Cybersecurity risk – the CPA profession’s response — AICPA develops Cybersecurity Risk Framework

In the olden days crooks had to break into a business to rob it…not anymore. Cyberattacks are spreading. A cyberattack is an attempt to damage or destroy a computer network or system, or to misappropriate the information it holds. Companies are under increasing pressure to protect the assets and the confidential information they possess. Historically, a company’s internal controls were the procedures to prevent, detect and correct errors – and also to reduce the risk that assets would be misappropriated. Management is now under pressure to demonstrate to owners and customers that it is effectively managing cybersecurity threats and that it has effective controls and procedures in place to detect, mitigate, respond to and recover from them.

To address this need, the AICPA has developed a “cybersecurity risk management reporting framework” (the Framework) that assists management in developing an effective control process.


The Framework provides senior management, boards of directors and other interested parties with useful information for decision-making about an organization’s cybersecurity risk management program. And it provides organizations with a context for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence.

What types of issues does the Framework address?

  • Communication procedures
  • Processes and programs to evaluate the program’s effectiveness
  • Policies, processes, and controls to detect, respond to, mitigate, and recover in the event of a cybersecurity breach
  • Communication
  • Responses to breaches at relevant vendors and business partners
  • Cyber event simulation
  • Mitigation and risk transfer options (including cyber insurance coverage)
  • Staffing and access to internal and external skills

The Framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of the organization’s efforts.

CPAs and management can use the cybersecurity criteria as a benchmark when evaluating the entity’s cybersecurity risk management program. CPAs can use the Framework in advisory engagements to help their clients strengthen their programs. Ultimately, the CPA can offer a cybersecurity risk management examination engagement and provide an opinion on the entity’s description of its program and on the effectiveness of its controls.

CPAs can use the cybersecurity framework to provide attestation services by performing an examination of management’s program or as non-attest consulting services where they give information and recommendations to management.

CPAs will consider the description criteria from the perspective of categories that include the following:

  1. Nature of Business and Operations. Disclosures about the nature of the entity’s business and operations.
  2. Nature of Information at Risk. Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses, and stores that is susceptible to cybersecurity risk.
  3. Cybersecurity Risk Management Program Objectives (Cybersecurity Objectives). Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, integrity of data, and integrity of processing and the process for establishing, maintaining, and approving them.

Use of the Framework

The framework may prove to be a valuable resource for CPA firms to enhance their own cybersecurity risk management programs and to provide professional services to clients – both consulting services and attestation services.

Enhancing the CPA firm’s programs

Prior to providing professional services to clients, CPA firms may find the Framework suitable for strengthening and enhancing their own cybersecurity risk management programs. CPA firms are frequent targets of cyberattacks because of the sensitive client data they process – such as Social Security numbers, birth dates and banking information.

Consulting services

Perhaps the first engagements CPAs will provide their clients are consulting engagements, in which the practitioner gives recommendations and assistance to clients in strengthening their cybersecurity risk management programs. Companies may turn to their CPA firms for assistance – and CPAs may be in a good position to suggest a consulting engagement while performing other professional services for their clients. As with other non-attest consulting services, however, CPAs may need to consider threats to independence, if applicable. CPA firms also need to be sure that they have sufficient qualified personnel to perform the services, that they carefully communicate the scope of the proposed services, and that they reach an understanding with the client on the services they agree to deliver.

Examination of management’s cybersecurity program

Should the entity engage the CPA practitioner to examine its assertion about its cybersecurity program, the presentation will have three components:

The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program. Management’s description is intended to provide users with information that will help them better understand the entity’s cybersecurity risk management program.

The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

The third component is a practitioner’s report, which contains an opinion. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

What’s next?

Cybersecurity threats, and management’s response to those threats, may be relatively new. But this is a growing concern that will not disappear. The CPA profession has developed tools and techniques that CPAs may use in their own practices and to provide professional services to clients. This article provided a very brief overview of the new AICPA framework and how CPAs can become involved. If you are interested in a deeper dive, more resources can be found on the AICPA’s website, “SOC for Cybersecurity: Information for CPAs”.

