Given the complex regulatory and operating landscape that most organizations must now navigate, it comes as no surprise that effectively managing internal controls to support financial reporting is top of mind. Accounting and finance organizations—including financial professionals like you who keep them humming—are challenged to operate efficiently and still drive strong comprehensive controls.
As most of you already know, globalization, intercompany trade, and mergers and acquisitions have increased the volume of transactions that impact every part of the business, including the close. They’ve also created more risk in downstream financial and regulatory reporting. The regulatory environment itself has also grown, both in scope and in depth, increasing exposure while placing pressure on precious accounting resources to cover even more bases.
For example, accounting, tax, and treasury teams face increasing intercompany reporting challenges from base erosion and profit shifting (BEPS) tax rules, which aim to level the playing field for companies that don’t have a substantial presence globally. These same teams face a widening set of regulatory requirements from new Internal Revenue Service (IRS) tax rules to new Financial Accounting Standards Board (FASB) revenue recognition standards.
All these factors are competing for often already strained resources that are also required for financial controls, such as continued compliance with the Sarbanes-Oxley Act of 2002 (SOX).
It’s no wonder that, more than 15 years since the introduction of SOX, improving efficiency is still a top priority for financial executives. In a survey conducted by the SOX & Internal Controls Professionals Group, which has more than 3,000 members, study respondents identified improving the efficiency of the SOX function as a top objective, followed by ensuring compliance with SOX and other regulations and strengthening organizational relationships across SOX owners. (For more, see Figure 1 and “State of the SOX/Internal Controls Market Survey,” available at http://bit.ly/2qGoJgr.)
WEAKNESSES ELEVATE FRAUD RISK
Improving efficiency, while at the same time combating fraud, has kept many in the C-suite up at night. Specifically, weak controls can leave an opening for fraud risk.
A 2017 study by the American Accounting Association found that companies with material weaknesses in their entity-level controls were 90% more likely to have future fraud disclosures compared to companies with strong controls. In fact, when evaluating 127 unique fraud cases, researchers found a strong association between entity-level controls and a subsequent revelation of fraud.
This is forcing accounting and internal audit teams to spend more time reevaluating risks and their mitigating controls to make sure both are properly designed and effective. They have to walk a line between strong control coverage and an overly controlled environment.
The study concluded that “the issuance by an auditor of an adverse internal control opinion is a ‘red flag,’ indicating a higher probability that managers are committing (unrevealed) fraud.” (See Dain C. Donelson, Matthew S. Ege, and John M. McInnis, “Internal Control Weaknesses and Financial Reporting Fraud,” AUDITING: A Journal of Practice & Theory, August 2017, pp. 45-69, http://bit.ly/2ROfDK2.)
With regulators’ heightened focus on control testing results, audit costs are also on the rise. A recent study by Protiviti of more than 1,000 publicly held organizations found that their audit costs are larger than ever, with nearly 40% of those companies surveyed reporting higher external audit fees in 2017. (To view the survey results, go to http://bit.ly/2DkX10D.)
In turn, external audit firms are increasing their dedicated resources and depth of engagements, especially as the focus on cybersecurity intensifies and new auditing standards demand greater transparency in auditors’ reports. As a result, accounting teams are becoming more focused on shifting to a self-service model for internal and external audit to minimize time servicing information requests.
RISK REDUCTION AND EFFICIENCY
Research shows a strong relationship between the number of activities in scope (inside the boundaries of a project and accounted for in the schedule and budget) and the maturity level of the month-end close process. The more activities in scope, the more stringent and rigorous the process.
Something must give: Increase resources to mitigate risk, or try to redefine the risk appetite of the company. Technology innovation offers powerful efficiency, and it challenges the old assumptions that reducing risk requires significant investment while lean processes elevate risk. For example, it’s common knowledge that technology such as robotic process automation (RPA) can accelerate the close using repeatable rules, scheduling, and processing of accounts and transactions in detail. This increases the confidence in control testing results and, therefore, the ability to affect residual risk.
But there’s a larger opportunity: the ability to test greater sample sizes, perhaps even checking every transaction, in detail, while also increasing process efficiency. RPA can dramatically reduce errors in the close and improve balance sheet integrity by strengthening reconciliations.
That said, here’s a comprehensive look at some of the challenges accountants face in a changing regulatory, controls, compliance, and audit landscape and how they can adapt to change effectively.
