SEC staff focuses on ASC 606 (Revenue from contracts with customers) disclosures
Comments issued by the SEC staff in the Division of Corporation Finance (DCF) to companies that adopted Accounting Standards Codification (ASC) 606, Revenue from Contracts with Customers, about their disclosures under the new standard are public and may provide an indication of where companies may have the opportunity to improve their disclosures. The SEC staff recently said that it is monitoring the new disclosures mandated by ASC 606 and encouraging companies to refine and supplement their annual disclosures included in their subsequent quarterly filings in the year of adoption. Identification of performance obligations and the application of principal vs. agent guidance have been the most frequently discussed topics in consultations with the Office of the Chief Accountant. As expected, the SEC staff’s comments on the application of ASC 606 have focused on areas of judgment.
Audit committees should continue to evaluate the adequacy of the company’s disclosures required by the new revenue standard. We believe this evaluation should include the consideration of disclosures by peer companies, industry practice and other best practices as they evolve over time.
SEC amends rules to eliminate redundant and outdated disclosures
The SEC issued a final rule that eliminates or revises a number of disclosure requirements that are redundant or outdated in light of changes in US GAAP, IFRS, technology or the business environment.
The rule changes are not expected to significantly alter the total mix of information provided to investors. Although the rule is generally expected to have a limited effect on disclosures, registrants should carefully review the changes made by the rule and address them as necessary.
SEC reporting update: 2018 trends in SEC comment letters
Boards and audit committees have to address substantial tax policy changes as businesses continue to implement the Tax Cuts and Jobs Act (TCJA). The Treasury Department and IRS have issued administrative guidance on some of the more complex areas of the new tax law, and more guidance and clarification are expected.
Boards and audit committees should also stay focused on US trade activity. Tariffs imposed by the US and other countries could have substantial implications for US businesses, the economy and consumers. With continued uncertainty in both US trade and tax policy, and a significant Supreme Court opinion that has state tax implications for remote sellers, modeling alternative tax and supply-chain scenarios has become more important than ever.
Tax reform implementation
The TCJA significantly changed US income tax law, and companies accounted for the effects of these changes in the period that includes the December 22, 2017 enactment date. The SEC staff issued SAB 118 to provide companies that had not completed their accounting for the income tax effects of TCJA in the period of enactment with a measurement period of up to a year. As the SAB 118 measurement period cannot extend beyond one year, calendar year-end companies are required to finalize any provisional balances by December 31, 2018.
The Treasury Department and IRS began releasing major TCJA-related proposed regulations during the summer of 2018 and are expected to continue through spring of 2019. Key proposed regulations addressed the law’s transition tax, the new global intangible low-taxed income (GILTI) regime, qualified business income (QBI) deduction, additional first-year depreciation deduction, and the new provision to encourage investment in Opportunity Zones (more information available in IRS REG-115420-18). The proposed regulations will be finalized after comment periods for those interested in sharing suggested changes or other observations. Companies trying to plan in the near term face some risk as they await the release of anticipated further TCJA guidance, especially around some of the complex international provisions of the law.
Further TCJA clarification is also expected by year-end from the Joint Committee on Taxation’s Blue Book — a general explanation of the new law. And while there have been calls for technical corrections legislation to resolve drafting errors in the final legislative language, it is unlikely that this type of legislation will move forward in Congress in 2018.
In late September, the House of Representatives advanced three bills as a follow-up effort on tax reform, or “Tax Reform 2.0,” aimed at three areas: (1) making the individual and small business tax cuts permanent; (2) promoting savings for families and retirement; and (3) spurring innovation. It is unlikely that the Senate will take the measures up this year. As with technical corrections legislation, the outcome of this effort will depend on the political composition of Congress after the mid-term elections.
With so many avenues of clarification around the new tax law and the potential for additional tax legislation in the years ahead, audit committees must stay up-to-date with tax policy developments in real time.
Recent US trade policy shifts could have significant implications for US companies. Actions such as the use of targeted tariffs and renegotiation of the 24-year-old North American Free Trade Agreement (NAFTA) indicate that the current Administration prioritizes reducing the US trade deficit over free trade flows to a greater extent than its predecessors.