Andrew M. Mintzer, CPA is a forensic accountant with the Los Angeles office of Hemming Morse, LLP. He is a past chair of the California Society of Certified Public Accountants.

This article discusses professional services in general – I have not considered any specific situations. The application of standards to a particular situation depends on the specific facts and circumstances and on analysis of the applicable standards. Therefore this article is educational in nature and does not represent professional accounting advice or services.

GAAP Matters – When the Going “Concern” Gets Tough…

Andy Mintzer, CPA

Going Concern

According to the Financial Accounting Standards Board (FASB), under generally accepted accounting principles (GAAP), continuation of a reporting entity as a going concern is presumed as the basis for preparing financial statements unless and until the entity’s liquidation becomes imminent. This is often referred to as the “going concern assumption”.

Why is the “going concern assumption” important?

If and when an entity’s liquidation becomes imminent, financial statements should be prepared under the liquidation basis of accounting. Finding a financial statement prepared under the liquidation basis of accounting has been said to be about as rare as a unicorn sighting. Nevertheless, there is often news surrounding the “going concern” issues of a particular company. This article will touch on some of the background and overarching concepts necessary to understand this important area.


Financial statements prepared using the liquidation basis of accounting present relevant information about an entity’s expected resources in liquidation by measuring and presenting assets at the amount of the expected cash proceeds from liquidation. The entity should include in its presentation of assets any items it had not previously recognized under U.S. GAAP but that it expects either to sell in liquidation or to use in settling liabilities (for example, trademarks).

Are disclosures about the entity’s ability to continue as a going concern important even if liquidation accounting is not used?

Yes!

There is generally a wide range of potential financial statement disclosures that are expected before an entity is required to adopt the liquidation basis of accounting – and it is these disclosures (or their absence) that financial statement readers should be on alert for.

For example:

There is substantial doubt about the entity’s ability to continue as a going concern but liquidation is not imminent.

Even if an entity’s liquidation is not imminent, there may be conditions or events that nevertheless raise substantial doubt about the entity’s ability to continue as a going concern. In those situations, financial statements should continue to be prepared under the going concern basis of accounting, but relevant conditions and events should be disclosed and described.

“We’ve got it covered”

And in fact, if conditions or events raise substantial doubt about an entity’s ability to continue as a going concern, but the substantial doubt is alleviated as a result of consideration of management’s plans, the entity should nevertheless disclose information that enables users of the financial statements to understand (1) the principal conditions or events that raised substantial doubt, (2) management’s evaluation of the significance of those conditions or events in relation to the entity’s ability to meet its obligations, and (3) management’s plans that alleviated substantial doubt about the entity’s ability to continue as a going concern.

It is often misunderstood that the going concern assumption deals with the entity’s ability to “continue as a going concern” – not merely to continue in business. I have heard claims that if the company can expect to keep the lights on it can avoid the disclosures about substantial doubt.

Not so.

According to the FASB, ordinarily, conditions or events that raise substantial doubt about an entity’s ability to continue as a going concern relate to the entity’s ability to meet its obligations as they become due.  Management’s evaluation shall be based on relevant conditions and events that are known and reasonably knowable at the date that the financial statements are issued.

Management shall evaluate whether relevant conditions and events, considered in the aggregate, indicate that it is probable that the entity will be unable to meet its obligations as they become due within one year after the date that the financial statements are issued. The evaluation initially shall not take into consideration the potential mitigating effect of management’s plans that have not been fully implemented as of the date that the financial statements are issued (for example, plans to raise capital, borrow money, restructure debt, or dispose of an asset that have been approved but not yet fully implemented as of that date). In other words, if mitigating actions are underway but not fully implemented, the initial evaluation cannot take them into account under the FASB guidance.

Going Concern Disclosures – a brief history

Prior to the FASB’s issuance of ASU 2014-15 in 2014, there was no guidance in authoritative “FASB GAAP” about management’s responsibility to evaluate whether there is substantial doubt about an entity’s ability to continue as a going concern or to provide related footnote disclosures.

