Have you vetted fraud risk under new revenue standard?

The risk of fraud via revenue recognition has always been a big deal. Now it’s an even bigger deal as companies are sluggishly adopting new rules that give would-be perpetrators potential new opportunities.

The massive new revenue recognition standard, which public companies are working to adopt beginning in 2018, introduces new judgments and estimates. If not controlled properly, those judgments and estimates can serve as a foot in the door for fraudsters who decide to manipulate numbers.

Even staff members at the Securities and Exchange Commission are starting to wring their hands over it. At a recent one-day conference on implementation of the new standard, SEC staffer Sylvia Alicea reminded companies that transition to a new GAAP standard means they need to give fresh consideration to risk, including fraud risks. And by its nature, the new standard presents plenty of risk to consider.

“Companies should consider whether the potential for management bias in reasonable judgments required to apply the new guidance may lead to the identification of new fraud risks,” said Alicea, who is a professional accounting fellow in the Office of the Chief Accountant at the SEC.

Where does the standard require judgments that might elevate fraud risk? Consider the potential for management bias in identifying performance obligations, estimating certain stand-alone selling prices, and estimating variable consideration, for example. “It is important for management to consider whether new changes in internal controls are warranted to reduce the risk associated with management bias,” Alicea said.

Although the Financial Accounting Standards Board issued the final revenue recognition standard in mid-2014, public companies have been slow to act on preparing for the new accounting requirements. Aside from a handful of early adopters who are applying the standard as of the original effective date of Jan. 1, 2017, the vast majority of public companies are due to reflect the new accounting beginning Jan. 1, 2018.

“I think there are companies that continue to lag behind in the whole process and controls are not front and center in that process.”
Eric Knachel, Senior Consultation Partner, Deloitte & Touche

The change to the new five-step method represents a new way of arriving at reported revenue figures. In terms of the numbers that will appear in financial statements, the change is significant for some companies, but less drastic for others.

Still, the SEC and accounting experts have been warning from the beginning that adopting the new standard would be a huge undertaking because it necessitates new accounting policies and processes, new internal controls, and new disclosures. Experts say those new steps will be substantial for all companies, even those that have already determined the reported revenue figures will not change materially.

Eric Knachel, senior consultation partner at Deloitte & Touche, says he doesn’t see companies focusing a great deal on fraud risk, primarily because they’re not yet focused on the internal controls they’ll need to develop to comply with the new accounting. “I think there are companies that continue to lag behind in the whole process and controls are not front and center in that process,” he says.

Giving fraud proper consideration under the new accounting will not be easy, says Knachel. Each company will have to rely on their own experiences and the nuanced differences in how they operate to identify their own fraud risks, and no one yet has any experience with the new standard. “It’s not like you can apply a checklist and say if we do these five things we’ve addressed the potential for fraud,” he cautions.

In Knachel’s view, the conditions are ripe for fraud, actually. Companies are adopting a huge new standard, full of calls for new judgments and estimates, governed by new internal controls, developed under lagging implementation efforts. “All of that comes together to increase the potential for fraud risk,” he says. “It’s a very legitimate concern.”

