New Revenue Recognition Standard: What Does It Mean For Compliance?

by Thomas Fox

Thomas Fox - Compliance Evangelist

I. Introduction

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. The amendments become effective for public entities for annual reporting periods beginning after December 15, 2017. In other words, the new Revenue Recognition (“new revenue recognition”) standard, which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward, is here and in full force. Matt Kelly and I created a podcast series and audio white paper around this new revenue recognition standard, which forms a basis for this article.

FASB recognized that its revenue recognition requirements around U.S. generally accepted accounting principles (GAAP) differed from those in the International Financial Reporting Standards (IFRS) and that both sets of requirements needed improvement. This led to a project by FASB and the International Accounting Standards Board (IASB) to jointly clarify the principles for recognizing revenue and to develop a common converged revenue standard for GAAP and IFRS. Hence the new revenue recognition standard. 

One of the key differences in this new revenue recognition standard is that it requires companies to disclose new information beyond data a company might have been required to release in the past. This will put pressure on auditors to get comfortable with what the company provided to them. This will create risks for auditors adjusting to the new revenue recognition standard because as they learn more about the new standard and apply it going forward into 2018, they may have to revisit prior reporting and revise some of it. 

This matters to the compliance profession and the compliance practitioner because the internal controls over financial reporting involved in implementing this new standard are critical to an effective implementation. The Securities and Exchange Commission (SEC) has said explicitly, in several public statements and through its early comment letters on disclosures made in advance of implementation, that companies must inform the SEC about the accounting policies that they are changing, how this new standard will affect a company’s accounting processes, and finally how those effects are going to be managed.

Moreover, the SEC has indicated that these disclosures are central to the new revenue recognition standard. If a company previously had a failure in its disclosures for an accounting standard, it was considered under Sarbanes-Oxley (SOX) Section 302 of the SEC rules, which carries a lower liability than a company might face under SOX Section 404, which has to do with the actual internal controls over financial reporting. In the past, the disclosure of internal controls might not typically bring Section 404 scrutiny; however, under the new revenue recognition standard, it may now do so.

Of course, this is overlaid on the requirements of effective internal controls under the Foreign Corrupt Practices Act (FCPA) and the lack of any materiality standard. One need only consider the Wells Fargo fraudulent accounts scandal to see how a lack of materiality does not prevent these types of risk from moving forward to become huge public relations disasters, with hundreds of millions of dollars in fines and costs estimated at over $1bn for failures of internal controls.

Yet there are other tie-ins into compliance which the compliance practitioner needs to understand and prepare for going forward. The prior revenue recognition standard was rules based. As a lawyer, that was an approach I was quite comfortable with, both from a learning standpoint and in communicating to business folks. But now the standard is much more judgment based, and when a standard is more judgment based, there can be more room for manipulation. For a Chief Compliance Officer (CCO), a key task will be to make sure that you have the changes in business processes necessary to gather information that has not previously been required; to continue to monitor how that information is factoring into the judgments that managers must make as they report their revenue under the new standard; and to confirm that those judgments themselves are properly documented.

This final point demonstrates the convergence and overlap between the compliance profession, compliance programs and compliance practitioners going forward. Compliance internal controls are in place to both detect and prevent. Now they can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective. However, if you are a Chief Compliance Officer (CCO), you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization. 

The prior revenue recognition standard was rules-based, while this new revenue recognition standard is principles-based. This was done deliberately, as FASB is coordinating this rollout with how revenue is recognized in other parts of the world, specifically under IFRS, which are put forth by the International Accounting Standards Board. This was a joint effort to have one global approach to how companies recognize revenue, and the process involves a lot more judgment. Kelly noted, “The good news is that you can exercise a lot more judgment and if you have good judgment you can finesse things to be much more reflective of what's the economics of the deal.”

The new revenue recognition standard is really about a series of performance obligations: what a company is committing to do in delivering a good, delivering a service, or both. Next, has a company fulfilled those performance obligations? Finally, do these actions give that obligation to a company beyond the contract language? Kelly said, “It's a sweeping standard. The philosophy of when you have a transaction and when you do not, has changed. Different types of industries will be hit quite a bit by this new revenue recognition standard, but others will not.”

