As calendar-year reporting companies close the books on fiscal 2014, begin to tackle their annual reports on Form 10-K and think ahead to reporting for the first quarter of 2015, a number of issues warrant particularly close board and management attention. In highlighting these key issues, we include guidance gleaned from the late Fall 2014 programs during which members of the staff of the Securities and Exchange Commission (SEC) and other regulators delivered important messages for companies and their outside auditors to consider. Throughout this Alert, we offer practical suggestions on “what to do now.” While there are no major changes in the financial reporting and disclosure rules and standards applicable to the 2014 Form 10-K, companies can expect heightened scrutiny from regulators, and heightened professional skepticism from outside auditors, regarding compliance with existing rules and standards. Companies can also expect shareholders to have heightened expectations of transparency, fostered by notable 2014 events such as major corporate cyber-attacks. Looking forward into 2015, companies will need to prepare for a number of significant changes, including a new auditing standard for related party transactions, a new revenue recognition standard and, for the many companies that have deferred its adoption, a new framework for evaluating internal control over financial reporting (ICFR). The role of the audit committee in helping the company meet these challenges is undiminished – and perhaps, in regulators’ eyes, more important than ever.

2015 Challenges – Highlights

- The No. 1 challenge: cybersecurity
- Continuing spotlight on the audit committee’s role as “gatekeeper”
- Increased auditor scrutiny of related party transactions
- Preservation of auditor independence
- Proper evaluation of control deficiencies
- The heightened possibility of a corporate whistleblower
- Heightened SEC enforcement focus on financial reporting
- The SEC Enforcement Division’s “broken windows” policy
- Hot topics in the accounting arena relevant to the 2014 Form 10-K
- The new revenue recognition standard
- The new COSO framework for evaluating ICFR

Alert: SEC Disclosure and Corporate Governance, January 23, 2015, Weil, Gotshal & Manges LLP

Challenge One: Cybersecurity

Cyber-crime has become a chronic, enterprise-wide risk that poses one of the most significant threats to public companies. Recent, highly-publicized cyber-attacks on companies in a wide range of industry sectors – including media giant Sony Pictures Entertainment, retailers Staples, Home Depot and Target, and J.P. Morgan Chase in the financial sector, to name just a few – demonstrate the vulnerability of companies to cyber-attacks, the severe impact these attacks can have and the need for management and the board to take an integrated, proactive approach to addressing this risk.[1] The potential costs to a company of a successful cyber-attack can include loss of intellectual property; breach of customer data privacy; service and business interruptions; damage to physical infrastructure (e.g., corrupted servers); loss of brand value; response costs; loss of stock market value; regulatory inquiries and class action litigation; and management distraction. Not surprisingly, senior federal government officials have identified cybersecurity as a top national policy priority. Over the past few months, U.S.
Treasury Secretary Jacob Lew and others have urged companies in the banking sector to use a voluntary framework for managing cybersecurity risk, published in February 2014 and developed by the National Institute of Standards and Technology (“NIST”) in response to a Presidential executive order and policy directive.[2] Both President Obama and Secretary Lew have called on Congress to pass legislation in 2015 that would protect companies from liabilities that might arise from sharing competitively sensitive information relating to cybersecurity risks and breaches.[3] The events of 2014 will require a new round of discussion with boards of directors and C-suite executives about company cybersecurity policies and practices, and what companies can do to mitigate cyber-risks. The critical IP assets of the company need to be identified and protected as well as possible, using a variety of strategies that are regularly reviewed; and incident response plans (including information systems, business continuity and recovery planning for the outright destruction of data and systems, not just theft or tampering) need to be prepared, updated as necessary, tested periodically and fully implemented. Companies can and should also mitigate the residual financial exposure through company and D&O cyberinsurance. Protecting network security takes a village, involving every employee of the company. A culture of security needs to be instilled in every person touching a keyboard or a keypad. Companies also should review carefully their disclosures surrounding cybersecurity, whether made in an SEC filing or elsewhere.
Cybersecurity as a disclosure issue has been front-and-center on the SEC’s radar screen for some time now, beginning with the publication in October 2011 of Staff guidance on the disclosure obligations of public companies relating to cybersecurity risks and cyber-incidents.[4] The focus of this guidance is on whether information concerning cybersecurity and cyber-incidents rises to the level of a significant risk factor and/or a material “known event, trend or uncertainty” for purposes of the Management Discussion and Analysis (“MD&A”) section of periodic reports and other SEC filings. With respect to the MD&A, the critical determining factor cited in this guidance is whether “the costs or other consequences associated with one or more incidents or the risks of potential incidents [of cyber-breaches] represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” Concerned by mounting reports of major corporate cyber-breaches, the SEC held a March 2014 “cyber roundtable” bringing together industry groups and public and private sector participants to discuss, among other things, whether or not additional SEC guidance on the level of disclosure in a company’s public filings is necessary.
A few months later, SEC Commissioner Luis Aguilar delivered a speech to the New York Stock Exchange emphasizing that “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such [cyber] attacks[,]” and expressing the view that there is a disconnect between “the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.”[5]

To date, neither the SEC nor its Staff has taken any formal action as a follow-up to the March 2014 roundtable. That said, the Division of Corporation Finance Staff continues to highlight the importance of the issue in speeches and during the comment process, and to urge companies to look to the Staff’s October 2011 disclosure guidance in preparing their periodic reports. In this regard, companies should be aware that the Staff often monitors media coverage of a public company as part of any review of its periodic reports, and may ask tough questions in that context if reports of a potentially material cyber-breach appear to be inconsistent with a company’s risk factor, MD&A and/or contingent liability footnote disclosures.

What To Do Now:

- In addition to implementing a robust cyber-risk management program, develop a comprehensive plan for addressing the scenario of an enterprise-threatening cyber-attack. Specific points of vulnerability, such as vendor or other third-party access to corporate IT systems, should be identified and mitigated. The plan should bring together not just IT personnel, but also senior executives, investor relations, in-house and outside counsel, and outside communications advisors. In this regard, we recommend that companies consult the voluntary guidelines set forth in the NIST Framework,[6] and the guidance outlined in a new report from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), entitled COSO in the Cyber Age.[7]
  - Specifically, the plan should address how to contain and remediate the attack technically; when and how disclosure should be made internally – including to the board of directors – and to the public (both customers and investors); public relations; and whether and to what extent law enforcement and regulators need to be contacted (e.g., in the case of consumer privacy breaches). The plan should be flexible, tested repeatedly in practice and, most importantly, clearly designate who among the board, the company’s management and other staff will own the response to any cyber-attack should one occur.
- Arrange for cyber-risk training and education for board members to ensure that they are conversant in the technology and cyber-risks relevant to the company’s business operations and/or financial reporting controls, and consider competence in information technology when filling a new board position.
- Arrange for robust cybersecurity training company-wide on password hygiene and on socially engineered “spear phishing,” a common attack vector in which cyber-criminals send company employees email that looks routine and, if an attachment is opened or a link followed, installs malware on the employee’s machine and from there onto the corporate network.
- Determine whether the full board, or a board committee, will have direct oversight responsibility for cybersecurity. Heightened shareholder expectations regarding this responsibility may lead, in the event of a cyber-breach, to derivative suits for breach of fiduciary duties or other litigation,[8] and/or negative voting recommendations against board members from proxy advisory firms.[9] The attention to cyber-issues paid by the board or board committee should be extensive and carefully documented.
- Board members should review annual budgets for cybersecurity protection measures, understand and evaluate who in the company has responsibility for cybersecurity, and receive regular reports on compliance with cyber policies, procedures and controls, as well as on IT risks and any cyber-breaches.
- Carefully review company and D&O insurance policy provisions that relate to data breach and privacy claims, and ensure that such claims are not excluded. Exclusions of such claims – which we have recently seen in some policies – would also serve to exclude claims for breach of fiduciary duty and securities class actions arising out of a data breach.
- Ensure that there is a robust risk factor, if appropriate, that addresses the points the SEC Staff emphasized in its 2011 guidance and, as the Bank of America case discussed below makes clear, revisit the disclosure decision every quarter to consider:
  - Aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  - Any outsourced functions that have material cybersecurity risks, and how the registrant addresses those risks;
  - Cyber-incidents experienced by the registrant that are individually, or in the aggregate, material, including the costs and other consequences;
  - Risks related to cyber-incidents that may remain undetected for an extended period; and
  - Relevant cyberinsurance coverage.
- If the company has been the victim of cyber-crime over the past fiscal year, whether it be a theft of valuable intellectual property, consumers’ personal financial data, or other confidential business or financial information, the company should evaluate carefully the need for Form 10-K disclosure and the potential impact of the theft or other breach on the company’s internal accounting controls (e.g., safeguarding of assets) and/or its ICFR.