The shift in approach to trade policy can have a real impact on businesses. For example, the Administration has imposed various tariffs on imported intermediary goods, or parts, used by US businesses to make finished products. Tariffs on these parts can increase costs for businesses and could lead them to cut other expenses, including labor costs, among other options. Further impacting US businesses, many countries have retaliated against the tariffs by imposing their own tariffs on US exports, making US products less attractive to overseas purchasers.
The trade policy environment is very fluid now, and the possibility of additional rounds of tariffs is quite high. For this reason, it is critical that businesses understand the issues associated with the Administration’s trade policy, examine the potential impacts to their operations and consider expressing their views. Boards need to understand management’s approach to addressing this and other potential geopolitical and regulatory developments, including impacts on strategy and risk management.
Wayfair and evolving digital tax policies
On June 21, the US Supreme Court held in South Dakota v. Wayfair that physical presence in a state was not necessary to create taxable nexus for sales and use tax purposes. As a result of the Court's decision, additional states may now begin requiring remote sellers to register, collect and remit taxes on transactions with in-state customers regardless of the seller's physical presence within the state, provided that they do not impose undue burdens on interstate commerce.
States have already begun to respond by revising their sales and use tax rules, and companies will need to track issues such as retroactivity and prospective tax liability on a state-by-state basis. A company’s facts and circumstances should be reviewed with respect to each jurisdiction in which it may have a state tax filing obligation, regardless of physical presence.
Around the world, the focus on digital tax policies has evolved quickly, mirroring the rapid integration of digital into the business landscape. Tax policymakers are trying to keep pace with this growing trend, with some countries and supranational groups exploring different digital taxation models. A current lack of agreement on how to proceed, however, threatens to create a confusing tax landscape, with a patchwork of different proposals for businesses to navigate. Increasingly, audit committees will need to verify that the company’s tax strategy supports its digital ambitions while also protecting the organization from tax uncertainty.
Boards and audit committees should begin discussing their companies’ existing digital activity and pipeline projects in new ways and assess the related tax implications. This effort will require knowledge of the digital tax approach of countries and states in which they do business, and committing resources to measuring and addressing any resulting tax risks. These risks need to be weighed against the company’s digital goals to determine whether tactics, strategy, structures or business models may need modifying.
Boards and audit committees should assess the completeness of their companies’ investor communications. Investors need to know about tax risks related to digital activities that may reduce profits if these taxes go into effect. Boards should be informed about the possibility and potential impact of restructuring parts of a digital strategy and the potential need to exit lines of business or markets depending on how tax proposals advance.
While the complex issues of how to tax digital activity are not likely to be resolved anytime soon, the debate has implications for all businesses that have digital assets. As such, boards and audit committees will want to closely monitor the evolving discussion and related digital tax developments.
The future of the tax operating model
Tax operating models are at an inflection point. External pressures including technology disruption and talent availability are significantly challenging current tax operational strategies. Companies are looking at their short- and long-term requirements to efficiently and effectively manage their tax operations. Audit committees should inquire of management as to whether their tax operating model is meeting the organization’s needs. Leading organizations are reconsidering their tax functions (e.g., fully internally sourced, outsourced or a hybrid model) to design a more efficient operating model by leveraging lower-cost resources and emerging technologies, such as robotic process automation and artificial intelligence.
The SEC, under Chairman Jay Clayton’s leadership, remains committed to a strategic agenda to promote capital formation in public markets that balances investor protections. Clayton’s capital formation agenda has particularly focused on reducing the regulatory burden on small businesses. With Elad Roisman sworn in as a new SEC commissioner in September 2018 (replacing former Commissioner Piwowar), the SEC is temporarily back to a full slate of commissioners. Although Commissioner Kara Stein must step down as of January 1, 2019, this is not expected to hinder SEC rulemaking, as the Commission will still have a quorum.
Clayton continues to focus SEC efforts on enhancing the attractiveness of raising capital in the US public capital markets. Clayton intends to reduce the regulatory burden on SEC registrants, while still providing material information to investors, to attract more companies to public markets.
Recently, the SEC amended the definition of a smaller reporting company to allow more companies to provide scaled disclosures in SEC filings. Additionally, the SEC finalized a rule that eliminates redundant and outdated disclosures as discussed above. The Commission also proposed a rule to streamline reporting requirements for certain registered debt offerings.