Kelly said this use of more judgment than rules cuts both ways. “If your judgment is not sound or if your judgment could be called into question because you have not properly documented your logic and your chain of thought, your organization has opened itself to questioning your judgment much more than might have happened under the old standard. This means a key will be the logic in determining the transaction price.” In addition to the process aspect, there is the document, document, document process which should warm the heart of every compliance practitioner. As the prior revenue recognition standard was rules based, “you went through all the contortions you come to a number that's the number.” Now, as Kelly noted, “it's down to this is our judgment and if our judgment is good and we can document it here we are.”

Kelly also noted the SEC has gone to great lengths over the past two years at least about this new revenue recognition standard, giving what he termed “gentle nudges and sometimes not gentle nudges to companies that you've got to get on board with this new revenue recognition standard.” The good thing is that while the SEC may well provide a few comment letters, as companies are reporting under the new revenue recognition standards, they will probably not sanction companies for reporting errors for some period of time. Kelly believes, “as long as you are actually trying to embrace the spirit of the new revenue recognition standard” the SEC will not sanction your organization. However, if an organization is “committing accounting fraud you are still going to get nailed.” 

Kelly concluded by raising the very interesting question of whether the investor community is ready for this new revenue recognition standard. This may be truer for private equity companies investing in the tech space, as the rules around revenue recognition for software companies could be more greatly impacted than those for other organizations. (We will take up the new revenue recognition standards for software companies in Part 3.) The bottom line is that a wide variety of interests, in a multitude of organizations, will be impacted by this new revenue recognition standard, including the compliance profession.

Part II. What Is the Logic of the Transaction Price?

FASB states that Step 3, determine the transaction price, is the amount of consideration to which an entity expects to be entitled in exchange for transferring promised goods or services to a customer, excluding amounts collected on behalf of third parties. To determine the transaction price, an entity should consider the effects of:

1. Variable consideration - If the amount of consideration in a contract is variable, you must determine the amount to include in the transaction price by estimating either the expected value or the most likely amount.

2. Constraining estimates of variable consideration - An entity should include in the transaction price some, or all, of an estimate of variable consideration only to the extent it is probable that a significant reversal in the amount of cumulative revenue recognized will not occur.

3. The existence of a significant financing component - An entity should adjust the promised amount of consideration for the effects of the time value of money if the timing of the payments agreed upon by the parties to the contract provides the customer or the entity with a significant benefit of financing for the transfer of goods or services to the customer.

4. Noncash consideration - If a customer promises consideration in a form other than cash, an entity should measure the noncash consideration at fair market value.

5. Consideration payable to the customer - If an entity pays, or expects to pay, consideration to a customer in the form of cash or items, such as a credit, a coupon, or a voucher, that the customer can apply against amounts owed to the entity, the entity should account for the payment as a reduction of the transaction price or as a payment for a distinct good or service, or both.

Kelly noted all of this means judgments will become more important under the new revenue recognition standard. He said, “People should be thinking about what that judgment means, who will be able to defend precisely how your organization is defining the transaction price. That is something that your audit firm will want to look at and you should understand that the audit firms have more pressure to be more skeptical about judgments their clients make.”

One particular problem could be non-cash transactions or even consideration. He advised to think “about the difference between cash and non-cash compensation for a deal. What if some of your payment for a transaction was in Bitcoin; the value of which is literally changing by the day right now. You could have a transaction that you agree to payment on the first of the month and some part of it might be conveyed in Bitcoin at the end of the month. However, the value of Bitcoin could change dramatically before the end of the month or the quarter. Further, compensation can come in many forms, such as receipt of a patent from a joint venture partner, a travel voucher or really anything of value. It will create a requirement to accurately value them and implement that valuation.

