COMMENTARY--As the months go by since the initial signing into law of the Sarbanes-Oxley (SOx) Act, the terms “compliance” and “corporate governance” have taken on a definite connotation of urgency. Most private companies in America are largely untouched by a legal obligation to comply with SOx, but find themselves deliberately choosing public company practices, stopping short of filing and reporting with the SEC.
Public companies, however, are primarily heads-down in intense activity as they set about examining and re-engineering internal controls, achieving new standards of Best Practices. The aim isn’t just to reach compliance with SOx, but also to recover from the body blow that struck our corporate sectors when the full Enron story was revealed and inaugurated a dismal series of high-profile corporate accounting scandals, one after another.
Revenue recognition issues are found at the heart of both these and more recent Hollywood-like tales of intrigue, fraud and deception. But so too are they found at the heart of dozens of financial restatements that are generated not by unethical or illegal behavior, but by error, confusion, and a lack of appropriate internal controls and systems to manage the complexities of the current economy. By far the hardest hit and the easiest to identify are companies in the technology sectors, because by the very nature of their business, they use multi-element contracts, for which revenue recognition is a challenging and exacting process. Typically, accounting and revenue recognition needs differ from component to component of a contract – e.g., how services revenue, versus license revenue, versus maintenance revenue, are booked and allocated all differ according to the regulations in place from FASB and the SEC. But no matter what the industry, revenue recognition will never be a small operational factor: revenue recognition practices have the intrinsic ability to make or break a company’s health and future, because they are an essential element of a corporation’s financial foundation.
Sarbanes-Oxley is unique both in its comprehensive nature, and in the potential it holds for requiring wholesale revision of a company’s financial practices. Approaching the rigorous task of applying Best Practices to internal controls is characterized by the context in which the work must be done. Most companies find they have roughly a year to “get up to speed”; for others, a shorter timeframe demands an even more accelerated, but no less thorough, approach to meeting the most important deadlines and requirements.
Section 404 of Sarbanes-Oxley, “Documenting and Evaluating Controls over Financial Reporting”, is a key area of SOx not just for technology companies struggling with proper revenue recognition, but for all public companies preparing for future, correct filings.
It’s proposed (by the SEC) to be effective for those organizations whose fiscal year ends on or after September 15, 2003. In the world of corporate finance, that’s not so far away, and many entities already have a timeline in place with major milestones that will guide their efforts towards full achievement of Section 404, in time for their own fiscal year filing. But many companies don’t, and it’s time they organized and got on the bandwagon. They need a project plan, detailed work scope and target dates. They need to be fully utilizing all resources available to them to meet the task at hand.
Section 404-like compliance is, however, of great importance to private companies as well. Because the majority of today’s savvy private companies like to position themselves not just for growth, but also for potential mergers and acquisitions, or a future IPO, it is critical that they be able to manage and certify their financials with clear, documented and auditable controls. And proper revenue recognition practices are the single most important factor in enabling accurate delivery of the valuation of a company. How many once high-flying companies do we know of, anecdotally or otherwise, who from the outside looked very strong, but found their purchase price eroding at the last stages of acquisition negotiation, because their past revenue recognition practices were inaccurate and unreliable? Correct revenue recognition is one of the key variables in M&A transactions.
Revenue recognition and SOx compliance center around Section 404. The main components are:
• Requirement to document and evaluate internal controls’ and procedures’ effectiveness for financial reporting
• Requirement for an external auditor to attest to management’s assertions in an annual report
• Effective for a fiscal year that ends on or after September 15, 2003 (currently proposed by the SEC)
Cornerstone to any effort to implement changes that bring a company confidence that it meets 404 standards is the challenge: How do we ensure that our financial data has integrity? With spreadsheet systems and manual entry still figuring large in many corporate financial processes, the risk of compromise to data integrity is high. A starting point might be to examine what processes actually exist within the financial controls area of the operation, and map out where the weak links are—both as they relate to manual entry (error-prone), and inefficiency or inability in reporting and visibility. Can the key processes be clearly identified? Are there safeguards in place that eliminate or minimize risk for those key processes? Does the data have a clear audit trail from transaction to transaction, and record to record?
For those public companies with deadlines approaching, the Audit Committee’s interaction with the external Auditor is instrumental to achieving financial controls that accurately manage, report and predict revenue while complying with SOx Section 404. Advocates for proactive management of the ramp-up to compliance are needed in both parties. Each plays an important role not just in enabling appropriate change, but in eliminating risk, and in effecting modifications that will bring about not simply the satisfaction of a short-term requirement, but a fundamental sea change in the way Corporate America does business. These two groups should be challenging each other with examinations of:
• How to identify, scope and create a project plan
• When to target specific milestones and dates
• How to measure effectiveness and confidence in the parties involved
• Defining expectations for compliance
• Creating a “top worst” list: most problematic things that could happen with our system; top worst things to be looking for
• The best way to create a backup plan for different levels of problems that interrupt the steady progress towards full 404 compliance
Revenue recognition and financial controls for private companies can stop short of the actual filing process, but thinking ahead to bigger revenues, larger company size, and future organizational structure, these companies would be prudent to apply much of what this methodology contains to their own present-day operations. Corporate governance is here to stay, and revenue recognition and financial controls are at the core of the issue. Managing them properly will go a long way towards putting “peace of mind” and “Sarbanes-Oxley” in the same sentence.
What could go wrong? Example: Deferred revenue
Examples like the ones below illustrate the vital nature of carefully identifying each risk and control pair for your company’s internal control systems.
How does deferred revenue become properly allocated?
When does deferred revenue get checked against revenue recognition guidelines?
What mechanism ensures deferred revenue is reported in the proper period?
How is deferred revenue identified as being separate from other types of revenue?
What controls are in place to separate billed and unbilled revenue?
How are various deferred and un-deferred revenue sources consolidated?
What audit trails are available to review changes in deferred revenue?
What can guard against manual calculation or data handling errors?
How are changes to deferred revenue schedules handled?
biography
Mr. Robert O’Connor is President and Chief Executive Officer of Softrax. With over 17 years in the executive management of software companies, he has proven expertise in technology leadership. Softrax is a leading enterprise software company providing revenue management solutions that fundamentally change the way technology companies manage, analyze, and predict their revenue streams. Headquartered in Canton, MA, Softrax Corporation is privately held. Further information is available at www.softrax.com or 1.888. 4 SOFTRAX.




