Monitoring Risk in Financial Reporting: Regulators Look Closer at Cybersecurity, Sustainability, and Governance: Highlights from the 18th Annual Baruch College Financial Reporting Conference.
A common theme in the discussions at this year's conference was the variety of risks that stand in the way of useful financial reporting. Investor confidence rests on the quality and reliability of the reports and the assurance given them. Cybersecurity represents a material, and perhaps critical, issue for all businesses, and the standards governing its reporting and assurance are still being developed. Regulators such as the PCAOB and SEC consider this to be an area of growing concern and are focusing their attention on how to address cybersecurity risks and report to financial statement users. Another topic of concern to all of the speakers was the ability of financial reporting standards and processes to keep pace with a constantly shifting business landscape. Concerns about transparency, international comparability, and sustainable practices featured significantly in the debate over the direction of financial reporting.
The speakers at the conference each shone a light on a different piece of the financial reporting landscape. SEC Chief Accountant Wesley Bricker spoke about the past, present, and future of financial reporting, highlighting trends that regulators, issuers, and other stakeholders must focus on to ensure confidence in the capital markets. FASB Chair Russell Golden gave an overview of his board's efforts to coordinate with and learn from international standards setters in order to craft a higher-quality accounting standards. And in her keynote address, PCAOB Board Member Kathleen Hamm laid out the dangers that interconnectivity poses to the financial reporting system and the steps the auditing profession can take to improve cybersecurity and properly manage the risks inherent to businesses operating in a digital world. Panels throughout the course of the conference covered the current activities of the SEC, the experiences of preparers as they implement the new leasing and revenue recognition standards, other reporting developments affecting both public and private companies, and recent regulatory activity on financial instruments. Panelists included representatives from Moody's, Google, Financial Executives International (FEI), KPMG, Ernst & Young, Deloitte & Touche, and PricewaterhouseCoopers.
The following articles include presentations from the featured speakers as well as summaries of the panel discussions held throughout the day. The comments and opinions expressed at the conference and reproduced here represent the speakers' own views and not necessarily those of their employers, affiliated organizations, colleagues, or staff.
About the Speakers
Wesley Bricker serves as the chief accountant for the SEC's Office of the Chief Accountant (OCA). (Editor's note: Bricker left the SEC in June 2019 after this speech was given.) The accounting group advises the SEC on accounting and auditing matters, and works closely with private sector accounting bodies such as FASB. Bricker was previously the OCA's deputy chief accountant. Before joining the SEC, he was a partner at PricewaterhouseCoopers, where he was responsible for clients in the banking, capital markets, financial technology, and investment management sectors.
Russell Golden has served as chair of FASB since 2013, after previously being a board member for three years. Prior to that appointment, he served for two years as FASB's technical director, overseeing FASB staff work on accounting standards and technical application and implementation activities. He also chaired the FASB's Emerging Issues Task Force (EITF). He has been with the board since 2004.
Bricker and Golden presented the opening remarks at Baruch College's 18th Annual Financial Reporting Conference, held on May 2, 2019. The following is an edited transcript of their remarks. The views expressed are their own and not necessarily those of the SEC, FASB, the commissioners, the board members, or the staff. Official positions of FASB are only reached after extensive due process and deliberations.
Aiming Toward die Future
Building Trust; Quality, and Confidence
By Wesley Bricker
Chief Accountant, SEC
The world stops for no one. Financial reporting, of course, is not exempt from change. This conference also provides an opportunity for us to talk about those changes, as well as current issues in financial reporting, and to peer into the future together and explore the role of financial reporting in a rapidly changing society. I'll use a four-year timeframe to describe changes.
My ambition is to provoke thought about 1) where we've been and 2) several trends and ideas to incorporate into planning for the future of financial reporting. In doing so, I will use as an essential starting point in framing the discussion the overall financial reporting structure, which was the blueprint I introduced at this conference last year.
Over time, the structure of financial reporting has been strengthened through comprehensive efforts. The structure, I believe, is solid. It is supported by clear responsibilities for and certifications from management, requirements to devise and maintain internal accounting controls, and requirements to have an independent expert audit committee or others charged with governance. It's supported by clear accounting and reporting standards. It's also supported by strong audit firms, a well-resourced audit regulator, and ultimately, timely prevention-first regulatory approaches.
While I remain optimistic about the long-term role of financial reporting in the United States and the world, I think we'd all agree that the backdrop is a complex one. In my view, we face a long-term overall trend of less trust and confidence in virtually all institutions, from corporations to audit firms. This trend must be reversed, and we all must work to do so. The future must be met with all of us involved in financial reporting being clear-minded, evidence-based, frank, and courageous regarding the objectives, responsibilities, and sensible expectations for each of us involved in financial reporting. Confusion or lack of action in this regard ultimately undermines purpose, trust, quality, and confidence; ultimately, it increases the costs borne by shareholders.
Improving Financial Reporting
Let me turn to financial reporting and our work in advancing it. Confidence in financial reporting is essential to any healthy economy, including in the capital markets; however, financial reporting is a means to an end, not itself the end. Its purpose is to measure, to reflect, to describe, and in some ways to interpret or otherwise disclose business events that have taken place in a decision-useful manner. High-quality, general-purpose financial statements are designed to help investors make well-informed investment decisions.
And while most professionals are certainly doing the right thing, instances of financial statement fraud, though relatively rare, do occur. When they do, they can have a profound effect on investors. Thus, it helps policy makers and practitioners alike to ask, "How can we analyze previous failures? How do we understand the root causes to learn from them and find effective and efficient ways to limit failure, while restricting burdens and costs on honest, well-run companies?"
In answering this question, it is also essential that the correct lesson be learned by the party with the corresponding responsibility to limit failure--that is, management is responsible for preparing the financial statements, subject of course to board and audit committee oversight. The independent external auditors then evaluate the fair presentation of those financial statements in relation to a financial reporting framework.
Our work over the past four years has emphasized several very well established themes. There are ten of them: Number one is talent and integrity. We have focused on and will continue to focus on inspiring future generations of accountants to enter the profession. I think that is an important element certainly of what Baruch College and the Zicklin School of Business have done so well.
Two, we focused on new GAAP accounting standards. OCA has supported the implementation of new GAAP standards by FASB.
Third, non-GAAP measures. We've talked about non-GAAP at this conference over the years. The commission rules require that disclosure controls and procedures should be designed to prevent timely detection of error, manipulation, or mischief with the numbers.
Fourth, we've focused on ICFR, internal controls over financial reporting, on which my colleagues at the SEC and I have worked diligently--together with the PCAOB, an essential partner in this regard--to communicate to companies and auditors the resources available to them to help address requirements to maintain effective ICFR and evaluate its effectiveness.
Five, we've focused on auditor independence. In May 2018, of course, the commission proposed amendments to its auditor independence rules for situations where the auditor has a lending relationship with certain shareholders of an audit client. Issuance of final rules is on the commission's agenda for 2019.
Number six, we focused on audit regulation in 2018. Of course, the SEC appointed five new board members to join the PCAOB. The new board will continue to innovate and to evaluate its oversight. They're off to a terrific start. I was very pleased that board member [Kathleen] Hamm will be here for the keynote address later in the conference.
Number seven, we've focused on audit firm governance. Five of the six largest U.S. firms have appointed independent directors or advisors with very meaningful governance responsibilities. And in that regard, I'd like to emphasize that the effectiveness of those members lies in their having an independent mindset and adequate opportunities to make active and substantive contributions, both in monitoring as well as in advising firm leadership.
Number eight, we've focused on independent audit committees of public companies. In my experience, the drivers of audit committee effectiveness include members' independence, their training, their experience, and the quality of a committee's information and communication, including with the auditors. And I encourage audit committees to think along those dimensions as they assess on an ongoing basis how to improve their effectiveness.
Number nine, we're very active in international cooperation. Among the commission's extensive international work is the participation in the monitoring group as a new addition. I was honored to be appointed to serve in the roles of last year vice-chair, now co-chair, and in a few weeks, I will assume the role of chair of the monitoring group. That's a group focused on developing recommendations, among other things, to reform the international audit standards-setting structure, as well as governance.
And then number ten, and perhaps most pervasive of all, is technology, data, and innovation. We have engaged with market participants on their innovative ideas and technological developments.
These are just examples of changes over the past four years that have both strengthened the structure of financial reporting and sharpened our focus on areas to make what we do even better.
Financial Reporting Today
Now let me talk about several observations that buttress my belief in the current strength of the U.S. financial reporting structure; that is, restatement rates in the most recent past are at the lowest level in about two decades. There's always more work that we can and should do to prevent failures in financial reporting, but I'm also pleased to say a survey of investors indicates a high degree of confidence in financial reporting. Again, our work is never done, but the trend is in the right direction.
Also, companies with ineffective disclosure controls have decreased for the second year in a row, after peaking in 2015, with IT-specific controls being the most frequently identified deficiency. Again, there's always more that we can and should do, but the trend is in the right direction.
During 2018, there were 209 new engagements and 186 departures among major global and national audit firms, suggesting that audit committees can and do change audit firms as a matter of their own judgment. That is to say, audit committees are well positioned to assess the quality of the audit services being received, and they are executing their responsibilities under the Sarbanes-Oxley Act to hire, fire, and set compensation.
Finally, just as anecdotes, auditor inspection findings are on the decline among the largest registered firms, both in frequency and severity. But again, with this point, there's always more work we can and should do to bring that down even further.
These points are anecdotal, but I believe they are consistent with an emphasis on maintaining high-quality financial reporting throughout a comprehensive structure that fosters investor confidence, promotes effective or efficient capital allocation, and ultimately makes the United States more competitive in the global marketplace. But we cannot and we must not rest on our laurels, so I'd like to touch on two broad areas that have gone through significant change and identity opportunities for the accounting profession.
The first broad area is economic trends, a subset of which is the evolution of technology which contributes to economic development. Technology is a prominent force that has been a catalyst of profound change to business models, business processes, and even accounting and audit. The opportunities and benefits that technology provides also come with risks and complexities.
For example, data security and privacy concerns are coming to the fore. Flow we respond to these challenges will have a profound effect on our capital markets. As such, we need to understand the changes through the lens of those capital markets, and particularly their impact on financial reporting. Adequately preparing the next generation of the accounting profession for such challenges will be critical to that understanding.
A second broad trend is investment strategies. On the investing side, retail investors are and have been critical to our capital markets. Over the past four decades, they have been increasingly relying on financial intermediaries to help them make investment decisions. For example, almost 45% of U.S. households own funds, generally ETFs [exchange-traded funds] or mutual funds, either directly or indirectly through other intermediaries, which is a sharp increase from only about 6% in 1980.
Think about the dramatic shift in the pervasiveness of funds and financial intermediaries. That's a result of innovative and valuable institutional services. In that regard, U.S. issuers, equities, and securities markets have been increasingly intermediated, further separating companies from their ultimate retail investors. These shifts can impact how accounting and audit information serves those investors.
For example, passive investors are not necessarily passive owners. Their governance and trading decisions rely on the consumption of high-quality, consistent, comparable financial information and other metrics, in part because it reduces their trading and monitoring costs. Also, passive investing relies on the efforts of active investors, whose buying and selling activities determine share price.
Transparent financial disclosures are essential for active investors to set informationally efficient prices, and thus there exists a strong demand for extensive, refined financial data for both corporate managers and investment advisors. Opportunities in this area, particularly for the profession, go to those who identify the changes, how those changes affect market participants, and how the needs for financial data used by investors have changed and might continue to change.
Another broad economic influence is the pace of small business formation. While attention is sometimes focused on large corporations, the growth and reporting of small business is vital to our economy. I have two very broad observations in this regard.
First, auditors serve a vital role in providing candid feedback to the small businesses that they audit, in either a financial statement-only audit or an integrated audit. They can and they should engage in two-way communications with the companies they audit because such communications help them elicit useful information from management and improve audit quality.