An ancillary result will be that many non-accountants are going to find that they get pulled into conversations over revenue recognition that they probably have not had much experience with before. Lawyers and compliance practitioners, for instance, may well be a part of these conversations going forward. They typically have not been a part of the discussion to determine the transaction price in the past. That is really going to be the tricky part of defining what a transaction is under this new revenue recognition standard.

For the compliance practitioner, it is not simply being able to read a spreadsheet anymore. It is understanding the underlying basis of that spreadsheet and whether those underlying bases are defensible. Consider that in the FCPA and greater compliance realm, you may be required to justify the values assigned to either discounts, rebates or some other form of payment variance. In the overall context of an FCPA investigation, under the books and records provisions, a compliance professional may well have to take a much more detailed view of this to determine the transaction price when sitting down across the table from somebody at the DOJ.

Kelly concluded, “in the grand scheme what FASB wanted to achieve with this new revenue recognition standard was to bring more transparency to the logic of the economic action.” You will need to be able to justify where these numbers came from in relation to the business transactions companies are engaged in going forward. It is certainly going to be a very different world for some people.

Part III. Contracts

The key to understanding the new revenue recognition standard is that it is judgment based, not rules based. This allows more room for interpretation but also more room for manipulation. This is where the new revenue recognition standard intersects with compliance and where the compliance practitioner needs not only to understand the new revenue recognition standard but also to understand the role that internal controls will play in complying with this new standard going forward.

There are five elements that you must consider to make a determination of whether revenue can be recognized. FASB identifies these five elements as the following:

FASB states Step 1: Identify the Contract with a Customer, as follows:

A contract is an agreement between two or more parties that creates enforceable rights and obligations. An entity should apply the requirements to each contract that meets the following criteria: 

  1. Approval and commitment of the parties
  2. Identification of the rights of the parties
  3. Identification of the payment terms
  4. The contract has commercial substance
  5. It is probable that the entity will collect the consideration to which it will be entitled in exchange for the goods or services that will be transferred to the customer

Joe Howell, EVP at Workiva, said, “The first step is to figure out what the contract is, and the most important point there is that contracts do not need to be written. The key about what is the contract means that if your business practices differ from what’s written in the contract, you have to make a judgment about which survives. For example, if you have a contract that says you have 90-day return privileges but you as a business practice always give 360 or 365 days’ return, what’s the contract? Is the contract the 90 days that’s written or is the contract the 365 days that you’re actually giving?” Obviously in the compliance world, the failure to follow the contract terms and conditions can raise one very large red flag, as it might signify conduct the compliance function has not evaluated or approved.

But Howell points out how the failure to follow one of the most basic compliance requirements, i.e. following the terms of a contract, can negatively impact a company’s ability to recognize revenue under this new standard. “If you don’t have a contract, if you legitimately don’t have a contract, then you can’t recognize revenue until you actually get the cash. This can most often occur when a company follows a business practice that is not recorded or written. One would determine that the company has a business practice that was simply not written down. Of course, there are companies which ship based upon POs alone but in that case, you must discuss any pricing concessions that might be given in the PO and from that point try and determine what that actual contract might be going forward. This means your company may have a contract of some kind, but it may be enforceable only as a business practice not as a written contract.” 

Howell also noted another important consideration is that a written contract represents the performance obligations of both parties. Moreover, there may “be some sort of credit factor that is considered in the contract and that’s something that’s quite new that changes the way the judgments need to be formed. In the past, you would have reserves for bad debt now you need to factor in to the actual revenue the amount of the revenue that could be affected by lack of ability to perform through any revenue that could be recognized until you actually collect it.”

Given that a written contract is specified in the Ten Hallmarks of an Effective Compliance Program as a key internal control, you can easily see how the lack of such a written agreement can fall into the realm of compliance. Even FCPA enforcement actions are relevant here, as one of the well-known bribe-funding tactics is to provide a discount to a customer but not credit the company’s books, and instead take the actual discounted amount and give it to a corrupt official as a bribe. With this first element of the new revenue recognition standard apparently recognizing that the lack of a contract is not an impediment to eventually recognizing revenue, compliance practitioners may well need to more thoroughly review contracts with governmental entities or state-owned enterprises.