In an effort to promote capital formation, SEC officials continue to encourage companies to consider requesting waivers or modifications of their financial reporting requirements under Rule 3-13 of Regulation S-X.
Looking ahead, the SEC announced that the staff is working on a rule proposal that would reduce the number of companies that are subject to Section 404(b) of the Sarbanes-Oxley Act, which requires an auditor attestation on internal control over financial reporting. The staff may also recommend seeking comment on ways to reduce the regulatory burden associated with earnings releases and quarterly reporting.
Also high on the SEC’s agenda is keeping pace with the technological changes in cybersecurity and distributed ledger technology, including cryptocurrency and initial coin offerings (ICOs). The SEC staff continues to remind market participants that offerings of digital tokens in ICOs must be registered with the SEC or qualify for and comply with an available exemption from registration. The SEC’s Division of Enforcement has been actively pursuing federal securities law violations involving distributed ledger technology and ICOs.
In 2018, the SEC streamlined its short-term regulatory agenda to include only those rulemaking actions that the SEC actually expects to complete within a year. The agenda issued in October 2018 includes pending rulemaking required under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) related to hedging by employees, officers and directors. It does not address other executive compensation matters (e.g., clawback, pay vs. performance), although those are included on the SEC’s long-term agenda.
Boards should also be aware that another item on the SEC’s long-term agenda is consideration of the proxy process. The SEC staff will hold a roundtable to discuss the proxy process in November 2018 to solicit input in light of changes in the market. Topics covered will include the voting process, retail shareholder participation, shareholder proposals and proxy advisory firms.
Audit committees and SEC registrants should keep abreast of the evolving SEC agenda and the impact that such changes have on the organization.
SEC’s continued focus on cybersecurity disclosures
As cybersecurity threats evolve and risks become more complex and widespread, focus on corporate disclosures in public filings on the subject will likely intensify. The SEC issued guidance on February 21, 2018, which reinforces and builds on the SEC’s 2011 cybersecurity staff guidance, clarifying companies’ obligations to disclose cybersecurity risks, material breaches and the potential impact of the breaches on business, finances and operations. The new Commission guidance also addresses company disclosure on how the board of directors oversees the management of cybersecurity risk, among other things. This publication is a clear indication that regulators and stakeholders want to better understand a company’s efforts around cybersecurity planning, incident response and notification procedures.
A recent EY analysis of cybersecurity-related disclosures noted that 70% of Fortune 100 companies disclosed that their audit committees oversee cybersecurity matters. The EY report also showed that the depth and company-specific nature of cybersecurity disclosures varied widely, suggesting room for improvement consistent with the SEC’s 2018 interpretation. Boards and audit committees should re-examine management’s disclosure controls and procedures around cybersecurity and review the company’s cybersecurity disclosures in light of the new guidance and the evolving landscape of cyber risks and cybersecurity.
Recently, the SEC issued an investigative report alerting registrants to carefully assess and calibrate their internal accounting controls in response to emerging risks related to cyber frauds (e.g., spoofed emails or manipulated email communications). The SEC report discussed the findings of its investigation into nine issuers, which were victims of unsophisticated cyber scams (primarily involving emails from fake executives and emails from fake vendors), and whether those companies may have violated their obligation to have designed and implemented a sufficient system of internal accounting controls. The pervasive use of electronic forms of communications and the general expectation that such communications are trustworthy create risks for organizations that need to be considered. Organizations may need to revisit their controls related to the authorization of the transfer of funds and changes to vendor master file data and their training for employees.
Public Company Accounting Oversight Board (PCAOB) outlook and developments
Five new PCAOB members have been sworn into office since January 2018, including new PCAOB Chairman William (Bill) D. Duhnke III. The PCAOB is expected to maintain its focus on promoting high audit quality through its inspection program, among other things. One of the new Board’s first acts was to seek public input on priorities to include in the PCAOB’s 2018–2022 strategic plan, the first time the PCAOB has done so. In October, Chairman Duhnke gave a speech outlining the results of the Board’s strategic review. He indicated that there will be changes in the Board’s approach to inspections, standard setting and enforcement, including to provide more timely, relevant and useable reports to the market. The Board also plans to work and communicate more closely with audit committees to promote audit quality.