At the same time, an auditor may also provide management and audit committees with ideas regarding matters involving internal controls, complex accounting matters, and other matters impacting the audit. The value of this feedback flows ultimately to a company's investors. It is consistent with the public interest. I believe auditors can effectively serve this role within the boundaries of the independence rules.
Relative to large and mature companies, small businesses likely have a shorter history and hence less experience in building up robust internal control systems, so they may particularly benefit from objective, seasoned feedback regarding the role and consequences of useful information. We're all better off when auditors fully embrace their role in providing audit feedback and other services, which facilitates improvement to financial reports prepared by management, and increases the effectiveness of the audit committee's oversight. That is an important responsibility.
Second, it is essential to note that mandates for disclosure always come at a cost, and such costs can be disproportionately burdensome on small businesses. In my view, the experience with graduated disclosures or even phased implementation has been positive. For example, the PCAOB's new auditor reporting standard permits phased implementation. Auditors of companies that are not large, accelerated filers will have an additional 18 months to implement the requirements. This phased approach can apply to other standards-setting activities as well.
Phased implementation enables all involved in the implementation of new or revised standards to monitor the experience of earlier adopters, including consideration of any unintended consequences. It can facilitate more timely and effective postimplementation reviews and provide support for regulatory or standards-setting changes, education, and coordination where necessary.
Let me now transition to several international trends. There has been extensive international cooperation to promote convergence where possible between domestic and international accounting and audit standards, and work against fragmented regulation. The SEC has for decades considered accounting convergence, just as one example.
It is crucial, I believe, to identify similarities and differences in financial reporting and auditing standards across countries and to reconcile them where possible. Differences in these standards and their applications contribute to uneven financial reporting quality and audit quality. This in turn manifests in additional costs that investors bear in acquiring and processing information about foreign companies relative to domestic companies, and imposes significant costs on foreign companies that seek cross-listing. Overcoming such information barriers is vital for companies and their investors to realize the benefits of cross-border capital flows and a diversified investor base.
Given the nature and the size of our U.S. capital markets, I would expect the United States to set a benchmark in the quality of financial reporting and audit services, in no small part due to the coordinated, intensely collaborative, and informed thinking regarding the overall financial reporting structure.
I also recognize that countries around the world have different legal, governance, and capital market systems, as well as regulatory approaches. For example, regarding regulating the audit market, some organizations within the United Kingdom have recently issued several reports with varying objectives. In my view, some recommendations require more development; otherwise, they might in fact present risks to audit quality.
For example, a point in one of the reports recommends that the governance regime for an audit firm's audit business should include a board comprising "a majority of nonexecutive directors" that reports on measures related to audit quality to a newly formed regulator. Those nonexecutive appointments of individuals would be "approved" by the new regulator. This regulator would be charged with establishing wider public interest responsibilities that extend beyond investor interests.
I am concerned about national approaches that structurally intertwine private sector and public sector responsibilities, thus blurring the lines of responsibility and accountability of each, and adding additional undefined, and in many ways multilayered, incentives. For example, the path of embedding within a private sector audit firm's chain of command a board answerable to a regulator can undermine and over time impair the auditor's independence, its objectivity, and its impartiality, with deleterious effects on investor and public confidence in the reliability of the auditor's report.
A regulatory process that lacks transparency and consistency can risk placing other interests well ahead of investors' interests. It is our obligation, I believe, to investors' interests first, and notably their long-term interests first.
More broadly, it illustrates the essential responsibility for all of us--policy makers, practitioners, investors, academics--in contributing to the work of problem identification, root cause analyses, and ultimately informative evidence and other comprehensive data gathering on the audit market and audit quality to inform the policy making process.
A Bright Future
In conclusion, my colleagues and I firmly believe that a bright future beckons, but it's not a certainty. Even as we advance high-quality information in the capital markets, it's critically important for us to understand and maintain a focus on the core principles that will move us forward, and continue to act by them. Having fair, orderly, efficient capital markets that facilitate capital formation while protecting investors is a pillar of our economy. It's also vital to the quality and the performance of the U.S. economy, which supports and promotes many of America's other strengths and public policy initiatives. The future belongs to those with the courage to lead and the imagination to make things better.
Editor's note: Bricker's comments above represent an abridged presentation of a fuller commentary posted on the SEC's website at http://bit.ly/2XUoYXE.
The Road to Better Financial Reporting
Reflections on Comparability and Convergence
By Russell Golden
Next month will usher in my last full year as the FASB chairman. It will mark the end of a decade on the board and a 16-year career with the organization. It's been an honor to serve on FASB, and I've learned a lot, due in no small part to the people I've met and worked with along the way. I became chairman in 2013, which also marked the 40th anniversary of FASB. We celebrated that milestone at a "FASB at 40" event in New York City. Those in attendance included five former chairmen of FASB: Don Kirk, Denny Beresford, Ed Jenkins, Bob Heiz, and Leslie Seidman--pretty illustrious company--and I got to stand up in front of them and deliver the speech to close the event in my first major address as chairman.
In that first speech, I talked about the challenges FASB faced in 2013, specifically how to successfully improve financial reporting in the U.S. capital markets and promote and enhance the quality, comparability, and consistency of international financial reporting. I believe, and still do, that more comparable global accounting standards help reduce complexity and costs in financial reporting, costs that are borne by U.S. multinational corporations.
But by 2013, we had come to realize that the ideal of singleset, high-quality global accounting standards was just that: an ideal. Different starting points, different cultures, and different legal systems made bilateral convergence impossible to achieve. I'll discuss how I wanted to address that challenge, what we accomplished, and what I believe is left to be done.
Creating Better Standards
When I became chairman in 2013, we had put in more than a decade of work with the International Accounting Standards Board [IASB], Starting in 2002, FASB and the IASB agreed to focus their resources on areas of GAAP and international financial reporting standards that were most in need of improvement, and we succeeded in a number of key areas. Business combinations, noncontrolling interests, fair value measurements, borrowing costs, segment reporting, stock-based compensation, and nonmonetary exchanges were just some of the areas where we improved and aligned standards.
Our partnership produced many successes, and it challenged us both to set better and higher-quality standards. But we still had to complete our work on revenue recognition, leases, credit losses, and insurance, and we had to carve out a new role in international standards setting, one that would also serve the best interest of the U.S. capital market participants.
Our most notable achievement in both areas occurred in May 2014, when we issued our joint statement on revenue recognition. During the course of that project, FASB and the IASB issued multiple exposure drafts, conducted hundreds of meetings across the globe. We worked tirelessly to ensure the standard would be as useful and as operable as possible. After the standard was issued, we even created a joint Transition Resource Group [TRG] to monitor and address implementation issues in this important area of financial reporting.
I should add here that what we learned from that TRG process helped us improve how we support implementation for all projects, including FASB's credit losses TRG, which was formed a few years later. In the end, I believe that revenue recognition standard achieved its objective. It simplified GAAP. It replaced numerous disparate pieces of industry-specific guidance with a more consistent framework that ensured greater comparability in financial reporting across different industries; it improved IFRS by replacing two main revenue recognition standards that had limited implementation guidance and were difficult to understand and apply across the globe; and it improved both sets of standards by requiring enhanced disclosures that gave investors and other users a better understanding of the economics behind the numbers. Transition has gone smoothly, and costs have been lower than we had originally expected, but we continue to monitor the implementation and stand ready to address any issues that may arise.
Two years later, in 2016, FASB and the IASB issued our standards on leases. During that project, FASB and the IASB both agreed that leases belong on the balance sheet. We agreed on the definition of leases and reached consistent conclusions in other important areas, but the boards chose different approaches towards expense recognition. FASB retained our current expense approach for two reasons. First, we believe it would more appropriately reflect the economics of lease transactions, and secondly, because U.S. stakeholders told us it would be easier to operate and implement. The IASB, on the other hand, reverted to the approach in our original joint exposure draft that frontloads expense by the lessee for all these contracts, one that essentially treats all leases primarily as financing transactions.
Despite our differences, the outcome of the standards is substantially the same. Both have resulted in a more faithful representation of leasing activities. Both require organizations that lease assets to recognize them on the balance sheet, and both require more disclosures to give investors better information about these transactions.
U.S. public companies began to apply the standard this year, and while we didn't create a TRG for leases, we did make narrow scope improvements to address issues raised by stakeholders, and we will continue to monitor the progress of implementation in the coming months and years.
Next, I'll turn my attention to our work on a standard you may have heard about recently in the news: current expected credit losses, better known as CEO.. As with leases, FASB and the IASB agreed on objectives but disagreed on approaches. We agreed that we needed a more forward-looking model, but we disagreed on how to get there, largely because of what we learned from U.S. stakeholders.
Prior to finalizing our respective standards, FASB worked with the IASB to develop the so-called three-bucket model for recognizing expected losses. Auditors, investors, and regulators made it clear that the three-bucket approach would be complex and difficult to apply in the U.S. regulatory system. We met with hundreds of financial statement users, prepares, regulators, and financial institutions, and almost all agreed that the current incurred loss model was a problem. Based on our analysis, the IASB approach would be too costly for the U.S. financial reporting system to implement.
On the bright side, our work on the three-bucket model challenged us to develop a better model for U.S. transactions. As a result, we introduced a simpler, and we believe more informative, model for reporting current expected credit losses. We continue to believe that the CECL model best serves the interest of U.S. investors and that it better reflects in a timelier fashion the credit risks of loans on an institution's balance sheet.
Our credit losses TRG has helped us understand and address implementation issues before the standard goes into effect next year, and we will continue to monitor and respond to implementation questions prior to the effective date and following the effective date. We'll continue to work with the SEC, banking regulators, and others to ensure financial institutions of all sizes can make a successful transition.
On insurance: By 2013, it had become clear that FASB and the IASB disagreed on several fundamental issues in this area.
The biggest obstacle was our different starting points. When we embarked on this joint project, the IASB did not have a measurement standard for insurance. FASB, on the other hand, had extensive GAAP guidance in this area.
Initially, FASB and the IASB set out to overhaul accounting for all insurance contracts. But when we issued our proposed overhaul, U.S. stakeholders, especially investors, told us there was no significant need for fundamental changes to GAAP guidance for short-duration insurance contracts, so we decided to change course and instead focus on making targeted changes to existing GAAP. In 2015, we issued improved disclosure requirements for short-duration insurance contracts, and last year FASB issued a new standard for insurance companies that issue long-duration contracts such as life insurance.
Learning from Each Other
I'm proud of what we've accomplished in these joint projects, and I'm also proud of our success in forging a new model for how we support the goal of more comparable, high-quality accounting standards worldwide. We are doing it in three ways: first, through the development of high-quality GAAP; second, through active participation in and the development of IFRS through membership on the IASB's Accounting Standard Advisory Forum; and third, by enhancing relationships and communications with other national standards setters.
I'll start with the development of GAAP. FASB's primary objective is to develop and improve GAAP for those who use it, both within and outside the United States, but we've made it our practice to consider opportunities to align with the IFRS when possible. It's now embedded in our research process, and we keep the lines of communication open with the IASB. We are in constant contact with IASB members and staff about research on our projects, as well as research on their projects, and we share our research activities to see if we can continue progress toward improved and aligned solutions.
For example, during FASB's agenda consultation project a few years ago, we issued an invitation to comment seeking stakeholder input on potential new technical projects. As part of that process, we asked stakeholders to weigh in on the IASB's solutions on pensions and intangible assets, and whether they thought those solutions would improve U.S. GAAP.
We continue to learn from each other. Later this year, FASB and the IASB will have another joint meeting in London to discuss common projects, including performance reporting, disclosure reporting, and liabilities and equity. Over the past five years, we've also helped improve IFRS through our membership on the Accounting Standards Advisory Forum [ASAF]. The ASAF was created in 2014, and its purpose is to advise the IASB as it develops IFRS.
At ASAF meetings, we share insights and U.S. perspectives on the IASB's projects. FASB's participation on the ASAF is an important opportunity to represent U.S. interests in the IASB's standards-setting process. It's proved to be yet another valuable opportunity to work together with other standards setters on issues of common interest, and it helps all of us continue the process of improving GAAP, IFRS, and other national standards.