IV. Performance Obligations

FASB states that Step 2: Identify the Performance Obligations in the Contract, requires the following: 

A performance obligation is a promise in a contract with a customer to transfer a good or service to the customer. If an entity promises in a contract to transfer more than one good or service to the customer, the entity should account for each promised good or service as a performance obligation only if it is (1) distinct or (2) a series of distinct goods or services that are substantially the same and have the same pattern of transfer.

A good or service is distinct if both of the following criteria are met:

  1. Capable of being distinct—The customer can benefit from the good or service either on its own or together with other resources that are readily available to the customer. 
  2. Distinct within the context of the contract—The promise to transfer the good or service is separately identifiable from other promises in the contract. 

A good or service that is not distinct should be combined with other promised goods or services until the entity identifies a bundle of goods or services that is distinct. 

Howell said, “The second step is to determine what are the performance obligations. Again, those performance obligations may not be immediately obvious to the casual observer and the contract needs to be picked apart to determine if those performance obligations are such that you would recognize that or complete that at a point in time, or if you’re going to be performing those over a period of time. If it’s for a period of time, what period of time?” 

Obviously with any type of revenue recognition standard, “there are judgments made about the performance obligations themselves, if they’re performed at a point, if there’s some period of time, what is that period of time? Those all need to be documented and you need to have a process to monitor the future contracts that are going to be entered into by the company or any modifications to the contract or to the performance obligations.”

These time points are critical, as performance obligations can be satisfied, and revenue recognized, over time or at a point in time. One commentator has stated, “Performance obligations are satisfied over time if one of the following criteria is met: (1) The customer simultaneously receives and consumes the benefit as the entity performs; (2) The performance creates or enhances an asset that the customer controls; (3) The asset created has no alternative use to the entity and the entity has an enforceable right to payment for performance completed to date.” Somewhat surprisingly and not consistent with prior revenue recognition rules, the possibility of the contract with the customer being terminated should not be considered relevant.

For a contract that has FCPA implications and scrutiny, this new element may well cause consternation. Typically, when a party performs, payment is due. However, under this element there can be partial performance, a rolling performance or something altogether different. Some third-party representatives may have contracts that read more like customer agreements contemplated under Topic 606; commissioned sales agents and distributors are two which come to mind. If there is now more flexibility on payment, will it allow nefarious actors to manipulate both data and financials to hide the creation of pots of money to pay bribes? Chief Compliance Officers and compliance practitioners need to consider these issues in the context of compliance internal controls going forward.

V. Determining the Transaction Price

FASB states that Step 3, determine the transaction price, is the amount of consideration to which an entity expects to be entitled in exchange for transferring promised goods or services to a customer, excluding amounts collected on behalf of third parties. To determine the transaction price, an entity should consider the effects of:

  1. Variable consideration - If the amount of consideration in a contract is variable, you must determine the amount to include in the transaction price by estimating either the expected value or the most likely amount, depending on which method the entity expects to better predict the amount of consideration to which the entity will be entitled.
  2. Constraining estimates of variable consideration - An entity should include in the transaction price some, or all, of an estimate of variable consideration only to the extent it is probable that a significant reversal in the amount of cumulative revenue recognized will not occur when the uncertainty associated is subsequently resolved.
  3. The existence of a significant financing component - An entity should adjust the promised amount of consideration for the effects of the time value of money if the timing of the payments agreed upon by the parties to the contract provides the customer or the entity with a significant benefit of financing for the transfer of goods or services to the customer. In assessing whether a financing component exists and is significant to a contract, an entity should consider various factors. However, an entity need not assess whether a contract has a significant financing component if the entity expects at contract inception that the period between payment by the customer and the transfer of the promised goods or services to the customer will be one year or less.
  4. Noncash consideration - If a customer promises consideration in a form other than cash, an entity should measure the noncash consideration at fair market value. If an entity cannot reasonably estimate the fair market value of the noncash consideration, it should measure the consideration indirectly by reference to the standalone selling price of the goods or services promised in exchange for the consideration. If the noncash consideration is variable, an entity should consider the guidance on constraining estimates of variable consideration.
  5. Consideration payable to the customer - If an entity pays, or expects to pay, consideration to a customer in the form of cash or items, such as a credit, a coupon, or a voucher, that the customer can apply against amounts owed to the entity, the entity should account for the payment as a reduction of the transaction price or as a payment for a distinct good or service, or both. If the consideration payable to a customer is a variable amount and accounted for as a reduction in the transaction price, an entity should consider the guidance on constraining estimates of variable consideration.