BEPS TAX COMPLIANCE
New BEPS tax regulations, formulated by the Organisation for Economic Co-operation and Development (OECD) and published in October 2015, will spur the most significant changes to the taxation of international business since the 1980s. The countries directly involved in the OECD BEPS project represent more than 84% of the total world economy, and PwC reports that 70% of CEOs are concerned about increasing tax burdens from the new regulations. (The full report can be accessed at https://pwc.to/2FrGVVE.)
Many larger international companies are now required to create detailed country-by-country tax and financial information. In addition, a greater volume of data must be disclosed, dramatically increasing compliance burdens.
Specifically, companies must consider three new levels of reporting:
- Country-by-Country Reporting. Details on each entity, organized by country; data to include revenues, profits, taxes, assets, transfer pricing, employee numbers and costs, capital, accumulated earnings, and intercompany payments, to be filed in the jurisdiction of the company’s headquarters.
- Standardized Information for All Group Members. Global organizational structure; description of business; IP development, use, and transfers; intercompany financial arrangements; and financial and tax positions, to be filed in each country in which the company operates.
- Transaction Details between Local Entities and Affiliates. Those involving the local management team, business strategy, and restructurings or IP transfers, to be filed in each country in which the company operates.
With a greater need for data and reporting, BEPS will place substantially increased pressure on systems and personnel, which will most likely include you and members of your team.
This burden will require well-organized document management, data, and workflow systems to increase collaboration across tax, finance, and geographies. If you work for a multinational corporation, you’ll have to reconcile public financial statements, legal entity books, local tax returns, and templates.
CHANGES TO AUDITOR’S REPORT
While auditing standards continually adapt, the latest auditor reporting standard adopted by the PCAOB, AS 3101, “The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion,” marks the first major update to the standard form auditor’s report in 70 years.
Auditor reports soon will have to include a new description of “critical audit matters,” providing information about the most challenging, subjective, or complex aspects of the audit itself and promising to lay bare challenges in the audit process.
Communication of each critical audit matter will be required to include:
- Identification of the critical audit matter,
- Description of the principal considerations that were used to determine that the matter is critical,
- Description of how the critical audit matter was addressed in the audit, and
- Reference to the relevant financial statement accounts and disclosures that relate to the critical audit matter.
Naturally, the complexity of operations and accounting and control systems will have a significant impact on what ends up being defined as a “critical audit matter.” In effect, audit reports that contained information once viewed behind closed doors will now be more transparent.
Providing strong auditor self-service, minimizing lead times to provide data to auditors, and easing efforts to substantiate balance sheets can reduce issues covered in the audit report by discovering and remediating the problem earlier.
CONTRACTS AND LEASES
A new FASB rule, Accounting Standards Codification® (ASC) 606 (ASU 2014-09), Revenue from Contracts with Customers, and International Financial Reporting Standards (IFRS) 15, Revenue from Contracts with Customers, impact revenue recognition on a broad range of contractual agreements with customers. The core principle of this new rule is that an organization recognizes revenue to depict the transfer of promised goods or services to customers in an amount that reflects what the organization expects in exchange for those goods or services.
The new rules affect companies that bundle products and services, have different terms around payments and renewals, and have complex sales commission and royalty arrangements. They have an impact in other areas, too.
ASC 606 in particular places significant pressure on accounting systems and processes. For most companies, this means managing allocations to handle performance obligations and timing revenue recognition. Other considerations include dual reporting on current and future guidance, especially given retrospective adoption.
With ASC 606 touching so many different systems—from sales ordering to enterprise resource planning to billing and invoicing—it’s vital that accounting teams free up resources from typical tasks to adopt these new requirements effectively.
It’s all about simplifying compliance. With a financial close solution, companies can implement intelligent workflows to create rules-based processes, centralize documentation, and eliminate the risk involved with spreadsheets and disparate systems. Tasks can be set up to ensure necessary steps are completed each reporting period and to provide visibility into the status of those items.
Balance sheet positions and profit-and-loss (P&L) activity can be reconciled using templates that provide best practices and limit or eliminate the use of Microsoft Excel. Journal entries can be monitored, certified, supported, and even automated in a single integrated platform.
Leases will become another area of concern to management accountants, especially in large corporations. More than half (54.7%) the respondents to a recent Deloitte survey expect their accounting teams to spend more time on the new FASB and International Accounting Standards Board (IASB) lease accounting standards, which require companies to recognize lease assets and lease liabilities on the balance sheet. (For more, go to http://bit.ly/2z78Vbl.)
For organizations that rely extensively on leases for operating assets, the transition is likely to be labor intensive, especially for lease contracts requiring inventory.