In addition to ASAF, we meet individually with standards setters from other countries, including Canada, Japan, Italy, Australia, China, and South Korea to exchange ideas on improving our respective standards. This process also helps promote the broader flow of information and ideas that mutually informs our thinking and contributes to an environment that will foster greater alignment of standards across the globe.
In 2020, FASB will host a meeting of the International Forum of Accounting Standard Setters in Washington, D.C. It is a group of national accounting standards setters from around the world, plus other organizations closely involved in financial reporting issues. These relationships are critical to developing better and more comparable standards across the globe, and I'm honored to play a role in helping to strengthen them.
What's left for FASB to do on the international front? Plenty, but above all, we have to keep making progress. I think FASB should continue to engage with stakeholders in the United States and abroad to make GAAP the very best it can be for those who use it and apply it.
I think FASB should continue to work with the IASB, our strongest ally in improving financial reporting. We should continue to share our research and potential solutions to standards setting problems. And I think we should follow the IASB's lead and remain focused on improving the financial statements and leave sustainability reporting and other performance metrics--however important they may be--to other experts.
I think FASB should continue to build its relationship with national standards setters and to share research and potential solutions on issues of common interest. But most of all, I think FASB should continue to actively engage our stakeholders in the standards setting process.
I ended my first speech as the FASB Chairman with the hope that when my term ended, GAAP and IFRS would be closer in key areas than they were in 2003, and I believe with your support we've achieved that. Because no matter who's on the board, FASB needs you to continue to share your input. You make standards work now and for the future, and that's one thing that will never change.
Questions from the Moderator
Moderator Norman Strauss: A lot of registrants are having more and more trouble with interim reporting. It seems to get longer and harder to get the stuff out. Is there some thinking about simplifying that?
Bricker: Great question. Quarterly reporting or interim reporting has been included in our rulemaking agenda in the form of a proposal dealing with a variety of questions about frequency of reporting. How often would be the optimal frequency? Also, how does it integrate with other communications, earnings releases, and compliance filings? And so, I would say yes, it has our attention from a rulemaking perspective.
But there's also a practical side to interim reporting, which is the ongoing preparation judgments that come into play, and thinking about materiality and the information that's otherwise included in the annual report in relation to FASB standards.
Strauss: With finishing the major topics--revenue recognition, leases, and financial instruments--does that free up some room to think of any new significant projects that aren't on the table right now?
Golden: Sure. Right now, the FASB staff are spending about 40% of their time monitoring the progress of implementation on the major standards: revenue, leases, credit losses, hedging, and insurance. The other 60% is devoted to thought leadership on the conceptual framework. We do not have a chapter on measurement, and that is one of the reasons why we have different management philosophies throughout GAAP, which I think increases cost and complexity.
We're also focused on how to improve segment reporting, as well as financial performance reporting, and we've done a lot to go out to companies and ask them what their segments would look like, and what their income statement would look like, under new models that we're thinking of.
The last thing we've focused attention on is to try to simplify the distinction between liabilities and equity. Today, there are five models to account for convertible debt. My personal view is, that is four too many; some of you are really good experts at distinguishing between liabilities and equity, and the rest of you are probably like me and are very scared to have to answer those questions.
We're going to try to make it more logical and more streamlined so that we can reduce the restatements associated with distinguishing liabilities and equity, and provide cost savings to companies, as well as a better way for investors to understand the distinction.
Current Developments at the SEC
About the Panelists
Wesley Bricker, chief accountant at the SEC's Office of the Chief Accountant; Kyle Moffatt, chief accountant at the SEC's Division of Corporation Finance; and Matt Jacques, chief accountant at the SEC's Division of Enforcement, were the panelists. Norman Strauss, distinguished lecturer of accountancy at Baruch College, moderated the panel.
The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists' own personal views and not necessarily those of their employers or those employers' boards, management, or staff.
The panel began with Bricker giving an update on the Office of the Chief Accountant's (OCA) activities, starting with some vital statistics. Consultations, he said, are down, which he attributed to the completion of implementation for the new revenue recognition standard. The top five topics for consultations are revenue, consolidations, income taxes (due largely to the effects of the new tax law), financial assets, and long-lived assets. He also described a "very consistent flow of consultations" on auditor independence matters. Bricker stressed the availability of consultation for auditors, firms, and audit committees, saying, "Getting auditor independence right the first time is a way of avoiding a very costly remedial effort in that area." Bricker then touched on international accounting topics, saying that the OCA continues to work with both the IASB and the IFRS Foundation, particularly its monitoring board, to "keep the fundamentals [of financial reporting] in clear view" during the standards setting process. "Financial reporting is the bedrock of our capital market system," Bricker said. "We can't be siloed about this and disregard the activities that occur internationally because they are a strong influence in the quality of financial reporting that underpins investment decisions that are made in the United States."
The OCA, Bricker continued, has also continued to engage with audit committees, focusing on their effectiveness in ensuring the quality of audits. "Maintaining integrity in financial reporting as the underlying environment is subject to change is absolutely important," Bricker said. Audit committees are also integral to auditor independence on multiple fronts, including hiring and firing, risks related to opinion shopping, and fee negotiations. "Fee setting is the statutory oversight responsibility of the audit committee," Bricker noted, "the auditor fee setting discussion is generally not one that's suitable to go through a corporate procurement process." Moffatt then spoke on the activities of the Division of Corporation Finance (DCF). He said that the DCA's accounting staff spends the bulk of their time on rulemaking. "We also act as counsel to the staff in the division when they have questions." Another significant portion of the DCF's work is handling Rule 313 requests to waive filing of financial statements in special circumstances, particularly in the case of Rule 305 filings for required businesses.
Finally, Jacques detailed the day-today doings of the Division of Enforcement (DOE). Accountants in the DOE support the SEC's attorneys in investigations, not only in cases involving financial statements, but also in matters such as securities fraud, insider trading, and disclosure of foreign assets. "Every investigation is different," Jacques said, highlighting the care and attention to detail needed to do the job right. The DOE also interacts frequently with the OCA and the DCF, he said.
Auditor independence, Jacques continued, is a focus of the DOE. "It's fundamental to the financial statement process to have the independent auditor in there," he said, continuing, "it's equally important for the auditor to be independent in fact and appearance." Like Bricker, Jacques stressed the availability of consultations with the SEC for auditors and filers, saying, "If you're faced with a question that you're spending time on, you should take advantage of that. A little bit of upfront work and extra consultation can save a lot of people a lot of pain and heartache."
Bricker then turned the conversation to more specific topics, beginning with internal controls over financial reporting (ICFR), which he said are "key to implementing successfully the new GAAP standards" [i.e., leases, revenue recognition, current expected credit losses]. He stressed the importance of beginning the process with a clear understanding of the risk involved. "If the audit team and the management team skip the conversation early in the audit cycle about risk assessment and risk, it increases the likelihood of a missed conversation later in the cycle, potentially with the consequence of deficiencies late in the cycle," he said.
Disclosure controls and procedures regarding items such as non-GAAP measures and key performance indicators, important elements of investor communication, Bricker said. "I think it's always a good idea, if not essential, for a company to have a good policy in place that defines and describes the non-GAAP measures and key performance indicators. It's that policy that enables the accountants at all levels of the organization to understand how they should do their job and what to do when errors or mistakes are identified." It is also important to set expectations about materiality and consistency with regard to both non-GAAP and nonfinancial measures.
Jacques added an anecdote about a joint action against four issuers who failed to maintain proper ICFR for up to 10 years. He then said that "if an issuer is sitting on a significant deficiency or material weakness and failing to remediate that over a period of time, that's an aggravating factor when we're looking at a misstatement in that area. Too often I see those significant deficiencies just sit there and not get the remediation that they deserve.... That's a potential ticking time bomb."
New Accounting Standards
Turning to the subject of new accounting standards, Bricker brought up Statement of Financial Accounting Standards 5, Accounting for Contingencies. "This is an area where many accountants make difficult disclosure judgments," he said, "so it's important to have a well-developed internal control framework built around that." Disclosure of risk or liability associated with asbestos is an example of a long-dated liability that represents significant underlying risk.
"On a topic like that, notwithstanding its complexity, it's important to apply the framework so that investors are well informed about the nature of the contingency and the nature of recognition of the contingency within the financial statements," Bricker said. Moffatt discussed the DCF's approach to the professional judgment required by the new standards. "Any time the staff is dealing with something that requires significant judgment, they're going to look at it. If it's a new rule or a new standard, they're going to look at it," Moffatt said. "We would look out there, see what was out in the public space, understand what the peers were doing, what their exposures were."
Bricker noted that even long-term liabilities represent real cash obligations: "Understanding cash obligations is really important to understanding the long-term risks associated with those investments." "From an enforcement angle, this is obviously an area where we spend time on appropriate, contemporaneous documentation," Jacques added, "that's an area in particular where I think everybody benefits by putting down clearly, candidly, what the thought process was at the time." Moffat also encouraged issuers and practitioners to reach out to his office or the relevant assistant director's office on any questions regarding the new leasing standard and non-GAAP presentation.
The New Auditor Reporting Model
Bricker then discussed the OCA's efforts surrounding the PCAOB's new model for auditor reporting, specifically the upcoming second phase of implementation, which will deal with critical audit matters (CAM). "Level of planning was and is important to successful implementation of this standard," he said, adding that the objective of such planning should be to foster consistency in communication to investors from management, the audit committee, and the auditor. In this "trio of voices," each communicates a different, important perspective on the financial statements, and thus they need to work out any material areas of disagreement before the statements are filed; early discussion, Bricker said, facilitates this.
Moffatt said that the DCF has received many questions about CAMs. Some issuers taken the view that, because the PCAOB will be examining CAMs closely, the SEC will not; Moffatt clarified that this is not the case. "This is a new rule, a new standard; the staff will look at it," he said. "I can imagine that this is going to be at the top of their list when they open the filing, at least for large accelerated filers." He added that the staff has been "reviewing these filings in these industries for years. They know what to expect. They know what companies should and shouldn't be doing."
Strauss then asked Jacques whether the DOE will be adopting a wait-and-see approach to enforcements related to CAMs. Jacques replied that, as with past changes, while the DOE will not immediately jump into investigating CAMs, neither will it hold off if it sees a particularly suspect case. Bricker added that the fundamental point of making sure everything described in the audit report is accurately represented in the file remains true.
Technology and Cybersecurity
Regarding how the changing pace of technology affects regulation and financial reporting, Bricker pointed to the SEC's new Strategic Hub for Innovation and Financial Technology [FinHub], which provides stakeholders with a place to approach the SEC on technology-related topics, such as cryptocurrency. He also noted that audit committees need to understand how technology is incorporated into financial reporting to understand the risks it entails. This is especially true with regard to cybersecurity, Bricker said, before inviting Jacques and Moffatt to expand upon that topic.
Jacques reiterated the importance of having policies and procedures in place that notify people up the chain when a cyberevent takes place, just as with any other material event in the reporting process. He noted that in some cases, other regulators may be involved who do not want to draw attention to the event right away, but said that the SEC is available and willing to work with filers on such issues.
Moffatt added that, as with other matters, the key thing is that the disclosures are timely and accurate. He cited a 21A report the DCF issued on cyberbreaches and hacking that illustrates the division's opinion on the matter.
As a final point, Bricker added that "when there's a breach, it's important to follow that through and understand the root cause. That root cause may lead to identifying weaknesses within the financial reporting system, even if the breaches occurred within an operational system. Understanding the root causes and what they reveal about the strength of the control environment is a really important step in navigating through follow-up considerations."
Jacques then discussed non-GAAP reporting and nonfinancial measures. From the DOE's experience, he said, "The diversity of understanding is wide, and I think there may be some false assurance out there." He encouraged auditors to hold conversations clarifying their role in the reporting of non-GAAP measures, especially as these measures become more prominent.