Howell said one of the keys is to determine if there is some period “where you create some sort of discount in the future to determine the transaction price?” From there you move to the next question, “Is the transaction price fixed and determinable or is there some variable component?” He went on to explain that if there are volume purchase discounts that you will provide in the future “and they’re related to the activity you’re undertaking today, what is the potential impact on the revenue over that period of time?”

For a contract that has Foreign Corrupt Practices Act implications and scrutiny, this new element speaks directly to a wide variety of corruption risk. Typically, only attorneys are concerned with such arcane topics as ‘consideration’. However, now a judgment call must be made regarding the consideration that can be expected to be achieved. This would seem to provide a clear area for possible manipulation unless there are sufficient controls in place. While this might not seem like a compliance control, such detect and prevent controls could alert relevant employees, both in finance and compliance, if excessive evaluation or variance was assigned to a large contract with a state-owned enterprise or foreign government.

Finally, this is where the documentation required under a best practices compliance program is so critical. Not only is it evidence of compliance to present to a regulator, but it also will form an internal database against which a company (or its auditors) can measure the reasonableness of such variations going forward. Chief Compliance Officers and compliance practitioners need to consider these issues in the context of compliance internal controls going forward.

VI. Allocation and Revenue Recognition

FASB states Step 4: Allocate the Transaction Price to the Performance Obligations in the Contract with the following:

If a contract has more than one performance obligation, an entity should allocate the transaction price to each performance obligation in an amount that depicts the amount of consideration to which the entity expects to be entitled in exchange for satisfying each performance obligation.

To allocate an appropriate amount of consideration to each performance obligation, an entity must determine the standalone selling price at contract inception of the distinct goods or services underlying each performance obligation and would typically allocate the transaction price on a relative standalone selling price basis. If a standalone selling price is not observable, an entity must estimate it. Sometimes, the transaction price includes a discount or variable consideration that relates entirely to one of the performance obligations in a contract. The requirements specify when an entity should allocate the discount or variable consideration to one (or some) performance obligation(s) rather than to all performance obligations in the contract.

An entity should allocate to the performance obligations in the contract any subsequent changes in the transaction price on the same basis as at contract inception. Amounts allocated to a satisfied performance obligation should be recognized as revenue, or as a reduction of revenue, in the period in which the transaction price changes.

FASB states Step 5: Recognize Revenue When (or as) the Entity Satisfies a Performance Obligation with the following:

An entity should recognize revenue when (or as) it satisfies a performance obligation by transferring a promised good or service to a customer. A good or service is transferred when (or as) the customer obtains control of that good or service.

For each performance obligation, an entity should determine whether the entity satisfies the performance obligation over time by transferring control of a good or service over time. If an entity does not satisfy a performance obligation over time, the performance obligation is satisfied at a point in time.

Step four requires a company to allocate the transaction price to the performance obligations, and step five then follows: recognize the revenue after a business has satisfied the performance obligation. According to Howell, this “means you have to figure out what is the ability to judge if what’s going to be returned. If you’re just starting out and they have a right to return, and then you have no transaction history, then it’s really hard to build the case that it’s not impossible but it’s harder to build a case that you can recognize some part of that revenue.”

As you might guess at this point the key is to document evidence of the performance obligations to support your conclusions. This means Document, Document, and Document are still the three most important things. But here Howell noted that this requirement does not fall solely on the shoulders of the accounting function of an organization. He stated that a company must “build processes with their sales organization, their sales op organization, their marketing organization, their legal department to figure out what is the evidence. Now, this requires that the accountants have conversations with your sales team early on to figure this out but also as we talked about the capturing the judgments related to the cost to acquire the contracts, that they work closely with the sales organization on these commissions.” This is another way of saying “operationalize the process.”