ICFR

Below is an excerpt from SEC Professional Accounting Fellow Sylvia Alicea’s speech.
Updating and maintaining internal controls will be particularly important as companies work through the implementation of significant new GAAP standards.  Companies' implementation activities will require careful planning and execution, including careful evaluation of the specific facts and circumstances, to determine the appropriate application of new GAAP standards. Management's ability to fulfill its financial reporting responsibilities significantly depends on a comprehensive and timely assessment of risks.  Such risks may exist at various levels and in different areas of a company and those risks may include whether the employees involved in the transition to new GAAP standards have the appropriate competencies to make the reasonable judgments required to faithfully apply the principles in the standards.  Management may find published third-party transition resources helpful in making these judgments.  However, it’s important for management to remember their responsibility to keep books, records, and accounts that accurately reflect their transactions and to maintain internal accounting controls designed to provide reasonable assurance that their transactions are recorded in conformity with GAAP.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013), which most companies base their evaluation of the effectiveness of ICFR on, includes guidance for management on what constitutes effective risk assessment.  This guidance illustrates the importance of the integration of control activities with the risk assessment.  I believe that this linkage is important for all companies — regardless of the framework used or the company's size – in achieving the objective of reliable financial reporting.
The transition to a new GAAP standard necessitates the need for management to carefully consider whether the transition (or consistent application of the standard once implemented) results in new risks or changes to previously identified risks, including fraud risks.
It is important to remember that different factors and influences can impact the risk of fraud.  At its core, fraud is the result of decisions or actions by individuals.  As such, management should carefully consider how the transition to new GAAP standards will affect opportunities, incentives, pressures, attitudes, and rationalizations in a manner that could drive changes to previously identified fraud risks.  These considerations also play an important role in the design and effectiveness of internal controls that mitigate those risks.
For example, during transition to the new revenue standard, companies should consider whether the potential for management bias in reasonable judgments required to apply the new guidance may lead to the identification of new fraud risks.  Potential examples related to areas of judgment susceptible to management bias include the identification of performance obligations, the estimation of standalone selling price for distinct goods and services, as well as the estimation of variable consideration when determining the transaction price.  It is important for management to consider whether new or changes in internal controls are warranted to reduce the risk associated with management bias.  For example, management may want to establish a framework that defines how management will execute the judgments required in the new GAAP standards.  This may allow for a more consistent application of the principles in the new GAAP standards that helps reduce the risk of management bias.
In addition to the COSO framework, there are other sources of guidance available to management to assist with fraud risk assessment.  These sources suggest that a company should have an appropriate oversight function, including an audit committee, in place to reduce risks associated with fraud. Companies should consider engaging the audit committee early and often in its risk assessment process.  The audit committee’s oversight of management’s risk assessment, as well as its oversight of the internal controls that mitigate the identified risks, not only helps management fulfill its financial reporting responsibilities, but also serves as a potential deterrent to fraudulent activity. 
Source: SEC

Knachel says he sees a long list of fraud risks in the new standard, but three big areas involve judgments and complexity that make them the most significant areas of concern. They include requirements to allocate transaction prices to performance obligations, estimate selling prices, and estimate variable consideration. Companies need to establish solid frameworks and internal controls for arriving at those numbers as a result, he says.

In terms of controls, Knachel is advising companies to develop both process controls and monitoring controls. The process controls govern how management arrives at the estimates, and the monitoring controls provide the feedback loop on where the framework and process controls need tweaking. “By definition, estimates are just that,” says Knachel. “They will need to be adjusted and revised.”

The COSO Internal Control — Integrated Framework, which most public companies follow to achieve compliance with internal control reporting under Sarbanes-Oxley, addresses fraud risk explicitly in one of its 17 principles of effective control, says Bob Hirth, COSO chair. “It says you need to address the risk of fraud right up front in the risk assessment,” he says.

That suggests companies, in adopting a change to GAAP, need to consider the fraud risk before they adopt the new accounting, not later in the process. “You have to go through the risk assessment brainstorming and scenario planning early in the process,” says Hirth.

Scott Moritz, managing director at consulting firm Protiviti, says companies should take care to assess the risks all companies face as a result of classic revenue recognition fraud methods — earnings management, manipulation of inventory or shipping records, side agreements, transactions between related parties, and others. Then they need to consider risks that might be specific to the company because of the nature of the business, the products or services it provides, the geographic areas where it does business, and so on.

Going through that exercise will help leadership appreciate the accounting and fraud risks, Moritz says. “It’s easy to say, but it’s not that easy to execute,” he says. “Most people are not hardwired to think in terms of worst-case scenarios, but that’s what fraud risk scenario brainstorming is.”

Doug Townsdin, a partner at Grant Thornton, says the COSO framework will be a helpful tool to consider the fraud risk, but it has to begin with a thorough understanding of the standard and the risks it presents. “There are fraud risks that might or could come into play that wouldn’t have to be considered under the old revenue standard,” he says.

Companies may need to consider an extra layer of review and oversight in the process to assure they’re covering all the key risks, says Townsdin. “From a control perspective you have to address what’s there, but you also need to consider what hasn’t been considered.”

That certainly suggests companies need to be sure the audit committee is engaged and active on the implementation effort, Townsdin says. “As companies have been going through implementation, there becomes more of a realization of the nuances being introduced because of the judgments and estimates,” he says. “I do think that’s coming to light. It’s going to be very important for the audit committee to be fully informed of where the company is.”

The SEC’s Alicea would seemingly concur. “Companies should consider engaging the audit committee early and often in its risk assessment process,” she advised. “The audit committee’s oversight of management’s risk assessment, as well as its oversight of the internal controls that mitigate the identified risks, not only helps management fulfill its financial reporting responsibilities, but also serves as a potential deterrent to fraudulent activity.”