Continuing, Jacques affirmed that non-GAAP measures are "a useful tool," but only if they are accurate, consistent, and fully disclosed. "If there are changes, " he said, "disclosing those changes is critical to investors being able to rely on them." Jacques believes that "more candid and clear conversations, and some alignment of expectations, particularly for auditors with their audit committees, would be very helpful in this space."
While the DCF generally leaves looking at non-GAAP measures to the DOE, egregious cases that attempt to mislead financial statement users will still raise red flags. "I think that's very important to keep in mind when you have these situations," Moffat remarked, "we understand that this information is not audited but auditors are at least paying attention to what's being presented. From our perspective, I think the ultimate driver of any comments we issue, or enforcement being involved, is: 'Is it misleading?' It's not an easy area," he said, "but we definitely make sure that a number of people have weighed in before we object or, alternatively, tell folks to provide more detailed disclosures."
Bricker added that it is important for non-GAAP measures not to be more prominent than GAAP measures. "It's also important to keep in mind that non-GAAP and key operational measures fit into the overall package of communication to investors," he said. "What we insist upon is, to the extent that non-GAAP is voluntarily reported, that it have integrity; that it's accurate, materially accurate; that it's consistent, period, unless there's the disclosure that lets investors know that there's been a change. Those are fundamental concepts." He also added that "operational measures reflect actions, not economic value. It's a helpful supplement to financial reporting, which reflects economic value in the end."
Recruiting the Next Generation
Finally, Jacques spoke on the need to recruit new accountants into the profession, urging practitioners to take up the mantle of recruiter when they speak to college and high school students, as well as other people. "Accounting is the language of business," he said, adding, "It makes my life easier if we have good accountants, because there's usually less bad things to investigate."
Strauss then opened the floor to questions from the audience. One audience member asked about the IASB's project on updating management's discussion and analysis (MD&A), asking whether the SEC is monitoring those efforts or preparing its own guidance on the topic. Moffatt replied that while some projects may touch on MD&A, there is no current project specifically targeting it. "I don't think people have identified it as something that needs to be fixed today," he said.
Bricker added that "there is an important area for management to communicate how they have created value and to include that information in MD&A. That's well within our existing rule set. One way they can do that is by thinking about good practices, other standards, other frameworks in complying with our MD&A rules. But I don't think we're at a point of reducing choice at this stage in the preparation of MD&A. That is, we'll continue to focus on compliance with existing MD&A rules, which require disclosure of business outlook, capital resources, and how those capital resources have been deployed within the business."
How Do Preparers Cope?
About the Panelists
Prabhakar Kalavacherla, a partner in the audit quality and professional practice group at KPMG; Mark LaMonte, former managing director at Moody's Investors Service; Sarah Ovuka, professional accounting fellow at Financial Executives International (FEI); Scott Taub, managing director at Financial Reporting Advisors LLC; and Amie Thuener, chief accountant at Google Inc., were the panelists. Norman Strauss, distinguished lecturer of accountancy at Baruch College, moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists' own personal views and not necessarily those of their employers or those employers' boards, management, or staff.
Strauss opened the panel by asking Amie Thuener to talk about how issuers deal with new standards. Thuener discussed the recent major changes in accounting for leases, noting that, while the quantitative impact on the financial statements has been small, "there is a big change in the background, lots of systems changing, lots of controls and processes changing to comply with the new methods." She added that large projects such as these involve multiple functions within a company, and that early communication to all these groups, as well as management, the audit committee, and stakeholders, is critical to successful implementation. Thuener also praised FASB's efforts to keep issuers and industry groups apprised of its activities.
Prabhakar Kalavacherla added his perspective as a former member of the IASB, saying that few companies get involved with standards setting early. This, he said, is a main reason why companies find implementing standards so difficult. Of revenue recognition, Kalavacherla said that "engagement only happened after the standard become effective. In my mind, that's too late." Scott Taub then offered examples from his experience consulting with companies on implementation. In one case, a company was concerned about a proposal in the revenue recognition standard's exposure draft. He advised the company to write in with those concerns, but the company demurred, noting that its concerns were only relevant to three of FASB's 25 questions. "I said, 'Then you should write in and comment on the three and explain that you're only commenting on those because you have real experience dealing with those issues,"' Taub told the panel. Ultimately, the company did so, and as a result FASB and IASB took a different approach with the final standard.
Taub then shared his experience hearing from some companies that they had not expected their reporting to change simply because they hadn't heard any complaints about their accounting in those areas. When pressed, these companies all admitted they had not read the exposure draft. "You kind of missed your chance to weigh in," Taub said. "A lot of times things that surprise companies were actually laid out in the proposal, so it is important to take the take the time to read it."
Thuener added that, in her view, standards setters often do not get enough insight into the cost-benefit equation of large standards from the preparer perspective. "Frequently," she said, "I hear from FASB that 'we didn't know that it was this hard, that you didn't have this data available.'"
Sarah Ovuka spoke about how the FEI educates companies and their staff on the content of new standards. Like Thuener, Ovuka said that the answer depends upon the size of the company. "If you have certain people that are dedicated to the specific topic, you can do an internal training and teach each other," she explained, adding, "There are certainly volumes of helpful information that the finus publish as well." Ovuka went on to say that working with other affected companies can be helpful as well. "Education is not just about the technical; you are addressing the operational at the same time," she said.
Asked for a user perspective, Mark LaMonte said that "users of financial statements are often very late to the game in terms of understanding the impact of new accounting standards." While FASB does make efforts at outreach, he continued, most of users' information about new standards comes from companies' SAB 74 disclosures, "which more often than not don't say a lot. They might do a good job of describing what the new accounting standard is, but they generally do a rather poor job of quantifying what the impacts are until very late in the game, if at all." Investor calls also play a role, LaMonte said, especially when investors ask questions about how the new models have affected the numbers.
Finally, Strauss asked the panelists about how preparers handle internal issues with implementation, such as systems development and legal and tax questions. "I think it's critical to have a true cross-functional project," Thuener said. "The last thing you want to do is get to the end, implement, and then that's the first time your external auditors look at it. Having a partnership along the way--talking about the key accounting decisions you're making, the process changes, the control changes, and engaging them--is really important."
Leasing and Revenue Recognition
Taub began the discussion on the new leasing and revenue recognition standards by saying that he was surprised at FASB Chair Russell Golden's earlier comment that the revenue standard was cheaper to implement than FASB had expected: "It was more expensive to implement than I thought, so apparently, we had wildly different expectations." Nevertheless, he continued, the final implementation went "relatively smoothly. All of that work paid off. There were not a whole lot of companies that had to file late or were scrambling to get it done." Taub added that answering questions on revenue recognition in general is easier than it was under the previous standard, as the principles behind the accounting are more clearly laid out.
In the case of leasing, Taub said that the difficulty companies had in coming up with systems to handle the necessary data surprised him. Strauss noted that "a lot of companies couldn't even necessarily find the leases. If you're a multinational and they're not in one central place and you have divisions all over the place, they didn't even know where the leases were. And then some had translation issues; they weren't in English."
Kalavacherla added that he expected as much as one-third of internal control audit reports to receive comment from regulators on revenue recognition, so he was pleasantly surprised with how smoothly the implementation went. He also mentioned a forthcoming paper he coauthored that analyzes the filed Form 10-Ks to determine the mean and median change in revenue due to the standard; while the research is ongoing, he said, "I'm a little bit surprised to see the amount on net income has not shown much impact. Definitely on the top line, I expected a much bigger change."
"For many years, there were discussions about how this would be Armageddon and the capital markets would shut down because companies were all of a sudden going to have to put leases on their balance sheet" LaMonte remarked. "I certainly don't see that happening. Investors had long put leases on their balance sheets through many different ways, either doing a discounting of the forward lease disclosures or taking rent expense and multiplying it by a number. So this is really nothing new; it's just catching up the accounting to what sophisticated investors had long been doing."
Implementation and Research Issues
Asked by Strauss about how companies and accounting firms deal with the complexity of standards, Ovuka said, "I do think that the guidance itself can be quite complex, but when you have different resources from each of the firms, though they are quite helpful, sometimes there are discrepancies in the advice that different firms give or companies receive from different firms, which adds even more complexity to adopting these standards."
Strauss then asked Thuener about solving accounting problems. Thuener replied that her team begins by developing an understanding of the transaction itself, then looking for the corresponding model in the standards. "If there is no particular model," Thuener said, "then you're trying to figure out the intent of different models plus the economics of the transaction." In addition, she said, they also may consult with other firms and with auditors. Reaching out to regulators like the SEC and FASB is reserved for matters that are "very judgmental or gray."
Kalavacherla noted that a great deal of private companies' implementation work is being subcontracted to outside consultants. "The danger with that" he said, "is that there is never going to be any institutional knowledge in an organization if that work is subcontracted." This leaves the company's accountants, practically speaking, as more like project managers, he said. In addition, the consultants rarely perform substantive research. "They don't have a professional practice group; they're just using the Internet and doing a little bit more work," he said.
Ovuka brought up the issue of FASB's efforts to improve implementation. For example, while the new revenue recognition standard simplifies the guidance, Ovuka opined that regulators are under the misconception that the volume of data available means that any needed information will be immediately available. Thuener agreed, saying, "There isn't this sort of magic data pool where everybody can go and get whatever they want." Taub added that if management doesn't have a piece of data immediately available, it probably wouldn't be important to investors either.
Taub went on to say that, in his opinion, "FASB has done a reasonably good job of that Although the revenue recognition standard adds a ton of disclosures and there was a lot of fear that companies might not have the data, ... most companies agreed that the numbers they were being required to disclose were actually relevant" He also noted that, while the data was available, controls around it might not have been as robust as regulators would like.
Strauss then asked LaMonte whether users have any concern about the implementation process. LaMonte replied that FASB's efforts to get investor and user input before issuing new standards has hopefully eased concerns about the usability of those standards. "Certainly," he said, "FASB should be asking, 'How is this going to be useful in your decision making?' ... FASB is getting better and better, but I don't know they're quite all the way there yet."
Strauss then asked Taub and Kalavacherla to discuss compliance with SEC requirements. Taub began by again referring the audience to the quarterly updates put out by the Big Four before discussing; he then described how companies should react to SEC comment letters or enforcement attention. "Respond truthfully, don't stall, don't sandbag," he said, adding, "Get your advisors involved early. Talk to your auditors, your lawyers, whoever the appropriate experts are."
Taub also addressed the question of how to write good management discussion and analysis (MD&A): "Each quarter, start with a blank sheet of paper and do not look at last quarter's MD&A. Nobody does that; I think most companies do a fresh rewrite of a portion of the MD&A and roll everything else forward. Maybe that's adequate, but I don't think it's what the SEC or the markets hope for."
With regard to prefiling conferences, Taub said the discussion tends to be much easier "There's less pressure on getting them to agree with you when you haven't already posted those numbers." Kalavacherla noted that prefiling is available for private companies that are planning to go public. He especially recommended this practice for Silicon Valley startups, saying, "It's always a good idea to go because business models are not captured very well in a standard."
Other Reporting Issues
Strauss then turned the topic to other, older standards, such as segment reporting and deferred taxes. "You still have to continue to take a fresh look at those areas," Ovuka said, particularly when they are on FASB's agenda and there may be upcoming changes.
Strauss also asked about documentation issues. "Documentation is so important," Thuener said, "because if you get called by the SEC or if your auditor comes to you with a question, having a clear trail--how did you think about it, what's the transaction, how does it fit within the literature--makes those conversations so much easier. And having them contemporaneous gives you an ability to say, 'These are the facts I had on the day when I made the assessment.'" Taub agreed, adding, "By far the most effective response to an SEC comment is if you can say, 'See attachment A, which is the memo we wrote when we booked the entry.'"
LaMonte gave his take on the quality of note disclosures. "There is an awful lot of repetition in disclosures from year to year," LaMonte said, adding that the repetition "sometimes disguises those things that are really important to investors.... When there's that type of information asymmetry, it doesn't lead to efficient deployment of capital."