These final two elements demonstrate the convergence between the new revenue recognition standard and overlap of the compliance profession, compliance programs and compliance practitioners going forward. Compliance internal controls are in place to both detect and prevent. Now they can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective.

Part VII. Shaking Up the Software Industry?

One of the industries which may greatly feel the impact of the new revenue recognition standards is the software industry. Kelly noted that the new revenue recognition rule will ultimately allow some portion of the software sector to recognize more of their long-term contract revenue immediately. He believes they initially may think something along the lines of “Hey that sounds good right. We can hit our quarterly numbers. However, that then brings about bigger strategic questions.” So, the reality may be somewhat different, as a software company might need to think about how this might well drive much more volatile revenue patterns over a multi-year period.

Kelly provided an example of the volatility from one of the companies he has studied, Microsoft. He stated that “when Microsoft adopted the revenue recognition standard earlier this summer, it actually pushed its revenues up because all those liabilities that would have been deferred revenue on the balance sheet recognized them all at once. Microsoft's total revenue for 2017 went from $8.9bn to $26.5bn.” All that just because of a change in revenue recognition. 

He then gave a more tangible example of a specific contract, where a company entered into a contract for five years, paying $500,000 and receiving 1000 seat licenses and four years of updates. Under the prior revenue recognition standards, the software company recognized $100,000 in that first year when they signed the deal and then they had $400,000 of deferred revenue, which they recognized in chunks of $100,000 per year. Now a software company under the same scenario could recognize the entire $500,000 in the first year. While this may look great, it has serious implications. First and foremost, it will impact the software company’s balance sheet for the final four years of the five-year contract. It will seem most bare, with no deferred revenue. Kelly concluded “that's the sort of thing that the software companies sector is going to go through a bit of a blender in early 2018 as people start to realize what all this means.”

Another obvious area of change will be in commission payments for sales persons and third parties. Previously they may have been paid when the revenue was recognized over the life of a contract. Now it may be all up front in the first year. This could cause a commission payment to be made in Year 1 of a 5-year contract. This would present the same cash flow issue for a sales person. Now consider this in an FCPA context. The five-year split of a commission payment has acted as an internal compliance control to keep such payments low enough so as not to create a fund for bribery. Now that type of internal control may not be available to the Chief Compliance Officer.

In a white paper for CalcBench, Kelly and Pranav Ghai found several themes emerging for software companies under the new revenue recognition standard. 

First, software companies expect the new standard to accelerate revenue recognition for some long-term software contracts, where previously the revenue would have been recognized in increments across the life of the contract. This is because the new standard eliminates the need for “vendor-specific objective evidence” (VSOE). With the VSOE requirement gone, the new standard will allow firms to recognize more of the revenue from a long-term contract immediately.

Second, numerous firms said the new standard will change how they account for sales commissions, which qualify as costs of obtaining contracts. Under the new standard, sales commissions can be capitalized over the term of a contract, rather than expensed immediately.

That means deferred commissions will increase as an asset on the balance sheet, and the amortization costs will be expensed over the term of the contract.

Finally, the data does raise questions about how well-prepared some software firms are for the new standard. Numerous firms say they plan to implement the standard by Jan. 1, 2018, but still report that they are uncertain about its possible effect, or even what adoption method they will use.

Perhaps one of the most unintended consequences will be for software companies looking for some sort of a merger, exit or those looking for an investment round from private equity or venture capital. The difficulty for PE or VC will be to determine what a software company’s value might be over a period of time. This may end up being one of the most critical questions facing software companies and those who invest in them.

Part VIII. Auditors, the PCAOB and Disclosures?

