The IASB/FASB Transition Resource Group for Revenue Recognition is going to meet again on October 31, 2014. (Seems like a fitting day for this meeting!) In case you have not followed the TRG, this group will not issue guidance. Their mission is to identify issues, discuss them, and share their thoughts on each issue. The FASB and IASB will then decide what action, if any, will be taken on each issue.

The agenda for the meeting includes:

• Customer options for additional goods and services and nonrefundable upfront fees
• Presentation of a contract as a contract asset or a contract liability
• Determining the nature of a license of intellectual property
• Distinct in the context of the contract
• Contract enforceability and termination clauses

As you may know the new standard requires a significant amount of judgment (as well as disclosure of significant judgments!) Each of these areas are complex and will require interpretation and judgment under the new revenue recognition model. This should be a very interesting discussion.

Coordinating the meeting between the IASB group in England and the FASB group in the US presents some interesting logistical challenges, and the meeting will actually begin at 7:00 AM EDT. It is scheduled to run until 2:00 EDT, so the time allocated will allow deep discussion of each issue!

The full agenda, the related Memos discussing each issue, information from the TRG’s first meeting and a description of the TRG’s processes can be found at:

www.fasb.org/cs/ContentServer?c=Page&pagename=FASB%2FPage%2FSectionPage&cid=1176164066683

As always, your thoughts and comments are welcome!

Cybersecurity risk is again in the news. It seems like each cybersecurity incident is bigger and scarier than the breaches before. Clearly, the financial, reputational and other costs associated with these crimes are growing. Perhaps more importantly the efforts and costs associated with the prevention of these events are becoming more significant.

As we approach year end giving appropriate thought to cybersecurity disclosures will be an important discussion for most companies. As a reminder, the SEC’s existing guidance for cybersecurity disclosures is in Corp Fin’s Disclosure Guidance Topic 2, which you can find at:

www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

The drive for more substantive disclosure, including information about the actual costs of cybersecurity breaches to a specific company and cybersecurity prevention costs are themes in the Corp Fin guidance, and these comments help emphasize the important issues in disclosures about cybersecurity risks.

In this comment the staff reminds the registrant about Disclosure Guidance Topic 2:

Technology security risks and environmental and pollution risks could potentially impact our financial results, page 11

6. It appears that this risk factor addresses two separate risks: (1) technology security risks and (2) environmental risks. In future filings, please revise your risk factor disclosure to address these risks under separate headings. Also, with respect to the technology security risks, to the extent that these risks may relate to cybersecurity threats, in future filings please clarify your disclosure accordingly as well as consider the Division of Corporation Finance’s Disclosure Guidance Topic No 2, which is available on our website at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.

Notice the focus on qualitative and quantitative disclosure in this comment:

3. Your risk factor disclosure should provide sufficient qualitative and quantitative disclosure to enable a reader to assess the impact that these risks may have on your results of operations. In this regard, we note the following:

Your risk factor “Our business could be adversely affected by incidents…” on page 9 does not provide sufficient qualitative disclosure for one to understand which aspects of your business operations may expose you to these risks nor does it identify the actual risks or provide examples of past system failures or accidents;

Your risk factor “Technology security risks and environmental and pollution risks could potentially impact our financial results” on page 11 does not specify to what “certain information and technology security risks” you may be exposed.

This comment shows how details should be included to help readers understand the nature and magnitude of the risk:

Our business could be negatively impacted by security threats, including cybersecurity threats…

31. We note your disclosure that an unauthorized party was able to gain access to your computer network “in a prior fiscal year.” So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.

And this comment emphasizes the need for MD&A discussion if related costs are material:

Item 1A. Risk Factors “Security breaches and other disruptions or misuse of our network and information systems could affect our ability to conduct our business effectively,” page 12

1. We note your disclosure that during 2012 the ******* computer network was the target of a cyber-attack that you believe was sponsored by a foreign government, designed to interfere with your journalism and undermine your reporting. We also note your disclosure that you have implemented controls and taken other preventative actions to further strengthen your systems against future attacks. If the amount of the increased expenditures in cybersecurity protection measures was or is expected to be material to your financial statements, please revise your discussion in MD&A to discuss these increased expenditures. Also, if material, please revise the notes to your financial statements to disclose how you are accounting for these expenditures, including the capitalization of any costs related to internal use software.

Hope all this helps, and as usual your comments and thoughts are welcome!

As many of us discovered in the run-up to the first Form SD for reporting about conflict minerals (which was due June 2 of this year), there was substantial uncertainty about how to fulfill this Dodd-Frank created reporting obligation. Uncertainty about what sort of procedures should support the report, how to draft the report and late-breaking legal wrangling about the rule were only a few of the challenges in the first compliance cycle.