Kalavacherla brought up one point specifically regarding segment reporting, noting that the new revenue standard came from investors telling standards setters that segment reporting was not giving them the level of detail they needed. "I'm very eager to see how FASB and also the IASB are going to shape that," he said.
Working with Auditors
Kalavacherla began discussion of the next topic by saying that, when surprises crop up in audits, they are often down to poor planning by both preparers and auditors. "Upfront involvement of auditors in transactions that are not routine, like mergers and acquisitions or a new standard, will reduce the surprise level quite a bit," he said.
Strauss then asked Thuener about the PCAOB's new requirement for auditors to comment on critical audit matters (CAM). Thuener replied that it has been a topic of interest for Google and its auditors, reiterating a point from an earlier panel about consistency between the audit report and the financial statements. "We started conversations early with our auditors around what [CAMs] might look like," she said, "so that we can make sure that we've disclosed those things adequately."
Kalavacherla picked up on the consistency point, saying that companies can learn from international companies' implementation of the similar "key audit matters" (KAM) requirement; for example, he said, "there is a healthy tension between what the auditors want to disclose and what companies don't want to disclose." He also said that "avoiding boilerplate is the number one issue; make sure that this is not a cut-and-paste from another firm."
Ovuka said that early dry runs have helped quiet concerns from preparers. "We've had a lot of discussions around getting both sides on the same page and setting those expectations so that there aren't surprises when it does go live," she said.
LaMonte said that he expects to see "a significant amount of boilerplate" and that "it's focused on something that investors don't necessarily get that excited about ... Investors just want to know that the audit got done and a clean opinion was given. Whether or not it was challenging to get to the right answer in a particular area is not necessarily that important to them." Taub also voiced concerns about boilerplate, saying that earlier comments from the SEC about knowing what CAMs to expect from each industry indicated a turn toward boilerplate already.
Finally, Strauss asked the panelists what they least liked to see during an audit. The panelists generally agreed that no one is ever happy about surprises, with Thuener saying that the worst case is when a problem comes up near the end of the audit. In such cases, she said, it is important to do a postmortem afterward to prevent a repeat occurrence. "Why did it come up late? Is it because the company didn't give the right information on time? Is it because the auditors weren't looking on time? Is it because it's one of those controls that you can't audit until the last minute anyway?" Thuener also reiterated the importance of involving the auditors at the earliest possible stages of the financial reporting process.
As the subject turned to the quality and volume of disclosures, LaMonte opined that technology is likely going to play a large role. "I think we're looking at a fascinating period ahead in the next 10 to 15 years," he said, opining that disclosure of financial information is headed toward real-time availability. "Investors love data," he explained, continuing, "but it isn't necessarily taken off of the paper [financial statement] that shows up quarterly or annually. It's getting fed directly into their models through data aggregators, and getting looked at on dashboards." He also noted that investors are using digital tools to sift through boilerplate disclosures for new information.
Kalavacherla alluded to the SEC's recent settlement with an unnamed car company over its CEO's use of Twitter. In his view, "there needs to be a vetting process" for such disclosures, as "it is inevitable that there will be an explosion of information disseminated this way. We need to quickly get to a position where we can put guardrails in place." LaMonte agreed, saying that the effort will probably require collaboration between regulators, auditors, preparers, and users of financial statements.
Strauss then opened the panel for discussion on other issues. Thuener spoke briefly about the challenges presented by internal controls, saying that companies are examining their systems to see how well they are supporting the business and financial reporting, before turning to cybersecurity. With privacy such a large concern currently, "investors want to hear about [companies] putting processes in place so that when there's a problem, the information gets escalated to the right people in upper management," she said. Ovuka added that, with the expected technological advances discussed above, the next generation of CPAs will need to be knowledgeable about more than just accounting, while still maintaining that foundation of knowledge.
As a concluding thought, Taub noted that, while FASB issued 19 Accounting Standards Updates (ASU) in 2018, none were major changes; most were what he called "medium-sized issues," nonprofit-related, or technical corrections. "I think we, as a profession, can handle changes of that size," he said, even with the continuing challenge of revenue, leases, and CECL (current expected credit losses). "I think once we get these big standards behind us, we may see that keeping up is not as hard as we think it is."
Cybersecurity: Where Are We, and What More Can Be Done?
By Kathleen Hamm
Our mission at the PCAOB calls on us to protect investors and the public interest by overseeing one particular aspect of the financial reporting ecosystem: the preparation of informative, accurate, and independent audit reports. I'd like to discuss an emerging area for our oversight--cybersecurity. Specifically, I'd like to explore the dangers posed and how cybersecurity presents a threat to our financial reporting system. I'd like to also share my thoughts on what audit professionals can do to strengthen cybersecurity and resiliency in our financial reporting system. But before I do, let me give a brief update on what the PCAOB accomplished last year and where we are heading.
PCAOB Activities Update
This April marked the first lull year with an entirely new PCAOB board in place, a board that by design brought together members with diverse expertise, skill sets, and perspectives. Over much of the past year, my colleagues and I have worked hard, individually and collectively, to understand and assess the PCAOB's core programs and operations. We have also probed whether and how we can improve the PCAOB's ability to more effectively accomplish our mission.
Last month, the PCAOB published our 2018 annual report, the first annual report reflecting the oversight of the new board. We completed and approved two long-awaited standards: accounting for estimates--including fair value--and the use of specialists. The public comment period with the SEC ended last week on both. If approved, these two standards will apply to audits of financial statements for fiscal year ending on or after December 15, 2020.
On our research agenda, we prioritize data and technology and quality control. We tapped our two advisory groups, the standing advisory group and the investor advisory group, to provide us insight on each of these topics. We also convened a task force of private-sector experts to advise us on emerging technologies and data analytics and their effect on the audit.
We helped practitioners, investors, and other stakeholders prepare for the implementation of the last and most significant phase of the new auditor's report: the reporting of critical audit matters. We issued our first postimplementation review of a PCAOB standard. That standard was AS 1220, and it related to engagement quality review.
We also created a new Office of External Affairs to spearhead our efforts to increase our accessibility and engagement with our stakeholders, especially investors, audit committees, and preparers. We began the process of revisiting our approach to conducting and communicating the results of our inspections, and we awarded over $3 million in scholarships to 332 accounting students, with funds from penalties collected in our enforcement actions.
These results reflect some key priorities identified during a far-reaching strategic planning process that we began last year. That process started with the board querying our personnel, bottom to top, on what the PCAOB did well and where we could improve. We also reached out to a broad, diverse set of external stakeholders for their views and suggestions. We conducted a public survey and one-on-one interviews, and board members embarked on listening tours.
After extensive consultation and deliberation inside and out, last November we published our five-year strategic plan. That plan has five goals. Two look inward: becoming more efficient and effective with our resources and empowering our people for success in prudent risk-taking to promote our mission. The remaining three goals look outward.
These external strategies are: One, we are committed to driving audit quality forward through the combination of prevention, detection, deterrence, and enforcement. Two, we have pledged to enhance our transparency and accessibility through proactive stakeholder engagement, with a particular focus on reaching out to investors, audit committees, and preparers. Third, we have dedicated ourselves to anticipating and responding to a changing environment; in particular, to preparing for the opportunities and the risks that emerging technologies present to financial reporting and auditing.
The Benefits and Risks of Technology
Why is technology a key strategic imperative for us? While we do not know precisely how or when, we do know that emerging technologies and data analytics will fundamentally change the way financial information is reported, how audits are conducted, and ultimately how we at the PCAOB perform our work. More and more, companies now use algorithms and robotic process automation [RPA] to perform finance tasks. They are also increasing their use of advanced analytics and artificial intelligence in their financial reporting.
Auditors, in turn, are exploring new approaches to technology and analytics to perform their assurance functions. Today, some auditors use drones for inventory observations. Tomorrow, data analytics could replace sampling techniques with analysis of all transactions and accounts. Eventually, blockchain and distributed ledger technology could make confirmations a thing of the past.
Technology offers the promise of combining increased efficiency with improved effectiveness, resulting in enhanced audit quality. Freed from time-consuming manual reviews, technology may provide auditors with more time to exercise their business and financial expertise. That time could help auditors sharpen their professional skepticism and their ability to more effectively identify indicators of error and fraud. That additional time could also allow auditors to more deeply probe the potential root causes of identified issues and concerns.
But for all their promise, emerging technologies present real risks. Coding errors present inherent threats. Some occur during development; others can occur when changes are made after deployment. Still other errors may lie dormant for extended periods of time. Some experts estimate that between 15 and 50 coding errors exist for every 1,000 lines of code. Given the complexity of many software applications and solutions, many of which contain millions or tens of millions of lines of code, the risk of material errors is not trivial.
The threat also exists for unintended or algorithmic bias. This bias occurs when systematic, repeatable errors in software or computer systems cause unfair outcomes, arbitrarily favoring one result over another. Bias can emerge from the design of an algorithm itself or through unintended or unanticipated uses of the algorithm. For example, software designed to automate the analysis of real estate leases may prove feeble at analyzing equipment leases. Bias can also occur from the way data is coded, collected, selected, and used to train algorithms. These algorithms underpin machine learning and related artificial intelligence solutions.
The Downside of Interoperability
Unauthorized access to information systems and data also presents a significant threat. Amplifying this threat is how interconnected we all are to one another through technology and communication networks and systems. This interconnection occurs through domestic and international telecommunications, financial, retail and host sale payment, and clearing and settlement systems. It also occurs through the Internet.
Today, we communicate and engage in commerce through the Internet. Organizations of all types--energy, transportation, healthcare, financial services, nonprofits and humanitarian groups, and governments--operate on the Internet. Vast amounts of personal and other data are accessible there, too. A key characteristic of the Internet is interoperability--the ability for different networks, systems, and devices, as well as applications, to connect, exchange, and use data across organizations and sovereign borders. Security was an afterthought at best.
And now everyday objects, so-called "Internet of things" devices, are connected to the Internet as well. Personal computers, smartphones, cars, thermostats, electrical appliances, lights, even cardiac monitors, to name a few, send and receive huge amounts of data, largely unfettered by country boundaries.
To fully appreciate the magnitude, scope, and speed of this change, think about this. In 2003, just a year after the establishment of the PCAOB, half a billion devices were connected to the Internet around the globe. By next year, Internet-connected devices are expected to have increased 60-fold, to almost 31 billion. This translates into nearly four devices for every man, woman, and child on the planet.
With this unprecedented access comes peril. Until recently, though, much like the Internet itself, little thought was typically given to the security of these devices. This means 31 billion potential access points for criminals, hacktivists, independent digital malcontents, and even rogue nation-states.
Earlier this year, the U.S. Director of National Intelligence released a report outlining the greatest dangers facing the United States and our intelligence community's proposed response to those dangers. One of the threats was cybersecurity and resiliency. The threat includes the loss of proprietary and sensitive information, the manipulation and destruction of data systems and networks, and even harm to physical assets, as well as the related costs and the undermining of confidence in our institutions. While acknowledging the heightened awareness of cyberthreats and improved cyberdefenses, the report was sobering in its conclusion that nearly all information communication networks and systems will be at risk.
The report continues that our adversaries, both state and nonstate actors, are using cyber access and capabilities to advance their own strategic and economic interests. As we integrate technology into everything we do, the report notes that cyberthreats will pose increasing risks to our economic prosperity and public health and safety.
Similarly, in January, the World Economic Forum highlighted rising dependencies of economies on Internet connectivity and digital information, citing data fraud or theft and cyberattacks as the fourth and fifth most likely sources of global risk in 2019. In its prior year report, the forum highlighted a study that projects that cybercrime will cost businesses $8 trillion over the next five years.
How Cyberthreats Affect Companies
Now let's put a finer point on specifically how cyberthreats can affect financial reporting. Just over a year ago, the SEC brought a settled enforcement action against the company formerly known as Yahoo for misleading investors by failing to disclose one of the world's largest data breaches. Yahoo's successor paid a $35 million penalty for that violation. This was the SEC's first action against a company for a cybersecurity disclosure violation.