Kelly identified three areas where he sees immediate auditor impact. The first is that the audit firms’ regulator, the PCAOB, has clearly communicated to auditors they must pay attention to this new revenue recognition standard. One of the clear themes throughout this podcast series has been the increased amount of judgment which will come into these calculations going forward. This means companies will need to have more complete documentation which can then be reviewed and tested by their auditors. Add to this PCAOB auditing standards and there may well be a time for some sorting out of what will be required going forward.

Secondly, with this new emphasis on judgment, auditors will have a renewed emphasis on fraud detection. There may be some incentives for sales executives to manipulate the numbers a bit or to close the deal more quickly to hit a bonus. Such pressure could transgress into fraud and as Kelly noted “auditors will be looking more closely at fraud risk because there could well be circumstances where sales commissions could be higher because of the new revenue standard; that would let some firms recognize more of a transaction more quickly.” Finally, Kelly also noted that internal controls over financial reporting will have renewed focus from auditing firms.

Kelly pointed to the straightforward issue of whether a contract exists and then posed some of the questions auditors may be asking going forward: How do we know the organization’s contracts are complete and accurate? How does a company demonstrate its contract management system has not been tampered with after execution? What are the controls around the programs you might use to manage your financial transactions? Are we capturing all of the contracts that our employees are generating, or are employees generating some contracts that management has not been informed of or that the company’s contract management system has not captured? Finally, is there contract system security to ensure there is no manipulation after the contract is signed?

Another key area for auditing will be whether the pattern and practice of doing business is the same as the contract performance terms and conditions. One immediate area is payment terms. Most contracts specify 30 days net payment terms. However, this date may often slip 30, 60 days or even longer. Now take this same concept into the FCPA realm around vague deliverables in a third-party agent’s agreement and you begin to see some additional issues. If the performance deliverable terms are so vague as to render them meaningless, how will that be handled under this new revenue recognition standard?

My observation is there is a continuum, working backward from the PCAOB, to auditors and audits to the disclosures companies may have to make. Under GAAP, a disclosure may only need to be made if it is material. Yet in the FCPA world there is no materiality standard. At what point does the lack of materiality of a contract outside the United States make your books and records not correct, leading to a potential exposure under a law unrelated to traditional revenue recognition, i.e., the FCPA? Kelly concluded by noting that companies need to be (or have been) in discussions with their audit firm to plan these things out as “these sorts of complexities are not to be dismissed because we don't know when they might boil up and suddenly grab you in the rear end. And when that happens it will happen at the least convenient time and cause the most pain.” (ouch!)

Part IX. What does it all mean?

As you might expect from the Compliance Evangelist, I see most issues through the lens of the compliance practitioner. A key reason this is so important in the compliance area is because the internal controls over financial reporting involved in implementing this new standard are critical to effective implementation. The SEC has said explicitly in several public statements, and through their early comment letters on disclosures made in advance of implementation, that companies must inform the SEC about the accounting policies that they are changing, and how this new standard will affect a company’s accounting processes, and finally how those effects are going to be managed. This makes it clear to me that this is really a compliance issue.

Moreover, the SEC has indicated that these disclosures are central to the new revenue recognition standard. This is because if a company has some sort of failure in their disclosures for an accounting standard, they are treated under Sarbanes-Oxley (SOX) Section 302 of the SEC rules, and that has a level of significance or liability, which is much lower than the liability that a company might face under SOX Section 404, which has to do with the actual internal controls over financial reporting. While disclosure of internal controls might not typically bring Section 404 scrutiny, under the new revenue recognition standard, they may now do so. Kelly stated, the SEC has made it “clear that it will be watching this first year of financial statements under the new standard closely.”

There are several key issues which I believe will become critical for the compliance practitioner going forward. The first is under step 1, you must identify the written contract and who your counter-party is. While the answer to the inquiry of “Who is the customer?” may seem straightforward, in the compliance arena it may not be so clear. A third-party sales agent contract or even a distributor agreement may have elements which might fall under the new revenue recognition standard and hence require a different analysis and internal controls standard. Further, as written contracts are specified in the Ten Hallmarks of an Effective Compliance Program as a key internal control, you can easily see how the lack of such a written agreement can fall into the realm of compliance. Even FCPA enforcement actions are relevant here, as one of the well-known bribe-funding tactics is to provide a discount to a customer but not credit the company’s books, and instead take the actual discounted amount and give it to a corrupt official as a bribe. With this first step of the new revenue recognition standard apparently recognizing that the lack of a contract is not an impediment to eventually recognizing revenue, compliance practitioners may well need to more thoroughly review contracts with governmental entities or state-owned enterprises.