But if you recall hearing about going concern issues before 2014, your memory is not failing you. U.S. auditing standards and federal securities law require that an auditor evaluate whether there is substantial doubt about an entity’s ability to continue as a going concern for a “reasonable period of time”. Thus, the source of what financial statement preparers considered “generally accepted” had its origin in the auditing standards. As a side note, this was also true for the financial statement concept of subsequent events – this accounting concept appeared in authoritative auditing literature before the FASB adopted a standard. I was a member of the AICPA’s Accounting Standards Executive Committee from 2001 through 2005 – during that time we considered a project to issue Statements of Position to codify in authoritative GAAP some of these accounting concepts that resided in the auditing standards – that is, to move the concepts to the accounting literature. Before we could undertake this project, however, the FASB indicated that it would be picking up the project…which it ultimately did.

So back to the auditing standards…under these auditing standards a “reasonable period of time” was defined as a period not to exceed one year beyond the date of the financial statements being audited. So if the entity’s fiscal year is a calendar year, the going concern evaluation period ran through the following December 31. This meant that the length of the period the entity evaluated varied with the date the financial statements were issued. For example, calendar year-end financial statements issued in March had an evaluation period lasting about nine months – but financial statements issued in July only required an evaluation period for the remainder of the year, or about five months.

One of the ways the recent FASB authoritative GAAP standard changed the going concern evaluation is by redefining the time horizon. No longer is the time horizon limited to one year after the date of the financial statements – the new requirement is to consider whether facts and circumstances raise substantial doubt about the entity’s ability to continue as a going concern within one year after the date that the financial statements are issued. Thus, a calendar-year financial statement issued in June, for example, which prior to this new standard only needed to consider the horizon through the next December 31, will now need to consider whether there are facts and circumstances that raise substantial doubt through the next twelve months. Many years ago I was involved in a matter where the entity’s financial statements were not issued until ten months after its year-end – thus the going concern evaluation period was comparatively short. Had this new GAAP standard been in effect, the going concern evaluation period would have extended an additional ten months past the next calendar year-end.

For readers of financial statements prepared in accordance with International Financial Reporting Standards (IFRS), the evaluation under those standards is described as follows: “In assessing whether the going concern assumption is appropriate, management takes into account all available information about the future, which is at least, but is not limited to, twelve months from the end of the reporting period.”

U.S. auditing standards also require an auditor to consider the possible financial statement effects, including footnote disclosures, of uncertainties about an entity’s ability to continue as a going concern for a reasonable period of time, and possibly to modify the auditor’s report. The U.S. Securities and Exchange Commission (SEC) also has guidance on the disclosures it expects from an entity when an auditor’s report includes an explanatory paragraph reflecting substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time. Auditing standards have evolved somewhat now that financial reporting frameworks such as U.S. GAAP contain authoritative accounting guidance – as a result, auditing standards now look to the applicable financial reporting framework’s guidance on going concern. Auditing standards still require the auditor to evaluate going concern considerations even if the financial statements are prepared under a special purpose financial reporting framework that has no explicit going concern disclosure guidance.

Disclosures (and sometimes the lack of disclosures) about issues that raise or respond to doubt about an entity’s ability to continue as a going concern are often significant, with important implications for the evaluation of the entity’s financial condition. This article touched on just some of the background as an introduction to understanding this topic.


This article discusses GAAP and professional standards in general – I have not considered any specific situations. The application of GAAP to a particular situation depends on the specific facts and circumstances and on analysis of the applicable accounting standards. Therefore this article is educational in nature and does not represent professional accounting advice or services.

GAAP Matters – will debt classification change…will AICPA independence rules change?

Groups oppose the change proposed by the FASB, and…

New Lease GAAP accounting prompts a change in the AICPA’s auditor independence standard

Both the Private Company Council (PCC) and the Investor Advisory Committee (IAC) have recommended that the FASB reconsider and change its decision on a proposed GAAP standard dealing with debt classification (ASC Topic 470).