To recap, in late 2014, hackers associated with the Russian Federation infiltrated Yahoo systems and stole personal data relating to hundreds of millions of user accounts. Within days of the intrusion, Yahoo's information security team understood that the company's so-called crown jewels had been exfiltrated. This stolen data included usernames, e-mail addresses, telephone numbers, birthdates, encrypted passwords, and security questions and answers for the compromised accounts.
While information on the breach was reported to Yahoo's senior management and legal department, the company failed to properly investigate the incident or adequately consider whether the breach needed to be disclosed to investors. The company also kept its auditors and its outside lawyers in the dark. The breach was only disclosed publicly more than two years later, when Yahoo's operating business was being acquired by Verizon. Ultimately, because of that breach, Verizon lowered its purchase price for Yahoo by $350 million, representing a 7.25% discount.
Among other things, the SEC found that Yahoo failed over a two-year period to make required disclosures about the breach and its potential business impact and legal implications in its quarterly and annual reports. In those filings, instead of disclosing that an actual breach had occurred, the company merely stated that it faced the risk of and potential negative effects from data breaches. Importantly, the SEC also found that Yahoo failed to appropriately design and maintain effective disclosure controls and procedures that ensured the timely assessment and escalation of cyberincidents from Yahoo's security information team.
Relatedly, earlier this year, $29 million was paid to settle private derivative actions alleging that the former directors and officers of Yahoo violated their fiduciary duties of care by failing to properly oversee the company's handling of a series of cyberattacks from 2013 to 2016. These cyberattacks allegedly involved as many as three billion user accounts and included the data breach that formed the basis for the SEC's enforcement action.
Of note, this settlement also represents another first. It was the first monetary recovery in a derivative action involving a data breach. Until then, settlements of data breach-related derivative lawsuits included governance changes and modest attorney fees, but no cash awards.
Last October, the SEC issued an investigative report highlighting a specific type of cyber-enabled fraud that victimized nine companies. It involved criminals using manipulated or spoofed e-mail addresses and domains to impersonate company executives and vendors to dupe employees into making unauthorized payments. Over the course of weeks or months, each of the nine companies lost at least $1 million, with one losing more than $45 million; collectively, the companies lost nearly $100 million. Most of the money was not recovered. In some instances, the frauds were only detected after inquiry from law enforcement or an outside party.
What happened in these instances? The scams came in two varieties. The first type involved criminals masquerading as company executives, sending emails to mid-level finance employees with authority to transmit funds. The emails typically made urgent requests for funds to be wired to purported foreign bank accounts of well-known law firms to facilitate supposed fast-moving mergers. The e-mails also instructed the employees to keep the request secret. Then, instead of going to the law firms, the funds were wired to the bank accounts controlled by the criminals.
The second, more sophisticated variant involves criminals hacking into the actual e-mail accounts of companies' foreign vendors. After fooling company employees into revealing actual purchase order or invoice information, the hackers then tricked the employees into replacing the vendors' payment information with routing information to bank accounts controlled by the hackers.
While declining to bring enforcement actions against the companies, the SEC used the report to underscore the obligations of public companies to devise and maintain sufficient systems of internal accounting control. By statute, these systems must provide reasonable assurance that granting of access to the company's assets and execution of company transactions are only done in accordance with the general and specific authorization of management.
According to the SEC, the hackers succeeded in large part because company personnel was unaware of or did not understand their company's internal controls. Those employees failed to recognize multiple red flags indicating that a fraudulent scheme was under way. The commission further cautioned public companies to be mindful of cyberthreats when designing and maintaining internal accounting controls.
To put these threats into perspective, the FBI estimates that business e-mail compromises have cost companies more than $5 billion over the past five years. Given the likelihood of underreporting, that actual figure might be substantially higher. In fact, some empirical evidence suggests that companies withhold information from investors on more severe cyberattacks, especially when management appears to believe that the attacks will not be independently discovered.
What Auditors Can Do
What is the role of the auditor as it relates to these and other cybersecurity threats facing our financial reporting system? Today, based on our current standards, an auditor of public company financial statements plays an important, but limited, role with respect to cybersecurity. The auditor does not broadly evaluate the company's overall cybersecurity risk or the design and operating effectiveness of nonfinancial controls adopted by the company to mitigate that risk.
Instead, as it relates to cybersecurity, the auditor focuses on information technology that the public company uses to prepare financial statements. The auditor also focuses on automated controls around financial reporting, such as controls around the reliability of underlying data and reports. When doing integrated audits, the auditor also separately assesses companies' internal controls over financial reporting.
With respect to cybersecurity disclosures by a public company, a financial statement auditor plays two distinct but likewise limited roles. For cybersecurity-related incidences reflected in the financial statements themselves, the auditor evaluates whether those statements, taken as a whole, are fairly presented in accordance with generally accepted accounting principles in all material respects. For example, if a company establishes a material contingent liability for an actual cyberincident, then the auditor would need to evaluate in the overall context of the financial statements the appropriateness of the disclosure of that liability in the footnotes of those statements.
The auditor plays an even more limited role when cyber-related information is not contained in the financial statements themselves, but elsewhere in the company's annual report. Here, the auditor need not corroborate the information in the report; instead, the auditor need only read and consider whether the cyber-related information in the report or its presentation is materially misleading, is a material misstatement of fact, or is materially inconsistent with the information in the financial statement.
Can auditors do more? Unless an organization runs entirely on manual processes without using technology or the Internet, I believe auditors should consider cybersecurity as part of the risk assessment. Few enterprises are totally devoid of cybersecurity risk, particularly public companies.
We know some auditors are laser focused on cybersecurity and have taken steps to specifically consider cyberthreats when assessing the risks of material misstatement in the financial statements of public companies. Whether or not a cyberincident has occurred, during the planning process an auditor must perform a risk assessment, and I believe that assessment should consider any cybersecurity risks that could have a material effect on the company's financial statements. If the auditor identifies a risk related to cybersecurity that could have a material effect on a company's financial statements, the auditor should then design and execute procedures to address those risks. For an integrated audit, this work would include testing relevant controls.
To begin the risk assessment, an auditor must obtain an understanding of the company and its external and internal environment. This understanding, of course, includes the company's IT systems relevant to financial reporting, along with any related subsystems. This also includes understanding the potential access points into these systems, as well as the logical access controls over the systems.
As part of the risk assessment, I believe an auditor should also understand the methods used by the company to prevent and detect cyberincidents that could have a material effect on the financial statements, the company's processes that block and identify attempted unauthorized transactions or access to assets, and employees' familiarity with those processes.
Other areas of focus should include the company's processes to assess and address material cyberincidents once identified. This includes understanding, for example, how the company ensures timely evaluation and reporting up the management ladder of material incidences. It also includes how the company ensures appropriate escalation to the board and timely consideration of disclosure obligations to investors and others.
When performing these risk assessments, I encourage auditors to think broadly. As companies become more digitally linked to their vendors, customers, and employees, the potential entry points and attack surfaces multiply. We also know that threat actors usually target the weakest link to gain entry: a website and an email account. Once inside, threat actors typically seek to move laterally throughout the organization's IT architecture, looking to gain entry and access into systems they can exploit. As a result, an auditor should be clear-eyed about the risk that attackers can operate under the guise of legitimate users, ultimately accessing the systems or subsystems that support the financial reporting process.
Even if a specific cyberincident has not been identified, it is important for an auditor to remain professionally skeptical throughout the audit. According to a recent study, the average time to identify a breach is 196 days, more than six months. Therefore, a real possibility exists that a breach has occurred and has not yet been identified or disclosed to the engagement team.
What is an auditor's responsibility if a company experiences a cyberincident? Of course, the auditor must assess the nature and extent of the breach, including what was stolen, altered, or destroyed. The auditor should also consider the expected effect of the breach on the company's operations. Armed with that information, the auditor should consider the financial statements and the financial implications of the breach. The financial effects could include the loss of revenue from disrupted operations and the cost associated with securing, reconfiguring, and replacing systems. Costs could also include the fees associated with conducting forensic inquiries and defending against enforcement investigations and civil actions, as well as paying regulatory fines and civil monetary penalties to harmed private individuals.
Beyond that, the auditor should also assess whether the incident resulted from a deficiency in the company's internal controls over financial reporting, and whether the company has put in place procedures to prevent similar future incidences. The auditor should also explore with management and the audit committee the nature and type of disclosures that the company is considering in its financial statements or notes to those statements.
An auditor's obligation to assess the risk of material misstatement continues throughout the audit. Therefore, if the auditor obtains information about a cyberincident during the audit, then the auditor should evaluate whether that incident has an effect on the previously performed risk assessment. If so, the auditor would need to revise the risk assessment and appropriately modify the planned audit procedures, potentially performing additional procedures. Regardless of the effect on the risk assessment, the auditor would need to document relevant considerations of the cyberincident on the audit.
Finally, even when a cyberincident may not appear to be material to the financial statements, if an auditor becomes aware of a possible illegal act related to the incident, the auditor would need to make sure that the company's audit committee is adequately informed about it as soon as practical. Such an incident could occur if management, notwithstanding a legal requirement, failed to timely disclose a breach of customers' personally identifiable information.
A Shared Responsibility
Cybersecurity represents one of the most significant economic, operational, and national security threats of our time. It is a key risk to investors and our capital markets as well. How do we respond? One thing is for sure: we all must take responsibility. The government, private institutions, and individuals each share responsibility for protecting our individual and collective assets and each other from cyberthreats.
Public companies and their officers and directors have important roles as well. So do auditors. Given the magnitude of the threat, we can only effectively respond if we act together. Thank you for giving me this opportunity to share my thoughts on a topic I'm passionate about.
Kathleen Hamm, JD, LLM, is a member of the PCAOB and vice chair of its global audit quality group. The views expressed above are Hamm's alone and do not necessarily reflect the views of the board, her colleagues on the board, or the PCAOB staff.
Current Developments in the Private Sector
About the Panelists
Susan Cosper, technical director at FASB and recently appointed to be a member of the board; Robert Laux, region lead for North America at the International Integrated Reporting Council (IIRC); David Schmid, partner and U.S. and IFRS Standard Setting Leader at PricewaterhouseCoopers; and Alison Spivey, partner at Ernst & Young and member of the IASB/FASB Revenue Recognition Joint Transition Group, were the panelists. Norman Strauss, distinguished lecturer of accountancy at Baruch College, moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists' own personal views and not necessarily those of their employers or those employers' boards, management, or staff.
The panel began with Alison Spivey discussing private companies' implementation of the new leasing and revenue recognition standards. She began by listing revenue topics that she has received frequent questions about, such as identifying performance obligations, variable consideration, and allocation of transaction prices, noting that these are the same questions seen during implementation by public companies. She focused on the accounting for multiple goods or services sold to a single customer.
"Even though a company may have packaged multiple goods and services together, and a customer wants to buy all of those because they were all part of a contract, that doesn't necessarily mean that the company is asking for some integrated solution," she said. "Sometimes it is, and you would have a single unit of account, but oftentimes it's not, and so you have to have the revenue recognition appropriately associated with the individual units of account." She continued with the example of when a company is transferring something to a customer at the inception of the contract and there are follow-on services attached. "Some companies may be accustomed to a revenue recognition model that lumps all of that together and you get an even revenue recognition pattern over a term of a contract. Under this standard, there's certainly a challenge to determine whether there truly is a two-way dependency between those goods and services--the stuff that you transfer upfront and the things that are being delivered over time. In many instances, a company finds that they need to pull those apart. Anything that's transferring upfront, revenue gets recognized then; anything that's transferring over time, the revenue gets recognized over time. That can cause some changes in accounting, and I think private companies are just trying to get used to how to apply the framework."
With regard to allocating a transaction price, Spivey added, "There are some specific guidelines in the standard to take variable amounts of a transaction price and allocate them specifically to certain goods and services in your contract to make sure you're getting the right amount of revenue recognized at the right time."
