At-A-Glance

With the start of the New Year, we introduce a new bi-monthly schedule for the Audit & Accounting Alert. Each issue will highlight topics of emerging interest, as well a summary of recent actions and activities from the world of accountancy. With the heightened reports of hacking and attacks on email and internet sites nowadays, cybersecurity is a constant concern for companies and organizations. Our first article discusses a standardized framework the American Institute of Certified Public Accountants (AICPA) is developing for reporting the state of cybersecurity measures at the entity level. The new revenue accounting standard starts to go into effect a year from now. The importance for adequate planning and preparation become more urgent with every passing day. Our second article describes several sources offering ongoing assistance for maneuvering through the implementation challenges. Finally, our Worldwide Update covers news from organizations across the globe. Editor Gerald E. Herter, CPA

In This Issue 

• Cybersecurity Reporting

  A proposed standardized framework for assessment of risk

• Preparing for the New Revenue Recognition Standard

  A sense of urgency grows along with more guidance
  

• Worldwide Update

  Periodic roundup of recent and upcoming actions and activities by audit and accounting organizations throughout the world

• Additional A&A News

Cybersecurity Reporting

A proposed standardized framework for assessment of risk

Threats to cybersecurity are pervasive at all levels of society today. Recently, the objectivity of America’s election process was drawn into question by alleged cyberattacks on candidates, if not the actual voting mechanism itself.

Ironically, according to the United Nations Office for Disarmament Affairs, the Russian Federation back in 1998 first introduced a resolution addressing information security, including the question of “unauthorized interference with or misuse of information and telecommunications systems and information resources.” They also, along with the other G20 countries at the 2015 summit, issued a communique starting that “states have a special responsibility to promote security, stability, and economic ties with other nations…All states in ensuring the secure use of ICTs (information and communications technology), should respect and protect the principles of freedom from unlawful and arbitrary interference of privacy, including in the context of digital communications.”

The accounting profession has tackled the cyber threat in various ways over the years. For example, COSO (Committee of Sponsoring Organizations of the Treadway Commission) issued a report in January, 2015, COSO in the Cyber Age, that applied the guidelines of COSO’s pronouncement, Internal Control-Integrated Framework, to the realm of technology. (See the March, 2015 Audit & Accounting Alert for a discussion of that report).

However, this past December, 2016, United States Treasury Department Deputy Secretary Sarah Bloom Raskin, in a speech at the Public Company Accounting Oversight Board (PCAOB) International Institute on Audit Regulation, expressed concern that the auditor’s current role, though useful, falls short. She observed that:

“Auditors focus their attention on the use of IT to prepare financial statements and automated controls around financial reporting, such as controls around the reliability of underlying data and reports. This approach is appropriate to address financial reporting risk but it does not address a company’s overall business or operating risk. Unless retained as part of a consulting engagement, an auditor does not more broadly evaluate a company’s overall cybersecurity risk management program. For example, auditors do not evaluate whether a company has appropriately identified the functions, activities, products, and services—including interconnections, dependencies, and third parties—that present it with cyber risk. Likewise, an auditor does not assess whether a company has identified and implemented controls—including systems, policies, procedures, and training—to protect against and manage identified cyber risks within the tolerance set by the board.”

Acknowledging the long-term potential for cyber norms, such as those promoted in summits like the G20 meeting mentioned above, Raskin nevertheless stressed the immediate need for a consistent, comparable method to assess an entity’s threats, since “more than 80 percent of cyber incidents can be prevented.” One such development singled out by Raskin is a project currently under way by the AICPA.

Noting the disparity of approaches that have developed to assess cybersecurity, the AICPA in September, 2016, proposed a standardized “reporting framework through which organizations can communicate useful information regarding their cybersecurity risk-management programs to stakeholders.” The comment period for the proposal, which is summarized in a document, titled Cybersecurity Reporting: A Backgrounder, ended December 5, 2016, so results of the responses should be reported in the coming months.

The AICPA determined that different reports should be developed to respond to the needs of entities, service providers and the supply chain. The current proposal covers the entity reporting level, while the other two are in the planning stages.

At the entity level, the intended audiences are the board of directors/audit committee, management, investors, regulators, and analysts. The benefits envisioned for the entity and recipients are to:

1. Provide transparency to key elements of the entity’s cyber risk management program;
2. Improve communications; and
3. Enhance confidence in the integrity of information presented.

The components of the entity-level cybersecurity reporting framework would be threefold:

1. Management’s description – a narrative of the entity’s cybersecurity risk-management program;
2. Management’s assertion – as to the effectiveness of the controls in place; and
3. The practitioner’s opinion – of the completeness and accuracy of management’s description and the effectiveness of the controls to achieve the entity’s cybersecurity objectives.

Along with the above descriptive document, the AICPA issued the “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.” In accordance with the AICPA attestation standards, the criteria should be relevant, objective, measurable and complete. The categories of the description are to include:

• Nature of Operations
• Nature of Information at Risk
• Cybersecurity Risk Management Program Objectives (Cybersecurity Objectives)
• Inherent Risks Related to the Use of Technology
• Cybersecurity Risk Governance Structure
• Cybersecurity Risk Management Process
• Cybersecurity Communications and the Quality of Cybersecurity Information
• Monitoring of the Cybersecurity Risk Management Program
• Cybersecurity Control Activities

For each of the categories, the proposal includes points of focus related to each criteria, to assist management in determining the pertinent matters to address.

A separate “Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy” addresses the evaluation of controls within an entity’s cyber risk management program.

Further details can be found at AICPA Cybersecurity Initiative

Preparing for the New Revenue Recognition Standard

A sense of urgency grows along with more guidance

With the first year of implementation just a year away for some companies, the new revenue accounting standard looms ever larger on the horizon. Considering the need for current disclosures of expected impact and the potential recasting of pre-implementation years for meaningful comparison, the time for accelerated effort is upon us.

At an address to the AICPA Conference on Current Securities and Exchange Commission (SEC) and PCAOB Developments in Washington, D.C. on December 5, 2016, SEC Chief Accountant Wesley Bricker stressed the pervasive significance of revenue accounting to financial reporting:

“Revenue is one of the single most important measures used by investors in assessing a company’s performance and prospects, regardless of a company’s industry, the nature of its securities, or the capital markets it accesses. Revenue impacts key analytical ratios and bottom line earnings. Although often a complex area, companies cannot afford to get the accounting wrong. The standards, including the disclosures, are an important step forward in financial reporting, both domestic and foreign, and when implemented, they are designed to enhance the comparability of companies’ reported revenues.”

While recognizing that progress has been made toward implementation in the past year, Bricker pointed out that there is still more to do. He quoted an October 2016 Price Waterhouse Coopers (PwC) survey reporting that “eight percent of respondents still had not started an initial assessment of the new revenue recognition standard, while the others were still assessing (75%) or implementing (17%).” He encouraged the AICPA and other industry task force members “to complete their work expeditiously but without compromising quality. It is important to bring closure to the issues identified through this process.”

In that regard, the joint International Accounting Standards Board/Financial Accounting Standards Board (IASB/FASB) Revenue Recognition Transition Resource Group has proactively addressed requests for clarification. At a semi-annual web update on December 19, 2016, FASB staff reported that of the 108 submissions received, the majority of issues were resolvable through educational efforts, while a handful were advanced to the standard setting boards, resulting in a number of amendments to the pronouncement. The issues and the number of submissions for each were:

1. Identify the performance obligations (Pronouncement Step 2) - 16
2. Determine the transaction price (Pronouncement Step 3) - 14
3. Recognize revenue when (or as) - 13
4. Scope - 11
5. Presentation and disclosure - 10
6. Identify the contract(s) with a customer (Pronouncement Step 1) - 10
7. Contract costs - 16
8. Principal vs. Agent - 5
9. Licensing - 6
10. Allocate the transaction price (Pronouncement Step 4) - 4
11. Transition – 3

In addition, the FASB on December 14, 2016 issued Accounting Standard Update 2016-20 to provide a number of technical corrections and improvements to the guidance for the standard. See Worldwide Update below for additional information.

Further details can be found at FASB/IASB Joint Transition Group for Revenue Recognition

The AICPA Revenue Recognition Task Force (RRTF) has been busy, also. The RRTF was established to provide implementation guidance by industry. On the December 5, 2016 status update, the RRTF reported 149 identified implementation issues, classified into sixteen separate industries. Industries with more than ten issues included aerospace & defense, airlines, gaming, power and utility, software entities, and telecommunications entities. The issues are working their way through various deliberative bodies. Fifteen have been referred to the IASB/FASB Transition Resource Group for possible amendment consideration. Another 43 have been developed into guidance that has been published by the AICPA in the form of exposure drafts for comment. Of these thirteen are now finalized for incorporation into the forthcoming Accounting Guide on Revenue Recognition.

Further details can be found at the AICPA Revenue Recognition Section

The Center for Audit Quality (CAQ), concerned about the readiness of audit committees, on December 13, 2016, released Preparing for the New Revenue Recognition Standard, A Tool for Audit Committees (Tool). The CAQ is an autonomous public policy organization dedicated to enhancing investor confidence and public trust in the global capital markets. The CAQ is affiliated with the AICPA. The Tool states from the outset that “It is urgent that audit committees understand how management is assessing the impact of the new revenue recognition standard and forging a successful path to its implementation.” Noting the substantial magnitude of the implementation effort, the Tool emphasizes the importance of starting immediately, if the process has not already been initiated.

To facilitate the audit committee’s oversight of management’s implementation efforts, the Tool provides a four-step guide:

1. Understanding the New Revenue Recognition Standard – What Is It? - a brief overview of the core principles of the standard. The five step process for determining when to recognize revenue is described. Also, the two transition options are summarized. Full retroactive application for public companies requires recasting the 2016 and 2017 financials to reflect the new standard. Modified retrospective application records the cumulative effect of applying the standard as an adjustment to opening retained earnings in 2018.
2. Evaluating the Company’s Impact Assessment– How Will Revenue Recognition Change? - assists audit committees in discussing with management the impact of the new standard due to various factors related to the company’s business. A list of suggested factors to be considered is provided.
3. Evaluating the Implementation Project Plan – How Do We Need to Prepare? - assists audit committees in their efforts to understand and evaluate management’s implementation project plan. A series of questions is posed concerning the plan, culture and resources, involvement of stakeholders, accounting policies and significant accounting judgments, contracts, and systems & controls.
4. Other Implementation Considerations – What Else Do We Need to Consider? - assists audit committees with other considerations such as transition decisions and new disclosure requirements.

The Tool wraps up with additional resources, including links to executive summaries and technical guides available from the AICPA, FASB/IASB, and international accounting firms.

With all the attention and resources forthcoming, companies and auditors should have no shortage of guidance to move forward with revenue recognition implementation. One final note Bricker mentioned in his speech was that while auditors can use their knowledge to advise clients on these matters, they need to be careful to maintain their independence. Clients need to do the actual development of systems, processes and controls, so that the auditors are not placed in a position of auditing their own work.

For further information, see Preparing for the New Revenue Recognition Standard: A Tool for Audit Committees.

Worldwide Update

Periodic roundup of recent and upcoming actions and activities by audit and accounting organizations throughout the world

International

IASB – International Accounting Standards Board (www.ifrs.org)

1. Amendments - Annual Improvements to IFRS Standards - 2014–2016 Cycle – issued December8, 2016, includes minor changes to clarify, correct, or remove redundant wording in: IFRS 12 – Disclosure of Interests in Other Entities, effective January 1, 2017; IFRS 1 – First-time Adoption of International Financial Reporting Standards, effective January 1, 2018; IAS 28 – Investments in Associates and Joint Ventures, effective January 1, 2018. .
2. IFRIC Interpretation 22 - Foreign Currency Transactions and Advance Consideration, issued December 8, 2016, addresses the exchange rate to use in transactions that involve advance consideration paid or received in a foreign currency. Effective 1 January 2018.
3. Amendments to IAS 40 - Investment Property, to clarify the requirements on transfers to, or from, investment property. Effective 1 January 2018.

IFAC – International Federation of Accountants (www.ifac.org)

1. International Auditing and Assurance Standards Board (IAASB) - Exploring the Demand for Agreed-Upon Procedures Engagements and Other Services, and the Implications for the IAASB’s International Standards – Discussion Paper published November 29, 2016, “sets out the key features of an AUP engagement and explores how they are undertaken, including the extent to which practitioners find existing requirements and guidance helpful or challenging. In addition, the IAASB is seeking an understanding of how reports on factual findings are used to determine the needs of users. The Discussion Paper also explores the demand for engagements that combine reasonable assurance, limited assurance, and non-assurance engagements, and whether the IAASB’s existing International Standards are appropriate.” Comment period ends March 29, 2017.
2. International Auditing and Assurance Standards Board (IAASB) - The New Auditor’s Report: Questions and Answers - published November 30, 2016, “provides guidance to address areas where there are common differences in interpretation of the IAASB’s new and revised Auditor Reporting standards and ISA 720 (Revised), which are effective for periods ending on or after December 15, 2016.
3. International Public Sector Accounting Standards Board (IPSASB) – Emissions Trading Schemes – Staff Background Paper published December 14, 2016, “provides information on Emissions Trading Schemes (ETSs) and other government interventions that reduce emissions of greenhouse gases, including different types of government interventions and their economic impacts.

ACCA – Association of Chartered Certified Accountants (www.accaglobal.com/)

1. Professional accountants – the future: 50 drivers of change in the public sector – report issued December 2, 2016, “identifies the main drivers for change that will affect the global public sector landscape, and assesses the likely timing of the changes.”
2. Enterprise Performance Management: an eye on performance – report issued December 5, 2016, “ is the culmination of three surveys jointly commissioned by ACCA and KPMG to assess how EPM can support business planning, reporting and analysis.”

CIMA – Chartered Institute of Management Accountants (www.cimaglobal.com)

1. A CFO's key competencies for the future – report issued in December, 2016, “chronicles the discussions on the key competencies of a CFO in the present day and for future aspiring CFOs in the Malaysian context…is a summary of the insights shared through two roundtable discussions conducted in Kuala Lumpur in October 2016.”

Africa, Europe, India, and the Middle East (AEIME)

FRC – Financial Reporting Council of the UK (www.frc.org.uk)

1. Technical Actuarial Standards (TAS) – issued December 14, 2016: TAS 100: Principles for technical actuarial work applies to all technical actuarial work; TAS 200: Insurance, TAS 300:Pensions and TAS 400:Funeral plan trusts, apply to areas of technical actuarial work where there is a high degree of risk to the public interest. Effective 1 July 2017, the TAS’s will replace the existing standards. TAS 100 extends the scope of FRC technical actuarial standards to cover all technical actuarial work. The current standards only apply to specific areas of work and work reserved to actuaries.

ICAEW – The Institute of Chartered Accountants in England and Wales (http://www.icaew.com)

1. Audit insights: data analytics – report published December 13, 2016, describes external auditor insights into the impact of data analytics on the businesses they audit, and provides management with a high-level approach to data analytics.
2. Response to PIOB Strategy Public Consultation Paper–issued December, 2016, expresses concern that the latest set of governance proposals from the Public Interest Oversight Board, which are “intended to ensure that the public interest is at the core of standard-setting, could actually risk undermining the quality of international standards…by bringing in more non-accountants into the standard-setting process.” 