The FASB has proposed and considered a change to GAAP that would affect the classification of debt – specifically, when debt can be classified as a non-current liability. Classification as current versus non-current affects some key financial statement measures, such as working capital.

Generally, classification of debt as “long-term” is not available to instruments which will mature and become due within one year of the balance sheet date.  Under the proposal, debt “should” be classified as long-term (i.e. noncurrent) if “The entity has a contractual right to defer settlement of the liability for at least one year (or operating cycle, if longer) after the balance sheet date. If, before the balance sheet date, an arrangement is in place with a third party (for example, a line of credit) that would result in the entity avoiding the transfer of current assets within 12 months from the balance sheet date, the debt should be classified as noncurrent because the entity has a contractual right to defer settlement.”

The PCC requested that the FASB reconsider its prior decision to allow companies to classify debts due within 12 months as long-term debt if the company has unused long-term financing arrangements at the balance sheet date.  The PCC stated that the FASB decision to consider unused long-term financing arrangements adds complexity and is therefore not in line with its intent to simplify balance sheet classification of debt.

The IAC recommended that the Board change its tentative decision to reclassify current debt as a non-current liability based solely on unused long-term financing arrangements, such as a line of credit. Both groups consider the analysis of whether the entity can use the line of credit to effectively extend the repayment of the debt to be somewhat complex, as it could require assessing the likelihood that the line of credit will not be needed for other liquidity needs, along with an assessment of the terms and conditions of the credit line.

We have here an example where both the PCC and the IAC, despite their differing stakeholders and perspectives, have provided similar feedback to the FASB. According to the FASB website, the PCC is the primary advisory body to the FASB on private company matters. The PCC uses the Private Company Decision-Making Framework to advise the FASB on the appropriate accounting treatment for private companies for items under active consideration on the FASB’s technical agenda. According to the FASB’s website, the IAC is a standing committee that is expected to work closely with the FASB in an advisory capacity to ensure that investor perspectives are effectively communicated to the FASB on a timely basis in connection with the development of financial accounting and reporting standards.

And speaking of debt…AICPA Code of Conduct interpretation change is on the horizon for CPAs who have lease arrangements with clients

At its upcoming meeting the AICPA’s Professional Ethics Executive Committee (PEEC) will consider adopting a change to the independence interpretation that affects CPAs who have lease arrangements with their clients. This proposed revision was originally considered and exposed for comment by PEEC while I was a member of the PEEC.

The existing “Leases” independence interpretation provides that a lease between the CPA and an attest client does not impair independence if the lease is an operating lease, the lease terms are comparable with leases of a similar nature, and all amounts are paid in accordance with the lease terms and provisions. The existing interpretation also provides that a capital lease impairs independence because it is considered to be a prohibited loan with the attest client.

The FASB has since adopted authoritative GAAP, codified in ASC 842, Leases, that when effective will significantly change the operating versus capital lease classification on which the interpretation relies. Calendar year-end public business entities will adopt the new leases standard on January 1, 2019. Thus, PEEC determined it needed to consider how that GAAP change affects the Code of Professional Conduct.

The proposed revision to the Code of Conduct replaces the extant GAAP categorization approach with a conceptual framework approach, allowing for the consideration of factors that PEEC believes truly affect the CPA’s objectivity and professional skepticism. PEEC has stated that it does not believe that objectivity and professional skepticism are affected by whether a lease is an operating lease or a capital lease, per se, but believes that other factors related to the lease and the relationship should be considered in arriving at a conclusion on independence.

While the GAAP lease categorization requirement has been proposed for elimination from the revised interpretation, the other requirements remain in the proposed revised interpretation as minimum safeguards. Once these minimum safeguards are met (where applicable), the CPA is required to use a threats and safeguards approach, evaluating any other threats identified and applying safeguards when necessary.

PEEC is set to take up the final adoption of its proposal in the summer of 2018…I will follow its progress and provide additional analysis as information becomes available.