Spivey then turned to contract modifications, noting that public companies are dealing with SEC comment letters on the matter. "The volume hasn't been that significant so far, but I anticipate that we'll see that increase." She also noted that the comment letters are in the public record and available for review. Spivey then outlined the guidance for contract modification, again stressing, "this is an area where there are very specific guidelines in terms of how an entity should evaluate a change to a contract." Susan Cosper added that FASB does have an active agenda request on the topic, specifically license renewals, and the board planned to discuss it at its next meeting.
Regarding the new leasing standard, Spivey stressed the importance of transparent disclosures, saying, "It's important for that information to be provided comprehensively so that investors can have a true understanding of what a company actually did with respect to its leasing activities." In addition, she reminded the audience of the requirement to apply the new annual disclosures for leasing to all interim periods during the first year of adoption. "It's brand-new; you can't just fall back on last year's annual report," she added. Spivey also noted that lessees in particular need to make appropriate adjustments on the balance sheet when leases are modified, especially regarding the liability and right-of-use asset.
Asked by Robert Laux about the lack of a Transition Resource Group (TRG) for the lease standard, Cosper said that FASB's main motivation for not creating a TRG was the more targeted nature of the standard as compared to the revenue recognition and credit losses standards. FASB did, of course, receive many questions on leases, Cosper said, but it addressed them through public forums and webcasts. Cosper also took the opportunity to mention FASB's implementation web portal, technical inquiry service, and other implementation resources.
Identifiable Intangible Assets and Accounting for Goodwill
David Schmid then discussed FASB's upcoming guidance on accounting for accounting. Firstly, FASB expected to finalize its standard on accounting for goodwill and certain other intangible assets for not-for-profit entities by the end of May. The second item, Schmid said, was a planned invitation to comment regarding accounting for goodwill and identifiable intangibles focused on decision-usefulness and cost-benefit.
Outlining the recent history of goodwill accounting updates, Schmid noted that FASB's goal has been relieving the burden on preparers while still retaining decision usefulness for users. Improvements have included a qualitative screen to the impairment test for all entities, voluntary options for amortization, and elimination of the annual trigger test for goodwill impairment, among others. These alternatives have been "well liked" and "widely accepted" by public and private companies, Schmid said, and the upcoming ASU will extend them to nonprofits.
Schmid then discussed the central questions in FASB's upcoming invitation to comment: "Should public companies be able to amortize goodwill? Over what period? Should it be optional? Should it be mandatory? Are there ways to further simplify the impairment test? What about intangibles in a business combination, can you subsume some of those into goodwill? ... Can we simplify disclosures or will some of these changes actually require more disclosures?"
Balance Sheet Classification of Debt
Next, Cosper discussed FASB's project to simplify the classification of debt on the balance sheet. FASB is currently working toward issuing a second exposure draft, Cosper said, describing the governing principle of the update as "you basically should follow the contract. If the liability is contractually due to be settled in more than one year or if the entity has a contractual right to defer settlement of the liability for at least one year after the balance sheet date, the debt arrangement should be classified as noncurrent."
Cosper also described the guidance as "more simple, but not everyone actually likes the answer. And investors, from what we understand, really didn't understand the classification principles that were out today because they're not really fact-specific and there's a number of nuances to them." According to Cosper, one challenging aspect has been the classification of unused financing arrangements. "For example, if I have a long-term financial arrangement in place at the balance sheet date, should I be able to use that to cover what would be perceived to be a current liability and make it long-term? ... As we stand, the board has decided not to allow that, but there is some discussion in the exposure draft that's coming out," Cosper said. Cosper also clarified that FASB planned to issue the exposure draft in mid-June.
The next topic was the efforts of FASB's Private Company Council (PCC) to create an expedient for determining the current price of the underlying share of share-based payments to employees. Spivey explained the rationale behind simplifying this complex area of accounting. Because their shares are not constantly being traded as public shares are, private companies can have trouble accurately valuing their stock when accounting for share-based payments, and auditors can have trouble verifying that valuation. The PCC has been working on this with private company stakeholders for some time, Spivey said, and current efforts are focusing on whether the exercise price of the stock would be an accurate measure of fair value.
Questions surrounding this approach, Spivey said, center on how the company sets the exercise price in the first place: "How much diligence did the company put into that? What type of audit work would an auditor need to be doing to evaluate the company's process and resulting conclusions on the exercise price?" Spivey also praised FASB's efforts to recognize the different accounting needs of private companies versus public companies, and said that the PCC expected to discuss the topic further.
Cosper elaborated on FASB's efforts, saying that a key question is whether using exercise price, or any other practical expedient, will actually provide relief to companies or just their auditors.
Distinguishing Liabilities from Equity
Cosper then moved on to FASB's project on distinguishing liabilities from equity, saying it originated as a comprehensive look at liabilities and equity in total. "What we learned through the last invitation to comment was we should just focus on making some targeted improvements that would ease the burden for companies in terms of the cost and complexity," she said, adding that initial deliberations are complete and FASB expects to issue an exposure draft in summer 2019.
Getting into the details of the upcoming draft, Cosper said that FASB's goal is simplification. "What we're doing is really increasing the simplification of accounting for convertible instruments by reducing the number of convertible instrument models. And we're also reducing the bifurcation of conversion options. What that means is, more things will be reported as a single unit of account under the traditional debt model," she said, explaining that the number of models will decrease from five to two.
The changes will benefit investors as well, Cosper said. "They didn't really like that these things were bifurcated; they preferred one unit of account." She also said that only a few changes will be made to disclosures, making them "slightly more granular than what was already required today."
This project also includes FASB's work surrounding the derivative scope exemption, of which Cosper said, "We're increasing use of management's judgment. We're reducing the strict rules, we're reducing the form-over-substance classifications of outcomes, and providing more use of management judgment in this area." Rather than requiring reassessment of a derivative's fair value by each of 20 measuring criteria for every reporting period, Cosper explained, the anticipated changes will allow companies to assess the probability of contingent events and exempt remote ones from evaluation, as well as require reassessment only on specific triggering events. In addition, the number of additional conditions for equity classification will decrease from seven to four. This exposure draft is also expected in summer 2019.
Reference Rate Reform
Cosper then discussed reference rate reform, calling it "one of the board's most important projects and probably very understated in terms of what's on the board's agenda." As banks move away from using the London Interbank Offered Rate (LIBOR) as a benchmark rate, hedge accounting will be affected. The likely alternative will be the Secured Overnight Financing Rate (SOFR), and FASB is working to smooth the transition for issuers. "We're doing a lot of research with companies and banks internationally to try and understand all of the issues that are in this space, particularly as it relates to hedge accounting," Cosper said. "What happens when debt is modified? Does it resolve in an extinguishment or does it result in some kind of a modification to the existing instrument?"
Schmid agreed on the importance of this project, saying, "If you start taking an inventory of where LIBOR appears in contracts, loans, or any type of activity that your corporate entity does, it is awe-inspiring."
Accounting for Episodic TV Series
Spivey then spoke on the PCC's project changing the accounting for episodic television series. The previous guidance, she said, was viewed as outdated, as it classified film and television productions separately and gave different thresholds for capitalization of production costs. As episodic TV production has become more like film production with programming designed to be "binge-watched" on streaming services like Netflix, the Emerging Issues Task Force (EITF) decided to align the two models. Impairment models for broadcaster content and presentation and disclosure requirements are also affected, Spivey said.
Contract Liabilities and Related Topics
Spivey also spoke about FASB's invitation to comment regarding measurement of contract liabilities and related topics. She gave the example of licensing of intellectual property as an area where questions have arisen, specifically about the value of such a license when the licensor is acquired by another company. While the EITF has decided that companies should use the definition of a performance obligation from ASC Topic 606 to help determine the liability that should be recorded, Spivey said, other questions exist as to determining the fair value of that liability. The invitation to comment is an attempt to sound out views on all the various scenarios where such issues could arise.
Cosper took the floor to discuss disclosures about government assistance. "There's no guidance in GAAP today. The proposed update that we issued back in 2015 did not provide recognition of measurement guides; it really just provided disclosures." The many different types of government assistance available to business entities, Cosper explained, makes establishing a single recognition measurement model difficult, so FASB is currently focusing on disclosures.
"We exposed this update back in November of 2015," Cosper said, continuing, "the board has been working on redeliberations for the last year and a half or so." The effort has focused on setting a defined scope for the guidance, which currently covers all contracts in which a company receives a grant of assets, tax assistance or debt-related assistance, but excludes transactions in which the government is a customer, government assistance accounted for under the income tax standards in ASC Topic 740, employee benefit plans, and not-for-profit entities. The board is now doing research to determine the cost to companies and benefit to investors of these disclosures; while investors welcome any information on this topic, companies have said tracking this information is "very cost prohibitive," Cosper said.
Financial Performance Reporting
Cosper's next subject was financial performance reporting, which she described as "a project where we've spent quite a lot of time trying to frame the problem. The issue we're working on right now is the aggregation of earnings into only a few line items, and specifically cost of sales and SG&A [selling, general, and administrative expenses], and potentially disaggregating some of those individual line items." Field tests, Cosper said, revealed that companies' consolidation systems make this kind of disaggregation "extremely challenging and costly," although she also noted a significant difference between the capabilities of younger tech companies and older, "mature" companies.
"The team is now looking at a different approach," Cosper continued, saying that the next field test will focus on how management uses the line items internally. "Is there any sort of disaggregation that they do that might be useful in coming up with some kind of solution?" Cosper also voiced some concerns over complexity, prompting Laux to recall that a similar previous project had stalled out due to significant preparer opposition. Cosper clarified that this opposition had centered on the statement of cash flows and the balance sheet, which are not within the current scope.
Schmid then spoke on segment reporting, which has been on FASB's agenda since 2017. Efforts are currently focused on whether the right segments are being identified, the aggregation criteria are working well, and the right disclosures are being made. FASB has done "a lot of research," Schmid said, including many of his own clients. "The results of the study are probably not that surprising: the cost-benefit analysis didn't necessarily work," Schmid said. "Users weren't convinced that they would get the right information." Of particular concern was a possible increase in segment changes from year to year, which would require restatement of prior years each time. Another study is planned for 2019, Schmid said, for discussion in late fall.
Laux asked Cosper whether FASB still plans to change aggregation criteria for segments. Cosper responded that it is not, saying, "Some of the feedback that we got was that it didn't provide more useful information to investors.... The concerns always seem to be around the single-segment companies, and in many instances, there are valid reasons for them to be single-segment." Laux shared his own experience of Microsoft's resistance to the aggregation criteria used in segment reporting as an example of how management faces difficulties reconciling the way they want to run the business and the resulting accounting and disclosure ramifications.
Finally, Cosper spoke briefly on a few other noteworthy topics. One such topic was phase 3 of the business combinations project, harmonizing different items between asset acquisitions and business combinations, such as in-process R&D and contingent considerations. A second exposure draft on income tax disclosures was recently released, Cosper said, as was an exposure draft making some simplifications and improvements to ASC Topic 740. Phase 2 of the hedge accounting project is under way.
"Everyone asks about disclosures," Cosper concluded. "We're continuing to work on improving share-based payment disclosures. We keep hearing there's too many disclosures and not the right disclosures. Inventory, an area where there's very light disclosures, we're in the process of reinvigorating that project. And, lastly, we're starting to work on interim disclosures."
About the Panelists
Robert Uhl, partner at Deloitte & Touche LLP; Scott Taub, managing director at Financial Reporting Advisors LLC; Mark LaMonte, former managing director at Moody's Investors Service; Kirk Silva, vice president and head of accounting policy at Fannie Mae; and Jay Shah, project manager at FASB, were the panelists. Norman Strauss, distinguished lecturer of accountancy at Baruch College, moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists' own personal views and not necessarily those of their employers or those employers' boards, management, or staff.
