCOs and compliance practitioners need to consider these issues in the context of compliance internal controls going forward.
Step 4 presaged the theme of the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation) of operationalization I and firmly demonstrates the convergence between the new rev rec standard and compliance overlap going forward. Compliance internal controls are in place to both detect and prevent. Now they can also be used to gather the information which will be presented to auditors under the new rev rec standard. Many professionals are focused on the new rev rec from the auditing and implementation perspective.
Step 5th is to recognize the revenue as appropriate. Yet this seems to me to emphasize the over-arching requirement of this new rev rec standard: Document, Document, and Document. The key is to document evidence of the performance obligations to support your conclusions. Yet, as Joe Howell made clear throughout this series, this requirement does not fall solely on the shoulders of accounting. He stated that a company must “build processes with their sales organization, their sales op organization, their marketing organization, their legal department to figure out what is the evidence. This requires that the accountants have conversations with your sales team early on to figure this out but also as we talked about the capturing the judgments related to the cost to acquire the contracts, that they work closely with the sales organization on these commissions.” This is another way of saying “operationalize the process.”
This new rev rec standards intertwines two concepts which I have been thinking a fair bit about recently. This first is the convergence and overlap between the compliance profession, compliance programs and compliance practitioners and internal controls. While largely seen as financial in nature, compliance internal controls are in place to both detect and prevent. Now compliance internal controls can also be used to gather the information which will be presented to auditors under the new rev rec standard. Many professional are focused on the new rev rec from the auditing and implementation perspective. However, if you are a Chief Compliance Officer (CCO), you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization.
The second concept is the continued operationalization of compliance. During my tenure in compliance, you rarely heard a CCO consider revenue recognition as a compliance related issue. By going into detail with each step, I have shown how this new rev rec standard can change the manner in which a company might recognize revenue, leading to a greater risk of the obfuscation of payments for bribery by corrupt employees. This means as a CCO you must not only be aware of the risk to manage it but you also must take active steps to mitigate against it.
The new rev rec standard raises risks which intersect with the compliance function. Are you prepared?Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017