Auditor’s reporting model
Companies should already be taking steps to prepare for changes in auditor reporting. In the second phase of changes required under the revised PCAOB standard on the auditor’s report (in annual reports for fiscal years ending on or after June 30, 2019 for large accelerated filers), auditors will be required to disclose information about matters that were communicated or required to be communicated to the audit committee that are material to the financial statements and involved especially challenging, subjective or complex auditor judgment (i.e., critical audit matters). For each critical audit matter (CAM), auditors are required to:
- Identify the matter
- Describe the principal considerations in determining that the matter was a CAM
- Describe how the matter was addressed in the audit
- Refer to the relevant financial statement accounts or disclosures
Management and audit committees are encouraged to work with their auditors to understand the requirements related to CAMs, including the process of determining and describing CAMs, and any expected changes to the audit process. This will help management prepare for questions it may receive from investors, regulators and others.
Management should consider involving personnel from other departments (e.g., legal, investor relations) in discussions about disclosures and communications the company will make in response to CAMs. Audit committee members should also understand any changes the company makes to its processes and disclosures.
Enhancing audit committee reporting
The 2018 proxy season saw continued growth in audit committee transparency. Continuing the trend of past years, proxy disclosures in 2018 show year-over-year growth in voluntary audit-related disclosure, based on our annual review of Fortune 100 companies.
A US survey of investors indicates high degrees of confidence in the audited financial information disclosed by public companies. Yet, at the same time, for the reviewed companies, there was a slight increase in average votes against ratifying the external auditor in the 2018 proxy season.
This increase suggests that some investors are taking a stricter approach to reviewing the company-auditor relationship. This could encourage companies to provide additional disclosure around the audit committee’s selection of an auditor. Enhancing audit committee transparency can increase investors’ confidence in financial reporting and their confidence in the role of the audit committee in overseeing the audit process and promoting audit quality.
Meaningful disclosure about what audit committees do and how they oversee auditors would provide a window into the important work audit committees perform, as well as the processes in place to protect auditor independence and professional skepticism and further the alignment among auditors, audit committees and investors.
Disruption in the business environment has taken on many forms, including political instability fueled by economic uncertainty across the world, digital transformation and business model disruptions, greater scrutiny of corporate behavior, and regulators that are under increasing pressure to develop frameworks that foster growth but curb short-termism and unfair practices.
The pace and scale of disruption will continue to present a number of challenges to companies; however, opportunities to harness new technology and trends will undoubtedly emerge to reshape business models, improve companies’ performance and value creation, and focus on and address emerging risks. In this continually changing environment, boards and audit committees need more than ever to focus on risk management.
The next generation of Enterprise Risk Management (ERM)
Rather than avoiding risk, evolved companies will focus on mitigating risk to a tolerable level and, ultimately, optimizing it to drive competitive advantage. Boards have a role to play in challenging organizations to embed risk management in their strategic decision-making and leverage digital capabilities to harness risk intelligence across their enterprises. Such an approach strives to balance upside, downside and outside risks; instill a digital risk mindset and culture; digitize risk intelligence, monitoring and reporting; and consider embedded risks in strategy and operations. That means evaluating business risk drivers, prioritizing opportunities and remediation activities, designing risk response plans to optimize value and return on investment, and keeping risk within acceptable levels of risk tolerance and appetite.
To further facilitate this shift in ERM focused on strategy and operating performance, audit committees are expecting the internal audit (IA) function to go beyond controls auditing to provide assurance over governance and emerging risks. Leading audit committees are also encouraging companies to perform their risk assessments more frequently than once a year with IA adopting the “six-plus-six” approach to audit planning and risk assessments (i.e., a risk-based rolling plan of IA work that is updated every six months). Such a flexible and dynamic approach allows organizations to better meet the changing needs and priorities.
Driving digital trust and overseeing data privacy
The cyber threat environment alone is such that it is only a matter of time before all businesses will suffer a cyber breach. And as consumers become more aware of (and potentially alarmed by) the extensive sharing of their data in the digital economy, and as global data protection laws and regulations proliferate, data privacy risks are growing in number and scope. More than ever, organizations need to be confident that their complex and evolving digital platforms are safe and secure. The boundless possibilities, efficiencies and conveniences of digital are bundled with evolving and emerging risks and challenges, from business disintermediation, cybercrime, data loss and technology outages to third-party risks.