Strauss opened the panel by asking Mark LaMonte whether users are happy with the state of reporting for financial instalments. "I don't know as anyone's happy (with the way this is going," LaMonte replied, noting that 11 years have passed since FASB and the IASB took on the revision accounting standards for credit losses in the wake of the 2008 financial crisis. "U.S. GAAP and IFRS have come up with very divergent solutions here," he said, "and the U.S. GAAP solution is rather unique in that the day you make a loan, you will be putting a reserve on your balance sheet for that loan. Banks in particular are going to see their loan loss reserves jumping pretty dramatically." LaMonte also said that he has seen "some decent quantification" in on SAB 74 CECL (current expected credit loss) disclosures, which he characterized as "some pretty material effects in terms of the loan loss reserves. How it flows through to the effect on capital isn't nearly as significant, but the balance sheets of these banks will be looking somewhat different."
Kirk Silva then tried to explain this change. "The new standard says, based on everything you know today, your historical experience, and your projections about what's to come, what's your best estimate of the losses you're going to incur over the life of these portfolios?" Silva added, "This isn't really just a financial services standard; we expect that it will apply broadly to many companies." Robert Uhl pointed out that the standard also applies to contract assets, which people often miss.
Implications of the Expected Loss Model
Scott Taub added that the required measure of a loan was less than both fair value and cost, which he found "remarkable. Usually, we choose between cost or fair value; here we've said, no to both." He continued by providing an example: "Make a million-dollar loan, the risk-free rate is 5%. You perceive that there's a 3% chance that you're not going to get paid, so you might be making a little profit. You charge 9% on the loan, you take an immediate 3% loss. You are going to record a reserve based on the expected losses, not taking into account the fact that you're charging interest on that loan." Strauss clarified that this recording takes place on day one, to which Taub noted, "There's no question that this is understood and this was intended. I just find it very difficult to explain to my clients."
Shah then responded to a query from Strauss about FASB's internal take on this requirement. "This expected credit loss model is built on the incurred loss model," Shah said. "You start off with historical loss assumption, and you're just going to be considering a reasonable supportable forecast and then reverting back to your historical loss information." Taub replied that while this analysis works on a portfolio level, "it fails when you look at it loan by loan."
Taub also acknowledged that the prior incurred loss model had its own issues, saying, "It was always very difficult to identify whether a loss has been incurred. The positive thing about CECL [current expected credit losses] model is you no longer have to figure that out; you incurred the loss when you made the loan, as it turned out ... that does remove a point of judgment that was something of a fool's errand.... But what we've got is going to be complicated as well." Explaining further, he said that while banks may have internal processes that mirror this model, commercial companies might have no experience with the approach at all, although the change for them may turn out to be immaterial.
Continuing, Strauss asked whether commercial companies with 90-day trade receipt rules could ignore future analyses entirely. Taub said that, while the change for such a company would not be large, "it's at least something that you need to monitor. And more importantly, for commercial companies that have debt portfolios or that sometimes make loans to other companies in their industry as a form of investment, CECL applies; they'll have to do the work." Strauss also asked whether commercial companies will need documentation showing they know about the new rule; Uhl clarified that they will.
Silva then discussed how the model would apply to long-term loans, such as 30-year mortgages. "It's even more complicated," he said, "because those loans are prepayable, and so it's not really a 30-year period that you're going to lose over; it might be a five- to seven-year period for a fixed-rate, 30-year mortgage." Continuing, he noted that, while lenders can generally expect some percentage of their long-term loans to eventually default, the actual amount is dependent upon changing economic factors. Both Silva and Taub confirmed that the allowance for credit losses would likely increase under the new rule.
Strauss then asked whether this rule would have helped during the last financial crisis. Silva opined that banks would have built their reserves faster due to incorporating the forecast of falling home prices into their planning. LaMonte added that, as banks began to make poorer loans in the years leading up to the crisis, their recognition of higher expected losses might have provided a clue to that fact. Uhl's view was that any certainty about the effects of the rule in such a situation would have to wait until the next financial downturn; he also noted that the IASB's divergent standard would be similarly tested, leading to an opportunity for comparison.
FASB Guidance on CECL
Jay Shah discussed FASB's efforts at providing guidance for the new credit losses standard. Shah began by stressing that FASB went through "a rigorous process" when developing the standard, exploring many alternative models before arriving at the one they used based on feedback from stakeholders. "The standard itself is intentionally built to be scalable; it should be adoptable by all entities, big and small," he continued. "I think you're supposed to build on what you were doing and you just should look at your historical loss information, which you're doing today, presumably.... There's a lot of judgment there. We keep reminding everyone just go look at the guidance, it's flexible intentionally." Shah also explained that the duration of inputs can vary, and that companies are not required to search for all possible information when making estimates. "It's a best-estimate model, similar to what insurance companies do for long-duration contracts," he said.
Strauss asked how auditable the information produced under the new rule would be. "I think that the auditors will encounter the same difficulties the preparers do," Uhl replied. Uhl also discussed two exceptions to the new rale: available-for-sale debt securities and purchased financial assets that have experienced credit deterioration (PCD). Available-for-sale debt securities, he said, are already listed at fair value on the balance sheet if they are likely to be sold; for securities that do not meet that criterion, he said, will have a valuation allowance with a floor at fair value. PCDs will have their allowance added back to their basis to arrive at amortized cost.
Asked about modified disclosures, LaMonte said that some of the new disclosures will be very useful. "'Vintage' disclosures will be extraordinarily useful to users in understanding what the profile of loans made in any given year looks like and how that is evolving as credit cycles evolve," he said. "Things go wrong when the credit quality deteriorates or the underwriting standards deteriorate; I think these vintage disclosures will help provide some indication of when that's happening."
Taub then ran down the effective dates and transition periods; the effective date will be January 1, 2020, for public companies and January 1,2021, for other entities. While early adoption is allowed, Taub said he had not heard of any companies actually taking advantage of that option. As to transition, he noted that "the big banks are starting to give some numbers as to what the effects are, so you can tell that they are making progress on analyzing what's going to happen." Taub also predicted that FASB will go forward with allowing entities to use fair value estimates for existing loans at transition. Strauss noted that Accounting Standards Update (ASU) 2019-04 contains various amendments for several topics related to CECL; Taub and Shah explained that the amendments are intended to clarify issues raised during the Transition Resource Group (TRG) process.
Next, Silva discussed implementation issues encountered by banks and other financial institutions so far. Finding the necessary data has been a big issue, Silva explained. "Even if you have credit loss data, you may not have used that data for financial reporting," he said. "There's generally a lot of cleanup associated with pulling that data out of the business and then using it in a financial reporting capacity."
On the subject of the requirement for "reasonable and supportable forecasts," Silva noted that most organizations are utilizing external forecasts for this purpose and pointed out that adjusting historical data to reflect the forecasted information will require significant judgments from management. Shah added that FASB has received questions about what method to use for those adjustments and reminded the audience that the guidance is designed for flexibility. "If you think straight line is appropriate, use straight line; just explain why you're using straight line," Shah said.
Derivatives and Hedging
With CECL fully covered, Strauss turned the panel toward recent changes to accounting for derivatives and hedging. Asked to explain the goals of ASU 2017-12, Shah said the standard attempted to expand hedging into more risk management activities. "Now you can hedge components of your financial and nonfinancial risk," he explained, "rather than the entire purchase price or the entire contract and all the cash flows that come with it." The standard also simplifies the hedge effectiveness assessment. Strauss and Shah agreed that the standard has been well received by stakeholders.
Next, Uhl discussed the general complexity of hedge accounting, both before and after the new standard. "As the sophistication of risk management strategies goes up, the complexity in the accounting obviously goes up," Uhl said. "While FASB has accomplished a lot in making this easier, there are things that you're still going to have to go through in order to accomplish hedge accounting." As an example, he talked about documentation, which for the most part must still be done in the same amount of time, and "that's going to require you do some complex math."
Silva discussed his implementation experience with a client. "Although the changes reduce the amount of modeling that's necessary to support the ultimate outcome," he said, "there's still significant operational challenges associated with putting this in place. It isn't easy if you've got significant volume that you want to hedge, but it is modeling-light, and that was the significant benefit." Taub agreed, saying that no longer having to measure ineffectiveness every period was another big improvement. "In just about every area of hedge accounting," Taub said, "FASB made it a little easier. Cumulatively, it's a substantive difference." He tells clients, "You may find that the accounting is not as scary as it used to be."
Continuing with the technical discussion, Silva explained how the testing for whether or not a hedge is "highly effective" has changed. The amount of time for the initial test has increased, and while that test must still be quantitative, subsequent tests can be qualitative as long as the issuer provides documentation that it still considers the hedge highly effective. "You may end up spending more time on the back end with your audit firm, trying to defend your qualitative assessment," Silva said, "but if you have less volume than we're talking about and you're not putting something in place that's automated," the process will be easier overall.
Uhl had a mixed view on how smoothly implementation of the standard has gone. While the improvements mentioned above have been well received, Uhl described the transition as "a little bit bumpy," saying that FASB is working on some technical corrections to address questions that have come up regarding, among other things, partial term hedging and hedging components of nonfinancial assets. LaMonte added that, while financial statement users have not particularly focused on this standard, it will still be useful to the extent that it removes unnecessary volatility it will result in a better economic presentation, "ft's more of a perspective issue than a catch-up issue," LaMonte said.
Classification and Measurement of Financial Instruments
Strauss then moved the discussion on to FASB's project on the classification and measurement of financial instruments, ASU 2016-01, effective in 2018 for public companies and 2019 for private companies. Taub explained that the standard targeted three specific areas: measurement of equity investments, presentation of changes in fair value of a company's own debt, and certain fair value disclosures for nonpublic companies. At Strauss's request, Shah clarified elements of the target areas that did not change, such as classification of debt securities. He also said that FASB has received requests to extend the fair value option to some held-to-maturity debt securities.
Silva then commented on the changes to equity investments, delineating them from equity method investments, which are unaffected, and noting exceptions to the new rule, such as consolidated equity investments and cases where fair value is not readily determinable. Uhl further explained the mark-to-market method of the new mle, stressing the new, qualitative requirements for determining impairment, which he described as a "much easier model than what we had previously."
Uhl then discussed practice issues, noting that FASB had plans to discuss issues that had been brought to its attention regarding purchase or sale of equity securities that would move an issuer across the threshold between using the equity method or the measurement alternative. Taub added that removing the other-than-temporary impairment test was "a big simplification."
LaMonte said that the standard should result in more intuitive results, noting a particular feature of the old rule that resulted in increased decreased creditworthiness generating income. Companies, he said, would frequently resort to non-GAAP measurements to avoid this apparent paradox, so this change will lead to a decrease in use of non-GAAP. He also said that companies have reacted positively to the fair value option for changes in their own debt.
Strauss asked how the standard affects convergence with international standards. Silva said that while the models are different, the end result is "very similar." Taub added that the standards were already substantially converged prior to the new standard, and that the changes might actually create divergence.
Taub then summarized the effective dates, noting that the transition for public companies for the most part went smoothly, although some companies with investments in equity securities that chose the measurement alternative and had been using the cost method previously ended up recognizing large amounts of built-up appreciation.
The panel wrapped with Strauss asking the panelists for their thoughts on future developments for financial instruments. Uhl noted that the projects on distinguishing liabilities and equity and on hedging will continue, while Taub said that "there will continue to be financial instrument accounting issues because we keep inventing new financial instruments." Shah praised the efforts of the TRG for the credit losses standard, saying, "I think we got through a number of simplifications and clarifications for the CECL standard in a short time period." He added that FASB is always available to take questions and concerns about existing standards or other matters that need addressing.
Chief Accountant, SEC
Board Member, PCAOB
Board Member, FASB
|Printer friendly Cite/link Email Feedback|
|Publication:||The CPA Journal|
|Article Type:||Conference news|
|Date:||Aug 1, 2019|
|Previous Article:||Fraud 'Possibilities' Are Realities.|
|Next Article:||The Challenge of Embedded Leases: Leases May Be Hiding in Supply and Service Contracts.|