April 2003
Sarbanes-Oxley’s Effects on Internal Controls for Revenue
By Gerald D. Bloch
The Sarbanes-Oxley Act of 2002 addresses perceived weaknesses in internal controls, the systems a public company employs to collect, process, and disclose financial information to satisfy its statutory reporting requirements. Recent corporate and accounting frauds have demonstrated the inadequacy of internal controls with regard to revenue recognition. The Act also contains requirements aimed at ensuring proper revenue recognition.
Internal Control Provisions
New auditing requirement for internal controls. Auditors must “test” the scope of a company’s internal control procedures and present their findings in their annual audit report. The audit report must include an evaluation of whether the internal controls provide both a system of maintaining records that fairly and accurately reflect the company’s transactions, and a reasonable assurance that transactions are recorded in accordance with the preparation of GAAP financial statements. The audit report must also contain a description of any material weaknesses in the internal controls and any material noncompliance.
Officer certification of internal controls. The Act requires the CEO and CFO to certify, in each annual and quarterly report issued by the company, as to a number of subjects, including internal controls. They must certify that they are responsible for establishing and maintaining internal controls; have designed the internal controls to enable them to obtain all material financial information; have evaluated the effectiveness of the internal controls; and have presented their conclusions about the effectiveness of the internal controls in the report.
The CEO and CFO must also certify that they have disclosed to the company’s auditors and the audit committee of the board of directors all significant deficiencies in the internal controls that could adversely affect the company’s ability to maintain and report financial data, and have identified for the auditors any material weaknesses in internal controls. They must also disclose any fraud, whether material or not, that involves management or other employees who have a significant role in the company’s internal controls.
The certification must also state that the CEO and CFO have indicated in the report any significant changes in internal controls or changes in other factors affecting them after the date they were evaluated, including any corrective actions taken to remedy deficiencies and weaknesses.
Annual report’s internal control report. A company’s annual report must contain an “internal control report.” This report must state management’s responsibility for establishing and maintaining adequate internal controls for financial reporting, and assess the effectiveness of the internal controls. Each registered public accounting firm that issues an audit report must attest to the management’s assessment included in the internal control report. The attestation cannot be the subject of a separate engagement.
Internal Control Systems
The internal controls described below are necessary to properly account for revenues under GAAP. These controls are aimed at ensuring compliance with revenue recognition guidelines, which have been the source of many recent corporate scandals.
Appropriate business model. The GAAP revenue recognition rules generally vary by industry. Management must analyze the kinds of transactions the company engages in under the rules applicable to its industry in order to determine the revenue recognition guidance that may apply. It should then develop a business model to orient the company toward the most desirable types of transactions, depending on overall company objectives (e.g., cash flow, profit margins, demands of the marketplace, revenue goals). Because those objectives will likely conflict, management will have to make tough choices.
Policies and procedures. Written policies and procedures are the backbone of a company’s compliance with GAAP revenue recognition rules. They should include the following:
Organizational structure. Auditors should focus on a company’s organizational structure to determine if any weaknesses exist. In AICPA Practice Alert 98-3, auditors are instructed to give “special consideration” to a “lack of involvement by the accounting/finance department.” The accounting or finance department must have primary responsibility for reviewing and analyzing transactions before they are booked, to ensure compliance with the company’s revenue recognition policies and procedures.
There are a number of steps to achieve this objective:
Revenue recognition committee. A revenue recognition committee should serve as the company’s primary internal control. It should ensure that revenue recognition policies and procedures are accepted on a company-wide basis. Its duties would include the following:
The revenue recognition committee should be chaired by the CFO and include a member of the audit committee of the board of directors, legal counsel responsible for sales and service documents, contracts management personnel, accounting department personnel responsible for revenue recognition issues, and a vice president or manager of sales and other personnel involved in tracking and reporting sales.
Contracts management. The contracts management function must be independent of the sales operation. It should be part of the accounting/finance department and held responsible for generating all sales contracts on approved company forms, ensuring that all required signatures are obtained, and maintaining files of all sales transactions. The files must include all documents related to revenue recognition. The contracts manager should apply the revenue recognition rules, policies, and procedures to every transaction and prepare a “deal sheet” for each transaction that provides a basic analysis of its impact on revenue recognition. The deal sheets should be distributed to all revenue recognition committee members in preparation for their meetings. As the custodian of all revenue-related documents, the contracts manager would serve as the company’s primary liaison with the auditors on all revenue issues.
Legal counsel. Legal counsel knowledgeable about the company’s business and possessing revenue recognition experience should generate contract forms that support the most favorable revenue recognition positions that the company could take; support the contracts manager in reviewing, structuring, documenting, and negotiating transactions; assist in preparing and ensuring compliance with the revenue recognition policies and procedures; and act as the CFO’s troubleshooter in spotting and resolving contract, transactional, and revenue recognition issues.
Credit and underwriting. Credit standards, customer credit checks, and other underwriting policies and procedures must be established and consistently applied. The credit department should prepare a “credit memo” detailing the underwriting analysis for each customer, to be transmitted to the contracts manager and filed with the related transactional documents.
Pricing issues. In transactions defined by the revenue recognition rules as “multiple element arrangements,” historical pricing information must be collected for the purpose of establishing vendor specific objective evidence (VSOE). When more than one item is sold in a transaction, the rules use VSOE to determine the fair value of each item. This requires the following:
Pricing decisions must be a collaborative effort that involves the revenue recognition committee. Pricing changes must not impair VSOE, and must be added to the pricing database. The sales department must understand the role of VSOE in all pricing strategies. The contracts manager must match the prices charged in each transaction to the current price lists. Such consistency will support the VSOE established for each product and service. Rationales must be developed for any inconsistencies and should be included in the deal sheets the contract administrator maintains for each transaction.
Software. The right software is a necessary component of the internal controls. A general order and billing software solution should be able to maintain the pricing databases described above and determine revenues to be recognized from specific transactions.
Well-functioning and effective internal controls are obviously necessary to comply with the Act. The benefits go well beyond legal compliance. Good control systems will reduce the risk of officer and director liability, maximize a company’s credibility with its auditors, and lower auditing costs.
Editor:
Robert H. Colson, PhD, CPA
The CPA Journal