Top Risks and Considerations for Your SOX Process · Example #1 Controls over contract identification...

The contents of this presentation are confidential. Copyright © 2017 Workiva.

Top Risks and Considerations for Your SOX Process

Joe Howell, Workiva
Jeremy Sucharski, Armanino
Greg Wilson, former PCAOB

September 2017


Speakers

Greg Wilson, CPA: Retired EY audit partner, former Deputy Director of PCAOB Inspections Division

Joe Howell: Cofounder and Executive Vice President, Workiva

Jeremy Sucharski: Partner, Armanino LLP


Agenda

•  What new risk?

•  Nature and significance

•  Recommendations

•  Questions


What New Risk?

•  ASC 606–revenue recognition

•  Critical role of SOX and audit teams

•  Failure to engage SOX and audit teams early


Background

•  Extremely complex and significant new requirements

•  Most companies behind on implementation

•  Many underestimate potential impact

•  Most SOX and audit teams are not yet engaged


Polling Question #1

Our SOX and audit teams have been actively engaged in the implementation of ASC 606.

a)  Strongly agree

b)  Somewhat agree

c)  Neither agree nor disagree (or don’t know)

d)  Somewhat disagree

e)  Strongly disagree


Recent Survey*


Interviews with 100 public companies:

Confident have enough time: 70%

Undecided on transition method: 65%

Consider it a high priority: 36%

Started design and test of controls: 10%

* Compliance Week/Workiva, April 2017


Critical Role of SOX and Audit

•  SEC Chief Accountant: function of ICFR

•  SEC comment letters: focus on policy and procedure

•  Change stresses system: deficiency/weakness

•  Implementation and understanding: WIP


SEC View on ICFR

“Management’s ability to successfully transition to the new standard will depend, to a large degree, on the effective design and operation of internal control over financial reporting (ICFR).”

– James Schnurr, SEC Chief Accountant, March 22, 2016


SEC Early Comment Letter

“You state that you are in the process of evaluating the impact that the amended revenue recognition guidance in Topic 606.”

– Unpublished SEC comment letter related to 2016 10-K


Focus on Policy and Process

“Please revise to … include a description of the effects of the accounting policies that you expect to apply, if determined, and a comparison to your current revenue recognition policies.”

– Unpublished SEC comment letter related to 2016 10-K


Impact on SOX and Audit Teams

•  Even if numbers don’t change, processes must

•  New disclosure and ICFR requirements

•  High risk of missing something important

•  Little time left to consider, update, and test controls

•  High risk of last-minute changes


Bottom Line

•  Disclosure control vs. ICFR

•  Significant deficiency

•  Material weakness


Polling Question #2

My company has begun to revise our accounting policies and controls related to ASC 606.

a)  Strongly agree

b)  Somewhat agree

c)  Neither agree nor disagree (or don’t know)

d)  Somewhat disagree

e)  Strongly disagree


Responsibilities

Accounting team | Operating teams | SOX & audit teams
Gather and analyze | Provide information | Assess and document risks
Conclude and document | Implement change | Design and document controls
Assure compliance | Execute and comply | Design and execute tests
Report | Report | Evaluate and report


Must be sustainable


Areas and Nature of Risk

Area of risk | Nature of risk
Policies and procedures | Complexity → Last minute change
Risk assessment and controls | Last minute change → Important miss
Systems: IPE, ITGC | Important miss → Manual override
Audit programs and evidence | Manual override → Delayed start
Change management | Delayed start → Omission and inconsistency


Example #1

Controls over contract identification

1.  Business practice vs. written agreement

2.  Modifications, returns, and variable component

3.  Ability to perform, credit, and collect

4.  Point in time vs. period of time


Polling Question #3

My company is well-prepared for ICFR related to ASC 606 for our Q1 disclosures in 2018.

a)  Strongly agree

b)  Somewhat agree

c)  Neither agree nor disagree (or don’t know)

d)  Somewhat disagree

e)  Strongly disagree


Example #2

Controls over expense recognition

1.  Identification—completeness and accuracy

2.  Allocation to contract

3.  Deferral and matching


Example #3

Controls over dual reporting

1.  Changes to initial balance sheet

2.  Dual track

3.  Contract modifications and other changes

4.  Changes in business practices


Example #4

Controls over new disclosures

1.  Disaggregation of revenue

2.  Contract balances and reconciliations

3.  Performance obligations

4.  Allocation of transaction prices and periods


Stuff Subject to Change

1.  Accounting memos and information requirements

2.  Policy and procedure documents

3.  Risk assessment and control documentation

4.  Automated and manual information systems

5.  Audit plan, program, and evidence


Recommendation: 5-Point Plan

1.  Get to the table

2.  Identify all of the things that could change

3.  Make practice runs

4.  Look for ways to accelerate

5.  Recognize the risk of going cheap


Polling Question #4

How have you invested in your control environment over the past 2 years?

a)  Engaged advisors to assist in implementation of ASC 606

b)  Increased internal staffing for SOX and internal audit

c)  Devoted more time from existing staff

d)  Added software to assist with SOX documentation and/or audit

e)  None of the above

f)  Don’t know


Your Questions


Conclusion


Final Thoughts

Three legs of “control stool”

1.  People

2.  Process

3.  Technology


Questions?