The 2nd element may well cause the compliance professional consternation. Usually, when a party performs, payment is due. However, under this element there can be partial performance, a rolling performance or something altogether different. Some third-party representatives may have contracts that read more like customer agreements contemplated under Topic 606, for example commissioned sales agents and distributors are two which come to mind. If there is now more flexibility on payment, will it allow nefarious actors to manipulate both data and financials to hide the creation of pots of money to pay bribes? CCOs and compliance practitioners need to consider these issues in the context of compliance internal controls going forward. 

Step 3 speaks directly to a wide variety of corruption risk. Typically, only attorneys are concerned with such arcane topics as ‘consideration’. However now a judgment call must be made regarding the consideration that can be expected to be achieved. This would seem to provide a clear area for possible manipulation unless there are sufficient internal controls in place. While this might not seem like a compliance internal control, such detect and prevent controls could alert relevant employees, both in finance and compliance, if excessive evaluation or variance was assigned to a large contract with a state-owned enterprise or foreign government. 

This is where the documentation required under a best practices compliance program is so critical. Not only is it evidence to present to a regulator of compliance, but it also will form an internal database that a company (or its auditors) can measure against for reasonableness of such variations going forward. CCOs and compliance practitioners need to consider these issues in the context of compliance internal controls going forward. 

Step 4 presaged the theme of the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs and new FCPA Corporate Enforcement Policy of operationalization of compliance and firmly demonstrates the convergence between the new revenue recognition standard and compliance overlap going forward. Compliance internal controls are in place to both detect and prevent. Now they can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective. 

Step 5 is to recognize the revenue as appropriate. Yet this seems to me to emphasize the over-arching requirement of this new revenue recognition standard: Document, Document, and Document. The key is to document evidence of the performance obligations to support your conclusions. Yet, as Joe Howell made clear throughout this series, this requirement does not fall solely on the shoulders of accounting. He stated that a company must “build processes with their sales organization, their sales op organization, their marketing organization, their legal department to figure out what is the evidence. This requires that the accountants have conversations with your sales team early on to figure this out but also as we talked about the capturing the judgments related to the cost to acquire the contracts, that they work closely with the sales organization on these commissions.” This is another way of saying “operationalize the process.”

This new revenue recognition standard intertwines two concepts. The first is the convergence and overlap between the compliance profession, compliance programs and compliance practitioners with internal controls. While largely seen as financial in nature, compliance internal controls are in place to both detect and prevent. Now compliance internal controls can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective. However, if you are a CCO, you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization.

The second concept is the continued operationalization of compliance. During my tenure in compliance, you rarely heard a CCO consider revenue recognition as a compliance related issue. By going into detail, we have shown how this new revenue recognition standard can change the manner in which a company might recognize revenue, leading to a greater risk of the obfuscation of payments for bribery by corrupt employees. This means as a CCO you must not only be aware of the risk to manage it, but you also must take active steps to mitigate against it.  

This new revenue recognition standard means a lot of work for probably the next 12 months, or at least through the end of this year. It is difficult to say how many companies will go through all of this to find that actually their numbers will not change to any material amount. However, for many companies, they may not be able to quantify it, but their internal mechanisms are going to get a lot more scrutiny. There will be pressure on the internal financial controls and processes to determine how a business is justifying what is being audited and reported to investors.

Kelly concluded by adding that, at the end of the day, “revenue recognition is a financial process. It is a financial issue. This standard really gets to how are you justifying the process of putting forth these numbers. It is about documenting your judgment. It is about making sure the processes you use are full and complete and sound. Who is the one who makes sure that people understand what the process is the process is well thought out and correct and sturdy.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising



