Transitioning to the New Revenue Recognition Standard Will Likely Be Harder Before It Gets Easier

By Chris Wright, Managing Director
Internal Audit and Financial Advisory

The new revenue recognition accounting standard from the Financial Accounting Standards Board (FASB) is going into effect for most public companies in their next fiscal year, and a year later for everyone else. This fast-approaching deadline explains the increased interest and focus on the standard in Sarbanes-Oxley initiatives. The focus also showed up more demonstrably in our 2017 SOX survey than it has in the past. A majority of respondents (56 percent) indicated they are well into the transition process and have begun to update their controls documentation.

In theory, the new standard is intended to simplify revenue recognition by replacing years of accumulated industry-specific guidance with a single global model. It includes a number of disclosure requirements intended to enable users of financial statements to understand timing and judgments related to revenue recognition.

This may appear simple to companies in industries not substantially affected by the new standard, but many other organizations will still have to work through some uncertainty in the few months remaining before the effective date as they analyze current processes to identify gaps, and design and implement new processes and procedures to the extent necessary. And for organizations whose apparent change will be substantial, the actual change may turn out to be even larger than first impressions suggest.

The new standard provides a five-step revenue recognition framework in which companies must:

  1. Identify customer contracts
  2. Identify performance obligations
  3. Determine the transaction price
  4. Allocate the transaction price to each performance obligation, and
  5. Recognize revenue as each performance obligation is met

There are a number of changes that companies need to plan for. Multiple-element arrangements (arrangements in which companies deliver more than one thing — goods, services and after-market services; hardware with software that requires upgrades, etc.) need to be looked at in terms of whether or not each individual element should be considered a distinct element requiring revenue and expense recognition.

The ability to use estimated selling prices across all industries is also new and, for many, quite welcome. Some would say this is an easier way to allocate selling price than prior models, particularly for software companies. Similarly, companies that regularly receive performance bonuses at the end of a contract, or some other variable form of consideration, may now be able to recognize that revenue earlier, provided that they have experience and good data documenting previous outcomes. Even where the result is an easier future process, transitioning to the new standard will nevertheless take effort.

For example, identifying contracts and designing and implementing new controls and procedures can be a tedious and time-consuming process. Many companies are seeking guidance with their transition efforts with the goal of defining and implementing an approach that results in a smooth transition and sustainable processes. We held a SOX compliance webinar last month, in which we outlined a structured approach for the transition. The nine key elements of this approach are grouped by transitional phase (Analyze, Design, and Implement).

In the Analyze phase, organizations form a steering committee — which should include not just accounting and finance staff but legal, IT and internal audit as well, among others — to perform a gap analysis of current processes compared to the new standard, determine the transition method and assess reporting capabilities against the new requirements.

Once the process and reporting gaps have been identified, the transition enters the Design phase. This is where remediation recommendations are honed into a transition strategy and assigned to a project management office (PMO) for implementation.

During the Implement phase, the PMO, with guidance from the steering committee, works with process owners to update and test critical accounting policies and financial reporting controls, and produces the updated financial statements and other reports required under the new standard.

Some early adopters in industries for which the accounting change is substantial have been surprised by the amount of documentation required to substantiate their findings under the new standard. This will continue to be a topic of increasing concern in the weeks and months ahead as we move toward the first quarter of 2018 and as smaller companies, which may lack the project management infrastructure of some of the early adopters, move closer to implementation. A good starting point for those still in the early stages is our recorded webinar. And we are happy to answer your questions, in the comment section below.

Internal Audit’s Role Will Be Key in the GDPR Journey

By Jeff Sanchez, Managing Director
Technology Consulting

Andrew Struthers-Kennedy, Managing Director
Technology Audit

Over the next nine months, organizations will spend billions of dollars to comply with the General Data Protection Regulation, or GDPR — a European data protection and privacy regulation with the potential to be as disruptive to companies that conduct any kind of personal data exchange with the EU as the financial reforms created by the Sarbanes-Oxley Act were back in 2002. For starters, it is estimated that over the next year, companies in Europe will hire 28,000 data protection officers (DPOs) — one of the requirements of the GDPR. And that’s just one of the changes companies will have to make.

Protiviti held a popular webinar last month to discuss what GDPR is, how it will affect companies and how companies should prepare for this significant change. Scott Giordano of Robert Half Legal and Jeff Sanchez provided an overview of the regulation in a previous post. Here, we want to focus on GDPR’s implication for internal audit specifically. Two-thirds of the attendees at our webinar were from the internal audit function — not a surprise, as this is the group that will be providing assurance over the new controls once they are implemented, and is well positioned to provide guidance during their design and implementation.

The effects of this new law will be felt across all organizational departments, affecting policies, procedures, marketing, analytics, vendor contracts and customer transactions, among other things. The internal audit function, by virtue of its deep departmental access, compliance and risk knowledge, and board-level credibility, can play a significant role in both preparing for the change and monitoring compliance after the law is enforced, beginning May 25, 2018.

Between now and May 2018, internal audit can play a key role in guiding company strategy, serving as a strategic partner, helping the DPO, raising awareness of the new law, talking about potential risks, identifying gaps in the company’s compliance program, and helping to drive change within the organization.

Results from participants in Protiviti’s GDPR webinar

The majority of attendees we polled during the webinar (66 percent) said their companies are still in the early planning and discovery phase — conducting privacy risk assessments, identifying applicable laws, mapping data and trying to understand requirements. This is an area where internal audit can make a big difference.

Once the risks and compliance requirements have been identified, internal audit can add value by facilitating a gap analysis. With roughly a quarter of companies at this stage, common gaps we have seen so far include:

  • General lack of awareness related to the GDPR requirements (in particular among customer-facing functions, e.g., sales)
  • Lack of comprehensive inventory of personal data and mechanisms for how such data is being captured, stored, processed, and transmitted
  • Poor data mapping, or a lack of priority in privacy design
  • CRM systems not designed to accommodate the rights of data subjects
  • Third-party contracts that don’t reflect new regulatory requirements, and insufficient vendor management
  • Historical data that may not meet GDPR consent requirements
  • Insufficient accountability in data security and privacy across all users and applications
  • Security vulnerabilities during data processing
  • Slow or insufficient breach reporting and communication

Only after the requirements and compliance gaps have been identified can the organization begin to implement changes and move toward compliance. Our polling questions revealed that just one in ten companies has made it to this phase. Internal audit can add value here by helping to shape a compliance roadmap and advising on appropriate practices to meet the requirements of GDPR.

Of course, after the regulation takes effect, internal audit will play a pivotal role in assessing the compliance posture of an organization, testing the compliance framework and the timely reporting of data breaches, challenging management assumptions and making sure the organization is truly compliant. Data protection, specifically related to GDPR, might well be a focus point for all integrated audits that are conducted.

Companies and their internal audit departments should not underestimate the effort involved in complying with this law. The cost of complying is estimated at more than $1 million for 17 percent of U.S. companies, with larger companies likely to see higher costs. Now is the time to raise awareness among all functions that will be affected, inventory personal data, review data policies thoroughly, conduct a risk assessment and identify gaps, and engage with vendors. As with any business initiative of this scope, proper governance and oversight (including executive sponsorship and a dedicated steering committee) is going to be key to the success of the GDPR program.

For more information, we strongly encourage you to watch our free archived webinar, subscribe to our blog to be part of future discussions, and try to attend a roundtable near you. It’s not too late to start, but that won’t be the case for long.

SEC Clarifies Revenue and Lease Deadlines for Private Entities Included in Public Filings

By Charles Soranno, Managing Director
Internal Audit and Financial Advisory

With transition deadlines fast approaching on new revenue recognition and lease accounting rules from the Financial Accounting Standards Board (FASB), the Securities and Exchange Commission (SEC) has opted to clarify some confusion among certain private businesses regarding their specific deadlines for the new standard. One specific area that was unclear was the deadline for private companies whose financial statements are being filed with the SEC solely as part of another public company’s filing, such as an initial registration statement, or an IPO.

FASB requires public business entities (PBEs) to adopt new revenue recognition requirements for annual reporting periods beginning December 15, 2017 (or January 1, 2018 for calendar-year reporting companies). Private businesses have an additional year before they have to comply. The deadline for PBEs to comply with FASB’s lease accounting rule is December 15, 2018 (effectively January 1, 2019 for calendar-year reporting filers) — again, with an additional year granted to private companies. Chris Wright and I wrote about the new lease standard here.

The confusion stemmed from FASB’s definition of a PBE, which includes all entities whose financial information is included in an SEC filing. This raised a question for a certain segment of companies that operate as private entities, except for the fact that their financial statements were to be included in another company’s filing. SEC rules, for example, require companies going through an IPO to provide financial statements for all significant recent acquisitions.

Although such companies technically meet FASB’s definition of a PBE, the SEC has gone on record that it would not object to such companies adhering to the private companies’ deadline for the revenue recognition and lease accounting requirements. The SEC staff announcement was included in the FASB Emerging Issues Task Force’s July 20 meeting agenda, and can be found at this link.

It also should be noted that the new FASB revenue and lease rules still apply to all business entities. The SEC ruling merely offers private companies in transition during the implementation period the option of adhering to the later, private company deadline.

As Chris Wright and I wrote in May, starting the accounting standard transition process early will enable management to develop an efficient and timely plan, and to involve internal auditors early so that they have a voice at the table and can offer strategic guidance to ensure an orderly controls transition and project management monitoring. The one-year extension for certain companies should be seen not as a “reprieve” but as an opportunity. An early start will provide sufficient lead time to enhance processes, upgrade support systems and prepare stakeholders for the coming change.

Certainly, this ruling will be welcome relief to those companies who, in prepping for an IPO, have a number of initiatives on their plate; but although this affords companies a bit more time to prepare for the revenue recognition and leases deadlines, it is not in any way intended as an exemption or carve out. Our Guide to Public Company Transformation is a good “IPO user manual” and can be found here.

Regtech: An Innovation Quickly Going Mainstream
By Vishal Ranjane, Managing Director
Risk and Compliance

and Shubhendu Mukherjee, Director
Risk and Compliance

Last year, we wrote about the various ways financial institutions were using technology to streamline and improve regulatory compliance. We thought it was time to revisit the topic, given regtech’s quiet but steady advancement in the financial services industry in the time that has passed.

A specific definition of “regtech” is still evolving, but generally speaking, the term applies to any automation or digitalization of manual regulatory compliance processes to add speed, security, accuracy and agility in complying with regulatory requirements. Part of a broader trend toward digital transformation in financial services, the term typically refers to the regulatory application of existing technology, not the technology itself — a point well made by our colleagues John Harvie and Derek Cummings in Regtech: A Confluence of Opportunities, a paper Protiviti published earlier this year.

Much of the driving force behind this transformation is coming from financial institutions, who are replacing outdated and disjointed legacy systems with new core technology and are looking for ways to replace expensive and error-prone manual processes with automated processes across all functions, including compliance.

It is fair to say that, historically, technology funding for compliance functions has been low. As the regulatory expectations increased over the years, many compliance processes were enhanced in an ad hoc manner, utilizing antiquated systems and manual consolidation of multiple data streams from disparate sources that were hard to manage and/or update. A common solution to the complexity (which still exists today) is to add more resources to existing teams.

Digital transformation initiatives have created opportunities to consolidate and integrate these systems, generating efficiencies that organizations are using to reduce the time and resources devoted to routine compliance tasks. These opportunities and technology applications are in various stages of maturity. Financial institutions are now in a position to prioritize the more mature and proven technologies to provide real-world solutions to high-cost business problems in areas that cause the biggest expense.

One such technology that is higher on the maturity curve is robotic process automation (RPA) — the use of software to work alongside human operators to perform high-volume repetitive tasks. It is most commonly encountered in the automated menus most large companies use to route incoming calls, or schedule an automatic call-back at times of high call volume. Increasingly, financial institutions are using RPA to perform compliance tasks, specifically in AML transaction monitoring, OFAC screening, and “know your customer” (KYC) activities.

Visual analytics is another technology seeing widespread regtech application. Dashboards and other graphic representations of real-time data with drilldown capabilities and cross-tabulation provide at-a-glance insights that were functionally impossible to achieve previously with manual-based reporting. (The Protiviti Risk Index is one such example of a dashboard used to provide dynamic risk information at a glance.)

Other innovations, such as artificial intelligence and biometrics, are making regtech inroads as well, particularly in onboarding and KYC compliance, though they are behind on the maturity curve compared to RPA and visual analytics. Technology acceptance is changing fast, however, with regulators encouraging “responsible innovation” and testing of new applications in a controlled environment. The number of vendors offering regtech solutions is also increasing. One research report cites $3.2 billion in funding raised in the past five years for startups specifically focused on regtech solutions, primarily for the financial services industry.

Regtech is an exciting trend, with a promising future. As our clients look for ways to drive down costs and increase compliance efficiency, we continue to advise them to assess their options carefully, invest time, effort and resources in those activities most likely to deliver value, and be prepared to learn quickly from the failures as well as the successes of others.

SEC Expands JOBS Act Registration Filing Provisions to All Companies

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit

Good news for companies that are planning or considering an initial public offering (IPO): The confidential IPO review period, created in 2012 to assist emerging growth companies, is now available to any company considering a public offering, regardless of size. The June decision by the U.S. Securities and Exchange Commission (SEC), effective July 10, 2017, is the first major policy move by new SEC chairman Walter J. Clayton.

Prior to July 10, only smaller companies (defined as those with less than $1.07 billion in annual revenue) were allowed to confidentially file draft registration statements for SEC review before their public offerings. The Jumpstart Our Business Start-Ups (JOBS) Act was created to stimulate the economy by making it easier for these so-called “emerging growth” companies to expand through IPOs. The confidential review period was intended to protect sensitive information required under SEC registration requirements from the competitive threat of premature public scrutiny and to allow companies to consider other exit options at the same time as pursuing an IPO.

There has been some debate as to whether the limited confidentiality period — which expires 15 days prior to the effective date of the public offering — is an effective incentive. Some analysts have also complained that the provision shortens the time they have to perform their own due diligence before a stock hits the market. The SEC, however, says that allowing companies to handle IPO preliminaries in secrecy provides companies more time to plan their offerings and protects them from market fluctuations that can adversely affect companies at a vulnerable time, as well as allows them multiple exit options. The SEC provided these answers for submitting draft registrations under the new rules.

Although the impact of the SEC’s action has yet to be determined, generally speaking, the extension of the confidential review process seems like a great opportunity for companies looking for some kind of exit. As to whether it will succeed in its stated goal, that will depend on a number of factors, including economic conditions, sector timing, industry attractiveness and the individual company’s value proposition.

With all this said, it is also important to note that the extension of confidentiality does not change the substance of what pre-public companies have to do to prepare for an IPO. Planning to become a public company is time-consuming and complex, whether done in confidentiality or not. Much of that complexity is due to the numerous legal and technical requirements that must be addressed prior to an IPO. But a substantial — and often overlooked — aspect of public company readiness involves transforming organizational functions and processes.

Protiviti’s Guide to Public Company Transformation, 3rd Edition is an excellent resource for any company that wishes to review the key steps to achieving public company readiness. For starters, our guide recommends that companies establish a baseline of policies and procedures and develop a plan for bringing those critical elements in line with the heightened expectations for a public company. Specifically, our guide recommends that companies:

  • Develop a baseline of appropriate accounting, operational and regulatory policies and procedures
  • Take stock of the maturity of key processes
  • Develop a baseline for the financial close and forecasting capabilities
  • Address skills gap and other organizational changes
  • Perform a risk assessment and initial scoping for Sarbanes-Oxley readiness and compliance
  • Assess the IT environment and consider the specifications of the right ERP system (if required)
  • Establish a program management office to address incremental work streams and competing initiatives

This checklist just scratches the surface. For a more substantive analysis, download the guide, or register to watch the archived version of our webinar, “It’s What You Don’t Know That Can Affect Your IPO.”

At the end of the day, while this move by the SEC is good news, there’s still a lot of work that companies have to do to prepare for an IPO. The links above should provide a good starting point.

A New Look at Politically Exposed Persons – Focus on Risk, not Rules

By Matt Taylor, Managing Director
Risk and Compliance, Protiviti UK

The European Union’s (EU) Fourth Anti-Money Laundering Directive (4AMLD) went into effect on Monday, June 26, for all EU countries. Back in April, Protiviti sponsored a “PEP Breakfast” in anticipation of this directive, at which we had the opportunity to share information with key clients and other leading industry figures about the changes now in effect. The discussion centered on the UK Financial Conduct Authority’s Guidance Consultation, which provides guidelines on how to implement 4AMLD in the UK, and spells out how the new regulations will change firms’ design of – and approach to – enhanced scrutiny of accounts with high money-laundering risk, including those associated with “politically exposed persons,” or PEPs. The PEP Breakfast presented details regarding the changing approach to PEPs, and offered participants the opportunity to compare notes and learn from one another’s approaches to changing anti-money laundering (AML) regulations and best practices in the EU and UK.

With 4AMLD now in force, it seems like a good time to recap some of this discussion.

PEPs are individuals whose position and/or influence in government or public bodies may present heightened risks of financial crime, generally bribery and corruption. AML regulations require obliged organizations to consider subjecting such individuals to enhanced due diligence to identify, mitigate and manage such potential heightened risks.

Historically, many financial institutions have approached the potential heightened risk of PEPs on a “one size fits all” and “once a PEP, always a PEP” basis. The new regulations (and indeed, maturing risk assessment models) are driving a move to a more risk-based approach to identifying, mitigating and managing the potential heightened risk of financial crime posed by PEPs.

A more risk-based approach to PEPs includes, among other things:

  • A detailed assessment of the real financial crime risk inherent in the PEP’s current (or recent) role in the public body and ability to exert control or influence over areas which pose a heightened risk of bribery and corruption. PEPs who have been out of public office for, say, 18 months may no longer pose any heightened risk since they can no longer control or influence decisions that could make them open to bribery or corruption.
  • A thorough review of the risks posed by relatives and close associates (RCAs) of the PEP. PEPs are often sophisticated individuals and know that their financial dealings are subject to enhanced scrutiny, and may use relatives and/or close associates to act as nominees, “independent consultants” or the like in corrupt transactions.
  • Not distinguishing between “domestic” and “non-domestic” PEPs in the overall assessment of heightened financial crime. Local government officials, for example, may have control or strong influence over building development planning consent or licences, which can result in large profits for property developers and the like. In addition, the distinction between domestic and non-domestic PEPs is not practical for multinational financial institutions where clients may have accounts in multiple jurisdictions regardless of where they were initially on-boarded.
  • Enhanced transaction monitoring for PEPs and RCAs (if they are a customer or linked to a customer).
  • A recognition that negative news and other public information sources are open to manipulation in certain circumstances.

In addition, a holistic AML approach to the risk of bribery and corruption should focus on those industries and/or countries which currently carry a higher risk of such activities. These would include, for example, oil and gas companies in developing countries with ranking PEPs on their boards, or global sports organizations, where transfer fees (including layers of agents/consultants) and salaries and other payments in the tens of millions create a heightened risk of bribery and corruption.

What will these changes mean for financial services firms’ day-to-day operations? Up-to-date, detailed and (where necessary) verified “know your customer” information about customers is crucial. Red flags might be garnered from business records, powers of attorney, contracts for services rendered, and even social media profiles. PEPs’ direct (or, more commonly, indirect through RCAs) links to offshore entities and other opaque ownership structures are perhaps the biggest red flag of all. In general, PEPs and their RCAs will seek to place funds in jurisdictions and entities that are most likely to shield them from reporting to tax or regulatory authorities, either through anonymity or due to a lack of such reporting.

Organizations must review their approach to PEP risk in light of changes to regulations and a maturing view on financial crime risks to focus resources on true, rather than merely theoretical, risk. Asking the following questions will help:

  • Has the organization designed a method of assessing risk appropriate to its business model? “Method” implies a rigorous, documented approach not only to the process of identifying the real risk, but also to the process of monitoring the PEPs and RCAs to ensure such risk is mitigated and managed.
  • Is the established approach being applied appropriately and consistently? Firms should be able to demonstrate that the documented methods are applied without exception. For example, the organization’s procedures should be designed to identify both foreign and domestic PEPs in all the jurisdictions in which the company operates.
  • Does the organization invest effort to validate that its approach has been effective? Regulators will be assessing whether the methods in place are applied consistently and are yielding meaningful results in identifying, mitigating and managing risk and, where appropriate, reporting suspicious activity.

Updates to the definition of and approach to PEPs are just one of several changes required by 4AMLD. Others include the introduction of registers of ultimate beneficial owners for companies and other legal entities, including trusts; the removal of the entitlement to automatic application of simplified due diligence; and the addition of tax evasion as a predicate offence to money laundering. And 5AMLD is hot on 4AMLD’s heels. 5AMLD will broaden the definition of obliged entities to include virtual currencies, anonymous prepaid cards and other digital currencies, plus further changes to tighten AML control requirements. Banks should waste no time in making sure they are prepared to comply with the new rules, and seek help promptly where needed.

PCAOB Revises Auditor’s Report

By Chris Wright, Managing Director
Finance Remediation and Reporting Compliance Practice Leader

With the Public Company Accounting Oversight Board’s (PCAOB) new auditor reporting standard finally pending before the U.S. Securities and Exchange Commission (SEC) after nearly a decade in the making, Protiviti has published a Flash Report summarizing the changes and examining possible consequences.

The Auditor’s Report on Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion is intended to make the auditor’s report more relevant to investors by requiring more information about the audit. In a nutshell, the new standard requires auditors to communicate in the report any critical audit matters (CAMs) — that is, matters that were communicated or required to be communicated to the audit committee and that (1) relate to accounts or disclosures that are material to the financial statements, and (2) involve especially challenging, subjective or complex auditor judgment.

The latter distinction takes into account certain factors including, but not limited to:

  • The auditor’s assessment of the risks of material misstatement, including significant risks
  • The degree of auditor judgment related to areas in the financial statements that involved the application of significant judgment or estimation by management, including estimates with significant measurement uncertainty
  • The nature and timing of significant unusual transactions and the extent of audit effort and judgment related to these transactions
  • The degree of auditor subjectivity in applying audit procedures to address that matter or in evaluating the results of those procedures
  • The nature and extent of audit effort required to address the matter, including the extent of specialized skill or knowledge needed or the nature of the consultations outside the engagement team regarding the matter; and
  • The nature of audit evidence obtained regarding the matter

The distinguishing factor in determining whether something is a CAM is the degree to which it involves challenging, subjective or complex auditor judgment during the audit process. The audit report must include identification of each CAM, a description of the principal considerations that led the auditor to determine that the matter was a CAM, a description of how the CAM was addressed in the audit, and a reference to the relevant financial statement accounts or disclosures.

Because CAM determinations are subjective, some say they will give auditors leverage to encourage additional management transparency to the benefit of investors. Others see them as a significant cost and, potentially, a competitive threat, depending on the kinds of issues discussed and disclosed.

The final standard includes other changes to the auditor’s report intended to affirm the auditor’s independence, clarify the auditor’s role and responsibilities related to the audit, provide additional information about the auditor, and make the auditor’s report easier to read.

The new standard applies to audits conducted under PCAOB standards. In addition, it specifically concludes that the communication of CAMs is not required for audits of brokers and dealers; investment companies other than business development companies; employee stock purchase, savings and similar plans; and emerging growth companies.

Subject to SEC approval, the final standard and amendments will take effect as follows (although the PCAOB allows auditors to comply with the standard before the effective date, at any point after SEC approval):

  • All provisions other than those related to critical audit matters will take effect for audits of fiscal years ending on or after December 15, 2017.
  • Provisions related to CAMs will take effect for audits of fiscal years ending on or after December 15, 2020.

One consequence to watch for is whether auditors will require disclosure of original information in articulating CAMs encountered during the audit. Limitations of the auditor’s knowledge and expertise, potential liability implications, and friction in the relationship with the company may become influencing factors that could discourage auditors from going beyond management disclosures. No doubt, this will place companies, their SEC counsel and their auditors on a collision course when it comes to deciding how much disclosure is enough disclosure.

We will continue to follow this issue and advise clients on best practices as they develop. For more detail, you can download the full flash report free from our website.