Hopefully the second year of this requirement will be a bit less chaotic. To help reduce the chaos and hopefully bring some order to the process we are presenting a one-hour briefing on October 24, 2014 entitled:

SEC’s Conflict Minerals Rules: What We Learned from 2013 and What Happens Next

Here is a summary of the briefing:

So what did we learn from the filings? For the 1300+ public companies and over 250,000 private companies that sought to trace the use of 3TG, the Form SDs and CMRs (Conflict Mineral Reports) provide insights into the struggles that companies have within their supply chains to identify sources and manage data, and to report their compliance efforts and results to customers, the SEC and other constituencies. Public company compliance efforts also impact non-reporting suppliers and will impact interactions with supply chains as the next round of due diligence and reporting gets underway.

Hope this helps, and you can learn more at:

www.pli.edu/Content/Seminar/SECs_Conflict_Minerals_Rules_What_We_Learned/_/N-4kZ1z127tk?fromsearch=false&ID=234693

As always, your thoughts and comments are welcome!

(Our apologies, the post is longer than usual, but it’s an important one)

Pumpkins, glorious foliage, and frost signal the arrival of Fall in NH, as well as hunting season.  Alas for many accountants, Fall signals the beginning of the assessment of internal control over financial reporting as calendar-year companies and their auditors start their interim testing and hunt for material weaknesses.  This year will likely be especially challenging due to recent PCAOB inspection report ICFR findings and guidance such as Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control over Financial Reporting, issued in October 2013.  The SEC has weighed in over the last year as well.  So, we thought it might be helpful as we start the ICFR season to increase your awareness of the PCAOB and SEC concerns over ICFR assessments and audits and point you to some resources worth reading.

Let’s start with the PCAOB.  It is no secret that the PCAOB inspection staff has focused on ICFR audits and has not been happy with a lot of them.  If this is news to you, just take a look at the inspection reports issued to the Big 4 over the last few years. The inspections staff expects the firms to show progress in addressing inspection findings in the next audit cycle, so the pressure is on.  As a result, it is very likely that your auditors will be changing their audit methodology in some way this year, which will ultimately trickle down to what you do.  So our recommendation to registrants is to be pro-active: read the last 2 inspection reports your auditor received (you can find them at http://pcaobus.org/Inspections/Pages/PublicReports.aspx), read Staff Alert No. 11 (find it at http://pcaobus.org/Standards/QandA/10-24-2013_SAPA_11.pdf), and talk to your auditors about anticipated changes in your audit and their expectations.  And if you have an appetite for more, see an interesting speech by Board Member Jeanette Franzel at http://pcaobus.org/News/Speech/Pages/03262014_IIA.aspx.

The SEC has also expressed concern that some of the PCAOB’s inspection findings “are likely indicators of similar problems with management’s evaluation” (see Deputy Chief Accountant Brian Croteau’s speech last December at www.sec.gov/News/Speech/Detail/Speech/1370540472057#.VC6uXEuppZg)

For years, the SEC has voiced its concern that material weakness findings are lagging indicators, discovered as a result of a restatement, and not a leading indicator discovered in the ICFR assessment in time to prevent a restatement.  Case in point is the recent SEC Enforcement case against JDA Software Group.  The SEC investigation found that the company had inadequate internal controls over financial reporting, specifically in the area of revenue recognition, resulting in a multi year restatement.  And from Mr, Croteau’s remarks cited above there are more ICFR enforcement cases in the pipeline…

We hope this helps – happy hunting!

As always, we would love to hear your comments!

The SEC recently identified a new SEC enforcement initiative which “focuses on two types of ownership reports that give investors the opportunity to evaluate whether the holdings and transactions of company insiders could be indicative of the company’s future prospects.” The 2 ownership reports are Form 4, which is required of company insiders, officers, directors, and certain others when they buy or sell company stock, and Schedule 13D & 13G, which is required of beneficial owners of more than 5% of a registered class of company stock to report their holdings or intentions re: the company.

The Division of Enforcement brought charges against 28 officers, including some that were responsible for SEC Reporting, directors, or major shareholders for violating federal securities laws requiring them to promptly report information about their holdings and transactions in company stock. Six public companies were charged for contributing to filing failures by insiders or failing to report their insider delinquencies. The SEC Enforcement staff used “quantitative data sources and ranking algorithms [DERA at work again] to identify these insiders as repeatedly filing late”, some by years. The orders that were issued reinforced that even inadvertent failures to file are still violations of the rules. The initiative resulted in fines totaling $2.6 million from 33 individuals and companies.

While the 5% test can be challenging for some, the misses in filing Form 4s are surprising, as the rules are fairly clear, and take 10 minutes at the most, to digest, based on our experience in our SEC Reporting Skills Workshop. However, whether to check the 10-K cover page box for delinquent filer of Forms 3, 4, or 5 befuddles many; a hint – if everyone did what they were supposed to and filed as they should, the box is checked.

See the SEC’s Press Release at: http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370542904678

As always, we would love to hear your comments!

One of the open questions in adoption of the new Revenue Recognition Standard for public companies has been whether or not the SEC would require companies that adopt ASU 2014-09 retrospectively to apply it to all five years required in Form 10-K – Item 6 – Selected Financial Data.

Yesterday, September 11, 2014, at a Financial Accounting Standards Advisory Committee meeting the SEC Staff said they “would not object” if companies did not apply the standard to the fourth and fifth year back. As you know, S-K Item 301 for the five year summary requires clear disclosure when there are issues that affect comparability between years. In fact, S-K 301 says in Instruction 2:

Briefly describe, or cross-reference to a discussion thereof, factors such as accounting changes, business combinations or dispositions of business operations, that materially affect the comparability of the information reflected in selected financial data. Discussion of, or reference to, any material uncertainties should also be included where such matters might cause the data reflected herein not to be indicative of the registrant’s future financial condition or results of operations.

So, companies must address this lack of comparability, but at least we do not need to run parallel for revenue recognition for a five full years.

So, in a nutshell, the two choices in adopting the new standard are (adoption is required for years beginning after 12/15/2016 for public companies, one year later for non-public companies).

1. Full retrospective for all years presented, that is three years in a non-SRC or non-EGC 10-K. For this choice a company must “run parallel” for 2015 and 2016, and apply the new standard to 2017. (There are a few practical accommodations if you chose this option.)

2. Retrospective with a cumulative effect at the beginning of the year of adoption, 2017. However, if you use this method you must disclose the effect of the new standard on each line of the F/S affected. This means in essence you must run parallel for 2017 to provide comparative disclosures

So, now we know the choice with more clarity, and we can choose to double account for one or two years.

As always, welcome your comments and thoughts!

If there is any issue that is a hot topic in the business world today (and as a consequence in SEC reporting), it is cybersecurity. It seems we can’t go a week without hearing about a major cybersecurity event. From Target’s major attack last year and its consequences, to hospital records being breached, to even Apple possibly having a cybersecurity breach in it’s iCloud, cybersecurity continues to grow in complexity and impact.

One of the benefits of the SEC Institute programs now being part of PLI is that we have resources we could only have dreamed of before. One program that is particularly valuable today is our Cybersecurity 2014: Managing the Risk. This program is being held on September 10, 2014, and will be available in many cities and via webcast. You can learn more at our web page:

http://www.pli.edu/Content/Seminar/Cybersecurity_2014_Managing_the_Risk/_/N-4kZ1z12f7s?ID=178332

Meanwhile back on the disclosure front, as a reminder, the SEC’s guidance on cybersecurity disclosures (so far) is in Corp Fin’s Disclosure Guidance Topic 2. It discusses disclosures in varying levels of risk, more or less starting with risk factors, progressing to discussion of the impact of cybersecurity events in MD&A, and possibly including discussion in the Description of the Business and Legal Proceedings.

For risk factors the Disclosure Guidance Topic suggests, among other factors, considering:

 “Discussion of aspects of the registrant’s business or operations that give rise to      material cybersecurity risks and the potential costs and consequences;

To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;

Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;

Risks related to cyber incidents that may remain undetected for an extended period; and

Description of relevant insurance coverage.”

 The Disclosure Topic also includes a reminder about disclosure controls and procedures surrounding this issue. You can find the disclosure topic at:

www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

And, for the fun of it, here is an example of a current risk factor:

A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.

We rely extensively on our computer systems to manage inventory, process guest transactions, manage guest data, communicate with our vendors and other third parties, service ****** accounts and summarize and analyze results, and on continued and unimpeded access to the internet to use our computer systems. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial repair or replacement costs, experience data loss and impediments to our ability to manage inventories or process guest transactions, and encounter lost guest confidence, which could adversely affect our results of operations. The Data Breach we experienced negatively impacted our ability to timely handle customer inquiries, and we experienced weaker than expected U.S. Segment sales following the announcement of the Data Breach. Similarly, we experienced a temporary network disruption not involving a data breach in June 2014 that prevented many of our point-of-sale registers from working in a limited geographic region. This disruption caused checkout delays and generated negative publicity, and we engaged in promotional activities to retain our customers during the delay.

We continually make significant technology investments that will help maintain and update our existing computer systems. Implementing significant system changes increases the risk of computer system disruption. Additionally, the potential problems and interruptions associated with implementing technology initiatives could disrupt or reduce our operational efficiency, and could impact the guest experience and guest confidence.