Like ASC 606, these new leasing requirements will likely create significant work in collecting and reviewing detailed agreements, a task that may be complicated by lease agreements across different locations. Significant planning and adoption are required for reviewing lease tax classifications, enhancing disclosure agreements, and changing financial ratios.
With limited resources, it’s important to free up accounting personnel from day-to-day, low-value tasks to devote time to reviewing the new rules and updating accounting processes.
A CHANGING RISK FRAMEWORK
Organizations now need to focus more effort on risks than ever before. And any risk management strategy must mitigate risk related not only to compliance and operational areas but also to strategic execution issues.
The recently updated Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework, Enterprise Risk Management—Integrating with Strategy and Performance, recognizes this and builds on the existing foundation of internal controls to add a layer of strategic enterprise risk management.
Since COSO was first organized in the early 1990s, much has changed. Globalization continues on an upward trajectory, business models and operating structures are more complex, distributed business and outsourcing are seeing rapid growth, and domestic and international regulations are constantly evolving.
Technology advancements, which have had an overwhelmingly positive effect on the accounting industry, have also introduced a double-edged sword, increasing the magnitude of damage that an operational or strategic failure could inflict while also creating their own new risk landscape (i.e., cybersecurity).
It’s important, too, to recognize that strong enterprise risk management—effectively managing the response to business risk and better strategic planning—relies on comprehensive internal controls. The updated COSO Framework grew from being somewhat controls-focused to having an increased emphasis on culture, meeting performance objectives and goals, and considering broader entity-level risks. Moreover, it has expanded to encourage organizations to consider the impact of technology, such as data stewardship and governance, the role of artificial intelligence and increased automation, and greater awareness around cybersecurity.
Managing internal controls around financial reporting is fundamental to governance and compliance. The American Productivity & Quality Center’s 2015 survey of 1,069 public companies found that the most efficient (top quartile) ones spend 13 cents or less per $1,000 in revenue to operate controls and monitor compliance with internal controls policies and procedures. By comparison, the least efficient, bottom-performing quartile spent more than 10 times that, around $1.40 per $1,000 in revenue. (For more, see Mary C. Driscoll, “Metric of the Month: Internal Audit Costs,” CFO.com, November 3, 2015, http://bit.ly/2OFo8W1.)
To make that a little more tangible, for a company with $10 billion in revenue it’s the difference between $1.3 million and $14 million in costs related to controls and compliance. In the context of risk and compliance, these are resources that could be reallocated to managing strategic risk.
While listing the detailed controls that should be in place for financial reporting is beyond the scope of this article, you get the point: It’s fundamental that organizations balance the need for trust and integrity with timeliness and efficiency. A big part of the process happens during the financial close period when accountants verify the accuracy or integrity of all account balances in the company’s general ledger and prepare the balance sheet as part of the company’s financial reports. For many organizations, this remains a manual process, opening the door to significant problems around human error and resource overhead.
More broadly, it’s essential that internal controls and checklists are fully documented and comprehensive. This means that organizations should ensure that they have a real system in place to identify, accumulate, and evaluate control deficiencies; communicate problems and remediate them; and move away from spreadsheet checklists, binders, file shares, or siloed institutional knowledge.
Segregation of duties must exist among transaction processing, authorization, and reporting functions, and many organizations rely on using email as the approval vehicle. Integrity needs to be managed by flagging unusual items and exceptions. Yet it’s often complicated when email becomes the approval vehicle and more complicated in a highly manual environment or one where gut feel plays a major role.
RIPE FOR REINVENTION
With modern technology, improving internal controls for financial reporting is one of the lowest-hanging fruits to reduce risk and improve efficiency. This includes using exception analysis and variance reporting to monitor, review, and reconcile financial activity. Automation can highlight transactions and balances that exceed control thresholds while ensuring all reports can be reconciled back to the original data.
Workflow can enable strong, auditable sign-offs for reconciliations and other close tasks, while digitization can move checklists from binders and spreadsheets into a managed, version-controlled, centralized store. Similarly, modern cloud applications also open new avenues for auditors, who can access reports and underlying transactions from one place, anywhere in the world, with just a web browser—minimizing the need to hunt for data and engage in an ineffective, back-and-forth communication with accounting.
Ultimately, it’s imperative for already resource-strapped organizations to make time to evaluate and implement technology around their close and compliance processes. The demands on these areas will continue to increase in the future.
These are just some of the opportunities and challenges that management accountants and other financial professionals are likely to face in the coming months and years. Getting familiar and comfortable with them may require a fair amount of additional training, either on an individual or departmental level. For now, however, the overarching question is, “Are you and your organization up to the task?”