Challenge Two: Continuing spotlight on the audit committee’s role as “gatekeeper”

As SEC Chair Mary Jo White observed in a June 2014 speech at the Stanford Directors’ College, “audit committees, in particular, have an extraordinarily important role in creating a culture of compliance through their oversight of financial reporting.”[10] In March 2014, the SEC sued an audit committee chair for complicity in an accounting fraud scheme in what the SEC Enforcement Director described as a “cautionary tale of what happens when an audit committee chair fails to perform his gatekeeper function in the face of massive red flags” signaling accounting fraud.[11] Another company’s audit committee chair settled charges that month arising from her decision to sign a Form 10-K (as director) filed with the SEC despite facts putting her on notice that this filing contained a false Sarbanes-Oxley certification by the former CEO.[12] Throughout 2014, various members of the SEC and the Staff have reinforced these messages regarding the importance of the audit committee’s gatekeeper role, reminding companies of that committee’s duties under the federal securities laws to: (a) oversee the quality and integrity of the company’s financial reporting process, including the company’s relationship with the outside auditor; (b) oversee the company’s confidential and anonymous whistleblower complaint policies and procedures relating to accounting and auditing matters; and (c) report annually to shareholders on the performance of these duties.[13] Most recently, the SEC Chair has asked the Office of the Chief Accountant to re-examine the audit committee reporting requirements with a view to determining whether these requirements – which have not been updated since 1999 – should be improved.[14]

Even as the SEC has focused its attention on the performance of audit committees, the Public Company Accounting Oversight Board (PCAOB) has intensified its focus on the relationship between the outside auditor and the audit committee through the adoption of new and/or amended auditing standards. Effective in 2013 for calendar-year registrants, Auditing Standard No. 16, Communications with Audit Committees (AS 16), specifies a broad range of matters pertaining to the conduct of the audit that auditors must discuss with the audit committee. For more detail on AS 16, see our alert available here.[15] This communication requirement has been enhanced by an important new standard, discussed below, for auditor review of related party transactions, significant unusual transactions and relationships with executive officers. In addition, as a senior SEC accounting official observed in early December, recent improvements in the PCAOB’s inspection reports that explain which auditing standards accounting firms have been found to have misapplied in connection with audits “could be particularly useful for audit committees to promote meaningful discussions with auditors about whether and how those same standards are being applied on their engagements to help to address or to avoid similar issues.”[16]

Challenge Three: Increased auditor scrutiny of related party transactions, significant unusual transactions, and transactions/relationships between the company and executive officers (including incentive compensation)

With the SEC’s recent approval of PCAOB Auditing Standard No. 18, Related Parties (AS 18),[17] and associated amendments to other auditing standards, auditors will be required to heighten their attention to three areas that have been at the heart of corporate financial scandals dating back to Enron: (i) related party transactions; (ii) significant unusual transactions; and (iii) financial relationships and transactions with executive officers, including executive compensation arrangements. The unifying theme is that, in the regulators’ view, these transactions and relationships pose an increased risk of material misstatement due to fraud, conflict of interest or error. Auditors are being directed to consider the linkage between these three areas, “connect the dots” and, in particular, scrutinize the business purpose (or lack thereof) of relationships and transactions falling within the standard. Moreover, as noted above, AS 18 requires discussion of these areas of the audit with the audit committee. The new standard will take effect beginning with the first quarter of fiscal 2015 (for calendar-year registrants), but senior management and audit committees should be prepared for increased focus by the outside auditor in connection with the 2014 audit.[18]

Related Party Transactions. With regard to related party transactions, AS 18 requires the auditor to:

- Perform specific procedures to understand related party relationships and transactions, including their nature, terms and business purpose (or lack thereof). These procedures include inquiring of the audit committee or its chair as to the audit committee’s understanding of these matters and whether any member of the audit committee has any concerns about them.
- Evaluate whether the company has properly identified its related parties and the company’s relationships and transactions with them. If any were previously undisclosed to the auditor, require financial statement disclosure or otherwise carry significant risk, the auditor is required to perform more in-depth procedures.
As part of its evaluation, the auditor must obtain more extensive management representations, including as to any transactions that were not properly authorized or for which policy exceptions were granted.
- Communicate to the audit committee the auditor’s evaluation of the company’s identification of, accounting for, and disclosure of its relationships and transactions with related parties, and other significant matters arising from this aspect of the audit.

Significant Unusual Transactions. “Significant unusual transactions” are defined as transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to timing, size or nature. With regard to these transactions, the auditor must:

- Perform specific procedures to identify significant unusual transactions, and to understand and evaluate the business purpose (or lack thereof) and other elements of such transactions. These procedures include reading the underlying documentation relating to the transaction and evaluating whether the terms and other information about the transaction are consistent with explanations obtained from inquiries of management and other audit evidence about the business purpose (or the lack thereof) of the transaction; determining whether the transaction has been authorized and approved in accordance with the company’s established policies and procedures; and evaluating the financial capability of the other parties to the transaction with respect to significant uncollected balances, guarantees, and other obligations.
- Communicate to the audit committee the auditor’s understanding of the business purpose (or lack thereof) of significant unusual transactions.

Executive Officer Relationships and Transactions. Finally, the auditor will be required to follow new procedures designed to help uncover incentives or pressures for the company to achieve a particular financial position or operating result.
Specifically, the auditor must perform procedures to understand the company’s financial relationships and transactions with its executive officers, given the influence these officers have on the company’s accounting and financial statements. Note, however, that the auditor will not be required to assess the reasonableness or appropriateness of a company’s compensation arrangements. AS 18 provides that these additional procedures should include:

- Review of the employment and compensation contracts between the company and its executive officers.
- Review of the company’s proxy statement and other relevant filings with the SEC and other regulatory agencies that relate to the company’s financial relationships and transactions with its executive officers. In particular, the auditor must obtain an understanding of established policies and procedures regarding the authorization and approval of executive officer expense reimbursements.
- Consideration of whether to inquire of the chair of the compensation committee and any compensation consultants engaged by either the compensation committee or the company regarding the structuring of the company’s compensation for executive officers.

It remains to be seen how outside auditors will apply the new and amended auditing standards, particularly with respect to initiating discussion with compensation committees as well as audit committees. In this connection, the auditor’s decision may turn on the quality of the company’s proxy disclosures and supporting documentation of executive officers’ employment and compensatory arrangements with the company, and the auditor’s level of confidence in the accuracy and completeness of the management representations mandated by the new requirements.
What To Do Now:

- Take a fresh look at the company’s related person transaction policy, including the continuing appropriateness of any blanket carve-outs from pre-approval requirements. Ask how the policy has worked in practice and whether any refinements should be made. Consider whether the committee charged with administering the policy has sufficient access to legal and other advisors to obtain the information and advice necessary to make its determinations.
- Look back to determine whether and how often the company has engaged in transactions that would fit the new PCAOB definition of significant unusual transactions. Use this review to understand the nature of significant unusual transactions that may occur in the future, and adopt (or revise, as appropriate) procedures for reviewing and establishing the business purpose for such transactions.
- Consider the circumstances under which relationships and/or transactions with executive officers have been permitted and whether such relationships and/or transactions are appropriate or necessary and in the best interests of the company. Review incentive compensation arrangements that provide incentives to achieve a particular financial result, and expect additional auditor scrutiny of such arrangements. We expect perquisites to be a particular target of auditor scrutiny.
- Advise both the audit committee and the compensation committee of the scope and implications of AS 18, which will apply to the auditor’s review of the first quarterly report of 2015 to be filed by calendar-year reporting companies, and plan for the possibility that the auditor may wish to engage in dialogue with the compensation committee.

Challenge Four: Preservation of auditor independence

In early December 2014, a senior SEC accounting official reminded audit committees and management of the importance of having appropriate policies in place to evaluate the non-audit services provided by the company’s outside auditor.
Citing the need to monitor “the provision of non-audit services for the risk of ‘scope creep’ that could result in a service becoming impermissible and impairing the auditor’s independence,” this official described a situation where “a large accounting firm resigned from an issuer audit engagement because a purportedly permissible non-audit service was found to have deviated from its intended scope causing the auditor to impair its independence for the current period.”[19] The negative consequences of gradual “scope creep,” he emphasized, can be severe – an unplanned change in auditors and potential re-audits, which “can be costly and distracting to the company and its shareholders and can interfere with capital raising plans.” As if to reinforce this point, on December 8, 2014, the SEC filed and settled enforcement actions against eight independent public accounting firms based on allegations that these firms improperly prepared their audit clients’ financial statements – a clearly prohibited non-audit service.[20] The PCAOB weighed in on the same day, instituting settled proceedings against seven of these firms for the same conduct.

Even in situations where an outside auditor renders a permissible non-audit service for its audit client, neither the nature of a particular service nor the manner in which it is provided can be at odds with certain basic principles outlined in the Preliminary Note to Rule 2-01 of Regulation S-X. Specifically, a relationship or a service provided by the outside auditor must not:

- Create a mutual or conflicting interest with its audit client;
- Place the auditor in the position of auditing its own work;
- Result in the auditor acting as management or an employee of the audit client; or
- Place the audit firm in the position of being an advocate for the audit client.
Earlier in the year, the SEC brought and settled two enforcement proceedings intended to highlight basic auditor independence principles. In the first, an E&Y subsidiary had lobbied Congressional staff on behalf of audit clients.[21] In the second, KPMG provided prohibited non-audit services, including restructuring, corporate finance, expert services, bookkeeping, and payroll, to an audit client and an affiliate of an audit client; in addition, some KPMG employees owned stock in audit clients or their affiliates; and the firm hired a former employee of an affiliate of an audit client and then loaned him back to the affiliate to do the same work.[22] In a separate but related investigative report, the SEC also discussed the scope of the independence rules in connection with KPMG’s “loan” of non-management level tax professionals to certain audit clients.[23] The SEC clarified three points:

- Even though an auditor may provide tax services to its audit clients (subject to certain limitations), it may not provide professionals as employees of the audit client to perform tax work. An auditor may not provide otherwise permissible non-audit services to an audit client in a manner that is inconsistent with other independence rules.
- An arrangement in which an accountant acts as an employee of an audit client is impermissible, regardless of whether the accountant acted as a director or officer, or performed any decision-making, supervisory or ongoing monitoring functions for the audit client.
- In analyzing whether an accountant is acting as an employee of an audit client, auditors and audit clients must carefully consider whether the relationship or service in question would cause the accounting firm’s professionals to resemble, in appearance and function, even on a temporary basis, the employees of the audit client.
What To Do Now:

- It is vital to public companies that their auditor’s independence not be impaired, which would call into question the validity of the integrated audit of the financial statements and ICFR. An after-the-fact challenge to an auditor’s independence, whether raised by the SEC or the PCAOB, can have disastrous repercussions for an issuer – perhaps even precluding access to the capital markets if the regulator decides historical financial statements must be re-audited by a different registered public accounting firm. Companies, and their audit committees in particular, thus must monitor non-audit services and fees closely. There should be a clearly established process for review and approval by the audit committee of non-audit services before such services are rendered. Any independence questions should be vetted with the auditor and outside counsel.
- Raise thorny independence questions with the SEC. The SEC has emphasized that the Office of the Chief Accountant has a Professional Practice Group available to answer such questions. In the press release announcing the KPMG charges and settlement, the SEC reiterated that, “[a]uditors and audit committees are encouraged to consult the SEC staff with questions about the application of the auditor independence rules, including the permissibility of a contemplated service.”

Challenge Five: Proper evaluation of control deficiencies

Echoing concerns he initially expressed in December 2013, and citing an ICFR enforcement action instituted this past July against the former CEO and CFO of a public company (discussed below), Deputy Chief Accountant Brian Croteau of the SEC’s Office of the Chief Accountant (OCA) noted at the December 2014 AICPA conference that he continued to question whether material weaknesses in ICFR were being properly identified and disclosed by management in the absence of a material misstatement.
Another senior OCA staff accountant elaborated on this theme, stating that some company management may be focusing “too narrowly on what happened as opposed to considering holistically what could happen in the context of current and evolving financial risk.”[24] To illustrate this aspect of the so-called “could” factor, he offered the following hypothetical: A company identifies an immaterial prior period error in one revenue stream, but does not go on to consider that its business is growing and diversifying, and that the error arose because the company has not devoted sufficient resources to keep up with its growth and expansion into new lines of business that will generate new revenue streams. From the Staff’s perspective, this scenario “[o]bviously … raises questions about what other amounts or disclosures could be impacted by the lack of resources,” and whether the failure of a transaction-level control (resulting in an immaterial error) might signal the presence of a broader control deficiency or deficiencies.

On a separate but related point, the OCA Staff emphasized that describing an accounting error that resulted from, or could result from, a control deficiency “is not the same as describing the control deficiency.” Disclosures or descriptions relating to a control deficiency that are limited to an explanation of the accounting error may call into question “management’s understanding of the implications of the deficiency and whether its severity was appropriately evaluated.” To help management avoid this trap of equating an accounting error with a control deficiency, the Staff offered this non-exclusive list of factors that could be considered:

- Nature of the control deficiency – is it an issue of design or operating effectiveness? Is the issue narrow, or could the deficiency be broader than what has been observed?
- Impact of the control deficiency on financial reporting and ICFR.
- Cause of the control deficiency.
- Identification of the control deficiency – how was it discovered and by whom (the outside auditor or management)? If identified by management, was the discovery accidental, or was it made pursuant to the normal operation of the relevant controls?
- Remediation – what measures are likely to be necessary to rectify the deficiency?

What To Do Now:

- The company’s disclosure committee and internal audit group should keep in mind the SEC Staff’s emphasis that a material weakness in controls can exist even in the absence of a material misstatement. Be aware of the SEC Staff’s position that describing the accounting error is not the same as describing the control deficiency, and that the factors discussed above must be taken into account when describing the control deficiency.

Challenge Six: The heightened possibility of a corporate whistleblower

Now in its fourth fiscal year of operation, the SEC’s Dodd-Frank whistleblower bounty program has generated over 3,000 tips relating to possible federal securities law violations in each of the last three fiscal years, culminating in a record total of 3,620 tips for the fiscal year ending September 30, 2014.[25] Given the substantial financial incentives for potential whistleblowers – the SEC awarded over $30 million in late September 2014 to a single whistleblower residing in a foreign country – and the expansive manner in which the agency is interpreting its statutory mandate,[26] those responsible for oversight of internal corporate complaint systems must understand the SEC’s current thinking in this area and, in particular, its relevance to the financial reporting process.

First, the SEC appears determined to enforce the anti-retaliation provisions of the Dodd-Frank whistleblower rules.
In the summer of 2014, the SEC brought its first case – a settled administrative proceeding against a hedge fund adviser and its individual owner based on allegations that they had illegally retaliated against a trader for reporting suspected misconduct to the SEC.27 The firm and its owner agreed, as part of the settlement, to pay $2.2 million in disgorgement and penalties. As the SEC Staff later explained in a report to Congress, this proceeding is intended to “send a strong message to employers that retaliation against whistleblowers in any form is unacceptable.”28 In addition to bringing a direct action to enforce the governmental anti-retaliation provision of Dodd-Frank, the SEC also has weighed in, as amicus curiae (“friend-of-the-court”), with briefs filed in support of those corporate employees who pursue Dodd-Frank’s private anti-retaliation remedy in federal court. This has been true even in situations where the particular employee-plaintiff reported a suspected securities law violation internally without bringing the matter to the attention of the SEC – a step that one federal appellate court thus far (the U.S. Court of Appeals for the Fifth Circuit) has found to be an essential prerequisite to invoking a judicial anti-retaliation remedy notwithstanding an SEC rule indicating that internal reporting is sufficient.29 Several federal trial courts have reached inconsistent decisions, with some following the Fifth Circuit and others agreeing with the SEC’s interpretation.30 The same issue is now pending in the U.S. Court of Appeals for the Third Circuit, where the SEC has filed an amicus brief asking the appellate panel to defer to its rule protecting a whistleblower who complained internally of overbilling and other possible forms of misconduct without also notifying the SEC.31 Should a split among the federal appellate courts develop in connection with this or future cases, there is the potential for Supreme Court review. 
Second, the SEC Staff continues to express strong disapproval of perceived corporate efforts to discourage any potential whistleblower activity, whether internal or external. The Office of the Whistleblower, within the SEC’s Enforcement Division, “has been working to identify employee confidentiality, severance, and other kinds of agreements that may interfere with an employee’s ability to report potential wrongdoing to the SEC.”32 A media report indicated, in this connection, that the SEC Staff had opened an investigation into the use of a confidentiality agreement by a large defense contractor to resolve employee allegations of wrongdoing made pursuant to internal whistleblower channels.33 The SEC’s concern is that such agreements could operate to bar disclosure of perceived wrongdoing to federal law enforcement officials absent permission from the company, which the SEC believes would “undermine the important role that public companies’ internal compliance programs play in helping the Commission prevent, detect and stop securities law violations.”34

Finally, it is worth noting that the SEC’s Office of the Whistleblower works closely with other groups within the Division of Enforcement, including most prominently the Financial Reporting and Audit Task Force and the FCPA Unit, to achieve common objectives. To cite just one example of such collaborative efforts, the Office’s Chief stated in a June 2014 interview that his staff will send messages to potential whistleblowers (presumably via its website, at http://www.sec.gov/about/offices/owb.shtml) inviting tips on particular types of securities law violations that are among the Division’s top investigative priorities.35 Among these priorities, as discussed, are accounting and auditing matters.
What To Do Now:

• In light of the SEC Chair’s emphasis on the “gatekeeper” duties of boards of directors in the Dodd-Frank whistleblower context, we recommend that boards heed her advice “to learn and be engaged” in overseeing their companies’ whistleblower complaint systems. (Note that SOX also imposes an express oversight obligation on audit committees, at least with respect to whistleblower complaints relating to accounting and auditing matters as noted above).
• We suggest that boards request regular reports from senior management, as well as responsible legal and compliance personnel and outside counsel, on how well these systems are being administered in accordance with guidance on effective compliance programs from the SEC, the Department of Justice, the federal courts and the U.S. Sentencing Commission.
• Special care should be taken in drafting employment agreements for employees at all levels of the company to avoid problematic confidentiality provisions that could be viewed by the SEC as unduly chilling whistleblower complaints to governmental officials.

Challenge Seven: Heightened SEC enforcement focus on financial reporting

It has been well over a year since the SEC Enforcement Division established the new Financial Reporting and Audit Task Force, a small group of Division lawyers and accountants whose work is supported by lawyers, accountants and economists throughout the agency.
The Task Force was given the job of determining whether the declining number of restatements observed by the SEC in recent years should be attributed to a reduction in fraudulent financial reporting or, instead, to the government’s failure to detect wrongdoing.36 With the aid of sophisticated technological tools, the Task Force and others within the SEC are searching for signs of accounting fraud by closely monitoring “high-risk” companies to identify possible misconduct, evaluating whistleblower tips, analyzing corporate performance trends by industry, reviewing securities fraud class actions and the relevant academic literature, and conducting “street sweeps” targeting specific industries and/or accounting practices. Various members of the Task Force have delivered speeches identifying certain accounting-related practices as potentially indicative of fraud, including the misapplication of U.S. Generally Accepted Accounting Principles (GAAP) relating to revenue recognition, the definition of business segments, reserves (litigation, loan loss) and fair value measurements, multiple financial statement revisions within relatively short periods, deficient ICFR, and a high proportion of off-balance sheet financing arrangements. Because all of these areas involve difficult management judgments that rely heavily on assumptions and estimates, the Task Force is looking for instances in which the company’s management crossed the line between good-faith errors in judgment or calculation, on the one hand, and, on the other, bad faith or reckless conduct tantamount to fraud. It is unclear whether recent enforcement cases highlighting some of the topics outlined below – in particular, deficient ICFR and MD&A disclosure involving areas of significant management estimates and judgment pertaining to a company’s future performance – can be credited to the Task Force’s investigative activities. 
We do know that, during an SEC fiscal year (ended September 30, 2014) marked by a record high number (755) of SEC enforcement actions yielding $4.1 billion in disgorgement and penalties, the number of SEC financial reporting cases rose by almost one-half.37 And we also know that the largest plurality of whistleblower tips received by the SEC during its fiscal 2014 (16.9%) involved “corporate disclosures and financials.”38 Perhaps most importantly, we should expect more of the same in 2015. SEC Enforcement Division Director Andrew Ceresney reportedly stated, during the December 2014 AICPA conference, that the Division “continues to focus on accounting and disclosure violations relating to off-balance-sheet transactions, valuation of assets, related-party transactions, and revenue recognition.”39 The relevance of these trends to companies’ preparation of their upcoming Forms 10-K is discussed in greater detail below.

A. ICFR and Sarbanes-Oxley Certifications

As part of its multi-front initiative to improve the quality of ICFR and related disclosures and CEO/CFO certifications, the SEC has brought high-profile ICFR cases recently against large financial institutions40 as well as several non-financial companies.41 In July 2014, the SEC charged a CEO and former CFO with concealing significant control deficiencies relating to the company’s internal control system, and falsely certifying in SEC reports that all such deficiencies had been communicated to the external auditor, without bringing any accompanying charges against the issuer.42 What makes this such a strong ICFR “message” case is the SEC’s exclusive focus on the alleged misconduct of senior management in bringing books-and-records and ICFR disclosure and false certification charges against the responsible individuals, without alleging that this misconduct caused any material misstatement in the company’s financial statements.
In the meantime, the PCAOB has been cracking down on registered public accounting firms responsible for ICFR audits through disciplinary proceedings and the staff inspection process (along with the other measures discussed above), which is likely to intensify the nature and scope of outside auditors’ inquiries into the basis of management representations on critical accounting estimates and other matters involving management judgment. A senior SEC accountant suggested in late 2013 that the ICFR audit-related problems outlined in PCAOB inspection reports could signal flaws in ICFR evaluations by management which, in turn, could be masking unidentified material weaknesses.43 In this climate, a company’s unremediated and undisclosed control deficiencies – if deemed sufficiently serious by the outside auditor – might prompt the auditor to give more careful consideration to its statutory duty to report potential securities law violations to the SEC.

What To Do Now:

• As discussed above, companies need to take a fresh look at the adequacy of their ICFR systems and related disclosures and management certifications. Additionally, they need to review in particular high fraud-risk areas where the application of GAAP is based heavily on management assumptions and estimates, thereby placing outside auditors on high alert.
• Bear in mind that the SEC’s comment process – and the manner in which a company responds to such comments – can lead members of the Division of Corporation Finance reviewing staff to refer a matter to the Division of Enforcement. This can occur even when the Division advises the company that it has no further comments. See, e.g., SEC enforcement case involving improper application of GAAP in defining business segments brought against PACCAR, which originated with a Division of Corporation Finance referral.44

B. Disclosure of Known Material Trends or Uncertainties

In August 2014, the SEC brought and settled a major MD&A case against Bank of America involving allegations of failure to disclose a material “known trend or uncertainty” in accordance with Item 303 of Regulation S-K.45 Pursuant to this settlement, reached in an administrative proceeding that accompanied the settlement of a separate securities fraud case, the company acknowledged that it had failed to satisfy its obligation to inform investors – through the MD&A section of each of two quarterly reports filed in 2009 – about certain “known uncertainties” regarding the material impact on future income levels of the company because of its potential exposure to mortgage repurchase claims stemming from the collapse of the nation’s housing market. According to the settlement order in the MD&A case, the SEC applied the two-pronged test for evaluating the materiality of a known trend, event or uncertainty that was first delineated in an MD&A interpretive release issued by the SEC in 1989. Under this test, once management identifies a given trend, demand, commitment, event or uncertainty, it must make two assessments:

• Is the known trend, demand, commitment, event or uncertainty likely to come to fruition? If management determines that it is not reasonably likely to occur, no disclosure is required.
• If management cannot make that determination, it must evaluate objectively the consequences of the known trend, demand, commitment, event or uncertainty, on the assumption that it will come to fruition. Disclosure is then required unless management determines that a material effect on the registrant’s financial condition or results of operation is not reasonably likely to occur.46

The SEC’s settlement order went on to state that the term “reasonably likely” as used in the MD&A context sets a lower disclosure threshold than “more likely than not.” It is worth emphasizing that the disclosure violations charged arose from deficiencies in quarterly reports on Form 10-Q that were not deemed to have been mitigated by more comprehensive MD&A and risk factor disclosure provided in the bank’s Form 10-K for the relevant year. Specifically, the SEC’s order noted that Bank of America added “for the first time” a risk factor and MD&A disclosure in the subsequent Form 10-K, when it should have divulged the underlying information earlier, in its Form 10-Qs, in order to alert investors on a timely basis.

SEC Staff members reinforced the lessons of the Bank of America MD&A case during the December 2014 AICPA conference, pointing to the importance of adherence to the SEC’s two-step analytical framework and the mandatory nature of the “known trend, event or uncertainty” disclosure duty.
More generally, the Division of Enforcement Director re-affirmed the SEC’s intent to make greater use of two strategies underpinning this and other notable financial reporting actions brought in 2014 by the SEC – requiring the admission of culpability in certain cases, and bypassing the courts in favor of administrative cease-and-desist proceedings.47

What To Do Now:

• Corporate preparers and/or reviewers of the upcoming Form 10-K (or Form 10-Q for non-calendar year registrants), along with the disclosure committee responsible for administering the company disclosure controls and procedures that underpin certifications by the CEO and CFO, should discuss the lessons of the Bank of America case, in particular to underscore the point that MD&A requires certain forward-looking disclosures, and that companies should apply the SEC’s two-pronged test in analyzing the need for disclosure.
• In preparing each Form 10-Q and Form 10-K, thoroughly review the company’s risk factors (and cautionary statements) to determine whether they should be updated in light of recent developments.

Challenge Eight: The SEC Enforcement Division’s “broken windows” policy

Even as the SEC pursues complex financial reporting cases, the agency is also targeting potential areas of systemic corporate and individual non-compliance with technical disclosure requirements, consistent with the so-called “broken windows” philosophy of securities law enforcement first articulated by Chair White in an October 2013 speech.
As applied to the securities markets, this philosophy rests on the “theory that minor violations that are overlooked or ignored can feed bigger ones, and, more importantly, can foster a culture where laws are increasingly treated as toothless guidelines.”48 Two notable examples of the SEC’s broad application of the “broken windows” enforcement approach in 2014, resulting in the institution of multiple administrative proceedings against unrelated companies and/or individuals, are discussed below. With respect to one of these series of “sweep” cases, involving violations of transactional and beneficial ownership reporting rules promulgated under Section 16(a) and/or Section 13(d) of the Securities Exchange Act of 1934, as amended (Exchange Act), the SEC expressly credited its ability to harness quantitative analytics and ranking algorithms to identify both “individuals and companies with especially high rates of filing deficiencies.”49 Companies should be aware, in this regard, that the Enforcement Division formed the Center for Risk and Quantitative Analytics in mid-2013 for the specific purpose of developing and employing sophisticated technological tools to flag and refer instances of potential wrongdoing to the Division’s investigative staff for further review and assessment.

A. SEC crackdown on untimely insider reporting

After conducting a broad inquiry into the state of compliance with technical transactional and beneficial ownership reporting rules under Exchange Act Sections 16(a) and 13(d), the SEC filed “cease-and-desist” administrative enforcement proceedings in early September 2014, against 28 officers, directors and/or major shareholders of public companies for late insider reporting. Six publicly-traded companies also were charged in connection with contributing to, or causing, filing failures by their directors and/or officers.
Some filings were delayed by weeks, months or even years. Of the 34 respondents charged, all but one (an individual) decided to settle with the SEC simultaneously with the filing of charges, thus agreeing to the entry of cease-and-desist orders and an aggregate $2.6 million in financial penalties (with penalties ranging from $25,000 to $150,000).50 The SEC’s Enforcement Division Director, Andrew Ceresney, clearly signaled frustration with repeat offenders in announcing the settlements, stressing that the insider reporting requirements are not “mere suggestions” and that the SEC’s actions “send a clear message about the importance of these filing provisions.” The actions against the six publicly traded companies are particularly noteworthy because the filing of insider reports under Section 16(a) of the Exchange Act is the individual responsibility of each executive officer and director (and holders of more than 10% of a company’s Section 12-registered equity) of a public company. However, many companies assist their officers and directors with meeting their Section 16 filing obligations, and all companies are required by Item 405 of Regulation S-K to disclose in their proxy statements (and Part III of Form 10-K) any delinquent insider filings. Companies and their insiders therefore are now on notice that “inadvertence is no defense to filing violations, and [the SEC] will vigorously police these sorts of violations through streamlined actions.” On the same day that the foregoing “technical” reporting charges were made public, the SEC filed and settled charges against a biotech company and its former CEO alleging (among other things) an antifraud violation because the former CEO’s undisclosed stock sales would have been material to a reasonable person’s investment decision. 
The SEC stated that, because of the failure to report the CEO’s numerous sales, investors “were denied important and timely information about how an insider is potentially viewing the company’s future prospects.”

What To Do Now:

• Companies should re-examine their policies and procedures relating to compliance with insider reporting requirements. To the extent that a company assists its insiders with their Section 16(a) filings, the company must be diligent in its efforts to file in a timely manner all Section 16(a) reports on behalf of its officers and directors, and must have adequate processes in place to ensure that the company is made aware of all potentially reportable transactions in sufficient time for it to prepare and make the required filing. Remember that insiders’ so-called “Rule 10b5-1(c) plan” purchases and sales are reportable.
• Companies should engage in due diligence before reporting in the proxy statement (and Form 10-K) regarding whether or not there were delinquent insider filings. In this regard, companies should add an appropriate question (or questions) to the directors’ and/or officers’ questionnaires that must be completed for purposes of proxy statement (and Form 10-K) disclosure, to list all potentially reportable transactions that occurred during the prior fiscal year – including those made pursuant to Rule 10b5-1(c) arrangements.

B. Form 8-K reporting on unregistered equity issuances

The need for effective disclosure controls and procedures to ensure timely disclosure of material events on Form 8-K was highlighted in early November 2014, by a flurry of settled, negligence-based enforcement proceedings brought against 10 companies for failing to report unregistered equity sales and related financing agreements.51 All 10 companies failed to comply with Item 3.02 of Form 8-K, which calls for disclosure of relatively large unregistered sales of stock considered dilutive to existing shareholders, with some also sanctioned for neglecting to disclose material financing agreements pursuant to Item 1.01 of this Form. Finally, three of these companies disclosed incorrect stock dilution levels in quarterly or annual reports. Each company agreed to a cease-and-desist order and payment of penalties ranging from $25,000 to $50,000 (for a combined total of $350,000).

What To Do Now:

• Refresh the company’s disclosure controls and procedures to make sure they are sufficiently well-calibrated to capture triggering events that may arise in “real time” and must be reported on Form 8-K within four business days. This might entail forming a sub-committee of the company’s disclosure committee whose members are in the best position to collect information and make quick, often difficult materiality judgments. Some of these events may be predictable and/or require board action, which facilitates 8-K compliance, but others may not be as susceptible to advance notice and careful materiality analysis (e.g., unanticipated selective disclosures of material, non-public information that could be violative of Regulation FD, but may be remediated through “prompt” Form 8-K disclosure within 24 hours). Accordingly, companies must design and maintain effective early-warning systems to enable the right personnel to track and analyze potentially reportable developments that might trigger a Form 8-K filing obligation. With respect to Item 8.01, Other Events, the company should identify types of information that do not fit readily within the other 8-K line-items but nevertheless should be disclosed in a “filed” Form 8-K that will be automatically incorporated by reference into shelf registration statements.
• To help the company avail itself of the safe harbor from antifraud liability that operates to allow disclosure in a subsequent Form 10-Q or 10-K of certain types of trigger events that should have been, but were not, reported on Form 8-K, the disclosure controls and procedures for these periodic reports should include a “look-back” process for determining whether the company missed a required Form 8-K during the relevant reporting period. This safe harbor is available only for those Form 8-K line-items that involve tough materiality judgment calls, such as entry into or termination of a material definitive agreement (Items 1.01 and 1.02, respectively), and does not insulate the company against non-fraud enforcement action by the SEC for failure to file an 8-K.

Challenge Nine: Hot topics in the accounting arena relevant to preparing the 2014 Form 10-K

During the December 2014 AICPA conference, accountants from the SEC’s Office of the Chief Accountant and Division of Corporation Finance covered a number of topics that are highly relevant to the preparation of the financial statements and MD&A section of upcoming Form 10-Ks, particularly by larger companies.

A. Segment Reporting

A senior OCA staff member outlined the SEC Staff’s “refreshed approach” to evaluating companies’ segment disclosures under current GAAP (ASC 280).52 Specific guidance was provided on several issues noted below.

Identification of the Chief Operating Decision Maker.
The determination of segments begins with identifying the right Chief Operating Decision Maker (CODM), which term refers to a function rather than a member of top management with a particular title, such as the CEO or CFO. The central question is “what the key operating decisions are and who is making those decisions for the entity as a whole.” Such decisions might not be made at the top strategic or ultimate decision maker level – namely, the CEO – but rather by personnel who, like the COO or even a committee of individuals, are closer to the day-to-day operations of the company.

Identification of Operating Segments. Although segments may be evident from the structure of a company’s organizational chart, the CODM cannot stop here. An organizational chart is just a data point, perhaps a good one; however, “the underlying principle [of ASC 280] requires consideration of the nature and extent of information that is reported to the CODM by each of the positions you identify on that [organizational] chart.” In tacit acknowledgement that the Staff may have created a de facto presumption, through the review and comment process, that whatever information has been provided to the CODM – known as the CODM report or package – is the determinative factor in identifying operating segments, the Staff will now treat this report as just one of multiple data points to be applied as part of a principles-based analysis.
From the Staff’s “refreshed” perspective, companies should “avoid over-reliance on the CODM report and, instead, apply the principles within ASC 280 to ensure your identification of operating segments is consistent with the objectives of segment reporting.” Additional factors that may be considered include – but should not be limited to – “the overall management structure, the basis on which budgets and forecasts are prepared, and the basis on which executive compensation is determined.” Although not mentioned in the Staff’s AICPA speech, Division of Corporation Finance reviewers are likely to continue to examine a company’s earnings releases and listen to webcast earnings calls, along with other publicly available information about the company (such as marketing materials and analyst reports), and raise questions if any inconsistencies are observed between these data points and segment definitions reflected in the financial statements and MD&A sections of periodic reports filed with the SEC.

Aggregation of Operating Segments. Described by the Staff as “one of the more judgmental areas of the operating segment literature,” the pertinent provisions of ASC 280 permit aggregation of two or more operating segments only if companies can satisfy all of the following criteria that together establish a “high hurdle”: (1) aggregation is consistent with the objective and basic principles of the standard; (2) segments have similar economic characteristics; and (3) the segments are similar in each of these five areas: (a) the nature of products and services, (b) the nature of the production process, (c) the type or class of customers, (d) the methods of distribution of products and/or services, and (e) if relevant, the regulatory environment (banking, insurance, public utilities).
To illustrate the difficulty of supporting an aggregation decision in the event of a Staff challenge, the Staff described taking the position in 2014 that aggregation would not be permissible in a situation where two segments had similar products, production processes, and methods of distribution, and shared one similar customer base, but one segment had a second, incremental customer base that produced a material revenue stream. The Staff’s key take-away? “[M]ost entities will have more than one reportable segment and less than ten.”

Don’t Forget that Material Segment Errors May Affect Goodwill Impairment Determinations. The Division of Corporation Finance accounting staff observed at the recent AICPA conference that, because operating segments (or one level below) are reporting units for purposes of goodwill impairment testing, a material error in determining segments can lead to an otherwise unanticipated goodwill impairment charge. Although the Staff has been inclined to issue “futures” comments allowing companies to correct mistakes in segment presentation in future periodic reports, it will be far less lenient if changes in operating segments result in the impairment of a reporting unit. This is an important consideration for those companies undergoing growth by acquisition – keep a careful eye on the need periodically to re-assess and perhaps to re-define operating segments, and the impact of such re-definition on accounting for accumulated goodwill.

B. Cash Flow Statements

After noting a steady increase in the number of restatements over the past five years due to errors in cash flow statements, while restatement levels otherwise seem to have stabilized, the SEC Staff reviewed a sample of corporate disclosures and found that most involved errors “in relatively less complex applications of GAAP [ASC 230], such as failure to appropriately account for capital expenditures purchased on credit.”53 Without speculating on the possible root causes, the Staff recommended that companies take a careful look this fiscal year-end at the following aspects of their processes and internal controls for preparing the statement of cash flows:

Collection of Data. Companies should re-examine how they are collecting the financial information needed to prepare the cash flow statement, to make sure that they have the processes in place to ensure that the information is accurate and complete, especially to the extent that new or non-recurring transactions have occurred. Consider whether there are ad hoc manual processes that could be standardized or automated.

Personnel. Companies should determine whether the people preparing the statement of cash flows understand applicable GAAP and, if needed, find ways to provide better training. Reviewers should have the expertise to identify and prevent misstatements.

Timing. Find ways to prepare and review the statement of cash flows earlier in the financial statement closing process.

Take a Deeper Dive into ICFR. In considering and evaluating the existing ICFR relating to the preparation and review of the statement of cash flows, drill down below Control Activity level controls to cover Risk Assessment and Monitoring controls.

C. Pensions (Defined Benefit Plans)

An OCA Staff member reminded companies that mortality is a key assumption used, in defined benefit plan accounting (ASC 715), to measure a plan’s cost and the employer’s obligation.54 The Staff understands that many companies have used the mortality tables published by the Society of Actuaries (SOA) in developing their best estimate of mortality. Given the SOA’s publication in October 2014 of updated mortality data and improvement scale reflecting improved longevity, the Staff does not believe it would be appropriate for companies to disregard the new data in formulating their best estimate of mortality. In addition, the Staff expects companies to disclose the impact of any change in the mortality assumption to the extent that it results in a significant change in the benefit obligation.

D. Income Taxes

The quality of corporate income tax-related disclosures in MD&A is still an area of significant SEC Staff concern, as Division of Corporation Finance accountants emphasized during the December 2014 AICPA conference. Specific topics that continue to be under Division reviewers’ microscope are income tax rate reconciliations, valuation allowances and the ability to realize deferred tax assets, and the liquidity and tax implications of repatriated overseas earnings. As was the case with statements of cash flows in 2014, the SEC Staff plans to assess possible causes of recent restatements attributable to material errors in the application of income tax accounting (ASC 740). To summarize the key Staff comments on areas of needed improvement with respect to MD&A tax disclosures (assuming the requisite level of materiality):

• Significant differences between actual and expected (based on the company’s pre-tax income and statutory tax rate) income tax expense. The Staff expects companies to explain these differences.
• Situations where effective tax rates are volatile, or where such volatility is offset by material compensating components. The Staff wants companies to use the MD&A to explain material fluctuations in the effective tax rate, or lack of such fluctuation due to offsetting or compensating components, and to discuss such components on an individual basis.
• Where foreign earnings represent a material portion of the company’s total pre-tax income, the Staff will be seeking more detailed explanations during the 2015 comment process in response to investor calls for more meaningful disclosures on the impact of foreign taxes on a company’s earnings. Generic or boilerplate disclosures that foreign earnings and/or tax rates might change in the future are insufficient, particularly if an individual tax jurisdiction presents unique material risks and uncertainties warranting MD&A disclosure as a “known trend, event or uncertainty.”

Challenge Ten: The new revenue recognition accounting standard

In May 2014, the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) issued a new converged standard (ASU No. 2014-09, Revenue from Contracts with Customers (Topic 606)) on the recognition of revenue from contracts with customers. For public companies, the new standard will take effect for annual periods beginning after December 15, 2016 – which means fiscal year 2017 for calendar-year companies – including interim periods within that fiscal year. Early adoption is not permitted. Companies will be given the alternative of full retrospective adoption, which will require a recasting of comparative periods presented in the financial statements back to the beginning of fiscal 2015 for calendar-year registrants, or a modified retrospective adoption that generally will require adoption of the standard prospectively on the effective date in 2017.
While this may seem like a significant amount of lead time, the new, principles-based standard represents a substantial departure from the current, rules-based revenue recognition requirements, which vary depending upon the particular industry or transaction. There have been strong hints from SEC Chief Accountant James Schnurr, and requests from public companies and others, that the effective date be delayed as the FASB staff resolves an increasing number of difficult implementation questions. However, companies should not defer preparatory action until the FASB responds in early 2015 because, absent a delay, the new standard would apply to contracts entered into beginning with the first fiscal quarter of 2015 (for calendar-year registrants), should the company choose retrospective adoption. In this connection, the SEC accounting staff has indicated that companies opting for the retrospective method will be permitted to provide three years, rather than five years, of recast selected financial data in the body of their Form 10-Ks. The core principle of the new revenue recognition standard is that an entity “should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” In addition to the substantive requirements, the new standard updates the footnote disclosure requirements for revenue recognition. Under the existing standard, revenue recognition is primarily discussed in the accounting policy footnote (or footnotes). 
Under the new standard, disclosure will be required that provides “sufficient information to enable users of financial statements to understand the nature, amount, timing, and uncertainty of revenue and cash flows arising from contracts with customers.” During the December 2014 AICPA conference, the SEC accounting staff made clear that companies will have to disclose significant judgments describing the methods used to recognize performance obligations over time, as well as the assumptions used to determine and allocate the transaction price. “Companies that are not used to making management estimates and providing the supplemental information in [financial statement footnote] disclosures will need to evaluate systems, processes, and controls to support the application of the new standard.”55