Americas, Asia, Australia and New Zealand (AAANZ)

FASB – Financial Accounting Standards Board (www.fasb.org)

1. Technical Corrections and Improvements: Revenue from Contracts with Customers – ASU 2016-20 – issued December 14, 2016, to clarify or correct unintended application of guidance in the areas of loan guarantee fees, impairment testing in contract costs, provisions for losses on construction-type and production-type contracts, the insurance contract scope exception, disclosure of remaining performance obligations, disclosure of prior-period performance obligations, contract assets versus receivables, refund liability, advertising costs, fixed-odds wagering contracts in the casino industry, and cost capitalization for advisors to private funds and public funds. Effective generally at the same time as the basic Revenue from Contracts with Customers pronouncement.
2. Technical Corrections and Improvements – ASU 2016-19 – issued December 14, 2016, clarifies and removes inconsistencies in ten key areas of U.S. Generally Accepted Accounting Principles (GAAP). Effective dates are generally immediately or in 2017.
3. Exposure Draft - Distinguishing Liabilities from Equity: I. Accounting for Certain Financial Instruments with Down Round Features; II. Replacement of the Indefinite Deferral for Mandatorily Redeemable Financial Instruments of Certain Nonpublic Entities and Certain Mandatorily Redeemable Noncontrolling Interests with a Scope Exception – issued December 7, 2016, “to address issues identified as a result of the complexity associated with applying generally accepted accounting principles (GAAP) for certain financial instruments with characteristics of liabilities and equity...Down round features are features of certain equity-linked instruments (or embedded features) that result in the strike price being reduced on the basis of the pricing of future equity offerings.” The comment period ends February 6, 2016. GAS .

GASB – Governmental Accounting Standards Board (www.gasb.org)

1. GASB Statement No. 83 – Certain Asset Retirement Obligations (AROs), issued on December 7, 2016, “establishes criteria for determining the timing and pattern of recognition of a liability and a corresponding deferred outflow of resources for AROs. This Statement requires that recognition occur when the liability is both incurred and reasonably estimable.” Effective for periods beginning after June 15, 2018, with earlier application permitted.
2. Exposure Draft - Implementation Guide No. 201X-Y, Implementation Guidance Update–201X, issued November 16, 2016, “addresses a wide array of practice issues, including questions related to the GASB’s accounting and financial reporting standards on pensions, cash flow statements, the financial reporting entity, certain investments, external investment pools, fund balance, and tax abatements.” The comment period ends January 31, 2017.

AICPA – American Institute of Certified Public Accountants (www.aicpa.org)

1. Financial Reporting Executive Committee (FinRec)

a. Exposure Draft - Gaming Revenue Recognition Implementation Issue, arising from ASU 2014-09 - Net Gaming Revenue - issued December 1, 2016, proposing that “the adjustments for cash sales incentives and the change in progressive jackpot liabilities to arrive at Net Gaming Revenue represent consideration payable to a customer and therefore should reduce the transaction price, and be accounted for as contra-revenue.” The comment period ends February 1, 2017.

SASB – Sustainability Accounting Standards Board (http://www.sasb.org)

1. State of Disclosure Report – 2016 – released December 1, 2016, “presents a review and analysis of current sustainability disclosures included in hundreds of SEC filings across every major industry.”
2. SASB Navigator – launched October 20, 2016, “a platform that combines financially material sustainability information with data and analytics to help users understand and analyze industries' and companies' sustainability performance and disclosure.”

Additional A&A News

The following links provide a selection of current articles devoted to highlighting other A&A topics currently making news.

1. How Transparent Accounting Leads to Smarter Decisions
2. A Review of 2016 in Accounting: An Expert View
3. 10 Steps to Financial Auditing Success
4. Rules to Clarify Sales of Nonfinancial Assets Out in 2017
5. Study favors PCAOB audit engagement partner disclosure rule
6. Goodwill Impairment Skyrocketed in 2015, Study Finds

Audit & Accounting Alert is a publication of Integra International intended to highlight emerging issues in the profession. The goal is to give Integra members an awareness of developments impacting the practice of Audit & Accounting, enabling them to stay on the forefront of industry trends.

Editor Gerald E. Herter  •  HMWC CPAs & Business Advisors, 17501 E. 17th Street, Suite 100, Tustin, CA 92780-7924
 •  Tel: 1 714 505-9000  •  Fax: 1 714 505-9200  •  Email: [email protected]