With the EU’s General Data Protection Regulation (GDPR) now legally enforceable and the passing of the California Consumer Privacy Act (which provides the most sweeping, comprehensive consumer privacy rights in the United States), organizations must bolster their cyber defenses to be certain that the personal data collected in each jurisdiction are properly maintained and managed.
Boards and audit committees should view GDPR and data privacy legislation as an opportunity to evaluate, streamline and standardize data processes and procedures, so that risk management controls are primed for the increasingly stringent regulatory requirements that are expected to come.
While the boards’ obligation extends to achieving regulatory compliance, all stakeholders across the organization are responsible for working together to create resilience. Some key board considerations include:
- How cybersecurity and personal data risks are featured in the organizational risk assessment
- Whether controls relating to the collection, processing and use of personal data and its security are compliant with data protection requirements
- In the event of a personal data breach, whether there are established response procedures that are built into the business continuity plans
- How often the board will be updated on data protection and cyber matters
- How data protection policies will be communicated internally and externally to build buy-in and assurance for all stakeholders
Audit committees should assess whether compliance with data protection and privacy laws is a process that is continually evaluated and evolving within the organization.
Third-party risk management
Boards also must exercise vigilance in confirming that organizations are properly monitoring the heightened risk presented by third-party service providers in a digital world. These providers often have access to a company’s data and its internal systems, which raises concerns and serious potential risks related to fraud, cybersecurity and the company’s reputation. It is paramount that effective governance structures be put into place to manage these risks. Companies may opt for a centralized third-party risk management structure, a decentralized model that provides oversight at the business unit level, or some combination of the two approaches.
Regardless of which model an organization adopts, the board can challenge the company to construct a clear profile of all third-party partners and the potential risks they pose. This means insisting on proper due diligence, strong contracts that protect the company, and methods to consistently evaluate and monitor each service provider (including the third parties’ compliance with stipulated codes of conduct). Companies must have a fundamental understanding of their business processes, including how their data is being secured by hosts who are managing their information in the cloud and how their data is being managed through robotic process automation and artificial intelligence. They should also clarify with clients or customers whether employees with whom they are working are client employees or third parties.
The future of compliance and board oversight of culture
In a world of changing business models, the explosion of data, and increased regulation and enforcement, integrity remains a critical foundation for driving the ethical and compliance-oriented behaviors needed to protect businesses and business reputations. EY’s 15th Global Fraud Survey found that fraud and corruption remain among the greatest risks to businesses today, and a significant level of unethical conduct is ongoing, with junior professionals more likely to justify fraud. How an organization brings integrity into its culture will become increasingly important.
In this environment, board oversight of corporate culture, controls and governance through an integrity lens is a growing priority. Audit committees should work hand-in-hand with the board and other committees to create and define a culture of ethics and integrity that is modeled by the board, executives and other management and expected of all employees and other members of the workforce — even as the workforce is radically changing. The cultural values should also apply to third parties with which the company regularly does business, including key suppliers and business partners. Audit committees will also need to work ever more diligently to help make sure that company codes of conduct and ethics, compliance programs, whistle-blower policies and procedures, and related employee engagement and training programs are effective in defining and enforcing ethical behaviors.
Overseeing whether the compliance function is effective and appropriately evolving through advances in governance practices and technology is also critically important. Clear assessments of the effectiveness of compliance and ethics policies and programs can lead to more effective risk management, a stronger culture of compliance, ethics and integrity, and increased transparency. With the introduction of digital compliance tools, such as predictive analytics and real-time risk alerts, forensic data analytics can significantly improve the effectiveness and efficiency of monitoring and reporting. Along with providing better data insights, leveraging new technologies may also better optimize resources, which can be critical with budget restraints. Leading companies are also using artificial intelligence technology to replace classroom and web-based training with individualized risk-based communications in real time.
Boards and audit committees should set the right tone at the top by clearly and consistently communicating and demonstrating a clear culture of compliance, ethics and integrity, and by verifying that ethics and compliance policies and procedures (backed by effective training and consistently applied enforcement) are working to maintain the culture and deliver effective compliance.
Audit committee effectiveness