Notwithstanding all the attention being paid to the new standard, the SEC and PCAOB continue to emphasize the importance of compliance with existing GAAP. At the December 2014 AICPA conference, a senior SEC accountant discussed the Staff’s views on how FASB’s current gross vs. net accounting guidance, which extrapolates from a prior era’s prevalent bricks-and-mortar corporate business model, should be applied by companies with emerging, internet-based business models.56 Preparers of corporate financial statements also should be aware of PCAOB Staff Audit Practice Alert No. 12, Matters Related to Auditing Revenue in an Audit of Financial Statements (Sept. 9, 2014) (PCAOB Alert 12),57 which outlines recurring, and “frequently significant,” areas of audit deficiency involving revenue recognition that have been observed by PCAOB staff inspectors. Here, the PCAOB staff suggests that, “[d]ue to the significance of revenues to many companies’ financial and operating results[,] … [a]udit committees might wish to discuss with their auditors their approach to auditing revenue, including the matters addressed in this alert.”

What To Do Now:

• Management should discuss with the company’s audit committee, internal auditors and outside auditors the decision whether to adopt the retrospective method. It will be important, in this regard, to analyze and prepare educational materials to familiarize the board with the anticipated impact of adoption on the key line-items in the company’s financial statements, as well as any affected licenses, debt covenants and/or executive compensation arrangements. To this end, management should get a head start on reviewing existing and new contracts with customers to determine how the new standard will impact revenue recognition and the company’s results of operations.

• Consider changes to ICFR and IT systems that may be needed in order to implement and comply with the new standard as of the effective date. Management should be careful to consider whether any such changes already made must be disclosed for the fourth quarter of 2014 (e.g., in annual reports of calendar-year registrants or quarterly reports of others), and/or in each quarterly or annual report for subsequent fiscal periods.

• Consider the tax implications of earlier (or later) recognition of revenue under the new standard once it becomes effective; for example, accelerated revenue recognition may affect the timing of tax recognition.

• Determine whether disclosure of the potential impact of the recently adopted revenue recognition standard will be required in the upcoming Form 10-K pursuant to SEC Staff Accounting Bulletin No. 74. Although companies may have limited information as of the end of fiscal 2014 upon which to base this disclosure decision, regulators will expect such disclosure to appear in periodic reports and to evolve as progress is made toward implementation.

Challenge Eleven: The new COSO framework for evaluating ICFR

Companies are grappling with the passage of the December 15, 2014 deadline for transition to a new internal control framework released by COSO in May 2013 (“2013 COSO Framework”). COSO indicated that, after this deadline passed, it would no longer support the 1992 COSO Framework, which the SEC has deemed a “suitable, recognized” framework for management’s ICFR evaluation since 2003.58 Observers indicate that the changes reflected in the updated framework are “evolutionary” rather than “revolutionary” in nature, with the primary difference between the two frameworks being an explicit requirement for management to document adherence to 17 principles in order to assert ICFR effectiveness. These principles (accompanied by 87 “points of focus” offered for guidance purposes) fall within the five original core components of the 1992 version: Control Environment; Risk Assessment; Control Activities; Information and Communication; and Monitoring Activities.59

The SEC Staff has been monitoring the issuer transition process for some time, warning in the Fall of 2013 that “the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a suitable, recognized framework (particularly after December 15, 2014).”60 In the meantime, the PCAOB has heard concerns from some companies that “audit firms may take a checklist approach to the [ICFR] audit to map controls to the principles articulated in the 2013 COSO Framework ….[, along with] speculation that firms are taking such an approach because they are worried that PCAOB inspectors will inspect against the points in the 2013 COSO Framework.”61 PCAOB Board Member Jeannette Franzel observed, in this regard, that “a checklist approach to the 2013 COSO Framework would result not only in a missed opportunity to take a fresh look at management’s and the auditor’s approaches to evaluating and auditing internal control, but also … increase the likelihood of missing new and evolving risks in financial reporting and the related auditing.”62

Commentators have predicted that “COSO implementation [for fiscal 2014] is likely to be mixed, with some companies adopting the 2013 framework and others continuing to rely on the guidelines issued in 1992.”63 Fortunately for companies in the latter camp, senior SEC Staff accountants from both the Office of the Chief Accountant and the Division of Corporation Finance appear to be taking a more flexible approach, reportedly stating in early December 2014 at the AICPA conference that they “would not object to [a company’s] using the old framework for fiscal year-ending 2014,” provided that full disclosure, presumably in management’s ICFR report, is made of which version of the COSO framework was used.64 While a Division of Corporation Finance Staff member also stated that “there is no specific date when or if the SEC will require a switch to the updated COSO framework[,]” he noted that companies should be mindful that they may be asked next year why they are relying upon an outdated control framework that is no longer supported by COSO.65

What To Do Now:

• Management and the audit committees of calendar-year registrants should discuss the nature, scope and timing of the proposed transition plan. Contemporaneous documentation of progress made will be helpful in responding to any questions the SEC Division of Corporation Finance might pose in the event the company’s fiscal 2014 Form 10-K is selected for review in 2015, particularly if management’s ICFR report does not indicate clearly which version of the COSO Framework management used to evaluate ICFR.

• Regardless of which version of the COSO Framework is applied in evaluating ICFR for fiscal 2014 year-end, management should keep in mind (in addition to disclosing which version was used) the importance of the “could” factor in an ICFR assessment, and take a holistic approach to identifying, evaluating and describing control deficiencies. Given the repeated criticisms leveled in PCAOB staff inspection reports and Staff Audit Practice Alert No. 11,66 registered public accounting firms are expected to exercise heightened skepticism with respect to corporate clients’ ICFR as part of the integrated audit of fiscal 2014 financial statements and ICFR. The strong message delivered in this Practice Alert was reinforced in 2014 by the PCAOB staff inspection process and, most recently, by the remarks made by members of the PCAOB staff and COSO Board Member Chuck Landes during the December 2014 AICPA conference.67

Conclusion

Companies should “go back to basics” in preparing their 2014 financial statements, MD&A and Risk Factors, recognizing that their outside auditors have more incentive than ever to push for contemporaneous documentation of the difficult management estimates, assumptions and judgments demanded by GAAP as reflected in those financial statements. The consistent message from the SEC, the FASB and the PCAOB Staff to their respective constituencies – preparers and auditors of financial statements – has been to focus on providing the financial disclosures investors need for informed investment decision making. Put another way, companies should make careful materiality judgments, document their conclusions and be prepared for Staff requests for supplemental production of any supporting memoranda prepared pursuant to SEC Staff Accounting Bulletin No. 99 in the event their Form 10-K is selected for review. Audit committees should demand and receive the information they need from both management and the outside auditor to fulfill their important gatekeeper responsibility to oversee the quality and integrity of corporate financial reporting.